Read on Twitter
If you do one thing today, go to this: https://www.mcmc.gov.my/en/national-digital-id/ra-ndid and submit your thoughts & questions abt a proposal for a national digital ID system for Malaysia. The deadline for input is today.
This is a thread.
#privacy #bigdata #digitalidentity
This is a thread.
#privacy #bigdata #digitalidentity
The first question probably is, what is a national digital ID system? Why should you care? How is it different from NRICs that we already have?
The idea basically is that every person is assigned a number or ID to do stuff online. This ID is then connected to your in person govt-issued ID, i.e. your NRIC. So basically, whatever you do online, is connected to your NRIC.
This can include registering for govt services like financial aid or schools (which is what is being promoted), to all your Grab deliveries (seems suggested), to making appt with doctor (& maybe even details abt that?), to.... your comments on @malaymail?
Maybe you think we’re already doing this. What’s the big deal? The difference is:
a) We’re only doing some of this, not all (you don’t need your NRIC to e.g. make a comment online, or call a cab)
a) We’re only doing some of this, not all (you don’t need your NRIC to e.g. make a comment online, or call a cab)
b) Our information and data are being held by different parties, and if it is commercial, in theory, it has some privacy protections under the Personal Data Protection Act #PDPA
c) It’s not at risk of being mandatory – i.e. potentially no digital ID, cannot do anything, because currently it’s not a system that is centralised and pushed for by the govt in the name of functional governance
d) The fact that we have to use our NRIC – which has sensitive info like name, address, age, gender, religion, and maybe even bank account details if linked – for all kinds of transactions, is already a big problem that needs to be looked at. This is adding fuel to flame.
What are some of the concerns?
1. We have very poor legal safeguard to collection, treatment and storage of personal data in Malaysia currently. The #PDPA is narrow in ambit, it needs a rehaul. It doesn’t cover any data transactions by the government.
1. We have very poor legal safeguard to collection, treatment and storage of personal data in Malaysia currently. The #PDPA is narrow in ambit, it needs a rehaul. It doesn’t cover any data transactions by the government.
The govt is potentially the largest collector and dealer of personal data.
It’s incredibly and incredulously rare for govts to be exempt from data protection regulations in any country. Why are we still here?
It’s incredibly and incredulously rare for govts to be exempt from data protection regulations in any country. Why are we still here?
Without adequate safeguards, all measures – whether by govt, private sector or GLCs – should be extremely modest in scope, reviewed for privacy & other human rights assessment, & we really shouldn’t be advocating for any kind of extra data collecting & monitoring measures without
This is also why I was really alarmed by SeLANGKAH, MySejahtera etc etc etc in the name of public health and crisis. It’s okay to do public health surveillance at a time of public health crisis – the question is, what are the safeguards to this data?
Where is data stored? What will it be expressly and limitedly be used for? Who will process it? Who can have access to it apart from the govt agencies in charge? What else can it be used for? Can we have access to data collected about ourselves? When will it be deleted? & so on..
None of these questions have been adequately responded to. And yet, we are seeing more moves to make this more and more mandatory. It’s worrying.
(And a relevant impt question is also, how effective has digital health surveillance been in meeting its objective? What about accompanying measures like broadbased testing?)
2. The govt keeps trying to lock us down to 1 ID online. Najib tried in 2011 and got strongly rejected, especially by community of digital and tech developers and content creators. Now, like a bad dream, it keeps recurring. Why is 1 centralised ID a bad idea?
I'm reminded of a joke a few years back, of someone trying to order a pizza. The pizza person asked for an ID, then gave recommendation on what kind of pizza they shld have based on health record, what they can afford based on their bank credit etc. It’s funny, except it’s not.
The MCMC survey is already laying out its ambitions for having this applied also for e-hailing & health. Health data is one of the **most sensitive** kind of info about you. It can subject you all kinds of prejudice & discrim – work, social stigma etc. Again, Q is on safeguards.
Next, e-hailing. Jst think about your habits with @GrabMY Grab over the #MCO period. The problem with one company having such large amounts of data is problematic enough: https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack.
Now imagine that is linked to your IC.
Now imagine that is linked to your IC.
And then picture all data linked to your IC – from taxi, to hosp, to going to the cinema, to makan, to considering what schools, to applying for loans, to a comment you make on @UMonline all being connected & available to one central body. With little to no privacy safeguards.
How does that make you feel? Safe? Protected? Surveilled?
Sometimes I think it's a bit like imagining you are a teenager, & your parents/guardians having ability to see, know, and in some ways, even predict, where you will go, what you will do, who you do this with, at all times.
