00:00Hi, welcome back to Consider This. I'm Melissa Idris. Let's continue our discussion about our
00:16mobile personal data. Now, this after it was revealed that MCMZ had directed telcos to hand
00:22over anonymized mobile personal data to be used as a new data source in producing official
00:30national statistics. Well, joining me now to discuss this further is C.F. Fung, who is the
00:36chairman of the cybersecurity consultancy LGMS Berhad. C.F., thank you so much for being on the
00:42show with me today. So, authorities are saying that this is anonymized data, but I'm just wondering
00:48from a cybersecurity standpoint, what does anonymization actually entail? Because I'm just wondering
00:55how easy is it to reverse or to re-identify individuals from that anonymized data?
01:04Thank you, Melissa. I think the key point here is re-identifying back the data. You see, anonymization
01:10is a very standard process. It basically means that you take a whole series of information,
01:14break it down, randomize it, or even adding noises to make it unrecognizable. And it means
01:21instead of showing your information, it becomes data. You know, we break the information down.
01:25Now, the question is that coming from a technical standpoint, my question is that
01:29what kind of anonymous process were there in place? And because the anonymizing process was not
01:36disclosed, there isn't much transparency involved. So, even coming from a technical standpoint,
01:41I will be a bit curious of how, what kind of effort, what kind of strength of this anonymity
01:47will be in place. Because data, if it's not anonymized properly, can easily be piece to piece
01:53back together and re-identify together. In a way, there's no secrecy, you know, as what we want to
01:59achieve earlier. I mean, the secrecies are gone. So, I think the major concern, why people are still
02:04still so concerned about this? Because it's also due to one of the massive data leak cases
02:10that happened back in 2017. It's also involved MCNC. It's also involved a contractor that MCNC
02:15contracting data outsourced to. And it's also concerned with transparency matters. Because when that
02:21incident happened, and there wasn't much transparency and public consultation of how the data were collected
02:27and how the data was managed, I guess this also applies in this case. Because there was lack of
02:32transparency. I mean, personal point of view is there was no public consultations. Therefore, I mean,
02:38coming from a technical standpoint, at least if we can justify how we anonymize the data, at least that
02:44will give some kind of comfort to the public. So, is there an industry standard for anonymization? Is there,
02:52I mean, a certain threshold that industry has to meet in terms of this? Or is this just kind of the
02:57wild west, anything goes? Well, unfortunately, there isn't any clear guideline to define what
03:02anonymization means. But then again, you see, if you have a clear, transparent ways, with algorithm,
03:10you know, a formula to do anonymization, and also you have a third party to do an oversight overview
03:16about how you do transparency and how you do anonymization, that will greatly establish the
03:20transparency and boost the confidence of the public. But in this case, which is lacking,
03:25and that's why the concerns are there. Okay, so you mentioned the 2017 data breach. I think many of
03:33us still remember and are quite traumatized by. When we think about how much time has gone and maybe
03:39advances in cybersecurity and the awareness of those who hold our data and PDPA coming into practice the
03:47past 10 years, how secure do you think this practice is of these large tranches of data being transferred
03:54from telcos to government? Are there still risks of leaks or hacks happening either during transit or
04:00during storage? Well, to be fair, I mean, I can't comment how, you know, how competent the government
04:06or the contractors are working on this data this round. But what I would like to emphasize is this,
04:10why Malaysians are still so concerned about MCMC's action in collecting data, because what happened
04:18back in 2017 are still haunting us. Today, we can still find personal data, Malaysian personal data,
04:24particularly down to IC number, home address, a phone name in the dark web. So if any hackers or any
04:31scammers want to look out for personal data of a particular person, they can do so easily in the dark
04:36web. And that itself has created a very significant impact into our lives. Today, we have unlimited
04:43number of scam calls, spam selling, and all these also attribute partially to this because of this
04:50data leak. Now, when it comes to this round, when MCMC given the instructions and directives to their
04:55telco, and this is also, I mean, I think MCMC could have done a proper, I would say more
05:01educate PR to at least inform the public and then share with the public in a transparent manner what
05:08kind of methods they're using to anonymize the data. And at least give some assurance, you know,
05:13assurance as in, yeah, we have PDPA, not that kind of assurance. Assurance is more technical,
05:19more comprehensive, and granular, where, you know, the assurance given can be validated, you know,
05:25by a third party, by experts. And this is kind of assurance that what we would be expecting MCMC to do.
