United States v. Michael Thomas , 877 F.3d 591 ( 2017 )

     Case: 16-41264   Document: 00514268309        Page: 1   Date Filed: 12/11/2017
IN THE UNITED STATES COURT OF APPEALS
FOR THE FIFTH CIRCUIT
United States Court of Appeals
Fifth Circuit
No. 16-41264                         FILED
December 11, 2017
UNITED STATES OF AMERICA,                                           Lyle W. Cayce
Clerk
Plaintiff - Appellee
v.
MICHAEL THOMAS,
Defendant - Appellant
Appeal from the United States District Court
for the Eastern District of Texas
Before WIENER, HIGGINSON, and COSTA, Circuit Judges.
GREGG COSTA, Circuit Judge:
Michael Thomas worked as the Information Technology Operations
Manager for ClickMotive, LP, a software and webpage hosting company. Upset
that a coworker had been fired, Thomas embarked on a weekend campaign of
electronic sabotage. He deleted over 600 files, disabled backup operations,
eliminated employees from a group email a client used to contact the company,
diverted executives’ emails to his personal account, and set a “time bomb” that
would result in employees being unable to remotely access the company’s
network after Thomas submitted his resignation. Once ClickMotive discovered
what Thomas did, it incurred over $130,000 in costs to fix these problems.
Case: 16-41264    Document: 00514268309    Page: 2    Date Filed: 12/11/2017
No. 16-41264
A jury found Thomas guilty of “knowingly caus[ing] the transmission of
a program, information, code, or command, and as a result of such conduct,
intentionally caus[ing] damage without authorization, to a protected
computer.”   18 U.S.C. § 1030(a)(5)(A).     Thomas challenges the “without
authorization” requirement of this provision of the Computer Fraud and Abuse
Act. He contends that because his IT job gave him full access to the system
and required him to “damage” the system—for example, at times his duties
included deleting certain files—his conduct did not lack authorization. In
support of his view that the statute does not reach those whose access to a
system includes the ability to impair it, Thomas invokes the rule of lenity and
principle that vague statutes cannot be enforced.        But we conclude that
Thomas’s conduct falls squarely within the ordinary meaning of the statute
and affirm his conviction.
I.
Thomas’s duties at ClickMotive included network administration;
maintaining production websites; installing, maintaining, upgrading, and
troubleshooting network servers; ensuring system security and data integrity;
and performing backups. He was granted full access to the network operating
system and had the authority to access any data and change any setting on the
system. Thomas was expected to perform his duties using his “best efforts and
judgment to produce maximum benefit” to ClickMotive.
Thomas was not happy when his friend in the IT department was fired.
It was not just a matter of loyalty to his former colleague; a smaller IT staff
meant more work for Thomas. So Thomas, to use his word, “tinkered” with the
company’s system. The tinkering, which started on a Friday evening and
continued through Monday morning, included the following:
• He deleted 625 files of backup history and deleted automated commands
2
Case: 16-41264       Document: 00514268309         Page: 3     Date Filed: 12/11/2017
No. 16-41264
set to perform future backups.
• He issued a command to destroy the virtual machine 1 that performed
ClickMotive’s backups for one of its servers and then Thomas failed to
activate its redundant pair, ensuring that the backups would not occur.
• He tampered with ClickMotive’s pager notification system by entering
false contact information for various company employees, ensuring that
they would not receive any automatically-generated alerts indicating
system problems.
• He triggered automatic forwarding of executives’ emails to an external
personal email account he created during the weekend.
• He deleted pages from ClickMotive’s internal “wiki,” an online system of
internal policies and procedures that employees routinely used for
troubleshooting computer problems.
• He manually changed the setting for an authentication service that
would eventually lead to the inability of employees to work remotely
through VPN. Changing the setting of the VPN authentication service
set a time bomb that would cause the VPN to become inoperative when
someone rebooted the system, a common and foreseeable maintenance
function.
• And he removed employees from e-mail distribution groups created for
the benefit of customers, leading to customers’ requests for support going
unnoticed.
Thomas was able to engage in most of this conduct from home, but he
did set the VPN time bomb on Sunday evening from ClickMotive’s office, which
he entered using another employee’s credentials. It was during this visit to
the office that Thomas left his resignation letter that the company would see
1 “A virtual machine is a self-contained operating environment that isolates an
application from the entire computer on which it runs, denying the application access to other
compartments of the system.” Jonathan L. Zittrain, The Generative Internet, 119 HARV. L.
REV. 1974, 2037 n.220 (2006).
3
Case: 16-41264    Document: 00514268309     Page: 4   Date Filed: 12/11/2017
