Alberta MLA Thomas Dang has published a document entitled “HOW I DID IT“, which details his hacking of Alberta’s COVID Vaccination Record website using Jason Kenney’s personal information.
The hack in question occurred in September 2021, at which time Dang successfully managed to bypass whatever security measures were in place for the website and access the private medical information of Albertans.
Dang subsequently alleges that he reported his actions to NDP caucus staff, who alerted others in the government of his actions. It is unclear if ex-Premier Rachel Notley was aware and signed off on the hack before it occurred.
Dang later offered to leave the Alberta NDP (becoming an independent), but so far refuses to resign his seat following an RCMP raid on his residence.
Dang has not been criminally charged and remains under active forensic investigation.
Hacking a government website and accessing private medical information are serious crimes in Canada and Alberta, and usually carry lengthy prison sentences.
As Dang writes, “I am currently under RCMP investigation for conducting this test. I am cooperating fully and have offered ongoing assistance should the RCMP ask for it. While I have not been arrested or charged with a crime as of the publishing of this paper, it is possible the RCMP may still proceed with criminal charges. However, I remain hopeful that the public interest will be fully considered in this process and that charges will not be laid.”
In his whitepaper, Dang details his motivation for hacking a government website and writes the following:
“When the COVID Vaccination Record website was first released to the public, numerous concerns about the security of the PDF document were reported. The document appeared editable by the average computer user and easy to alter and falsify. While this appeared to compromise the integrity of the record itself, it was not until I was contacted by a member of the public—who reached out to me as a Member of the Legislative Assembly owing to my information security background—with a concern related to the security of the website that I began to investigate these concerns. Specifically, the website appeared to lack security features that would prevent a malicious attacker from scraping the website for the personal health information of Albertans.”
“As an MLA, I believed I had an obligation to verify if such a negligent vulnerability could exist.”
Dang did not ask for permission from the government to conduct a monitored ethical hack to reveal and subsequently address any weak points on the website.
Moreover, when Dang was verifying whether he did successfully hack into the website, it is questionable as to why he chose to hack the private medical information of a political opponent, in this case Premier Jason Kenney’s.
According to Dang, “Basically, to reasonably continue the testing I needed to do two things: narrow the scope —or reduce the set of possible inputs—and limit the possibility that I would gain access to the private health information of a private citizen. The Premier had publicly disclosed both his birthday and date of vaccination on social media, which made that information available for two inputs in a modified script. Using publicly available information about the Premier also had the added benefit of providing the Government of Alberta information that would be easily verifiable.”
Dang continues, saying that he succeeded in finding a PHN record of someone who received a vaccination in the same month as Kenney, with the same birthday. However, this person was not Jason Kenney. Instead, it was a private citizen.
Once Dang realized this, he says that he “immediately exited the website and did not save any information.”
One journalist noted while grilling Dang during a press conference, “On the question of ethics, too, you used Jason Kenney’s details. Why not use your own boss? Why not use Rachel Notley? Her birthday’s out there publicly. Why use the Premier? I mean, it’s the same data that’s out there and, again, that’s down to that question of identity and hacking.”
Moreover, as another journalist points out, why does Dang write that he took steps to “minimize harm”?
“That tells me you knew when you were doing this that you were causing harm,” the journalist says.
The Counter Signal has reached out to MLA Dang for comment and will update this story if we receive a response.
