The most interesting part of this story is the potential legal risk of holding onto the records that were improperly disclosed.
Had the author not notified the city that they had royally screwed up by divulging far more sensitive information than they had realized, they likely would have never realized the error, and he would have been free to do whatever he liked with the data.
But once he notified them of their error, and they realized that the data was now in the hands of someone who should not have been given access to it, there is an interesting legal question about whether he has the right to keep it.
If this were physical property, or money, then there is a lot of case law around what happens when you find yourself in possession of something that was given to you by what was clearly a mistake. If a car dealer accidentally drops off a new car at your address, but later realizes it was intended for another address, you don't get to keep the car. Likewise, if $100,000 shows up in your bank account because it was mistakenly deposited there, that's gonna get clawed back.
But what about data? Mere information? I think there is a pretty good legal argument that there are categories of data (e.g. trade secrets) that a person can be ordered not to possess. So I think the author made the right call by agreeing to cooperate with the city's request, even if it was the city's own colossal error that put him in that position.
Nevertheless, it would have been nice for the city to reward him for his bringing the issue to their attention, rather than immediately trying to threaten him if they didn't help clean up their mess.
For mail with someone else's name on it, sure. But in this case, the "mail" had my name on the front, back and side... plus a username and password that only I know. So yeah, not sure that really applies here.
Thank you! I genuinely appreciate the kind words. I'm hopeful I'll have the next one out by the end of the year. A less successful story, but it's a good'n.
> Had the author not notified the city that they had royally screwed up by divulging far more sensitive information than they had realized, they likely would have never realized the error...
That would be incredibly risky, though. If the city did later realize their error, they would likely assume malice on the part of OP for not telling them about it. If we think his treatment after telling them wasn't great, imagine how bad it would be otherwise.
> ... and he would have been free to do whatever he liked with the data.
I don't think that necessarily follows. He could -- and likely would -- get in a lot of trouble for publishing the extra data.
> They thanked me for bringing the situation to their attention and all that, but the mood of the call was as if both parties had a knife behind their back. Somewhere towards the end of the call, I asked them if it was okay to keep the emails. Why not at least ask, right?
>...This isn't something I'm even remotely cool with, so we ended the call a couple minutes later, and agreed to have our lawyers speak going forward.
Honestly, the city was acting in very good faith, but OP decided to troll them and refused to cooperate with the third party auditor. To this day we have to kind of accept the affidavit he signed that data is gone.
This was definitely not my first rodeo and I like to think I've done a good job in acting in good faith in future similar instances [1] for example. Every time I've reported something, the other side acts differently every single time. Sometimes they're friendly, sometimes they put out obvious traps ("prove it that you found HIPAA sensitive info"), and sometimes they're just thankful it didn't go worse.
You gotta realize that we live in a world where people have been prosecuted for using nmap. So we have to ride a fine line between careful and aggressive.
I don't expect this to be a thing that stops happening as I continue sending FOIAs. Recently a police agency released to me thousands of social security numbers from ALPR scans (of all things). When I reported it, they shrugged us off and asked us to redact the documents ourselves. When we refused (why would I accept that liability) to, they redacted more, but left in about 800 more SSNs.
I get it. But as someone who has worked a lot of helpdesk and customer service roles in my life, all I can do is whinge. These departments clearly do not have the processes or experience to respond correctly, so the brunt of the pain is going to fall on inexperienced and overworked public servants whose whole job is to be harassed by citizens. So please be nice!
Heh, the city called me a good samaritan for acting in good faith, plus completely redid their entire process afterwards, including escalation paths to make this sort of thing less aggressive and conflict oriented in the future. So, uh, I'm honestly not sure what to say when things ultimately ended up better in the end.
And fwiw, I've worked at a high volume help desk too.
That's basically the opposite of the City of Chicago who did pretty much everything they could do behind the scenes to frustrate and ridicule you just for asking for some public information.
Your Seattle exchange makes perfect sense when you connect the people and the tech. You're using web3 thinking to interface with people using web2 tools to manipulate web1 software reading data from web0 systems. Sending and receiving info through this system is sometimes literally a game of telephone, but the translation steps will be set in stone.
E.g. Your email sent to IT was routed, unread, to another department. That department starts their rudimentary FOIA process which includes submitting IT-Request-4 regarding your specific date and field range. IT-Request-4 does not come with context. Seattle's IT department now specs out adding fields to a production database and adding your custom export to the end-of-day batch. They spec out additional hosting costs because IT-Request-4 was designed as a way to create data pipelines.
At this point there are only three people involved and they each have a different view on what's happening due to a knowledge gap. You could eliminate this (imho) by providing motivation and context in your initial request.
I wonder how these exchanges would look if you sent a 'pre-FOIA' heads up to specific departments in a city, introducing yourself as conducting a large-scale survey of FOIA processes and letting them know your request will revolve around a year's worth of email metadata. It feels like this could be a more collaborative process.
I would refuse to cooperate with the third party auditor as well. No one gets to scan my hard drive without a court order. And even then, I wouldn't provide the decryption passphrase unless I was legally required to.
Even though there isn't anything illegal or incriminating on my hard drive (as far as I know, anyway), I wouldn't agree to let someone violate my privacy for a mistake they made.
Regardless, this whole thing would be "verification theater". OP could have copied the records out to a flash drive before deleting them from the hard drive, and hid it in his floorboards, and there'd be no record he did that. Third-party audit would say "yep, looks like the files have been deleted off the hard drive", and that would be that.
Also, "good faith"? The lawyer OP ended up talking to said that their behavior seemed to indicate they were moving in the direction of CFAA charges. While we can't know that for certain, that's quite the opposite of good faith.
And did you have to sign it? What would have happened if you hadn't? Why do you have to sign a legally enforceable document because some idiot messed up?
Not OP, but signing it probably made the mess immediately disappear. Even if there was no legal requirement, the stress and potential expenses are not worth it if the data was genuinely deleted.
Taking a moral stand has costs that not everyone can bear.
And besides it’s an affidavit not an NDA. It’s just a legal document claiming that what he said happened, did in fact happen. Not sure what the moral stand is here in not signing it?
I would have to be legally compelled as well. The city may trust their auditor with my private communications and access to my financial accounts, but I do not.
>… and refused to cooperate with the third party auditor
Well, yeah. No way I am letting someone scan and archive my drives/data to correct their mistake. They broke other people’s privacy and now they want to break mine? Pound sand.
