Relief as controversial charges dropped, tempered by fears of chilling effect
The Missouri prosecutor has decided not to press charges against a journalist charged with illegal hacking for disclosing security flaws on a website run by the state government.
St. Louis Post-Dispatch reporter Josh Renaud expressed “relief” at the news, but said allegations made against him by Missouri Governor Mike Parson in October 2021 could have a “chilling effect” on good-faith reporting of security breaches.
The charges centered on Renaud’s discovery of a problem in an area operated by the Missouri Department of Elementary and Secondary Education (DESE) that potentially exposed more than 100,000 social security numbers (SSNs) belonging to teachers and other school personnel.
In an article published on October 13, the St. Louis Post-Dispatch revealed that it notified DESE of the vulnerability and delayed the release of the findings to give the agency time to secure the exposed data.
A number of cybersecurity experts said at the time that this approach to vulnerability disclosure was consistent with how professional security researchers routinely alert companies to security breaches.
Some noted that Renaud’s actions did not even constitute “hacking”, since he had simply viewed the site’s HTML source code, which leaked sensitive data, something easily done using web browsers’ built-in functionality.
Nevertheless, Governor Parson called Renaud a “hacker”, claimed he had violated state computer crime laws, and referred the case to the Missouri State Highway Patrol, which investigated the episode and reported its findings to Cole County District Attorney Locke Thompson.
However, four months later, on Friday February 11, Thompson told KRCG television station that he would not press charges.
“This decision is a relief. But that doesn’t fix the harm done to me and my family,” Renaud said in a statement (PDF).
“My actions were entirely legal and in accordance with established journalistic principles. Yet Governor Mike Parson falsely accused me of being a ‘hacker’ in a televised press conference, in press releases sent to every teacher in the state, and in attack advertisements aired by his political action committee. He ordered the highway patrol to open a criminal investigation, forcing me to remain silent for four anxious months.”
Renaud continued: “It was a political persecution of a journalist, pure and simple. Despite this, I am proud that my reporting exposed a critical issue and caused the state to take action to better protect teachers’ private data.”
According to the Kansas City Star, Mike Parson’s spokesman, Kelli Jones, commented: “The state did its part in investigating and presenting its findings to the Cole County prosecutor, who elected not to press charges, as is his prerogative.”
Renaud also warned that the case could negatively impact reporting of other security bugs.
“I fear the governor’s actions have left the state more vulnerable to future bad actors,” he said. “His [Parson’s] well-publicized threats of legal retaliation against me and the Post-Dispatch will likely have a chilling effect, deterring people from reporting security or privacy breaches in Missouri, and decreasing the chances that those breaches will be fixed.”
The Daily Swig has invited Missouri Governor Mike Parson’s office to comment further on the prosecutor’s decision not to pursue the charges. We’ll update this article if and when we receive a response.