Data are solely used for Covid-19 monitoring and not shared with 3rd party as they are subject to secrecy, says expert
by RAHIMI YUNUS / Pic by RAZAK GHAZALI
PERSONAL information stored in the MySejahtera application will not be shared with any third party, CyberSecurity Malaysia said.
CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab said data on the national Covid-19 tracing app are confidential and subject to the right governance.
The information stored in MySejahtera is subject to scrutiny by the government on ways the data are handled and stored to ensure they are safe and protected.
“These data are solely used for Covid-19 monitoring and not shared with any third party as they are subject to secrecy,” Amirudin told The Malaysian Reserve (TMR) when contacted.
So far, he said there are no reported cases received by the agency related to any data leak on the MySejahtera app.
He advised users to instal the app via the official link of their respective mobile phone’s app stores to prevent being a victim of cyber attack.
With daily usage of mobile devices now as the main source to retrieve sensitive information — which ranges from travel details, family relations to personal photos and financial details — he said users’ data loss, modification or exposure that a mobile device might face could directly impact end users’ safety and privacy.
For example, he cited the case in which a mobile application that monitors one’s body composition is exploited by an adversary to gain access to sensitive data.
“They may seek to interfere with the user’s health status. The possible damages caused by this data breach can impact both the psychological and physical aspects of the user,” Amirudin added.
As prevention, he said privacy policies are the best practices for apps to connect with personally identifiable information.
The MySejahtera app is governed by the Health Ministry, and assisted by the National Security Council and the Malaysian Administrative Modernisation and Management Planning Unit, also known as Mampu.
The government assures that the collection of personal information is aligned with the Personal Data Protection Act (PDPA) 2010.
Information collected is used for monitoring and enforcement purposes by government authorities in dealing with the Covid-19 pandemic and it is not shared with other organisations for other purposes, unless specifically stated.
It noted that users’ personal information might be shared with enforcement authority for follow up and resolution of any complaints submitted via the app.
Address, identity card numbers, passport numbers, phone numbers and dates of birth are among the data collected by MySejahtera.
Cyber security experts called for transparency on the collection and management of data on MySejahtera.
“I think the government can be more transparent. It can engage third parties to do testing and audit on how the data is managed.
“It is noteworthy to point out that the PDPA does not apply to the government.
“So, the government is exempted from the PDPA, which means if anything happens to the data, the government is not liable,” LE Global Services Sdn Bhd CEO Fong Choong Fook told TMR.
He said the cyber security risk of using MySejahtera is far lesser compared to other widely popular apps, for instance, WhatsApp, which has more privileges on the phone.
The data security expert said MySejahtera uses 14 permissions, while WhatsApp uses 56.
“We give more data and control to WhatsApp than MySejahtera,” he added.
Fong said hackers typically attack applications by reverse engineering and study how the apps make calls to servers using the application programming interface.
Besides MySejahtera, Malaysia has few other Covid-19 tracing apps that are usually state-owned initiatives, such as Selangor’s SELangkah, Penang’s PGCare and Sarawak’s Qmunity.