United States v. Michael Thomas, 877 F.3d 591 (2017)


    Case: 16-41264   Document: 00514268309   Page: 1   Date Filed: 12/11/2017
    IN THE UNITED STATES COURT OF APPEALS
    FOR THE FIFTH CIRCUIT
    No. 16-41264
    FILED December 11, 2017, United States Court of Appeals, Fifth Circuit, Lyle W. Cayce, Clerk
    UNITED STATES OF AMERICA,
    Plaintiff - Appellee
    v.
    MICHAEL THOMAS,
    Defendant - Appellant
    Appeal from the United States District Court
    for the Eastern District of Texas
    Before WIENER, HIGGINSON, and COSTA, Circuit Judges.
    GREGG COSTA, Circuit Judge:
    Michael Thomas worked as the Information Technology Operations
    Manager for ClickMotive, LP, a software and webpage hosting company. Upset
    that a coworker had been fired, Thomas embarked on a weekend campaign of
    electronic sabotage. He deleted over 600 files, disabled backup operations,
    eliminated employees from a group email a client used to contact the company,
    diverted executives’ emails to his personal account, and set a “time bomb” that
    would result in employees being unable to remotely access the company’s
    network after Thomas submitted his resignation. Once ClickMotive discovered
    what Thomas did, it incurred over $130,000 in costs to fix these problems.
    A jury found Thomas guilty of “knowingly caus[ing] the transmission of
    a program, information, code, or command, and as a result of such conduct,
    intentionally caus[ing] damage without authorization, to a protected
    computer.” 18 U.S.C. § 1030(a)(5)(A). Thomas challenges the “without
    authorization” requirement of this provision of the Computer Fraud and Abuse
    Act. He contends that because his IT job gave him full access to the system
    and required him to “damage” the system—for example, at times his duties
    included deleting certain files—his conduct did not lack authorization. In
    support of his view that the statute does not reach those whose access to a
    system includes the ability to impair it, Thomas invokes the rule of lenity and
    principle that vague statutes cannot be enforced. But we conclude that
    Thomas’s conduct falls squarely within the ordinary meaning of the statute
    and affirm his conviction.
    I.
    Thomas’s duties at ClickMotive included network administration;
    maintaining production websites; installing, maintaining, upgrading, and
    troubleshooting network servers; ensuring system security and data integrity;
    and performing backups. He was granted full access to the network operating
    system and had the authority to access any data and change any setting on the
    system. Thomas was expected to perform his duties using his “best efforts and
    judgment to produce maximum benefit” to ClickMotive.
    Thomas was not happy when his friend in the IT department was fired.
    It was not just a matter of loyalty to his former colleague; a smaller IT staff
    meant more work for Thomas. So Thomas, to use his word, “tinkered” with the
    company’s system. The tinkering, which started on a Friday evening and
    continued through Monday morning, included the following:
    • He deleted 625 files of backup history and deleted automated commands
    set to perform future backups.
    • He issued a command to destroy the virtual machine[1] that performed
    ClickMotive’s backups for one of its servers and then Thomas failed to
    activate its redundant pair, ensuring that the backups would not occur.
    • He tampered with ClickMotive’s pager notification system by entering
    false contact information for various company employees, ensuring that
    they would not receive any automatically-generated alerts indicating
    system problems.
    • He triggered automatic forwarding of executives’ emails to an external
    personal email account he created during the weekend.
    • He deleted pages from ClickMotive’s internal “wiki,” an online system of
    internal policies and procedures that employees routinely used for
    troubleshooting computer problems.
    • He manually changed the setting for an authentication service that
    would eventually lead to the inability of employees to work remotely
    through VPN. Changing the setting of the VPN authentication service
    set a time bomb that would cause the VPN to become inoperative when
    someone rebooted the system, a common and foreseeable maintenance
    function.
    • And he removed employees from e-mail distribution groups created for
    the benefit of customers, leading to customers’ requests for support going
    unnoticed.
    Thomas was able to engage in most of this conduct from home, but he
    did set the VPN time bomb on Sunday evening from ClickMotive’s office, which
    he entered using another employee’s credentials. It was during this visit to
    the office that Thomas left his resignation letter that the company would see
    the next day. When the dust settled, the company incurred over $130,000 in
    out-of-pocket expenses and employees’ time to undo the harm Thomas caused.
    In a subsequent interview with the FBI, Thomas stated that he engaged in this
    conduct because he was “frustrated” with the company and wanted to make
    the job harder for the person who would replace him.

