For four months, Gov. Mike Parson tried to convince Missourians that a reporter who discovered a security flaw in a state website was a hacker who deserved criminal prosecution.
His argument crashed headlong into reality on Monday, when the 158-page investigative file produced by the Missouri State Highway Patrol and Cole County prosecutor was finally released and showed no evidence of anything that even resembled computer hacking.
Cole County Prosecutor Locke Thompson declined to press charges, saying that if any crime was committed it was both unintentional and based on a law so broad and vague it essentially criminalizes “using a computer to look up someone’s information.”
“Our investigation did not uncover any evidence that any of the (Social Security) numbers had been compromised,” Thompson said Monday in an interview with The Independent.
These revelations did little to dissuade the governor.
On Tuesday, Parson once again doubled down on the idea that the reporter was a criminal for uncovering a security flaw that left more than 500,000 teacher Social Security numbers exposed.
“The big thing is, why did you take people’s personal information out?” Parson said, according to KMOX. “If you just wanted to disclose it as a problem, you could have done that without taking anybody’s personal information. That’s where the real crime is. Where’s that information at? What did they do with that information?”
The truth is far simpler and less sinister.
St. Louis Post-Dispatch reporter Josh Renaud explained to investigators how he discovered that a state website that lists teachers’ names and certification status also accidentally exposed their Social Security numbers.
He was using the publicly available website to build a data set of local teacher certifications for a potential news story and needed to look at the website’s source code to figure out the best way to collect the information.
A website’s source code is typically available to anyone using a web browser.
Renaud saw that embedded in the coding was a parameter labeled “Educator SSN” and a nine-digit number below it.
To confirm that he’d just stumbled upon a potential problem, he reached out to teachers he knew personally to verify these were, in fact, their Social Security numbers. He also enlisted the help of Shaji Khan, an associate professor at University of Missouri-St. Louis and director of its Cybersecurity Institute.
It appears the process Renaud used to confirm the problem is what Parson is conflating with taking “people’s personal information out.”
Once Renaud was convinced the Social Security numbers of hundreds of thousands of teachers were at risk of public disclosure, he notified the state, explained how he found the flaw and promised not to publish anything until the issue was fixed.
State education officials initially wanted to thank Renaud for discovering the problem that, as investigators would learn, has existed undetected since 2011. And an FBI agent who looked at the incident informed the state that it was “not an actual network intrusion,” noting that the website in question “allowed open source tools to be used to query data that should not be public.”
State officials made it clear the information was on a public site, it was not encrypted or password protected and the reporter was not anywhere he wasn’t allowed.
The governor decided to blame a government failing on the reporter who discovered it.
– Katherine Jacobsen, program coordinator with the Committee to Protect Journalists
Despite all this, Parson convened a press conference to label the reporter a “hacker” and demand a highway patrol investigation. He accused the Post-Dispatch of trying to use the security flaw to embarrass him, and his political action committee launched ads to raise money off Parson’s attacks.
Parson’s attack drew mockery on social media from cyber security experts — and at least one GOP lawmaker — who pilloried the governor for calling someone who looks at HTML coding of a website a “hacker.”
In Missouri political circles, the governor’s public crusade against Renaud was also largely laughed off as a fit of pique by a governor with a renowned temper and habit of lashing out against anyone he perceives as a critic — reporters, health officials and even Republican legislative leaders.
But to those at the center of the investigation Parson’s attacks inspired, the last four months were no laughing matter.
While he was confident he would ultimately be vindicated, Renaud told St. Louis On the Air that he endured plenty of sleepless nights as possible criminal charges hung over his head.
“He wronged me in a very public way,” Renaud said of the governor. “He accused me of being a criminal and instigated a criminal investigation. … We cannot allow political officials to persecute journalists for publishing things they don’t like.”
Khan, the cybersecurity professor who helped confirm the security flaw for the Post-Dispatch, said through his attorney that he and his family were “terrorized for four months due to the governor’s use of state law enforcement officers for his political purposes.”
Beyond the personal toll on those who were under investigation, using anti-hacking laws to retaliate against unflattering reporting “raises grave constitutional concerns,” said Grayson Clary, a legal fellow at the Reporters Committee for Freedom of the Press.
“It’s just not reasonable to read laws like this in a way that would make criminals out of vast numbers of ordinary internet users,” Clary said.
“These laws are intended to deal with true hacking, you know, the outsider who cracks a password,” he said. “And when you extend them beyond that point, you start to run into clear constitutional concerns, especially if they give public officials as much power as the governor thinks he has to quash critical reporting.”
Katherine Jacobsen, program coordinator with the Committee to Protect Journalists, said it’s concerning to see an elected official try to use law enforcement to go after a journalist.
“The governor decided to blame a government failing on the reporter who discovered it,” she said.
She worries the governor’s actions will have a chilling effect on journalism, with news organizations fearful that critical coverage could result in criminal accusations and hefty legal bills.
“It signals that merely doing due diligence reporting in the public interest could create legal troubles for journalists,” Jacobson said. “Having this kind of drawn out legal battle or threat of a legal battle kind of hanging over, it puts strain on budgets, it puts strain on resources and creates a sense of greater mistrust of the media.”
Mark Maassen, executive director of the Missouri Press Association, said Renaud and the Post-Dispatch “did nothing wrong.”
“If anything,” he said, “they did (the department of education) a favor by acting responsibly and letting them know of the potential problem.”