UPDATED 01:55 EST / FEBRUARY 24 2017

Systems administrator’s appeal could cause serious problems for enterprise IT

A former systems administrator who was convicted on a charge relating to his decision to delete files at a company where he worked is appealing his sentence on the grounds that he was authorized to do so.

The argument could have serious ramifications for the enterprise information technology industry. Michael Thomas, now 38, was convicted in June under the federal Computer Fraud and Abuse Act for sabotaging the computer systems of auto industry web software provider ClickMotive. He was accused of accessing executives’ email, tampering with the company’s error-alert system, changing authentication settings that disabled the company’s virtual private network for remote employees and deleting 615 backup files and some pages of an internal wiki.

The grounds for the prosecution were a CFAA provision on “unauthorized damages,” a provision of the law that Wired described at the time as “a dangerous facet of the law that allows an IT staffer to be charged with a felony for simply doing something that their employer deems to be ‘damaging.’”

According to The Register, Thomas is arguing that while he did intentionally cause damage, it wasn’t “without authorization,” given that he was expressly authorized to access all the systems he accessed. Further, he argued that he was expressly authorized to carry out the deletions he did, because that is what a sysadmin does: deletes backups, edits notification systems and adjusts email systems.

According to the filing lodged with the Fifth Circuit Court of Appeals in New Orleans:

Circuit courts have held that a CFAA defendant cannot be criminally liable for acting “without authorization” unless he does something he had “no rights, limited or otherwise,” to do. As ClickMotive’s IT administrator, Michael Thomas was broadly authorized to “damage” its systems within the meaning of the CFAA. Did he do so “without authorization” if he violated company policy or his common law duty of loyalty?

The filing goes on to argue that ClickMotive did not impose explicit or implicit restrictions on Thomas’s broad authority as an IT administrator and that he was given unlimited authorization to access, manage and use ClickMotive’s computer systems.

As Thomas was given broad discretion in his exercise of that authority, the filing argues that the charge fails because according to the plain language of the statute, a computer user can only cause “damage without authorization” if he has “no rights, limited or otherwise,” to “impair” the “integrity or availability” of the data or system at issue.

While the grounds for appeal do make sense, the implications for enterprise IT if the appeal succeeds are potentially profound: it could mean that sysadmins may do as they please with the systems they administer. The Register points out that the solution may be for companies to have explicit, commonsense policies about what sysadmins are allowed to do and what they are not allowed to do without additional permission. Even setting that aside, the prospect that the actions of a nefarious sysadmin are not restricted by the law as it now stands is far more damaging.

Photo: dagoaty/Flickr
