AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âď¸Legal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.001 - $0.003 per brief
Full Opinion
Case: 16-41264 Document: 00514268309 Page: 1 Date Filed: 12/11/2017
IN THE UNITED STATES COURT OF APPEALS
FOR THE FIFTH CIRCUIT
United States Court of Appeals
Fifth Circuit
No. 16-41264 FILED
December 11, 2017
UNITED STATES OF AMERICA, Lyle W. Cayce
Clerk
Plaintiff - Appellee
v.
MICHAEL THOMAS,
Defendant - Appellant
Appeal from the United States District Court
for the Eastern District of Texas
Before WIENER, HIGGINSON, and COSTA, Circuit Judges.
GREGG COSTA, Circuit Judge:
Michael Thomas worked as the Information Technology Operations
Manager for ClickMotive, LP, a software and webpage hosting company. Upset
that a coworker had been fired, Thomas embarked on a weekend campaign of
electronic sabotage. He deleted over 600 files, disabled backup operations,
eliminated employees from a group email a client used to contact the company,
diverted executivesâ emails to his personal account, and set a âtime bombâ that
would result in employees being unable to remotely access the companyâs
network after Thomas submitted his resignation. Once ClickMotive discovered
what Thomas did, it incurred over $130,000 in costs to fix these problems.
Case: 16-41264 Document: 00514268309 Page: 2 Date Filed: 12/11/2017
No. 16-41264
A jury found Thomas guilty of âknowingly caus[ing] the transmission of
a program, information, code, or command, and as a result of such conduct,
intentionally caus[ing] damage without authorization, to a protected
computer.â 18 U.S.C. § 1030(a)(5)(A). Thomas challenges the âwithout
authorizationâ requirement of this provision of the Computer Fraud and Abuse
Act. He contends that because his IT job gave him full access to the system
and required him to âdamageâ the systemâfor example, at times his duties
included deleting certain filesâhis conduct did not lack authorization. In
support of his view that the statute does not reach those whose access to a
system includes the ability to impair it, Thomas invokes the rule of lenity and
principle that vague statutes cannot be enforced. But we conclude that
Thomasâs conduct falls squarely within the ordinary meaning of the statute
and affirm his conviction.
I.
Thomasâs duties at ClickMotive included network administration;
maintaining production websites; installing, maintaining, upgrading, and
troubleshooting network servers; ensuring system security and data integrity;
and performing backups. He was granted full access to the network operating
system and had the authority to access any data and change any setting on the
system. Thomas was expected to perform his duties using his âbest efforts and
judgment to produce maximum benefitâ to ClickMotive.
Thomas was not happy when his friend in the IT department was fired.
It was not just a matter of loyalty to his former colleague; a smaller IT staff
meant more work for Thomas. So Thomas, to use his word, âtinkeredâ with the
companyâs system. The tinkering, which started on a Friday evening and
continued through Monday morning, included the following:
⢠He deleted 625 files of backup history and deleted automated commands
2
Case: 16-41264 Document: 00514268309 Page: 3 Date Filed: 12/11/2017
No. 16-41264
set to perform future backups.
⢠He issued a command to destroy the virtual machine 1 that performed
ClickMotiveâs backups for one of its servers and then Thomas failed to
activate its redundant pair, ensuring that the backups would not occur.
⢠He tampered with ClickMotiveâs pager notification system by entering
false contact information for various company employees, ensuring that
they would not receive any automatically-generated alerts indicating
system problems.
⢠He triggered automatic forwarding of executivesâ emails to an external
personal email account he created during the weekend.
⢠He deleted pages from ClickMotiveâs internal âwiki,â an online system of
internal policies and procedures that employees routinely used for
troubleshooting computer problems.
⢠He manually changed the setting for an authentication service that
would eventually lead to the inability of employees to work remotely
through VPN. Changing the setting of the VPN authentication service
set a time bomb that would cause the VPN to become inoperative when
someone rebooted the system, a common and foreseeable maintenance
function.
⢠And he removed employees from e-mail distribution groups created for
the benefit of customers, leading to customersâ requests for support going
unnoticed.
Thomas was able to engage in most of this conduct from home, but he
did set the VPN time bomb on Sunday evening from ClickMotiveâs office, which
he entered using another employeeâs credentials. It was during this visit to
the office that Thomas left his resignation letter that the company would see
1 âA virtual machine is a self-contained operating environment that isolates an
application from the entire computer on which it runs, denying the application access to other
compartments of the system.â Jonathan L. Zittrain, The Generative Internet, 119 HARV. L.
