Cybernauts have been riled up over the suspicion that our national contact tracing app, MySejahtera, is being sold to a private company.
Data privacy concerns are at the heart of the discussion, following fear of the prospective abuse of millions of Malaysians’ private data. Anwar Ibrahim himself has addressed this issue in a Facebook media statement.
The post outlined how MySejahtera has recorded over 11 billion check-ins since December 2020, according to the Ministry of Health’s (MOH) published data on GitHub.
With Health Minister Khairy Jamaluddin denying it and other news sites reporting the sale price of the app, it is currently inconclusive whether or not the app has since been sold to a private entity.
What we do know though, is that ownership of MySejahtera has been transferred from the developer to a special purpose vehicle called MySJ Sdn Bhd, which was allegedly appointed through direct negotiation.
From what we’ve seen, it’s clear that Malaysians are against MySejahtera ending up in the hands of a private company. Although Khairy continuously reiterates that the data within the app belongs to only the government, what guarantees are there that there aren’t any backups of our data elsewhere by the current majority shareholders?
Here are 9 implications for Malaysians if MySejahtera indeed gets sold to a private company.
1. Exposure of current residences
MySejahtera required users to fill in and update their current residence for updates on red zones during the MCOs. And a mass database with the potential of being traded puts all of the app’s users in a vulnerable state, especially when it’s still unclear who will own the data and how they will be held accountable to protect it.
In the case of a data breach, even if the hacker can’t get direct access to one’s residence, this could be easily deduced just by tracing where an individual frequents based on their MySejahtera check-ins and finding a central point. This would open users up to the risks of stalking, targeted crime, and more.
2. Discrimination based on medical history
It is presumed that MySejahtera databases include private personal health data about individuals’ reported health symptoms and COVID-19 positive diagnoses. After all, these are questions probed upon signing up.
Individuals could lose their job, health insurance, or housing if the wrong type of information becomes public knowledge. Once part of someone’s medical history is leaked, a determined individual with malicious intentions could probe into further records.
There’s a likelihood that individuals could experience social or psychological harm as a result of this. For example, the disclosure that an individual is infected with HIV or another type of sexually transmitted infection can cause social isolation or other psychologically harmful results.
3. More targeted ads
The MySejahtera app contains some valuable data about its users’ whereabouts, consumption patterns, and social networks. If in the wrong hands, data can be sold or traded to third parties and advertisers, since it has huge commercial value.
Say you’ve tried a gambling site in the past and have your contact information and cookies tied to these sites. Such data can be sold to corporations for the marketing of goods and services to influence individuals.
Targeted ads, at its core, aren’t harmful—when speaking in less detrimental behaviours like what food to try or fashion recommendations—and could offer a higher level of customer personalisation. But they can get bothersome, especially when it comes to spam, and dangerous if they perpetuate unhealthy behaviours or addictions.
4. Unwanted and spam telemarketing calls, messages, and emails
Marketing spam is a nuisance, tied with persuasion tactics telling you that if you don’t hop on this offer now, you’ll regret missing out.
Again, they are rather harmless in the bigger picture. But when looked at through examples like gambling, those who aren’t financially literate could end up in larger debt if they’re not careful.
5. Increased scams or frauds
A total of more than 5,000 cases of phone call fraud were reported throughout 2019 with over RM250 million in losses, according to the Royal Malaysia Police (PDRM). Usually, the culprit behind these scams (the unknown caller) claims to be an officer from a government body such as the police, customs department, banking institutions, or the courts.
Apart from your name and home addresses, your contact numbers and IC numbers are tied to your login details on MySejahtera. Often, these are the information required when verifying financial account details.
With details that mainly bank entities and other authorities would be privy to, scammers posing as authority figures might more easily convince those vulnerable to such tactics.
Large amounts of money can be stolen from these accounts, along with financial data like a person’s spending habits, personal or business loans, amongst others.
6. Cybersecurity attacks
In the same light, hackers with access to data about a person’s lifestyle and finances can turn them into targeted cybersecurity attacks.
Hackers will be able to identify those who actually have the means to pay up, and continuously demand more when the victim is desperate and has taken the bait.
For workers or higher-ups with sensitive P&C company information on their personal devices, a breach of such data can be detrimental to shareholders.
7. Privacy breach of not just your personal data, but potentially your contacts too
Think the Cambridge Analytica scandal where an American voter-profiling company accessed the personal data of about 50 million Facebook users and their friends.
For the unaware, a personality quiz was spread around Facebook that was then filled in by thousands of users and the data was provided to Cambridge Analytica. Here’s an article by The Atlantic that succinctly summarises the story.
Cambridge Analytica then used it to make 30 million psychographic profiles about voters. Psychographics is a methodology used to describe traits of humans on psychological attributes, such as their personality, values, opinions, attitudes, interests, and lifestyles.
Of course, one might say that respondents were willingly giving up the information themselves, but even those of their friends were attained, most of whom didn’t answer the survey themselves.
The data misuse was referred to as a privacy breach, where systems were infiltrated, without passwords or information stolen or hacked.
This could very well happen to MySejahtera users too if their data is not guaranteed protection (with transparency on how it’s done) by the government. Not only might their contacts be affected, but even their dependents such as one’s elderly relatives or underage children might have their personal data breached.
8. Personal identity theft
Locally, it’s been often speculated and alleged that our elections involve phantom voters.
They include the identities of people who have died but still appear on the list, or people whose names have appeared without them registering.
If MySejahtera’s huge database of personal identities of individuals who are both dead and alive ends up in the wrong hands, it opens up the possibility of misusing individuals’ identities, or creating new ones based on personal information already in the system.
9. Skewed elections
Emphasising on the above points, this then leads to the potential of skewed elections.
With access to user behaviours, interests, social media, contact details, and more, third parties would have crucial information about the number of actual and potential supporters in any given constituency.
They can then send out surveys, questionnaires, contest entries, etc. to socially engineer a person’s voting tendencies. Otherwise, ads can come in the form of propaganda to target social media users.
In a worst-case scenario, a ruling party might even attempt to restrict voter movement in an area upon election time, using the dangers COVID-19 as a tool to prevent unfavourable votes from being cast.
Whether MySejahtera and its data end up fully in the government’s hands, a private company’s, or a mix of both, it doesn’t seem like Malaysians will be content either way. In fact, many have called for the total destruction of their collected data as well as the complete retirement of the app.
Critically thinking though, the data collected through contact tracing might come in handy for research and study in the future, whether it’s for creating more effective SOPs in the case of another (knock on wood) pandemic, identifying how the virus mutates and spreads through communities with better precision for predictive analysis, and more.
The ownership of MySejahtera and its collected data aside, there is now also debate on the relevance of or the need for contact tracing as we transition to an endemic phase.
Malaysian Medical Association (MMA) opines that the app has outlived its usefulness, and suggests that it could simply act as an electronic medical record system that’s used nationwide from here onwards.
Meanwhile, a politician suggested turning the app into a Green Pass, whereby individuals simply need to flash their green statuses (showing a clean bill of health) to gain access to premises or while travelling, instead of scanning codes.