A reporter who faced potential hacking charges for viewing website source code in his browser can rest easier now that Missouri officials have decided not to prosecute him.
This month, Cole County Prosecutor Locke Thompson announced no charges would be filed in connection with the revelation that the website of Missouri’s Department of Elementary and Secondary Education (DESE) exposed the Social Security details of educators.
“There is an argument to be made that there was a violation of law,” said Thompson in a statement [PDF]. “However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means.”
Last October, Josh Renaud, a reporter for the St Louis Post-Dispatch, found that a website run by the DESE exposed the Social Security numbers of school personnel. He did so by examining the client-side source code of the website, which is publicly viewable by anyone with a web browser.
After Renaud filed a story to this effect, Missouri Governor Mike Parson (R) said the state would investigate and explore legal options, and claimed the incident might cost the US state’s taxpayers as much as $50m.
“Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators,” said Parson in an October press conference.
“It is unlawful to access encoded data and systems in order to examine other people’s personal information and we are coordinating state resources to respond and utilize all legal methods available.”
It’s highly doubtful any court in the US would find it unlawful to access encoded data and the governor’s claims have been widely ridiculed by cybersecurity and legal experts.
In this context, “decoded” means converting a Social Security number encoded in a format called Base64 back to plain text. Encoding is a process that’s reversible without a key, which makes it different from encryption, both practically and legally. Outlawing decoding would be the equivalent of banning translation from one language into another.
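The encoding-versus-encryption point has a practical consequence for site operators: anything Base64-encoded in page source is as exposed as plain text. The following is an added example, not code from the article or from any Missouri system: a check that scans page source for Base64 runs that decode to Social Security number-shaped text. The sample HTML, field names and the number 123-45-6789 are constructed.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hold a nine-digit number.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# SSN-shaped text: nine digits, optionally grouped 3-2-4 with dashes.
SSN_SHAPE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def decode_token(token):
    """Return the decoded text, or None if token is not Base64-encoded UTF-8."""
    body = token.rstrip("=")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_encoded_ssns(page_source):
    """Return (offset, masked_value) for each Base64 run hiding an SSN shape."""
    findings = []
    for run in B64_RUN.finditer(page_source):
        text = decode_token(run.group())
        if text is None:
            continue
        for hit in SSN_SHAPE.finditer(text):
            digits = re.sub(r"\D", "", hit.group())
            # Report only the last four digits so the report is not a new leak.
            findings.append((run.start(), "***-**-" + digits[-4:]))
    return findings


# Constructed sample: no real person or real page is represented here.
ENC_WITH_SSN = base64.b64encode(b"name=Jane Doe;ssn=123-45-6789").decode()
ENC_CLEAN = base64.b64encode(b"name=John Roe;role=teacher").decode()
SAMPLE_HTML = (
    "<html><body>\n"
    f'<input type="hidden" id="rec1" value="{ENC_WITH_SSN}">\n'
    f'<input type="hidden" id="rec2" value="{ENC_CLEAN}">\n'
    '<script src="/static/app.bundle.min.js"></script>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for offset, masked in find_encoded_ssns(SAMPLE_HTML):
        print(f"offset {offset}: Base64 run decodes to SSN-shaped value {masked}")
```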
Elad Gross, an attorney representing Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis who was contacted by Renaud to verify his findings, wrote a letter [PDF] to Missouri officials a week after Parson threatened prosecution. He explained that the only violation of law with regard to the data exposure was committed by the state when it failed to secure its employees’ personal information.
Despite the absurdity of Parson’s hacking claim, Renaud welcomed the news that Missouri officials have backed down.
“This decision is a relief,” said Renaud in a statement [PDF] published through his website. “But it does not repair the harm done to me and my family.
“My actions were entirely legal and consistent with established journalistic principles. Yet Governor Mike Parson falsely accused me of being a ‘hacker’ in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.
“This was a political persecution of a journalist, plain and simple.”
Renaud further expressed concern that Parson’s actions will have a chilling effect on those trying to report on security and privacy flaws in Missouri.
In a statement, Governor Parson’s office maintained that Renaud had unlawfully hacked the school website: “The hacking of Missouri teachers’ personally identifiable information was a clear violation of Section 569.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.”