The governor’s charge of a journalist hack

I’m writing this column after one of the most vicious and unfounded attacks I’ve heard by a Missouri governor against a major Missouri news organization.

It involves the St. Louis Post-Dispatch story published Thursday, Oct. 14, about how a state Education Department website allowed access to the Social Security numbers of teachers.

Rather than praising the newspaper’s story identifying a major security breach in his administration, Gov. Mike Parson used a Facebook session later that morning to accuse the reporter and the newspaper of violating state law.

After citing the law as well as the criminal and civil penalties, he announced “not only are we going to hold this individual accountable, but we also will be holding accountable all those who aided this individual and the media corporation that employs them.”

He even went on to cite a state cost of $50 million, suggesting a civil penalty.

In more than five decades covering Missouri’s statehouse, I cannot remember a governor ever suggesting a criminal investigation against a reporter or a news outlet because of a news story.

To the Post-Dispatch’s credit, the newspaper actually delayed publication of the story to give the state time to address the problem and close access to that data.

Besides, the Education Department should not have been surprised. As the Post-Dispatch noted in its story, the state auditor twice in earlier years had warned about digital security problems involving education information.

Rather than praising the newspaper, Gov. Mike Parson charged the information was acquired by illegal decoding of encrypted information without authorization.

“It is unlawful to access encoded data and systems in order to examine people’s personal information,” Parson said. “They had no authorization to convert or decode, so this clearly was a hack.”

That reflects a gross misunderstanding of the digital information in the internet environment.

Information provided on the web automatically is converted or “decoded” by browsers in order to display the information on your screen without any “authorization.”

Websites you visit put their information into HTML.

That is just a method to structure plain text into a format web browsers can display in a graphical presentation along with links to other sites. HTML stands for Hypertext Markup Language, which you can easily see by clicking on your browser’s source-view tab.

In fact, anti-virus software on personal computers “decodes” HTML to protect you from virus infections.

Sometimes HTML pages can include a link to a database with a password. That can be a huge security breach. But it’s open to the global web.

Yes, the world is experiencing an explosion of hacking into personal data.

But the problem largely results from the failure of companies, database systems and even governments like Missouri to protect private personal data on their websites or to require strong password authorization to access the data.

Identifying that failure of the Education Department to protect personal information of teachers should have been praised by the governor, not used as the basis for a criminal investigation against the journalist who reported it.

The governor cited a state law that makes it a crime for “tampering with computer data…without authorization...and intentionally examines information about another person.”

Putting information on the web for the world to see, I would argue, amounts to authorization to examine. I regularly examine state government information provided on the web about campaign contributors, legislators, lobbyists and, yes, even the governor without any “authorization.”

Obviously I’m biased as a journalist.

But it seems to me that a news organization that reported a major privacy vulnerability in a state government website, notified the agency of the problem and did not release the story until the problem was resolved should have been praised by the governor rather than threatened with civil penalties and criminal prosecution.

It struck me that neither the Education Department commissioner nor the administration’s IT director was available at the governor’s Facebook session to answer questions.

(Phill Brooks has been a Missouri statehouse reporter since 1970. He is the statehouse correspondent for KMOX Radio, director of Missouri Digital News and an emeritus faculty member of the Missouri School of Journalism. He has covered every governor since the late Warren Hearnes.)