Missouri Likely to Prosecute Reporter for Viewing Web Page Source
Missouri Governor Mike Parson is encouraging the prosecution of a St. Louis Post-Dispatch reporter for the supposed crime of viewing the HTML source of a state website, which inadvertently contained Social Security numbers of state educators. The reporter alerted the state and published an article only once the data was removed, but it looks likely that Missouri will move forward with computer tampering charges. Despite an FBI agent saying that the incident was not a network intrusion and that the state’s database was misconfigured, it seems that the governor isn’t above interpreting “View source,” a standard feature of Web browsers since the earliest days of the Web, as a form of tampering in an attempt to harass a news outlet over an embarrassing report. Technological ignorance, malice, or an unholy combination of both?
Wow. Just wow.
How can looking at the stuff the web server actively sends you be in any way considered tampering.
Missouri is not going to pursue anything based on the info from the article. The reporter and newspaper did everything right and greatly helped with the problem. Something is nuts so it could even be the article.
According to the article:
The problem is that this is not picking any lock. This is viewing content that a legitimate request sent to you.
This is more like you sent a letter to someone asking for one piece information and they mailed back a thousand pages of classified material along with what you asked for. The law doesn’t say you aren’t allowed to read what they sent you.
If the prosecutor can’t tell the difference, then the prosecutor doesn’t know what’s going on and needs to be replaced with someone who does.
It’s precedent setting.
They will find a way not to prosecute but leave the door open to be able to prosecute those who do violate for nefarious reasons.
The headline should read Missouri Governor is a Dick
This isn’t lock picking. This is someone ringing your doorbell, and telling you you left your keys in the lock.
maybe a dumb question: Isn’t it possible to configure highly sensitive web pages to disable, or password-protect the ability to “view source”?
Not to mention, another dumb question(?): why in the heck would private data, not specifically displayed on a web page,
be embedded in the source code?
If you disable view source, how does the client browser know what to display? There is nothing magical about view source. It merely shows the user what the browser was sent to render that page.
Web browsers may make it possible (via some scripting) to disable context menus for a page and maybe also commands like view-source, but it’s ultimately doomed to failure.
As @Simon wrote, when you do a “view source”, you are viewing the raw HTML content that your web browser downloaded in order to generate the page. Ultimately, there is no possible way to completely block viewing it. In the worst case, you could run a command-line tool (like wget) to just download the page, which you could then load into a text editor.
Why would the page contain private data? Unless one of the web developers decides to tell us, we’ll never know. It could be a bug. It could be the result of some debug/test code that they forgot to delete before the site/script went live. It could also just be sloppy programming by a developer who didn’t know how (or was too lazy) to design the page properly.
If you are looking for a conspiracy theory, maybe someone was trying to exfiltrate data for a nefarious purpose and this journalist stumbled on to it. (Sounds like a movie trope that’s been massively overused.) I’m sure you can think of a dozen other possibilities.
You are right, however, that there is no good reason to embed private data like social security numbers into a page’s source. If the page needs to display data like this, it should use a script to make a (secure) request to a server, retrieve only the specific data required, and free it as soon as it is no longer needed. Someone debugging the web page or viewing the source (which usually includes insertions/changes made by scripts) might see the data while it is being used, but he would only be able to see his own data, not everybody else’s.
Typical response from a politician these days - lash out at someone who finds something embarrassing about you. Never admit a blunder!
My ancient webpage (HTML) editing app Komposer, allows me to easily view a web page in source HTML. As indicated above, it is how web browsers receive the data for displaying the page as intended.
PHP or other server-based creation of the html code allows including private information in the server-based source code that is not sent to the browser as part of the web page. That’s only crude security, though, just a start.
To keep the discussion focused on the technical (View Source as a security vulnerability?) and security policy aspects (kneejerk reactions to ethical disclosure of vulnerabilities) of this situation, instead of broader political themes that may be unrelated, I’m trimming the last few posts and will delete future ones that stray off those topics.
