Trouble for the city of Fullerton brews as it faces damaging revelations from a single online blog.
Internal documents of alleged police misconduct and preferential treatment to city employees have been exposed by the blog, “Friends for Fullerton’s Future.” Devoted to transparency between city and citizens, the blog has remained an outspoken critic of Fullerton throughout the years.
Now, the blog faces legal trouble as four of its main writers face charges of hacking to publish secret city documents.
Joshua Ferguson, a writer for the blog and one of the central characters within the case, claims the charges are in retaliation after he and fellow writer David Curlee, another defendant named in the lawsuit, filed a Public Records Lawsuit on Oct 25.
Under SB 1421, a statewide disclosure law, select records, documents, photos, and evidence involving various forms of police misconduct can be requested by the public.
The City of Fullerton’s dedicated page defines the law as, “requir[ing] certain peace or custodial officer’s personnel records and records relating to specific incidents, complaints, and investigations to be made available for public inspection, pursuant to the California Public Records Act.”
Ferguson has argued that Fullerton took actions to circumvent this new law in order to hide vital information from the public. Outlined in various depositions and evidentiary documents, Ferguson repeatedly made public records requests under the new SB 1421 law. Sometimes these requests were granted; other times, they were denied.
Among the secret documents published on the blog is an incident involving former Fullerton City Manager Joe Felz.
In 2016, a drunken Felz was involved in a hit and run before being pulled over by the Fullerton Police Department. He was then driven home by the FPD. One of the responding officers, former Sgt. Roger Jeffrey Corbett, was charged with falsifying the police report in an alleged attempt to downplay the incident. Corbett pleaded not guilty and his trial is currently underway.
Another document published was a draft agreement between the city and former Lt. Kathryn Hamel, who at the time was the subject of two investigations.
The blog alleged the agreement, “between the city and former Lt. Kathryn Hamel to halt at least one internal affairs investigation if she resigned from the department, in an effort to shield the records from a new state disclosure law that allows the public to see select police misconduct records.”
First Amendment and journalist advocacy groups have swelled together in support of Ferguson. The Reporters Committee for Freedom of the Press (RCFP), an advocacy group based out of Washington D.C., filed an amicus brief, detailing the potential harm the lawsuit could bring to journalism. Meanwhile, the First Amendment Coalition Group, a nonprofit organization based in San Francisco, is following the developments of the case.
The RCFP, in their amicus brief, argued, “…the City is effectively arguing that an invitee to one part of a field ‘should have known’ that moving to another part would transform them into a trespasser…But without actual notice that a portion of the field is off-limits, an invitee cannot transform into a trespasser.”
Invoking the First Amendment, the key question is whether Ferguson had the right to access the information that he did. A divisive piece of evidence comes down to a declaration by Assistant City Clerk Mea Klein.
Klein had regular contact with Ferguson, as she was the one who processed many of his public records requests over the last year. According to Klein’s declaration, Ferguson had submitted 80 public records requests to the city since December 2017.
Her declaration details the process in which requests were granted, either through an email attachment or a link to a specific folder within the city’s Dropbox. There, the files could be accessed.
On June 6, a city employee sent Curlee a link and password to the entire city’s Dropbox. Klein elaborated that if a master link was emailed, the specific name of the folder pertaining to the request was listed. By naming the specific folder pertaining to their request, it only gave them permission to that particular folder, not others within the Dropbox.
The main folder in contention is titled “pr1919 – JoshFerguson.zip,” known as the “Subject File” in depositions, was added to the city’s Dropbox in response to records request Ferguson made. An email correspondence between City Clerk Lucinda Williams and Ferguson notified him that certain files potentially contained sensitive information and would need to be reviewed by legal counsel.
The city alleges Ferguson and other blog members downloaded documents without permission that were unrelated to a public record request while masking their identities using Virtual Private Network (VPN) and Tor proxy networks.
A declaration by Matthew Strebe, Chief Executive Director of Connetic, analyzed the activity within the city’s Dropbox to determine that Ferguson used VPN software since 2017 to access files.
Beyond Strebe’s analysis, a declaration by Christopher Tennyson, a former co-worker of Ferguson’s at Fullerton Cameras, alleges that Ferguson used Tennyson’s login information to download city files, using his employer’s Dropbox account. However, it is worth noting that Tennyson was originally named within the lawsuit, before being dropped and providing his declaration.
Ferguson has never acknowledged downloading the aforementioned folder and staunchly denies using any such software to hack into Fullerton’s Dropbox, citing a declaration submitted by John Bambenek. A specialist in cybersecurity and intelligence, Bambenek argues that the city’s Dropbox did not have any kind of password protection and allowed public permission within its settings. Bambenek continued that the use of a VPN network is commonplace for journalists and researchers while noting discrepancies within the data logs of Strebe’s analysis.
Ferguson’s defense attorney, Kelly Aviles, has argued against the hacking charges.
“ …accessing the City’s publicly accessible Dropbox account, that it failed to secure by even the most basic protections – such as a password – could never be considered ‘hacking’ under the CFAA [Computer Fraud and Abuse Act] or its California Counterpart,” wrote Aviles in an emergency appeal regarding a recently overturned gag order against the blog.
It is also worth noting that the city’s Dropbox has since been deleted. The city declined to make a comment.
To explain their interpretation of the evidence thus far, both legal teams frequently use the analogy of a house.
The prosecution argues that just because the door to a home is open, does not give a stranger the right to enter. Even if permission is given, it does not give the person the right to go through personal belongings. According to the prosecution, Ferguson and Curlee may have received access to the Dropbox, but it did not give them the right to rummage through the underwear drawers, to air out dirty laundry.
Yet, in the dozens of emails provided within depositions, there was never a printed disclosure or security warning.
The RCFP’s amicus brief continues, “Analogies between the digital and physical world are often inapposite, but to the extent they are helpful, there was no door, let alone a lock in this case. The better analogy is an open, unfenced field that one has actually been invited onto.”
At times, the city’s testimony may appear damning to the blog. However, there is enough evidence to suggest the possibility of Fullerton’s negligence in keeping confidential records out of public hands.
Regardless of whether Ferguson and the blog are guilty of hacking, what was exposed by the “Friends of Fullerton’s Future” is questionable behavior, on the part of City Hall’s conduct, that can only be explained in a court of law.