New emails obtained by the St. Louis Post-Dispatch show that before Missouri’s governor accused Post-Dispatch reporter Josh Renaud of being a “hacker” and threatened him with criminal and civil action, state officials had proposed thanking Renaud for uncovering a mistake that led to a possible exposure of thousands of teachers’ Social Security numbers in the HTML code of a state agency website.
The emails, obtained by the Post-Dispatch through a public records request, reveal correspondence between Missouri Gov. Mike Parson’s office and officials in the state’s Department of Elementary and Secondary Education proposing statements for a press release about the vulnerability. In an Oct. 12 email from DESE spokeswoman Mallory McGowin, the department suggested a quote from Education Commissioner Margie Vandeven stating, “We are grateful to the member of the media who brought this to the state’s attention.”
However, in a press conference on Oct. 15, Parson struck an accusatory tone toward the “individual” who “act[ed] against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.” Parson accused Renaud of committing a “hacking” “crime” against Missouri teachers, and threatened to hold him and the Post-Dispatch “accountable” for actions Parson described as “beyond unethical” and for “pathetic, political gain.”
Renaud discovered the database flaw on Oct. 12 through a web application that allowed the public to search for teacher credentials, and alerted DESE the same day. The paper delayed publication of Renaud’s story until Oct. 14 to give the department time to repair the vulnerability and ensure other state websites did not have the same flaw.
The emails further show edits changing the characterization of Renaud from “individual” to “hacker,” despite correspondence from FBI official Kyle Storm to Missouri Department of Public Safety Director Sandra Karsten informing her “after reading the emails from the reporter that this incident is not actual network intrusion,” and that it was instead a “misconfigur[ation]” which “allowed open source tools to be used to query data that should not be public.” Karsten forwarded the email to officials in Parson’s office, including his chief of staff.
When asked at a ribbon-cutting ceremony on Dec. 7 whether he still believed Renaud and the paper broke the law, Parson responded, “Most certainly I believe that. And most certainly I don’t know where that information’s coming from that you guys printed on that, whether it’s very accurate or not either. It has a tendency not to be very accurate a lot of times.” The state’s investigation into Renaud and the paper was still open as of Dec. 7.
As this newsletter has explained in the past, viewing a website’s HTML code is not hacking (in fact, if you’re on Chrome, you can see it with three clicks in the browser: View > Developer > View Source).
However, we continue to see government officials conflate accessing publicly available information online with hacking, often accompanied by civil or criminal legal threats. That conflation has major implications for public interest data journalism. Hacking laws should be about hacking (as the Supreme Court recently clarified in affirming that using a computer for an improper purpose, but in a way that you’re allowed to use it, is not hacking).
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Legal Fellow Grayson Clary and Technology and Press Freedom Project Legal Fellow Gillian Vernick.