Blame And Shame

That's not how web pages work, Governor.

2021-10-14 Previous Home Next

Missouri Governor Mike Parson today said that a newspaper reporter was a "hacker" and had stolen personal information about citizens. He vowed to prosecute.

"This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians," he said.

pointing html

What was the problem?

A St. Louis Post-Dispatch reporter earlier this week discovered that the education department's web site, where the public could look up credential information about teachers, contained the Social Security Number (SSN) in the returned information about the teacher.

Anyone could have gained access to all the teachers' SSNs, which are "personally identifiable data" that could be used to impersonate them for financial harm.

The newspaper notified the department, which took down the web site and started investigating.

Getting defensive

But! The next day, the Missouri education department wrote a press release which said:

Through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators.

This description is dishonest.

The claim that the "hacker took the records of at least three educators" is simply a misrepresentation of someone visiting a public web page with their browser.

And the phrase "decoded the HTML source code" makes it sound like the sensitive information was encrypted or somehow protected and the hacker did something special to view it. This is not the case.

How web pages work

When you visit a web page, your browser downloads it to your computer or phone.

The web page contains two kinds of information:

The browser displays the content by following the instructions in the code.

The code itself, and any content that is not displayed, are downloaded but normally not shown to you. But all of this can still be viewed easily. Browsers typically have functions like "view source" to do so.

Who is responsible?

The press release went on to explain:

It is important to note that these records were only accessible on an individual basis, and there was no option to decode SSNs for all educators in the system all at once. The state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident.

Uh, no. This information, including SSNs of all the teachers, was freely available on a public web site, and the department of education is responsible for that web site.

As soon as you publish a web page, all its information becomes available to the whole world. No one needs an "option to decode SSNs." Anyone can download all the teachers' information and extract the SSNs with minimal effort. No hacking is necessary whatsoever.

Just because the "state is unaware" does not mean there has been no misuse of this information.

This press release, and the governor's disgraceful press conference, are both a transparent attempt to deflect blame toward technology or some malicious actors.

The blame lies squarely with the government entity that had access to the teachers' sensitive personal information and made it all public.