Missouri governor Mike Parson is facing a monumental backlash after threatening to prosecute a journalist for responsibly reporting a serious security lapse in the state’s website.
Earlier this week, St. Louis Post-Dispatch journalist Josh Renaud reported that the website for the state’s Department of Elementary and Secondary Education (DESE) was exposing over 100,000 teachers’ Social Security numbers. These SSNs were discovered by viewing the HTML source code of the site’s web pages, allowing anyone with an internet connection to find the sensitive information by right-clicking the page and hitting “view page source.” For many, viewing a web page’s source code is as simple as hitting F12 on your keyboard.
The Post-Dispatch reported the vulnerability to state authorities to patch the website, and delayed publishing a story about the problem to give the state enough time to fix the problem. The DESE has since confirmed that the “educator certification search tool was disabled immediately” and that the vulnerability is now fixed.
That should have been the end of it. While any other official might have thanked the newspaper for uncovering the flaw and for giving a heads-up before going public, Missouri’s Republican Governor Mike Parson described the journalist who uncovered the vulnerability as a “hacker”, and said the newspaper uncovered the flaw in “an attempt to embarrass the state”.
“A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did,” he said during a press conference on Thursday. “This individual is not a victim. They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines to their news outlet.
“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” said Parson. The governor has also referred the case to county prosecutors.
Unsurprisingly, the governor’s response to the Post-Dispatch report — and his clearly confused understanding of the term “hacker” — has sparked criticism, even from within his own party. Republican lawmaker Tony Lovasco wrote on Twitter that it was “clear the governor’s office has a fundamental misunderstanding of both web technology and industry-standard procedures for reporting security vulnerabilities,” adding that “journalists responsibly sounding an alarm on data privacy is not criminal hacking.”
U.S. Senator Ron Wyden also called out Parson’s remarks, tweeting: “Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem.”
Naturally, those within the cybersecurity industry have also been quick to weigh in on Parson’s comments. Rachel Tobac, a hacker and CEO of SocialProof Security, tweeted: “If your code leaks personal data via public development tools that any person can see by simply pressing F12 on a keyboard then you have a huge data leak issue, not a hacking situation, on your hands.”
The Post-Dispatch is also taking Parson’s response with a pinch of salt, and is standing by Renaud. The paper said its journalist “did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse.”
“A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent,” it added in a statement. “For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded.”
Of course, while Parson is vowing to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security vulnerability, the chances of Renaud facing an eventual conviction are likely slim, given a recent decision by the U.S. Supreme Court in the case of Van Buren v. United States, which ruled that a person violates the law when they access files or other information that they would otherwise be unable to.
But should the state take action, a prosecution could have a chilling effect on journalism and security research, further amplifying the problem of researchers facing legal threats and attacks after discovering and reporting security flaws to their owners.