California city backs down from misguided ‘hacking’ lawsuit against bloggers
Suppose you want to visit a website to learn what might be hosted there. No one sent you an invitation or rolled out a red carpet; on the other hand, no one told you not to click, and no password stands in your way. Can you visit the URL? Phrased that way, the question likely sounds ridiculous, but it was the crux of a troubling lawsuit that the city of Fullerton brought against a group of local bloggers before changing course in a settlement this month. And while the issue is rarely litigated, it’s one that has important implications for investigative journalism — which is why the Reporters Committee filed a pair of friend-of-the-court briefs in the case. Here’s why we’re glad — and why journalists should be, too — that the city confessed error here.
By way of background: Fullerton had decided to use a Dropbox account to field public records requests, and it hosted that Dropbox folder at a URL — cityoffullerton.com/outbox — that was accessible to anyone who visited, without a password, even though the folder also contained documents that the city intended to keep confidential. According to the city’s lawsuit, Friends for Fullerton’s Future — a local watchdog group — downloaded a number of documents from the folder and began publishing the newsworthy ones, including records suggesting that the city explored persuading a police officer to resign rather than face official discipline, in order to avoid generating a paper trail subject to disclosure under the public records laws. In response to those stories, the city sued Friends for Fullerton’s Future, arguing that accessing the Dropbox violated state and federal anti-hacking laws. (For more, you can read the bloggers’ accounts of their experience fighting the lawsuit on their website.)
You might justifiably wonder how visiting a web page that anyone could access by typing in the URL amounts to hacking. To oversimplify a bit, California’s statute (the Computer Data Access and Fraud Act) and its federal counterpart (the Computer Fraud and Abuse Act) punish accessing data “without permission” and “without authorization,” respectively. The city argued that the bloggers lacked authorization because the city hadn’t expressly told them that they could have the documents. And the bloggers should have known that Fullerton didn’t mean to make the documents publicly accessible in the way it had, the city maintained, because “[o]ne could not navigate to the Dropbox account on the internet, nor from the City’s public website.”
What Fullerton seems to have meant by that — since, of course, one could navigate to the Dropbox on the internet by typing in the URL — is that the city assumed the URL was obscure enough that no one would visit it, even though, in practice, anyone could. But to see just how dangerous that argument was, consider how often you arrive each day at an inscrutably long and unguessable web address by using, say, a search engine. Because ordinary internet users understand that the point of publishing a site is to make it accessible, we don’t pause to worry whether we’ve received an express invitation to visit a link before we click on it. In the city’s view, though, a website owner would be entitled to inform you — after the fact — that it secretly intended to keep that web address a secret and that you committed a federal crime by visiting.
The vast discretion that would confer on website owners would have an especially chilling effect on journalism online. As the Reporters Committee highlighted, “Website operators routinely expose newsworthy information about themselves to the public, either without intending to or with the expectation that no one will notice. Just as routinely, journalists, academics, and other researchers use a range of techniques to uncover and report that information in the public interest.”
One example comes in recent reporting by The Intercept’s Mara Hvistendahl, who obtained a series of slide decks describing how Oracle markets its products for use in connection with Chinese surveillance efforts. How did she find them? By running a Google search for the right Chinese characters, which returned links to the decks on Oracle’s website even though Oracle seemed to be unaware that the documents were publicly accessible there.
Perhaps because the right answer in these cases is so intuitive, there’s very little judicial precedent that directly addresses the scenario. (You can read a bit more about the issue in an analysis I wrote for Lawfare earlier this year.) And with Fullerton’s decision to settle its suit, this won’t be the case that fills in the gap. The U.S. Supreme Court may shed some light on the issue, though, when it answers a related question this term in Van Buren v. United States — whether a website owner can turn a visit to their site into a criminal offense by imposing restrictions in their written terms-of-service. As we explained in that case, for much the same reason we filed in support of Friends for Fullerton’s Future, the Reporters Committee’s view is that website operators shouldn’t be the ones to decide whether gathering news about their site is a crime.
A decision in that case could come any day now and may provide some clarity about reporters’ rights. In the meantime, though, the Fullerton settlement is a welcome win for data journalism.
The Reporters Committee regularly files friend-of-the-court briefs and its attorneys represent journalists and news organizations pro bono in court cases that involve First Amendment freedoms, the newsgathering rights of journalists and access to public information.