REV. 1974, 2037 n.220 (2006).
3
Case: 16-41264 Document: 00514268309 Page: 4 Date Filed: 12/11/2017
No. 16-41264
the next day. When the dust settled, the company incurred over $130,000 in
out-of-pocket expenses and employeesâ time to undo the harm Thomas caused.
In a subsequent interview with the FBI, Thomas stated that he engaged in this
conduct because he was âfrustratedâ with the company and wanted to make
the job harder for the person who would replace him.
A grand jury eventually charged Thomas with the section 1030(a)(5)(A)
offense. But two days before the grand jury met, Thomas fled to Brazil. Nearly
three years later, Thomas was arrested when he surrendered to FBI agents at
Dallas/Fort Worth International Airport.
At trial, company employees and outside IT experts testified that none
of the problems ClickMotive experienced as a result of Thomasâs actions would
be attributable to a normal system malfunction. They further stated that
Thomasâs actions were not consistent with normal troubleshooting and
maintenance or consistent with mistakes made by a novice. ClickMotive
employees asserted that it was strange for the wiki pages to be missing and
that someone in Thomasâs position would know that changing the setting of
the VPN authentication service would cause it to become inoperative when
someone rebooted the system.
ClickMotiveâs employee handbook was not offered at trial and there was
no specific company policy that governed the deletions of backups, virtual
machines, or wiki modifications. Employees explained, however, that there
were policies prohibiting interfering with ClickMotiveâs normal course of
business and the destruction of its assets, such as a virtual machine or
company data. Thomasâs own Employment Agreement specified he was bound
by policies that were reasonably necessary to protect ClickMotiveâs legitimate
interests in its clients, customers, accounts, and work product.
The jury instructions included the statutory definition of âdamage,â
which is âany impairment to the integrity or availability of data, a program, a
4
Case: 16-41264 Document: 00514268309 Page: 5 Date Filed: 12/11/2017
No. 16-41264
system, or information.â 18 U.S.C. § 1030(e)(8). The district court denied
Thomasâs proposed instruction for âwithout authorization,â which was âwithout
permission or authority.â It did not define the phrase.
After the jury returned a guilty verdict, the district court sentenced
Thomas to time served (which was the four months since he had been detained
after returning to the country), plus three years of supervised release, and
ordered restitution of $131,391.21. Thomas then filed an unsuccessful motion
for judgment of acquittal. That motion, like this appeal, argued that the
evidence was not sufficient to convict Thomas because he was authorized to
damage the computer as part of his routine IT duties.
II.
A.
Although raised in the context of a sufficiency challenge which usually
focuses on the evidence, Thomasâs argument is principally a question of
statutory interpretation. 2 So we will begin with an analysis of the statute as
the elements of the statute establish what the evidence must prove.
Because Thomasâs argument that he was authorized to damage a
computer seems nonsensical at first glance, it is helpful at the outset to explain
the steps he takes to get there. He first points out that his job duties included
âroutinely deleting data, removing programs, and taking systems offline for
diagnosis and maintenance.â Thomas says this conduct damaged the computer
within the meaning of the Computer Fraud and Abuse Act because damage is
2 We often see arguments focusing on the meaning of words in a criminal statute
raised via a challenge to the jury instruction. But as will be discussed, Thomasâs requested
instruction of âwithout authorizationâ did not include the limiting language he urges on
appeal. This explains why a sufficiency challenge is the vehicle for his statutory argument.
The government does not contend that his request for a different definition in the jury
instruction estops him from arguing for a more limited definition in the context of a
sufficiency challenge.
5
Case: 16-41264 Document: 00514268309 Page: 6 Date Filed: 12/11/2017
No. 16-41264
defined to just mean âany impairment to the integrity or availability of data, a
program, a system, or information,â 18 U.S.C. § 1030(e)(8); there is no
requirement of harm. And the damage he caused by engaging in these routine
tasks was not âwithout authorizationâ because it was part of his job. So far, so
good. 3 Next comes the critical leap: Thomas argues that because he was
authorized to damage the computer when engaging in these routine tasks, any
damage he caused while an employee was not âwithout authorization.â Thus
he cannot be prosecuted under section 1030(a)(5)(A). This argument is far
reaching. If Thomas is correct, then the damage statute would not reach any
employee who intentionally damaged a computer system as long as any part of
that employeeâs job included deleting files or taking systems offline.