Even if they could prove my drives had been wiped, that would do nothing to prove it had not been otherwise copied elsewhere.
Uranium is illegal to possess and is a tangible object. Data is intangible and can be copied. If Matt gave into a request to search his hard drive, said search could extend into other devices, online accounts, etc. And that wouldn't even prove that he no longer possesses the data
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Yeah, who the hell does this guy think he is? We want to explore every nook of his house and he gets uppity? Clearly something to hide.
How is that hostile? To be aware of your rights and state they can’t do an illegal search?
Demanding a warrant to be searched is not hostile it’s the equivalent of saying no thank you. Hostile is when they have a warrant and you still refuse.
You cannot get a warrant without probably cause that a crime has been committed. So asking for a warrant to search your computer is literally asking to be charged with a crime.
IANAL, but demanding a prosecutor and judge be involved when dealing with an IT department is really dumb. If you can just agree with their legal team (and your lawyer) on the stipulations of the search and confirmation, you can't be charged with further crimes if they find anything ("fruit of the poison tree"). But insisting on getting hit with a warrant means anything they find can be used against you.
> You cannot get a warrant without probably cause that a crime has been committed. So asking for a warrant to search your computer is literally asking to be charged with a crime.
That is just completely 100% wrong. Warrants are not (or at least, shouldn't be, your mileage may vary based on your local authorities) issued like candy. Prosecutors and judges issue warrants when there is probable cause to search in the event of a crime being committed by you, or simply being committed within an area to which you have access that the public does not. That does not mean you are being charged with a crime. I would agree that more often than not, if you are having warrants issued for searches of your home or business, a criminal prosecution for you is probably not an unreasonable thing to be concerned about, but these are not the same thing. One absolutely happens without the other all the time.
> If you can just agree with their legal team on the stipulations of the search and confirmation, you can't be charged with further crimes if they find anything
This is the same fallacious thinking as "If I've committed no crime I have nothing to fear from being searched," and that's not the point: the point is it is your right to privacy that they are demanding they now have the right to encroach upon to ensure the secure and to-their-satisfaction destruction of data they erroneously sent you which cannot be performed without some element of highly invasive search, and also cannot be requested without the implication that they don't trust you to have deleted it.
This institution regardless of your individual opinions on it does not have your interest at heart: their negligence has placed the two of you as legal entities on opposing sides of a legal affair that can incredibly easily escalate to a conflict. Your lawyer is your FIRST call in this situation, and after that, you shut the fuck up and let your lawyer do their job.
So regardless, by demanding a warrant you would be insisting that the IT Department declare a crime had been committed in the first place. Even if you wanted to defend the legality of you holding onto ill-gotten data, why would you want to get the prosecutor involved at all? Getting a warrant on your property is the worst possible outcome here.
I agree you shouldn't do anything without a lawyer closing looking over the stipulation. But demanding a warrant is probably the dumbest available option. Especially when they already know you have the thing they are looking for!
>Especially when they already know you have the thing they are looking for!
I disagree, the conversation went that they wanted to Verify it was deleted. That is totally out of grounds for the city to want. The data in this case is contraband, but it was leaked by the city, and hosted by the city in the FOIA portal.
It totally misses the point, you should never consent to a search to verify you don't have it, especially to a third party. Ever. They want to poke and prod around, then it's a warrant and strict chain of custody. None of this third party forsenic firm stuff.
> If you can just agree with their legal team (and your lawyer) on the stipulations of the search and confirmation, you can't be charged with further crimes if they find anything ("fruit of the poison tree").
This part is completely wrong. “Fruit of the poison tree” only counts if the original search was illegal. If you let them search for something specific, nothing is stopping them from using anything they find, even if it wasn’t what they were searching for (as long as they found it during the normal course of searching for the thing they were supposed to be searching for)
If you get to define the terms of the search with a lawyer, wouldn't that make the terms of any additional snooping illegal?
Again, I get that a warrant is a great bar to them searching your stuff. But if they already know you have what they are looking for, a warrant seems bad!
Friend, I don't know how to say this politely, but I'll try my best: you're really missing something fundamental here and I'm not sure what it is or why you're so persistent on thinking it's okay to allow a government agency full access to your drive through third party contractors. Please, for your own sake, do some independent research. Or talk to a lawyer. Or read articles about prosecutorial abuse. Many of us have told you this is a bad idea and in no uncertain terms: it's a BAD idea to allow unfettered access to your shit.
I highly recommend you take an afternoon off and sit in a criminal court room and watch how criminal cases progress through the system. Especially for things like drug crime, and especially when evidence is weak. You will learn so much.
Well, all of them really. Sure, no warrant you can make an attempt to drop evidence because of overzealous police/executive power if there was no consent but the idea is to require documentation and to make sure the state (in this case) crosses their T's and does their I's before they can engage in this sort of conversation. Many times, if the case is weak, or not enforceable, a judge will not sign to execute the warrant or said people that want to search will not try to get one (either knowing it wont be granted or it would be denied.)
With the warrant demand talk, I would also say that once you make the demand - you give an address where you recieve service and do not follow up or communicate anymore.
> Many times, if the case is weak, or not enforceable, a judge will not sign to execute the warrant or said people that want to search will not try to get one (either knowing it wont be granted or it would be denied.)
Absolutely. Demanding a warrant is your protection against a weak case. But in this particular case, OP has already told authorities that they possessed contraband. The authorities already have everything they need to exercise a warrant. So insisting on one here is the exact opposite protection.
Again, OP was smart and worked with a lawyer to deescalate.
I don’t speak for all of us, but I would certainly be one. The “particularity” feature of a warrant would be a primary concern, as would be the involvement of someone other than LE (I.e., the magistrate or judge signing the warrant).
Again, in this particular circumstance, where OP has already admitted to being in possession of the files, would there be any difficulty in obtaining a warrant for all of his computers?
I'm honestly curious as to what there would be to gain on insisting on a warrant rather than just agree to some deal and avoid criminal proceedings.
So the feds can just ship anyone uranium, then insist on searching their house “to confirm it’s all gone”, and you think they’d be able to get a warrant to do so if you refused to consent?
Bypass anyone’s Fourth Amendment rights with this one weird trick discovered by some guy on HN (civil rights attorneys HATE him!)
