As of Tuesday (October 4, 2022), players of the popular game “Overwatch 2” have been unable to access the games online servers (see https://kotaku.com/overwatch-2-queue-times-ddos-connection-failed-launch-1849616598). The issue has been attributed to a mass distributed denial of service (DDoS) attack. The attack is executed by maliciously flooding servers with traffic to prevent others from connecting.
I was interested about the legality of such attacks in Canada. After conducting some research, I found s 430(1.1) in the Criminal Code – “Mischief in relation to computer data”. The section states that:
Everyone commits mischief who willfully…
(c) obstructs, interrupts or interferes with the lawful use of computer data; or
(d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.
It seems then that Parliament has turned its mind to this modern issue by specifically addressing the denial of access to computer data. The maximum penalty for an offence under s 430(1.1) is 10 years imprisonment. Attacks like the one Overwatch 2 is currently facing can therefore hold serious consequences for the perpetrators, at least in Canada.
Check out theVideos of Interest to Law 423 on YouTube 
Communications Law
Join the Community!
Hey Adam, great post! As an avid gamer this is something I’m all too familiar with. Its common to anticipate some sort of server issue on launch day, but its especially frustrating when its a DDoS attack (i.e. some 3rd party is purposely stopping players from accessing their new game). We discussed a few weeks ago in class how the video game world can be an arena for abuse as a consequence of its anonymity. This virtual “ski-mask” that the internet (including video games) enables is significant with respect to S 430(1.1) “mischief in relation to computer data”. I wonder if video game players can be characterized as a class of people for the purposes of 430(1.1). We often associate crime committed against an individual victim, or a group of identifiable victims. This becomes difficult in the context of DDoS attacks where multiple parties are affected simultaneously (e.g. the players (possibly millions), the developers, the publishing company, etc.).