This is a story of a politician who cried “hacker” after a reporter informed a state agency that sensitive information was embedded in their website’s HTML source code1. While we wish this was a joke or fictional story it, unfortunately, is not. If the state of Missouri does move forward with the prosecution this state action would sound the alarm for researchers and reporters resulting in a chilling effect on the practice of responsible reporting.
Josh Renaud, a reporter from the St. Louis Post-Dispatch was researching the Missouri Department of Elementary and Secondary Education’s website for an upcoming story when he realized that “Teachers’ Social Security numbers were embedded in the websites HTML source code” (meaning anyone could have easily viewed the page source code and obtained the SSNs). The concerned reporter communicated his findings to the state agency and delayed his report to allow enough time for the state to remove the affected portions of the website.
But instead of thanking the reporter for discovering a security vulnerability, the Governor of Missouri held a news conference labeling the reporter as a “hacker” and threatened prosecution, even though the State’s Department of Public Safety Director had received confirmation from the FBI that “this incident is not an actual network intrusion.”
We couldn’t agree more with the following statements made by House Representatives Crystal Wade and Tony Lovasco.
Rep. Tony Lovasco tweeted on October 14, 2021:
“It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry-standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking.”
Rep. Crystal Wade asserted in a public statement made on October 14, 2021 that:
“The governor should direct his anger towards the failure of state government to keep its technology secure and up to date and work to fix the problem, not threaten journalists with prosecution for uncovering those failures.”
This recent example underscores the notion that there is a real need for Policymakers to understand how technology works and behaves. Earlier this year, past congressional hearings also showed us that many Policymakers do not understand basic internet functions. We urge Policymakers to do their homework so that they can make educated and informed decisions on technology issues. Me2BA offers itself as a resource for Policymakers to navigate opaque and complex technology issues, so that researchers and journalists can continue to safely perform responsible reporting, which is a crucial function to keep everyone safe online.
1 A website’s HTML source code is readily viewable by the public by simply right-clicking on a webpage and selecting, “View page source” from the options. Alternatively, a browser designated shortcut can open the webpage source code, such as “Ctl + U”.