I run a group which discusses difficult issues - we keep names (people, political parties, etc) out of it and refer only to the policy itself - and our thoughts on that policy - then respect the right to have differing opinions about a policy. Our members can determine whether they agree or not - but not at the expense of the person putting forward their opinion.
Politicians and parties don’t need to be part of a technical discussion - just what you think the policy should be and why.
It is possible to do that - and it allows people to maintain friendships when you only work to move the ball to a greater understanding of the issue.
I’m not trying to be the topic police here…but can we forego the political comments here? There’s enough of that going on on too many forums and lists and while discussing whether or not viewing the page source of a web page is illegal or should be prosecuted certainly has merit…without doing a lot of google research to see exactly who said what and to whom and what the total context of it was it’s not clear that the state is or is not interested in prosecuting or what the governor or DA or whoever actually did or did not say when the entire statement is taken in the context of the actual conversation.
Blaming the right as some posts are is just as distasteful as blaming the left as others do…and we should try to be better than that here. We already know that the left doesn’t like what the right says/does/wants…and we likewise know that the right doesn’t like what the left says/does/wants. I’m surprised that ACE hasn’t weighed in on it already.
IANAL, but I’d expect the defendants -if this actually goes to trial- to file an immediate motion-to-dismiss-with-prejudice on the grounds that no crime was committed.
Nah, he is just another “Missouri Puke”.
But seriously, I can’t see where he has a case, and his staff should tell him so. If they don’t then the Missouri Attorney General should say the state will not support the governor.
Note that the AG isn’t involved. It’s the State Highway Patrol and the county prosecutor. The State Highway Patrol in Missouri can investigate state crimes likely rape, robbery, and financial and drug crimes. These are then handed off to the AG or the county prosecutors.
Although the AG could investigate this case and prosecute it, the AG is out of the loop.
The State Highway Patrol is under the Department of Public Safety whose head is appointed by the governor. The AG is elected separately.
So the top legal authority isn’t the Attorney General?
It appears there are multiple agencies that can investigate crime in the state. In most states, it’s not unusual for a local DA in the capital city to investigate government corruption. After all, the capital is in their jurisdiction.
The Highway Patrol (known as the State Police in other states) is a police force with detectives, labs, etc., so it’s not unusual they do investigations into murder, robberies, and other crime that’s not all that local or where the local police force might not have the expertise.
Usually paperwork crimes are handled by the AG in most states. The AG doesn’t have a police force, but has legal experts who know how to comb through books and how the law is applied. And usually, the AG can nose into investigations run by a local DA or the state police. In theory, the AG’s office is the one to press charges.
However, by using the State Highway Patrol, the governor is using an organization under his direct control. He can ensure that this incident is investigated fairly and justly until he gets the results he wants.
I assume that Highway Patrol investigations are handed over to the AG for prosecution. However, they’re handing it over to a county prosecutor and cutting the AG out of this completely.
They’re all on the same side. I take it that there’s some sort of agreement to leave the AG’s office out of it. As far as I can tell, the AG has said nothing. The AG might not want to go against the governor on this, but doesn’t want the stench of this case wafting over him.
It used to be that public officials tried hard to look smart, whether they were or not.
Ironically, now it seems that public officials try to look as dumb as the lowest common denominator of their constituents.
I look at source code often to learn tips on coding. On some pages the source code doesn’t show very much. They apparently have a way to bringing in code and then resetting. It appears they did some stupid coding such as including the database in the Show Me states Show Me code.
This is a politician speaking without bothering to get any facts first…having this disease is a prerequisite to becoming a politician regardless of party persuasion. I haven’t read the tweet, watched the video, or read the article…so I have no firsthand knowledge but since it’s been reported in the news I can almost guarantee that it was taken out of context or had some creative editing applied to it to make him look bad. Same thing happens whenever a “reporter”…although that’s a pretty low bar these days…doesn’t believe the same thing as the politician.
That almost sounds to me like our problem these days would be the evil newsmen and not just idiot politicians. People vilify the news all the time, and there is certainly some justification, but if so many politicians weren’t corrupt lying scumbags, this wouldn’t really be an issue because facts would stand out. But when facts become plyable and significant parts of society believe they can make up their own set of suitable facts, well then damnation of the press certainly isn’t going to fix anything.
