On Tuesday, Florida state police entered the home of Rebekah Jones with guns drawn, seizing her computer and phone, in an attempt to prove that she’d sent an unauthorized “group text” via “a Department of Health messaging system” that’s “to be used for emergencies only,” according to authorities.
There are now two reasons why that’s significant. First, as we reported at the time, Jones isn’t just any former Florida Department of Health employee: she’s the whistleblower who built Florida’s once-celebrated COVID-19 monitoring dashboard, then accused her bosses of ordering her to manipulate Florida’s data to justify reopening the state.
Second, it’s now come to our attention that the supposedly private messaging system that Jones may have accessed may have effectively just been an email address — an email address that the Florida Department of Health may have inadvertently published for anyone to see on the open web.
As Ars Technica reports, Redditors found that not only does the Florida Department of Health have a single shared username and password, but that username and password is also freely accessible on the web. Here’s a redacted screenshot that Ars captured of just one of at least seven PDFs that contain the information, PDFs that I also easily found with a Google search. All of them are still online at the time I type these words:
But it’s not just the username and password that are listed: these pages also have the email address of the exact group Florida’s Department of Law Enforcement (FDLE) claimed was hacked: “StateESF8.Planning.”
In the FDLE’s affidavit — which is how it got a search warrant for Jones’ home — the department characterizes StateESF8.Planning as a “multi-user account group” and talks about how Florida uses it to “coordinate the state’s health and medical resources, capabilities, and capacities.” That all sounds very official and important:
However, the publicly accessible usernames, passwords, and email addresses suggest it may have just been a bog-standard mailing list with an awful lot of users, not something particularly private or secure. The email address still appears to be valid, though the Florida webmail application no longer seems to be online.
None of this necessarily means that Jones didn’t send the message (though she vehemently denies she did). An FDLE agent under oath says the “group text” was specifically sent from a Comcast ID associated with her home address, and that’s why her home was raided.
But if Jones did happen to send an email to a large mailing list she used to be part of, one listed on the open web, would that be much of a crime? (I’m not a lawyer.)
I asked the FDLE to explain how it could have been accessed illegally, if the email address might have required someone to use private credentials somehow, but an FDLE spokesperson declined, citing the active investigation, merely saying that my suggestions were “not accurate,” and that “this was not merely an email.” The Florida Department of Health didn’t respond to a request for comment.