KUALA LUMPUR, May 18 – A survey by CodeBlue on MySejahtera found that the majority of respondents at 62 per cent do not believe their personal data is safe and protected on the Covid-19 app.
Just one of five respondents, or 21 per cent, feels that their MySejahtera data — which includes information on visits to public premises, coronavirus vaccination certification, and personal details like name, identity card number, phone number or email address, and date of birth — is safe, while 17 per cent are unsure.
Out of the 806 total responses gathered from the three-week online poll, which ran from April 25 until May 16, slightly more than half distrust MySejahtera at 52 per cent, compared to 27 per cent who trust the ubiquitous app and 21 per cent who expressed ambivalence.
About 30 per cent (238 respondents) say MySejahtera cannot be trusted at all versus 12 per cent (99 respondents) who think MySejahtera can be trusted a lot.
A total of 175 respondents (22 per cent) said MySejahtera cannot be trusted somewhat, while another 121 respondents (15 per cent) felt that the app can somewhat be trusted; 173 respondents (21 per cent) were neutral about their trust or distrust in MySejahtera.
Public trust in MySejahtera took a major hit after controversy broke about whether a private company actually owns the national Covid-19 app and users’ personal data.
Among the survey’s 806 respondents, 284 respondents (35 per cent) thought MySejahtera was owned both by the government and private companies, while another 261 respondents (32 per cent) were under the impression that the app was owned solely by the private sector.
Some 131 respondents (17 per cent) said they didn’t know or were unsure about the app’s ownership, while 130 respondents (16 per cent) believed that MySejahtera was the sole property of the federal government.
71% Believe MySejahtera Data Accessible To Government And Private Companies
A whopping 576 respondents (71 per cent) felt their personal data on MySejahtera could be accessed by both the government and private companies, against 117 respondents (15 per cent) who believed only the government had access to their personal data on the Covid app.
About 44 respondents (5 per cent) felt the data was accessible only to private firms, namely, app developer Entomo Malaysia Sdn Bhd (formerly KPISoft Malaysia Sdn Bhd) and licence holder for MySejahtera, MySJ Sdn Bhd.
One anonymous respondent claimed that MySejahtera’s backend “at the very least” uses Alibaba’s content delivery network (CDN) as the “mysejahtera.malaysia.gov.my” domain name resolves to a Canonical Name (CNAME) record pointing to “mysejahtera.malaysia.gov.my.w.cdngslb.com.”
The “cdngslb.com” domain belongs to Zhejiang Taobao Network Co Ltd, a wholly-owned subsidiary of China-based e-commerce company, Alibaba.
A CNAME record is used to create an alias from one domain name to another domain name.
“All traffic to the MySejahtera backend currently must pass through Alibaba’s CDN before reaching whatever is behind it. We currently do not know where the TLS encryption between client and backend terminates,” claimed the respondent who declined to provide their name in CodeBlue’s MySejahtera survey.
“If Alibaba’s CDN transparently shuttles encrypted transport layer security (TLS) traffic to the MySejahtera backend (that is, if end-to-end encryption between client and true backend is applied), then at least Alibaba cannot inspect the content of client traffic, although it can make inferences based on the traffic’s metadata,” the respondent wrote.
TLS is a security protocol that protects data sent between applications over the Internet.
“But CDNs work best when they are able to inspect all aspects of traffic that passes through them, so that they can shuttle traffic to their destinations more efficiently.
“Therefore, if the TLS connection from the MySejahtera client terminates at the CDN, then at least two issues present themselves: (a) Alibaba can see everything that passes between the MySejahtera client and backend, and (b) if traffic between the CDN and the MySejahtera backend is unencrypted, then that leaves that traffic vulnerable to unauthorised monitoring, interception, and manipulation,” the respondent added.
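The CNAME delegation the respondent describes can be confirmed from a DNS answer alone. The following is an added example, not part of the original article or of any MySejahtera code: it parses a constructed dig-style answer, follows the alias chain, and compares zones on label boundaries, because the CDN target embeds the original hostname and a plain substring check would misclassify it. The TTLs and the 192.0.2.10 address are constructed sample values.

```python
# Constructed sample in dig-style answer format (not a live lookup).
SAMPLE_ANSWER = """\
mysejahtera.malaysia.gov.my. 300 IN CNAME mysejahtera.malaysia.gov.my.w.cdngslb.com.
mysejahtera.malaysia.gov.my.w.cdngslb.com. 60 IN A 192.0.2.10
"""

def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring the root dot."""
    return name.rstrip(".").lower().split(".")

def in_zone(name, zone):
    """True only if `name` ends with `zone` on a label boundary."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def parse_answer(text):
    """Map owner name -> (type, rdata) from 'name ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN":
            records[".".join(labels(parts[0]))] = (parts[3], parts[4])
    return records

def cname_chain(host, records, max_hops=8):
    """Follow CNAME aliases from `host`; stop on a loop or after max_hops."""
    current = ".".join(labels(host))
    chain, seen = [], {current}
    while len(chain) < max_hops:
        rtype, rdata = records.get(current, (None, None))
        if rtype != "CNAME":
            break
        target = ".".join(labels(rdata))
        if target in seen:  # alias loop: stop instead of spinning
            break
        chain.append(target)
        seen.add(target)
        current = target
    return chain

def leaves_zone(host, zone, records):
    """Return the first alias target outside `zone`, or None if none leaves it."""
    for target in cname_chain(host, records):
        if not in_zone(target, zone):
            return target
    return None
```

A result from `leaves_zone` shows only where DNS sends the client; it says nothing about where TLS terminates, which is the open question the respondent raises.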
Health Minister Khairy Jamaluddin told Dewan Negara in March that the Ministry of Health (MOH) owns not only individuals’ personal data collected on MySejahtera, but also the app itself, its modules, intellectual property (IP), source code, and trademark.
Khairy also gave his assurance that the MySejahtera data is secure as it’s hosted on a server in Malaysia and is owned by MOH.
“I’m sceptical of Mr Khairy’s claim that MySejahtera’s database resides in a single server in a single location.
“Firstly, I doubt that a single machine can handle such volume at such a scale.
“And secondly, having everything in a single server, if Mr Khairy’s claim is to be taken at face value, introduces a single point of failure and completely disregards the wisdom of redundancy, especially for such supposedly critical digital health infrastructure,” the same anonymous survey respondent noted. MySejahtera has 38 million registered users.
MySejahtera Users Still Hesitate To Delete App
Disliking MySejahtera does not necessarily translate to an automatic removal of the app.
CodeBlue’s survey showed that while 419 respondents (52 per cent) disliked using the app, 42 per cent said they would not uninstall the app immediately even if check-in mandates were lifted. MySejahtera check-ins were dropped on May 1.
About 18 per cent of respondents (146 respondents) said they were unsure if they would drop the app immediately, while 40 per cent (321 respondents) said they would.
Those who hesitate to delete MySejahtera said they needed to keep their digital Covid-19 vaccination certificate on MySejahtera for overseas travel. Others are keeping the app in case they get infected with Covid or for future Covid-19 vaccination appointments.
Those who are dumping MySejahtera cited personal data concerns as their primary reason for uninstalling the mobile app. Many think their data on MySejahtera is accessible to private companies and that the government cannot be trusted to take care of their data.
Others are uninstalling the app to avoid being spammed and they don’t find MySejahtera to be useful.
However, should they decide to uninstall the Covid app, a total of 582 respondents (72 per cent) want all their data on MySejahtera to be erased from the server.
Most respondents found the Covid-19 vaccination certificate to be the most useful feature on MySejahtera, followed by vaccination appointments, and Covid self-test reports. Very few found the MySJ Trace via Bluetooth feature or the Helpdesk to be useful.
57% Won’t Use MySejahtera For Personal Health Records, 50% Won’t Download New Government Health App
Half of survey respondents (402 people) said they would not download a new government health app, amid calls for a new platform to be created.
Only 23 per cent (185 respondents) said they would download any new health app created by the government, while another 27 per cent (219 respondents) were undecided.
However, keeping MySejahtera for electronic health records will also prove to be a challenge, as 57 per cent (459 respondents) said they would not keep their personal health or medical data on the app if such features were made available.
Examples of potential medical data records for MySejahtera cited in CodeBlue’s survey were blood pressure or blood sugar readings, weight, menstrual cycle, steps taken a day, diagnosis of any illness, medical test results, and medical images.
MOH recently converted MySejahtera’s Covid-19 hotspot tracker into an infectious disease tracker that lists the active case numbers of other communicable diseases besides Covid-19 like rabies, measles, hand-foot-and-mouth disease (HFMD), dengue, and tuberculosis in one’s vicinity.
The MOH was also considering using MySejahtera for Malaysians to sign up as organ donors and to monitor non-communicable diseases (NCDs), including cancer.
Seven Of 10 Respondents Live In Klang Valley
Out of the survey’s 806 total respondents, 55 per cent were male and 40 per cent were female. The remaining 5 per cent preferred not to disclose their gender.
About 38 per cent of respondents were ethnic Chinese, 32 per cent Malays, 15 per cent ethnic Indians, 3 per cent were Bumiputera Sabah and Sarawak, and 3.5 per cent were foreign nationals.
The largest age group among respondents (23 per cent) was aged between 30 and 39, followed by those aged 40 to 49 (22 per cent), 50 to 59 (20 per cent), 20 to 29 (18 per cent), 60 years and older (16 per cent), and less than 20 years old (1 per cent).
Nearly 42 per cent of respondents currently live in Selangor, followed by Kuala Lumpur (29 per cent), Sarawak (5 per cent), Penang (4 per cent), Perak (3.7 per cent), and Johor (3.6 per cent).
The largest share of respondents (25 per cent) are currently earning a monthly gross salary of RM5,000, with a further 21 per cent currently retired or unemployed.