A journalist who faced potential hacking charges for viewing the website’s source code in his browser can rest easier now that Missouri officials have decided not to prosecute him.
This month, Cole County District Attorney Locke Thompson announced that no charges would be filed in conjunction with the revelation that the Missouri Department of Elementary and Secondary Education (DESE) website exposed the social security details of educators.
“There is an argument to be made that there has been a violation of law,” Thompson said in a statement. [PDF]. “However, upon review of the case, the issues at the heart of the investigation have been resolved through non-legal means.”
Last October, Josh Renaud, a reporter for the St Louis Post-Dispatch, discovered that a website run by DESE was exposing social security numbers for school personnel. He did this by examining the website’s client-side source code, which is publicly viewable by anyone with a web browser.
After Renaud filed a story to that effect, Missouri Governor Mike Parson (right) said the state would investigate and explore legal options, and claimed the incident could cost US taxpayers up to at $50 million.
“Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and looked up the social security number for those specific educators,” Parson said at a conference. press in October.
“It is illegal to access encrypted data and systems in order to examine other people’s personal information and we are coordinating state resources to respond and use all available legal methods.”
It is highly doubtful that any US court will find it illegal to access encrypted data and the governor’s claims have been widely ridiculed by cybersecurity experts and legal experts.
In this context, “decoded” means converting a Social Security number encoded in a format called Base64 into plain text. Encoding is a keyless, reversible process, which makes it different from encryption, both practically and legally. Prohibiting decoding would amount to prohibiting translation from one language into another.
Elad Gross, attorney representing Shaji Khan, professor of cybersecurity at the University of Missouri-St. Louis who was contacted by Renaud to verify his conclusions, wrote a letter [PDF] to Missouri officials a week after Parson threatened legal action. He explained how the only violation of the law regarding data exposure was committed by the state when it failed to secure the personal information of its employees.
Despite the absurdity of Parsons’ hacking accusation, Renaud welcomed the news that Missouri officials had backed down.
“This decision is a relief,” Renaud said in a statement. [PDF] published on its website. “But that doesn’t fix the harm done to me and my family.
“My actions were completely legal and in accordance with established journalistic principles. Yet Governor Mike Parson falsely accused me of being a ‘hacker’ during a televised press conference, in press releases sent to all state teachers and in attack ads aired by his political action committee He ordered the highway patrol to open a criminal investigation, forcing me to remain silent for four anxious months.
“It was a political persecution of a journalist, plain and simple.”
Renaud further expressed concern that Parson’s actions could have a chilling effect on those trying to report security and privacy breaches in Missouri.
In A declaration, Governor Parson’s office argued that Renaud illegally hacked into the school’s website: “The hacking of Missouri teachers’ personally identifiable information was a clear violation of Section 569.095, RSMo, which the state takes The state did its part by investigating and presenting its findings to the Cole County prosecutor, who chose not to press charges, as is his prerogative.” ®