Thomasâs support for reading the statute to cover only individuals who
âhad no rights, limited or otherwise [to] impairâ a system comes from cases
addressing the separate âaccessâ provisions of section 1030. See, e.g., LVRC
Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (â[A] person who
uses a computer âwithout authorizationâ has no rights, limited or otherwise, to
access the computer in question.â); see also Pulte Homes, Inc. v. Laborersâ
International Union of North America, 648 F.3d 295, 303â04 (6th Cir. 2011)
3 This assumes Thomas is correct that the âdamageâ element does not require a
showing of harm. The just-quoted statutory definition does not include the words âharmâ or
âloss.â This contrasts with a separate subsection of the same damage statute that requires
both âdamage and loss,â 18 U.S.C. § 1030(a)(5)(C), with a separate statutory definition for
loss, 18 U.S.C. § 1030(e)(11). But some courts addressing the damage element do require
some negative effect on the system. See United States v. Yucel, 97 F. Supp. 3d 413, 420
(S.D.N.Y. 2015) (concluding that damage occurs when âthe system no longer operates as it
did when it first came into the ownerâs possession and has an unwanted characteristicâ);
Trademotion, LLC v. Marketcliq, Inc., 857 F. Supp. 2d 1285, 1292 (M.D. Fla. 2012) (stating
that âimpairment to integrityâ requires âsome diminution in the completeness or usability of
date or information on a computer systemâ). In any event, the government concedes that at
least some of what Thomas and other IT professional do in the normal course of their duties
constitutes damage within the meaning of the statue. So we will assume that âdamageâ is
defined as broadly as Thomas contends because even under his definition we conclude that
he lacked authorization for the particular acts of damage charged as criminal conduct.
6
Case: 16-41264 Document: 00514268309 Page: 7 Date Filed: 12/11/2017
No. 16-41264
(relying on Brekka). But there are important differences between the âaccessâ
and âdamageâ crimes that make it inappropriate to import access caselaw into
the damage statute.
Section 1030(a)(5)(A) is the only independent âdamageâ provision,
meaning it does not also require a lack of authorization to access the computer.
Contrast 18 U.S.C. § 1030(a)(5)(B), (C) (both applying to damage that results
from unauthorized access of a computer). It prohibits âintentionally caus[ing]
damage without authorization.â As discussed, the statute defines damage.
And as numerous courts have recognized in discussing both the damage and
access provisions, the ordinary meaning of âwithout authorizationâ is âwithout
permission.â See Brekka, 581 F.3d at 1133 (quoting Random House
Unabridged Dictionary to define âauthorizationâ as âpermission or power
granted by an authorityâ); United States v. Valle, 807 F.3d 508, 524 (2d Cir.
2015) (same); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204
(4th Cir. 2012) (defining âwithout authorizationâ as âwithout approvalâ); Yucel,
97 F. Supp. 3d at 422 (citing Websterâs Third International Dictionary); see also
Orin S. Kerr, Cybercrimeâs Scope: Interpreting âAccessâ and âAuthorizationâ in
Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1661â62 (2003) (â[T]he
damage statute uses the phrase âwithout authorizationâ to mean merely
âwithout permissionâ . . . .â). Indeed, Thomas asked that the jury be told that
âwithout authorizationâ means âwithout permission or authorityâ; he did not
seek an instruction that âwithout authorizationâ is limited to those who have
no rights to ever impair a system. As the caselaw and Thomasâs proposed
instruction recognize, the plain meaning of the damage provision is that it
makes it a crime to intentionally impair a computer system without
permission. And notably, it applies to particular acts causing damage that
lacked authorization. See 18 U.S.C. § 1030(e)(8) (defining damage to include a
single impairment of the system). Nothing in the statutory text says it does
7
Case: 16-41264 Document: 00514268309 Page: 8 Date Filed: 12/11/2017
No. 16-41264
not apply to intentional acts of damage that lacked permission if the employee
was allowed to engage at other times in other acts that impaired the system.
Crimes involving unauthorized access are more numerous in the
Computer Fraud and Abuse Act. See, e.g., 18 U.S.C. § 1030(a)(1), (2), (3). Some
of these provisions distinguish between âintentionally access[ing] a computer
without authorization,â and âexceed[ing] authorized access.â See id.
