Photo Courtesy of Office of Missouri Governor
A journalist at the St. Louis Post-Dispatch discovered a flaw with the Missouri Department of Elementary and Secondary Education’s (DESE) website that allowed social security numbers of teachers in Missouri to be viewed publicly. The newspaper notified the State of Missouri and withheld publication of the story until the state could fix the flaw. Doing this is common practice, according to cybersecurity experts.
Now, did Missouri tell this journalist and the newspaper “thank you” and continue to fix the flaw? No. Instead, Governor Mike Parson has labeled this reporter as a “hacker” and has announced the threat of a criminal investigation into this reporter and their newspaper.
Exactly why would the governor be threatening this journalist with legal action? Not because this journalist committed a crime, but because the governor is embarrassed that this happened, and wants to deflect the blame onto someone else other than his administration. This sets up a dangerous situation, and also reveals that the State of Missouri needs to update its technology.
The governor said that this journalist used a process to access encoded data, which is illegal under Missouri State law. The governor also claimed that this journalist “decoded the HTML” of the DESE to get to the social security number of teachers in the state. However the way this journalist found the flaw was by right-clicking and then going to “view page source,” which is also known as the F12 key on most laptops. Also, your browser (Google Chrome or Microsoft Edge) automatically decodes HTML.
The governor is also embarrassed that this happened, that DESE’s cybersecurity people somehow didn’t catch it. Naturally, he is trying to deflect blame in hopes that people do actually start to blame the reporter and their newspaper, and forget that it is the governor’s fault that this happened in the first place.
Parson had a press conference the day after the article was published, and this was when the governor tossed the wild accusations against the journalist. He went as far as to claim that this journalist was “acting against the state agency to embarrass the state and sell headlines for their news outlet.” This logic doesn’t even make sense. He taps into the common Republican narrative that news outlets are biased against Republican politicians. The Post-Dispatch is also doing well enough financially that they wouldn’t have to sell news headlines.
If the governer threatens criminal action against a reporter who alerts the state to a flaw that has to be fixed, that’s going to start to discourage others from reporting flaws that have to be fixed, since they would be afraid of what the governer may say if they report the flaw to the state. It’s a natural human reaction. The State of Missouri needs to know if there are more flaws in its cyber systems, and the people who report them must be free of any potential consequences. If no one reports flaws to the state, that could lead to a cyberattack that could decimate state systems. It also tramples all over the First Amendment’s freedom of the press. In this article, the press is not threatening national security and the article does not contain any obscene content. It is simply an article that is warning the state about something that it might want to take a good look at.
The fact that this reporter was also able to locate the social security number of teachers purely by right-clicking also reveals that the State of Missouri is in need of updating the technology of the state. Maybe start by investing in some better cybersecurity measures?
The press has the freedom to publish this story. They are not in violation of any sort of federal, state, or local law whatsoever. This is not the Post-Dispatch’s fault. This is the fault of a governor who is unwilling to accept his mistakes.