There was no evidence of criminal intent on the part of a St. Louis Post-Dispatch reporter who was approved by the governor after finding a security breach in a state website, Cole County District Attorney Locke Thompson said in an interview Monday.
If a crime was committed, Thompson said, it was on the “fringe” of overbroad state law and “wouldn’t be worth the time, effort or, quite frankly, taxpayers’ money.” to continue “.
The law in question says a person commits the crime of falsifying computer data by “accessing a computer, computer system or computer network, and intentionally reviewing information about another person”.
“The law seems to be so vague that it basically describes someone using a computer to look up someone’s information,” Thompson said.
Lawmakers may want to consider revising this section of state law, Thompson said.
“Our investigation did not reveal what we believe to be criminal intent,” he said. “While it might still technically be a crime, we didn’t believe there was intent.”
Thompson spoke to The Independent on Monday afternoon after publishing the dossier associated with the investigation into Josh Renaud, the Post-Dispatch reporter who discovered in October that the social security numbers of teachers, administrators and advisers were visible in the HTML code of a publicly accessible site operated by the Department of National Education.
HTML code is the programming that tells the computer how to display a web page.
Documents released Monday include summaries of interviews conducted by the Missouri State Highway Patrol and Renaud’s prosecutor’s office, several state employees, and Shaji Khan, a cybersecurity professor who helped confirm the Post’s security breach. -Dispatch.
Renaud told investigators he discovered the security flaw by accident while collecting publicly available data for a potential paper on teacher accreditation.
He was trying to build a dataset so the Post-Dispatch could run analysis on it and look for patterns that could lead to a story, Renaud told investigators. He needed to examine the source code to find the best way to collect the information, and in doing so he found what he thought was a social security number for an educator.
“He said he located a setting titled ‘Educator SSN’ and a nine-digit number below it, which at first glance appeared to be a social security number,” the interview summary reads. “He said he was shocked because he wasn’t looking for it and didn’t expect to find this information.”
To make sure what he found were indeed social security numbers, Renaud said he passed the information through teachers he knew. He also checked with Khan, who told investigators that the problem Renaud discovered had been a constant problem for 10 to 12 years.
Pam Keep, customer service manager for the state’s Information Technology Services Division, told investigators the data Renaud found was encrypted “but should have been encrypted.”
None of the data was encrypted and no password was required to access data from the public website.
Keep also said the site in question was “about 10 years old, and the fact that the data was only encoded and not encrypted had never been noticed before.”
In his interview with investigators, Khan likened the situation to someone “walking into a room and shouting their social security number in Chinese.”
“And if anyone in the room understands what he said,” a summary of the interview said, “they accuse that person of unauthorized access.”
Emails obtained by The Independent show Renaud informed about the status of the issue and promised to suspend publication of any stories about it until the issue is resolved and social security numbers were no longer exposed. He also explained to state officials in an email the steps he took to find and confirm the security breach.
Yet despite the fact that Missouri Department of Elementary and Secondary Education officials initially wanted to thank Renaud for uncovering the flaw, and an FBI agent telling the department that the incident “is not not a real network intrusion,” Parson called the reporter a hacker. and called for criminal prosecution.
Since Thompson announced his decision not to press charges against Renaud, Parson’s office has continued to allege he was a hacker.
Mallory McGowin, spokesperson for the Missouri Department of Elementary and Secondary Education, told investigators that Renaud did not access “anything that was not publicly available, and he was not not in a place where he shouldn’t have been”.
Renaud released a statement after learning that no charges would be filed, saying his actions were “entirely legal and consistent with established journalistic principles.”
“It was a political persecution of a journalist,” Renaud said, “pure and simple.”
Elad Gross, Khan’s attorney, released a statement saying that files released on Monday show “state officials have done all the wrongdoing here.”
“They failed to follow basic safety procedures for years, failed to protect teachers’ social security numbers, and failed to take responsibility,” Gross said, “instead, they chose to open a baseless investigation of two Missourians who did the right thing and reported the issue.”
Khan is “strapped by thousands of dollars,” Gross said, “and his family has been terrorized for four months due to the governor’s use of state law enforcement officers to his political purposes”.