On Wednesday, the St. Louis Post-Dispatch disclosed that its staff had identified a security vulnerability in the Missouri Department of Elementary and Secondary Education (DESE) website. While reviewing teacher credentials on a publicly accessible website maintained by the state, the staff found that the source code for the website, which is also publicly accessible, contained the Social Security Number for the teacher just searched.
According to Krebs on Security, the source code was easily viewable by the public through specific settings in the internet browser or by right-clicking on the page and choosing View Source. No special “decoding” was necessary to view the information, and the code is considered “public” because it is easily viewable.
While the website contains information on over 100,000 teachers in Missouri, the Post-Dispatch reported that only three teachers’ information was viewed. The paper then notified the website administrators of the vulnerability, and the information was passed on to the Missouri Office of Administration with a request to suspend the search engine and correct the code so that such information would no longer be publicly available.
To protect the teachers, the Post-Dispatch withheld the story until the state had an opportunity to take measures to prevent a further breach of the information.
Within the First Amendment of the U.S. Constitution is the statement that “Congress shall make no law…abridging the freedom of speech, or of the press…and to petition the Government for a redress of grievances” for this very purpose. A free press is intended to provide accountability of Government for the People. It is in this vein that investigations such as that by the Post-Dispatch are conducted, to ensure that Government is protecting the People and its employees as they are charged with doing.
Missouri Gov. Mike Parson (R) seemed to take issue with the fact that the Post-Dispatch investigated what information on the state’s teachers was available to the general public. Instead of praising the Post-Dispatch staffer for finding and reporting the vulnerability as opposed to keeping it quiet and using the information that he had found, Gov. Parson has initiated a criminal investigation into the matter, threatening the staff member with prosecution and having to repay the state for the cost of the investigation.
Calling the staff member a “hacker,” Gov. Parson stated that the staff member converted and decoded the information without authorization. The accusation included “seeking to access, convert, and take personal information from Missouri teachers.” Gov. Parson said that the information was obtained through a “multi-step process” that was not authorized.
In reality, the information, by being contained in the HTML coding used for the website, was made available for all to see. The “multi-step process” simply included right-clicking on the page and choosing “View Source.” This would be tantamount to finding a pocket in a physical file folder containing the information and reviewing the information there as well.
For viewing the information in that “pocket,” the staff member is now facing a Class A Misdemeanor charge from the state for violating Chapter 569.095 of Missouri Revised Statutes. This section, titled “Tampering with computer data” and cited by Gov. Parson as the basis for the criminal investigation, revolves around improperly accessing computer systems or data. While the state may not have intended the information to be seen by the public, it made the information available by including it in the website coding. To the layperson, there was nothing inherently wrong or illegal with what was done, particularly considering that this was done in the course of investigating how the state protects, or fails to protect, the information of educators.
Calling it “a serious matter,” Gov. Parson vowed to prosecute “anyone who hacked our system and anyone who aided or encouraged them to do so.”
Gov. Parson also threatened, in addition to criminal prosecution, a civil case against those involved to repay the state for the investigation. “(This) may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.” In other words, he threatens to have those he has called “hackers” pay for an investigation into why the state failed to keep educators’ Social Security Numbers private.
It seems that the state of Missouri is responsible for the information being made publicly accessible and that they are now embarrassed at the fact that it was so.
By threatening Class A Misdemeanor charges and civil costs up to, or exceeding, $50 million, it is as though Gov. Parson is attempting to tell the People not to investigate Government. If you find something Government doesn’t like and have the potential of letting others know about the failure, you may be punished even if you take measures to allow Government to rectify the situation.