Meet Michael Thomas, real-life BOFH.
On December 5 2011, he quit his job as IT admin for a startup called ClickMotive.
This was no ordinary resignation. This was the mother of all IT admin resignations: the type of blow-it-all-to-smithereens resignation that some – many? Please, Lord, let it not be not all – sysadmins dream about.
On the day he called it quits, he left a few things: his resignation letter, his keys, his laptop, his entry badge, his offer to stay on as a consultant, and a trail of tears for whoever came in on Monday to find that Thomas had deleted 615 pages of ClickMotive’s backups, the pager notification system for network problems, half a dozen wiki pages, and employees’ access to the VPN. According to court documents, he also “tinkered” with email servers at the Texas company, which sets up and runs car dealership sites.
Thomas also cut off contact with the company’s customers – large auto companies and dealerships – by snipping the names of company employees and executives from email distribution groups created for customer support.
In June 2016, Thomas was convicted of a single federal count of violating the Computer Fraud and Abuse Act (CFAA) in the Eastern District of Texas. He was sentenced to the four months he already spent in pre-trial detention, three years supervised release, and to pay restitution of $131,391.21.
After a three-day trial, a jury had found Thomas guilty of knowingly transmitting programs, information, codes, or commands that intentionally caused damage to his employer’s computer system, that he lacked authorization to cause the damage, and that those damages incurred losses to the employer in excess of $5,000.
But hold on a minute, said his lawyer, well-known hacker defense attorney Tor Ekeland: Thomas’s role as a sysadmin gave him all the authorization he needed to routinely delete the sort of files he deleted on his last days at ClickMotive.
Now, Thomas is appealing (PDF) his conviction in the Fifth Circuit Court of Appeals in New Orleans, on those grounds.
His defense: sure, he did damage to ClickMotive’s systems. Intentionally. But it certainly wasn’t “without authorization.”
In fact, every sysadmin is authorized to access all the systems he accessed, and they’re all authorized to do the things he did: delete backups, edit notification systems, and tweak email systems. That’s part of their job, his argument goes.
Another part of his appeal that should have managers jumping on the phone with their lawyers and digging up their policy manuals: there was nothing in ClickMotive’s policies that said Thomas couldn’t do exactly what he did.
From the appeal, filed on Tuesday:
Michael Thomas had unlimited authorization to access, manage, and use ClickMotive’s computer systems, and was given broad discretion in his exercise of that authority.
Thomas was handling all of the routine duties of a sysadmin – deleting data, managing user privileges and more – because his friend, colleague, and the only other employee working in IT administration had recently been fired from ClickMotive. If carrying out those parts of the job constitutes “damage,” isn’t every sysadmin liable for getting sued under the CFAA?
Yes, Ekeland has argued: Thomas’s guilty verdict is “dangerous for anyone working in the IT industry.” It should worry any IT admin that’s ever hit the “delete” key in the course of their duties, he said:
If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony.
From the appeal:
The central issue in this case is whether Thomas acted ‘without authorization’ if he performed these same actions in a manner that was contrary to the company’s interests.
During his trial, Thomas’s defense team explained how over the weekend during which he did the damage and quit, he had been in the office to deal with a denial-of-service attack on ClickMotive’s site and to repair a cascading power outage problem.
Those 615 backup files he deleted? They were all replicated at other servers on the network.
Ekeland told Wired that ClickMotive’s treatment of Thomas has been pretty shabby, considering:
They’ve destroyed this guy’s life over the fact that he worked on a Sunday to keep the company going, and then deleted some files on the way out to say f*** you to his boss.
delayedthoughtengineering
Well, authorization is one thing. Malice is another. If he is found guilty to have operated with malice, which the attorney appears to confirm with his final statement about deleting files, then the charges should stick. System administration, even if it is not explicitly defined in the handbook, carries the assumption of benevolent intent. If you operate with malicious intent, you are, by definition, a rogue employee.
upsidedown
delayedthoughtengineering – I think you are missing the point. Malice is not an element of the CFAA. There’s no mens rea in the statue. If authorization exists there isn’t a CFAA violation. This seems to be an example of prosecutorial overreach at the behest of a company that chose not to pursue civil action. The DoJ should have better things to do than to be litigating employment disputes on behalf of vengeful company owners.
Bryan
The DoJ should have better things to do than to be litigating employment disputes
I highly agree…this should primarily be a civil suit (not that most employees have the means to repay $100k in damages) and not a criminal one.
