United States v. Michael Thomas

Case: 16-41264 Document: 00514268309 Page: 1 Date Filed: 12/11/2017 IN THE UNITED STATES COURT OF APPEALS FOR THE FIFTH CIRCUIT United States Court of Appeals Fifth Circuit No. 16-41264 FILED December 11, 2017 UNITED STATES OF AMERICA, Lyle W. Cayce Clerk Plaintiff - Appellee v. MICHAEL THOMAS, Defendant - Appellant Appeal from the United States District Court for the Eastern District of Texas Before WIENER, HIGGINSON, and COSTA, Circuit Judges. GREGG COSTA, Circuit Judge: Michael Thomas worked as the Information Technology Operations Manager for ClickMotive, LP, a software and webpage hosting company. Upset that a coworker had been fired, Thomas embarked on a weekend campaign of electronic sabotage. He deleted over 600 files, disabled backup operations, eliminated employees from a group email a client used to contact the company, diverted executives’ emails to his personal account, and set a “time bomb” that would result in employees being unable to remotely access the company’s network after Thomas submitted his resignation. Once ClickMotive discovered what Thomas did, it incurred over $130,000 in costs to fix these problems. Case: 16-41264 Document: 00514268309 Page: 2 Date Filed: 12/11/2017 No. 16-41264 A jury found Thomas guilty of “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A). Thomas challenges the “without authorization” requirement of this provision of the Computer Fraud and Abuse Act. He contends that because his IT job gave him full access to the system and required him to “damage” the system—for example, at times his duties included deleting certain files—his conduct did not lack authorization. In support of his view that the statute does not reach those whose access to a system includes the ability to impair it, Thomas invokes the rule of lenity and principle that vague statutes cannot be enforced. But we conclude that Thomas’s conduct falls squarely within the ordinary meaning of the statute and affirm his conviction. I. Thomas’s duties at ClickMotive included network administration; maintaining production websites; installing, maintaining, upgrading, and troubleshooting network servers; ensuring system security and data integrity; and performing backups. He was granted full access to the network operating system and had the authority to access any data and change any setting on the system. Thomas was expected to perform his duties using his “best efforts and judgment to produce maximum benefit” to ClickMotive. Thomas was not happy when his friend in the IT department was fired. It was not just a matter of loyalty to his former colleague; a smaller IT staff meant more work for Thomas. So Thomas, to use his word, “tinkered” with the company’s system. The tinkering, which started on a Friday evening and continued through Monday morning, included the following: • He deleted 625 files of backup history and deleted automated commands 2 Case: 16-41264 Document: 00514268309 Page: 3 Date Filed: 12/11/2017 No. 16-41264 set to perform future backups. • He issued a command to destroy the virtual machine 1 that performed ClickMotive’s backups for one of its servers and then Thomas failed to activate its redundant pair, ensuring that the backups would not occur. • He tampered with ClickMotive’s pager notification system by entering false contact information for various company employees, ensuring that they would not receive any automatically-generated alerts indicating system problems. • He triggered automatic forwarding of executives’ emails to an external personal email account he created during the weekend. • He deleted pages from ClickMotive’s internal “wiki,” an online system of internal policies and procedures that employees routinely used for troubleshooting computer problems. • He manually changed the setting for an authentication service that would eventually lead to the inability of employees to work remotely through VPN. Changing the setting of the VPN authentication service set a time bomb that would cause the VPN to become inoperative when someone rebooted the system, a common and foreseeable maintenance function. • And he removed employees from e-mail distribution groups created for the benefit of customers, leading to customers’ requests for support going unnoticed. Thomas was able to engage in most of this conduct from home, but he did set the VPN time bomb on Sunday evening from ClickMotive’s office, which he entered using another employee’s credentials. It was during this visit to the office that Thomas left his resignation letter that the company would see 1 “A virtual machine is a self-contained operating environment that isolates an application from the entire computer on which it runs, denying the application access to other compartments of the system.” Jonathan L. Zittrain, The Generative Internet, 119 HARV. L. REV. 1974, 2037 n.220 (2006). 