The source code of MyTrace has yet to be released, despite the government’s previous announcement that it would release the code as early as April.
The process through which the app was introduced reveals a lack of communication between state agencies. Gerak Malaysia, an app that has since been discontinued, was first introduced to the public; however, it was introduced without the approval of the National Security Council (NSC), which did not approve the app because it included a geolocation tracking function. The public was able to use the app even though no information was available on how this function in the app was fixed.
Limited information is available on how the app treats personal data and protects the privacy of users.
Malaysia has the Personal Data Protection Act (PDPA) in place; however, the law is likely unable to protect personal data with respect to the apps, because the law does not cover federal and state governments. The government is responsible for overseeing how the collected personal data from both MyTrace and MySejahtera will be treated; as such, the regulations under the Act are unlikely to apply to the apps.
A. The Development of Digital Contact Tracing in Malaysia
Initially, Malaysia introduced three apps to assist authorities in their digital contact tracing efforts. These apps are MySejahtera, Gerak Malaysia, and MyTrace; Gerak Malaysia was discontinued on July 31. All three apps were launched around the same time, between the months of April and May. They were designed to complement each other.
On August 3, the Malaysian government decided to mandate the use of MySejahtera at all premises nationwide. An exemption was given to those in rural areas who do not have stable Internet connectivity; they were allowed to keep manual records as an alternative. After the decision was made, the government held a discussion regarding the need to amend the 2010 Personal Data Protection Act. The discussion addressed the applicability of the PDPA to the federal government and the safety guarantees for users' personal data before they enter the premises. As of August 16, MySejahtera had been downloaded by 15.1 million users. The app was reported to have detected 322 confirmed cases of COVID-19, or approximately 3.4 percent of 9,200 positive cases.
MyTrace is a contact tracing app that uses Bluetooth Low Energy (BLE). It was developed by MOSTI, NSC, MOH, MAMPU, Malaysian Institute of Microelectronic Systems (MIMOS) and Malaysian Global Innovation and Creativity Center (MaGIC), with the International Islamic University Malaysia (IIUM) and Google Malaysia. Like other contact tracing apps, the app works by detecting and exchanging information with other devices that have it installed and are located in close proximity. It was reported that the collected data from the app would be stored and processed only by the MOH. When a user is found to be COVID-19 positive, the MOH would contact the user via a phone call and SMS; the MOH would then guide the user to upload the data from their smartphone to a secured database that is managed by the MOH. The Minister of MOSTI, Khairy Jamaluddin, stated that the government has planned to make the MyTrace code open-source. He also stated that the data collected from MyTrace would be stored on the phone, and not on the centralized government servers. The data collected through MyTrace would be stored on the user’s phone for 21 days, and anonymized such that the location data could not be traced to an individual user.
B. Implications on Surveillance and the Right to Privacy
As the systems are not open-source and no white paper can be found, information about how the apps work is limited. It is also not easy to find the technical vulnerabilities in the contact tracing apps used by the Malaysian government. In order to identify these technical vulnerabilities, a thorough analysis using a time-consuming reverse engineering process would need to be conducted. Apart from technical vulnerabilities, the apps reveal a lack of both transparency and policy enforcement, which has raised concerns about whether the apps can be trusted to protect users’ right to privacy.
1. Lack of transparency
Available information about the three contact tracing apps has mostly come from the government, while limited information about the apps can be found from independent sources. The government had announced its plan to release the source code of MyTrace when it was first launched; however, this plan has not yet been implemented at the time of writing. In addition, the government has yet to introduce a plan to make the code of the MySejahtera and Gerak Malaysia apps more transparent.
The architecture, functions, protocols, data management, and security design of all three apps lack transparency. When an app is made open-source under an open source license, independent technical experts are able to examine the app for vulnerabilities; this, in turn, helps developers to improve upon the identified technical vulnerabilities. Releasing the actual code of the app provides greater transparency and may ease people’s concerns over their privacy when using the app.
Before the apps became available to the public, a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) were not conducted to examine the impact of Malaysia’s contact tracing apps on human rights and the right to privacy. An HRIA and PIA would allow those who are in charge of the apps and their systems to identify the risks of the apps related to the privacy and security of personal data; these assessments can also further educate the public about their human rights and how their right to privacy can be affected by using the apps. An HRIA and PIA could increase transparency by demonstrating how users’ right to privacy is protected when using the apps. These assessments could encourage more people to become users of the apps, thereby making digital contact tracing more effective. It is especially important for the apps to be transparent, because they collect and handle a large amount of personal data.
2. Lack of policy enforcement
While Malaysia has passed the 2010 Personal Data Protection Act (PDPA), the protection of personal data and privacy in the case of digital contact tracing continues to be undermined. The PDPA does not apply to federal and state governments; as a result, all government agencies that are involved in digital contact tracing efforts, including the MOH, are exempted from this law. There is currently no law in place to regulate the manner in which the government agencies are to treat the personal data collected by the apps. This lack of legislation makes the collected data especially vulnerable. If a data breach occurs on the government’s server, it is difficult to hold the government accountable for the incident due to its exemption from the law. The law also has no provision that requires any data breach to be reported to the Personal Data Protection Commission.
The government discussed whether to amend the Personal Data Act 2010 after the launch of the contact tracing apps; while this discussion is a positive development, it also shows a need for greater caution. The apps were rolled out hastily, before the legislation and mechanisms to protect personal data had been put in place. According to the government, the personal data gathered from the MySejahtera app is stored in the federal government’s database and treated as confidential patient information under the Medical Act 1971 and the Prevention and Control of Infectious Disease Act 1988. However, these assurances are not sufficient protection measures. Aligning the Personal Data Act with global best practices would make the protection of personal data more robust and comprehensive.
C. Conclusion and Recommendations
The Government of Malaysia is urged to protect the right to privacy in its response to the pandemic through its digital contact tracing efforts. It is therefore recommended for the Government of Malaysia to take the following actions:
- Release the white paper and the source code of MyTrace and MySejahtera under an open source license. The white paper should contain the necessary details of the systems’ architecture, functions, protocols, data management, and security design. The source code should be of the deployed system, complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the apps.
- Issue data privacy regulations that specifically address the apps that are used for digital contact tracing. The regulations must stipulate that the collected data will not be used for purposes other than contact tracing, and must ensure that prevention methods (e.g. a third-party audit whose result is publicly available) are in place to keep the data secure from cyberattacks and data breach incidents.
- Conduct a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) for all the apps that are used, and other apps and platforms that may be implemented in the future for digital contact tracing purposes. The result should be made publicly accessible.