§ 1030(a)(1), (2). To give meaning to the separate provisions, courts have
interpreted âaccess without authorizationâ as targeting outsiders who access
victim systems, while âexceeds authorized accessâ is applied to âinsiders,â such
as employees of a victim company. See Valle, 807 F.3d at 524 (citing United
States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (en banc)). It is this attempt
to police that statutory lineâbetween those who have no permission to access
a system and those who have some permission to access but exceed itâthat led
to the language Thomas invokes about a âno authorizationâ case being limited
to a person with âno right[], limited or otherwise, to access the computer in
question.â Brekka, 581 F.3d at 1133 (emphasis added). This ensures that
âaccess without authorizationâ applies to outsiders. Indeed, Brekka begins its
analysis by recognizing that âauthorizationâ has the ordinary meaning of
âpermissionâ; the separate term âexceeds authorized accessâ is the source for
its conclusion that access without authorization must be an all-or-nothing
proposition. Id. at 1133. In addition to its support in the bifurcated statutory
scheme for access crimes, a narrow reading of those statutes avoids
criminalizing common conductâlike violating contractual terms of service for
computer use or using a work computer for personal reasonsâthat lies beyond
the antihacking purpose of the access statutes. See, e.g., Valle, 807 F.3d at
512â13, 526â27 (involving police officer charged with violating section
1030(a)(2)(B) for accessing a government computer for a non-law enforcement
purpose); United States v. Drew, 259 F.R.D. 449, 466 (C.D. Cal. 2009)
8
Case: 16-41264 Document: 00514268309 Page: 9 Date Filed: 12/11/2017
No. 16-41264
(involving defendant charged with violating sections 1030(a)(2)(C) and
1030(c)(2)(B)(ii) for creating a fictitious profile on a social networking website
and then using the account to cyberbully a teenager in violation of the websiteâs
Terms of Service); Kerr, supra, at 1663 (âIf we interpret the phrase âexceeds
authorized accessâ to include breaches of contract, we create a remarkably
broad criminal prohibition that has no connection to the rationales of criminal
punishment.â).
None of these concerns translates to the damage statute. âWithout
authorizationâ modifies damage rather than access. Id. at 1661 (explaining
that the federal damage statute uses âwithout authorizationâ in âa very
different wayâ from how it is used in the access statutes). Section 1030(a)(5)(A)
makes no distinction between all-or-nothing authorization and degrees of
authorization. Its text therefore covers situations when the individual never
had permission to damage the system (an outsider) or when someone who
might have permission for some damaging acts causes other damage that is
not authorized (an insider). Tellingly, other subsections of the same damage
statute are limited to those who inflict damage while âintentionally access[ing]
a protected computer without authorization.â 18 U.S.C. § 1030(a)(5)(B), (C).
Because section 1030(a)(5)(A) is the one subsection of the damage statute that
also applies to insiders, it would make no sense to import a limitation from the
access statutes that is aimed at excluding insider liability. In support of his
attempt to extend to the damage statute the limitation courts have read into
the âaccess without authorizationâ statutes, Thomas cites the âpresumption
that identical words used in different parts of the same act are intended to
have the same meaning.â Atlantic Cleaners & Dyers, Inc. v. United States, 286
U.S. 427, 433 (1932). But in light of the significant statutory differences
between the access and damage crimes, Chief Justice Marshallâs corollary to
the âconsistent usageâ canon is more apt: âIt has been also said, that the same
9
Case: 16-41264 Document: 00514268309 Page: 10 Date Filed: 12/11/2017
No. 16-41264
words have not necessarily the same meaning attached to them when found in
different parts of the same instrument: their meaning is controlled by context.
This is undoubtedly true.â Cherokee Nation v. Georgia, 30 U.S. 1, 19 (1831),
quoted in Antonin Scalia & Bryan Garner, READING LAW: THE INTERPRETATION
OF LEGAL TEXTS 171 (2012).
Nor is there a significant threat that liability under the damage statute
would extend to largely innocuous conduct because the requirement of
âintentionally causing damageâ narrows the statuteâs reach. Cf. Kerr, supra,
at 1660â62 (stating that section 1030(a)(5)(A) âadds a very important weapon
to the arsenal of computer crime statutesâ and complements the access statutes
that present a serious risk of being applied too broadly). Applying the damage
statute to employees like Thomas also does not extend the law beyond what
Congress intended. The Senate Report on the 1996 amendments to the
Computer Fraud and Abuse Act stated that section 1030(a)(5)(A) âprotect[s]
computers and computer systems . . . from damage both by outsiders, who gain
access to a computer without authorization, and by insiders, who intentionally
damage a computer.â S. Rep. No. 104-357, at 9 (1996). It characterized these
dual threats as âoutside hackersâ and âmalicious insiders.â Id. at 9. This
repeated emphasis that the damage statute would apply equally to both
threats 4 was made with full awareness, from the time the statute was first
enacted a decade earlier that, as Thomas emphasizes, employees are
sometimes permitted or even required to engage in ârepair activities.â S. Rep.
