Missouri journalist smeared and attacked by officials after reporting website security flaw
Jefferson City, Missouri - Looking at the building blocks of a website is not hacking and it is something everyone can do when they surf the internet. However, simply checking up on website details sent one journalist on a wild legal ride that cost him a lot of time, energy, and suffering.
According to a February 11 statement from prosecuting attorney Locke Thompson, no charges will be pursued against Josh Renaud, a journalist who covers tech stories for the St. Louis Post-Dispatch.
Renaud was simply helping out by letting Missouri's Department of Elementary and Secondary Education (DESE) know that the social security numbers of 100,000 teachers and other staff around the state were publicly accessible because of mistakes in coding on a website run by the institution.
The journalist found the security flaw by checking the site's HTML source code, which anyone can do on any website by pressing "Ctrl + U" on Windows, "Option + Command + U" on Mac, or simply right click and select "View Page Source".
It all went downhill from there, as the Post-Dispatch reported. The DESE initially drafted a thank-you message for an official press release, but Governor Mike Parson's office instead started a criminal investigation, ran attack ads against Renaud, and forced him to remain silent on the issue for four months, according to Renaud's personal statement.
He pointed out that the way he was treated after trying to help with a cybersecurity flaw could "have a chilling effect" on other helpful people, who might not pipe up for fear of persecution.
Eventually, the inexplicable hunt ended in dropped charges, but as Renaud put it, the decision "does not repair the harm done to me and my family."
Just for clarity, looking at a website's source code, which is publicly available, is legal. And noticing and reporting a website's security flaws is not hacking.
Cover photo: IMAGO / Panthermedia