The Malaysian Bar refers to the recent Auditor General’s Report pertaining to records stored in the MySejahtera app, which reveals a troubling state of affairs regarding leakage and possible misuse of data.
Among these causes for concern is a “super admin” account that has downloaded three million information sets through various IP addresses. Another disturbing fact is that the app has sustained 1.12 million attacks on it.
Apprehension regarding data security goes back to more than a year ago when the Malaysian cabinet made the decision to appoint a corporate body to take over the management and maintenance of the app through appointment, as opposed to the usual open tender. This decision was made by the cabinet during a meeting in November 2021. Questions with regard to the decision were raised in a hearing on 24 March 2022 by Parliament’s Public Accounts Committee.
The Malaysian Bar notes that our previous health minister, Khairy Jamaluddin, regularly stressed that the government owns all personal data collected through the use of the app. He also constantly emphasised that data collected from all 38 million registered users was protected by the Malaysian government.
However, despite such assurances, there have been multiple reports that raise more questions. These include the appointment of a corporate body to purchase the app as opposed to conducting an open tender, the true ownership of the app, the protection of privacy of app users, the level of privacy accorded to all data collected, the exposure of personal data to a foreign company, and the accountability of the corporate body appointed to purchase or license the app.
Searches at the Companies Commission of Malaysia led to the finding that a Singaporean company, Entomo Pte Ltd, is the sole shareholder of Entomo Malaysia Sdn Bhd (previously known as KPISoft Malaysia Sdn Bhd). The company claims to legally own the software used to develop the app.
Not only is it of grave concern that the appointment of Entomo Malaysia was not conducted through open tender, but no agreement was entered into between the Malaysian government and KPISoft Malaysia, aside from a non-disclosure agreement. The fact that a foreign company is the sole shareholder of Entomo Malaysia and owns the software for the app is also deeply perturbing.
It has also been discovered that the Malaysian government has no apparent control over a licensing deal between Entomo Malaysia and MySejahtera Sdn Bhd, giving the latter a perpetual licence to develop and support the app until 2025.
The Malaysian Bar further notes that Communications and Digital Minister Fahmi Fadzil has instructed Cyber Security Malaysia to carry out investigations into the audit findings.
On this note, we urge the government to release the details of the non-disclosure agreement, the events that led to confusion of ownership, and the true names of all service providers. These disclosures should be made in the current Parliament sitting so that all issues can be debated to assure the public that national security and the privacy of app users are protected.
The issue of ownership between the Malaysian government and MySejahtera Sdn Bhd is indeed disturbing. The ownership of the app, all source codes, the relevant user interface and all personal data collected through the app should have been fully owned by the government, and this should have been established from the outset.
Ownership and control of all personal data collected through the app is of utmost priority, as any entity or person armed with such massive data and the right technological tools will be able to map out demographics, social behaviours and social norms with a greater degree of accuracy as compared to any other mobile app in Malaysia. If not governed, this may lead to unregulated management and abuse of personal data collected, and at worst, possible breaches of privacy, social engineering and data abuses affecting national security.
Liabilities and responsibilities of any corporate body having anything to do with the app should not just be governed by a contract between a corporate body and the government; it should also be governed by a privacy regime in Malaysia to protect all personal data collected by the Malaysian government or any entity collecting personal data on its behalf. Currently, Malaysia does not have such a privacy regime.
Personal data in Malaysia is governed by the Personal Data Protection Act 2010, from which the Malaysian government and state governments are excluded. This act is only applicable where personal data is collected in respect of commercial transactions, and is not applicable to personal data collected through the use of the app, as in this context, data is being collected and used for the purpose of public health.
With that in mind, the Malaysian Bar urges the government to establish and enact a privacy act to protect the privacy of data collected by the Malaysian government and/or state governments or any corporation under the aegis of one or the other.
We also implore the government to provide a federal legislative framework on freedom of information laws to ensure transparency and accountability relating to federal government and state government contracts, and provision of information.
With Malaysia entering into the age of the Industrial Revolution 4.0, the protection of its citizens’ personal data is no longer a fringe benefit, but an absolute necessity. With more users moving into the metaverse, the privacy and security of users are increasingly threatened, unless the problems in relation to security and privacy are nipped in the bud right now.
It is about time Malaysians are given the requisite protection from any possible manipulation by usage of the app.
Karen Cheah Yee Lynn is president of the Malaysian Bar
This piece is reproduced from here and has been edited for style only.