Missouri Gov. Mike Parson and state Education Commissioner Margie Vandeven have blatantly mischaracterized the circumstances under which a Post-Dispatch reporter discovered teachers’ Social Security numbers embedded on a state public-education website. Clearly embarrassed by the fact that the state government had jeopardized sensitive information of perhaps 100,000 teachers, Parson and Vandeven chose to shoot the messenger — the Post-Dispatch’s Josh Renaud — for having brought the flaw to the state’s attention.
Vandeven was first to attack Renaud, though officials did not mention him by name, alleging on Wednesday that he “took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.” A separate Department of Elementary and Secondary Education statement labeled the reporter a “hacker.”
The next day, a clearly misinformed Parson lashed out further, threatening criminal prosecution because the reporter engaged in a “multistep process” and “decoded the HTML source code.” Parson complained that the state now must spend “as much as $50 million” to fix the problems and secure its website.
Let’s deconstruct that. First, HTML source code is publicly available to anyone who has slightly more than a basic knowledge of web-page design. Parson’s knowledge clearly is at a sub-basic level. Anyone who has a right-click mouse key can expose the source code behind any web page out there. The code often looks like gobbledygook. But experienced designers know that source code is just a list of commands that tell web browsers where to locate text and graphics and how to present them on a web page.
It’s the state that posted the teachers’ sensitive private information publicly. If the state has to spend millions of dollars to fix the website and secure teachers’ data, that’s because the state created its own problem — not the newspaper that brought it to the state’s attention.
Renaud discovered Social Security numbers while attempting to aggregate publicly available teacher certification data, as his front-page story on Thursday explained. Once he verified that Social Security numbers were embedded in source code, the newspaper did the responsible thing by alerting state officials to the problem. The Post-Dispatch withheld publication of Renaud’s story to give the state time to disable the web feature that put Social Security numbers at risk of discovery.
Predatory hackers don’t behave that way. Responsible journalists do. This is watchdog journalism at its finest.
The reactions by Parson and Vandeven seem designed to distract the public and hide the state’s embarrassment over its own gross negligence. Parson further embarrassed himself by accusing the Post-Dispatch of carrying out a “political vendetta” and trying to “sell headlines.”
Renaud’s story, while important, might not have lasted beyond a one- or two-day news cycle. But Parson’s antics, threatening a civil lawsuit and criminal prosecution, exploded this into a major national story. The state created the problem, and Parson is the one who created the headlines.
View our Up for Discussion video online at STLToday.com/opinion.