    [1] “A virtual machine is a self-contained operating environment that isolates an
    application from the entire computer on which it runs, denying the application access to other
    compartments of the system.” Jonathan L. Zittrain, The Generative Internet, 119 HARV. L.
    REV. 1974, 2037 n.220 (2006).

    A grand jury eventually charged Thomas with the section 1030(a)(5)(A)
    offense. But two days before the grand jury met, Thomas fled to Brazil. Nearly
    three years later, Thomas was arrested when he surrendered to FBI agents at
    Dallas/Fort Worth International Airport.
    At trial, company employees and outside IT experts testified that none
    of the problems ClickMotive experienced as a result of Thomas’s actions would
    be attributable to a normal system malfunction. They further stated that
    Thomas’s actions were not consistent with normal troubleshooting and
    maintenance or consistent with mistakes made by a novice. ClickMotive
    employees asserted that it was strange for the wiki pages to be missing and
    that someone in Thomas’s position would know that changing the setting of
    the VPN authentication service would cause it to become inoperative when
    someone rebooted the system.
    ClickMotive’s employee handbook was not offered at trial and there was
    no specific company policy that governed the deletions of backups, virtual
    machines, or wiki modifications. Employees explained, however, that there
    were policies prohibiting interfering with ClickMotive’s normal course of
    business and the destruction of its assets, such as a virtual machine or
    company data. Thomas’s own Employment Agreement specified he was bound
    by policies that were reasonably necessary to protect ClickMotive’s legitimate
    interests in its clients, customers, accounts, and work product.
    The jury instructions included the statutory definition of “damage,”
    which is “any impairment to the integrity or availability of data, a program, a
    system, or information.” 18 U.S.C. § 1030(e)(8). The district court denied
    Thomas’s proposed instruction for “without authorization,” which was “without
    permission or authority.” It did not define the phrase.
    After the jury returned a guilty verdict, the district court sentenced
    Thomas to time served (which was the four months since he had been detained
    after returning to the country), plus three years of supervised release, and
    ordered restitution of $131,391.21. Thomas then filed an unsuccessful motion
    for judgment of acquittal. That motion, like this appeal, argued that the
    evidence was not sufficient to convict Thomas because he was authorized to
    damage the computer as part of his routine IT duties.
    II.
    A.
    Although raised in the context of a sufficiency challenge which usually
    focuses on the evidence, Thomas’s argument is principally a question of
    statutory interpretation.[2] So we will begin with an analysis of the statute as
    the elements of the statute establish what the evidence must prove.
    Because Thomas’s argument that he was authorized to damage a
    computer seems nonsensical at first glance, it is helpful at the outset to explain
    the steps he takes to get there. He first points out that his job duties included
    “routinely deleting data, removing programs, and taking systems offline for
    diagnosis and maintenance.” Thomas says this conduct damaged the computer
    within the meaning of the Computer Fraud and Abuse Act because damage is
    defined to just mean “any impairment to the integrity or availability of data, a
    program, a system, or information,” 18 U.S.C. § 1030(e)(8); there is no
    requirement of harm. And the damage he caused by engaging in these routine
    tasks was not “without authorization” because it was part of his job. So far, so
    good.[3] Next comes the critical leap: Thomas argues that because he was
    authorized to damage the computer when engaging in these routine tasks, any
    damage he caused while an employee was not “without authorization.” Thus
    he cannot be prosecuted under section 1030(a)(5)(A). This argument is far
    reaching. If Thomas is correct, then the damage statute would not reach any
    employee who intentionally damaged a computer system as long as any part of
    that employee’s job included deleting files or taking systems offline.
    Thomas’s support for reading the statute to cover only individuals who
    “had no rights, limited or otherwise [to] impair” a system comes from cases
    addressing the separate “access” provisions of section 1030. See, e.g., LVRC
    Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (“[A] person who
    uses a computer ‘without authorization’ has no rights, limited or otherwise, to
    access the computer in question.”); see also Pulte Homes, Inc. v. Laborers’
    International Union of North America, 648 F.3d 295, 303–04 (6th Cir. 2011)
    (relying on Brekka). But there are important differences between the “access”
    and “damage” crimes that make it inappropriate to import access caselaw into
    the damage statute.

