Date: 2021-10-14
Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap. But Missouri Gov. Mike Parson (R) did the opposite: He called the journalist “a hacker” who may face civil or criminal charges for “decod[ing]” HTML code on the Department of Elementary and Secondary Education website and viewing three Social Security numbers.
The journalist was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson announced Thursday. He said that he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.
The announcement immediately drew appalled reactions from the Post-Dispatch and other journalistic organizations.
“We stand by our reporting and our reporter who did everything right,” Ian Caso, president and publisher of the Post-Dispatch, said in a statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”
Committee to Protect Journalists’ U.S. and Canada program coordinator Katherine Jacobsen called Parson’s legal threats “absurd.”
“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” she told The Washington Post in an email.
A spokeswoman for Parson did not immediately respond to The Washington Post’s inquiry. Neither did Josh Renaud, the Post-Dispatch journalist who authored the story.
According to the article, which first published Wednesday, a Post-Dispatch journalist discovered the vulnerability on a public database that allows anyone to look up teacher credentials.
The employees’ Social Security numbers were not searchable in the database or immediately visible upon opening the page, but they could be seen in the HTML source code, which is easily viewable on most websites. (If you are reading this article on a standard Web browser, you can probably see its HTML code by right-clicking and selecting “view page source,” or a similar option.)
With the help of three educators and a cybersecurity expert, a journalist confirmed that the figures were indeed Social Security numbers and informed the state about the problem.
In his address Thursday, Parson made the simple procedure sound nefarious. He said the Post-Dispatch journalist undertook a “multistep process” to take “the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators.”
This, Parson said, was unlawful. He took no questions from reporters.
Post-Dispatch attorney Joe Martineau said in a statement the state agency was deflecting “its failure by referring to this as ‘hacking.’”
“The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse,” Martineau said. “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent.”
Parker Higgins, advocacy director at the Freedom of the Press Foundation, said “whether expressly or intentionally, this is an effort to intimidate a reporter who is doing important reporting and uncovering a newsworthy story.”
Higgins also said it’s the latest example of a long-standing problem in which researchers are attacked after discovering security flaws and alerting the website owners to create a safer online environment. “That’s a bad way to do security. You do want this kind of disclosure handled and the person not feel they should do something else with it, like monetize it.”
“If you start calling that hacking, it really is criminalizing a whole swath of behavior and not just among reporters, but also concerned citizens,” Higgins added.
Parson said “this incident alone may cost Missouri taxpayers up to $50 million” and that the state was taking steps to address the security vulnerability.
His address was streamed on Facebook. Below the video, several commenters jokingly offered the governor a little tech support — pointing out that anyone could “hack” any website with the click of a menu.
Republican state representative Tony Lovasco, who according to the Post-Dispatch has an IT background and codes for a hobby, chimed in, too. He tweeted that Parson’s office “has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.”
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he wrote.
