A Texas Jury’s Guilty Verdict Should Worry IT Admins

If you’re a systems administrator working in the United States, a recent decision from 12 Texan jurors should give you a moment of pause before you next hit the delete key.

On Wednesday last week, a jury in the trial of 37-year-old Michael Thomas found him guilty of violating the Computer Fraud and Abuse Act, a verdict that carries a maximum sentence of 10 years in prison and a fine of up to $250,000. But unlike the typical defendant convicted under that controversial and vague computer hacking law, Thomas can hardly be called a hacker: He was accused of deleting a collection of his employer’s files before leaving his job as a systems administrator at the auto dealership software firm ClickMotive in 2011. Critics of the CFAA say that Thomas’s prosecution, and now his conviction, reveals a dangerous facet of the law: an IT staffer can be charged with a felony simply for doing something that their employer later deems to be “damaging.”

As Thomas’s lawyer Tor Ekeland has pointed out, Thomas wasn’t charged with the usual CFAA violation of accessing a computer “without authorization” or “exceeding authorized access,” but rather with intentionally causing “damage without authorization” (18 U.S.C. § 1030(a)(5)(A)), an even murkier element of the law that concedes Thomas’s job gave him full authorized access to ClickMotive’s systems. Thomas’s guilty verdict, argues Ekeland, is “dangerous for anyone working in the IT industry. If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony.”

Prosecutors in the Eastern District of Texas, where Thomas was tried, called the case a victory. “The jury’s verdict in this case sends an important message to IT professionals everywhere: an employee in the defendant’s position holds the proverbial keys to the kingdom and with that power comes great responsibility,” wrote U.S. Attorney Bales in a press statement. “Intentionally causing damage to a computer system without authorization is a criminal act that can and will be prosecuted.”

Over Thomas’s three-day trial, the prosecution presented evidence that Thomas intentionally harmed ClickMotive by combing through executives’ email, tampering with the network’s error-alert system, and changing authentication settings that disabled the company’s VPN for remote employees. He also deleted 615 backup files and some pages of an internal wiki. “When he did this act with the intent to mess with his company, that rose to the level of a criminal act,” says assistant U.S. attorney Camelia Lopez, one of the prosecutors in the case. “It wasn’t accidental…and it was beyond the scope of normal practices and procedures.”

ClickMotive, which was later acquired by the larger auto dealership software firm DealerTrack, claims that those changes caused $140,000 in damages as it struggled to determine the extent of Thomas’s tampering. Under the CFAA, intentionally causing damage that results in a loss of at least $5,000 within a one-year period is a felony. “The fact that [Thomas] let this fire burn is the reason we pursued the case,” says Lopez.

Thomas is accused of seeking to harm ClickMotive as revenge after two of his fellow IT staffers were laid off. But despite that motivation, his defense points to a certain ambivalence: he seems to have stopped far short of maximizing the amount of damage he could do. The defense detailed at trial how Thomas went into the company’s offices the weekend before he quit, just days after those layoffs, to help defend the company against a denial-of-service attack on its website and to repair a cascading power outage problem. And the 615 backup files he deleted were all replicated elsewhere on the network. “They’ve destroyed this guy’s life over the fact that he worked on a Sunday to keep the company going, and then deleted some files on the way out to say fuck you to his boss,” says Ekeland.

Ekeland also points out that the prosecution never entered Thomas’s employment agreement as evidence, and yet used that agreement to define the “unauthorized damages” that constitute his crime. “There was not a single communication produced at trial, a single written document that showed he wasn’t authorized to do what he did,” says Ekeland. “After the fact, your boss says ‘that wasn’t authorized,’ you violated an unwritten policy, and bang, you’re hit with a felony.”

Aside from the specific terms of Thomas’s employment, Electronic Frontier Foundation attorney Nate Cardozo points to the prosecution as a dangerous use of the CFAA, and one that should have been settled with a civil lawsuit. “What this guy was alleged to have done was awful and he shouldn’t have done it, and he should be held accountable with civil law, and he should pay a price in money if what he did cost money,” Cardozo told WIRED last week. “Ten years in prison is insane.”

Thomas’s defense team says they plan to ask the trial judge to set aside the verdict with a Rule 29 motion for judgment of acquittal, and if that fails, to appeal. They point to cases like the corporate espionage case U.S. v. Nosal and U.S. v. Valle, the so-called “cannibal cop” case in which a New York police officer looked up information on private individuals as part of a bizarre stalking and cannibalism fetish, in which appeals courts have already held that violating an employer’s computer-use policy or employment contract is not by itself a CFAA offense. “The court should not be delegating the drafting of criminal law to the people who write employment contracts,” says defense attorney Aaron Williamson. “We think that issue is 100-percent at play in our case.”

But prosecutor Camelia Lopez counters that the CFAA, as written, criminalizes Thomas’s actions. “The language is pretty clear when we read it, and the definitions are very broad,” she says. “If it’s a statute that can be better defined, I hope the higher courts will be able to sort that out. We’d all benefit from that.”