No. 16-41264
the next day. When the dust settled, the company incurred over $130,000 in
out-of-pocket expenses and employees’ time to undo the harm Thomas caused.
In a subsequent interview with the FBI, Thomas stated that he engaged in this
conduct because he was “frustrated” with the company and wanted to make
the job harder for the person who would replace him.
A grand jury eventually charged Thomas with the section 1030(a)(5)(A)
offense. But two days before the grand jury met, Thomas fled to Brazil. Nearly
three years later, Thomas was arrested when he surrendered to FBI agents at
Dallas/Fort Worth International Airport.
At trial, company employees and outside IT experts testified that none
of the problems ClickMotive experienced as a result of Thomas’s actions would
be attributable to a normal system malfunction. They further stated that
Thomas’s actions were not consistent with normal troubleshooting and
maintenance or consistent with mistakes made by a novice.          ClickMotive
employees asserted that it was strange for the wiki pages to be missing and
that someone in Thomas’s position would know that changing the setting of
the VPN authentication service would cause it to become inoperative when
someone rebooted the system.
ClickMotive’s employee handbook was not offered at trial and there was
no specific company policy that governed the deletions of backups, virtual
machines, or wiki modifications. Employees explained, however, that there
were policies prohibiting interfering with ClickMotive’s normal course of
business and the destruction of its assets, such as a virtual machine or
company data. Thomas’s own Employment Agreement specified he was bound
by policies that were reasonably necessary to protect ClickMotive’s legitimate
interests in its clients, customers, accounts, and work product.
The jury instructions included the statutory definition of “damage,”
which is “any impairment to the integrity or availability of data, a program, a
4
Case: 16-41264      Document: 00514268309         Page: 5    Date Filed: 12/11/2017
No. 16-41264
system, or information.” 18 U.S.C. § 1030(e)(8). The district court denied
Thomas’s proposed instruction for “without authorization,” which was “without
permission or authority.” It did not define the phrase.
After the jury returned a guilty verdict, the district court sentenced
Thomas to time served (which was the four months since he had been detained
after returning to the country), plus three years of supervised release, and
ordered restitution of $131,391.21. Thomas then filed an unsuccessful motion
for judgment of acquittal. That motion, like this appeal, argued that the
evidence was not sufficient to convict Thomas because he was authorized to
damage the computer as part of his routine IT duties.
II.
A.
Although raised in the context of a sufficiency challenge which usually
focuses on the evidence, Thomas’s argument is principally a question of
statutory interpretation. 2 So we will begin with an analysis of the statute as
the elements of the statute establish what the evidence must prove.
Because Thomas’s argument that he was authorized to damage a
computer seems nonsensical at first glance, it is helpful at the outset to explain
the steps he takes to get there. He first points out that his job duties included
“routinely deleting data, removing programs, and taking systems offline for
diagnosis and maintenance.” Thomas says this conduct damaged the computer
within the meaning of the Computer Fraud and Abuse Act because damage is
2 We often see arguments focusing on the meaning of words in a criminal statute
raised via a challenge to the jury instruction. But as will be discussed, Thomas’s requested
instruction of “without authorization” did not include the limiting language he urges on
appeal. This explains why a sufficiency challenge is the vehicle for his statutory argument.
The government does not contend that his request for a different definition in the jury
instruction estops him from arguing for a more limited definition in the context of a
sufficiency challenge.
5
Case: 16-41264      Document: 00514268309         Page: 6    Date Filed: 12/11/2017
No. 16-41264
defined to just mean “any impairment to the integrity or availability of data, a
program, a system, or information,” 18 U.S.C. § 1030(e)(8); there is no
requirement of harm. And the damage he caused by engaging in these routine
tasks was not “without authorization” because it was part of his job. So far, so
good. 3 Next comes the critical leap: Thomas argues that because he was
authorized to damage the computer when engaging in these routine tasks, any
damage he caused while an employee was not “without authorization.” Thus
he cannot be prosecuted under section 1030(a)(5)(A). This argument is far
reaching. If Thomas is correct, then the damage statute would not reach any
employee who intentionally damaged a computer system as long as any part of
that employee’s job included deleting files or taking systems offline.
Thomas’s support for reading the statute to cover only individuals who
“had no rights, limited or otherwise [to] impair” a system comes from cases
addressing the separate “access” provisions of section 1030. See, e.g., LVRC
Holdings LLC v. Brekka, 

