Relief as controversial charges dropped tempered by fears about chilling effect
Missouri’s public prosecutor has decided not to file charges against a journalist accused of illegal hacking over his disclosure of security vulnerabilities in a state government-run website.
St. Louis Post-Dispatch reporter Josh Renaud expressed “relief” at the news but said the allegations made against him by Missouri governor Mike Parson in October 2021 could have a “chilling effect” on the good-faith reporting of security flaws.
The accusations centred on Renaud’s discovery of a problem in a domain maintained by the Missouri Department of Elementary and Secondary Education (DESE) that potentially exposed more than 100,000 Social Security numbers (SSNs) belonging to teachers and other school staff.
In a story published on October 13, the St. Louis Post-Dispatch revealed that it had notified DESE of the vulnerability and delayed publication of the findings to give the agency time to secure the exposed data.
A number of cybersecurity experts said at the time that this approach to vulnerability disclosure accorded with how professional security researchers routinely alert businesses to security flaws.
Some noted that Renaud’s actions did not even constitute ‘hacking’, since he had simply viewed the site’s HTML source code, which was leaking the sensitive data – something easily done using web browsers’ built-in functionality.
Nevertheless, Governor Parson labelled Renaud a “hacker”, claimed he had violated state computer crime laws, and referred the matter to the Missouri State Highway Patrol, which investigated the episode and relayed its findings to Cole County prosecutor Locke Thompson.
However, four months later, on Friday (February 11), Thompson told television station KRCG that he would not be filing charges.
“This decision is a relief. But it does not repair the harm done to me and my family,” Renaud said in a statement (PDF).
“My actions were entirely legal and consistent with established journalistic…