Missouri prosecutor won’t charge reporter governor accused of ‘hacking’
A Missouri prosecutor said Friday that a St. Louis Post-Dispatch reporter who was accused last year by Gov. Mike Parson of “hacking” the state government for reporting a website vulnerability won’t face any criminal charges.
In a statement released to a local TV station, Cole County Prosecutor Locke Thompson, who was overseeing an investigation, said it was not worth the money or resources to pursue a case against the reporter and his newspaper.
Parson used a media appearance last October to accuse the reporter, Josh Renaud, of “hacking” after the Post-Dispatch published a story based on Renaud’s discovery that a website operated by the Missouri Department of Elementary and Secondary Education was inadvertently exposing the personal information of public-school employees, including Social Security numbers.
Renaud reported that he discovered the flaw when viewing the page’s HTML source code, a document visible to any standard web browser. But despite Renaud’s confirming his find with an outside computer scientist and notifying the agency before publishing his story — standard practices in vulnerability disclosures — Parson reacted with public fury and demands for a criminal investigation, a process he at one point said could cost up to $50 million.
Parson’s reaction also did not mirror responses inside his own administration. At one point, the education department planned to thank the Post-Dispatch before the governor’s office decided to go with a more aggressive tack, which was criticized for chilling press freedoms and software vulnerability researchers.
“It is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case,” Thompson said in his statement Friday, which was reported by KCRG, a CBS affiliate in Jefferson City.
“We are pleased the prosecutor recognized there was no legitimate basis for any charges against the St. Louis Post-Dispatch or our reporter,” the newspaper’s publisher, Ian Caso, said Friday evening. “While an investigation of how the state allowed this information to be accessible was appropriate, the accusations against our reporter were unfounded and made to deflect embarrassment for the state’s failures and for political purposes.”
Thompson’s decision not to prosecute was also applauded by Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency.
In a statement published on his personal website, Renaud wrote that the past few months have been “one of the most difficult seasons” of a 20-year career in journalism. And he said that while there could be lasting damage, he’s proud of his coverage.
“This decision is a relief. But it does not repair the harm done to me and my family,” Renaud wrote. “My actions were entirely legal and consistent with established journalistic principles. … This was a political persecution of a journalist, plain and simple. Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data.”
But he also warned that Parson’s behavior could still discourage other individuals from sharing vulnerability discoveries with government officials across the state.
“His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed,” Renaud wrote.
