California City Drops Lawsuit Against Journalists; Admits It Failed To Secure Files Supposedly Accessed Illegally

News

from the unfortunately-this-now-leaves-the-taxpayers-exposed dept

The city of Fullerton, California spent nearly two years trying to turn some local journalists into criminals. Bloggers, who contributed to the digital publication Friends for Fullerton’s Future, dug into files posted publicly by the city and got sued for doing nothing more than anyone with a link to the city’s shared folder could have done.

Here’s the beginning of this ridiculousness, via the EFF.

The city sued two journalists and Friends for Fullerton’s Future based on several claims, including an allegation that they violated California’s Comprehensive Computer Data and Fraud Act when they obtained and published documents officials posted to a city file-sharing website that was available to anyone with an Internet connection. For months, the city made the file-sharing site available to the public without a password or any other access restrictions and used it to conduct city business, including providing records to members of the public who requested them under the California Public Records Act.

The city obviously expected records requesters to only access the records they requested. But the city made almost no effort to restrict access, so anyone with a link could access other unprotected files and folders. That some people chose not to limit themselves to the files they requested was a problem the city could have handled without getting accusational and litigious. But that’s not the route Fullerton chose. And now it’s paying for this blown judgment call.

In the settlement, the city abandoned its Section 502 claims and admitted that its allegations did not accurately reflect its security practices for the Outbox folder. The settlement states “[t]he City acted on its belief that access controls were in place” when it filed its lawsuit and “that its primary goal was to retrieve confidential documents for the protection of city employees, residents and those doing business with the City.”

[…]

The settlement also requires the city to pay Ferguson and Curlee $60,000 each as well as $230,000 for their attorney’s fees and costs.

The settlement [PDF] is quite a read. It does what so few settlements do: admit fault. The city makes it clear none of the journalists did anything wrong and that any unexpected access was due to lax security, rather than any attempt to circumvent (apparently nonexistent) protective measures.

In the process of gathering and reviewing documents in response to PRA requests, city staff began placing large volumes of records in the file sharing account for attorney review and redaction, believing these files and folders placed therein were secure and that access was restricted to city staff and the City Attorney’s office. However, due to errors by former employees of the City in configuring the account, the files and folders were in fact accessible and able to be downloaded by the public.

Once downloaded, some of the files placed on the shared drive required passwords to open, but due to lax password controls, Defendants, and possibly others, would have been able to open (unzip) many of the files without bypassing access controls because the same passwords may have been re-used for multiple files and/or were disclosed in public records.

There’s more. Here’s the “this is on us” admission:

Based on the City’s additional investigation and through discussions with Mr. Ferguson and Mr. Curlee, the City now understands that documents were not stolen or illegally taken from the shared file account as the City previously believed and asserted. Rather, the documents were made inadvertently available by the City in response to PRA requests.

And, finally, this sort of exculpatory anti-climax:

The City wishes to acknowledge its misunderstanding of the situation…

Well, it’s better than nothing, even if its “misunderstanding” involved more than $200,000 in legal fees and claims that the state’s CFAA-analogue (the Comprehensive Computer Fraud and Data Act) was broken by people who did nothing more than access files the city left accessible.

Better than that is the stipulation that all of these admissions by the city be posted in a “conspicuous location” on the city’s website for at least the next six months. That will make it a little more difficult to sweep this “misunderstanding” under the rug with a broom made of $350,000 of tax dollars. Hopefully, it will also discourage other future “misunderstandings” by other government agencies that fail to erect even the most basic security measures.

Filed Under: california, ccdfa, cfaa, fullerton, journalism, transparency