The teenager is you. The other party is the govt.
The teenager is you. The other party is the govt.
3. The argument is that digital IDs help the govt to provide services.
Concerns have been raised that needing to have a digital ID for govt services turns it into a **precondition** for services, rather than to make it easier to access.
Concerns have been raised that needing to have a digital ID for govt services turns it into a **precondition** for services, rather than to make it easier to access.
Because digital IDs require all kinds of literacy to make it work in a way that can help everyone.
From basic reading skills (how many Malaysians are not registered for NRIC because of generational poverty and literacy issues?) to digital literacy, and critical info literacy.
From basic reading skills (how many Malaysians are not registered for NRIC because of generational poverty and literacy issues?) to digital literacy, and critical info literacy.
Not to mention issue of statelessness https://theaseanpost.com/article/malaysias-stateless-children
4. Also, identity theft and fraud is a familiar issue in Malaysia. All linked to data linked to NRIC. See this for example: https://www.theedgemarkets.com/article/news-protect-yourself-identity-theft
The burden is always placed on individuals to be smarter, better. & at the same time, the govt is introducing more digital infrastructure we often have no choice but to enter into, w/o similar investment in building people’s capacity to make independent, critical decisions online
To introduce any kind of digital identification infrastructure, some fundamental check and balances need to be there. And there’s been a lot of work already done by digital rights advocates from diff places on what this can look like.
E.g. some recommendations from @accessnow’s research on digital IDs in #India #Estonia and #Tunisia (also cited by MCMC in the survey) can be found here: https://www.accessnow.org/cms/assets/uploads/2019/11/Digital-Identity-Paper-Nov-2019.pdf
Here are some I’m pulling out:
1) Governance - transparent, inclusive & open consultations at the initiation of programmes – this survey is great, but the timeline is short (24 jul – 7 aug = 2 weeks).
It also reads more like customer survey than consultation on public interest.
1) Governance - transparent, inclusive & open consultations at the initiation of programmes – this survey is great, but the timeline is short (24 jul – 7 aug = 2 weeks).
It also reads more like customer survey than consultation on public interest.
2) Ensure a defined and restricted scope of use for the digital ID programme,provided for in the law
:: No laws being proposed for this AFAIK. Not even on improved legal safeguards on data related issues. And the scope seems happily expansive than clear or limited.
:: No laws being proposed for this AFAIK. Not even on improved legal safeguards on data related issues. And the scope seems happily expansive than clear or limited.
3) Make enrollment and use of the digital ID voluntary
:: Gobind when was the Minister who proposed this, said it would be: https://www.cio.com/article/3331296/which-countries-are-implementing-digital-ids-in-se-asia.html. No mention of this in the survey – whether compulsory or voluntary. Lets call for the latter
:: Gobind when was the Minister who proposed this, said it would be: https://www.cio.com/article/3331296/which-countries-are-implementing-digital-ids-in-se-asia.html. No mention of this in the survey – whether compulsory or voluntary. Lets call for the latter
4) Institute robust data protection frameworks to which digital ID programmes are subject
:: This is the minimal call we need to make around this. Have a much stronger and better legal protection framework. And espcially one that applies to the govt.
:: This is the minimal call we need to make around this. Have a much stronger and better legal protection framework. And espcially one that applies to the govt.
5) Ensure that data collection and storage are not centralised
:: Having some information and transparency abt who are the data collectors, processors & where wld it be stored would be good also.
6) Institute "privacy by design" principles in the programme
:: At all levels
:: Having some information and transparency abt who are the data collectors, processors & where wld it be stored would be good also.
6) Institute "privacy by design" principles in the programme
:: At all levels
It’s timely – we’re moving more and more into a digital environment where it is going to be more and more bound up with all aspects of our lives, whether we have access to the internet or not (see how Vevenoah had to climb a tree to take her exams).
It’s time the governance structure and legal framework match the technological and corporate ambitions.
Have tech strengten democratic participation. Not subject us to more centralised control.
Have tech strengten democratic participation. Not subject us to more centralised control.
Again, please go fill in your thoughts in the survey. Ask all the questions you have, including what is this? Ask for better data protection frameworks at the very least.
Deadline is today, 7 Aug.
https://www.mcmc.gov.my/en/national-digital-id/ra-ndid
// #privacy #data #governance
Deadline is today, 7 Aug.
https://www.mcmc.gov.my/en/national-digital-id/ra-ndid
// #privacy #data #governance
