The Malaysian Government is considering making the MySejahtera app mandatory at premises nationwide for contact tracing, in order to curb the spread of the Covid-19 virus. The move, however, has raised privacy concerns.
Data security experts have raised concerns about the government’s proposal to make the MySejahtera app compulsory in tracing people’s movements.
Fong Choong Fook, an IT specialist involved in testing app security for major local banks and e-commerce brands, asked whether the government had done extensive testing on the app’s security.
“What has the government done in terms of protecting our personal information? So far, the PDPA that we have doesn’t govern the government itself,” he told FMT News, referring to the Personal Data Protection Act (PDPA) 2010.
So the government may not be accountable for any data leak due to negligence. “We can’t do anything against the government, that’s the limitation of the PDPA.”
Meanwhile, a privacy lawyer, Foong Cheng Leong, said the government should ensure that the data collected would only be used for contact tracing and related purposes.
He also wanted a timeline to be set for the data collected to be destroyed.
Foong called for accountability if there was misuse of the data by anyone, including civil servants.
He also raised the issue of the app’s accessibility as not everyone had a smartphone that could have the MySejahtera app installed.
The MySejahtera system was developed through a strategic cooperation between the National Security Council (NSC), the Ministry of Health (MOH), the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), the Malaysian Communications and Multimedia Commission (MCMC) and the Ministry of Science, Technology and Innovation (MOSTI). The MySejahtera app itself was created by KPISoft Sdn Bhd, said to be a company founded by Malaysians with its Asia HQ in Singapore.
MySejahtera requires various personal details from users who download the app, such as their contact number, email address, full name, identity card (IC), age, gender, ethnicity, and home address. The mobile app also requires permissions to access the smartphone camera, photos/media/files, contacts and location, to pair with Bluetooth devices, to control the flashlight, to have full network access and to prevent the device from sleeping, among others.
However, MySejahtera does not record people’s temperatures upon checking in at a particular location.
According to the Government, providing false information in the MySejahtera app is an offence under Section 22 of the Prevention and Control of Infectious Diseases Act 1988 [Act 342] and Section 233 of the Communications and Multimedia Act 1998 [Act 588].
Personal data stored in the government’s MySejahtera system are supposedly treated as confidential patient information under the Medical Act 1971 and the Prevention and Control of Infectious Diseases Act 1988. The system also follows the provisions of the Personal Data Protection Act (PDPA) 2010, although the legislation does not apply to the Government.
It was revealed that some 15.1 million users had registered for the MySejahtera app as of 16 August 2020.
In 2017, Lowyat.net reported that the personal data of “millions” of Malaysian citizens had been listed for sale online in what could potentially be the biggest information leak in the country’s history. The breach led back to MCMC’s Public Cellular Blocking Service. In 2018, MCMC terminated the appointment of Nuemera (M) Sdn Bhd following investigations, which found it had breached basic provisions of the contract agreement. MCMC also said that it had submitted “investigation papers” to the Attorney General’s Chambers (AGC) for further action. However, it is unknown whether any action has been taken since 2018.