Missouri prosecutor declines to file charges over ‘hacker’ allegation against reporter

2 years ago 145
BOOK THIS SPACE FOR AD
ARTICLE AD

Relief as controversial charges dropped tempered by fears about chilling effect

Missouri prosecutor declines to file charges over 'hacker' allegation against reporter

Missouri’s public prosecutor has decided not to file charges against a journalist accused of illegal hacking over his disclosure of security vulnerabilities in a state government-run website.

St. Louis Post-Dispatch reporter Josh Renaud expressed “relief” at the news but said the allegations made against him by Missouri governor Mike Parson in October 2021 could have a “chilling effect” on the good-faith reporting of security flaws.

The accusations centred on Renaud’s discovery of a problem in a domain maintained by the Missouri Department of Elementary and Secondary Education (DESE) that potentially exposed more than 100,000 Social Security numbers (SSNs) belonging to teachers and other school staff.

BACKGROUND Missouri governor criticized for confusing vulnerability disclosure with criminal hacking

In a story published on October 13, the St. Louis Post-Dispatch revealed that it had notified DESE of the vulnerability and delayed publication of the findings to give the agency time to secure the exposed data.

A number of cybersecurity experts said at the time that this approach to vulnerability disclosure accorded with how professional security researchers routinely alert businesses to security flaws.

Some noted that Renaud’s actions did not even constitute ‘hacking’, since he had simply viewed the site’s HTML source code, which was leaking the sensitive data – something easily done using web browsers’ built-in functionality.

Nevertheless, Governor Parson labelled Renaud a “hacker”, claimed he had violated state computer crime laws, and referred the matter to the Missouri State Highway Patrol, which investigated the episode and relayed its findings to Cole County prosecutor Locke Thompson.

However, four months later, on Friday (February 11), Thompson told television station KRCG that he would not be filing charges.

‘Political persecution’

“This decision is a relief. But it does not repair the harm done to me and my family,” Renaud said in a statement (PDF).

“My actions were entirely legal and consistent with established journalistic principles. Yet Gov. Mike Parson falsely accused me of being a ‘hacker’ in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.

Renaud continued: “This was a political persecution of a journalist, plain and simple. Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data.”

According to the Kansas City Star, Mike Parson’s spokesperson Kelli Jones commented: “The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.”

Chilling effect

Renaud also warned that the case could have an adverse impact on the reporting of other security bugs.

“I am concerned that the governor’s actions have left the state more vulnerable to future bad actors,” he said. “His [Parson’s] high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.”

The Daily Swig has invited the office of Missouri governor Mike Parson to comment further on the prosecutor’s decision not to pursue charges. We will update this article if and when we receive a response.

RELATED New Zealand government mandates bug reporting process for federal agencies

Read Entire Article