3 Case: 16-41264 Document: 00514268309 Page: 4 Date Filed: 12/11/2017 No. 16-41264 the next day. When the dust settled, the company incurred over $130,000 in out-of-pocket expenses and employees’ time to undo the harm Thomas caused. In a subsequent interview with the FBI, Thomas stated that he engaged in this conduct because he was “frustrated” with the company and wanted to make the job harder for the person who would replace him. A grand jury eventually charged Thomas with the section 1030(a)(5)(A) offense. But two days before the grand jury met, Thomas fled to Brazil. Nearly three years later, Thomas was arrested when he surrendered to FBI agents at Dallas/Fort Worth International Airport. At trial, company employees and outside IT experts testified that none of the problems ClickMotive experienced as a result of Thomas’s actions would be attributable to a normal system malfunction. They further stated that Thomas’s actions were not consistent with normal troubleshooting and maintenance or consistent with mistakes made by a novice. ClickMotive employees asserted that it was strange for the wiki pages to be missing and that someone in Thomas’s position would know that changing the setting of the VPN authentication service would cause it to become inoperative when someone rebooted the system. ClickMotive’s employee handbook was not offered at trial and there was no specific company policy that governed the deletions of backups, virtual machines, or wiki modifications. Employees explained, however, that there were policies prohibiting interfering with ClickMotive’s normal course of business and the destruction of its assets, such as a virtual machine or company data. Thomas’s own Employment Agreement specified he was bound by policies that were reasonably necessary to protect ClickMotive’s legitimate interests in its clients, customers, accounts, and work product. The jury instructions included the statutory definition of “damage,” which is “any impairment to the integrity or availability of data, a program, a 4 Case: 16-41264 Document: 00514268309 Page: 5 Date Filed: 12/11/2017 No. 16-41264 system, or information.” 18 U.S.C. § 1030(e)(8). The district court denied Thomas’s proposed instruction for “without authorization,” which was “without permission or authority.” It did not define the phrase. After the jury returned a guilty verdict, the district court sentenced Thomas to time served (which was the four months since he had been detained after returning to the country), plus three years of supervised release, and ordered restitution of $131,391.21. Thomas then filed an unsuccessful motion for judgment of acquittal. That motion, like this appeal, argued that the evidence was not sufficient to convict Thomas because he was authorized to damage the computer as part of his routine IT duties. II. A. Although raised in the context of a sufficiency challenge which usually focuses on the evidence, Thomas’s argument is principally a question of statutory interpretation. 2 So we will begin with an analysis of the statute as the elements of the statute establish what the evidence must prove. Because Thomas’s argument that he was authorized to damage a computer seems nonsensical at first glance, it is helpful at the outset to explain the steps he takes to get there. He first points out that his job duties included “routinely deleting data, removing programs, and taking systems offline for diagnosis and maintenance.” Thomas says this conduct damaged the computer within the meaning of the Computer Fraud and Abuse Act because damage is 2 We often see arguments focusing on the meaning of words in a criminal statute raised via a challenge to the jury instruction. But as will be discussed, Thomas’s requested instruction of “without authorization” did not include the limiting language he urges on appeal. This explains why a sufficiency challenge is the vehicle for his statutory argument. The government does not contend that his request for a different definition in the jury instruction estops him from arguing for a more limited definition in the context of a sufficiency challenge. 5 Case: 16-41264 Document: 00514268309 Page: 6 Date Filed: 12/11/2017 No. 16-41264 defined to just mean “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8); there is no requirement of harm. And the damage he caused by engaging in these routine tasks was not “without authorization” because it was part of his job. So far, so good. 3 Next comes the critical leap: Thomas argues that because he was authorized to damage the computer when engaging in these routine tasks, any damage he caused while an employee was not “without authorization.” Thus he cannot be prosecuted under section 1030(a)(5)(A). This argument is far reaching. If Thomas is correct, then the damage statute would not reach any employee who intentionally damaged a computer system as long as any