Governor Accuses Reporter of Hacking After Flaws in State Website Are Revealed
A reporter at The St. Louis Post-Dispatch this week alerted Missouri education officials that a state website that lists teachers’ names and certification status had a flaw: The page made the teachers’ Social Security numbers easily available.
The Post-Dispatch also notified the teachers’ union and waited two days until the state had fixed the problem before publishing an article on Thursday revealing the security problem.
To many, it looked like the type of watchdog reporting that many news organizations consider the hallmark of responsible journalism. But Gov. Mike Parson of Missouri had a different view.
At a news conference on Thursday, he said that he had asked prosecutors and the State Highway Patrol to investigate the reporter, whom he accused of carrying out a “hack” of teachers’ private information.
“This individual is not a victim,” Mr. Parson said at the news conference, without identifying the reporter or The Post-Dispatch. “They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”
He added, “We will not let this crime against Missouri teachers go unpunished.”
The announcement infuriated reporters, other news organizations and media rights groups, who said the reporter was being threatened with a criminal investigation for doing his job.
“The newspaper and the reporter did nothing wrong,” said Mark Maassen, executive director of the Missouri Press Association. “It’s not uncommon for elected officials to blame the media for instances like this. But, in this case, The Post-Dispatch and their reporter should be applauded for uncovering a serious flaw and then alerting the state agency.”
Captain John Hotz, a spokesman for the Missouri State Highway Patrol, said the agency was “investigating the potential unauthorized access to Department of Elementary and Secondary Education data.” He declined to comment further.
Locke Thompson, the prosecuting attorney for Cole County, said that his office would examine the findings of the State Highway Patrol.
“Once the investigation is complete, I will review the evidence and determine whether criminal charges are appropriate,” he said.
In a statement, Ian Caso, the president and publisher of The Post-Dispatch, said that he was “grateful” for the work of Josh Renaud, a news designer and developer who broke the story about the problems with the website, which is run by the Missouri Department of Elementary and Secondary Education.
“I think he should be commended for his work and sense of duty,” Mr. Caso said. “We are surprised and disappointed at the governor’s response and deflection.”
Joe Martineau, a lawyer for the newspaper, said it was “unfounded” for education officials to deflect the failures of their computer system by painting Mr. Renaud’s reporting as a hack.
“A hacker is someone who subverts computer security with malicious or criminal intent,” he said. “Here, there was no breach of any firewall or security and certainly no malicious intent.”
The Post-Dispatch said the Social Security numbers for teachers, administrators and counselors were “present” in the HTML source code of the publicly available pages of the website. The source code for a web page can typically be found by right-clicking on it and scrolling down to “view page source.”
Mr. Parson, a Republican, said that it was “unlawful to access encoded data and systems in order to examine other people’s personal information.”
He cited a state law that said a hacker was anyone who gained unauthorized access to information or content. He said the reporter had no authorization to “convert or decode” the information on the website.
“This was clearly a hack,” Mr. Parson said, adding that the state would investigate the flaws that were uncovered in the system.
Legal observers said they were perplexed by Mr. Parson’s interpretation of what constituted a hack.
Frank Bowman, a professor of law at the University of Missouri School of Law, said that it was difficult to imagine the prosecution of a reporter who alerted state officials to information he discovered by examining a publicly available website.
The chances of prosecutors going after Mr. Renaud, the reporter, “are between zero and zero,” Professor Bowman said. “They’re not going to embarrass themselves like this.”
Tony Lovasco, a Republican state representative with a professional background in computers, said the governor’s announcement showed “a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.”
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he said on Twitter.
Teachers in the state were upset to learn about the flaws in the system, said Byron Clemens, spokesman for the local chapter of the American Federation of Teachers, St. Louis Local 420. They have been advised to get a copy of their credit reports to make sure their information has not been compromised.
“It’s a shame that the governor is trying to politicize what was a public service,” Mr. Clemens said, referring to The Post-Dispatch story.
Sandra Davidson, a professor at the Missouri School of Journalism, said that while she was unnerved by the governor’s aggressive response, she said it might lead to more dogged reporting.
“Would it so infuriate reporters, editors and publishers that the governor would make this kind of threat that it would, in fact, embolden the journalists?” Professor Davidson asked.
On Friday, The Post-Dispatch continued to follow the story.
It published another piece on the subject — this one examining the “massive computer shortcomings” plaguing the State of Missouri.