Missouri Gov. Mike Parson overreacted and overreached following a St. Louis Post-Dispatch report about a data weakness at a state agency, and prosecuting this as a criminal offense will have a chilling effect.
The governor should have thanked the paper for identifying the flaw and for the way it handled what it learned. Instead, Parson doubled down in his criticism during a stop in Carthage on Thursday.
On Wednesday, the Post-Dispatch broke a story indicating that Social Security numbers for teachers and other education department employees could have been easily accessed via a website maintained by the Missouri Department of Elementary and Secondary Education. The paper reported the information was contained in the HTML source code of pages linked to the tool that allows a search for teacher certifications and credentials. The paper reported that, “teachers’ Social Security numbers were present in the publicly visible HTML source code of the pages involved.”
HTML source code is available to anyone with a web browser — it is what a website sends to your device. Just go to any webpage, then find the “View Page Source” command on your browser (or type “view-source:” in front of the URL) to see it. While it looks like a mess to us humans, it’s easily understood by computers: Your web browser translates that code into an easy-to-read page, yet viewing the source does not let you edit or change the website.
According to the Post-Dispatch, the paper notified the agency after discovering the flaw, giving the state time to correct the problem.
All of this was the right and responsible thing to do.
But for that, the reporter and paper were condemned by Parson, who said the Missouri State Highway Patrol’s digital forensic unit will investigate and that his administration had also spoken to the prosecutor in Cole County.
That is an extreme move, given that no crime occurred.
Peter Swire, a cyber law expert and professor at the Georgia Institute of Technology’s School of Cybersecurity and Privacy, told The Associated Press that flagging security vulnerabilities on publicly accessible websites is a “public service” and is “clearly not criminal under federal law.”
“Right clicking does not count as criminal hacking,” Swire said.
What Parson calls “hacking” is better known as public service journalism — investigating and identifying problems and bringing them into the light.
Parson called what happened an “attempt to steal personal information,” but Jean Maneke, an attorney for the Missouri Press Association, said there was no evidence the newspaper was attempting to steal anything.
“There’s never been any criminal prosecution of a newspaper for this ever,” Maneke told The Kansas City Star. “But it’s not at all unusual for embarrassed public officials to proclaim that this is a newspaper’s fault when they’ve been caught with their pants down.”
Our advice to Parson: Drop the prosecution.