05:31But regardless, I mean, even if MCMC does give us the assurance or the information of how the data
05:39is anonymized, it's not like we can opt out from it. Yeah, I think it's beyond our call to say MCMC
05:46can't do this. But then again, we also want to clarify this, PDPA does not apply to government.
05:51That is the thing, that's the catch. Right. Okay, so can I ask you then what kind,
05:57what guardrails you would like to see. So this directive, as we've just heard previously from
06:03our previous guest, is in line with law. So it's the government's prerogative to ask for these types
06:09of data sets from telcos. But what would you, as a cyber security expert, looking out for users who
06:16are concerned about their data and their privacy, what guardrails would you like to see for project,
06:23mobile phone data, and other types of projects in the future like that?
06:26Yeah, I'm pretty sure the reason there's a rationale behind why MCMC wanted to collect the data for the
06:30benefit of the country. Then again, what gives me the comfort is that if MCMC will establish a series
06:37of workflow where it can include oversight of independent parties, oversight of parties that
06:45have no conflict of interest, and experts. And together with all these, then at least we have
06:50some kind of assurance. Whatever has been planned, executed accordingly, and with the correct steps,
06:58correct protection measures being in place, and that will give us the comfort.
07:04Do you worry or see any risk that this type of mass data request could set a precedent for
07:13more routine surveillance? And I'm just wondering whether this one was just a one-off, and maybe with the
07:19rationale of using it for national planning or for national statistics, is there any part of you
07:24that is concerned that this could open the floodgates for routine state surveillance?
07:29Absolutely. This is also one of my major concerns, because you see, when this directive was given,
07:35it was not shared with the public in a public way. It was only addressed to the telco. Now, one of my
07:43fears is that would this become a routine surveillance, or would it become a something that's, you know,
07:50become part of the routine? This is also my concern. That's why I say end of the day is back to the PR,
07:57you know, of whether any, it's not regardless of just MCMC upload. Any government agency for any kind of
08:05activities or any kind of initiatives that involve the public's interest, I think it is fair to be open,
08:11transparent and shared initiatives as much as possible to the public, at least a public consultation,
08:18and also have experts, neutral parties to provide the assurance and do a check and balance. Right now,
08:25nobody is expecting you, and that's a concern.
08:29I just, on the flip side, I do want to say there are certain camps of people who say, well, you know,
08:35it's just mobile phone data. What is the worst that could happen? I've got nothing to hide.
08:42As someone within the industry who has seen kind of the edges of where this, of where, you know,
08:51how data can be misused, can I ask you how you would respond to push for more privacy or to convince
09:04those that we should be considering the privacy, upholding the right to privacy for our personal data?
09:11So if you don't mind me going back to the basic principle, you see, when all these data fields,
09:16when they are all by itself, it basically is meaningless, it's harmless. For example,
09:19if I put a spreadsheet of all the IC numbers, just IC number alone, it is not harmless. However,
09:25if I tie the IC number with a home address, and then further with a full name, then it becomes
09:31information. When you have a lot of information put together, then you have intelligence. Now,
09:36intelligence is something kind of scary because it allows the authorities, it allows the bad guys,
09:42it allows the people to, based on intelligence, we can do a lot of, we can derive through a lot of
09:49knowledge and that can further help us to do what we need to do. For example, if I have a group of,
09:56a set of data that, that belongs to a certain age group, and then I can, based on the data, I can look
10:02at where do they live, I can give, I can get some kind of intelligence of what needs to be, what can I
10:08do with this kind of data later on. So that's why, regardless whether today we are talking about
10:16personal data, national secrets, I think any information, any information should be treated
10:22seriously. We need to put in safeguards in place, because we will never know when are these
10:28informations that are going to be exploited, whether by the good guys or the bad guys,
10:32regardless, but I think any information should be treated equally.
10:37Yeah, our data is ours, right? Sia, thank you so much for being on the show with me today and kind of
10:43giving some insight into what risks lie ahead if this data is not utilised properly, and what we
10:50can do to protect ourselves. Thank you, Sia, for your time. Sia Fong there from the Cyber Security
10:55Consultancy, LGMS Berhad. That wraps up this episode of Consider This. I'm Melissa Idris,
11:01signing off for the evening. Thank you so much for watching. Good night.
Comments