The City of Fullerton, California has abandoned a lawsuit against two bloggers and a local website. The suit dangerously sought to expand California’s computer crime law in a way that threatened investigative reporting and everyday internet use.
The city’s lawsuit against the bloggers and the website Friends For Fullerton’s Future alleged, in part, that the bloggers violated the California Comprehensive Computer Data Access and Fraud Act because they improperly accessed non-public government records on the city’s file-sharing service that it used to disclose public records. But the settlement agreement between the city and bloggers shows those allegations lacked merit and badly misrepresented the city’s online security practices. It also vindicates the bloggers, who the city targeted for doing basic journalism.
The city’s poor approach to online security was apparent from the start. The city used Dropbox to create a shareable folder, which it called the “Outbox,” that was publicly accessible to anyone who had the link. And evidence in the lawsuit showed that city officials did not enable any of Dropbox’s built-in security features, such as requiring passwords or limiting access to particular individuals, before making the Outbox link publicly accessible.
Then the city widely shared the Outbox URL with members of the public, including the bloggers, when disclosing public records and for other city business. And because there were no restrictions or other controls on the Outbox folder, anyone with the link could access all the files and subfolders it contained, including files city officials claimed should not have been publicly accessible.
The crux of the city’s lawsuit alleged that the bloggers, Joshua Ferguson and David Curlee, accessed some Outbox subfolders and files “without permission,” in violation of California’s computer crime law, because the individuals did not follow officials’ directions to only access particular folders or files in the Outbox.
The city’s interpretation was a disturbing effort to stretch California’s criminal law, known as Section 502, to punish the journalists. That’s why EFF, along with the ACLU and ACLU of Southern California, filed a friend-of-the-court brief in support of the journalists and website. The Reporters Committee for Freedom of the Press also filed a brief in support of the bloggers. And an appellate court was scheduled to hear arguments in the case next week.
The city’s interpretation ignored that officials had made the entire Outbox public, such that anyone with the link would be able to access everything in it, just as anyone is able peruse any publicly accessible website. This configuration is the opposite of what the city should have done if it wanted to prevent access to sensitive information. Moreover, the city’s theory flouted open-access norms of the internet.
The city’s interpretation also sought to turn officials’ written directions to access only certain files into a violation of Section 502, a dangerous proposition that would give government officials broad discretion to criminalize internet access that they did not like. Also, the interpretation threatened to chill investigative journalism by criminalizing reporting about government records obtained by mistake or otherwise without officials’ permission, a dubious claim that the Supreme Court has repeatedly rejected on First Amendment grounds.
In the settlement, the city abandoned its Section 502 claims and admitted that its allegations did not accurately reflect its security practices for the Outbox folder. The settlement states “[t]he City acted on its belief that access controls were in place” when it filed its lawsuit and “that its primary goal was to retrieve confidential documents for the protection of city employees, residents and those doing business with the City.”
But a statement the city included in the settlement states:
However, due to errors by former employees of the City in configuring the account and lax password controls, some of the files and folders were in fact accessible and able to be downloaded and/or accessed without circumventing access controls.
The statement continues:
Based on the City’s additional investigation and through discussions with Mr. Ferguson and Mr. Curlee, the City now agrees that documents were not stolen or taken illegally from the shared file account as the City previously believed and asserted. The City retracts any and all assertions that Friends for Fullerton’s Future, Mr. Ferguson and/or Mr. Curlee acted illegally in accessing the documents.
The settlement also requires the city to pay Ferguson and Curlee $60,000 each as well as $230,000 for their attorney’s fees and costs.
EFF is thrilled that the city has walked away from its effort to penalize Ferguson, Curlee, and the blog for engaging in good journalism. And we congratulate the pair, the blog, and their attorney, Kelly Aviles, on being vindicated.
Of course, it would have been better if the city had never filed the lawsuit in the first place, which resulted in two rounds of appeals, including reversing a prior restraint issued against the blog, and a potentially dangerous expansion of Section 502. The statute, like the federal Computer Fraud and Abuse Act, is notoriously vague and can be misused to target individuals for their online activities.