On October 14, 2021, the St. Louis Post-Dispatch reported that the “Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state’s Department of Elementary and Secondary Education.” If unfamiliar, a Social Security number is a nine-digit number, ordinarily formatted as ###-##-####, assigned to individuals in the United States, considered sensitive, personally identifiable information. “Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.” A professor at the University of Missouri-St. Louis verified the security flaw.
The journalist has since been characterized by the state as a “hacker,” with the state’s governor threatening legal action. Not everyone agrees, with a member of the governor’s own party responding, “It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking.”
The department’s website remains “down for maintenance.”
- (3 points.) In no more than three sentences, argue, in technical terms, why viewing the source code of a web page should not, in fact, be considered hacking.
- (3 points.) In no more than three sentences, hypothesize in technical terms how teachers’ Social Security numbers (SSNs) could have been in pages’ HTML but not be visible to visitors (unless they viewed the pages’ source).
Per the St. Louis Post-Dispatch’s report, “The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” which is an example of responsible disclosure.
- (2 points.) Suppose that the newspaper had instead published its report right away, without notifying Department of Elementary and Secondary Education (DESE) first. In no more than three sentences, in what sense might that have been irresponsible?
- (2 points.) Suppose that the newspaper had waited even longer to publish its report, to give DESE even more time. In no more than three sentences, in what sense might that have been irresponsible?