Missouri governor rebuffed: Journalist won’t be prosecuted for viewing HTML

  News
image_pdfimage_print
Gov. Mike Parson standing in front of a podium at a press conference.
Enlarge / Gov. Mike Parson at a press conference on May 29, 2019, in Jefferson City, Missouri.

A Cole County prosecutor has rebuffed Missouri Gov. Mike Parson’s request to file criminal charges against a St. Louis Post-Dispatch reporter who identified a major security flaw in a government website by viewing publicly available HTML code.

Post-Dispatch reporter Josh Renaud had been facing the threat of prosecution since his discovery that the state website’s HTML source code exposed the full Social Security numbers of teachers and other school employees in unencrypted form. Renaud merely viewed the website’s HTML and converted the Social Security numbers into plain text, and he gave the state time to close the gaping security hole before publishing his findings. Despite Renaud helping the state improve its security, Parson called the journalist a “hacker,” sought criminal charges, and threatened a civil suit.

On Friday, Cole County Prosecutor Locke Thompson issued a statement saying he has closed the investigation without charges:

There is an argument to be made that there was a violation of law. However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means. As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case. The investigation is now closed, and the Cole County Prosecutor’s Office will have no further comment on the matter.

As the county’s prosecuting attorney, Thompson is an elected official. Thompson and Parson are both Republicans.

Governor still insists reporter committed crime

Gov. Parson’s office continues to insist that the journalist committed a crime. “The hacking of Missouri teachers’ personally identifiable information is a clear violation of Section 569.095, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative,” the governor’s office said in a statement to Missourinet.

Normally, an organization notified of a security flaw would thank the person who reported it. Missouri state government officials did in fact plan to publicly thank Renaud in a press release, according to internal emails published by the Post-Dispatch in December.

But that draft of the press release was scrapped as the governor insisted on calling Renaud a hacker and demanding a criminal investigation. “It is unlawful to access encoded data and systems in order to examine other people’s personal information, and we are coordinating state resources to respond and utilize all legal methods available,” Parson said in October. In addition to announcing that his “administration notified the Cole County prosecutor of this matter,” Parson said that state law “allows us to bring a civil suit to recover damages against all those involved.” No civil suit has been filed.

Thompson’s decision to close the investigation came about seven weeks after the Missouri Highway Patrol finished its report on the incident.

https://arstechnica.com/?p=1834032