    [2] We often see arguments focusing on the meaning of words in a criminal statute
    raised via a challenge to the jury instruction. But as will be discussed, Thomas’s requested
    instruction of “without authorization” did not include the limiting language he urges on
    appeal. This explains why a sufficiency challenge is the vehicle for his statutory argument.
    The government does not contend that his request for a different definition in the jury
    instruction estops him from arguing for a more limited definition in the context of a
    sufficiency challenge.

    [3] This assumes Thomas is correct that the “damage” element does not require a
    showing of harm. The just-quoted statutory definition does not include the words “harm” or
    “loss.” This contrasts with a separate subsection of the same damage statute that requires
    both “damage and loss,” 18 U.S.C. § 1030(a)(5)(C), with a separate statutory definition for
    loss, 18 U.S.C. § 1030(e)(11). But some courts addressing the damage element do require
    some negative effect on the system. See United States v. Yucel, 97 F. Supp. 3d 413, 420
    (S.D.N.Y. 2015) (concluding that damage occurs when “the system no longer operates as it
    did when it first came into the owner’s possession and has an unwanted characteristic”);
    Trademotion, LLC v. Marketcliq, Inc., 857 F. Supp. 2d 1285, 1292 (M.D. Fla. 2012) (stating
    that “impairment to integrity” requires “some diminution in the completeness or usability of
    data or information on a computer system”). In any event, the government concedes that at
    least some of what Thomas and other IT professionals do in the normal course of their duties
    constitutes damage within the meaning of the statute. So we will assume that “damage” is
    defined as broadly as Thomas contends because even under his definition we conclude that
    he lacked authorization for the particular acts of damage charged as criminal conduct.