part of that employee’s job included deleting files or taking systems offline. Thomas’s support for reading the statute to cover only individuals who “had no rights, limited or otherwise [to] impair” a system comes from cases addressing the separate “access” provisions of section 1030. See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (“[A] person who uses a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer in question.”); see also Pulte Homes, Inc. v. Laborers’ International Union of North America, 648 F.3d 295, 303–04 (6th Cir. 2011) 3 This assumes Thomas is correct that the “damage” element does not require a showing of harm. The just-quoted statutory definition does not include the words “harm” or “loss.” This contrasts with a separate subsection of the same damage statute that requires both “damage and loss,” 18 U.S.C. § 1030(a)(5)(C), with a separate statutory definition for loss, 18 U.S.C. § 1030(e)(11). But some courts addressing the damage element do require some negative effect on the system. See United States v. Yucel, 97 F. Supp. 3d 413, 420 (S.D.N.Y. 2015) (concluding that damage occurs when “the system no longer operates as it did when it first came into the owner’s possession and has an unwanted characteristic”); Trademotion, LLC v. Marketcliq, Inc., 857 F. Supp. 2d 1285, 1292 (M.D. Fla. 2012) (stating that “impairment to integrity” requires “some diminution in the completeness or usability of date or information on a computer system”). In any event, the government concedes that at least some of what Thomas and other IT professional do in the normal course of their duties constitutes damage within the meaning of the statue. So we will assume that “damage” is defined as broadly as Thomas contends because even under his definition we conclude that he lacked authorization for the particular acts of damage charged as criminal conduct. 6 Case: 16-41264 Document: 00514268309 Page: 7 Date Filed: 12/11/2017 No. 16-41264 (relying on Brekka). But there are important differences between the “access” and “damage” crimes that make it inappropriate to import access caselaw into the damage statute. Section 1030(a)(5)(A) is the only independent “damage” provision, meaning it does not also require a lack of authorization to access the computer. Contrast 18 U.S.C. § 1030(a)(5)(B), (C) (both applying to damage that results from unauthorized access of a computer). It prohibits “intentionally caus[ing] damage without authorization.” As discussed, the statute defines damage. And as numerous courts have recognized in discussing both the damage and access provisions, the ordinary meaning of “without authorization” is “without permission.” See Brekka, 581 F.3d at 1133 (quoting Random House Unabridged Dictionary to define “authorization” as “permission or power granted by an authority”); United States v. Valle, 807 F.3d 508, 524 (2d Cir. 2015) (same); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012) (defining “without authorization” as “without approval”); Yucel, 97 F. Supp. 3d at 422 (citing Webster’s Third International Dictionary); see also Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1661–62 (2003) (“[T]he damage statute uses the phrase ‘without authorization’ to mean merely ‘without permission’ . . . .”). Indeed, Thomas asked that the jury be told that “without authorization” means “without permission or authority”; he did not seek an instruction that “without authorization” is limited to those who have no rights to ever impair a system. As the caselaw and Thomas’s proposed instruction recognize, the plain meaning of the damage provision is that it makes it a crime to intentionally impair a computer system without permission. And notably, it applies to particular acts causing damage that lacked authorization. See 18 U.S.C. § 1030(e)(8) (defining damage to include a single impairment of the system). Nothing in the statutory text says it does 7 Case: 16-41264 Document: 00514268309 Page: 8 Date Filed: 12/11/2017 No. 16-41264 not apply to intentional acts of damage that lacked permission if the employee was allowed to engage at other times in other acts that impaired the system. Crimes involving unauthorized access are more numerous in the Computer Fraud and Abuse Act. See, e.g., 18 U.S.C. § 1030(a)(1), (2), (3). Some of these provisions distinguish between “intentionally access[ing] a computer without authorization,” and “exceed[ing] authorized access.” See id. § 1030(a)(1), (2). To give meaning to the separate provisions, courts have interpreted “access without authorization” as targeting outsiders who access victim systems, while “exceeds authorized access” is applied to “insiders,” such as employees of a victim company. See Valle, 807 F.3d at 524 (citing United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (en banc)). It is this attempt to police that statutory line—between those who have