I don't think the OP trolled them. It's their mistake, and he pointed out the mistake. "We'll hire a contractor to do whatever they want with your computer, or you go to jail." is not a fair way of resolving the situation. It cover's the mistake-maker's ass at great cost to the person who reported the mistake.
Would you ever use a computer again if someone else of unknown intent had unlimited access to it for an extended period of time? I certainly wouldn't.
The suggested remedy isn't even effective. You can't prove that you deleted something. It could all be on an SD card buried under a rock somewhere, regardless of what the consultant finds.
Frankly, given the track record of cooperation, the first offer should have been "just delete them and sign an affidavit attesting to that" which is exactly what happened.
The intent could be either confirming the deletion of the data... or trying to find evidence to charge you with some kind of crime for having the data in the first place... or trying to dig up random dirt. Services which Kroll conveniently seems to also provide.
A warrant is only required for a police search. You can agree to have anyone search your property as a resolution to any legal agreement if you want to.
A warrant is required for all government search, and I can just as easily waive my right for a warrant w/ the police.
In fact, a workers for the municipality is the very last government level Id want snooping in my house. Next thing I know Im getting fined for having the wrong colored bathroom tiles.
> A warrant is required for all government search,
False. (As, also, is the upthread claim that "A warrant is only required for a police search")
Reasonableness is required for all government search, warrants are usually (but not categorically, there are all kinds of established exceptions to the warrant requirement) required for reasonableness.
For example, if you enter into an agreement with your state to be a foster parent, you also have to agree for the state to inspect your home regularly. It's part of the agreement - no warrant required.
The state is free to make search a condition of an agreement. So if the state wants to say "Agree to a search or we will pursue criminal proceedings", you are free to accept or deny their agreement.
Agreeing to a search as part of access to a nonessential service is quite different from being extorted with the thread of criminal proceedings if you don't allow them to violate your rights.
I think this point is needlessly pedantic because it hasn’t much to do with the topic at hand. GP’s point was that you were wrong to say that warrants are _only_ required for police searches.
The search we’re talking about here is very much the kind of search that warrants a warrant.
At least in the state of Washington, only police officers are authorized to execute warrants. So I don't feel like I am being pedantic. If you are saying it requires a warrant, it's officially a police search.
I feel like I am taking crazy pills in this thread and no one has an idea of what a warrant actually is and they are just throwing it around like a magic word.
So they make a grave mistake from a data protection point of view.
Why do I need to give a contractor access to things on my drives like my work contracts, bank statements, other contracts, encrypted SSH keys, as well as some information other people gave me to keep redundant - because of their mistake?
Especially because the average one of these contractors doesn't tend to exude competency. You know, like the first party I'm talking to which caused this whole disaster?
Especially because it wouldn't help. If I wanted to, I'd have drives they don't know about, or containers they can't recognize.
Are you kidding? Let some contractor a local government hires copy your drives? Those people will be incompetent at best. Protecting your property isn't "trolling".
OP could have easily copied the contents to another disk or remote server if they were malicious, and then still complied with the search. There is no way to prove the data was never moved to another system. That is besides the point that their mistake should not become his problem to deal with.
As it should be- think of the possible abuse if a government entity could send you private information 'by mistake', and then be able to mandate a search of your property for that info.
The US doesn't, as far as I'm aware, have any encoded right to one's personal data. Furthermore, copyright in the US does not extend to databases, such as a list of records. So there isn't a clear legal regime under which to prosecute someone for holding onto records they recieved improperly. Physical property and even some coyrightable data would be a different story.
The City said they were going to go for a fraud and abuse case. I have 0 experience with that subject, but I would assume there would have to be an action, or intent of an action, to make it a crime. I wonder if the data simply existing on a hard drive would be enough to convict.
Now that I think about it, I don't think I have a strong moral conviction against a judge ordering someone to delete data that contains sensitive information they received in error. Jail time and a fine? Absolutely not. Forcing them to delete (and confirming deletion)? Yes.
You're right, my wording was imprecise. My point was that he could have continued to delve into the information without anyone hassling him, unless the city independently discovered their mistake. But you are right to point out that he still would have been somewhat limited in what he could do with the data without arousing suspicion.
I'd think he has the right to keep it. That right also comes with any criminal liability associated with improperly handling or releasing that data along with any civil damages that follow from the same. You'd be foolish to actually want to express this right.
However, there is zero chance I'd acquiesce to a third party high end security contractor like Kroll in to "scan my systems." I found that a little bit disturbing for a city to unleash it's world wide third party contractor on an unsuspecting civilian that was trying to help them out of a _legal mess_ they created.
Government IT is famously expensive, and so often a disaster. I recently needed to open an account with a local agency. The fun started with two date fields on the web form, which turned out (trial and error) to require different formats.
I finally received my credentials, but they didn't work. Assuming that the password was likely the problem, I tried the password reset function, only to get a 404 error.
The person I corresponded with was very polite, but it took three resets on their end, before I could finally log in.
A private company with these issues would go out if business. The government probably just hires another incompetent dweeb, who will have a job for life.
The government probably has outsourced this to the only company which bid based on some "anti-corruption" or "fair-trading" rules which were passed. There is of course no way to hold that outsourced company to account.
More like the company made the lowest bid, and their bid was intentionally lower than the actual cost of building what the agency wanted built, so they did the least work possible to get it to vaguely work, and moved on.
...and internal rules will mean that the lowest bid will have to be taken.
Probably a bit of both. I'd be very nervous about jumping through the hoops that come with supplying to government -- hoops the people working in the government don't want, but ones that have been put in by politicians for various reasons.
External rules too. In the US, some state legislatures like to take away local control from counties and municipalities for political reasons. An IT manager for your city might know what the best solution would be, but depending on the State's bidding requirements they may be forced to take the lowest bidder even if they know there will be issues, but they meet the basic requirements of the ask. They need to teach government RFP/RFB writing in grade school.
It’s funny because I once had to hand edit the form on an experian website to sign up because their stupid UI wouldn’t let me enter in a date in the right format
Oof, when I started my new job this year, my I-9 form was rejected with what turned out to be two date fields with different formats. That took some debugging on my part to figure out. :/
Argh. I used to work a lot in open data, including a stint within the open data department of a major city government.
This kind of behaviour does nothing to advance the cause. It just perpetuates the belief that open data and FOI are massive waste of time and resources and open legal risks for no good reason.
I'm also pretty surprised that people think email metadata from government is legitimate open data. Do you think it should be public how many times you have emailed government and gotten a response, and to which departments? I don't.
