A Cole County prosecutor has rebuffed Missouri Gov. Mike Parson’s request to file criminal charges against a St. Louis Post-Dispatch reporter who identified a major security flaw in a government website by viewing publicly available HTML code.
Post-Dispatch reporter Josh Renaud had been facing the threat of prosecution since his discovery that the state website’s HTML source code exposed the full Social Security numbers of teachers and other school employees in unencrypted form. Renaud merely viewed the website’s HTML and converted the Social Security numbers into plain text, and he gave the state time to close the gaping security hole before publishing his findings. Despite Renaud helping the state improve its security, Parson called the journalist a “hacker,” sought criminal charges, and threatened a civil suit.
On Friday, Cole County Prosecutor Locke Thompson issued a statement saying he has closed the investigation without charges:
There is an argument to be made that there was a violation of law. However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means. As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case. The investigation is now closed, and the Cole County Prosecutor’s Office will have no further comment on the matter.
As the county’s prosecuting attorney, Thompson is an elected official. Thompson and Parson are both Republicans.
Governor still insists reporter committed crime
Gov. Parson’s office continues to insist that the journalist committed a crime. “The hacking of Missouri teachers’ personally identifiable information is a clear violation of Section 569.095, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative,” the governor’s office said in a statement to Missourinet.
Normally, an organization notified of a security flaw would thank the person who reported it. Missouri state government officials did in fact plan to publicly thank Renaud in a press release, according to internal emails published by the Post-Dispatch in December.
But that draft of the press release was scrapped as the governor insisted on calling Renaud a hacker and demanding a criminal investigation. “It is unlawful to access encoded data and systems in order to examine other people’s personal information, and we are coordinating state resources to respond and utilize all legal methods available,” Parson said in October. In addition to announcing that his “administration notified the Cole County prosecutor of this matter,” Parson said that state law “allows us to bring a civil suit to recover damages against all those involved.” No civil suit has been filed.
Thompson’s decision to close the investigation came about seven weeks after the Missouri Highway Patrol finished its report on the incident.
Reporter slams governor for “political persecution”
Renaud published a statement on his personal website after the prosecutor’s new announcement, saying that the case being closed “is a relief” but “does not repair the harm done to me and my family.” Renaud continued:
My actions were entirely legal and consistent with established journalistic principles. Yet Gov. Mike Parson falsely accused me of being a “hacker” in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.
This was a political persecution of a journalist, plain and simple. Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data.
At the same time, I am concerned that the governor’s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri and decreasing the chance those flaws get fixed.
Post-Dispatch Publisher Ian Caso said, “We are pleased the prosecutor recognized there was no legitimate basis for any charges against the St. Louis Post-Dispatch or our reporter. While an investigation of how the state allowed this information to be accessible was appropriate, the accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes.”
Legislature urged to “address governor’s abuse of power”
The investigation also targeted Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis who helped Renaud verify the security vulnerability. Thompson’s statement about closing the investigation did not mention Renaud or Khan by name but seems to indicate that no charges will be brought against either one of them.
Khan’s attorney, Elad Gross, told Ars today that “the Cole County Prosecutor confirmed that no charges will be brought against Dr. Shaji Khan for working with St. Louis Post-Dispatch reporter Josh Renaud to verify the major security flaw in the Missouri Department of Elementary and Secondary Education website.”
Gross also provided a statement saying that “Governor Mike Parson had no basis to instigate a criminal investigation” into either Renaud or Khan. Renaud and Khan “responsibly reported a security flaw on a public website that transmitted teachers’ social security numbers to every website visitor. They did the right thing. But the governor used state law enforcement officers and taxpayer money to persecute them,” the statement said, continuing:
This malicious prosecution pushed by the governor terrorized and silenced Mr. Renaud, Dr. Khan, and their families for months. No government in America should have the power to silence the press or its citizens through sham prosecutions and investigations. The legislature should address the governor’s abuse of power immediately and ensure that other folks who come forward responsibly—like these two Missourians did—are protected from the vindictiveness of an embarrassed official and that our law enforcement resources are put to much better use than this.
Khan previously explained in a letter to Parson and other government officials that viewing a website’s unencrypted source code is not illegal and does not make someone a “hacker,” and that “translating the source code into plain text… can be done by anyone.”