Missouri Governor Presses To Prosecute Journalist Who Found Security Flaw

In October, the St. Louis Post-Dispatch reported on a security flaw in a government run website that could have exposed the Social Security numbers of more than 100,000 Missouri public school teachers and other personnel.

Governor Mike Parson responded by describing the reporter who uncovered the flaw as a “hacker,” and calling for his criminal prosecution.

As recently as Wednesday, Parson reiterated his view that the reporter should face charges for allegedly violating the state's computer tampering law. That law prohibits people from accessing a computer and intentionally examining someone else's information, without authorization.

“If somebody picks your lock on your house -- for whatever reason, it's not a good lock, it's a cheap lock or whatever problem you might have -- they do not have the right to go into your house and take anything that belongs to you,” Parson said, according to the Post-Dispatch.

To be clear, the journalist didn't do anything comparable to picking a lock in order to find the security flaw. That's because the information -- which was unencrypted and not password-protected -- was publicly available to anyone with an internet connection.

Specifically, the Social Security numbers were “contained in the HTML source code” of some pages on the education department's website, according to the newspaper.  What's more, the newspaper alerted state officials to the problem and waited for the flaw to be fixed before publishing a story about it. 

Parson isn't the first one to go on the offensive after learning of a security flaw. AT&T, for instance, publicly condemned Andrew Auernheimer for revealing shoddy security practices that exposed iPad users' email addresses.

Auernheimer, along with another person, figured out that AT&T had placed iPad users' email addresses on pages that could be accessed by anyone who had the correct URLs. (The URLs all began with the same block of characters but went on to include particular iPads' serial numbers.)

Federal authorities in New Jersey prosecuted Auernheimer for allegedly violating the federal Computer Fraud and Abuse Act, an anti-hacking law that prohibits people from accessing computer servers without authorization. He was convicted at trial, but the conviction was reversed on appeal on the grounds that New Jersey was the wrong locale for the case because none of the allegedly criminal acts took place in the state.

Tor Ekeland, the lawyer who represented Auernheimer, sees parallels between AT&T and Parson: They both responded to embarrassing information by blaming the messenger.

“What he's doing here is nothing new,” Ekeland says of Missouri's governor.

Ekeland adds that Parson's attempt to compare accessing a publicly available website to breaking into a house “tells you that he doesn't understand the internet.”

“In the physical world, if the door is open and you go into someone's house without permission, that's trespass,” Ekeland says.

By contrast, the internet is open by design.

“Unless they tell you you can't go in, you can,” Ekeland says. “If you close the architecture of the internet -- under the governor's incohate, antediluvian theory of computer law -- you shut it down completely.”

Next story loading loading..