Relief as controversial charges dropped tempered by fears about chilling effect

UPDATED Missouri’s public prosecutor has decided not to file charges against a journalist accused of illegal hacking over his disclosure of security vulnerabilities in a state government-run website.

St. Louis Post-Dispatch reporter Josh Renaud expressed “relief” at the news but said the allegations made against him by Missouri governor Mike Parson in October 2021 could have a “chilling effect” on the good-faith reporting of security flaws.

The accusations centred on Renaud’s discovery of a problem in a domain maintained by the Missouri Department of Elementary and Secondary Education (DESE) that potentially exposed more than 100,000 Social Security numbers (SSNs) belonging to teachers and other school staff.


BACKGROUND Missouri governor criticized for confusing vulnerability disclosure with criminal hacking


In a story published on October 13, the St. Louis Post-Dispatch revealed that it had notified DESE of the vulnerability and delayed publication of the findings to give the agency time to secure the exposed data.

A number of cybersecurity experts said at the time that this approach to vulnerability disclosure accorded with how professional security researchers routinely alert businesses to security flaws.

Some noted that Renaud’s actions did not even constitute ‘hacking’, since he had simply viewed the site’s HTML source code, which was leaking the sensitive data – something easily done using web browsers’ built-in functionality.

Nevertheless, governor Parson labelled Renaud a “hacker”, claimed he had violated state computer crime laws, and referred the matter to the Missouri State Highway Patrol, which investigated the episode and relayed its findings to Cole County prosecutor Locke Thompson.

However, four months later, on Friday (February 11), Thompson told television station KRCG that he would not be filing charges.

‘Political persecution’

“This decision is a relief. But it does not repair the harm done to me and my family,” Renaud said in a statement (PDF).

“My actions were entirely legal and consistent with established journalistic principles. Yet Gov. Mike Parson falsely accused me of being a ‘hacker’ in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.

Renaud continued: “This was a political persecution of a journalist, plain and simple. Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data.”

However, the Office of Governor Parson continues to maintain that Renaud violated state law. Its communications director, Kelli Jones, told The Daily Swig: “The hacking of Missouri teachers’ personally identifiable information is a clear violation of Section 569.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.

Jones added: “The Prosecutor believes the matter has been properly addressed and resolved through non-legal means. The state will continue to work to ensure safeguards are in place to protect state data and prevent unauthorized hacks.”

Chilling effect

Renaud also warned that the case could have an adverse impact on the reporting of other security bugs.

“I am concerned that the governor’s actions have left the state more vulnerable to future bad actors,” he said. “His [Parson’s] high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.”


This article was updated on February 15 with comments from Kelli Jones, communications director for the Office of Governor Parson


RELATED New Zealand government mandates bug reporting process for federal agencies