, 1133 (9th Cir. 2009) (“[A] person who
uses a computer ‘without authorization’ has no rights, limited or otherwise, to
access the computer in question.”); see also Pulte Homes, Inc. v. Laborers’
International Union of North America, 

, 303–04 (6th Cir. 2011)
3 This assumes Thomas is correct that the “damage” element does not require a
showing of harm. The just-quoted statutory definition does not include the words “harm” or
“loss.” This contrasts with a separate subsection of the same damage statute that requires
both “damage and loss,” 18 U.S.C. § 1030(a)(5)(C), with a separate statutory definition for
loss, 18 U.S.C. § 1030(e)(11). But some courts addressing the damage element do require
some negative effect on the system. See United States v. Yucel, 

, 420
(S.D.N.Y. 2015) (concluding that damage occurs when “the system no longer operates as it
did when it first came into the owner’s possession and has an unwanted characteristic”);
Trademotion, LLC v. Marketcliq, Inc., 

, 1292 (M.D. Fla. 2012) (stating
that “impairment to integrity” requires “some diminution in the completeness or usability of
date or information on a computer system”). In any event, the government concedes that at
least some of what Thomas and other IT professional do in the normal course of their duties
constitutes damage within the meaning of the statue. So we will assume that “damage” is
defined as broadly as Thomas contends because even under his definition we conclude that
he lacked authorization for the particular acts of damage charged as criminal conduct.
6
Case: 16-41264    Document: 00514268309     Page: 7   Date Filed: 12/11/2017
No. 16-41264
(relying on Brekka). But there are important differences between the “access”
and “damage” crimes that make it inappropriate to import access caselaw into
the damage statute.
Section 1030(a)(5)(A) is the only independent “damage” provision,
meaning it does not also require a lack of authorization to access the computer.
Contrast 18 U.S.C. § 1030(a)(5)(B), (C) (both applying to damage that results
from unauthorized access of a computer). It prohibits “intentionally caus[ing]
damage without authorization.” As discussed, the statute defines damage.
And as numerous courts have recognized in discussing both the damage and
access provisions, the ordinary meaning of “without authorization” is “without
permission.”    See 

(quoting Random House
Unabridged Dictionary to define “authorization” as “permission or power
granted by an authority”); United States v. Valle, 

, 524 (2d Cir.
2015) (same); WEC Carolina Energy Solutions LLC v. Miller, 

, 204
(4th Cir. 2012) (defining “without authorization” as “without approval”); 

(citing Webster’s Third International Dictionary); see also
Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in
Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1661–62 (2003) (“[T]he
damage statute uses the phrase ‘without authorization’ to mean merely
‘without permission’ . . . .”). Indeed, Thomas asked that the jury be told that
“without authorization” means “without permission or authority”; he did not
seek an instruction that “without authorization” is limited to those who have
no rights to ever impair a system. As the caselaw and Thomas’s proposed
instruction recognize, the plain meaning of the damage provision is that it
makes it a crime to intentionally impair a computer system without
permission. And notably, it applies to particular acts causing damage that
lacked authorization. See 18 U.S.C. § 1030(e)(8) (defining damage to include a
single impairment of the system). Nothing in the statutory text says it does
7
Case: 16-41264    Document: 00514268309     Page: 8   Date Filed: 12/11/2017
No. 16-41264
not apply to intentional acts of damage that lacked permission if the employee
was allowed to engage at other times in other acts that impaired the system.
Crimes involving unauthorized access are more numerous in the
Computer Fraud and Abuse Act. See, e.g., 18 U.S.C. § 1030(a)(1), (2), (3). Some
of these provisions distinguish between “intentionally access[ing] a computer
without authorization,” and “exceed[ing] authorized access.”            See 

(2). To give meaning to the separate provisions, courts have
interpreted “access without authorization” as targeting outsiders who access
victim systems, while “exceeds authorized access” is applied to “insiders,” such
as employees of a victim company. See 

(citing United
States v. Nosal, 

, 858 (9th Cir. 2012) (en banc)). It is this attempt
to police that statutory line—between those who have no permission to access
a system and those who have some permission to access but exceed it—that led
to the language Thomas invokes about a “no authorization” case being limited
to a person with “no right[], limited or otherwise, to access the computer in
question.” 