> I'm also pretty surprised that people think email metadata from government is legitimate open data. Do you think it should be public how many times you have emailed government and gotten a response, and to which departments? I don't.
on the surface i agree with you. beneath the surface, other governmental units already possess all the metadata for your emails/phone calls, it would be a weird bit of asymmetry to say it’s okay for them to have your metadata but not for you to have their metadata.
it’s not a perfect mirror, for obvious reasons, but if OP went on to show that this metadata is powerful and push that neither side should be collecting that type of metadata, then that’s a single legitimate use i can think of for this kind of FOIA.
None of this is open data. Open data is data that's released on a discretionary basis; often times a FOIA request for the same data found within open data has a legal requirement for redaction. We see this happen all the time. What's worse is that at the executive level, eg chief data officers are often forbidden by legal teams from interacting with the media and adjacent orgs. I've literally been told by a CDO that they cannot speak with me.
My go-to phrase for open data is, "open data is a lie". Because at the end of the day, we have zero legal recourse to validate that what is provided through open datasets is complete, both in terms of available columns and available rows. Very rarely will it ever be explained why, or even if, information is missing. And the subsequent effects of that lead to a deep public misunderstanding of what's going on. And much of it is intentional out of explicit fear that the public will misinterpret the data. So we go through FOIA instead and we end up going through legal battles. There's a reason I've had to do ~10 FOIA suits.
tl;dr: open data is nice, but its lack of rigor and accountability makes it effectively useless for anything that requires depth.
Perhaps you missed the bit where I said I worked in open data for years, including inside government.
They are two very different processes, yes. Open data tends to connect you with technologists and subject matter experts who want to talk about their field. FOI tends to connect you with lawyers and governance gurus who want to find reasons not to give you what you want.
Around here the FOI processes are getting slower and less forthcoming, in defiance of the law, and ridiculous requests like these ones do not help make the case for their support.
I've spoken to many people inside government who work on the open data side. To be blunt: the signal to noise ratio isn't very good in terms of whether someone actually knows what they're talking about. So please consider my reluctance to take much of what is said as a product of being lied to for years, both intentionally and unintentionally.
Yes, FOI processes are getting slower and yes we're going to keep suing. What other choice do we have? One thing to consider is that SO MUCH of that is a product of gov agencies simply not preparing their documents in a way that makes them FOIAable. So much can be done that simply isn't -- a significant amount of which is very intentional (eg, police records) in an intentional violation of the law.
We're not trying to be dicks in all of this. We just want to know what's going on. So yours (and many others in your position)'s clear desire to think of us as adversaries rather than simply people who want to know what the fuck is going on is blinding your vision.
Get out of your head as a person in government and start thinking as a person who's at least empathetic towards the frustrations of a tired public that constantly lied to, deceived, and fed communications that are perpetually weighed down by legally reviewed PR releases. We can do better, but sure as hell not with your defeated attitude.
One thing to consider is that 'government' literally constantly advertises the opportunity for you to get credentials to their system and prepare documents themselves. They will pay you to do this.
> So yours (and many others in your position)'s clear desire to think of us as adversaries rather than simply people who want to know what the fuck is going on is blinding your vision.
Yea, I don't work in his position or any government position, but you are being adversarial. And, whatever you're trying to do, you're being a dick in at least this comment.
Maybe. But again, please try to view it as an expression of years and years of frustration. The stakes are high with this shit. When we are denied access to records, the implications are often as serious as literal deaths, sexual violence, and systemic abuse of millions of people.
I am familiar with the system and many serious problems with it. Some people who want to fix things about government go work there. You are complaining that they think of you as an adversary, but it's clear that you are thinking of government employees as adversaries, who have been frustrating you for years, and at least sometimes you're clearly being a dick about it.
You're attributing way more malice than I think is warranted. Take a breath, friend. I've been largely calm and collected in this conversation, but you've (ironically) raised this to a higher adversarial point. I have no ill will towards you.
Funny enough, I tried to get a gov job recently. A chief data officer job in a niche group which I think I'd do a damn good job at. They denied me immediately because I don't have a degree, despite my qualifications. So yeah, I actually agree to a point that joining gov can be a way to 'fix things'... but, welp?
But even further, I have tried working with gov agencies on issues I've felt deep anguish towards. In late 2019 I did a significant amount of free data analysis of Chicago's parking tickets for the Chicago mayor's office to show how excessive ticketing can be. They reached out to me, they said they loved the work, but did shit-all with it. Later that year, the mayor ended up doing a 180 on the desire to have more-just ticketing policies. A month after I gave them that analysis, in a FOIA lawsuit trial, the city's counsel threw me under the bus by arguing that my end goal in that litigation is to gain access to their data so that I can modify it. Completely baseless argument that actively ignored that I put significant effort in trying to help with the highest office of the city. For free. So dude? I've fucking tried. In the end the city acted (and acts!) like a bully for the sole purpose of winning their cases. When that's the standard of behavior we receive, it's a damn wonder we even try to make any intentional effort to be kind.
Also, when I've been told over the phone and email countless times, "we are not obligated to answer questions under the law"... even for the most basic of things.. it's pretty clear where the disconnect is.
I could go on with these stories, but since it really sounds like you didn't read the article I shared -- please do, and you might better see where many of us are coming from.
> I'm also pretty surprised that people think email metadata from government is legitimate open data. Do you think it should be public how many times you have emailed government and gotten a response, and to which departments? I don't.
In Sweden, when you contact the government by web form or mail, they warn you that every communication is by law part of the public record (metadata and contents), and you should not include anything sensitive that you do not want divulged.
Having worked as a sysadmin on the other end I can almost guess how his initial request was received.
As many others do they only read part of his request and were dumbfounded by the scale of it. So in their minds he was requesting way too much information and they probably spent days at the water cooler laughing at this guy under wrong pretences.
Eventually someone realized their misinterpretation and proceeded to make the dire mistake of exporting the e-mail headers with a cut off at a hard coded value I'm assuming. Instead of parsing out the headers from the email.
And it wasn't until he pointed this out to them that they started taking him seriously. :D
I'm also a sysadmin who unfortunately found that attitude familiar. Some IT groups really do create these toxic environments where it's common to make fun of the people they serve.
I certainly don't expect IT groups to bend over backward for every request or be polite in the face of real abuse, but the toxic shit that is said at the water cooler is never that. It's literally insulting people's intelligence or taking pleasure in people's pain, especially if it involves exercising their power over users.
