Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers
from the let-it-go,-mike dept
Missouri Governor Mike Parson is nothing if not consistent in his desire to stifle free speech. As you'll recall, the St. Louis Post-Dispatch discovered that the state's Department of Elementary and Secondary Education (DESE) website was programmed in such an incompetent fashion that it would reveal, to anyone who knew where to look, the social security numbers of every teacher and administrator in the system (including those no longer employed there). The reporting on the vulnerability was done exactly following ethical disclosure best practices -- getting just enough evidence of the vulnerability, alerting the state to the problem and not publishing anything until the vulnerability was fixed. The FBI told Missouri officials early on "that this incident is not an actual network intrusion" and DESE initially wrote up a press release thanking the journalists for alerting them to this.
But then Parson blundered his way into making a mess of it, insisting that the reporters were hackers and ordering the Missouri Highway Patrol to "investigate" them for prosecution. When people mocked him for this, he doubled down by insisting that this was real hacking and that those reporting otherwise were part of "the fake news."
A month later, DESE admitted that it had fucked up, apologized to all the teachers and administrators (current and former) whom its own incompetence had exposed, and offered credit monitoring to them all. Notably, DESE did not apologize to the journalists who discovered this mess, and the governor has continued to stand by his call to prosecute them.
Earlier this week the Highway Patrol claimed it had completed its investigation... and turned the findings over to state prosecutors. That alone seems worrisome, as there's nothing to turn over to prosecutors here beyond "our governor is a very foolish man, who can't admit to his own failings."
Capt. John Hotz said the results were turned over to Cole County Prosecuting Attorney Locke Thompson.
“The investigation has been completed and turned over to the Cole County Prosecutor’s office,” Hotz told the Post-Dispatch on Monday.
And the Governor still thinks the end result will be the prosecution of journalists for exposing the fact that his own administration ran a dangerously incompetent computer system that put 600,000 current and former state employees' private info at risk:
Gov. Mike Parson on Wednesday expressed his opinion the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.
“I don’t think that’ll be the case,” Parson said when asked what he would do if the prosecutor didn’t pursue the case. “That’s up to the prosecutor; that’s his job to do.”
Parson's continued insistence that this was unauthorized hacking is absolute garbage.
“If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you,” Parson said.
That analogy is just dumb on multiple levels. They didn't pick any lock. They didn't intrude somewhere they weren't supposed to go. The website put the info on their computers in the HTML. They didn't break any locks. They didn't access a system they didn't have access to. They just went where they were allowed to go, and the state's incompetent technologists handed them info it should not have.
Under Parson's definition of "hacking" it would be easy to turn anyone into a hacker. Just expose data you shouldn't expose on a website, and wait until anyone visited the page. That's not how this should work and the fact that he's still pressing this issue raises serious questions about Parson's competence to do anything, let alone run an entire state.