(emphasis added). This ensures that
“access without authorization” applies to outsiders. Indeed, Brekka begins its
analysis by recognizing that “authorization” has the ordinary meaning of
“permission”; the separate term “exceeds authorized access” is the source for
its conclusion that access without authorization must be an all-or-nothing
proposition. 

In addition to its support in the bifurcated statutory
scheme for access crimes, a narrow reading of those statutes avoids
criminalizing common conduct—like violating contractual terms of service for
computer use or using a work computer for personal reasons—that lies beyond
the antihacking purpose of the access statutes. See, e.g., 

–13, 526–27 (involving police officer charged with violating section
1030(a)(2)(B) for accessing a government computer for a non-law enforcement
purpose); United States v. Drew, 

, 466 (C.D. Cal. 2009)
8
Case: 16-41264     Document: 00514268309     Page: 9   Date Filed: 12/11/2017
No. 16-41264
(involving defendant charged with violating sections 1030(a)(2)(C) and
1030(c)(2)(B)(ii) for creating a fictitious profile on a social networking website
and then using the account to cyberbully a teenager in violation of the website’s
Terms of Service); 

(“If we interpret the phrase “exceeds
authorized access” to include breaches of contract, we create a remarkably
broad criminal prohibition that has no connection to the rationales of criminal
punishment.”).
None of these concerns translates to the damage statute.          “Without
authorization” modifies damage rather than access. 

(explaining
that the federal damage statute uses “without authorization” in “a very
different way” from how it is used in the access statutes). Section 1030(a)(5)(A)
makes no distinction between all-or-nothing authorization and degrees of
authorization. Its text therefore covers situations when the individual never
had permission to damage the system (an outsider) or when someone who
might have permission for some damaging acts causes other damage that is
not authorized (an insider). Tellingly, other subsections of the same damage
statute are limited to those who inflict damage while “intentionally access[ing]
a protected computer without authorization.” 18 U.S.C. § 1030(a)(5)(B), (C).
Because section 1030(a)(5)(A) is the one subsection of the damage statute that
also applies to insiders, it would make no sense to import a limitation from the
access statutes that is aimed at excluding insider liability. In support of his
attempt to extend to the damage statute the limitation courts have read into
the “access without authorization” statutes, Thomas cites the “presumption
that identical words used in different parts of the same act are intended to
have the same meaning.” Atlantic Cleaners & Dyers, Inc. v. United States, 

, 433 (1932). But in light of the significant statutory differences
between the access and damage crimes, Chief Justice Marshall’s corollary to
the “consistent usage” canon is more apt: “It has been also said, that the same
9
Case: 16-41264       Document: 00514268309         Page: 10     Date Filed: 12/11/2017
No. 16-41264
words have not necessarily the same meaning attached to them when found in
different parts of the same instrument: their meaning is controlled by context.
This is undoubtedly true.” Cherokee Nation v. Georgia, 

, 19 (1831),
quoted in Antonin Scalia & Bryan Garner, READING LAW: THE INTERPRETATION
OF LEGAL TEXTS 171      (2012).
Nor is there a significant threat that liability under the damage statute
would extend to largely innocuous conduct because the requirement of
“intentionally causing damage” narrows the statute’s reach. Cf. 

–62 (stating that section 1030(a)(5)(A) “adds a very important weapon
to the arsenal of computer crime statutes” and complements the access statutes
that present a serious risk of being applied too broadly). Applying the damage
statute to employees like Thomas also does not extend the law beyond what
Congress intended.        The Senate Report on the 1996 amendments to the
Computer Fraud and Abuse Act stated that section 1030(a)(5)(A) “protect[s]
computers and computer systems . . . from damage both by outsiders, who gain
access to a computer without authorization, and by insiders, who intentionally
damage a computer.” S. Rep. No. 104-357, at 9 (1996). It characterized these
dual threats as “outside hackers” and “malicious insiders.” 