No. 99-432, at 12 (1986). Such acts that are ânecessary to the repairâ of the
system, would not be criminal because they are authorized. Id. The statuteâs
mens rea was also cited as a limitation on the statuteâs reach. S. Rep. No. 104-
4 See also S. Rep. No. 104-357, at 10 (stating that section 1030(a)(5)(A) âwould cover
anyone who intentionally damages a computer, regardless of whether they were an outsider
or an insider otherwise authorized to access the computerâ).
10
Case: 16-41264 Document: 00514268309 Page: 11 Date Filed: 12/11/2017
No. 16-41264
357, at 11 (â[I]nsiders, who are authorized to access a computer, face criminal
liability only if they intend to cause damage to the computer.â 5 (emphasis
added)). By providing immunity from the damage statute to any âmalicious
insiderâ who was permitted to cause âdamageâ in some situations as part of his
job duties, Thomasâs interpretation would substantially curtail the statuteâs
intended reach.
So Thomasâs reading of âwithout authorizationâ is at odds with the
statutory language and legislative intent. His offered construction thus finds
no recourse in the rule of lenity because there is no interpretive tie for that
principle to break. United States v. Castleman, 134 S. Ct. 1405, 1416 (2014)
(stating that âthe rule of lenity only applies if, after considering text, structure,
history, and purpose, there remains a grievous ambiguity or uncertainty in the
statute, such that the Court must simply guess as to what Congress intendedâ
(internal quotation marks omitted)).
We conclude that Section 1030(a)(5)(A) prohibits intentionally damaging
a computer system when there was no permission to engage in that particular
act of damage. To the extent more is needed to flesh out the scope of
âpermissionâ when a defendant has some general authority to impair a
network, there is helpful guidance in one of our cases addressing an access
statute, which if anything should define authorization more narrowly for the
reasons we have discussed. United States v. Phillips, 477 F.3d 215, 219 (5th
Cir. 2007). Phillips says to look at the âexpected norms of intended use.â Id.
5 This statement that insiders are only liable for intentionally causing damage is
further support for the point made above that section 1030(a)(5)(A) is the only damage
provision that can apply to insiders. The other two damage provisions, which require
unauthorized access, have lower mens rea requirements. Section 1030(a)(5)(B) applies to
recklessly causing damage. Section 1030(a)(5)(C) imposes strict liability when it comes to
the damage requirement, though the conduct must result in both âdamage and loss.â
11
Case: 16-41264 Document: 00514268309 Page: 12 Date Filed: 12/11/2017
No. 16-41264
B.
With this understanding of the damage statute, we turn to the more
typical sufficiency review and evaluate whether the evidence supported the
conviction. This analysis usually begins with talk of the considerable deference
the juryâs view of the evidence should receive, with it getting to make
credibility determinations, draw reasonable inferences, and the like. United
States v. Winkler, 639 F.3d 692, 696 (5th Cir. 2011). Reliance on that standard
of review is unnecessary here as there is overwhelming evidence to support the
juryâs view that Thomas did not have permission to engage in the weekend
damage campaign.
The nature of Thomasâs conduct is highly incriminating. No reasonable
employee could think he had permission to stop the system from providing
backups, or to delete files outside the normal protocols, or to falsify contact
information in a notification system, or to set a process in motion that would
prevent users from remotely accessing the network. Phillips, 477 F.3d at 220
(affirming jury finding of lack of authorization to launch a brute-force attack
program when that would not be permissible âwithin the understanding of any
reasonable computer userâ). Thomas emphasizes the unlimited access he had
to the system that gave him the ability to inflict this damage. But it is not
conceivable that any employee, regardless of their level of computer access,
would be authorized to cause these problems. The incidents for which Thomas
was held liable were nothing like the periodic acts he performed as part of his
duties. Those tasks may have impaired the system on a limited basis in order
to benefit the computer network in the long run. Routine deletions of old files
provide that benefit by increasing storage space. Taking systems offline allows
for necessary maintenance. In contrast, the various types of damage Thomas
caused during the last few days before he resigned resulted in over $130,000
in remediation costs. Regardless of whether the definition of âdamageâ under
12
Case: 16-41264 Document: 00514268309 Page: 13 Date Filed: 12/11/2017
No. 16-41264
the statute requires a showing of harm, impairments that harm the system are
much less likely to be authorized than those that benefit the system. It would
rarely if ever make sense for an employer to authorize an employee to harm its
computer system.
