CAPE GIRARDEAU, Missouri. (OIC) On April 26th, 2023 at 4:49 PM CDT, FM Monica Hanson received an email from Chris Martin on behalf of Southeast Missouri State University (SEMO) closing a Sunshine Request investigating the data collected on SEMO’s networks after granting an excessive amount of time to investigate the request.
After reviewing your request against applicable statutory and legal authorities, it has been determined that any documents that may be responsive to your request would be closed pursuant to Chapter 610 of the Revised Statutes of Missouri. As such, there are no documents to provide. Specifically, RSMo 610.021(21), which protects records that identify the configuration of components or the operation of a computer, computer system, computer network or telecommunications network; and RSMo 610.021(22) that pertains to digital certificates, physical and virtual keys, access codes or authorization codes that are used to protect the security of electronic transactions. As stated in previous responses provided to you on other but similar topics, disclosure of the type of information that you request would impair the University’s ability to protect the security and safety of its systems and networks and it could expose the University’s internal procedures and security controls, all of which are the very things the law protects.
Chris Martin on behalf of Southeast Missouri State University, 4/26/2023
The scope of the request has no pertinence to how computers and networks are configured as well as sensitive authentication mechanisms such as certificates, keys, or codes for the network. Additionally, the scope of the request only pertained to data specific to FM Monica Hanson. The only way for this information to be relevant would be if passwords were stored in plain text when logging in or for data to be mishandled. Should passwords be stored in plain text, a potential threat actor to SEMO’s network would ultimately result in easy access to user’s accounts.
In the response email, we also see that he specifically omits a part of the Revised Statues of Missouri 510.021(21) regarding unauthorized access. The full text for that section reads:
Records that identify the configuration of components or the operation of a computer, computer system, computer network, or telecommunications network, and would allow unauthorized access to or unlawful disruption of a computer, computer system, computer network, or telecommunications network of a public governmental body. This exception shall not be used to limit or deny access to otherwise public records in a file, document, data file or database containing public records. Records related to the procurement of or expenditures relating to such computer, computer system, computer network, or telecommunications network, including the amount of moneys paid by, or on behalf of, a public governmental body for such computer, computer system, computer network, or telecommunications network shall be open;
Revised Statutes of Missouri 510.021(21), italicized parts to show omissions, bolded parts to show relevant details.
The important operative word in this context is “and”, necessitating a requirement of the configuration of computers or networks to be true in addition to unauthorized access for a Sunshine request to not be fulfilled for this reason. Along the same line, in prior Sunshine requests he cites court case Jones v. Jackson County Circuit Court from 2005 about not being able to create documents for the sole purpose of a Sunshine request. However, he omits this statement, suggesting that the data does in fact exist.
As per usual, all data obtained from this request will be provided on SEMO’s public records page.