Missouri governor threatens to prosecute journalist for sharing web security flaw

Missouri Governor Mike Parson might want to read up on the differences between disclosing and exploiting security flaws. According to The Missouri Independent, Parson accused a St. Louis Post-Dispatch reporter of being a “hacker” for having the audacity to… report security holes. The journalist disclosed a Department of Elementary and Secondary Education web app flaw that let anyone see over 100,000 teachers’ Social Security numbers in site source code, and Parson interpreted this as a “political game” meant to “embarrass the state” — that is, a malicious hack.

The governor has already referred the case to the Cole County Prosecutor, and even has the Missouri Highway State Patrol investigating. An attorney for The Post-Dispatch maintained that the reporter “did the responsible thing” by sharing the flaw with the government to get it fixed. The lawyer also helpfully refreshed Parson on his internet lingo. A hacker is someone who “subverts” security with sinister intent, not a reporter trying to bolster security by sharing publicly available information.

This flaw wasn’t recent, either. University of Missouri-St. Louis professor Shaji Khan told The Post-Dispatch that this kind of vulnerability had been known for “at least” 10 years, and that it was “mind boggling” the Department would let these problems linger. Audits in 2015 and 2016 had highlighted data collection issues at both the Department and school districts.

No, prosecutors probably won’t file charges. It’s a bit difficult to convict someone whose ‘hack’ effectively amounted to clicking “view page source” in their browser. However, this highlights an all-too-familiar problem with politicians that don’t understand tech. It doesn’t just lead to embarrassments, such as letters to long-gone CEOs — it can discourage responsible security disclosures and put thousands of people at risk.