Oh... this reminds me of where the Assessor of my county threatening to call the cops and inform them of me wanting public data; attempting to charge me thousands of dollars more for records that should only cost the amount it takes to duplicate the records; and more...
1. From address
2. To address
3. bcc addresses
4. cc addresses
5. Time
6. Date
correlates person-related information (who was in contact with whom at which date and time). storing it, let alone processing it is only admissible on a need to know basis. even if you jump through the hoop of an officer acting on behalf of Seattle is not a person any more, which is a stretch already, even then all email addresses outside the Seattle gov domain are completely taboo without a court order and a cause (and being criminal investigator)
I agree that government records should be open and are good for transparency. The problem comes when people don't realize that something they're doing would put all of the personal information they've submitted into the public record, or when it's required to do this to access a service.
In Washington, and Seattle specifically, doing something as simple as reserving a park space or signing up for a constituent newsletter means a public record has been created. Data brokers and people who want to "just reach out for a simple conversation" and political parties routinely make grabs for this data to populate mailing lists and the like.
That's annoying and shouldn't be a function of public records laws. We exempt utility billing records, even when the utility is owned by a city, and library card data and so on. Asking for a service from the government should be wholly exempt.
The counterpoint is that as a citizen, I should be able to find out who keeps renting out the park and ruining the grass because ultimately, we the people hold the government accountable.
In the early years of the rollout of federal income tax, the government lacked an IRS to enforce the code. They addressed the issue by making income tax filings public knowledge, so that if individuals saw that, for instance, their neighbor was claiming poverty income on their spacious mansion with the new well-appointed carriage house, they could sic the feds on them. Today, many states still post the voter rolls (and their status, such as "out of town for this election") at voting places because it's considered to be part of the public's right to defend the vote by noticing that Steve said he'd be out of town (or moved last month), but here he is in the voting line; is he trying to double-vote?
We have learned to our chagrin that such data is functionally useless to joe average voter because he is far far too ill informed and ill positioned to use it.
For instance it's incredibly easy to detect double voting if you have to check in at the polling location and send your ballot in in a signed envelope how on earth would it be possible to miss such?
What can happen and does happen to thousands of folks in an election with over a 100M voters is folks plan to be out of town and come back.
Lets be mean. When you thought of this sort of circumstance is an imaginary problem that would have thousands of false positives and zero true positives.
You ably demonstrate why its useless to crowd source election integrity because the crowd doesn't know anything. If you need further evidence look at all the other imaginary election fraud from causes as simple as not understanding things like
- people cast legit votes then die weeks or months later
- people move in area and forget to update their voter registration
- people have the same first and last name as the recently dead/moved/imprisoned/otherwise ineligible
We already do this and put up with it with mailing addresses. The only difference is that the transaction cost of your email address is basically nil compared to your mailing address.
So, email addresses kind of suffer from the same problem as Social Security numbers - they were never designed to be private information! But they have been forced to fit that role.
And, you know, cities have no problem giving out personal information all of the time. Your personal address, or whoever owns property in a city, is a matter of public record. And so the city has no problem handing out your name and address to anyone that asks. Your email address is much lower stake.
The issue isn't that email addresses are private information, it's that they are personally identifiable.
[EDIT: to be clear, the following refers to the GP comment referring to in Europe, where as the parent comment is clearly US-centric]
Even if you replaced every distinct e-mail address with an ID or hash or whatever, they would still fall foul of GDPR because that ID or hash would become PII. You might say that's impossible, but for instance, if you knew that you happened to send specific e-mails to people in that dataset, you could correlate the times to discover your own hash, then filter by your hash and use the times to correlate with who you sent them to. Now you know the hashes of everyone you corresponded with, and can do PII-based analysis on that, e.g. how many people e-mailed them and when, whether they responded, who else they e-mailed after receiving those e-mails (so you might be able to start identifying colleagues etc), etc.
PII, even in what looks to be anonymous data, is very valuable to people who are determined to mine it, which is why typically data such as this should only be disclosed in aggregate, and usually after verifying that each aggregated set of data actually covers a large enough group of individuals that also can't be correlated another way.
Public records are for the public! I both love and hate it. I think it makes sense for citizens to be able to check in on what the govt is doing. Unfortunatley the govt likes to keep tabs on a lot of things and it'd sure be nice if they didn't and it'd be even nicer if those records didn't have to be public.
If you think that request was bad you should look up the history of LexisNexis. Their bread and butter is requesting data and collecting it all into a single database that you can use to background check anyone the american government vaguely knows about.
There also used to be a site called masscorruption that I'm pretty sure focused on a single county government in massachusetts run by some whacker with an axe to grind. He filed a FOIA request for every image file on a government desktop, which was fulfilled, and he went on to publish the employee's personal images that probably should not have been stored on a govt computer.
At my workplace whenever I put a government employee in the to: line a banner appears in outlook informing me that the message I am writing can be FOIA'd. Especially with local govts you just never know how people are going to get activated and what will be interesting to them.
Whoever the author is has a totally different view of "metadata".
Metadata from my perspective would be "general amount of emails", (possibly) "address blocks (just involved, not from/to/bcc/cc)", "time frames" (with large window averaging), (maybe...) "very vague categories".
That’s true, but remember that these are government employees. All business that they conduct is a matter of public record by definition. They are required by our laws to maintain a record of all actions and communications, which anyone is allowed to consult. Technically they’re not supposed to use government resources for private communication, and legally they are not allowed to use _private_ communication resources for _public_ business.
No, they aren't. 'They', being the people whose email addresses are being released, includes everyone who emails or receives an email from a government official. Thought you'd like to receive updates on the construction outside your house by email? Now it includes you.
Yes, they are. Virtually every consequential interaction you have with the government ends up as part of the public record. You don’t have to do that via email, and if email is convenient then having two email addresses is not that difficult. There are well–known exceptions, such as library borrowing records, which are exempt and have been since long before email addresses were invented.
No, you misunderstood. Perhaps I stated it poorly.
My statement is that every interaction with local government in the US generates a public record. This is true even when email is not involved. For example, let’s say that you have purchased a property. The deed is registered with a county government. The tax assessor decides how much property tax you will owe. They record whether you have actually paid that tax or not. All of these records are public information, and there is very little concession to privacy. In the US, there is no expectation of privacy around these records. Anyone in the US can look up these records for any property at all, and your name is there for all to see. The amount you paid for the property is there for all to see, and so on. Your phone number and email address would be there too, except for the fact that they don’t collect or store that information. They don’t need too, because they always do business with you by mail. These days you can also use their website to pay your property tax, or to look up information about a property you are interested in, but that is ancillary.
