The Governor of Missouri, Mike Parson, does not understand how websites work: wants a journalist prosecuted for looking at website source code
The Governor of Missouri, Mike Parson, does not understand how websites work. He held a press conference earlier this week in St. Louis to reiterate his intention to prosecute a journalist for examining the source code of a state-run website.
In October 2021, reporter Josh Renaud reported that the Social Security numbers of over 100,000 school teachers, administrators, and counselors had been exposed in the source code of the Department of Elementary and Secondary Education website. The story was published only after he reported the problem to the state and the vulnerability was fixed.
The DESE and Parson did not seem to appreciate the alert and immediately accused Renaud of hacking the DESE’s website. Margie Vandeven, Missouri’s education commissioner, sent a letter to educators saying “at least three teacher records were taken, the source code was unlocked from the webpage, and the social security numbers (SSNs) were viewed.”
According to St. Louis Post-Dispatch records, the FBI told the state the website had been “misconfigured” and Renaud’s actions were not an actual breach of the network.
There was no encryption in the source code. Generally, anyone with a web browser can view a website’s source code. If you only want to look at it, you can do so by opening the “Developer Tools” option available in nearly every web browser, including Chrome, Safari, Firefox, and Edge. Look at the source code of The Verge right now if you like.
Governor Parson’s behavior since the paper’s story was first published is anything but funny, and neither is a gross misunderstanding of how websites work by a state agency and the state’s governor. The St. Louis Post-Dispatch obtained public records indicating that Vandeven initially intended to thank the newspaper for finding the vulnerability.
During the press conference, Parson compared Renaud’s actions to someone using a lock pick to enter a home without permission. Such a comparison is not appropriate. A website is meant to be public, not private. A better analogy: a person in a state-owned building walks past a locked room where sensitive information is posted in the window for anyone to see, whether or not they have keys.
It would be nice if someone could knock on the door and point out the problem without fear of being prosecuted by an embarrassed man who doesn’t understand how websites work.