    Section 1030(a)(5)(A) is the only independent “damage” provision,
    meaning it does not also require a lack of authorization to access the computer.
    Contrast 18 U.S.C. § 1030(a)(5)(B), (C) (both applying to damage that results
    from unauthorized access of a computer). It prohibits “intentionally caus[ing]
    damage without authorization.” As discussed, the statute defines damage.
    And as numerous courts have recognized in discussing both the damage and
    access provisions, the ordinary meaning of “without authorization” is “without
    permission.” See Brekka, 581 F.3d at 1133 (quoting Random House
    Unabridged Dictionary to define “authorization” as “permission or power
    granted by an authority”); United States v. Valle, 807 F.3d 508, 524 (2d Cir.
    2015) (same); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204
    (4th Cir. 2012) (defining “without authorization” as “without approval”);
    Yucel, 97 F. Supp. 3d at 422 (citing Webster’s Third International Dictionary); see also
    Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in
    Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1661–62 (2003) (“[T]he
    damage statute uses the phrase ‘without authorization’ to mean merely
    ‘without permission’ . . . .”). Indeed, Thomas asked that the jury be told that
    “without authorization” means “without permission or authority”; he did not
    seek an instruction that “without authorization” is limited to those who have
    no rights to ever impair a system. As the caselaw and Thomas’s proposed
    instruction recognize, the plain meaning of the damage provision is that it
    makes it a crime to intentionally impair a computer system without
    permission. And notably, it applies to particular acts causing damage that
    lacked authorization. See 18 U.S.C. § 1030(e)(8) (defining damage to include a
    single impairment of the system). Nothing in the statutory text says it does
    not apply to intentional acts of damage that lacked permission if the employee
    was allowed to engage at other times in other acts that impaired the system.
    Crimes involving unauthorized access are more numerous in the
    Computer Fraud and Abuse Act. See, e.g., 18 U.S.C. § 1030(a)(1), (2), (3). Some
    of these provisions distinguish between “intentionally access[ing] a computer
    without authorization,” and “exceed[ing] authorized access.” See id.
    § 1030(a)(1), (2). To give meaning to the separate provisions, courts have
    interpreted “access without authorization” as targeting outsiders who access
    victim systems, while “exceeds authorized access” is applied to “insiders,” such
    as employees of a victim company. See Valle, 807 F.3d at 524 (citing United
    States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (en banc)). It is this attempt
    to police that statutory line—between those who have no permission to access
    a system and those who have some permission to access but exceed it—that led
    to the language Thomas invokes about a “no authorization” case being limited
    to a person with “no right[], limited or otherwise, to access the computer in
    question.” Brekka, 581 F.3d at 1133 (emphasis added). This ensures that
    “access without authorization” applies to outsiders. Indeed, Brekka begins its
    analysis by recognizing that “authorization” has the ordinary meaning of
    “permission”; the separate term “exceeds authorized access” is the source for
    its conclusion that access without authorization must be an all-or-nothing
    proposition. Id. at 1133. In addition to its support in the bifurcated statutory
    scheme for access crimes, a narrow reading of those statutes avoids
    criminalizing common conduct—like violating contractual terms of service for
    computer use or using a work computer for personal reasons—that lies beyond
    the antihacking purpose of the access statutes. See, e.g., Valle, 807 F.3d at
    512–13, 526–27 (involving police officer charged with violating section
    1030(a)(2)(B) for accessing a government computer for a non-law enforcement
    purpose); United States v. Drew, 259 F.R.D. 449, 466 (C.D. Cal. 2009)
    (involving defendant charged with violating sections 1030(a)(2)(C) and
    1030(c)(2)(B)(ii) for creating a fictitious profile on a social networking website
    and then using the account to cyberbully a teenager in violation of the website’s
    Terms of Service); Kerr, supra, at 1663 (“If we interpret the phrase “exceeds
    authorized access” to include breaches of contract, we create a remarkably
    broad criminal prohibition that has no connection to the rationales of criminal
    punishment.”).
    None of these concerns translates to the damage statute. “Without
    authorization” modifies damage rather than access. Id. at 1661 (explaining
    that the federal damage statute uses “without authorization” in “a very
    different way” from how it is used in the access statutes). Section 1030(a)(5)(A)
    makes no distinction between all-or-nothing authorization and degrees of
    authorization. Its text therefore covers situations when the individual never
    had permission to damage the system (an outsider) or when someone who
    might have permission for some damaging acts causes other damage that is
    not authorized (an insider). Tellingly, other subsections of the same damage
    statute are limited to those who inflict damage while “intentionally access[ing]
    a protected computer without authorization.” 18 U.S.C. § 1030(a)(5)(B), (C).
    Because section 1030(a)(5)(A) is the one subsection of the damage statute that
    also applies to insiders, it would make no sense to import a limitation from the
    access statutes that is aimed at excluding insider liability. In support of his
    attempt to extend to the damage statute the limitation courts have read into
    the “access without authorization” statutes, Thomas cites the “presumption
    that identical words used in different parts of the same act are intended to
    have the same meaning.” Atlantic Cleaners & Dyers, Inc. v. United States,
    286 U.S. 427, 433 (1932). But in light of the significant statutory differences
    between the access and damage crimes, Chief Justice Marshall’s corollary to
    the “consistent usage” canon is more apt: “It has been also said, that the same
    words have not necessarily the same meaning attached to them when found in
    different parts of the same instrument: their meaning is controlled by context.
    This is undoubtedly true.” Cherokee Nation v. Georgia, 30 U.S. 1, 19 (1831),
    quoted in Antonin Scalia & Bryan Garner, READING LAW: THE INTERPRETATION
    OF LEGAL TEXTS 171 (2012).
    Nor is there a significant threat that liability under the damage statute
    would extend to largely innocuous conduct because the requirement of
    “intentionally causing damage” narrows the statute’s reach. Cf. Kerr, supra, at
    1660–62 (stating that section 1030(a)(5)(A) “adds a very important weapon
    to the arsenal of computer crime statutes” and complements the access statutes
    that present a serious risk of being applied too broadly). Applying the damage
    statute to employees like Thomas also does not extend the law beyond what
    Congress intended. The Senate Report on the 1996 amendments to the
    Computer Fraud and Abuse Act stated that section 1030(a)(5)(A) “protect[s]
    computers and computer systems . . . from damage both by outsiders, who gain
    access to a computer without authorization, and by insiders, who intentionally
    damage a computer.” S. Rep. No. 104-357, at 9 (1996). It characterized these
    dual threats as “outside hackers” and “malicious insiders.” Id. at 9. This
    repeated emphasis that the damage statute would apply equally to both
    threats[4] was made with full awareness, from the time the statute was first
    enacted a decade earlier that, as Thomas emphasizes, employees are
    sometimes permitted or even required to engage in “repair activities.” S. Rep.
    No. 99-432, at 12 (1986). Such acts that are “necessary to the repair” of the
    system, would not be criminal because they are authorized. Id. The statute’s
    mens rea was also cited as a limitation on the statute’s reach. S. Rep. No.
    104-357, at 11 (“[I]nsiders, who are authorized to access a computer, face criminal
    liability only if they intend to cause damage to the computer.”[5] (emphasis
    added)). By providing immunity from the damage statute to any “malicious
    insider” who was permitted to cause “damage” in some situations as part of his
    job duties, Thomas’s interpretation would substantially curtail the statute’s
    intended reach.

