KUALA LUMPUR, April 28 – Anwar Ibrahim today told the Ministry of Health (MOH) to allow a full data forensics audit on MySejahtera and to immediately stop all mandatory and optional data collection on the Covid-19 app.
The opposition leader also urged Parliament’s Public Accounts Committee (PAC) to continue investigating the development and procurement of MySejahtera, including summoning the private companies involved both in the development of the app and data handling, as well as technical experts to “track down the exact servers where the Malaysian people’s data has been stored”.
“I fear there is reason to believe that the people are being misled regarding the Minister’s words concerning the servers which MySejahtera data has been stored on,” Anwar said in a statement.
“Without robust contracts and agreements, the non-disclosure agreements (NDAs) the Minister has promised to ease our woes are insufficient and worth less than the paper they are printed on. It is now of the highest importance that the government actually proves our data has and continues to be secure on government servers only.
“The collection of data by any organisation or government without an expressly stated objective leaves said data highly vulnerable to abuse and represents a clear and dangerous dereliction of duty on the part of the collectors.”
Health Minister Khairy Jamaluddin told the Dewan Negara last March 31 that MySejahtera’s data server is located at AIMS Data Centre in Kuala Lumpur and that data transactions from the app are uploaded daily onto the cloud server.
He also said the National Cyber Security Agency (NACSA) runs periodic security audits every month and conducts penetration tests from time to time, besides running an audit trail on the server hosting MySejahtera data.
“The PAC’s investigation thus far, corroborated with my own investigation, leads me to believe the government has not only erred in remaining transparent and securing ownership of the MySejahtera app throughout development, but also in allowing politically connected individuals to take a cut of the profit from an emergency measure established to fight a pandemic that has killed over 35,500 Malaysians and in securing the data of over 38 million residents,” Anwar said.
“Most troubling is the high potential for data leaking which makes our information available to foreign owned entities.”
MySejahtera app developer Entomo Malaysia Sdn Bhd (formerly KPISoft Malaysia Sdn Bhd) is fully owned by Singapore-based company Entomo Pte Ltd.
Anwar, who is Port Dickson MP, questioned the security of Malaysians’ personal data collected on MySejahtera over the past two years, after PAC chairman Wong Kah Woh revealed, after two weeks of hearings, that the government was “confused” about who had appointed KPISoft to develop MySejahtera when the contact tracing app was launched in April 2020.
“This news dismantles our confidence in the promises of the Minister of Health at a time when not only his reputation, but the protection of the Malaysian people’s personal data and our national security, hangs in the balance,” Anwar said.
“I call on the Minister to prove that Malaysians’ data has not and continues not to be at risk to commercial or nefarious interests at home or abroad. This government must do all in their power to prevent such negligence while reaffirming that the data rightfully belongs to the people, not the government.
“The Ministry of Health must be upfront and fully transparent on this, including allowing for a full audit with data forensics.”
The Opposition Leader also told the PAC to investigate the direct negotiations in the development of MySejahtera.
“The people are depending on the PAC to leave no stone unturned and perform at the highest standard to prevent negligence and abuse.”
The PAC, which is empowered to examine government procurement and expenditure, told the government last Saturday not to make any decision involving financial implications on the Covid-19 app, until the PAC tables the findings from its MySejahtera investigation in the next Parliament meeting in July, and its report is debated by MPs.
However, Khairy yesterday snubbed the PAC’s request, saying that MOH’s decision to sign a contract over the MySejahtera app was not subject to the parliamentary committee’s report. MOH is currently believed to be in the final stages of negotiations with MySJ Sdn Bhd, a legally separate entity from Entomo Malaysia, on MySejahtera.
The health minister also announced yesterday that MySejahtera check-ins at public premises for contact tracing would no longer be mandatory from May 1.
“As a post-colonial state, we must have zero tolerance for any potential new forms of colonialism that this data affords to anyone with enough money to buy it. To begin to rebuild the rakyat’s confidence, this government must also immediately cease all data collection, mandatory and optional, from the MySejahtera app until they can guarantee our data’s protection and justify the continued collection of said data,” Anwar said.