Missouri Supreme Court officials have acknowledged the issue after being alerted by the Post-Dispatch, and they fixed one vulnerability on Casenet. But thousands more documents with sensitive information remain online because they are considered open records. Those documents were filed by one state agency over several years, but it's unclear if other records may also expose private information.
The discovery comes at a challenging time for the court, as it prepares to broaden electronic access to documents this summer. It is the culmination of a yearslong effort requiring officials to balance access and transparency against the need to protect personal information.
"We in the judiciary take security of our systems very seriously, continuously take action to improve their security, and very much appreciate you sharing your concerns," Beth Riggert, a spokeswoman for the state Supreme Court, wrote in a statement.
The Post-Dispatch discovered two different situations in which private information was exposed, after a reader learned his Social Security number was publicly visible on Casenet and alerted the newspaper.
The Post-Dispatch reported the vulnerabilities to state, Supreme Court and local court officials, as well as to a state agency that had filed thousands of unredacted documents in prior years. The newspaper delayed publishing this story for three weeks to give officials time to address the issues.
Broken code and open records
For decades, the Casenet website has been a point of pride for the state's judicial branch.
The Missouri Legislature mandated the creation of a "statewide court automation system" in 1994. Court leaders eventually launched and expanded Casenet, along with systems for case management, electronic filing and more.
Today, the public can use the website for free to search nearly 26 million records from local and state courts across Missouri. Users can review basic case information, such as docket entries, charges and judgments. The website's "track this case" feature lets people get email or text updates about cases, and it allows defendants to plead guilty and pay fines electronically.
The Office of the State Courts Administrator, which reports to the Supreme Court, runs Casenet.
The first vulnerability discovered by the Post-Dispatch allowed any user to view all sorts of court documents — from amended criminal complaints to divorces to probation revocations — by changing the web address, or "URL."
The documents had elevated security levels, which should have restricted access to lawyers, judges or court employees with proper credentials, or to members of the public using special terminals at a courthouse. But the Post-Dispatch learned it was possible to see sensitive documents, which contained Social Security numbers, birth dates, names of minors and other personal information, from any computer and without being signed in.
"We have taken steps to correct the immediate issue and are considering additional modifications to address other possible issues related to URL manipulation," Riggert wrote in response to questions from the Post-Dispatch.
The newspaper verified that the issue was resolved.
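As an added illustration (not the court's code and not from the Post-Dispatch's reporting), the sketch below shows the kind of server-side check that makes changing a URL harmless: the document's stored security level is compared with the requester's session and network origin on every fetch. The two levels, role names, document ids and terminal network are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions for illustration: two security levels, a role set and a courthouse
# terminal network (documentation range); none are taken from the real system.
REMOTE_OPEN, ELEVATED = 1, 2
CREDENTIALED_ROLES = {"lawyer", "judge", "court_employee"}
TERMINAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample records: document id -> stored security level.
DOC_LEVELS = {"doc-1001": REMOTE_OPEN, "doc-1002": ELEVATED}

@dataclass(frozen=True)
class Request:
    doc_id: str            # taken from the URL, so controlled by the client
    client_ip: str         # taken from the connection, not from a header
    role: Optional[str]    # from the server-side session; None if not signed in

denied_log = []            # denied requests, kept for later review

def clearance(req: Request) -> int:
    """Highest level this requester may read, from server-side facts only."""
    if req.role in CREDENTIALED_ROLES:
        return ELEVATED
    if ipaddress.ip_address(req.client_ip) in TERMINAL_NET:
        return ELEVATED
    return REMOTE_OPEN

def serve_document(req: Request):
    """Return (status, body); the check runs on every fetch, whatever URL led here."""
    level = DOC_LEVELS.get(req.doc_id)
    if level is None:
        return 404, None
    if level > clearance(req):
        denied_log.append((req.client_ip, req.doc_id))
        return 404, None   # same reply as a missing document: no existence hint
    return 200, f"<contents of {req.doc_id}>"
```

Because the decision depends only on the stored level and the session, knowing or guessing a document's address grants nothing, and the denial log gives administrators a record of requests for restricted documents.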
The second issue involved a specific type of civil judgment document that is typically considered an open record and that the court makes available for remote access on Casenet to users who are not logged in. The Post-Dispatch found that neither the state agency that filed the documents nor local courts had redacted Social Security numbers from the documents.
The Post-Dispatch is not naming the state agency or describing the records in detail because they remain publicly available on the website. On Wednesday, a spokesperson for the state department that oversees the agency said it was "actively researching documents" from the relevant years and will work "to protect sensitive data."
Casenet lists thousands of such cases filed by the state agency in the St. Louis city and Kansas City circuit courts alone during a four-year period. The Post-Dispatch reviewed a small sample of the cases and found that at least half included hyperlinks to documents listing Social Security numbers.
The Supreme Court's statement to the Post-Dispatch noted that this type of judgment, as well as other kinds of civil judgments, were open records and had been accessible remotely to the public for more than a decade. It also said that agencies that file court records are responsible for redacting sensitive information.
"Court personnel are not required to expunge or redact personal information, including Social Security numbers, contained in documents filed with the court," Riggert wrote in the court's statement.
The responsibility to redact personal information as required by law, court rule or court order "rests solely with party filing the document," Riggert wrote, noting the court had made this expectation clear by revising its operating rules.
Representatives of circuit courts in St. Louis city, St. Louis County and Kansas City told the Post-Dispatch they would work with the Supreme Court and the Office of the State Courts Administrator to address the exposures.
"We are committed to educating all filers about the importance of securing confidential information, while balancing the public's right to access open court records," said Joel Currier, spokesman for the St. Louis Circuit Court.
'This could be a problem'
Several years ago, the state sent a letter to David Journey telling him that he owed the state money on a benefits claim.
"I made a mistake on a claim," Journey said. "An honest mistake."
Journey, 64, said the matter was resolved years ago, which court records confirmed.
Journey became concerned after receiving letters from the Social Security Administration warning that scammers were targeting retirees after the agency approved a cost-of-living adjustment last year. Journey learned about Casenet, and he decided to run a search. That's when he found his old case, and he clicked a link labeled "Judgment."
"It turned up a PDF that had my full Social Security number on it for everyone to see," Journey said.
"Normally I'm not a big 'fraidy cat," he added, "but I was thinking this could be a problem."
After spending hours on the phone speaking to people in St. Louis city government and at the circuit court who wouldn't or couldn't help, Journey's fear turned to anger.
Everything changed when he called the help desk at the Office of the State Courts Administrator, which runs Casenet. Journey spoke with a representative and his old case was removed from the website.
"I told her if I was there, I'd give her a hug and a kiss," Journey said.
Catherine Zacharias, legal counsel for the Office of the State Courts Administrator, told the Post-Dispatch that its help desk cannot change a local court's records. The desk typically refers callers to the local court, she said, and changing the security level of a record may require a judge's order.
"If a member of the public wishes to raise the security on a previous judgment, they may petition the court to do that," said John O'Sullivan, spokesman for the St. Louis County circuit court.
'We can always do better'
Early on, the court relied on cookie-cutter, vendor-supplied software to power some of its systems. But Casenet was developed in-house, tailored to Missouri's specific needs, and over time the court has expanded that approach, developing more of its systems itself.
"Most other state court systems, if they could start from scratch, would do a statewide system like Missouri" rather than a patchwork of local systems, said Judge Gary Lynch, who chaired the Missouri Court Automation Committee before retiring in 2022.
The computerization efforts have yielded acclaim and awards. But the systems aren't perfect, and they're never really finished, Lynch said. The courts have to adjust when state and federal laws change, or when they get feedback that something isn't working.
"One of our guiding processes is continuous improvement," Lynch said. "What we have may be good, but we can always do better."
Today, Casenet can alert you when new documents have been filed in a case, but the public can't view most of those documents at home. That will change soon.
Now, only lawyers, judges and court employees can obtain Casenet accounts with special privileges for viewing open, but more sensitive, court records. Everyone else must visit a courthouse and use a special computer terminal.
Forcing the public to view documents at the courthouse long served as a second layer of privacy protection. So most documents, whether redacted or not, were in "practical obscurity," Judge Jeffrey Bates of the Missouri Court of Appeals said in a recent webinar about the coming expansion of access to court records.
And if someone does look at them, "there is very little likelihood that any confidential information contained therein could cause any harm to anyone," Bates said.
The expansion is set to phase in gradually beginning July 1, after years of work by the Missouri Court Automation Committee. This summer, anyone will be able to get an account and access open court documents using Casenet from their home computers or cellphones.
It's a win for the public and advocates of transparency. But expanding access to records also means a heightened danger of private data being exposed, Bates said in the webinar.
The Supreme Court addressed this concern in part by deciding that expanded remote access would only be allowed for documents filed after July 1, under new and stricter redaction rules, Riggert said in her statement to the Post-Dispatch. People who want to see documents in older cases would still have to trek to a courthouse.
The court also has partnered with the Missouri Bar on a campaign to educate lawyers and other filers about the upcoming changes, reemphasizing the requirement to redact private information and explaining how to do so.
"The challenge of balancing access to public information with the protection of personal information — while ensuring the overall security and reliability of our underlying case management system and preventing any adverse impact on court systems or operations — is inherently complicated," Riggert said in her statement.
Threading those needles won't be easy. But Terry Lawson, an attorney at Legal Services of Eastern Missouri, welcomes the expanded remote access.
"Knowledge is good and the courts should do their business in public," Lawson said.
The move will level the playing field for poor and unrepresented defendants who couldn't access court records or couldn't afford to pay lawyers, he added.
But the data exposures found by the Post-Dispatch highlight the potential pitfalls of expanded access in the future.
"I'm disappointed that it was that easy to find documents that should have been elevated in security or hidden," Lawson said. "But I'm not surprised that the database of all filings hasn't been locked down as tightly as we would hope."
© 2023 the St. Louis Post-Dispatch. Distributed by Tribune Content Agency, LLC.