This Week in Technology + Press Freedom: Nov. 3, 2019
Here’s what the staff of the Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press is tracking this week.
A brazen misuse of computer crime laws against journalists
If it continues to progress, a lawsuit involving a local California public records request could have lasting implications for federal and state computer crime law. The lawsuit, brought by a city government, presents a fact pattern that hacking law aficionados have feared could emerge from the ambiguous Computer Fraud and Abuse Act and similar state laws.
The case involves Fullerton, California, and a blog called Friends for Fullerton’s Future. Earlier this month, Joshua Ferguson, a frequent contributor to the blog, filed a lawsuit against the city over its refusal to disclose certain public records relating to alleged misconduct by police and city employees. Last week, the city filed its own lawsuit against the blog and two named contributors, alleging many claims, including violations of the CFAA and California’s Comprehensive Computer Data Access and Fraud Act. An Orange County Superior Court judge granted a temporary restraining order prohibiting the blog from posting or reporting on what the city claims are hacked documents online.
The lawsuit arises out of the city’s use of Dropbox, a cloud-based service, to both store and distribute records pursuant to public records requests. If the records “responsive” to a request are too voluminous, the city shares the files with the requester via a Dropbox link instead of sending email attachments. According to court filings, the city also stores potentially responsive records in the same Dropbox account. These are records that have not yet been authorized for release, but were uploaded to the Dropbox account for the city’s lawyers to access them for review and redaction. If we’re reading the filings in the case correctly, that Dropbox account — which, again, contained both allegedly sensitive or privileged records and batches of public records that the city invited requesters to download — wasn’t password protected (rather, only “zipped” files required a password).
In response to their records requests, Ferguson and fellow contributor David Curlee were given Dropbox links to specific folders — again, with only .zip files requiring a password, which the city provided. The city is alleging that the bloggers accessed folders in the city’s Dropbox account that were intended for review by city attorneys and were not specifically shared with them. Even though the records appear to have been literally available to the entire internet, the city claims that the bloggers violated federal and state computer crime laws (though this is a civil claim under those laws). The city asserts that accessing these pre-review documents exceeded authorization under the CFAA and was simultaneously use without permission, which is the trigger under California law. The city has accused the bloggers of publishing information from the documents in posts on the blog.
In addition to seeking compensatory and punitive damages for alleged violations, the city also sought and was granted a temporary restraining order (read: prior restraint). The city is asking the court to order the bloggers to stop publishing any documents from the Dropbox account, to permanently delete any privileged or confidential information from the blog, and to delete files from their own computers under court-appointed supervision.
The prior restraint sought here is, of course, concerning. But this is the first case we’re aware of where the computer crime laws have been misused so brazenly against members of the news media. First, the conduct alleged — accessing publicly available documents over the public internet — is clearly not hacking. A court finding that accessing publicly available documents over the public internet constitutes hacking would pose serious concerns for data journalists.
In addition, the city’s press release on the case cites the fact that the bloggers’ alleged conduct may force the city to defend itself against breach-of-confidentiality claims. But there’s a fundamental causation issue: These documents were available for the taking (the actual Dropbox account didn’t require a password), and the city shared the full link to access its account with records requesters on several occasions, including with a defendant. In other words, the breach was caused by the city’s information security practices, not publication.
We will be filing an amicus letter on Monday in support of the defendants and will be watching the case closely.
— Lyndsey Wajert & Linda Moon
Quick Hits
Axios reported on a June memo describing how members of the White House’s cybersecurity and IT teams were tasked with “proactively identifying and investigating leaks of sensitive information.” Sources confirmed to Axios that staffers on the cyber and IT teams were allowed to “investigat[e] user activity” through computer browser histories, as well as by using software to track which employees opened links or documents.
WhatsApp and its parent, Facebook Inc., are suing the spyware manufacturer NSO Group. The lawsuit alleges that the Israeli company used malware to hack into the mobile phones of more than 1,000 people, including journalists and activists, to conduct surveillance. In December of last year, a Saudi dissident also sued the manufacturer, alleging that the company’s software enabled Saudi Arabia to hack his phone and track his communications with Washington Post journalist Jamal Khashoggi, who was murdered last year in the Saudi consulate in Istanbul, Turkey.
The Pentagon decided not to award Amazon (whose founder, Jeff Bezos, owns the Washington Post, a frequent target of criticism from President Trump) a $10 billion cloud-computing contract. In July, Trump publicly stated that he was looking “very seriously” at intervening in the closely-watched bid for the Pentagon’s JEDI contract, and said he had heard complaints that the contract wasn’t “competitively bid.” Some legal analysts expect litigation over the decision as federal regulations are structured to prevent political interference in the contracting process. The Reporters Committee continues to monitor the use of complex regulatory regimes, including the government contracting process, for retaliation.
Administration officials said that the White House plans to instruct federal agencies not to renew subscriptions to the Washington Post and the New York Times. Though the White House has stated that the move is a cost-cutting measure, it comes on the heels of an interview with Fox News host Sean Hannity, in which President Trump said he would cancel the White House’s subscriptions to the papers because the outlets were “fake.” Notably, an investigative data reporter for the Post pointed out via Twitter that readers with a “.mil” or “.gov” email address can get a free subscription.
Google reported in a blog post that it will begin including the number of government requests it receives for Google Cloud Platform and G Suite enterprise customer data in its semi-annual transparency report. Google has published the report since 2010 in response to government requests for user information, though it will start including the GCP and G Suite request data beginning next year. The decision comes after the U.S. and U.K. entered a bilateral agreement under the Cloud Act.
Twitter announced this week that it will stop running political advertising. Twitter’s position is in contrast to Facebook’s decision not to fact-check political ads. Facebook’s policy is similar to the “no-censorship” piece of the FCC’s Equal Time Rule that bars broadcasters from declining to run such ads (and several cable providers have rejected political ads that do not meet their accuracy standards).
Finally, 50 years ago this week, the internet was born! ?
Gif of the Week: All this talk about the CFAA has us thinking about hacking — inspiring this week’s gif from “Jurassic Park.”
Like what you’ve read? Sign up to get This Week in Technology + Press Freedom delivered straight to your inbox!
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee Attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Fellow Linda Moon and Legal Fellows Jordan Murov-Goodman and Lyndsey Wajert.