The Dropbox logo is seen in an illustration photo from July 28, 2017. The City of Fullerton, California, says two journalists violated computer crimes laws by accessing files hosted in a Dropbox folder without permission. (Reuters/Thomas White)
The Dropbox logo is seen in an illustration photo from July 28, 2017. The City of Fullerton, California, says two journalists violated computer crimes laws by accessing files hosted in a Dropbox folder without permission. (Reuters/Thomas White)

Fullerton journalists sued for “hacking” city’s open Dropbox folder

In a complaint filed in the California Superior Court of Orange County on October 24, 2019, the City of Fullerton, California accused a community blog and two contributors of violating anti-hacking laws for accessing confidential files city employees posted online, according to their lawyer Kelly Aviles and court documents reviewed by CPJ. Aviles told CPJ in December that the suit could go to a jury trial in early 2020. The press freedom and legal advocacy group Reporters Committee for Freedom of the Press (RCFP) called the case the “first … we’re aware of where the computer crime laws have been misused so brazenly against members of the news media.”

The City of Fullerton claims that the blog Friends of Fullerton’s Future and two of its journalists, Joshua Ferguson and David Curlee, accessed over a dozen internal documents stored on the file hosting and sharing service Dropbox without permission, according to CPJ’s review. The blog publishes original articles and commentary on the city government and the local police department.

Aviles alleged, in a phone interview with CPJ, that the case is designed to retaliate against her clients for reporting and to block future publication. She told CPJ she has filed an anti-Strategic Lawsuit Against Public Participation (SLAPP) motion, which permits courts to dismiss lawsuits that are intended to censor public speech.

“The City’s suit was not in retaliation for anything,” Fullerton’s lawyer Kimberly Hall Barlow wrote in an email to CPJ. The blog was not a factor in the decision to bring the case, she said.

“If the argument is that a reporter can steal information him or herself and then be allowed to publish it at will, that is neither consistent with the first amendment law nor the ethical tenets of professional journalists,” she said.

Ferguson routinely requested public records, and the city had provided him with a link to the Dropbox folder in the past, he told CPJ. The city acknowledges sending a link to access the folder in response to records requests, according to court filings reviewed by CPJ. The folder was not password protected, and anyone could access it via the web address in the link. Files that were approved for public release were kept in the same folder as others that had not been, some of which were password protected, according to those documents.

The complaint said Ferguson and Curlee accessed files in the folder that had not been approved for release, thereby violating the Computer Fraud and Abuse Act (CFAA), a federal law intended to combat hacking, and a similar state law, the California Comprehensive Computer Data Access and Fraud Act. CPJ has reported concerns that the CFAA’s broad wording could be used to punish routine online journalistic activity.

The complaint said the journalists had intentionally obscured their activity using a virtual private network (VPN) and the Tor browser—digital security tools that CPJ and others routinely recommend that journalists use online. The City also requested a forensic analysis of the reporters’ computers and sought prior restraint to block future publication based on the files—a request that RCFP called “concerning” and Aviles called unconstitutional in court documents.

In November, a trial court in Orange County did not allow that forensic examination, according to Aviles, while an appeals court stayed the attempt to block future publication in December. But the anti-hacking lawsuit against the blog is ongoing, Aviles told CPJ.

“The city is calling me a hacker and a thief,” Ferguson told CPJ in December. Yet, he said, “the idea they are presenting—that hacking is just clicking a link—that idea would literally break the internet if broadly applied.”

“The conduct that the City complains of is no more criminal than clicking through the City’s website, finding confidential information, and downloading it,” Aviles wrote in court filings reviewed by CPJ. The city’s lawsuit is in “retaliation for Mr. Ferguson’s CPRA lawsuit and to silence the Blog,” she wrote. Immediately before the city launched its lawsuit, Ferguson had filed a California Public Records Act (CPRA) lawsuit requesting the release of documents related to alleged police misconduct, he told CPJ.

Kimberly Hall Barlow told CPJ that the city decided to file their suit before Ferguson filed his.

Ferguson told CPJ that the city’s complaint included Christopher Tennyson, his former co-worker at a local camera store where they sometimes shared the same computer, in order to damage Ferguson’s professional relationships. Kimberly Hall Barlow denied this, noting to CPJ that the city later dropped Tennyson from the suit.

Aviles said the case was draining her clients’ financial resources and impeding their ability to continue reporting.

“It would be hard for a large newspaper to deal with this,” Aviles told CPJ in November. “But for a blog of concerned citizen journalists—who felt like there was no voice in their community—it’s an outrageous thing to face.”

RCFP filed an amicus brief in support of the bloggers, as did the Electronic Frontier Foundation, a leading U.S. digital rights group. The editorial board of the local Orange County Register newspaper published an editorial in November asking the city to drop the case and “get some professional advice on how to password-protect its files.”