California City Abuses Computer Crime Laws In Suit Aimed At Stopping Journalists From Publishing Records
A state appeals court in California struck down an order that undermined freedom of the press and prohibited a blog from publishing documents allegedly obtained through the City of Fullerton’s Dropbox account.
Joshua Ferguson, a contributor to Friends For Fullerton’s Future, filed a lawsuit under the California Public Records Act against the City of Fullerton in mid-October after they failed to provide files related to police misconduct that he requested.
Fullerton city attorneys counter-sued. They argued Ferguson and David Curlee, also a blog contributor, violated the Computer Fraud and Abuse Act (CFAA) and a state law known as the Comprehensive Computer Data Access and Fraud Act.
Because the lawsuit targeted Ferguson’s employer, he was forced to resign from a job that he had for ten years. He launched a GoFundMe to ensure he could still provide for his family’s basic needs.
The Reporters Committee for Freedom Of the Press (RCFP) believe this is the first case where computer crime laws “have been misused so brazenly against members of the news media.”
According to defense attorney Kelly Aviles, “The City argues that it has determined that the defendants are criminals because they accessed a Dropbox link sent by the City to Mr. Ferguson with his name on it.”
Dropbox is a company that offers a service that allows users to setup folders with files. A person can grant another person access to the folder. A person may also share a file by sending another person a link to that file.
RCFP submitted a brief outlining why the City of Fullerton’s claims “pose a severe threat to newsgathering.” They made clear the alleged conduct does not “amount to hacking” at all.
“The lawsuit arises out of the city’s use of Dropbox, a cloud-based service, to both store and distribute records pursuant to public records requests,” RCFP wrote in a post published to their website. “If the records ‘responsive’ to a request are too voluminous, the city shares the files with the requester via a Dropbox link instead of sending email attachments.”
“According to court filings, the city also stores potentially responsive records in the same Dropbox account. These are records that have not yet been authorized for release, but were uploaded to the Dropbox account for the city’s lawyers to access them for review and redaction.”
RCFP continued, “If we’re reading the filings in the case correctly, that Dropbox account—which, again, contained both allegedly sensitive or privileged records and batches of public records that the city invited requesters to download—wasn’t password protected (rather, only “zipped” files required a password).”
Ferguson and Curlee insist they were sent Dropbox links to specific folders, but the city alleges that they accessed folders that were setup for city’s attorneys. “Even though the records appear to have been literally available to the entire internet, the city claims that the bloggers violated federal and state computer crime laws (though this is a civil claim under those laws).”
A county court judge granted a temporary restraining order that amounted to prior restraint, which defense attorneys contend is “presumptively unconstitutional.”
Astoundingly, the City of Fullerton asked the judge to appoint a “third-party forensic expert to examine the computers, servers, and storage media” within the two journalists’ “possession, custody, or control.” Defense attorneys maintain this would violate the state’s shield law, which is supposed to protect “journalist from disclosing unpublished information or sources of information obtained in the course of gathering and reporting the news.”
Orange County Superior Court Judge Thomas Delaney denied this request by city attorneys.
The City of Fullerton argued Ferguson and “his accomplices” used a virtual private network (VPN) or an anonymizing browser like The Onion Router (TOR) to inappropriately access the Dropbox files. But in response to city attorneys’ criminalizing the journalistic use of privacy tools, the defense attorney for Ferguson pointed out that a person using such tools cannot be identified. They cannot possibly know who accessed the files if Ferguson used a VPN or TOR.
City attorneys “merely compiled a bunch of technical information into its declarations, hoping that this court will not understand that there is no actual evidence that the people it has named in this lawsuit have anything to do with accessing the files it claims were confidential, even though they were apparently maintained in such a careless manner that completely undermines the claim that the information is confidential,” Aviles suggested.
Furthermore, “The documents that the City claims are confidential and that were posted on the Blog could have been leaked by any number of people. [Neither] can the City demonstrate what files the blog has, if any, in its possession, undermining any threat of publication in the future and the need for any restraining order, much less one issued on an emergency basis.”
It would appear the City of Fullerton was totally incompetent and negligent in securing files it did not want the public to access. To deflect responsibility, they targeted two independent bloggers.
In their brief to the court, RCFP outlines [PDF] the abuse of computer crime laws and contempt, which officials seem to have for press freedom.
“The City sent links to specific folders in its commingled Dropbox account and seemed to expect that either a user would not know she could access other folders in the account, or ‘should have known’ that such folders contained information that was not ready for public release. This expectation appears to be the sole security feature the City implemented,” RCFP argues.
Exhibits from the City of Fullerton show it would “occasionally send” a “top-level address for the Dropbox account, which could then present that [person] with links to all the sub-folders,” including both documents under review by city employees and documents approved for release.
As RCFP notes, the “potential chill on newsgathering would be significant” if a government entity could sue journalists for publishing information “made available as a result of poor information security practices.”
The City of Fullerton is incorrectly interpreting the Computer Fraud and Abuse Act to try and suppress journalism. There was no “hacking,” and no one could have “exceeded” any “authorized access” if the files were not securely protected.
Finally, the RCFP addresses the City of Fullerton’s hostility toward encryption or privacy tools, an attitude prevalent among law enforcement and United States security agencies, especially in leak prosecutions.
“The use of such services is not only commonplace among journalists—it is a recommended industry practice,” RCFP declares. “In recent so-called ‘leak’ cases involving the prosecution of journalistic sources for the unauthorized disclosure of government nformation to members of the news media, prosecutors have sought to portray the use of encryption by reporters and sources as somehow indicative of malicious intent.”
“It is not. Everyone should be using encrypted services and applications to protect their communications. In fact, in 2017, the American Bar Association’s Committee on Ethics and Legal Responsibility recommended that lawyers use ‘high level encryption’ or other ‘strong protective measures’ to protect sensitive client information,” RCFP concludes.