By Derek Fernandez

KUALA LUMPUR, Malaysia--The government must take full and absolute control of MySejahtera and all its data and place it under the highest levels of security protection.

The recent revelation by the Public Accounts Committee (PAC) and various MPs relating to the controversy regarding the ownership of the MySejahtera app and the security of the data inside is a matter of grave concern to Malaysians and a matter of national security.

In my opinion, a private company should not be allowed to own the app directly or indirectly or have any rights over or access to the data in it under any circumstances because the data was given on trust by Malaysians only to the Health Ministry for managing the COVID-19 pandemic.

In fact, an information announcement on this issue was previously posted by the government as part of the frequently asked questions.

No amount of conditions and terms will be sufficient to protect the public should a private company have ownership, use of source codes, or access to raw data.

A private company’s duty and responsibility can never be to take all steps to protect the national security of Malaysia and its people by protecting against theft of the data, hacking, intrusion, or misuse of the data to the same degree as the government can do; nor does the company have the resources to do so.

Once fallen into the wrong hands, such data can be used by enemy states to undermine the national and economic security of Malaysia. 

Worse still, hackers and other third-party actors can use this data to wreak economic havoc in the financial system by building avatars to mimic persons for the purpose of criminal enterprises on a mass scale.

Data can be traded on the dark web for the purpose of targeting individuals. As the data has huge commercial value, this data can be sold to commercial enterprises for the marketing of goods and services, influencing individuals, or targeting business acquisitions.

There seem to be inconsistent and contrary statements as reported in the media as to who is the real owner of MySejahtera.

The PAC themselves found this question unanswered. Firstly, one cannot be the true owner of the MySejahtera app if one has to negotiate and pay licensing fees to a third party. Also, one cannot be the true owner of MySejahtera if the source codes are not deposited with the “owner” with all access rights to use, including the right to exclude the app developer.

In the event some unusual support is required, limited temporary access rights can be given to security-cleared contractors under strict supervision, where government agencies are totally unable to handle it.

Furthermore, if a company says it has developed an app and given it to the government as part of a corporate social responsibility project, then they must surrender the source codes and all access rights and every right consistent with ownership.

In this respect, the PAC and the government security agencies must question the actual individual who developed the app, and not only his or her employer, as to the facts and their associations or system vulnerabilities that could be exploited.

Lending an app for a period and populating it with the public’s private data, which they are forced to provide in order to live normally, and then saying we now want fees is not correct, even just to the public whose data was taken on the basis that the app is owned by the government and given for free.

In this respect it’s hard to understand why one would pay licence fees if one is the full owner of the app, or why there is a need to have a private company negotiate to buy an app that was publicly announced as given for free.

Surely these matters must be properly clarified and addressed with documented evidence and clearly explained.

As the data in the app and the ability to access it are critical to national security, the government must take full and absolute control of MySejahtera and all its data and place it under the highest levels of security protection.

In my opinion, even if one byte of private data is accessed or given to any party other than the Health Ministry (and that too only for the present management of COVID-19), such an act would amount to a breach of trust and serious breach of data and national security.

In fact, once COVID-19 has been effectively managed, the data must be destroyed.

I hope the Malaysian security services, auditor-general, and law enforcement agencies investigate and check everyone who had access to the data, and who developed the app, to ensure that the national security in the private and personal data of millions of Malaysians is protected.

*Derek Fernandez is a Malaysian observer, local government expert and councillor in the city of Petaling Jaya.*