no permission to access a system and those who have some permission to access but exceed it—that led to the language Thomas invokes about a “no authorization” case being limited to a person with “no right[], limited or otherwise, to access the computer in question.” Brekka, 581 F.3d at 1133 (emphasis added). This ensures that “access without authorization” applies to outsiders. Indeed, Brekka begins its analysis by recognizing that “authorization” has the ordinary meaning of “permission”; the separate term “exceeds authorized access” is the source for its conclusion that access without authorization must be an all-or-nothing proposition. Id. at 1133. In addition to its support in the bifurcated statutory scheme for access crimes, a narrow reading of those statutes avoids criminalizing common conduct—like violating contractual terms of service for computer use or using a work computer for personal reasons—that lies beyond the antihacking purpose of the access statutes. See, e.g., Valle, 807 F.3d at 512–13, 526–27 (involving police officer charged with violating section 1030(a)(2)(B) for accessing a government computer for a non-law enforcement purpose); United States v. Drew, 259 F.R.D. 449, 466 (C.D. Cal. 2009) 8 Case: 16-41264 Document: 00514268309 Page: 9 Date Filed: 12/11/2017 No. 16-41264 (involving defendant charged with violating sections 1030(a)(2)(C) and 1030(c)(2)(B)(ii) for creating a fictitious profile on a social networking website and then using the account to cyberbully a teenager in violation of the website’s Terms of Service); Kerr, supra, at 1663 (“If we interpret the phrase “exceeds authorized access” to include breaches of contract, we create a remarkably broad criminal prohibition that has no connection to the rationales of criminal punishment.”). None of these concerns translates to the damage statute. “Without authorization” modifies damage rather than access. Id. at 1661 (explaining that the federal damage statute uses “without authorization” in “a very different way” from how it is used in the access statutes). Section 1030(a)(5)(A) makes no distinction between all-or-nothing authorization and degrees of authorization. Its text therefore covers situations when the individual never had permission to damage the system (an outsider) or when someone who might have permission for some damaging acts causes other damage that is not authorized (an insider). Tellingly, other subsections of the same damage statute are limited to those who inflict damage while “intentionally access[ing] a protected computer without authorization.” 18 U.S.C. § 1030(a)(5)(B), (C). Because section 1030(a)(5)(A) is the one subsection of the damage statute that also applies to insiders, it would make no sense to import a limitation from the access statutes that is aimed at excluding insider liability. In support of his attempt to extend to the damage statute the limitation courts have read into the “access without authorization” statutes, Thomas cites the “presumption that identical words used in different parts of the same act are intended to have the same meaning.” Atlantic Cleaners & Dyers, Inc. v. United States, 286 U.S. 427, 433 (1932). But in light of the significant statutory differences between the access and damage crimes, Chief Justice Marshall’s corollary to the “consistent usage” canon is more apt: “It has been also said, that the same 9 Case: 16-41264 Document: 00514268309 Page: 10 Date Filed: 12/11/2017 No. 16-41264 words have not necessarily the same meaning attached to them when found in different parts of the same instrument: their meaning is controlled by context. This is undoubtedly true.” Cherokee Nation v. Georgia, 30 U.S. 1, 19 (1831), quoted in Antonin Scalia & Bryan Garner, READING LAW: THE INTERPRETATION OF LEGAL TEXTS 171 (2012). Nor is there a significant threat that liability under the damage statute would extend to largely innocuous conduct because the requirement of “intentionally causing damage” narrows the statute’s reach. Cf. Kerr, supra, at 1660–62 (stating that section 1030(a)(5)(A) “adds a very important weapon to the arsenal of computer crime statutes” and complements the access statutes that present a serious risk of being applied too broadly). Applying the damage statute to employees like Thomas also does not extend the law beyond what Congress intended. The Senate Report on the 1996 amendments to the Computer Fraud and Abuse Act stated that section 1030(a)(5)(A) “protect[s] computers and computer systems . . . from damage both by outsiders, who gain access to a computer without authorization, and by insiders, who intentionally damage a computer.” S. Rep. No. 104-357, at 9 (1996). It characterized these dual threats as “outside hackers” and “malicious insiders.” Id. at 9. This repeated emphasis that the damage statute would apply equally to both threats 4 was made with full awareness, from the time the statute was first enacted a decade earlier that, as Thomas emphasizes, employees are sometimes permitted or even required to engage in “repair activities.” S. Rep. No. 99-432, at 12 (1986). Such acts that are “necessary to the repair” of the system, would not be criminal because they are authorized. Id. The statute’s mens rea was also cited as a limitation on the statute’s reach. S. Rep. No. 104- 4 See also S. Rep. No. 104-357, at 10 (stating that section 1030(a)(5)(A) “would cover anyone who intentionally damages a computer, regardless of whether they were an outsider or an insider otherwise authorized to access the computer”). 