City Pays $350k After Suing “Hackers” For Opening Dropbox Link It Sent To Them

City pays $350,000 after suing “hackers” for opening Dropbox link it sent them

The city of Fullerton, California, has agreed to pay $350,000 to settle a lawsuit it brought against two bloggers it accused of hacking the city’s Dropbox account.

Joshua Ferguson and David Curlee frequently made public record requests in the course of covering city government for a local blog, Friends for Fullerton’s Future. The city used Dropbox to fulfill large file requests, and in response to a June 6, 2019, request for records related to police misconduct, Ferguson and Curlee were sent a link to a Dropbox folder containing a password-protected zip file. 

But a city employee also sent them a link to a more general “Outbox” shared folder that contained potential records request documents that had not yet been reviewed by the city attorney. The folder wasn’t password protected or access restricted. At the time, there were 19 zip files in the outbox, five of which were not password protected. 

The bloggers downloaded the files related to their records request and the 19 zip files in the outbox link. In the unprotected files, Ferguson and Curlee found emails relating to police internal affairs investigations and an insurance claim regarding an automobile crash involving an allegedly drunk city employee, among others. Throughout June 2019, the bloggers published posts using the documents as source material. 

The city sent two cease and desist letters to Ferguson and Curlee, claiming that the files were confidential and had not been intended for either blogger. On October 24, 2019, the city also filed a restraining order, asking the court to order the bloggers to stop further publication of the documents. The city also sought the return of the documents and requested that a third-party forensic firm be allowed to search the bloggers’ computers. 

In early November 2019, the city filed a lawsuit against the bloggers, alleging violations of the Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act. An Orange County judge hearing the case granted the restraining order, which later was overturned by a California appellate court. Months later, the city again filed to block publication and again was rebuffed on appeal.

As the case made its way through the courts, both the Electronic Frontier Foundation and the Reporters Committee for Freedom of the Press filed amicus briefs earlier this year in support of the bloggers. The EFF’s brief was particularly pointed. “The City’s interpretation would permit public officials to decide—after making records publicly available online (through their own fault or otherwise)—that accessing those records was illegal,” the group wrote. “The City proposes that journalists perusing a website used to disclose public records must guess whether particular documents are intended for them or not, intuit the City’s intentions in posting those documents, and then politely look the other way—or be criminally liable.”

The city of Fullerton faced increasingly long odds of winning the lawsuit, and last week, the city council voted 3-2 to settle the suit. Under the terms of the settlement, the city will pay the defendants $230,000 in attorneys costs and $60,000 each in damages. The city will also post a public apology on its website.