    [4] See also S. Rep. No. 104-357, at 10 (stating that section 1030(a)(5)(A) “would cover
    anyone who intentionally damages a computer, regardless of whether they were an outsider
    or an insider otherwise authorized to access the computer”).

    So Thomas’s reading of “without authorization” is at odds with the
    statutory language and legislative intent. His offered construction thus finds
    no recourse in the rule of lenity because there is no interpretive tie for that
    principle to break. United States v. Castleman, 134 S. Ct. 1405, 1416 (2014)
    (stating that “the rule of lenity only applies if, after considering text, structure,
    history, and purpose, there remains a grievous ambiguity or uncertainty in the
    statute, such that the Court must simply guess as to what Congress intended”
    (internal quotation marks omitted)).
    We conclude that Section 1030(a)(5)(A) prohibits intentionally damaging
    a computer system when there was no permission to engage in that particular
    act of damage. To the extent more is needed to flesh out the scope of
    “permission” when a defendant has some general authority to impair a
    network, there is helpful guidance in one of our cases addressing an access
    statute, which if anything should define authorization more narrowly for the
    reasons we have discussed. United States v. Phillips, 477 F.3d 215, 219 (5th
    Cir. 2007). Phillips says to look at the “expected norms of intended use.” Id.

    [5] This statement that insiders are only liable for intentionally causing damage is
    further support for the point made above that section 1030(a)(5)(A) is the only damage
    provision that can apply to insiders. The other two damage provisions, which require
    unauthorized access, have lower mens rea requirements. Section 1030(a)(5)(B) applies to
    recklessly causing damage. Section 1030(a)(5)(C) imposes strict liability when it comes to
    the damage requirement, though the conduct must result in both “damage and loss.”

