On Tuesday, Florida state police entered the home of Rebekah Jones with guns drawn, seizing her computer and phone, in an attempt to prove that she’d sent an unauthorized “group text” through “a Department of Health messaging system” that is “to be used for emergencies only,” according to authorities.
There are now two reasons why that’s significant. First, as we reported at the time, Jones isn’t just any former Florida Department of Health employee: she’s the whistleblower who built Florida’s once-celebrated COVID-19 tracking dashboard, then accused her bosses of ordering her to manipulate Florida’s data to justify reopening the state.
Second, it’s now come to our attention that the supposedly private messaging system that Jones might have accessed might have effectively just been an email address — an email address that the Florida Department of Health may have inadvertently published for anyone to see on the open web.
As Ars Technica reports, Redditors discovered that not only does the Florida Department of Health have a single shared username and password, but that username and password is also freely accessible on the web. Here’s a redacted screenshot that Ars captured of just one of at least seven PDFs that contain the information, PDFs that I also easily found with a Google search. All of them are still online at the time I type these words:
But it’s not just the username and password that are listed: these pages also have the email address of the exact group Florida’s Department of Law Enforcement (FDLE) claimed was hacked: “StateESF8.Planning.”
In the FDLE’s affidavit — which is how it got a search warrant for Jones’ home — the department characterizes StateESF8.Planning as a “multi-user account group” and talks about how Florida uses it to “coordinate the state’s health and medical resources, capabilities, and capacities.” That all sounds very official and important:
However, the publicly available usernames, passwords, and email addresses suggest it might have just been a bog-standard mailing list with an awful lot of users, not something particularly private or secure. The email address still appears to be valid, though the Florida webmail application no longer seems to be online.
None of this necessarily means that Jones didn’t send the message (though she vehemently denies she did). An FDLE agent under oath says the “group text” was specifically sent from a Comcast ID associated with her home address, and that’s why her home was raided.
But if Jones did happen to send an email to a giant mailing list she used to be part of, one listed on the open web, would that be much of a crime? (I am not a lawyer.)
I asked the FDLE to explain how it could have been accessed illegally, if the email address might have required someone to use private credentials somehow, but an FDLE spokesperson declined, citing the active investigation, simply saying that my suggestions were “not accurate,” and that “this was not simply an email.” The Florida Department of Health didn’t respond to a request for comment.