Officials in Missouri prepared to publicly applaud a journalist who identified a security weakness until the governor changed his mind and labeled the writer a “hacker,” threatening both a lawsuit and prosecution.
As we reported on October 14, St. Louis Post-Dispatch writer Josh Renaud discovered a security weakness in the HTML source code of a publicly accessible website that revealed the Social Security numbers of teachers and other school personnel in unencrypted form. Renaud and the Post-Dispatch handled the situation the way reputable security researchers do: they disclosed the weakness and withheld the details until it had been addressed.
Despite this, Missouri Governor Mike Parson referred to Renaud as a “hacker” and said that the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to disgrace the state and sell headlines for their news source.” The governor went on to say that his “administration has notified the Cole County prosecutor of this matter,” that the Missouri State Highway Patrol’s Digital Forensic Unit would investigate “all of those involved,” and that state law “allows us to bring a civil suit to recover damages against all of those involved.”
The email was received by the Post-Dispatch through a public-records request on October 12. By 1:18 p.m. on October 13, “McGowin contacted Kelli Jones and Johnathan Shiflett, both of whom work in the governor’s office, to suggest Vandeven asked her to meet with governor’s office officials,” the Post-Dispatch said. McGowin referred to the journalist as a “person” in a draft press release he emailed at 3:46 p.m., likely after that encounter. Shiflett referred to him as a “hacker” in a later draft emailed at 4:20 p.m.
“Kyle indicated the FBI would talk to Gwen Carroll, the AUSA (Assistant US Attorney), with the additional information from the emails to determine if this still matched the crime and if she was interested in prosecuting,” Robinson said in the email.
Viewing source code isn’t considered “hacking” or unlawful.
Shaji Khan, a cybersecurity expert at the University of Missouri-St. Louis who assisted the Post-Dispatch writer in verifying the security flaw, was also caught up in the October snafu. Khan retained counsel after the governor’s threats and submitted a letter to Parson and other state officials, asserting that they had violated his First Amendment “freedom to speak freely without fear of government punishment.” The state’s investigation of Khan would “break the ban on malicious prosecution,” according to the letter.
Viewing a website’s unencrypted source code is not prohibited or “hacking,” according to Khan’s letter.
The letter said that “no legislation in Missouri or on the federal level forbids members of the general public from examining publicly available websites or the website’s unencrypted source code,” and added that “no reasonable person would believe that viewing a publicly accessible website, its unencrypted source code, or any unencrypted translations of that source code was illegal.”
The public can look up teacher qualifications and credentials on the Missouri government website. However, according to Khan’s letter, the website’s “serious security issue” led it to “mail the complete Social Security number of Missouri teachers to every visitor to the website, whether the user was aware of it or not.” That data was also configured to be automatically saved in the web browsers of visitors, the letter said. The source code was simple to convert to plain text.
“None of the data was encrypted, no passwords were needed, and the State of Missouri took no precautions to secure the teachers’ Social Security numbers that the State routinely supplied to every website visitor,” Khan said.
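The flaw described above is a server that embeds sensitive data in every page it serves, lightly encoded so that nothing on screen shows it. As an added example (not code from the article, the Post-Dispatch, or the Missouri site), the following Python check is the kind of pre-release audit a site owner could run over rendered HTML to catch this class of leak. It assumes the SSNs were embedded in a reversible text encoding such as base64; the article only says the source was simple to convert to plain text. The teacher record, the markup, and the `render_vulnerable` / `render_fixed` templates are constructed for illustration.

```python
import base64
import re
from typing import Dict, List, Tuple

# Regex for a plausibly valid US SSN (area not 000/666/9xx, group not 00, serial not 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed sample record; the SSN is a made-up value, not real data.
SAMPLE_TEACHER: Dict[str, str] = {
    "name": "Jane Example",
    "cert": "Elementary Education K-5",
    "ssn": "123-45-6789",      # never belongs in a public page
    "record_id": "rec-000123", # opaque server-side identifier (assumed design)
}


def render_vulnerable(teacher: Dict[str, str]) -> str:
    """Constructed illustration of the defect: the SSN is base64-encoded and stored
    in a data attribute, so it reaches every visitor even though no UI shows it."""
    ssn_b64 = base64.b64encode(teacher["ssn"].encode()).decode()
    return (f'<div class="teacher" data-id="{ssn_b64}">'
            f'{teacher["name"]} - {teacher["cert"]}</div>')


def render_fixed(teacher: Dict[str, str]) -> str:
    """Hardened rendering: the page carries only an opaque record id; the SSN
    never leaves the server, so there is nothing for a visitor to decode."""
    return (f'<div class="teacher" data-id="{teacher["record_id"]}">'
            f'{teacher["name"]} - {teacher["cert"]}</div>')


def _decode_b64_candidates(html: str) -> List[str]:
    """Decode every token that looks like base64; tokens that are not valid
    base64 (bad length or characters) are skipped rather than guessed at."""
    decoded: List[str] = []
    for token in B64_TOKEN_RE.findall(html):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def find_exposed_ssns(html: str) -> List[Tuple[str, str]]:
    """Return (location, ssn) pairs for SSNs found in the served HTML, either in
    plain text or hidden behind a base64 encoding. An empty list means the page
    passes this check."""
    hits: List[Tuple[str, str]] = []
    for ssn in SSN_RE.findall(html):
        hits.append(("plain", ssn))
    for text in _decode_b64_candidates(html):
        for ssn in SSN_RE.findall(text):
            hits.append(("base64", ssn))
    return hits


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(SAMPLE_TEACHER)),
                        ("fixed", render_fixed(SAMPLE_TEACHER))):
        print(f"{label}: {find_exposed_ssns(page) or 'no SSNs exposed'}")
```

The check is deliberately conservative: it only flags values that both decode cleanly and match the SSN shape, so an ordinary page of names and certification titles produces no findings. The real fix is on the rendering side, as `render_fixed` shows: if the lookup never needs the SSN in the browser, the server should not put it in the response in any encoding.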