10 Case: 16-41264 Document: 00514268309 Page: 11 Date Filed: 12/11/2017 No. 16-41264 357, at 11 (“[I]nsiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer.” 5 (emphasis added)). By providing immunity from the damage statute to any “malicious insider” who was permitted to cause “damage” in some situations as part of his job duties, Thomas’s interpretation would substantially curtail the statute’s intended reach. So Thomas’s reading of “without authorization” is at odds with the statutory language and legislative intent. His offered construction thus finds no recourse in the rule of lenity because there is no interpretive tie for that principle to break. United States v. Castleman, 134 S. Ct. 1405, 1416 (2014) (stating that “the rule of lenity only applies if, after considering text, structure, history, and purpose, there remains a grievous ambiguity or uncertainty in the statute, such that the Court must simply guess as to what Congress intended” (internal quotation marks omitted)). We conclude that Section 1030(a)(5)(A) prohibits intentionally damaging a computer system when there was no permission to engage in that particular act of damage. To the extent more is needed to flesh out the scope of “permission” when a defendant has some general authority to impair a network, there is helpful guidance in one of our cases addressing an access statute, which if anything should define authorization more narrowly for the reasons we have discussed. United States v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007). Phillips says to look at the “expected norms of intended use.” Id. 5 This statement that insiders are only liable for intentionally causing damage is further support for the point made above that section 1030(a)(5)(A) is the only damage provision that can apply to insiders. The other two damage provisions, which require unauthorized access, have lower mens rea requirements. Section 1030(a)(5)(B) applies to recklessly causing damage. Section 1030(a)(5)(C) imposes strict liability when it comes to the damage requirement, though the conduct must result in both “damage and loss.” 11 Case: 16-41264 Document: 00514268309 Page: 12 Date Filed: 12/11/2017 No. 16-41264 B. With this understanding of the damage statute, we turn to the more typical sufficiency review and evaluate whether the evidence supported the conviction. This analysis usually begins with talk of the considerable deference the jury’s view of the evidence should receive, with it getting to make credibility determinations, draw reasonable inferences, and the like. United States v. Winkler, 639 F.3d 692, 696 (5th Cir. 2011). Reliance on that standard of review is unnecessary here as there is overwhelming evidence to support the jury’s view that Thomas did not have permission to engage in the weekend damage campaign. The nature of Thomas’s conduct is highly incriminating. No reasonable employee could think he had permission to stop the system from providing backups, or to delete files outside the normal protocols, or to falsify contact information in a notification system, or to set a process in motion that would prevent users from remotely accessing the network. Phillips, 477 F.3d at 220 (affirming jury finding of lack of authorization to launch a brute-force attack program when that would not be permissible “within the understanding of any reasonable computer user”). Thomas emphasizes the unlimited access he had to the system that gave him the ability to inflict this damage. But it is not conceivable that any employee, regardless of their level of computer access, would be authorized to cause these problems. The incidents for which Thomas was held liable were nothing like the periodic acts he performed as part of his duties. Those tasks may have impaired the system on a limited basis in order to benefit the computer network in the long run. Routine deletions of old files provide that benefit by increasing storage space. Taking systems offline allows for necessary maintenance. In contrast, the various types of damage Thomas caused during the last few days before he resigned resulted in over $130,000 in remediation costs. Regardless of whether the definition of “damage” under 12 Case: 16-41264 Document: 