The claim that the reporter hacked into the state website has been debunked. Parson still says he’s a criminal • Missouri Independent

For four months, Governor Mike Parson tried to convince Missouri residents that a journalist who discovered a security flaw in a state website was a hacker who deserved criminal prosecution.

His argument crashed into reality on Monday, when the 158-page investigative brief produced by the Missouri State Highway Patrol and the Cole County prosecutor was finally released and showed no evidence of anything. which even looked like hacking.

Cole County District Attorney Locke Thompson declined to press charges, saying if a crime was committed, it was both unintentional and based on a law so broad and vague it essentially criminalizes “using a computer to seek someone’s information”.

“Our investigation has found no evidence that any of the (Social Security) numbers have been compromised,” Thompson said Monday in an interview with The Independent.

These revelations did little to deter the governor.

Tuesday, Parson again doubled down on the idea that the journalist was a criminal for uncovering a security flaw that left more than 500,000 teachers’ social security numbers exposed.

“Most important is why did you delete people’s personal information?” Parson said, according to KMOX. “If you just wanted to disclose it as an issue, you could have done so without taking anyone’s personal information. This is where the real crime lies. Where is this information? What did they do with this information? »

The truth is much simpler and less sinister.

St. Louis Post-Dispatch reporter Josh Renaud told investigators how he discovered that a state website that lists teachers’ names and certification status also accidentally exposed their Social Security numbers.

He was using the publicly available website to create a dataset of local teacher certifications for a potential news story and had to consult the website’s source code to determine how best to collect the information.

A website’s source code is usually accessible to anyone using a web browser.

Renaud saw that the coding included a parameter labeled “Educator SSN” and a nine-digit number below it.

To confirm that he had just stumbled upon a potential problem, he contacted teachers he knew personally to verify that these were indeed their social security numbers. He also enlisted the help of Shaji Khan, an associate professor at the University of Missouri-St. Louis and director of his cybersecurity institute.

It appears that the process Renaud used to confirm the issue is what Parson confuses with deleting “people’s personal information”.

Once Renaud was convinced that the social security numbers of hundreds of thousands of teachers were at risk of public disclosure, he informed the state, explained how he found the loophole, and promised not to publish anything until the problem was not solved.

national education officials first wanted to thank Renaud for uncovering the problem, which investigators would learn had existed undetected since 2011. And an FBI agent who reviewed the incident informed the state that it was “not a real network intrusion,” noting that the website in question “allowed open source tools to be used to interrogate data that should not be public.

State officials made it clear that the information was on a public site, that it was not encrypted or password protected, and that the reporter was nowhere where he was not authorized .

Despite all this, Parson called a press conference to call the reporter a “hacker” and demand a highway patrol investigation. He accused the Post-Dispatch of trying to use the security breach to embarrass him, and his political action committee ran ads to raise funds from the Parson attacks.

Parson’s attack drew mockery on social media from cybersecurity experts – and at least one GOP legislator — who pilloried the governor for calling someone looking at a website’s HTML coding a “hacker.”

In Missouri political circles, the governor’s public crusade against Renaud was also widely mocked by a fit of spite. by a governor of reputable temperament and the habit of take it out on anyone he perceives as a critic – journalists, health officials and even Republicans legislative leaders.

But for those at the center of the investigation inspired by Parson’s attacks, the past four months have been no laughing matter.

While he was confident he would ultimately be vindicated, Renaud said Saint Louis live that he endured many sleepless nights as possible criminal charges hung over his head.

“He wronged me in a very public way,” Renaud said of the governor. “He accused me of being a criminal and opened a criminal investigation. … We cannot allow politicians to persecute journalists for publishing things they don’t like.

Khan, the cybersecurity professor who helped confirm the Post-Dispatch security breach, said through his attorney that he and his family were “terrorized for four months due to the governor’s use of state law enforcement officers for his political purposes.

Beyond the personal toll of those under investigation, the use of anti-piracy laws to retaliate against unflattering reporting “raises serious constitutional concerns”, said Grayson Clary, lawyer at the Journalists Committee for Freedom of the Press.

“It’s just not reasonable to read laws like this in a way that would make criminals out of a lot of ordinary internet users,” Clary said.

“These laws are meant to fight real hackers, you know, the stranger cracking a password,” he said. “And when you expand them beyond that point, you start to run into clear constitutional issues, especially if they give officials as much power as the governor thinks he has to quash critical reporting.”

Katherine Jacobsen, program coordinator for the Committee to Protect Journalists, said it was concerning to see an elected official trying to use law enforcement to prosecute a journalist.

“The governor decided to blame a failing government on the reporter who found out about it,” she said.

She fears the governor’s actions could have a chilling effect on journalism, with news organizations fearing critical coverage could result in criminal charges and hefty legal bills.

“It indicates that simply reporting with due diligence in the public interest could create legal problems for journalists,” Jacobson said. “Having this kind of drawn-out legal battle or the threat of a pending legal battle strains budgets, strains resources and creates a sense of greater distrust of the media.”

Mark Maassen, executive director of the Missouri Press Association, said Renaud and the Post-Dispatch “did nothing wrong.”

“If anything,” he said, “they did (the Department of Education) a service by acting responsibly and informing them of the potential problem.”