There was no evidence of any criminal intent by a St. Louis Post-Dispatch reporter who was targeted by the governor after finding a security flaw in a state website, Cole County Prosecutor Locke Thompson said in an interview Monday.
If any crime was committed, Thompson said, it was in the “fringes” of an overly-broad state law and “wasn’t going to be worth the time, the effort or, quite frankly, the taxpayer dollars to pursue.”
The law in question says a person commits the offense of tampering with computer data by “accessing a computer, a computer system or a computer network, and intentionally examines information about another person.”
“The law does appear to be so vague that it basically describes someone using a computer to look up someone’s information,” Thompson said.
Lawmakers may want to consider revising that section of state law, Thompson said.
“Our investigation didn’t uncover what we believe to be any criminal intent,” he said. “Even though it still may have technically been a crime, we didn’t believe that there was intent.”
Thompson spoke to The Independent Monday afternoon after releasing the file associated with the investigation of Josh Renaud, the Post-Dispatch reporter who in October discovered that Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department.
HTML code is the programming that tells the computer how to display a web page.
The documents released Monday include summaries of interviews conducted by the Missouri State Highway Patrol and prosecutor’s office of Renaud, several state employees and Shaji Khan, a cybersecurity professor who helped confirm the security flaw for the Post-Dispatch.
Renaud told investigators that he discovered the security flaw by accident while he was collecting publicly available data for a potential story on teacher accreditation.
He was trying to build a data set so the Post-Dispatch could run analysis on it and look for trends that could lead to a story, Renaud told investigators. He needed to look at the source code to figure out the best way to collect the information, and in doing so he found what he thought was a social security number for an educator.
“He stated he located a parameter that was labeled ‘Educator SSN’ and a nine-digit number below it, which at face value appeared to be a social security number,” the summary of the interview says. “He stated he was shocked because he was not looking for it and did not expect to find that information.”
To make sure what he found were indeed social security numbers, Renaud said he ran the information by teachers he knew. He also checked with Khan, who told investigators the problem discovered by Renaud has been a continual issue for the past 10 to 12 years.
Pam Keep, client service manager for the state’s Information Technology Services Division, told investigators that the data Renaud found was encoded “but should have been encrypted.”
None of the data was encrypted and no passwords were required to access the data from the public website.
Keep also said the site in question was “about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.”
During his interview with investigators, Khan compared the situation to a person who “walks into a room and shouts their social security number in Chinese.”
“And if anyone in the room understands what they said,” a summary of the interview said, “they are charging that person with unauthorized access.”
Emails obtained by The Independent show Renaud informed the state of the issue and promised to withhold publishing any story about it until the problem was fixed and the Social Security numbers were no longer exposed. He also laid out to state officials in an email the steps he’d taken to find and confirm the security flaw.
Yet despite the fact that officials within the Missouri Department of Elementary and Secondary Education initially wanted to thank Renaud for uncovering the flaw, and that an FBI agent told the department the incident “is not an actual network intrusion,” Parson labeled the reporter a hacker and called for criminal prosecution.
Since Thompson announced his decision not to file charges against Renaud, Parson’s office has continued to allege he was a hacker.
Mallory McGowin, spokeswoman for the Missouri Department of Elementary and Secondary Education, told investigators that Renaud hadn’t accessed “anything that was not publicly available, nor was he in a place he should not have been.”
Renaud released a statement after learning no charges would be filed saying his actions were “entirely legal and consistent with established journalistic principles.”
“This was a political persecution of a journalist,” Renaud said, “plain and simple.”
Elad Gross, Khan’s attorney, released a statement saying the files released Monday show “state officials committed all of the wrongdoing here.”
“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security Numbers, and failed to take responsibility,” Gross said, “instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem.”
Khan’s is “out thousands of dollars,” Gross said, “and his family was terrorized for four months due to the governor’s use of state law enforcement officers for his political purposes.”