Show-Me State Governor Threatens Reporter Who Showed Vulnerability

When the state of Missouri put up a website that let parents of Missouri schoolchildren check the credentials of their children’s teachers, the teachers’ names, school affiliations and credentials were displayed on its pages as intended. But the same website also put at risk the personal information of more than 100,000 Missouri teachers.

Josh Renaud, a news designer and developer for the St. Louis Post-Dispatch—and who describes himself as “a retrocomputing enthusiast who runs a modern-day bulletin board system (BBS)”—examined the website and noted that “no private information was clearly visible nor searchable on any of the web pages.” The social security numbers of the teachers, however, “were contained in the HTML source code of the pages involved” and were plainly readable there, the result of what Renaud, citing a cybersecurity researcher, called “a serious flaw” of a kind that has been publicly known for 10 to 12 years.
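The flaw described above is a class, not a one-off: data that never renders on screen can still travel in the response body inside comments, hidden form fields, data-* attributes or inline scripts. As an added example (not code from the article or from the Missouri site), the following pre-release check parses a constructed sample page and reports every SSN-shaped string together with where in the markup it sits, so "nothing visible on the page" can be distinguished from "nothing in the response".

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the Missouri site); the SSN-shaped values are placeholders.
# Nothing sensitive is in the visible text: the values sit in a comment, a hidden form
# field, a data-* attribute and an inline script, all readable in the raw response.
SAMPLE_HTML = """<html><body>
<h1>Educator Credential Lookup</h1>
<!-- debug: ssn=123-45-6789 -->
<form><input type="hidden" name="ssn" value="987-65-4320"></form>
<div class="teacher" data-ssn="111-22-3333">Jane Doe, Example School, Certified</div>
<script>var rec = {"name": "Jane Doe", "ssn": "222-33-4444"};</script>
<p>Contact the district office with questions.</p>
</body></html>"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

class LeakScanner(HTMLParser):
    """Record every SSN-shaped string together with where in the markup it sits."""
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (location, value)
        self._raw_block = None  # set while inside <script> or <style>

    def _check(self, location, text):
        for match in SSN_RE.finditer(text or ""):   # attributes without a value are None
            self.findings.append((location, match.group()))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_block = tag
        for name, value in attrs:                   # hidden inputs, data-*, etc.
            self._check(f"attribute {tag}[{name}]", value)

    def handle_endtag(self, tag):
        if tag == self._raw_block:
            self._raw_block = None
    def handle_comment(self, data):
        self._check("html comment", data)
    def handle_data(self, data):                    # script/style bodies are never rendered
        where = f"<{self._raw_block}> block" if self._raw_block else "visible text"
        self._check(where, data)

def scan_html(html):
    """Return [(location, value)] for each SSN-shaped string in a response body."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Running `scan_html(SAMPLE_HTML)` reports four hits, none of them in visible text, which is the same situation the Post-Dispatch described.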

Renaud and the St. Louis Post-Dispatch acted consistently with the OWASP responsible vulnerability disclosure principles which, among other things, require those who find vulnerabilities to respect the privacy of others, to make reasonable efforts to contact the security team of the impacted organization, to provide sufficient details to allow the vulnerabilities to be verified and reproduced, and to not demand payment or rewards for reporting vulnerabilities outside of an established bug bounty program. While Missouri has (at least on a website) a cybersecurity program, it does not appear to have a bug bounty program. The Post-Dispatch notified the state agency responsible for the website as well as the teachers’ union representing the affected teachers. They provided the information they had about the location of the impacted website, the nature of the vulnerability and the fact that SSNs could be downloaded (and how). They then waited for the state to take down the impacted website (and any other state website that might have the same vulnerability) before publishing an article on October 14, 2021 that described, in generic terms, the fact that the data had been exposed.

The article noted that “The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.”

Did Renaud get a medal from the Missouri governor? Or the keys to Jefferson City? Did Governor Parson award Renaud the Medal of Valor for swiftly protecting the confidentiality of thousands of state employees?

Not so much.

Instead, Parson called a press conference (starting at 8:34) and threatened to prosecute Renaud and the St. Louis Post-Dispatch for “embarrassing” the governor’s office in a “political vendetta” aimed at “selling headlines” for their news outlet, and for hacking the social security numbers of three teachers in a breach that the governor insisted would cost the state and its taxpayers in excess of $50 million. He promised to prosecute the “hacker” responsible for the attack, those who “aided and abetted” the hacker “and the media corporation that employed them.”

The Missouri governor noted that “through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the social security numbers of those educators.” The governor’s press secretary explained that the “… hack was more than a simple ‘right click’” and that “by the actor’s own admission, the data had to be taken through eight separate steps in order to generate a SSN.”

The governor said that he was calling on law enforcement agencies to prosecute both the reporter and the St. Louis Post-Dispatch and would be seeking “civil remedies” for violation of Missouri’s computer crime law, which makes it a crime to “knowingly and without authorization or without reasonable grounds to believe that he has such authorization … [a]ccess[] a computer, a computer system, or a computer network, and intentionally examines[] information about another person.” The governor described the journalist’s actions as an attempt to “access, convert and take personal information from Missouri teachers” and called the Social Security Numbers “encoded data and systems.”

Parson threatened to bring the full weight of law enforcement to the task of finding and prosecuting the hacker, enlisting the assistance of Locke Thompson, the prosecuting attorney for Cole County (the county in which Jefferson City, the state capital, is located), as well as the Digital Forensics Investigative Unit (DFIU) of the Division of Drug and Crime Control of the Missouri State Highway Patrol.

The case resembles one from several years ago involving Stefan Puffer, a cybersecurity researcher who demonstrated to the Houston Chronicle that the Wi-Fi equipment at the Harris County (Texas) Clerk’s office was configured in such a way as to permit open access not only to the routers but to the computers connected to them. In that case, the United States Attorney in Houston actually prosecuted Puffer, in part because pornographic files were found on some of the computers at the Clerk’s office and the employees said that the porn was not theirs, so Puffer must have hacked in and put it there. Puffer insisted (and forensics showed) that there was no exploit of the misconfiguration, and the Texas federal jury deliberated less than half an hour before acquitting him.

So did Renaud commit a crime? The Missouri computer crime statute is pretty vague. First, it requires the state of Missouri to show that Renaud “knowingly and without authorization or without reasonable grounds to believe that he has such authorization … [a]ccess[ed] a computer, a computer system, or a computer network.” It is the “access” to the computer or computer system that must be “unauthorized,” and the state must also prove that Renaud had no reasonable grounds to believe the access was authorized.

If all that Renaud did was to view the source code of the website or see data which, while hidden, was otherwise accessible, it is unlikely that the state of Missouri could even begin to prove a crime. But what about the “eight steps” that the governor’s press secretary claimed were necessary to see the SSNs? Again, the fact that it took effort (even minimal effort) does not mean that it was unauthorized. In the real world, an unlocked door (or a poorly locked door) is not necessarily an invitation to enter, but merely entering through an unlocked door is not necessarily trespass. If the SSNs were accessible through a simple mechanism in such a way that they were either “public” or nearly so (even if they weren’t intended to be), then there is no unauthorized access. If, on the other hand, the reporter had to hack—that is, to exploit a vulnerability (even one that was known)—to get access, then there may be unauthorized access. But the state would still have to prove not only that the access to the computer or system was unauthorized, but also that Renaud did not have reasonable grounds to believe that it was authorized, something I think would be close to impossible, particularly in light of the burden of proof beyond a reasonable doubt.

The statute also requires that, in addition to unauthorized access, the “hacker” “intentionally examines[] information about another person.” This is just weird. The statute protects any information about another person. So, if I use my twin brother’s computer without his permission to do a Google search about Governor Parson, I would be accessing a computer without authorization (my brother’s) to examine information about another person. Absurd. This is why those who like sausage and have respect for the law should not watch either being made. The statute criminalizes a wide swath of protected activity, including, in this case, protected journalism.

This is not the first time the Post-Dispatch has been involved in a case relating to computer hacking. In 2016, a paramedic, concerned about the activities of a fire department official, sent an email from his personal Gmail account to a Post-Dispatch reporter complaining about that official. The paramedic sued the fire department for accessing and reading his unsent emails to the Post-Dispatch reporter and others, and the court allowed that part of his case to proceed, finding that the emails contained “information about another person.” But in the case of the teachers’ Social Security numbers, the data was exposed to the public—at least according to the reports of the Post-Dispatch—even if it required eight steps (some of those steps could have been ‘open computer, boot it up, open a browser, type in a URL, grab a cup of coffee …’). It’s not the number of steps; it’s whether the data is accessible to the public, or at least whether it is reasonable to conclude that it is, even if it’s not supposed to be.

The governor revealed his true concern, and it’s not the “hack” of three SSNs. He was embarrassed by the newspaper. That’s not a crime. Is it?


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.