The same holds true for almost all other ways that you might interact with the government. Building permits and inspections are public records. Arrest warrants are open. Trial records. Water bills are public records, if the water is provided by a utility owned and operated by the government (varies from place to place). Drivers licensing is almost entirely open. Vehicle registration. Bids on providing goods and services to the government are only sealed for a short time; once the winning bidder is selected all of them become public records. All of this is business as usual in the US.
Finally, all of the official communications of government employees and elected officials, whether internal to a government department or not, are public records. That means that if you talk to a mayor, whether by phone or by email or by written letter, and the mayor is acting in an official capacity, then the entirety of your communication is a public record. That includes the type of communication, how it was delivered, your phone number, your email address, etc. All of it is to be recorded and made available to the public upon request.
Of course public records may contain information that is not public. When a member of the public requests a public record, such non–public information should be redacted from the copy that they receive. That includes things like credit card numbers and social–security numbers, but not necessarily phone numbers or email addresses. Especially not the phone numbers or email addresses of the parties to the communication. Maybe it’s different where you’re from, but here those are important parts of the public record. If you want to talk to the mayor but don’t want your email address to become part of the public record, then don’t talk to the mayor via email! Write a letter instead.
> This isn't something I'm even remotely cool with, so we ended the call a couple minutes later, and agreed to have our lawyers speak going forward. ... After that call, I asked my lawyer to reach out to their lawyer and was pretty much told that Seattle was approaching the problem as if they were pursuing Computer Fraud And Abuse (CFAA) charges. For information that they sent. Jiminey Cricket..
Not addressing the main thrust of the article I know, but I am genuinely curious: do a lot of people have a "my lawyer" ready to go?
I don’t think it’s necessarily common in general. But it’s not surprising to me that someone who files a lot of public records requests has one, as a lawsuit is your main recourse if they refuse your request or demand fees you think are unreasonable, at least in the jurisdictions I’m familiar with.
I'd think it's pretty common. It's not necessarily "on-call" as in "waiting for you", but depending on what you do, you end up having contact with different lawyers in different areas. And in doubt, it's better to stick with someone knowing your situation.
Like, I had a few issues with the last place I rented, and during that, I entered the Mieterschutzbund, an association for tenant protection. Through this, I can get access to an hour of consulting with an expert from the association as well as one or two hours of a lawyer specializing in tenant laws. This doesn't take much longer than 1-2 days. So I guess I have a tenancy lawyer on call.
It's pretty common. My wife and I have a lawyer friend who handles small matters for us for the low, low cost of buying her meal the next time we go out. Plus I fix her (aluminum wired) electric.
There are 1.3M lawyers in the US according to the ABA. There are 250M adults in the US. I find it hard to believe that this is common (if "pretty common" means more than ~20% of adults?).
Yeah, I think took that into account in my estimation. Not every lawyer will be willing to work for free for a friend (it's like doctors constantly being bombarded for free medical advice, or software engineers constantly asked to provide free IT services to fix people's computers/phones/routers/network). I also assume that law is highly specialized, so a lawyer specialized in Constitutional or Patent law may not want to handle Family law, Contract law, Employment law, or Personal Injury law.
I figure the number of lawyers willing to do such small favors is in the range of 1% to 10% of the 1.3M (wild guess). So if each of them had 100 friends-and-family "clients", it still wouldn't add up to "pretty common".
Yeah. I have three lawyers amongst very good friends and family. They are all up for general discussion about law or a bit of basic research. I don't think any would go as far as writing a letter on my behalf.
For all emails sent to/from any Seattle owned email address in 2017, please provide the following information:
1. From address
2. To address
3. bcc addresses
4. cc addresses
5. Time
6. Date
Is this really a reasonable request that the government is expected to answer? Doesn't this expose a bunch of private information about government employees and the people they interact with? I understand this post (and apparently the law) takes this as completely normal thing, but it seems really weird to me.
Some examples:
* exact times people are getting in/out the office (eg. the time in the morning when a person first answers an email from their boss)
* full information about holidays taken by all employees (eg. days/weeks during which no emails are sent)
* friendships or relationships (eg. any communication between employees that doesn't follow from the hierarchy or from team delineations)
* information from criminal investigations (eg. an investigator sending an email to the parking fine department probably means one of the cases they're working on is related to parking fines)
This all seems a huge privacy leak? Should this stuff even be called "metadata" if so much can be derived from it?
Very much so! Since writing, I've since gone into freelance investigative journalism and nonprofit work focusing on gov transparency. A lot of what I learned has fortunately been applicable to a lot of investigative work. I need to write more about my own work, but time time time.
This is why city council member Dan Strauss, when going door to door campaigning, gives out his personal Gmail address rather than his city of Seattle address.
It's generally illegal for public employees or officers of any kind to make more than incidental use of public resources for any personal, rather than public-business purposes (political or otherwise), and further its even more illegal for public officials to use public resources for political campaign purposes.
So, yeah, using a non-city email address as his campaign contact email seems not only legal and ethical, but probably legally and ethically mandatory.
The main body of the rule is "No state officer or state employee may use or authorize the use of facilities of an agency, directly or indirectly, for the purpose of assisting a campaign for election of a person to an office or for the promotion of or opposition to a ballot proposition. Knowing acquiescence by a person with authority to direct, control, or influence the actions of the state officer or state employee using public resources in violation of this section constitutes a violation of this section. Facilities of an agency include, but are not limited to, use of stationery, postage, machines, and equipment, use of state employees of the agency during working hours, vehicles, office space, publications of the agency, and clientele lists of persons served by the agency."
EDIT AGAIN: Looking at that again, that is specific to state officers or employees, so may not be applicable to city officials, but represents the kind of rule that is commonly in place.
He's the currently serving incumbent. When he gives me an email address, it's not as if I'm going to be contacting him inquiring about the details of his campaign. It's more likely I'm going to contact him about why the police are dragging their heels to assign more patrols around Ballard high School where more than five students have been mugged, some at gunpoint, in recent weeks.