00514268309 Page: 13 Date Filed: 12/11/2017 No. 16-41264 the statute requires a showing of harm, impairments that harm the system are much less likely to be authorized than those that benefit the system. It would rarely if ever make sense for an employer to authorize an employee to harm its computer system. The harmful acts themselves would be enough to support the verdict, but Thomas’s words and conduct in response to the criminal investigation provide additional support. When questioned by federal agents, he acknowledged the distinction we have just made. He did not say that he caused the damage in order to maintain or improve the system; instead, his motive was to make things more difficult for the person hired to replace him. And his flight to Brazil is not what is expected of someone who had permission to engage in the conduct being investigated. See Allen v. United States, 164 U.S. 492, 499 (1896) (“[T]he law is entirely well settled that the flight of the accused is competent evidence against him as having a tendency to establish his guilt.”). The circumstances surrounding the damaging acts provide even more support for the finding of guilt. Thomas committed the various acts one after the other in a concentrated time span beginning Friday evening and continuing through the weekend. Thomas did most of this from home, but the one time he had to go the office he did so using another employee’s credentials. One of his acts—falsification of contact information in the alert system—prevented Thomas’s conduct from being detected during the weekend as employees would not receive notifications about the damage to the system. He submitted his resignation immediately after completing the damage spree and timed the most damaging act—the one that would prevent remote access—so that it would not occur until he was gone. Why this sequence of events if Thomas had permission to cause the damage? 13 Case: 16-41264 Document: 00514268309 Page: 14 Date Filed: 12/11/2017 No. 16-41264 All of this provided ample support to conclude that Thomas lacked permission to inflict the damage he caused. As that question of authorization is the only element he challenges, sufficient evidence supports the conviction. III. What we have just said about the straightforward application of the damage statute to Thomas’s conduct also dooms his claim that the law is unconstitutionally vague. That is because even if a statute might be vague when applied to some situations, “a defendant whose conduct is clearly prohibited cannot be the one making that challenge.” United States v. Westbrooks, 858 F.3d 317, 325 (5th Cir. 2017). Further proof that Thomas’s conduct is a paradigmatic application of section 1030(a)(5)(A) comes from its similarity to a hypothetical use of the statute that a leading computer crime scholar foresaw years ago. Professor Kerr provided the following example that is essentially this case but for a twist that the employee is upset about his own employment situation rather than a colleague’s: Employee sabotage: Sam is a computer programmer who is angry at his employer for denying him a promotion. Sam decides to take revenge by deleting some of his employer’s important files, and by launching a denial-of-service attack that overwhelms his company’s webserver with requests and takes it offline for a few hours. The deletion of the files will not constitute an unauthorized access. Sam accessed his employer’s computer when he used it to delete files, but as a programmer he was authorized to access those files and therefore has not committed access without authorization. Similarly, the denial-of-service attack will not itself constitute an unauthorized access crime. Sending the data to the computer does access the computer, but the access is not without authorization: The webserver has been configured to accept all web traffic requests, such that sending many requests will not circumvent any code-based restrictions. 14 Case: 16-41264 Document: 00514268309 Page: 15 Date Filed: 12/11/2017 No. 16-41264 Sam does not avoid criminal liability, however. The deletion of the files may constitute destruction of property or conversion and, depending on the applicable state laws, he could be prosecuted under general property crime statutes. Sam could also be prosecuted for damaging the computer under the federal computer damage statute, 18 U.S.C. § 1030(a)(5)(A)(i). Kerr, supra, at 1664–65 (emphasis added). The law review article is not all that undermines the contention that Thomas lacked notice that his conduct was criminal. Just a couple weeks after the damage spree, and before the FBI had contacted Thomas, he told the friend whose firing had set this in motion that “he thought he might have broken the law.” Which law, the friend inquired? Thomas’s response: “the Computer Fraud and Abuse Act.” * * * The judgment of the district court is AFFIRMED. 15