A Loveland, CO–based investigation into homeless shelters, dark money, and the council.

What this is

A documented record of public-records research into two Loveland, CO city council decisions in 2026.

  1. Ord 6807 (Jan 2026), which approved a $2.85M purchase of 599 W 71st St for use as a homeless shelter and was then abandoned on 26 January 2026.
  2. R-10-2026 (Feb 2026), which approved the Costco Build-to-Anchor Agreement involving Centerra Properties West. The same Centerra cash-flow system was the subject of the city’s Phase I audit by Ernst & Young (Nov 2025), which marked roughly $34.5M of internal transfers as identified but not yet tested.

Every claim in the chapters links back to a primary record. The chain is always one of: a recorded council vote, a recorded deed, a 990 filing, a Colorado Secretary of State filing, an audit deliverable, or a transcribed meeting. If a claim cannot be tied to a public record, it is not in the dossier.

What this is not

This is not a legal complaint. It is not a journalistic investigation published under a masthead. It is not an allegation of personal criminal conduct against any named person. Entity names and dollar amounts come from the cited filings. Inference is labelled as inference.

If something here is wrong, the source link is the place to start. The contact path for corrections is at the bottom of every page.

How records were collected

All sources cited in the dossier are public records. They fall into four categories.

  1. City civic-web portals. cilovelandco.civicweb.net for agendas and packets, reflect-cityofloveland-co.cablecast.tv for video. Open to anyone with a browser, no login.
  2. County recorder and assessor sites. records.larimer.org and apps.larimer.org. Some endpoints require a free registered account, the same one any member of the public can create at no cost. That account was used.
  3. Federal nonprofit filings. Via the ProPublica Nonprofit Explorer and the IRS 990 corpus. Public API, no auth.
  4. State business registrations. Colorado Secretary of State business-entity database. Public, no auth.

Council meetings were transcribed locally from publicly broadcast Cablecast streams using whisper.cpp. The transcripts are linked alongside the source video so any reader can verify a quote against the recording.

CFAA compliance

The federal statute is the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Two of its categories are relevant here: “access without authorization” and “exceeds authorized access.” None of the collection in this dossier touches either one.

No access without authorization

Every system queried was a public record system that any member of the public can reach using a stock browser. No password protection was bypassed. No paywall was crossed. No login screen was tricked. Where an account was required (Larimer County landmark records), a real registered account was used, and the data viewed through it is the data that account is entitled to view.

No exceeding authorized access

The Supreme Court’s 2021 decision in Van Buren v. United States, 593 U.S. 374, holds that “exceeds authorized access” applies only when a user accesses files or folders they are not entitled to see. It does not apply to accessing public data for a reason the site operator might disapprove of. This dossier accesses only public records, and only the records the operator publishes for public viewing.

The Ninth Circuit’s decision in hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), holds that scraping publicly available data, where no authentication is needed, is not “without authorization” under the CFAA. Every endpoint in the retrieval matrix at /methodology/ returns public data without authentication.

TLS profile matching is not “circumvention”

Some county and city endpoints reject requests from non-browser clients at the edge (Akamai or similar bot-manager products). When that happened, the request was retried with a Chrome 146 TLS handshake and matching headers, supplied by the curl_cffi library. The data returned is the same data the bot manager would return to a person opening the same URL in Chrome.

This is request-shape matching, not access-control bypass. The Digital Millennium Copyright Act’s anti-circumvention rule, 17 U.S.C. § 1201, applies to defeating technological measures that effectively control access to a copyrighted work. Public county-records databases and city-council agendas are not copyrighted works within the meaning of § 1201. Bot-manager edge filters are not access controls in that sense either.

No rate-limit abuse

Retrieval ran at human-scale rates with delays between requests. No site returned a 429 Too Many Requests response during collection. None of the published terms of service for the cited sites prohibit the rate or volume of retrieval that was performed.

No nonpublic records

No internal city or county system was accessed. No email, no internal network, no personnel data, no executive-session content beyond what the city itself releases publicly. Every record cited in the dossier appears on a page reachable from a public navigation menu, or is available through a documented public-records request channel (CORA in Colorado).

A note on surveillance

Any investigation that catalogues local power structures by name attracts attention from the people named in it and their associates. We are familiar with surveillance, HUMINT, and their tactics. The main contributor of this project has chosen to remain anonymous due to this concern and the implication of naming structures of authority and power within their community.

Project participants assume the following baseline.

  1. The dossier itself is lawful. Every source is a public record, and the legal posture above describes why no federal computer-access statute is in play. The published material does not contain anything that requires defending in court.
  2. Attention is not the same as risk. Open-records work on city budgets, council votes, and recorded property transactions has been protected speech in Colorado for as long as those records have existed. Naming a council member’s vote, citing a deed, or quoting a meeting transcript is not a basis for any compulsory process against the person doing the citing.
  3. Operational hygiene is a precaution, not an admission. Participants treat ordinary aspects of digital life (where the project is published from, which accounts touch the site, which device handles drafts) the way any researcher working on a sensitive topic would. None of those precautions imply the underlying work is in any sense covert. The records being aggregated are public; the aggregation is public; the dossier is public.
  4. If a participant is contacted by law enforcement, the response is to ask for a lawyer and to refer the agency to the public record. No participant in this project is required to discuss editorial decisions, sourcing, contributor identity, or research methods with any agency that has not produced lawful process. Standard reporter-shield and First-Amendment protections apply to anyone publishing factual material about public officials.
  5. Anyone using or quoting this dossier should mirror it. A simple wget --mirror against the public site captures every page and every locally archived primary source. If the site is taken offline for any reason, a current mirror is the simplest insurance against link rot or pressure-driven removal.

This section will be expanded with concrete contact-and-response procedures once those are finalized.