Sounds like he's trying to keep campaign activities separate from work activities. Doesn't sound necessarily unethical to me. Using your position as a public servant to use public resources for campaign purposes is what strikes me as unethical.
He's implicitly admitting that he conducts civic business via his Gmail account. That means his Gmail account contains public records and is thus subject to FOIA requests.
I'm not sure if city councilors are subject to such public scrutiny but it's still really stupid.
Nope, you are correct, I completely over-looked the "campaigning". Campaigning is actually supposed to be kept very separate from civic business. Updating my comment.
I have to say, Seattle seems to have some very cooperative clerks. Here requests for large datasets (or extracts thereof) are more likely to be denied based on various phony reasons or the copying valued at ridiculous prices nobody's backing down from. That you got this data without involving at least one appeals process is pretty good.
That said, I mostly only make "difficult" FOIA-equivalent requests. Routine requests for specific documents are mostly no trouble here.
Companies and governments will always undermine privacy either by incompetence or because it's good for business. In every case the only party that benefits from more privacy is really the end user. So what can we as users do about this? Is there an email service that can generate unique alias addresses? just.for.bloated.govt.dept.123@xyz.com would really help but I'm guessing the big companies like Google and Microsoft have no interest in privacy.
Most self-hosted email lets you set up a wildcard address and blackhole or tag mail send to particular addresses at will. Fastmail has a 1Password integration that automates this and lets you use @fastmail.com as the domain, but using a wildcard with any provider isn’t much more difficult.
How do I find more information out about FOIA requests?
Also, in your post I think you mentioned "FOIA junkies" or something along those lines, this implies to me there's a community of people who understand this stuff and talk about it. That sounds really interesting to join. Is there a subreddit or something?
Muckrock.com is a wonderful source of information as a starting point. It has many, many, many requests publicly online. They also run documentcloud.org, which has many millions of documents received through FOIA.
There are definitely groups out there that have collectively caught the "FOIA bug". It's a very fun culture of sharing and holding those in power accountable when they otherwise wouldn't be. I recommend just submitting a random request to a random agency about something you're interested as another alternative starting point. What tends to happen, amusingly, is that once someone submits their first, then something kinda clicks in their head and they submit another, then another... then they sue. It's all very organic and it's very uplifting to see someone grow in this field. We generally try to do our best to teach others what we've learned (tactics, strategy, wording, techniques, etc). So if you pick something up, definitely share the love.
Thank you for all of this! I chuckled at "... then they sue. It's all very organic and it's very uplifting" out of context lol
This stuff is really interesting to me for sure! I guess my biggest concerns are kind of just a generic paranoia about "getting on some list" and also the kind of thing that happened in the article. They send you too much info then suddenly are threatening you and are asking to scan your hard drive. Not saying I'm deterred but dealing with government feels like a kind of frightening task at times for some reason!
So my big takeaway from this is to never email a government official or agency if at all possible, because that’s how you end up on spam lists via FOIA.
The "single line of powershell" thing really undermines this person's credibility. Without knowing how and where this information is stored, how can he possibly know what the level of effort in retrieving it is? I agree that the initial cost estimate was absurd, but you don't win any points by claiming extreme simplicity of a task you don't have full visibility into.
Easy. If I receive an email from them that contains an outlook 365 email header, then they use Outlook 365. So then just send them the command that works with outlook 365. It's literally that simple. I have a good idea of what the amount of work because I've sent the same request about 100 times and have learned quite a lot, both through conversations, email, litigation and other's litigation. If experience isn't helpful then I ask for a small slice and use that to calibrate their estimate. Estimates are usually very wrong, like it was with Seattle.
Specifically, someone had asked how a "single line of Powershell" could be useful in a FOIA request (in the marshell thread I think). This is the example.
He did refuse it, and nothing bad happened, it seems. Unfortunately, he had to get his own lawyer involved, who likely negotiated with the city's lawyer in order to get them to back off. That kind of assistance was probably not cheap for OP.
The article unpacks that a bit. IIUC, he did refuse the request, and purged the files and verified the purge using his own tools. With lawyers involved, the city became inclined to accept that as sufficient to protect city interests.
Had he dug in completely, the city was treating the situation as if they would bring charges under the Computer Fraud and Abuse Act (which I don't think precisely fits, but might have been the only leverage the city had to prevent a potential bad actor from capitalizing on their mistake).
IANAL but the city could sue, whether or not they would would win IDK, if I were fighting it I'd argue along the lines of "if I meant to misuse the data I wouldn't have told you I had it and scanning my hard drive opens up my personal data to the same potential mis-distribution that I notified the city of."
I agree with the author's reaction though, and any non-court ordered scanning of my system would have to happen under my supervision, with strict agreement on the how.
Honestly, the city had no way of knowing that he hadn't already sold the entire dataset on Silk Road, so they were instilling a huge amount of trust that he was being a "Good Samaritan".
The dataset was so large they were probably not opening up the files before sending them over. It was clearly a rookie mistake by someone who had never had to do this stuff before and wouldn't have known what to look for.
Again, the vast majority of the emails were automated alert/spam emails. So it's unclear if a random sample of the data would have turned up anything interesting to look at if you didn't know what you were looking for.
I don't agree, I think opening any of the files would have made it immediately apparent that the first 256 chars of each email were included, if that's indeed what happened as the article said.
>Some things about the dataset: It’s very messy – triple quotes, semicolons, commas, oh my. There are a millions of systems alerts. For seattle.gov → seattle.gov communication, there are two distinct metadata records
Opening a file of that size in Excel would probably crash the desktop. And this was probably a lowly admin without a lot of other tools.
The first 256 char of a lot of system emails are going to just have junk html and header tags. If you don't understand that you are looking at HTML, it's not going to be apparent that you are looking at the body of an email.
It's a rookie mistake to be sure, but the admin was clearly unfamiliar with what was being requested.
Would it really have been a XLS file? I would expect probably CSV? In that case, just running 'less' on the file (or the Microsoft equivalent) would be fine, and wouldn't tax anyone's desktop resources.
That's not a "rookie mistake"; that's gross negligence. Whenever I write some sort of script to produce some sort of data file, I always look to ensure that the data file ends up looking like what I expect.
This isn't even to ensure my data file doesn't include something private, just to ensure that it actually includes what I intended it to, and I didn't do something dumb like put the data in the same field twice, or duplicate the same record over and over, or whatever.
