On October 24 the City of Fullerton filed a lawsuit against the Friends for Fullerton’s Future (FFFF) Blog and some of its authors for allegedly illegally downloading confidential files from a city Dropbox folder and posting these files on their blog.

According to Matthew Strebe, CEO of Connetic, who the city contracted to do a forensic analysis of its Dropbox account, FFFF author Joshua Ferguson and others knowingly accessed confidential, private and privileged material using foreign Virtual Private Networks (VPN) and TOR (designed for stealth access) to anonymize their activities to grab files that were stored or placed on the shared file service, of which they were not authorized to access.

According to a press release issued by the city, “The actions of the Blog have placed the City in a position to defend against claims of breach of confidentiality and have potentially put at risk the security of protected information of both employees and members of the public.”

The FFFF blog and its authors have submitted numerous Public Records requests to the city in recent years. The city’s lawsuit explains that, in the course of responding to these requests, sometimes FFFF bloggers were given access to folders in the city’s Dropbox account.

The question remains whether a city employee accidentally gave the blog access to its entire dropbox account. City Manager Ken Domer says no; however, in a written statement as part of the lawsuit, Assistant City Clerk Mea Klein stated that “There were a few occasions where the City inadvertently sent PRA requesters a link to the City’s entire Dropbox account, but in each such instance, the PRA requester was provided the name of the specific subfolder containing the responsive documents.”

The specific incident appears to have occurred June 6, 2019, when an employee of another department gave blog author David Curlee not only the name of the file which had been prepared to answer his public records request along with a password, but also a link to the city’s entire outbox.

According to a post published October 25 on the FFFF blog, author Joshua Ferguson, who along with Curlee is named as a defendant in the lawsuit, claims that the city suit is retaliation for a Public Records Lawsuit he filed against the city on October 10.

Ferguson sued the city for allegedly refusing to provide public records, including those related to a 2016 incident when former city manager Joe Felz crashed into a tree and was allegedly given special treatment by the police. Following the incident, both Felz (who later pled guilty to charges brought by the OCDA) and former police chief Dan Hughes retired, and former Sgt. Corbett was charged by the OCDA with falsifying a police report; he pleaded not guilty and is scheduled for a jury trial Nov. 13. 

The FFFF blog authors have submitted approximately 80 public records requests since December 2017 according to the city. Over the years blog has published numerous stories alleging police and city hall misconduct, and has backed up many of these stories with internal city documents.

In June, after the city became aware that the blog was posting confidential personnel information, the City Attorney’s Office issued a “Cease and Desist” letter to FFFF, but the Blog did not comply.

In addition, the city of Fullerton contracted with Glass Box Technology to audit, assess and consult on the security of the city’s information technology. The company found vulnerabilities in the system and recommended the city hold off on filing a lawsuit against FFFF until they were fixed to prevent the issues from becoming public which could alert hackers.

The city filed a request for a restraining order on October 24, 2019 asking the court to stop further publishing or sharing of confidential material taken from the city files, return of the documents, and a third party forensic expert to search the computers of the FFFF authors.

The Observer reached out to Ferguson for comment, but he instructed us to speak instead with his lawyer.

In her response to the city’s complaint, FFFF attorney Kelly Aviles argues that, in suing and restricting the blog from publishing the documents, the city is violating the First Amendment rights of her clients.

“The basic purpose of the First Amendment is to prevent the government from imposing prior restraints against the press,” the response states, “Regardless of how beneficent-sounding the purposes of controlling the press might be,” the Court has “remain[ed] intensely skeptical about those measures that would allow government to insinuate itself into the editorial rooms of this Nation’s press.”

“…Thus, the City cannot prevail as a matter of law, regardless of how the records were originally obtained. The City’s requests are flatly unconstitutional and Defendants, therefore, respectfully request this Court denying the City’s request in its entirely,” the response concludes.

According to the City’s press release, “The requested restraining order is limited in scope to protect the 1st Amendment rights of the Blog and seeks only to stop the disclosure of legally protected documents and for all such documents to be returned to the City.  It does not seek to quell the Blog’s existence or ability to publish 1st Amendment protected content nor opinion posts.”

The day after the city filed its request, Orange County Superior Court Judge Thomas Delaney ordered Ferguson and the FFFF blog to stop publishing confidential city documents. The restraining order also prohibits passing the documents to anyone else or deleting them. However, the judge did not order the computer search requested by the city.

A preliminary injunction hearing has been scheduled on November 21 for this case and an anti-strategic lawsuit against public participation (SLAPP) motion filed by FFFF attorney Aviles against Fullerton will be heard the same day.

A Second Cyber Expert Weighs In

The Observer, seeking another opinion on whether a connection could be be made between the city Dropbox and FFFF, reached out to John Gilbert, director of Build Cyber/Blake Phillips to weigh in on the Strebe report included in the city complaint. Below is Gilbert’s analysis:

“I reviewed the Declaration of Matthew Strebe, summarizing his forensic analysis of the incident involving Fullerton’s private records. In short, Mr. Strebe’s analysis is, in my opinion, of the highest quality and done to the highest standards of post-security event forensic analysis. To summarize his findings:

-The City of Fullerton utilizes the 3rd party file storage and transfer service Dropbox, and had at one time given Mr. Ferguson and his associates access to certain requested files. This included accidentally giving Mr. Ferguson a link that allowed him access to City files he did not request.

-Dropbox associates logins with users’ email addresses when those links are sent to those users’ inboxes.

-Dropbox uses cookies (pieces of code transferred to the users’ browsers) to identify them, keeping their session alive and connection open.

-Dropbox requires the user to actively logout, otherwise the cookie will continue to associate the user’s email address and computer with Dropbox every time a connection is made.

-Mr. Ferguson and his associates at some point started using certain technologies to hide their actual IP addresses, making it appear they were logging in from overseas, etc. (Virtual Personal Networks – VPNs, and The Onion Network – TOR)

-Apparently, Mr. Ferguson and his associates forgot to logoff or delete their cookies, using the same computer and browser to connect to the City’s Dropbox account.

-This activity was logged by Dropbox, showing Mr. Ferguson and associates’ email addresses at every login, despite those IP addresses appearing from various other countries.

-Other connections that did not have their actual email addresses associated with them were linked to Ferguson and his associates because 1) The files accessed all had to do with Ferguson and 2) the IP addresses and login patterns fit with those already established as being associated with Ferguson and associates’ email addresses.

-I consider the evidence that Ferguson and his associates were attempting to access City files while attempting to hide their tracks incontrovertible and damning. It would be incomprehensibly difficult to fake or otherwise fabricate the connections logged by the City’s Dropbox account in such a way that would associate Mr. Ferguson so clearly with this illegal activity.

Further, Fullerton needs to have a serious look at their IT protocols, and keep a tighter grip on their public release procedures and encrypt-at-rest protocols.”

To read the city’s complaint and related documents including the Strebe Report, visit: https://docs.cityoffullerton.com/weblink/1/fol/751807/Row1.aspx

To read FFFF’S October 2, 2019 lawsuit against the city for withholding public records, visit: https://www.fullertonsfuture.org/wp-content/uploads/2019/10/petition-for-writ-of-mandate.pdf

Exhibit D of the lawsuit includes a link in response to Ferguson’s public records request to the city web site where the SB 1421-required records of numerous police officers are posted. Visit: www.cityoffullerton.com/sb1421.