However the “this endangers all working-in-earnest sysadmins” argument stretches a technicality FAR too far–with nothing dangerous preceding Ekeland’s brazen twist of the spirit of the law.
Nothing in my employment docs explicitly prohibits throwing a rock through the window, yet it would cause monetary loss much like deleting backups can. I suppose now I have the freedom to argue “no one said I *couldn’t* do that,” as I depart and light the place on fire.
So okay… we need two more clauses against throwing rocks and pyrotechnics, and we’re set. Oh wait: what if I bring my doberman to work and tell her to bite the boss? That’s not explicitly disallowed either. I leave later most nights than everyone else…what if I leave the water running upstairs on a Friday? Oh crap; we’re gonna be updating these bylaws for a while now.
With so many attorneys vying to be Saul Goodman, we (the rest of society) are forced to include scads of extraneous verbiage like “in good faith” in every legal document where it should be patently apparent. Now let’s waste everyone’s time and tax dollars to amend the CFAA with “but it certainly doesn’t count if you’re not being mean,” so we can blame the bottleneck and folly on government inefficiency instead of scavengers like Ekeland.
Michael you made a string of very bad decisions; take your medicine.
Max
I don’t know though, if throwing rocks was part of your regular job, even sometimes throwing them at windows, it’s a bit different. It’s not like he did something he would never do as part of his job. If it’s a crime to do something you are normally expected to do but did it in a way your employer doesn’t agree with, you basically are at the mercy of your employer with everything you do. It’s like when you get the key to the office building, and you normally go in and out how you please because your job requires it and your employer authorized you to enter whenever you want. Suddenly your boss decides he didn’t like that you entered on a specific day, for whatever reason, and charges you with breaking and entering (or illegal entry).
Bryan
Excellent point, and one I should’ve caught–shame on me. I suppose I was so swept away by the hyperbole of “admins everywhere are now criminals” interpretation that I augmented my counterpoint–ewps. Before I jumped the shark however I remained on point.
To entertain Ekeland’s interpretation would set an abhorrent precedent. Without knowing more details than what’s here at at Wired, I can only hope the judge laughed at Ekeland and said, “I can’t believe you’re serious.”
Max
I am certainly no lawyer, but if he was convicted solely on the grounds that he had “no authorization”, I think Ekeland has a point. He did have authorization. While he should certainly be punished in a civil case, and it might be argued that what he did was a crime, it certainly wasn’t the crime they accused him of. And deciding that way does give an employer the power to decide if their employees are committing a crime, on a daily basis. If an employer can just “take back” the authorization he gave his employees after the fact, based on the outcome of their actions, this would be the more worrisome precedent. I stand by my key-to-the-office-building turned into breaking and entering example.
Bryan
Yes, your key is probably the best “analog analog.” I’m just strongly opposed to the requirement that the “letter of the law” is such an omnipresent necessity. While some crimes are grey area, most are self-evident and shouldn’t require half the legislation which details them against the loophole nitpickers:
“Okay yeah, that was illegal, but what about on an odd-numbered Saturday during the month of June in the Eastern Hemisphere north of the 45th parallel while wearing a brown hat? We could say THAT’S fair, right?”
The routine dealings of humanity shouldn’t warrant (har) more than a handful of laws:
1. don’t kill or hurt anyone else
2. don’t break, ruin, or steal anyone’s stuff
3. do what you say you’re gonna do or don’t say it
Heck, that covers most of it right there. I realize I’m being overly-idealistic, but the point is valid. We don’t need to all donate our lives to philanthropy, and success doesn’t preclude respecting fellow humans; it could pretty simple with more cooperation and less greed.
*sigh* okay, back to reality :-)
Max
I do get your sentiment. Unfortunately, the less specific you define those laws the more interpretations of it you will get. That just means you give more authority to judges/juries. 1. Don’t kill or hurt anyone else -> You could sue your ex girlfriend for breaking your heart and emotionally hurting you in the process. I’m not saying she doesn’t deserve it, but it’s probably not what we want our laws to look like.
Bryan
Once again Max…well stated. :-)
Jen
Those examples don’t make sense unless you’re saying that they are a part of your job. In any case, a company policy shouldn’t define what is a crime, the law should, and it should be clearly written such that someone who throws a rock can’t be charged with grand theft auto.
Bryan
Yep thanks, Max already caught me–and I corrected myself.