This
repeated emphasis that the damage statute would apply equally to both
threats 4 was made with full awareness, from the time the statute was first
enacted a decade earlier that, as Thomas emphasizes, employees are
sometimes permitted or even required to engage in “repair activities.” S. Rep.
No. 99-432, at 12 (1986). Such acts that are “necessary to the repair” of the
system, would not be criminal because they are authorized. 

mens rea was also cited as a limitation on the statute’s reach. S. Rep. No. 104-
4 See also S. Rep. No. 104-357, at 10 (stating that section 1030(a)(5)(A) “would cover
anyone who intentionally damages a computer, regardless of whether they were an outsider
or an insider otherwise authorized to access the computer”).
10
Case: 16-41264      Document: 00514268309        Page: 11     Date Filed: 12/11/2017
No. 16-41264
357, at 11 (“[I]nsiders, who are authorized to access a computer, face criminal
liability only if they intend to cause damage to the computer.” 5 (emphasis
added)). By providing immunity from the damage statute to any “malicious
insider” who was permitted to cause “damage” in some situations as part of his
job duties, Thomas’s interpretation would substantially curtail the statute’s
intended reach.
So Thomas’s reading of “without authorization” is at odds with the
statutory language and legislative intent. His offered construction thus finds
no recourse in the rule of lenity because there is no interpretive tie for that
principle to break. United States v. Castleman, 

, 1416 (2014)
(stating that “the rule of lenity only applies if, after considering text, structure,
history, and purpose, there remains a grievous ambiguity or uncertainty in the
statute, such that the Court must simply guess as to what Congress intended”
(internal quotation marks omitted)).
We conclude that Section 1030(a)(5)(A) prohibits intentionally damaging
a computer system when there was no permission to engage in that particular
act of damage.       To the extent more is needed to flesh out the scope of
“permission” when a defendant has some general authority to impair a
network, there is helpful guidance in one of our cases addressing an access
statute, which if anything should define authorization more narrowly for the
reasons we have discussed. United States v. Phillips, 

, 219 (5th
Cir. 2007). Phillips says to look at the “expected norms of intended use.” 

statement that insiders are only liable for intentionally causing damage is
further support for the point made above that section 1030(a)(5)(A) is the only damage
provision that can apply to insiders. The other two damage provisions, which require
unauthorized access, have lower mens rea requirements. Section 1030(a)(5)(B) applies to
recklessly causing damage. Section 1030(a)(5)(C) imposes strict liability when it comes to
the damage requirement, though the conduct must result in both “damage and loss.”
11
Case: 16-41264    Document: 00514268309      Page: 12   Date Filed: 12/11/2017
No. 16-41264
B.
With this understanding of the damage statute, we turn to the more
typical sufficiency review and evaluate whether the evidence supported the
conviction. This analysis usually begins with talk of the considerable deference
the jury’s view of the evidence should receive, with it getting to make
credibility determinations, draw reasonable inferences, and the like. United
States v. Winkler, 

, 696 (5th Cir. 2011). Reliance on that standard
of review is unnecessary here as there is overwhelming evidence to support the
jury’s view that Thomas did not have permission to engage in the weekend
damage campaign.
The nature of Thomas’s conduct is highly incriminating. No reasonable
employee could think he had permission to stop the system from providing
backups, or to delete files outside the normal protocols, or to falsify contact
information in a notification system, or to set a process in motion that would
prevent users from remotely accessing the network. 

