On Tuesday, Florida state police entered the home of Rebekah Jones with guns drawn, seizing her computer and phone, in an attempt to prove that she’d sent an unauthorized “group text” through “a Department of Health messaging system” that is “to be used for emergencies only,” according to authorities.
There are now two reasons why that’s significant. First, as we reported at the time, Jones isn’t just any former Florida Department of Health employee: she’s the whistleblower who built Florida’s once-celebrated COVID-19 tracking dashboard, then accused her bosses of ordering her to manipulate Florida’s data to justify reopening the state.
Second, it’s now come to our attention that the supposedly private messaging system that Jones might have accessed might have effectively just been an email address — an email address that the Florida Department of Health may have inadvertently published for anyone to see on the open web.
As Ars Technica reports, Redditors discovered that not only does the Florida Department of Health have a single shared username and password, but that the username and password are also freely accessible on the web. Here’s a redacted screenshot that Ars captured of just one of at least seven PDFs that contain the information, PDFs that I also easily found with a Google search. All of them are still online at the time I type these words:
But it’s not just the username and password that are listed: these pages also have the email address of the exact group Florida’s Department of Law Enforcement (FDLE) claimed was hacked: “StateESF8.Planning.” You don’t even need a username and password to send an email to an email address; anyone can do that.
In the FDLE’s affidavit — which is how it got a search warrant for Jones’ home — the department characterizes StateESF8.Planning as a “multi-user account group” and talks about how Florida uses it to “coordinate the state’s health and medical resources, capabilities, and capacities.” That all sounds very official and important:
However, the publicly available usernames, passwords, and email addresses suggest it might have just been a bog-standard mailing list with an awful lot of users, not something particularly private or secure. The email address still appears to be valid, though the Florida webmail application no longer seems to be online.
None of this necessarily means that Jones didn’t send the message (though she vehemently denies she did). An FDLE agent under oath says the “group text” was specifically sent from a Comcast ID associated with her home address, and that’s why her home was raided.
But if Jones did happen to send an email to a giant mailing list she used to be part of, one listed on the open web, would that be much of a crime? (I am not a lawyer.)
I asked the FDLE to explain how it could have been accessed illegally — if the email address might have required someone to use private credentials somehow — but it declined, citing the active investigation. A spokesperson simply stated that my suggestions were “not accurate,” and that “this was not simply an email.” The Florida Department of Health didn’t respond to a request for comment.
On Wednesday, a Republican attorney appointed by Florida governor Ron DeSantis to nominate judges resigned in protest over the raid on Jones’ house, calling it “unconscionable.”
“You don’t send 12 armed officers to raid her computer for doing that. That’s Gestapo. That’s authoritarian dictator tactics. That’s not America. It really viscerally bothered me,” he told the Sarasota Herald-Tribune.
Update, 7:00PM ET: Added info about the resignation of Ron Filipkowski.