Missouri Likely to Prosecute Reporter for Viewing Web Page Source

Originally published at: Missouri Likely to Prosecute Reporter for Viewing Web Page Source - TidBITS

The State of Missouri may pursue criminal charges against a reporter for discovering (and ethically reporting) Social Security numbers in the HTML source code of a state website. The mind boggles.

1 Like

Wow. Just wow.

How can looking at the stuff the web server actively sends you be in any way considered tampering?

Madness.

4 Likes

Missouri is not going to pursue anything based on the info from the article. The reporter and newspaper did everything right and greatly helped with the problem. Something is nuts so it could even be the article.

LOL! :thinking:

1 Like

According to the article:

The problem is that this is not picking any lock. This is viewing content that a legitimate request sent to you.

This is more like you sent a letter to someone asking for one piece of information and they mailed back a thousand pages of classified material along with what you asked for. The law doesn’t say you aren’t allowed to read what they sent you.

If the prosecutor can’t tell the difference, then the prosecutor doesn’t know what’s going on and needs to be replaced with someone who does.

2 Likes

It’s precedent setting.
They will find a way not to prosecute but leave the door open to be able to prosecute those who do violate for nefarious reasons.

The headline should read Missouri Governor is a Dick

This isn’t lock picking. This is someone ringing your doorbell, and telling you you left your keys in the lock.

7 Likes

Maybe a dumb question: Isn’t it possible to configure highly sensitive web pages to disable, or password-protect the ability to “view source”?
Not to mention, another dumb question(?): why in the heck would private data, not specifically displayed on a web page, be embedded in the source code?
:open_mouth:

If you disable view source, how does the client browser know what to display? There is nothing magical about view source. It merely shows the user what the browser was sent to render that page.

1 Like

Web browsers may make it possible (via some scripting) to disable context menus for a page and maybe also commands like view-source, but it’s ultimately doomed to failure.

As @Simon wrote, when you do a “view source”, you are viewing the raw HTML content that your web browser downloaded in order to generate the page. Ultimately, there is no possible way to completely block viewing it. In the worst case, you could run a command-line tool (like wget) to just download the page, which you could then load into a text editor.

Why would the page contain private data? Unless one of the web developers decides to tell us, we’ll never know. It could be a bug. It could be the result of some debug/test code that they forgot to delete before the site/script went live. It could also just be sloppy programming by a developer who didn’t know how (or was too lazy) to design the page properly.

If you are looking for a conspiracy theory, maybe someone was trying to exfiltrate data for a nefarious purpose and this journalist stumbled on to it. (Sounds like a movie trope that’s been massively overused.) I’m sure you can think of a dozen other possibilities.

You are right, however, that there is no good reason to embed private data like social security numbers into a page’s source. If the page needs to display data like this, it should use a script to make a (secure) request to a server, retrieve only the specific data required, and free it as soon as it is no longer needed. Someone debugging the web page or viewing the source (which usually includes insertions/changes made by scripts) might see the data while it is being used, but he would only be able to see his own data, not everybody else’s.

1 Like
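An added example, not part of the original thread and not the state site's code: a page that serializes whole records into its source beside one that sends only the fields it displays, plus the per-user lookup and a pre-release scan of the served HTML. How the real site embedded the data is not stated in the thread; the record layout, field names and function names here are assumptions, and the sample values are constructed.

```javascript
// Constructed sample records; names and numbers are made up for the example.
const RECORDS = [
  { id: 1, name: "A. Teacher", school: "North HS", ssn: "000-12-3456" },
  { id: 2, name: "B. Teacher", school: "South HS", ssn: "000-65-4321" },
];

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Anti-pattern: the whole record set is serialized into the page "for the
// script to use", although only name and school are ever rendered.
function renderLeaky(records) {
  const rows = records.map(
    (r) => `<li>${escapeHtml(r.name)}, ${escapeHtml(r.school)}</li>`
  );
  return `<ul>${rows.join("")}</ul>\n` +
    `<script>var data = ${JSON.stringify(records)};</script>`;
}

// Data minimization: copy only allow-listed display fields before rendering,
// so fields added to the record later cannot reach the client by accident.
const PUBLIC_FIELDS = ["name", "school"];
function renderMinimal(records) {
  const rows = records.map((r) =>
    PUBLIC_FIELDS.map((f) => escapeHtml(r[f])).join(", ")
  );
  return `<ul>${rows.map((t) => `<li>${t}</li>`).join("")}</ul>`;
}

// Per-user lookup: the server returns a sensitive field only for the
// record that belongs to the authenticated session, never for others.
function getOwnRecord(session, records) {
  const rec = records.find((r) => r.id === session.userId);
  return rec ? { name: rec.name, ssn: rec.ssn } : null;
}

// Pre-release check: flag SSN-shaped strings anywhere in the served bytes,
// including script blocks and attributes that never appear on screen.
function findSsnLike(html) {
  return html.match(/\b\d{3}-\d{2}-\d{4}\b/g) || [];
}
```

Both pages render identically in the browser; only the scan of the raw response tells them apart, which is why the check belongs in the release pipeline rather than in a visual review.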

Typical response from a politician these days - lash out at someone who finds something embarrassing about you. Never admit a blunder!
My ancient webpage (HTML) editing app, Komposer, allows me to easily view a web page in source HTML. As indicated above, it is how web browsers receive the data for displaying the page as intended.

PHP or other server-based creation of the html code allows including private information in the server-based source code that is not sent to the browser as part of the web page. That’s only crude security, though, just a start.

To keep the discussion focused on the technical (View Source as a security vulnerability?) and security policy aspects (kneejerk reactions to ethical disclosure of vulnerabilities) of this situation, instead of broader political themes that may be unrelated, I’m trimming the last few posts and will delete future ones that stray off those topics.

2 Likes

I run a group which discusses difficult issues - we keep names (people, political parties, etc) out of it and refer only to the policy itself - and our thoughts on that policy - then respect the right to have differing opinions about a policy. Our members can determine whether they agree or not - but not at the expense of the person putting forward their opinion.

Politicians and parties don’t need to be part of a technical discussion - just what you think the policy should be and why.

It is possible to do that - and it allows people to maintain friendships when you only work to move the ball to a greater understanding of the issue.

David

3 Likes

I’m not trying to be the topic police here…but can we forego the political comments here? There’s enough of that going on on too many forums and lists and while discussing whether or not viewing the page source of a web page is illegal or should be prosecuted certainly has merit…without doing a lot of google research to see exactly who said what and to whom and what the total context of it was it’s not clear that the state is or is not interested in prosecuting or what the governor or DA or whoever actually did or did not say when the entire statement is taken in the context of the actual conversation.

Blaming the right as some posts are is just as distasteful as blaming the left as others do…and we should try to be better than that here. We already know that the left doesn’t like what the right says/does/wants…and we likewise know that the right doesn’t like what the left says/does/wants. I’m surprised that ACE hasn’t weighed in on it already.

Just sayin’.

2 Likes

IANAL, but I’d expect the defendants -if this actually goes to trial- to file an immediate motion-to-dismiss-with-prejudice on the grounds that no crime was committed.

Nah, he is just another “Missouri Puke”. :wink:

But seriously, I can’t see where he has a case, and his staff should tell him so. If they don’t then the Missouri Attorney General should say the state will not support the governor.

Note that the AG isn’t involved. It’s the State Highway Patrol and the county prosecutor. The State Highway Patrol in Missouri can investigate state crimes like rape, robbery, and financial and drug crimes. These are then handed off to the AG or the county prosecutors.

Although the AG could investigate this case and prosecute it, the AG is out of the loop.

The State Highway Patrol is under the Department of Public Safety whose head is appointed by the governor. The AG is elected separately.

So the top legal authority isn’t the Attorney General?

It appears there are multiple agencies that can investigate crime in the state. In most states, it’s not unusual for a local DA in the capital city to investigate government corruption. After all, the capital is in their jurisdiction.

The Highway Patrol (known as the State Police in other states) is a police force with detectives, labs, etc., so it’s not unusual they do investigations into murder, robberies, and other crime that’s not all that local or where the local police force might not have the expertise.

Usually paperwork crimes are handled by the AG in most states. The AG doesn’t have a police force, but has legal experts who know how to comb through books and how the law is applied. And usually, the AG can nose into investigations run by a local DA or the state police. In theory, the AG’s office is the one to press charges.

However, by using the State Highway Patrol, the governor is using an organization under his direct control. He can ensure that this incident is investigated fairly and justly until he gets the results he wants.

I assume that Highway Patrol investigations are handed over to the AG for prosecution. However, they’re handing it over to a county prosecutor and cutting the AG out of this completely.

They’re all on the same side. I take it that there’s some sort of agreement to leave the AG’s office out of it. As far as I can tell, the AG has said nothing. The AG might not want to go against the governor on this, but doesn’t want the stench of this case wafting over him.