    B.
    With this understanding of the damage statute, we turn to the more
    typical sufficiency review and evaluate whether the evidence supported the
    conviction. This analysis usually begins with talk of the considerable deference
    the jury’s view of the evidence should receive, with it getting to make
    credibility determinations, draw reasonable inferences, and the like. United
    States v. Winkler, 639 F.3d 692, 696 (5th Cir. 2011). Reliance on that standard
    of review is unnecessary here as there is overwhelming evidence to support the
    jury’s view that Thomas did not have permission to engage in the weekend
    damage campaign.
    The nature of Thomas’s conduct is highly incriminating. No reasonable
    employee could think he had permission to stop the system from providing
    backups, or to delete files outside the normal protocols, or to falsify contact
    information in a notification system, or to set a process in motion that would
    prevent users from remotely accessing the network. Phillips, 477 F.3d at 220
    (affirming jury finding of lack of authorization to launch a brute-force attack
    program when that would not be permissible “within the understanding of any
    reasonable computer user”). Thomas emphasizes the unlimited access he had
    to the system that gave him the ability to inflict this damage. But it is not
    conceivable that any employee, regardless of their level of computer access,
    would be authorized to cause these problems. The incidents for which Thomas
    was held liable were nothing like the periodic acts he performed as part of his
    duties. Those tasks may have impaired the system on a limited basis in order
    to benefit the computer network in the long run. Routine deletions of old files
    provide that benefit by increasing storage space. Taking systems offline allows
    for necessary maintenance. In contrast, the various types of damage Thomas
    caused during the last few days before he resigned resulted in over $130,000
    in remediation costs. Regardless of whether the definition of “damage” under
    the statute requires a showing of harm, impairments that harm the system are
    much less likely to be authorized than those that benefit the system. It would
    rarely if ever make sense for an employer to authorize an employee to harm its
    computer system.
    The harmful acts themselves would be enough to support the verdict, but
    Thomas’s words and conduct in response to the criminal investigation provide
    additional support. When questioned by federal agents, he acknowledged the
    distinction we have just made. He did not say that he caused the damage in
    order to maintain or improve the system; instead, his motive was to make
    things more difficult for the person hired to replace him. And his flight to
    Brazil is not what is expected of someone who had permission to engage in the
    conduct being investigated. See Allen v. United States, 164 U.S. 492, 499 (1896)
    (“[T]he law is entirely well settled that the flight of the accused is competent
    evidence against him as having a tendency to establish his guilt.”).
    The circumstances surrounding the damaging acts provide even more
    support for the finding of guilt. Thomas committed the various acts one after
    the other in a concentrated time span beginning Friday evening and continuing
    through the weekend. Thomas did most of this from home, but the one time
    he had to go to the office he did so using another employee’s credentials. One of
    his acts—falsification of contact information in the alert system—prevented
    Thomas’s conduct from being detected during the weekend as employees would
    not receive notifications about the damage to the system. He submitted his
    resignation immediately after completing the damage spree and timed the
    most damaging act—the one that would prevent remote access—so that it
    would not occur until he was gone. Why this sequence of events if Thomas had
    permission to cause the damage?
    All of this provided ample support to conclude that Thomas lacked
    permission to inflict the damage he caused. As that question of authorization
    is the only element he challenges, sufficient evidence supports the conviction.
    III.
    What we have just said about the straightforward application of the
    damage statute to Thomas’s conduct also dooms his claim that the law is
    unconstitutionally vague. That is because even if a statute might be vague
    when applied to some situations, “a defendant whose conduct is clearly
    prohibited cannot be the one making that challenge.” United States v.
    Westbrooks, 858 F.3d 317, 325 (5th Cir. 2017).
    Further proof that Thomas’s conduct is a paradigmatic application of
    section 1030(a)(5)(A) comes from its similarity to a hypothetical use of the
    statute that a leading computer crime scholar foresaw years ago. Professor
    Kerr provided the following example that is essentially this case but for a twist
    that the employee is upset about his own employment situation rather than a
    colleague’s:
    Employee sabotage: Sam is a computer programmer who is angry
    at his employer for denying him a promotion. Sam decides to take
    revenge by deleting some of his employer’s important files, and by
    launching a denial-of-service attack that overwhelms his
    company’s webserver with requests and takes it offline for a few
    hours. The deletion of the files will not constitute an unauthorized
    access. Sam accessed his employer’s computer when he used it to
    delete files, but as a programmer he was authorized to access those
    files and therefore has not committed access without
    authorization. Similarly, the denial-of-service attack will not itself
    constitute an unauthorized access crime. Sending the data to the
    computer does access the computer, but the access is not without
    authorization: The webserver has been configured to accept all web
    traffic requests, such that sending many requests will not
    circumvent any code-based restrictions.
    Sam does not avoid criminal liability, however. The deletion of the
    files may constitute destruction of property or conversion and,
    depending on the applicable state laws, he could be prosecuted
    under general property crime statutes. Sam could also be
    prosecuted for damaging the computer under the federal computer
    damage statute, 18 U.S.C. § 1030(a)(5)(A)(i).
    
    Kerr, supra, at 1664–65 (emphasis added).
    The law review article is not all that undermines the contention that
    Thomas lacked notice that his conduct was criminal. Just a couple weeks after
    the damage spree, and before the FBI had contacted Thomas, he told the friend
    whose firing had set this in motion that “he thought he might have broken the
    law.” Which law, the friend inquired? Thomas’s response: “the Computer
    Fraud and Abuse Act.”
    * * *
    The judgment of the district court is AFFIRMED.