Michael Thomas, a systems administrators who was convicted in 2016 for destroying his employer's network before resigning his job, has filed an appeal in which his lawyers are arguing that in reality he actually was authorized to trash the company's IT network, in a criminal case that might change the way judges look at the CFAA (Computer Fraud and Abuse Act).

All of this started in December 2011, when Thomas was working for ClickMotive, a company that builds websites for car dealerships.

According to court documents, embedded below, Thomas got upset on Thursday, December 1, 2011, when ClickMotive's leadership fired fellow and senior IT admin Andrew Cain.

Cain, who shortly after started preparing a lawsuit against ClickMotive for unlawful termination, told Thomas that the company's founders fired him because he was one of their first employees, and they didn't want to share a bonus with him when they would eventually sell the company later on.

This upset Thomas, who described Cain as a friend, but also because leadership offered him a bonus immediately after they fired Cain, even if he was now supposed to do the job of two people.

A weekend from hell makes Thomas quit

Things went downhill for Thomas almost immediately. On Friday, the next day, a severe power outage shut down the company's services. Because of the extent of the damage, Thomas was forced to work from home, on Saturday, and make sure everything was up and running.

On Sunday, things got even worse, as various ClickMotive servers went down following a DDoS attack. Because the attack was preventing Thomas from accessing the company's network from home, he was forced to come into office.

Overwhelmed with all his duties, this is when Thomas broke. Investigators say that instead of fixing the issues, the accused systematically destroyed ClickMotive's network, wrote his resignation, left his keys, badge, and laptop on his desk, and left.

Thomas caused damage, judge rules

Below is a list of Thomas' actions. Some were performed before Sunday, when he came into office, and can be easily interpreted as troubleshooting, but they were included in court documents as destructive actions.

Thomas disabled the pager notification system that would otherwise continually report system errors (performed on Friday).

Thomas powered down and deleted a virtual machine responsible for making backups of the email server, which was causing errors (performed on Saturday, the same day he consulted various online troublehsooting forums).

Thomas deleted critical ClickMotive wiki pages used by other employees (from Friday to Sunday).

Thomas deleted remotely stored backups of several servers (on-machine backups remained intact) (performed on Sunday, including the rest of his subsequent actions).

He turned off jobs that automatically created backups to remote servers.

Thomas deleted VPN keys, blocking other employees from connecting to the company's network.

He tampered with network policies so some services will have to be started manually, instead of automatically.

He removed employees from mailing lists where customers reported problems and asked for support.

On top of these, Thomas also accessed the email accounts of ClickMotive management, and transmitted some emails to his friend Cain, to help him in his upcoming lawsuit. Authorities never officially charged Thomas for this action.

ClickMotive recovered after two days

On Monday, when employees returned, they found Thomas's resignation letter. Even if other ClickMotive employees managed to restore all services within two days, management was fuming.

A civil lawsuit followed, and two years later, in 2013, US authorities filed official charges, accusing Thomas of intentionally causing damage to a computer system without authorization, under the CFAA.

Three years later, in the summer of 2016, a Texas judge found Thomas guilty following a trial, and later sentenced him to time served, three years of supervised release, and ordered him to pay $130,000.

Thomas case taken up by famous lawyer

One month later, in September 2016, Thomas filed an appeal. This past week, Thomas' lawyer, the infamous Tor Ekeland, published the opening appellate brief on his website, signaling the start of the appeal process.

Ekeland has a reputation of defending hackers. He previously defended Andrew "weev" Auernheimer, journalist Matthew Keys, and is currently handling the cases of Anonymous hacktivists Deric Lostutter and Lauri Love.

According to the appellate brief, Thomas and Ekeland's approach to the appeal process is to argue that none of the actions Thomas performed were illegal since they were performed with authorization.

Thomas files an interesting appeal

The two say that all IT administrators have to perform these destructive operations on a daily basis. The two point out that none of the actions Thomas took were explicitly forbidden by ClickMotive's internal policy, which only prohibited the "destruction of valuable property."

Court documents and statements made by Thomas to Cain previously showed that Thomas did admit to performing some of the acts he was convicted for.

Thomas and Ekeland are now going after the wording in the CFAA, the law under which he was charged and convicted.

The evidence was insufficient to support the jury’s conclusion that Thomas acted without authorization, for three reasons. First, according to the plain language of the statute, a computer user can only cause “damage without authorization” if he has “no rights, limited or otherwise,” to “impair” the “integrity or availability” of the data or system at issue. Because Thomas’s had broad authorization to manage ClickMotive’s systems, including to “damage” them, his conduct cannot have been “without authorization.”

[...]

Third, because the district court’s interpretation of “damage without authorization” fails to clearly define what conduct is prohibited or to adequately guide law enforcement, it renders the statute void for vagueness as applied to Thomas.

Basically, the two are saying that because Thomas had authorization to perform all actions and company policy didn't specifically mention that an employee was prohibited from damaging network systems, his conviction should be reversed.

Thomas argues that he didn't do anything illegal because he was on the job, which in his case specifically granted him authorization to perform these destructive actions, which when viewed from afar also looks like a sysadmin trying to troubleshoot his network and quitting in the middle of the process.

A previous version of this article mentioned that Thomas admitted performing some acts with malice. This is incorrect as court documents only showed he admitted to performing some of the acts described by the prosecution, but never admitted he performed them with malicious intent. Parts of the article were rewritten to factor in this change.