Missouri governor targets journalist, newspaper that discovered flaw in state education database, threatens prosecution

Prepared by Grace Chisholm ’22

First posted January 25, 2022 12:39pm EST
Last updated February 15, 2022 5:09pm EST

All Associated Themes:

  • Legal Action
  • Press
  • Professional Consequences

External References

Missouri teachers’ Social Security numbers at risk on state agency’s website, St. Louis Post-Dispatch

A Missouri newspaper told the state about a security risk. Now it faces prosecution, NPR

Governor Accuses Reporter of Hacking After Flaws in State Website Are Revealed, The New York Times

Missouri governor calls for prosecution of journalist who flagged website flaw, NBC News

Missouri governor accuses journalist who warned state about cybersecurity flaw of criminal ‘hacking,’ The Washington Post

Parson issues legal threat against Post-Dispatch after database flaws exposed, St. Louis Post-Dispatch

Missouri Gov. Parson targets St. Louis newspaper for prosecution after report on state’s security vulnerability, The Kansas City Star

Missouri officials planned to thank Post-Dispatch before threatening newspaper, emails show, St. Louis Post-Dispatch

Missouri governor labels reporter a hacker, threatens criminal prosecution, U.S. Press Freedom Tracker

Missouri completes probe into Post-Dispatch over ‘hacking’ accusation, Fox2

Missouri offers credit monitoring after data flaw that Parson called ‘hacking,’ The Kansas City Star

Cybersecurity expert demands apology from Missouri governor over hacking claims, Missouri Independent

Missouri professor who verified website security flaw wants Gov. Parson to apologize, The Kansas City Star

Parson doubles down on push to prosecute reporter who found security flaw in state site, Missouri Independent

Cole County prosecutor declines to charge Post-Dispatch reporter targeted by Parson, St. Louis Post-Dispatch

Missouri prosecutor declines to charge St. Louis Post-Dispatch reporter Parson targeted, The Kansas City Star

Prosecutor isn’t pressing charges against reporter who found flaw in state website, Missouri Independent

After a St. Louis Post-Dispatch journalist discovered the Social Security numbers (SSNs) of some 100,000 teachers were easily available because of a security flaw in a website run by Missouri’s education department, he alerted education officials and waited until the problem was resolved before making it public. But on the day of the publication, the governor of Missouri accused him of “hacking” and threatened prosecution. 

Key Players

The Missouri Department of Elementary and Secondary Education (DESE) is the administrative arm of the Missouri State Board of Education. The department says it works with educators, legislators, government agencies, community leaders, and citizens “to maintain a strong public education system.” A search tool on its website allows the public to check teachers’ certifications and credentials.

The St. Louis Post-Dispatch is the largest daily newspaper serving the St. Louis metropolitan area with a daily circulation of about 70,000.

Josh Renaud, a staff member of the Post-Dispatch, published the story detailing the security issue in the DESE website.

Gov. Mike Parson (R) has clashed with the Post-Dispatch since the start of the COVID-19 pandemic. 

Further Details

According to the Post-Dispatch, the personal information of more than 100,000 educators had been at risk. Upon this discovery, the newspaper consulted Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, who confirmed that the SSNs were contained in HTML source code, which could be found via a right-click and scrolling down to “view public source.” Khan called the design a “serious flaw.”

The Missouri State Teachers Association released a statement urging the state to shore up security and prevent further disclosures of teachers’ data. “When Missouri educators share personal information with state agencies, they should be confident that information will remain protected,” the organization wrote, adding that its confidence was “eroded” in light of the discovery. 

“The State of Missouri has an obligation to deploy every resource necessary to keep protected personal information of Missouri’s education professionals secure,” it continued. 

On Oct. 13, 2021, the state said it had disabled the teacher certification search tool and would ensure no similar problems existed with other public search tools. 

But what drew the most attention was Parson and the state referring to Renaud as a “hacker,” accusing him of decoding HTML source code instead of using the “view public source” option.  “It is important to note that these records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once,” the state said. 

Jean Maneke, an attorney for the Missouri Press Association, immediately came to the newspaper’s defense, stressing that there was no evidence indicating the Post-Dispatch had tried to steal sensitive data. Instead, it brought the issue to DESE’s attention.

“There’s never been any criminal prosecution of a newspaper for this ever,” Maneke told The Kansas City Star. “But it’s not at all unusual for embarrassed public officials to proclaim that this is a newspaper’s fault when they’ve been caught with their pants down.”

Matt Bailey, director of the Digital Freedom program at PEN America, called the governor’s characterization of the reporter’s actions “an affront to democracy, the free press, and the public interest.”

“And it comes at a time when opportunistic political leaders seek to demonize the press,” Bailey told NPR. “Such craven acts merely serve the short-term interests of the governor; in the long term, they chip away at an already-precarious information ecosystem, where a growing number of people distrust credible accountability reporting.”

