In October, Missouri Governor Mike Parson announced that he wanted to prosecute a journalist who had warned the state about a flaw in a government website which exposed the social security numbers of more than 500,000 public school teachers. The results of that criminal investigation were published Monday by the St. Louis-Dispatch, which acquired them using a public records request.
Last week, Locke Thompson, the prosecutor who looked into the case, announced that there would be no charges against the St. Louis Post-Dispatch reporter Josh Renaud, putting an end to what was a ridiculous attempt to punish a journalist for, essentially, clicking “view source” on a website.
Videos by VICE
The Missouri State Highway Patrol investigation into Renaud, however, shows how police investigated what was a simple act of journalism.
“Mr. Renaud did not access anything that was not publicly available, nor was he in a place he should not have been.”
The document lays out the play-by-play of how the law enforcement officers found out about the flaw, and how they went about investigating the case. One of the things the investigators found is that the website in question had been vulnerable for ten years, “and the fact the data was only encoded and not encrypted had never been noticed before.”
Gov. Parson’s office did not immediately respond to a request for comment. A spokesperson for the St. Louis Post-Dispatch said in a statement sent via email that “the accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes.”
“This matter should have never gone beyond the state’s initial, intended response, which was to thank the reporter for the responsible way he handled the situation. Instead, too much taxpayer money has been wasted in a politically-motivated investigation,” the statement read.
The investigators talked to people who work at the Department of Elementary and Secondary Education (DESE), whose website was vulnerable, and learned about how the Social Security numbers were exposed by the site’s HTML code, which the document helpfully defines this way: “HTML is a standardized system for tagging text files to achieve font, color, graphic, and hyperlink effects on World Wide Web pages (definition located using Google).”
One of the people interviewed was Mallory McGowin, the Chief Communications Officer for the Communications Division of the DESE, who told the investigator that what Renaud accessed was publicly accessible to anyone else.
“From what she has observed, Mr. Renaud did not access anything that was not publicly available, nor was he in a place he should not have been. She said Josh Renaud appears of [sic] have only accessed open public data,” the investigator wrote in the report.
The authorities also interviewed Renaud, who explained how he found the vulnerability and how he explained that viewing the source code of a website is standard practice in data journalism. The journalist also explained that he never intended to publish nor collect the exposed Social Security numbers and he agreed to delay publishing the story until the flaw was fixed. Authorities who interviewed Renaud repeatedly asked him what he planned to do with the data.
In another interview, police interrogated a computer scientist interviewed by Renaud. The officer who interviewed the computer scientist repeatedly asked if what Renaud did was “hacking.”
Throughout the investigation, it’s obvious that Renaud did the best he could to warn the state government about the data exposure, and to limit the potential damage by not disclosing the existence of the vulnerability before it was patched. In the end, though, Renaud and the St. Louis Post-Dispatch were put through a seemingly unpleasant criminal investigation for simply reporting the news.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.