The Malaysian Bar refers to the recent Auditor-General’s Report pertaining to records stored in the MySejahtera application (“App”), which reveals a troubling state about leakage and possible misuse of data. Among these causes for concern is a “super admin” account that has downloaded three million information sets through various IP (Internet Protocol) addresses. Another disturbing fact is that the App has sustained 1.12 million attacks on it.1
Apprehension regarding data security goes back to more than a year ago when the Malaysian Cabinet made the decision to appoint a corporate body to take over the management and maintenance of the App through appointment, as opposed to the usual open tender. This decision was made by the Cabinet during a meeting in November 2021.2 Questions with regard to the decision were raised in a hearing on 24 March 2022 by the Parliament’s Public Accounts Commission.3
The Malaysian Bar notes that our previous Health Minister, Khairy Jamaluddin, regularly stressed that the Government owns all personal data collected through the use of the App. He also constantly emphasised that data collected from all 38 million registered users are protected by the Malaysian Government.4
However, despite such assurances, there have been multiple reports that raise more questions. These include the appointment of a corporate body to purchase the App as opposed to conducting an open tender,5 true ownership of the App, protection of privacy of App users, level of privacy accorded to all data collected, exposure of personal data to a foreign company, and the accountability of the corporate body appointed to purchase or license the App.
Searches at the Companies Commission of Malaysia led to the finding that a Singaporean company, Entomo Pte Ltd, is the sole shareholder of Entomo Malaysia Sdn Bhd (previously known as KPISoft Malaysia Sdn Bhd). The company claims to legally own the software used to develop the App.6
Not only is it of grave concern that the appointment of Entomo Malaysia was not conducted through open tender, no agreement was entered into between the Malaysian Government and KPISoft Malaysia, aside from a Non-Disclosure Agreement (“NDA”).7 The fact that a foreign company is the sole shareholder of Entomo Malaysia and owns the software for the App, is also deeply perturbing. It is also discovered that the Malaysian Government has no apparent control over a licensing deal between Entomo Malaysia and MySejahtera Sdn Bhd, giving the latter a perpetual licence to develop and support the App until 2025.8
The Malaysian Bar further notes that the Minister of Communications and Digital, Fahmi Fadzil, has instructed Cyber Security Malaysia to carry out investigations into the audit findings.9 On this note, we urge the Government to release the details of the NDA, the events that led to confusion of ownership, and the true names of all service providers. These disclosures should be made in the current Parliament sitting so that all issues can be debated to assure the public that national security and the privacy of App users are protected.
The issue of ownership between the Malaysian Government and MySejahtera Sdn Bhd is indeed disturbing.10 The ownership of the App, all source codes, the relevant user interface, and all personal data collected through the App should have been fully owned by the Government, and this should have been established from the outset.
Ownership and control of all personal data collected through the App is of utmost priority, as any entity or person armed with such massive data and the right technological tools will be able to map out demographics, social behaviours, and social norms with a greater degree of accuracy as compared to any other mobile application in Malaysia. If not governed, this may lead to unregulated management and abuse of personal data collected, and at worst, possible breaches of privacy, social engineering, and data abuses affecting national security.
Liabilities and responsibilities of any corporate body having anything to do with the App should not just be governed by a contract between a corporate body and the Government; it should also be governed by a privacy regime in Malaysia to protect all personal data collected by the Malaysian Government or any entity collecting personal data on its behalf. Currently, Malaysia does not have such a privacy regime.
Personal data in Malaysia is governed by the Personal Data Protection Act 2010 (“PDPA”), of which the Malaysian Government and State Governments are excluded from this Act. This Act is only applicable where personal data is collected in respect of commercial transactions, and is not applicable to personal data collected through the use of the App, as in this context, data is being collected and used for the purpose of public health.
With that in mind, the Malaysian Bar urges the Government to establish and enact a Privacy Act to protect the privacy of data collected by the Malaysian Government and/or State Governments, or any corporation under the aegis of one or the other.
We also implore the Government to provide federal legislative framework on freedom of information laws so as to ensure transparency and accountability relating to Federal Government and State Government contracts, and provision of information.
With Malaysia entering into the age of the Industrial Revolution 4.0, the protection of its citizen’s personal data is no longer a fringe benefit, but an absolute necessity. With more users moving into the metaverse, the privacy and security of users are increasingly threatened, unless the problems in relation to security and privacy are nipped in the bud right now. It is about time Malaysians are given the requisite protection from any possible manipulation by usage of the App.
Karen Cheah Yee Lynn
President
Malaysian Bar
27 February 2023
1 “Audit raises questions over MySejahtera records”, Free Malaysia Today, 16 February 2023.
2 “PAC recommends Govt to take ownership of MySejahtera via MAMPU”, The Edge Markets, 4 October 2022.
3 “Tindakan Susulan Kementerian Sains, Teknologi dan Inovasi (MOSTI), Kementerian Kesihatan Malaysia (KKM) dan Kementerian Kewangan (MOF) bagi Syor-Syor Laporan PAC Parlimen Berhubung Perolehan Vaksin COVID-19 dan Penggunaannya Terhadap Rakyat Malaysia”, Laporan Prosiding 08.03.2022 di dalam Laporan Jawatankuasa Khas Kira-Kira Wang Negara (PAC), Dewan Rakyat Parlimen Penggal Ke-14.
4 “MySejahtera app still under govt, not sold to private entity”, New Straits Times, 27 March 2022.
5 “Appointment of private company via direct negotiation to manage MySejahtera is worrying, says Tok Mat”, The Star, 28 March 2022.
6 “Singaporean Company Is MySejahtera Software Owner’s Sole Shareholder”, CodeBlue, 29 March 2022.
7 “Appointment of KPISoft to develop MySejahtera overpriced, inconsistent with govt procurement rules — PAC”, The Edge Markets, 4 October 2022.
8 “MySJ To Get MySejahtera Intellectual Property, Licensing For RM338.6Mil From App Developer”, CodeBlue, 28 March 2022.
9 “Cyber Security Malaysia probing audit findings on data leak”, Malaysiakini, 23 February 2023.
10 “Khairy: Details of MySejahtera users safe and protected”, The Star, 29 March 2022.