(affirming jury finding of lack of authorization to launch a brute-force attack
program when that would not be permissible “within the understanding of any
reasonable computer user”). Thomas emphasizes the unlimited access he had
to the system that gave him the ability to inflict this damage. But it is not
conceivable that any employee, regardless of their level of computer access,
would be authorized to cause these problems. The incidents for which Thomas
was held liable were nothing like the periodic acts he performed as part of his
duties. Those tasks may have impaired the system on a limited basis in order
to benefit the computer network in the long run. Routine deletions of old files
provide that benefit by increasing storage space. Taking systems offline allows
for necessary maintenance. In contrast, the various types of damage Thomas
caused during the last few days before he resigned resulted in over $130,000
in remediation costs. Regardless of whether the definition of “damage” under
12
Case: 16-41264    Document: 00514268309      Page: 13   Date Filed: 12/11/2017
No. 16-41264
the statute requires a showing of harm, impairments that harm the system are
much less likely to be authorized than those that benefit the system. It would
rarely if ever make sense for an employer to authorize an employee to harm its
computer system.
The harmful acts themselves would be enough to support the verdict, but
Thomas’s words and conduct in response to the criminal investigation provide
additional support. When questioned by federal agents, he acknowledged the
distinction we have just made. He did not say that he caused the damage in
order to maintain or improve the system; instead, his motive was to make
things more difficult for the person hired to replace him. And his flight to
Brazil is not what is expected of someone who had permission to engage in the
conduct being investigated. See Allen v. United States, 

, 499 (1896)
(“[T]he law is entirely well settled that the flight of the accused is competent
evidence against him as having a tendency to establish his guilt.”).
The circumstances surrounding the damaging acts provide even more
support for the finding of guilt. Thomas committed the various acts one after
the other in a concentrated time span beginning Friday evening and continuing
through the weekend. Thomas did most of this from home, but the one time
he had to go the office he did so using another employee’s credentials. One of
his acts—falsification of contact information in the alert system—prevented
Thomas’s conduct from being detected during the weekend as employees would
not receive notifications about the damage to the system. He submitted his
resignation immediately after completing the damage spree and timed the
most damaging act—the one that would prevent remote access—so that it
would not occur until he was gone. Why this sequence of events if Thomas had
permission to cause the damage?
13
Case: 16-41264    Document: 00514268309      Page: 14   Date Filed: 12/11/2017
No. 16-41264
All of this provided ample support to conclude that Thomas lacked
permission to inflict the damage he caused. As that question of authorization
is the only element he challenges, sufficient evidence supports the conviction.
III.
What we have just said about the straightforward application of the
damage statute to Thomas’s conduct also dooms his claim that the law is
unconstitutionally vague. That is because even if a statute might be vague
when applied to some situations, “a defendant whose conduct is clearly
prohibited cannot be the one making that challenge.”           United States v.
Westbrooks, 

, 325 (5th Cir. 2017).
Further proof that Thomas’s conduct is a paradigmatic application of
section 1030(a)(5)(A) comes from its similarity to a hypothetical use of the
statute that a leading computer crime scholar foresaw years ago. Professor
Kerr provided the following example that is essentially this case but for a twist
that the employee is upset about his own employment situation rather than a
colleague’s:
Employee sabotage: Sam is a computer programmer who is angry
at his employer for denying him a promotion. Sam decides to take
revenge by deleting some of his employer’s important files, and by
launching a denial-of-service attack that overwhelms his
company’s webserver with requests and takes it offline for a few
hours. The deletion of the files will not constitute an unauthorized
access. Sam accessed his employer’s computer when he used it to
delete files, but as a programmer he was authorized to access those
files and therefore has not committed access without
authorization. Similarly, the denial-of-service attack will not itself
constitute an unauthorized access crime. Sending the data to the
computer does access the computer, but the access is not without
authorization: The webserver has been configured to accept all web
traffic requests, such that sending many requests will not
circumvent any code-based restrictions.
14
Case: 16-41264    Document: 00514268309    Page: 15   Date Filed: 12/11/2017
No. 16-41264
Sam does not avoid criminal liability, however. The deletion of the
files may constitute destruction of property or conversion and,
depending on the applicable state laws, he could be prosecuted
under general property crime statutes. Sam could also be
prosecuted for damaging the computer under the federal computer
damage statute, 18 U.S.C. § 1030(a)(5)(A)(i).

–65 (emphasis added).
The law review article is not all that undermines the contention that
Thomas lacked notice that his conduct was criminal. Just a couple weeks after
the damage spree, and before the FBI had contacted Thomas, he told the friend
whose firing had set this in motion that “he thought he might have broken the
law.” Which law, the friend inquired? Thomas’s response: “the Computer
Fraud and Abuse Act.”
* * *
The judgment of the district court is AFFIRMED.
15