We are not talking about one of the geniuses here at HN. The guy answering FOIA requests for the city is the IT equivalent of the counter person at a McDonalds. I don't think it's fair to flame them for being an idiot when it's clearly a process issue.
That's not how access to email content should work at any organization, and I can personally tell you that responsible government organizations don't give it to entry level employees.
Discovery and FOIA-equivalent requests that I've seen at the SLTT level were handled with the care that is expected for potentially sensitive communications. I'm sure smaller orgs can't do it as well, but Seattle is probably going to have some money for this stuff.
I suppose this is why some gov officials use weird aliases for emails. It’s not on the up and up but it avoids disclosing potentially embarrassing or illegal activities…
> To do that right would be a full time project for a handful of people for at least months, not "a one line powershell command"
Huh? Maybe bash and not powershell, but it should be pretty simple. If they have to go into the tape backups for that data, ok, perhaps not, but a reasonable mail system should make this a fairly simple task. Even if it takes a 30-line python script, that's not a big deal, and it can be left to run unattended over how many hours or days it needs to in order to go through that many files.
> You then harangued them for charging too much -- they had to come up with an estimate, and they estimated 30 seconds to review the data they sent you for each email.
The city later admitted that its original estimate was completely wrong, because they didn't have to review the email data at all (since bodies weren't to be included). I think "harranguing" them (which there's no evidence the OP did) seems pretty reasonable when they wanted to charge tens of millions of dollars to do something that ultimately actually cost forty bucks.
Also understand that this is in general how FOIA is: people ask for information, and government agencies do whatever they can to get out of providing that information, regardless of their legal requirement to do so. It's entirely reasonable to look at initial objections from the agency with a cynical, skeptical eye.
> You then insisted they __agree not to review the data__ so you could get it cheap
Huh? The data did not legally require review. The city made a mistake initially, or intentionally lied in order to get out of fulfilling the request.
> You should have informed them, deleted the data, and moved on with your life.
That's... exactly what he did? His initial beating-around-the-bush response was designed with the hard-earned knowledge that people often get punished for reporting mistakes of this nature. Which... is what actually seemed to be happening after the city was actually aware of their self-inflicted data breach. They wanted him to submit to a third-party audit (no, screw that) and seemed to be moving in the direction of filing charges against him before he got his lawyer involved. For their own negligence!
I have zero sympathy for the city here. Regardless of why OP wanted this data or whether or not you or I think it's useful data for a citizen to have, the city screwed the pooch here, and OP's karma slate seems pretty clean to me, at least for this particular incident.
Should it be that easy to socially engineer city employees with access to huge troves of potentially confidential information?
If anything, OP did the city a favor by going out of his way to inform them. What if OP was a black hat?
Also, who cares why he wanted the data? It's his right to it as a citizen. Just like it's your right to drive around at 2am without answering to the cops, even if they find it weird.
As in, he (like everybody else) is legally entitled to have access to records our government is responsible for making available, in the interest of transparency and accountability. Be thankful there are people out there volunteering to do the testing necessary to make sure our rights are working properly.
This person is doing the dirty ground work of protecting our rights, and incurring legal fees because of it.
The entitled prima donnas are the public employees of Seattle that seem to have the attitude that they shouldn't be bothered to do their jobs properly.
If this is your attitude, I hope there are people in your line of work that make it their personal hobby to bait you into getting you fired like this guy did.
What this is is pure scumbaggery using the guise of public service. It's akin to those "first amendment auditors" on YouTube.
I'm extremely unsurprised that the Seattle Police and Human Services depts were holdouts from returning this data. Police are notorious for stonewalling these types of disclosure requests.
Really? Do you agree this data should cost 30 million dollars to retrieve? Do you agree that 10tb of storage should cost 1000s of dollars? Would you be mad if someone sent you data you did not ask for and then threatened legal action if you did not grant full access to your personal data in return?
I don't agree with all his takes. It's absurd he toyed with the idea of asking to keep this data, for instance... But I think he is rightfully pissed.
Sounds like he was fucking with people who work for Seattle and then acting indignant and affronted when he gleaned even the slightest bit of irritation or frustration in response.
What does that have to do with it? The writer could easily, with no additional effort, treat people more respectfully and get the same results. We should not celebrate casual meanness.
"slightest bit of irritation or frustration in response."
I'll admit I could have been kinder, but I'm not sure I'd call their irritation "slight". You're really downplaying the (clearly intentional) audacity of their response as well as how often these sorts of audacious responses happen. It's hard NOT to get aggressive in these communications when their intentions are clearly rooted in just making me go away. It's a very common pattern and a very frustrating one at that, especially when the gov folks are intentionally obstinate on top of everything else. Here's another example of an agency that started off aggressively and got egg on their face from their hubris to show what I mean:
"The production of the requested records for March 5, required the time of 5 interns (3 unpaid) who all worked 6 hours cutting and pasting the emails from paper copies. This also required staff time to collect and print the emails and review for the security concerns we indicated in an earlier email. The estimated cost, which was not charged to you, was conservatively, $412 for the record we produced:"
To this, followed by the records for free, after I sent them instructions:
I have been working with our IT folks and may be able to extract to a spreadsheet to fulfill your request.
But anywho, whenever I teach FOIA stuff these days I always start out with the advice to always be kind. So it's a lesson learned.
Maybe he could have been more polite, but the author‘s responses here and other blog posts make it clear that he was actually intending to use the metadata and wasn’t just “fucking with“ city employees.
Had the author not notified the city that they had royally screwed up by divulging far more sensitive information than they had realized, they likely would have never realized the error, and he would have been free to do whatever he liked with the data.
But once he notified them of their error, and they realized that the data was now in the hands of someone who should not have been given access to it, there is an interesting legal question about whether he has the right to keep it.
If this were physical property, or money, then there is a lot of case law around what happens when you find yourself in possession of something that was given to you by what was clearly a mistake. If a car dealer accidentally drops off a new car at your address, but later realizes it was intended for another address, you don't get to keep the car. Likewise, if $100,000 shows up in your bank account because it was mistakenly deposited there, that's gonna get clawed back.
But what about data? Mere information? I think there is a pretty good legal argument that there are categories of data (e.g. trade secrets) that a person can be ordered not to possess. So I think the author made the right call by agreeing to cooperate with the city's request, even if it was the city's own colossal error that put him in that position.
Nevertheless, it would have been nice for the city to reward him for his bringing the issue to their attention, rather than immediately trying to threaten him if they didn't help clean up their mess.