The harmful acts themselves would be enough to support the verdict, but
Thomasâs words and conduct in response to the criminal investigation provide
additional support. When questioned by federal agents, he acknowledged the
distinction we have just made. He did not say that he caused the damage in
order to maintain or improve the system; instead, his motive was to make
things more difficult for the person hired to replace him. And his flight to
Brazil is not what is expected of someone who had permission to engage in the
conduct being investigated. See Allen v. United States, 164 U.S. 492, 499 (1896)
(â[T]he law is entirely well settled that the flight of the accused is competent
evidence against him as having a tendency to establish his guilt.â).
The circumstances surrounding the damaging acts provide even more
support for the finding of guilt. Thomas committed the various acts one after
the other in a concentrated time span beginning Friday evening and continuing
through the weekend. Thomas did most of this from home, but the one time
he had to go the office he did so using another employeeâs credentials. One of
his actsâfalsification of contact information in the alert systemâprevented
Thomasâs conduct from being detected during the weekend as employees would
not receive notifications about the damage to the system. He submitted his
resignation immediately after completing the damage spree and timed the
most damaging actâthe one that would prevent remote accessâso that it
would not occur until he was gone. Why this sequence of events if Thomas had
permission to cause the damage?
13
Case: 16-41264 Document: 00514268309 Page: 14 Date Filed: 12/11/2017
No. 16-41264
All of this provided ample support to conclude that Thomas lacked
permission to inflict the damage he caused. As that question of authorization
is the only element he challenges, sufficient evidence supports the conviction.
III.
What we have just said about the straightforward application of the
damage statute to Thomasâs conduct also dooms his claim that the law is
unconstitutionally vague. That is because even if a statute might be vague
when applied to some situations, âa defendant whose conduct is clearly
prohibited cannot be the one making that challenge.â United States v.
Westbrooks, 858 F.3d 317, 325 (5th Cir. 2017).
Further proof that Thomasâs conduct is a paradigmatic application of
section 1030(a)(5)(A) comes from its similarity to a hypothetical use of the
statute that a leading computer crime scholar foresaw years ago. Professor
Kerr provided the following example that is essentially this case but for a twist
that the employee is upset about his own employment situation rather than a
colleagueâs:
Employee sabotage: Sam is a computer programmer who is angry
at his employer for denying him a promotion. Sam decides to take
revenge by deleting some of his employerâs important files, and by
launching a denial-of-service attack that overwhelms his
companyâs webserver with requests and takes it offline for a few
hours. The deletion of the files will not constitute an unauthorized
access. Sam accessed his employerâs computer when he used it to
delete files, but as a programmer he was authorized to access those
files and therefore has not committed access without
authorization. Similarly, the denial-of-service attack will not itself
constitute an unauthorized access crime. Sending the data to the
computer does access the computer, but the access is not without
authorization: The webserver has been configured to accept all web
traffic requests, such that sending many requests will not
circumvent any code-based restrictions.
14
Case: 16-41264 Document: 00514268309 Page: 15 Date Filed: 12/11/2017
No. 16-41264
Sam does not avoid criminal liability, however. The deletion of the
files may constitute destruction of property or conversion and,
depending on the applicable state laws, he could be prosecuted
under general property crime statutes. Sam could also be
prosecuted for damaging the computer under the federal computer
damage statute, 18 U.S.C. § 1030(a)(5)(A)(i).
Kerr, supra, at 1664â65 (emphasis added).
The law review article is not all that undermines the contention that
Thomas lacked notice that his conduct was criminal. Just a couple weeks after
the damage spree, and before the FBI had contacted Thomas, he told the friend
whose firing had set this in motion that âhe thought he might have broken the
law.â Which law, the friend inquired? Thomasâs response: âthe Computer
Fraud and Abuse Act.â
* * *
The judgment of the district court is AFFIRMED.
15