California City Settles for $450,000 After Suing Bloggers for Opening Dropbox Links It Sent Them

California City Settles for $450,000 After Suing Bloggers for Opening Dropbox Links It Sent Them
The Fullerton, California police department, one of the entities whose records were accidentally leaked by government employees, seen here during a protest against police brutality in 2011. (Photo: Kevork Djansezian, Getty Images)

The city of Fullerton, California, has agreed to settle for $US350,000 ($450,450) in a lawsuit brought by two bloggers it falsely accused of breaking into the municipal government’s Dropbox account. In reality, administrators just sent the intrepid journalists a public link that the city would have preferred they didn’t click.

Ars Technica reported that Joshua Ferguson and David Curlee, will receive $US60,000 ($77,220) each after a Fullerton city employee mistakenly responded to a request for records on police misconduct by emailing them not only the requested records but a link to an openly accessible Dropbox “Outbox” folder containing city records that hadn’t yet been cleared for release by a city attorney. Ferguson and Curlee downloaded 19 .zip files, five of which didn’t have passwords themselves, alongside the documents they were supposed to receive.

The two bloggers used the unprotected material in several stories that detailed such embarrassing items as a police official who offered authorities a deal to resign in order to sidestep the release of an internal investigation into their conduct and an insurance claim for a vehicle wrecked by an allegedly drunk municipal employee. Accessing the information was in line with journalistic practice and, as the settlement indicates, unambiguously legal — no stolen passwords or hacking was involved whatsoever. It was not, as city officials argued, as though the bloggers had stolen physical documents from City Hall.

The city then sent two cease-and-desists before filing a suit in 2019 claiming the bloggers had stolen the files, violating two anti-hacking laws: The Computer Fraud and Abuse Act (CFAA) and California state’s Comprehensive Computer Data Access and Fraud Act. As part of the suit, the OC Register reported, Fullerton attorneys sought and received a gag order requiring the bloggers to stop publishing material.

The order was later thrown out by an appellate court which found it to be an unconstitutional example of prior restraint, but the city tried (and failed) to have another gag order imposed regardless. Fullerton officials also subjected Ferguson and Curlee to demands they allow forensic investigators to pry through their electronic devices, while Ferguson says he was terminated from his job on the basis of the criminal accusations.

The suit backfired, with City Council members deciding in a 3-2 vote last week they had no chance of winning and a settlement deal was preferable.

The CFAA is infamously broad and criminalizes accessing a “protected computer without authorization or exceeding authorised access” — language that may have made more sense when the law was written in 1986, a time when computer networks were largely the domain of large corporations, the government, and the military, but now potentially makes a felony out of a massive range of activities bearing little resemblance to hacking.

The CFAA has been cited in lawsuits against everyone from academics and data scrapers to journalists and activists; the Electronic Frontier Foundation argued in an amicus brief in the Fullerton case that the law obviously shouldn’t allow the city to refuse to “accept responsibility for its own failure to limit public access to information” by “[twisting] criminal law to punish truthful reporting.”

Technology and Press Freedom Project director Gabriel Rottman told the Register, “They say an unlocked door is no excuse for burglary, but here there’s no door, much less a lock.” He added that there wasn’t any evidence the city had ever told the two bloggers they couldn’t access the other files.

“The city shouldn’t have tried to blame their mistakes on journalists trying to cover the city,” Kelly Aviles, the bloggers’ attorney, told the Register. “It was unbelievably wrong… those kind of people should never be in public office.”

Aviles will receive the remaining $US230,000 ($296,010) of the settlement, according to Ars Technica, and the city of Fullerton will publicly apologise for accusing them of being criminals. Ferguson and Curlee will return the remaining password-protected documents, which Aviles told the Register they never planned on using in the first place.