Prosecutor found no ‘criminal intent’ by reporter accused of hacking by Missouri governor
A Cole County Prosecutor says the state law was "so vague that it basically describes someone using a computer to look up someone’s information."
There was no evidence of any criminal intent by a St. Louis Post-Dispatch reporter who was targeted by the governor after finding a security flaw in a state website, Cole County Prosecutor Locke Thompson said in an interview Monday.
If any crime was committed, Thompson said, it was in the “fringes” of an overly-broad state law and “wasn’t going to be worth the time, the effort or, quite frankly, the taxpayer dollars to pursue.”
The law in question says a person commits the offense of tampering with computer data by “accessing a computer, a computer system or a computer network, and intentionally examines information about another person.”
“The law does appear to be so vague that it basically describes someone using a computer to look up someone’s information,” Thompson said.
Lawmakers may want to consider revising that section of state law, Thompson said.
“Our investigation didn’t uncover what we believe to be any criminal intent,” he said. “Even though it still may have technically been a crime, we didn’t believe that there was intent.”
Thompson spoke to The Independent Monday afternoon after releasing the file associated with the investigation of Josh Renaud, the Post-Dispatch reporter who in October discovered that Social Security numbers for teachers, administrators and counselors were visible in the HTML code of a publicly accessible site operated by the state education department.
HTML code is the programming that tells the computer how to display a web page.
The documents released Monday include summaries of interviews conducted by the Missouri State Highway Patrol and prosecutor’s office of Renaud, several state employees and Shaji Khan, a cybersecurity professor who helped confirm the security flaw for the Post-Dispatch.
Renaud told investigators that he discovered the security flaw by accident while he was collecting publicly available data for a potential story on teacher accreditation.
He was trying to build a data set so the Post-Dispatch could run analysis on it and look for trends that could lead to a story, Renaud told investigators. He needed to look at the source code to figure out the best way to collect the information, and in doing so he found what he thought was a social security number for an educator.
“He stated he located a parameter that was labeled ‘Educator SSN’ and a nine-digit number below it, which at face value appeared to be a social security number,” the summary of the interview says. “He stated he was shocked because he was not looking for it and did not expect to find that information.”
To make sure what he found were indeed social security numbers, Renaud said he ran the information by teachers he knew. He also checked with Kahn, who told investigators the problem discovered by Renaud has been a continual issue for the past 10 to 12 years.
Pam Keep, client service manager for the state’s Information Technology Services Division, told investigators that the data Renaud found was encoded “but should have been encrypted.”
None of the data was encrypted and no passwords were required to access the data from the public website.
Keep also said the site in question was “about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.”
During his interview with investigators, Khan compared the situation to a person who “walks into a room and shouts their social security number in Chinese.”
“And if anyone in the room understands what they said,” a summary of the interview said, “they are charging that person with unauthorized access.”
Emails obtained by The Independent show Renaud informed the state of the issue and promised to withhold publishing any story about it until the problem was fixed and the Social Security numbers were no longer exposed. He also laid out to state officials in an email the steps he’d taken to find and confirm the security flaw.
Yet despite the fact that officials within the Missouri Department of Elementary and Secondary Education initially wanted to thank Renaud for uncovering the flaw, and that an FBI agent told the department the incident “is not an actual network intrusion,” Parson labeled the reporter a hacker and called for criminal prosecution.
Since Thompson announced his decision not to file charges against Renaud, Parson’s office has continued to allege he was a hacker.
Renaud released a statement after learning no charges would be filed saying his actions were “entirely legal and consistent with established journalistic principles.”
“This was a political persecution of a journalist,” Renaud said, “plain and simple.”
Missouri Independent is part of States Newsroom, a network of news outlets supported by grants and a coalition of donors as a 501c(3) public charity. Missouri Independent maintains editorial independence.
Copyright 2022 St. Louis Public Radio. To see more, visit St. Louis Public Radio.