I was authorized to trash my employer's network, sysadmin tells court
Michael Thomas' appeal will send shockwaves through IT industry if successful
Back in December 2011, Michael Thomas did what many sysadmins secretly dream of doing: he trashed his employer's network and left a note saying he quit.
As well as deleting ClickMotive's backups and notification systems for network problems, he cut off people's VPN access and "tinkered" with the Texas company's email servers. He deleted internal wiki pages, and removed contact details for the organization's outside tech support, leaving the automotive software developer scrambling.
The real-life BOFH then left his keys, laptop, and entry badge behind with a letter of resignation and an offer to stay on as a consultant.
What Thomas didn't consider while leaving his elaborate "screw you" was that he might be breaking the law. Just under two years later, he was charged with a single felony count of "intentionally causing damage without authorization, to a protected computer."
He was found guilty by a jury in June last year, and in August was sentenced to time served plus three years of supervised release. He was also ordered to pay $130,000.
Now, however, Thomas is appealing [PDF] that conviction in the Fifth Circuit Court of Appeals in New Orleans using a legal defense that may have enormous implications for sysadmins across the entire United States.
In essence, Thomas is arguing that, yes, while he did intentionally cause damage it wasn't "without authorization." In fact, he was expressly authorized to access all the systems he accessed, and he was expressly authorized to carry out the deletions he did – every sysadmin in the world deletes backups, edits notification systems and adjusts email systems. In fact, it's fair to say that is a big part of the job they are paid to carry out.
His legal filing to the Fifth Circuit also points out that none of his actions were forbidden by the company's own policies.
Thomas is telling the court: sure, I trashed their systems but I did nothing illegal. And he has a point. It's just that every company in America is terrified that he might win the argument.
Of course, there is a back story.
Thomas was hired to the company by a friend of his – Andrew Cain. Cain was the company's first employee and the only IT employee. As the company – which sets up and runs car dealership websites – grew, it needed another full-time IT staffer to handle demand.
Things went well for two years until, out of the blue, the company's founders fired Cain. Cain suspected the reason for his firing was the founders were looking to sell the company – something they have done repeatedly in the past as serial entrepreneurs – and didn't want to have to give Cain his cut as the first employee. At the same time they fired Cain – on a Thursday – Thomas was offered a bonus to stay on and take over his friend's job.
It's fair to say that Cain was just a tad irritated. And he called Thomas to tell him the news and that he would be suing for wrongful dismissal. And that's when ClickMotive started having trouble with its IT systems.
Thomas' appeal filing admits many of the things that came out during the investigation and trial: he obtained emails from ClickMotive's system and forwarded them to Cain's wife to help his lawsuit.
The day after Cain was fired, a Friday, the entire ClickMotive network went down from a power outage. Thomas got it back up and was still working remotely on Saturday, mopping up problems. Then, on the Sunday, the network was hit with a denial-of-service attack, taking it down again.
And so Thomas drove to the office Sunday evening and start working on getting it back up. While there, however, the rogue employee also carried out a whole range of activities, before departing a few hours later and leaving his keys, laptop, badge and a resignation letter – which were discovered the next morning.
That Sunday, Thomas deleted remotely stored backups and turned off the automated backup system. He made some changes to VPN authentication that basically locked everybody out, and turned off the automatic restart. He deleted internal IT wiki pages, removed users from a mailing list, deactivated the company's pager notification system, and a number of other things that basically created a huge mess that the company spent the whole of Monday sorting out (it turned out there were local copies of the deleted backups).
While the company's actions don't exactly cover it in glory, using your admin privileges to delete backups and mess up your employer's system is not a great idea (no matter how appealing it might be). The question is: is it illegal?
"Michael Thomas had unlimited authorization to access, manage, and use ClickMotive's computer systems," argues his Tor Ekeland lawyers, "and was given broad discretion in his exercise of that authority."
Unsurprisingly as one of only two IT people in the company, Thomas basically had full rein over the computer systems. He could manage users and their privileges without requiring specific authorization. Part of his job was to delete unnecessary data.
As the filing argues: "The central issue in this case is whether Thomas acted 'without authorization' if he performed these same actions in a manner that was contrary to the company's interests."
And it argues that he didn't. He had the right to make changes to all the systems he touched; the term "without authorization" is ambiguous and was interpreted too broadly in his case; and the court didn't identify exactly what he did that was prohibited.
Since the appeal has decided to focus in on the specific legal language used to convict Thomas, it could have far-reaching implications either way.
If he is found to have acted without authorization, the question then becomes: does that make other sysadmins criminally liable for mistakes they might make unless they get explicit permission beforehand? That would create a hell of a problem.
If Thomas is found to have acted with authorization, every company will wonder if that gives their sysadmins carte blanche to ruin their systems with no legal comeback. That's not going to sit very well in boardrooms.
Of course, one solution would be to have explicit, commonsense company policies about what sysadmins are allowed to do and what they are not allowed without additional permission.
Or perhaps the better solution is to follow an age-old piece of advice that company bosses never seem to grasp: don't treat your employees like shit. ®
Sponsored: Becoming a Pragmatic Security Leader