Bloggers Accused of Hacking for Opening Dropbox Link

John Lister's picture

A Californian city will pay $350,000 to two men it falsely accused of hacking its Dropbox account. Officials in Fullerton, California had actually sent a link that granted the access.

The case involves two bloggers, Joshua Ferguson and David Curlee, who wrote about local government and regularly requested documents under public record laws. As some of these files were very large, officials would often upload them to a Dropbox folder and provide a link granting access.

However, one such response in 2019 also mistakenly included a link giving access to a separate folder that included documents that were not meant to be released to the bloggers until a city attorney had reviewed whether they were necessary.

Files Unprotected

The Arstechnica site notes the folder was accessible by anyone with the link. It contained 19 Zip files of which five could be opened without a password. (Source: arstechnica.com)

The two bloggers then posted about the contents of these files, which included internal police investigations and claims of drunk-driving by a city employee. These had not been approved for release.

The city then launched a series of legal actions including a lawsuit that claimed the bloggers had breached both the federal Computer Fraud and Abuse Act and the state's Comprehensive Data Access and Fraud Act.

City Heading For Loss

The city also asked for restraining orders to stop further posting that referred to the contents of the files. These requests were granted and then overturned at several stages of the case moving through the court and appeal processes.

The case had yet to reach a final conclusion but it looked likely the city would eventually lose. The likeliest outcome seemed to be a ruling that somebody who receives a link to a folder can't be held legally responsible if the folder includes documents the sender didn't actually want them to see.

The city has agreed to pay $230,000 to cover the men's legal fees, give each of them $60,000 in damages, and post an apology on its website home page. As part of the deal the men will "return" the confidential documents, though that doesn't really have much meaning with digital files. (Source: ocregister.com)

What's Your Opinion?

Should the bloggers have used the material in the files? Was the city right to suggest they'd breached hacking laws? Should governments be using public software such as Dropbox to distribute documents?

Rate this article: 
Average: 5 (9 votes)

Comments

davolente_10330's picture

If the link to the documents was included as legitimate information and there was no indication that the recipients were not supposed to see those particular documents, I see no problem with their release. It's the city's error, after all - not the bloggers.

OadbyPC's picture

In the UK, if a bank accidentally credits your account with money, you cannot by law spend it and have a duty to return it/inform the bank.

Similarly, if it was clear they had received confidential info by mistake and it could be detrimental to the city if released, those bloggers should have deleted those files.

Like many people, I am ambivalent about Ed Snowden; OTOH I don't trust government, but I know it is still necessary to have some secrets, even if the people we have to trust with those secrets aren't trustworthy!

lgwhitlock_3287's picture

While ethically maybe they should have asked before publishing I still think they were within their rights to publish. Freedom of the press is what keeps the government accountable. That's why it is so important to triple check before sending links. They probably should have shared individual files rather than folders.

doulosg's picture

Some city employee messed up sending that link.
Presumably some other city employee messed up letting the issue go to litigation.
I'd be curious if the first employee was fired but sued the city and/or the second employee for turning the molehill into a mountain.

bloomdds_14318's picture

IMO, the bloggers were not legally wrong, but ethically wrong. It doesn't take a genius to distinguish receiving a link to the info they requested with an understanding of permission to use the info and a link to info they didn't request and thus did not have permission to use. It is amazing that there are no legal definitions to give the city grounds for their case. I suppose the case was really about the accusations and actions taken against the bloggers by those not knowing the bloggers were actually "given" access (by mistake).

But the real crime is that the lawyer(s) collected $230,000. (I'd have done it for $210,000:)
That's an absurd percentage on a contingency basis...and equally absurd amount even if paid hourly. (Can you imagine the bloggers telling their lawyer: We don't care how much you get, as long as we each get at least $50,000. And the lawyer bragged, "Hey, you got 20% more than you asked for ($60,000). Am I not wonderful?!)
Oh, I almost forgot. The bloggers also got an apology.