Govt ready to audit MySejahtera to counter claims of personal data breach

Putrajaya may undertake an independent review of its MySejahtera mobile app following allegations of personal data breach, MalaysiaNow has learnt from sources close to government authorities in charge of digital security.

This comes amid apprehension from some quarters over data privacy that could affect millions of users of the app, launched in April to enable health authorities to keep track of people’s movements to contain the spread of Covid-19.

“The government has made it compulsory for the public to sign in using the app when entering premises. And there is no basis to claims that it is being used for other purposes,” a data privacy expert with a government agency told MalaysiaNow.

“But there are lingering trust issues which could undermine the battle against the pandemic,” he added.

It is believed that the issue cropped up during a recent meeting involving ministers and top officers tasked with managing the Covid-19 crisis.

The source said any suspicion of the government’s pledge to protect people’s privacy would cause problems in ensuring the effective tracking of the virus, which has so far infected over 50,000 people and claimed more than 320 lives.

At the heart of the concerns is the app’s ability to access a user’s location, in addition to having access to storage and phone contacts.

MalaysiaNow understands that an independent audit firm will be appointed to carry out the review of MySejahtera.

In August, Putrajaya announced that it would gazette the use of MySejahtera through the Prevention and Control of Infectious Diseases Act 1988, in the wake of difficulties in tracing close contacts at places where Covid-19 cases had been detected.

Despite repeated assurances from the government, the debate over MySejahtera’s data privacy has continued online, evoking strong reactions on social media.

At the heart of the concerns is the app’s ability to access a user’s location – crucial in contact tracing activities – in addition to having access to storage and phone contacts.

There are many free tools available for checking an app’s claim to data privacy.

One such tool is prepared by Exodus Privacy, a French data privacy organisation, to evaluate Android-based apps.

A check on its website reveals that MySejahtera allows 14 different permissions regarding various device features and contents.

Concerns over data privacy during the pandemic are not confined to Malaysia, as countries attempt to collect more personal information for contact tracing, a key part of containing the spread of Covid-19.

Despite government guarantees that such apps would not keep personal information, recent cases of massive data leaks have not helped to allay fears.

In March, details of hundreds of thousands of credit cards issued by banks in Malaysia, Singapore, the Philippines, Vietnam, Indonesia and Thailand were found online in a massive data breach.

Three years ago, the Malaysian Communications and Multimedia Commission confirmed that the personal data of more than 46 million subscribers of major mobile telco services had been leaked on the dark web, complete with phone numbers and home addresses.