PETALING JAYA: A cybersecurity expert is unconvinced by the assurances of the country’s internet authority over fears of a possible breach of data privacy in the use of an app to help Putrajaya manage interstate travel ahead of the “balik kampung” rush to celebrate Hari Raya.
The Malaysian Communications and Multimedia Commission (MCMC) developed the Gerak Malaysia app in collaboration with the police to facilitate people’s mobility under the conditional movement control order (CMCO), which eases major Covid-19 lockdown restrictions nationwide.
MCMC has encouraged Malaysians to download the app, saying it will aid in contact tracing efforts in the battle against the deadly virus.
But an IT specialist involved in testing app security for major local e-commerce brands said there has been no “clear indication” of thorough security tests being done on the app before its launch.
“There have been no details on how the testing was done, or who they appointed to do it,” the expert, speaking on condition of anonymity, citing the nature of his job, told FMT.
He said it was common practice for app developers to apply stringent procedures to test for loopholes in mobile applications before making them available to the public.
There have been concerns on social media over the amount of data collected by the app, which prompted MCMC to assure the public that all personal details would be deleted six months after the expiry of the movement control order (MCO).
The current phase of the MCO expires on May 12.
But the expert said in the absence of testing details, the app could be a “time bomb” of data leakage.
“There was a data leak before, and I am worried there might be another one in the future because of this.”
A massive data leak of mobile phone users’ personal details in 2014, only discovered four years later, led to action by MACC against a contractor.
Software developer Khairil Yusof, who is currently leading Sinar Project, an organisation promoting digital rights and government transparency, said the kind of data access the app requires is “overly broad”.
Users downloading the app will be asked for permission for access to phone cameras, GPS locations and phone storage.
The app also asks for permission to run foreground services, draw over other applications, prevent users’ phones from sleeping, receive data from the internet and pair with Bluetooth devices, among others.
Khairil said even though these permissions are normal for mobile apps, privacy concerns over the Gerak Malaysia app were amplified because the Personal Data Protection Act 2012 does not apply to the government.
“The government has powers of enforcement and surveillance that other mobile app developers do not have,” Khairil told FMT.
He said it was not unusual for governments to store information on their citizens such as their health status, address and income, with curbs in place on the sharing of data between government agencies.
“This is normal, in order for the government to plan and provide effective public services.
“But where you eat, where you go, who you meet, when you wake up, what you buy, where you live, the photos you take, who your friends are – these are not collected,” he said.
He said it was this “access to daily personal activities” and risk of “total surveillance” that had sparked concerns about Gerak Malaysia.
Khairil also said a major concern was the storage of data in a central server.
“This substantially increases the risk of a large-scale data leak. The public has been given few if any technical details on what steps have been done to reduce the risk.”
But another expert disagreed, saying the application was no different from other commonly used mobile applications.
‘No different from popular apps’
SL Rajesh, who heads the computer forensics department of the International Association for Counterterrorism and Security Professionals Centre for Security Studies, said the location data required by the app was not a problem.
“Waze has our location, GoogleMaps has our location. Many other applications have our locations, too. I don’t see any threat,” he said.
But Rajesh agreed that a full audit was needed to systematically study the concerns over security.
He said access to messages and storage was also common with other applications made for iPhones and Android phones.
“The public does not need to worry about whether or not the government is going to track us or whatever. It is just giving them access to control the app for whatever reason they’re publishing this app.
“If the people feel that this is bad, or that the government can track us, they can always uninstall the app. If you uninstall it, the government has no access.” - FMT