SomeoneWithABrain
Sure, but you see the CFAA basically makes doing anything with a computer a possible felony. This guy should absolutely have to pay damages, and just like with non-computer based destruction of property the punishment should scale (possibly including jail time) with the amount of property damage. But prosecuting under the CFAA is pretty bogus, as you said authorization (or lack thereof) is one thing (a CFAA felony) and malice is another (standard scaling based on property damages).
The CFAA is dangerous since it is used as a catch-all for anytime something happens with a computer, when we have perfectly usable other laws that could be used to deal with things like theft, property destruction, defamation, etc.
Bryan
Heh, very nice. We’re all arguing CFAA specifics when it was the wrong law to invoke in the first place. +1
AFAIK there’s no legislation anywhere making it illegal to be a dick, but it’d be a lot better–and probably simpler–world if we could just change that.
Jeff
The authorization stated he “was given broad discretion”. It would seem that a “reasonable person” test could easily be applied here. If a reasonable person’s discretion would had deleted the files and taken the other actions in the best interest of administrating the system for the company, then he’s okay. But if a reasonable person would see that damage would be done to the company, then he should be held accountable for his actions.
upsidedown
It has nothing to do with the companies ‘best interest’, it is about authorization. What is in someones ‘best interest’ is extremely subjective and vague. You can’t base criminal law on something so indefinite. The CFAA a trespass law, if you invite someone over and they steal or break something that might be theft or vandalism, but its not trespassing.
Mace Moneta
Every recovery process involves damage to the company – at least temporarily. That’s an insufficient discriminator in determining criminal activity.
A ‘reasonable person’ test is also without value. A reasonable person has no idea what systems administration involves.
This seems to call for an actual jury of peers – other system administrators.
Jeff
A reasonable person test does take that into account — it’s a person that has the information needed to make a reasonable decision about the point in question. Otherwise, the person can’t make a reasonable decision.
jkwilborn
Unfortunately, I believe most states have thrown out ‘common law’ and made themselves ‘statue states’. It means is if it’s not written that way specifically, then it’s not a violation. You have to spell out what a violation is. Argue reasonable all you want, but many times it’s one word that makes the difference.
It’s another sad day for the computer world.
Atombath
It could be argued we are only given authorization to systems with the sole intention of correcting or preventing issues. Any other access would be unauthorized, such as installing a game server or accessing HR records. The case would be unremarkable if he were tried for something reasonable such as vandalism. A blatantly stretched use of CFAA for sure… and it might allow him to get away with it.
Bryan
Exactly. And vandalism is probably the perfect example. We all have “access” to the same walls, alleys, and bridges, yet most of us routinely exercise our right to not spill paint on them.
Robert
Anyone who uses a computer at work should be concerned about the potential implications of this case. Based on the governments view, everyone breaks this law every day and it is completely up to them who they want to go after. We should ‘trust’ their discretion. If you break the typical company policy that says ‘computers are only to be used for business purposes’ if you check your personal e-mail, the weather, news, sports scores etc. you have committed a federal crime. If small violations are tolerated how do you know what crosses the line? If you empty the trash on your laptop or delete something from your inbox then get in a spat with your boss can they then, after the fact, say you weren’t authorized to do that?
John T Gaskill
Seems like the “prudent and reasonable man” test in Law has been abandoned, along with any semblance of common freaking sense.
Anonymous
The reasonable person test is irrelevant. The CFAA says that CRIMINAL charges occur when damage to computers occur AND the authority of the person has been exceeded (i.e. a receptionist goes through and deletes everything on all public drives after being fired). Since this person was the only one in IT to do all the regular maintenance I seriously doubt he didn’t have authority to do what he did.
CIVIL charges on the other hand can easily take into account mitigating circumstances as listed above to recover costs, etc from the person (and I think the $131,391.21 is the civil side of the lawsuit). While the damage done was basic (especially since there were still backups still available) I’m assuming the amount includes the loss of business, etc which can easily be classed as the punishment for doing this.
FormerITAdmin
If the files deleted were files which had been backed up onto other servers, were actually files that were corrupted (converted to a different file, like a Windows Script Component that needn’t have a specific extension, but can be made to act as a exe/dll file,) then deleting them would not just be justified, but totally necessary to stop a DOS attack. I think that the employers should have to prove that what he did caused more damage than if he had just quit the job and let the DOS attack continue. I think the $131,391.21 could easily have been exceeded in losses if he had walked away, and I’m not certain that he isn’t being charged for losses from the initial DOS attack.