More to the story
There is more to this story than can be covered in an article I think. In the US appeals are decided by a panel of 3 judges and are based on a cold reading of the record and the law. In this case it has nothing to do with intent, malicious or not, but whether authorization to cause damage existed - which he had. Damage under the CFAA is defined essentially as any kind of change. 'Without authorization' in the CFAA isn't defined and has been interpreted different ways by different courts. In the US there is something called the rule of lenity that says when a criminal law can be plausibly interpreted multiple ways, the court is required to take the interpretation favoring the defendant.
As some of the comments here have pointed out this was the wrong law to charge Thomas under, if charges were even warranted in the first place. Assuming there was even a violation of some kind of company policy, it is not permissible to base criminal liability on a private policy/contract. That would make the law void for vagueness as private parties would then be making decisions as to what is and is not criminal. The trial court judge and the prosecution here went to great lengths to make a square peg fit in a round hole here, applying a law that wasn't meant to be used in this scenario.
I am sympathetic to the sysadmin here after reading his legal defense fundrazr page. He worked over a weekend to keep the companies systems functional, after his buddy had been fired, then resigned without notice when he decided he'd had enough. The company owners were pissed that he quit when there were still network issues and decided to try and ruin his life by maliciously hiring attorneys to sue then get the Feds involved to prosecute him (rather than the state). Left out of the story is the fact that the company filed a civil suit initially, then dropped it a few months later. Also that most of the 'damage' alleged to have occurred arguably falls within normal troubleshooting processes based on the things that were happening that weekend. Or that the government froze all of his worldly assets, which were not tied to the alleged crime, and listed him on Interpol's website after charging him - stranding him in a foreign country and preventing him from being able to hire an attorney for years. How about that the $130k restitution figure is based on paying people to do his job for the next 18 months after he quit, or that the jury was hung 6-6 on the case after deliberating two days and only returned a guilty verdict when the judge refused to let anyone go home and return for a 3rd day of deliberations (because he wanted to go on vacation the next day). Maybe that the employee handbook he is alleged to have violated was never produced at trial, only an acknowledgment of his receipt of it, which specified violations could result in disciplinary action "up to and including termination". Also that the government wanted him to go to prison for 3.5 years but the judge released him after only the 4 months he spent awaiting trial and sentencing.
People don't seem to comprehend the toll that a federal criminal prosecution takes on someone, even if they win. They don't 'walk' or 'get away' with it. Being charged at that level for something that could result in 10 years in prison, under a system that is stacked against defendants, where 90% of cases plea guilty to reduce sentences. Where trials typically cost hundreds of thousands of dollars and face bleak odds of winning. Even if you win, you still lose. Criminal CFAA cases are very rare, ones that go to trial and appeal are even more so. This is a rare and important case that will help clarify the law. If his conviction is overturned it may curb future overreach by prosecutors who want their names in the paper, if upheld it will mean employers can retroactively rescind authorization and have employees prosecuted for anything they please.
Biting the hand that feeds IT