Katherine Jacobsen, a program coordinator for the Committee to Protect Journalists, , told The Washington Post that Parson’s legal threats were “absurd.”

“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” Jacobsen wrote in an email.

Missouri House Minority Leader Crystal Quade (D) called Renaud’s work part of “the finest tradition of public interest journalism” and decried Parson’s remarks. “The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and to work to fix the problem, not threaten journalists with prosecution for uncovering those failures,” Quade said in a statement released Oct. 14, 2021.

At a press conference the same day, Parson promised his administration was committed to “standing up against any and all perpetrators who attempt to steal personal information and harm Missourians” and would address ongoing security concerns. 

Citing a state statute about tampering with computer data, Parson argued that nothing in DESE’s website authorized the journalist to access teachers’ personal information.

“We apologize to the hardworking Missouri teachers who now have to wonder if their personal information was compromised for pathetical political gain by what is supposed to be one of Missouri’s news outlets,” he said.

Ian Caso, president and publisher of the Post-Dispatch, defended its actions. “We stand by our reporting and our reporter who did everything right,” Caso said. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”

Outcome

Cybersecurity expert who advised Post-Dispatch is also targeted by state officials

Khan also faced threats of prosecution. On Oct. 21, 2021, according to the Missouri Independent, Khan’s attorney, Elad Gross, sent a letter to Parson, several state agencies, and Uniting Missouri, a political action committee (PAC) organized in support of Parson. Gross called for “separate, detailed and public statements apologizing to Professor Khan, to be shared on their respective websites, with Missouri and national press outlets, on social media sites, and to anyone the parties communicated their false accusations.” 

According to The Kansas City Star, Gross said state officials defamed the professor and violated his Free Speech rights by threatening retaliation. “The government’s threat of prosecution would have a chilling effect on people of ordinary firmness and has had such an effect on Professor Khan,” Gross wrote.

“Professor Khan has already had to suspend his normal interactions with members of the press. Additionally, the government’s retaliatory actions will deter other Missourians from assisting the state when they uncover wrongdoing.”

Gross promised he would “explore every avenue to address the wrongdoing in court.”

PAC publishes ad attacking the Post-Dispatch as ‘fake news’ 

On Oct. 20, 2021, Uniting Missouri published an ad on YouTube saying that the Post-Dispatch’s reporting was the latest from Missouri’s “fake news factory” and that Parson was “standing up to the fake news media.”

“The St. Louis Post-Dispatch is purely playing politics,” according to the ad. “Exploiting personal information is a squalid excuse for journalism. And hiding behind the noble principle of Free Speech to do it is shameful.”

State purchases credit monitoring service for afflicted teachers

On Nov. 10, 2021, the DESE announced it would spend $800,000 to offer credit monitoring to teachers affected by the security flaw. According to the department, 620,000 teachers were eligible for a year of credit and identity-theft monitoring through a digital privacy protection platform.

“Educators have enough on their plates right now and I want to apologize to them for this incident and the additional inconvenience it may cause them,” Commissioner of Education Margie Vandeven said in a statement.

Records reveal state official intended to thank Renaud

On Dec. 3, 2021, the Post-Dispatch reported that despite Parson’s angry response to the story, an open records request revealed that Vandeven had originally planned to thank Renaud for his discovery. 

“We are grateful to the member of the media who brought this to the state’s attention,”  Vandeven wrote in an email dated Oct. 12, 2021. An FBI agent told a state cybersecurity official the day before that the “incident [was] not an actual network intrusion.”

Investigation ends, county prosecutor decides not to pursue charges

After Parson’s accusation of hacking, the Missouri Highway Patrol’s digital forensic unit opened an investigation into the Post-Dispatch, which ended on Dec. 27, 2021, according to Fox2. The materials from the investigation were then handed over to Locke Thompson (R), the Cole County prosecuting attorney. 

On Feb. 11, 2022, Thompson issued a statement announcing his decision not to file charges against Renaud because “the issues at the heart of the investigation have been resolved through non-legal means[.]”

“As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case,” he wrote.

Thompson did not respond to the Missouri Independent’s request to clarify what he meant by “non-legal means.”

In a statement posted on Twitter, Renaud said the decision was a “relief” but does not “repair the harm done to me and my family.”

“My actions were entirely legal and consistent with established journalistic principles,” Renaud wrote. “This was a political persecution of a journalist, plain and simple.”

Gov. Parson’s spokeswoman, Kelli Jones, continued to call Renaud’s reporting “hacking” and a “clear violation” of the state’s laws on computer tampering.

“The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative,” she said in a statement.

Throughout the probe, Parson had expressed confidence that Thompson would file charges.

Caso said the Post-Dispatch was “pleased the prosecutor recognized there was no legitimate basis for any charges against” Renaud or the newspaper.

“While an investigation of how the state allowed this information to be accessible was appropriate, the accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes,” he said in a statement.