Absolutely correct…and I’m not really damning the press anymore than the politicians…and we’re way, way off topic here I think.
That said…it’s clear that we have lots of political divisions now…and both sides lie, obfuscate, and prevaricate…and the media against both sides then takes what they say out of context and massages it to meet the political leanings of that particular reporter. I think we all realize that you can tell a politician is lying because his lips are moving. What exacerbates the issue is that journalists as a class…and there are exceptions so this is just a generalization…are no longer interested in reporting the news but in making the news, being the news, and getting clicks…and that’s a bad thing. Back in the day…you would never have guess from listening to Walter Cronkite on the CBS evening news was a way out liberal and practically a socialist in his personal beliefs. He kept that to himself except for his occasional commentary and even then was extremely measured in his words and careful to not be what would be called click-bait today. And I’m not complaining about the so called mainstream media which some perceive to be biased against them…I’m talking about all of the biased/slanted/click-bait things that so called journalists do today.
The vast majority of pols…on both sides…are as you say…corrupt lying scumbags. But we do need to damn the press to get them back to being actual journalists instead of being interested in making their political opponents look bad…and there are very few journalists that are actually interested in the truth, the whole truth, and nothing but the truth these days.
I have to wonder if in this case, the governor is really as ignorant as he appears. It would be one thing if this were the first time this issue was coming up; it’s different when there’s been criticism from knowledgeable people as to why a potential prosecution is misguided. Surely, even if the governor is technically illiterate, is everyone around him just as ignorant? And are they all deaf to the criticisms?
This is, of course, a possibility, but I’m more likely to believe this is just a cynical ploy by the governor to try intimidate members of the press from publishing stories which make him look bad. Does he come off looking stupid? Sure, but that doesn’t seem to be much of a hindrance in today’s political climate.
Not all political activity is bad. Nor are all the politicians. Its not a each side are equally bad issue. None of that is present here.
What we witness is willingness of this politician to game partisan media to intimidate a journalist despite the technical advice he almost certainly was made aware of.
What it does raise is the question of the relative shallowness of the grasp most people have of technology. That’s a vulnerability which will continue to dog society as technology continues its ongoing disruption. We are primates with cellphones and technology’s evolutionary pace could outstrip our collective ability to cope.
That’s a reasonable conclusion…but I notice that this is a Republican governor…and I’m not suggesting that your word choices like “gaming” and “partisan media” and “intimidate a journalist” are intended to be deliberately inflammatory because you’re not a Republican…but they could be taken that way by some and the larger tenor of this entire thread to me seems to be more political bashing than anything else.
The governor might be stupid…and he might be gaming the partisan media and all those other things…but one can easily point out just as many instances of that on the other side of the political aisle. I won’t list them here because (a) Adam will likely edit them out, (b) they’re really not material, and (c) the fact that as I stated all politicians lie for political benefit…this is almost universally true and while it may apply to Governor Parson of MO in this case depending on political persuasion of the evaluator…it may also apply to AOC, the President, the former President, the Governor of NY and many other political officials on both sides.
I’m just saying that using those kinds of words that could easily be taken as inflammatory gets away from the actual discussion of whether viewing the source of a web page is illegal or whatever…and that one can easily point fingers at the other side of the aisle as well. I could easily point out examples on the other side where politicians deliberately try to game the media and inflame partisan media to intimidate journalists.
And just to forestall any comments that I’m being partisan here…I’m not. I’m mostly in the center politically but believe that what’s good for the goose is good for the gander as well…I’m more than happy to point out stupidity on any side…and it’s obviously not just the province of one side or the other.
Alright, I think everything that’s useful to be said on this has been, so I’m going to close the comments.
And the prosecutor has declined to press charges in the end.
Brian Krebs expands on the story with the detail that the governor’s office was in charge of security for the site in question, which had been exposing the teachers’ data for over a decade.
Join the discussion in the TidBITS Discourse forum