Key Findings
A. The Development of Digital Contact Tracing in Malaysia
Initially, Malaysia introduced three apps to assist authorities in their digital contact tracing efforts: MySejahtera, Gerak Malaysia, and MyTrace. Gerak Malaysia was discontinued on July 31. All three apps were launched around the same time, in April and May, and were designed to complement each other.
Gerak Malaysia was launched with the aim of assisting authorities in tracing and analyzing users’ movements nationwide in order to control the COVID-19 pandemic. In accordance with its privacy policy, the app required users’ personal details, including their full name, ID number or passport number, address, and email. Users’ location was tracked via their devices’ GPS. The app generated a QR code for each user which was used to “facilitate users with the authorized travel document during the period of movement control order (MCO).” Those who needed to travel interstate could also apply for permission to travel via Gerak Malaysia. The app was launched by the Malaysian Communications and Multimedia Commission (MCMC), which tested the beta version on April 17, 2020. However, the National Security Council (NSC) stated on the same date that it had not yet evaluated or endorsed Gerak Malaysia. The Ministry of Science, Technology, and Innovation (MOSTI) also said that it had not endorsed the app because of its ability to track users’ location. The app worked similarly to the highly criticized digital contact tracing model used in South Korea and China. After three months of operation, the app was discontinued on July 31, because the interstate travel restrictions were lifted.
MySejahtera is a self-evaluation app through which users can assess their own health condition. The government introduced the app as a pilot program in early April before its official launch on April 20. The app was developed by government bodies, including the NSC, the Ministry of Health (MOH), the Malaysian Administrative Modernization and Management Planning Unit (MAMPU), MCMC, and MOSTI. Users input their health status through the app, which also provides information about the nearest clinics and hospitals that they can visit. The MOH is reportedly the agency responsible for managing and mitigating the pandemic using the data collected from the app. According to the app’s privacy policy, users’ personal data are collected when they register for the app; this data includes their name, address, ID number, phone number, birth date, email address, and gender. MySejahtera later introduced an extension called MySejahtera Check-In, through which people scan a QR code when they enter locations such as buildings, shops, restaurants, educational facilities, and offices; a similar approach has been adopted by Malaysia’s neighboring countries, Singapore and Thailand. Business owners and managers of the locations must register through the app in order to receive the QR code for visitors to scan. MySejahtera Check-In also uses health information from the MySejahtera app to identify visitors’ health status. The check-in system was later extended to allow group check-ins, in order to support those with dependents. According to its privacy policy, the check-in extension collects the name, phone number, and location of users.
On August 3, the Malaysian government decided to mandate the use of MySejahtera at all premises nationwide. An exemption was given to those in rural areas without stable Internet connectivity, who were allowed to keep manual records as an alternative. After the decision was made, the government held a discussion regarding the need to amend the 2010 Personal Data Protection Act. The discussion addressed the PDPA’s applicability to the federal government and the safety guarantees for users’ personal data before they enter premises. As of August 16, MySejahtera had been downloaded by 15.1 million users. The app was reported to have detected 322 confirmed cases of COVID-19, or approximately 3.4 percent of 9,200 positive cases.
MyTrace is a contact tracing app that uses Bluetooth Low Energy (BLE). It was developed by MOSTI, NSC, MOH, MAMPU, the Malaysian Institute of Microelectronic Systems (MIMOS) and the Malaysian Global Innovation and Creativity Center (MaGIC), together with the International Islamic University Malaysia (IIUM) and Google Malaysia. Like other contact tracing apps, it works by detecting and exchanging information with other devices running the app that are in close proximity. It was reported that the data collected by the app would be stored and processed only by the MOH. When a user is found to be COVID-19 positive, the MOH contacts the user via a phone call and SMS; the MOH then guides the user to upload the data from their smartphone to a secured database managed by the MOH. The MOSTI Minister, Khairy Jamaluddin, stated that the government planned to make the MyTrace code open-source. He also stated that the data collected by MyTrace would be stored on the phone, not on centralized government servers. The data collected through MyTrace would be stored on the user’s phone for 21 days and anonymized, such that the location data could not be traced to an individual user.
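Because the MyTrace protocol has not been published, the following is an added illustrative model of what an on-device, 21-day, anonymized BLE contact store can look like; it is not MyTrace’s code, and the 15-minute identifier rotation and the HMAC derivation are assumptions of this example rather than details from the report.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

RETENTION_DAYS = 21   # on-device retention period the report attributes to MyTrace
EPOCH_MINUTES = 15    # assumed rotation interval of the broadcast identifier (not from the report)
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES

def rolling_id(daily_key, epoch):
    """Identifier broadcast over BLE during one epoch; only the key holder can link epochs."""
    return hmac.new(daily_key, epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]

class LocalContactLog:
    """On-device store: random daily keys plus observed identifiers, no name, phone or location."""
    def __init__(self):
        self._daily_keys = {}   # date -> 16 random bytes generated on the device
        self._observed = []     # (timestamp, identifier) heard from nearby devices

    def daily_key(self, day):
        if day not in self._daily_keys:
            self._daily_keys[day] = secrets.token_bytes(16)
        return self._daily_keys[day]

    def current_id(self, now):
        epoch = (now.hour * 60 + now.minute) // EPOCH_MINUTES
        return rolling_id(self.daily_key(now.date()), epoch)

    def record_contact(self, now, identifier):
        self._observed.append((now, identifier))

    def prune(self, now):
        """Drop contacts and keys older than the retention window; return records kept."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        self._observed = [(t, i) for t, i in self._observed if t >= cutoff]
        self._daily_keys = {d: k for d, k in self._daily_keys.items() if d >= cutoff.date()}
        return len(self._observed)

    def count_exposures(self, published_keys):
        """Match keys a confirmed case uploaded against local observations; runs on the device."""
        candidates = {rolling_id(k, e) for k in published_keys.values() for e in range(EPOCHS_PER_DAY)}
        return sum(1 for _, ident in self._observed if ident in candidates)

def demo():
    alice, bob = LocalContactLog(), LocalContactLog()
    t = datetime(2020, 8, 1, 10, 0)
    bob.record_contact(t, alice.current_id(t))                  # one proximity event
    bob.record_contact(t - timedelta(days=22), b"\x00" * 16)   # constructed stale record
    return bob.prune(t), bob.count_exposures(alice._daily_keys)  # only alice's keys leave her device
```

The point for a reviewer is that nothing in the store identifies a person, and that matching against a confirmed case’s uploaded keys needs no central contact database; whether MyTrace actually works this way cannot be verified until its source is released.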
B. Implications on Surveillance and the Right to Privacy
As the systems are not open-source and no white paper could be found, information about how the apps work is limited. It is also not easy to find technical vulnerabilities in the contact tracing apps used by the Malaysian government; identifying them would require a thorough analysis using a time-consuming reverse engineering process. Apart from possible technical vulnerabilities, the apps reveal a lack of both transparency and policy enforcement, which has raised concerns about whether they can be trusted to protect users’ right to privacy.
1. Lack of transparency
Available information about the three contact tracing apps has mostly come from the government, while little can be found from independent sources. The government announced its plan to release the source code of MyTrace when the app was first launched; however, this plan had not been implemented at the time of writing. In addition, the government has yet to introduce a plan to make the code of MySejahtera and Gerak Malaysia more transparent.
The architecture, functions, protocols, data management, and security design of all three apps lack transparency. When an app is released under an open source license, independent technical experts are able to examine it for vulnerabilities; this, in turn, helps developers fix the vulnerabilities identified. Releasing the actual code of the app provides greater transparency and may ease people’s concerns about their privacy when using it.
Without further information and transparency, it is difficult to verify the government’s claim that the personal data collected by MyTrace is stored on the user’s device and not on a centralized government server. The government should follow through on its previous commitment to make the source code of MyTrace open-source as soon as possible in order to bring more transparency to the app. MyTrace also does not have its own privacy policy; the privacy policy links provided from the app’s listings on Google Play and the App Store were found to lead to the same privacy policy on MOSTI’s website. As the app’s privacy policy is not available, there is no information on the following key issues: what type of personal data MyTrace collects, how the personal data is processed and stored, and how long the data is retained. MySejahtera has its own privacy policy, which provides details about the type of data the app collects, the purpose of its data collection, data confidentiality, and data security, as well as other information. However, since the app cannot easily be examined, the technical details provided in the privacy policy, including how data in transit is encrypted and how data at rest is stored on a highly secured server, cannot yet be verified. The app collects a substantial amount of personal data from users; as such, it is unlikely to have been built to protect privacy by design.
The Gerak Malaysia app, although already discontinued, still offers an important lesson regarding transparency and the right to privacy. The app’s beta version was not endorsed by the NSC because it tracked the movement of its users. Limited information is available on how the app was fixed or improved with respect to users’ privacy before it was rolled out to the public. The app also collected a substantial amount of personal information from users, including their name, phone number, ID or passport number, home address, and email. According to its privacy policy, once users had permitted the app to access the device’s location services, the app continuously collected their location data and maintained a record of the places they visited. Much can be revealed about a person by tracking their movements. This information could increase the vulnerability of certain groups, including LGBTQI+ and HIV-positive people, who may face social stigmatization if it is divulged. Furthermore, the app’s model had the potential to enable mass surveillance.
Before the apps became available to the public, no Human Rights Impact Assessment (HRIA) or Privacy Impact Assessment (PIA) was conducted to examine the impact of Malaysia’s contact tracing apps on human rights and the right to privacy. An HRIA and PIA would allow those in charge of the apps and their systems to identify the risks the apps pose to the privacy and security of personal data; these assessments can also further educate the public about their human rights and how their right to privacy can be affected by using the apps. An HRIA and PIA could increase transparency by demonstrating how users’ right to privacy is protected when using the apps. This could encourage more people to become users, thereby making digital contact tracing more effective. Transparency is especially important for these apps because they collect and handle a large amount of personal data.
2. Lack of policy enforcement
While Malaysia has passed the 2010 Personal Data Protection Act (PDPA), the protection of personal data and privacy in the case of digital contact tracing continues to be undermined. The PDPA does not apply to federal and state governments; as a result, all government agencies involved in digital contact tracing efforts, including the MOH, are exempt from this law. There is currently no law in place regulating how government agencies are to treat the personal data collected by the apps. This lack of legislation makes the collected data especially vulnerable. If a data breach occurs on the government’s servers, it is difficult to hold the government accountable for the incident because of its exemption from the law. The law also has no provision requiring data breaches to be reported to the Personal Data Protection Commission.
The government discussed whether to amend the Personal Data Protection Act 2010 after the launch of the contact tracing apps; while this discussion is a positive development, it also shows a need for greater caution. The apps were rolled out hastily, before the legislation and mechanisms to protect personal data had been put in place. According to the government, the personal data gathered from the MySejahtera app is stored in the federal government’s database and treated as confidential patient information under the Medical Act 1971 and the Prevention and Control of Infectious Diseases Act 1988. However, these assurances are not sufficient protection measures. Aligning the Personal Data Protection Act with global best practices would make the protection of personal data more robust and comprehensive.
C. Conclusion and Recommendations
There remains a lack of balance between tackling the pandemic and protecting privacy in Malaysia’s contact tracing efforts. None of the apps used for contact tracing was transparent, as none was made available as open source for independent technical experts to examine. The limited information available about the apps comes mostly from government sources. There is also no evidence that an HRIA and PIA were conducted before the public launch of the apps. Gerak Malaysia has already been discontinued after having collected users’ personal data and tracked their movements; its beta version, tested in April, was also not endorsed by the NSC. Little is known about whether the app was fixed to better respect users’ privacy and whether the NSC later endorsed it. While MySejahtera has a privacy policy in place, some key aspects of the app cannot be verified because the apps are not open-source. The privacy policy of MyTrace is also not available. The absence of a personal data protection law in Malaysia that applies to the government means that there is no legislation stipulating how personal data should be treated by government agencies; this leaves the personal data collected by the apps vulnerable to misuse. Without such legislation in place, it is also difficult to hold the government accountable in the case of a data breach.
The Government of Malaysia is urged to protect the right to privacy in its pandemic response, including its digital contact tracing efforts. It is therefore recommended that the Government of Malaysia take the following actions:
- Release the white paper and the source code of MyTrace and MySejahtera under an open source license. The white paper should contain the necessary details of the systems’ architecture, functions, protocols, data management, and security design. The source code should be of the deployed system, complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the apps.
- Provide a clear privacy policy for MyTrace on all the downloadable platforms. All the elements about how the data is collected, processed, and stored must be transparent. This should be in line with the international standards and best practices for privacy protection. Users’ informed consent must be obtained before the app can be downloaded.
- Issue data privacy regulations that specifically address the apps used for digital contact tracing. The regulations must stipulate that the collected data will not be used for purposes other than contact tracing, and must ensure that preventive measures (e.g. third-party audits whose results are made publicly available) are in place to keep the data secure from cyberattacks and data breach incidents.
- Conduct a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) for all the apps in use, and for any other apps and platforms that may be implemented in the future for digital contact tracing purposes. The results should be made publicly accessible.