IT Admin Faces Felony for Deleting Files Under Flawed Hacking Law
Hacking laws are generally intended to punish, well, hacking—not the digital equivalent of destroying the office printer on the day you quit.
But when IT administrator Michael Thomas deleted a collection of files before leaving his job at the auto dealership software firm ClickMotive in 2011, the 37-year-old Texan wasn’t merely charged with destruction of property or sued by his ex-employer for damages. Instead, he’s been charged with a felony count of violating the Computer Fraud and Abuse Act, (CFAA) a law passed in 1986 to prevent and prosecute malicious hacking. The charges could carry up to 10 years in prison and $250,000 in penalties—and have already led to the seizure of Thomas’s proceeds from the sale of his house. And as Thomas’s trial begins today in the Eastern District of Texas, his defense attorneys and some legal observers argue that his case represents yet another new form of prosecutorial overreach based on the CFAA’s long-controversial and overbroad measures.
The new wrinkle in Thomas’s case, says his lawyer and well-known hacker defense attorney Tor Ekeland, is that Thomas hasn’t been charged with “unauthorized access”—the usual crime of hackers who break into computer systems. In fact, Ekeland says Thomas’s role as a systems administrator gave him all the authorization he needed to routinely delete the sort of files he deleted on his last days at ClickMotive. Instead, because his employer interpreted his actions as malicious and claimed more than $5,000 in damages as a result of them, he’s been charged with “unauthorized damages,” a rarer and even more loosely defined provision of the CFAA. And Ekeland argues that relatively new use of the CFAA could set a troubling precedent for how it can be used against a firm’s own authorized employees.
“Consider the fact that you’re a systems administrator at any company, and you get into an employment dispute,” says Ekeland. “Your employer gets pissed off and bang, you’re facing felony counts, a statutory maximum of ten years because you deleted some emails when you went out the door. That has real implications for the IT industry.”
According to his indictment, in December 2011 Thomas deleted 615 backup files from ClickMotive’s servers, as well as half a dozen pages of the company’s internal wiki. He also turned off automatic backup settings for several different parts of the company’s network. All of that, the indictment reads, was “sabotage…in retaliation for business decisions” made by ClickMotive. Thomas’s defense attorneys say that in the days before those deletions, two of his colleagues had been laid off. Thomas himself quit shortly after deleting the files, leaving a note behind offering his services as an independent IT consultant.
None of that sounds like particularly admirable behavior for an IT administrator. But Thomas’s defense argues that all of the 615 backup files he deleted were replicated somewhere in ClickMotive’s current production systems, casting doubt on whether he was really intending to damage the company. Neither ClickMotive nor prosecutors for the Eastern District of Texas responded to WIRED’s request for comment.
But more to the point, even if those actions were damaging or malicious, they don’t sound like the sort of misbehavior that should be addressed with a hacking law, says Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation. Instead, it sounds like the sort of employer-employee business dispute that’s usually solved with a civil lawsuit. “What this guy was alleged to have done was awful and he shouldn’t have done it, and he should be held accountable with civil law, and he should pay a price in money if what he did cost money,” Cardozo says. “Ten years in prison is insane.”
In fact, ClickMotive did initially seem to be considering suing Thomas immediately after he quit, sending him a subpoena ordering him to submit to a deposition. But it inexplicably dropped that suit in 2012 when the criminal investigation against him began. In 2013, Thomas turned down a plea agreement and—rather unwisely—decided to flee the United States for Sao Paulo, Brazil, where his wife’s family lived. In response, prosecutors filed a motion that requested the court to seize all his American assets, including the proceeds of the sale of his home in Texas. He’s since voluntarily returned to the U.S. to face trial, but has been jailed without bail after prosecutors argued that he represented a flight risk.
EFF’s Cardozo says the case could hold significance for how prosecutors are able to use—or abuse—the CFAA. He argues that the Eastern District of Texas prosecutors’ application of the “unauthorized damages” provision of the CFAA mirrors controversial cases where defendants have been accused of “unauthorized access” because they merely violated the terms of service of a website. But that practice of prosecuting terms of service violations has fallen out of favor among prosecutors since a federal judge ruled that alleged cyberbully Lori Drew couldn’t be convicted under the CFAA for violating Myspace’s terms of service.
This case raises a different but parallel concern: That what counts as “unauthorized damages” is determined by an employee’s agreement with his or her employer, a contract that has just as little to do with computer hacking as a website’s terms of service. Cases like U.S. vs. Nosal and U.S. vs. Valle have found employment agreements can’t be the basis for CFAA charges of unauthorized access or exceeding authorized access. But Thomas’s case and its “unauthorized damages” charge raises that question again, this time for behavior that may fall entirely within the defendant’s job description.
“If this defendant is convicted and the conviction is upheld, it opens the door to the prosecution of anyone who does their job in a way that their employer can reasonably argue violates their employment agreement,” says Cardozo. “What used to be an employment law issue or contract law issue all of a sudden becomes a felony…A felony conviction for breaking your employer’s policies is not what the CFAA is for.”