Published in Astro Awani, MalayMail, and Asia News Today, image by Astro Awani.
Much was said by Health Minister Khairy Jamaluddin in Dewan Negara during the special motion on MySejahtera’s questionable dealings on March 31, 2022, but to the disappointment of many, little was clarified.
Khairy reportedly revealed that there was a non-disclosure agreement (NDA) between the National Security Council (NSC) and KPISoft Malaysia Sdn Bhd (now known as Entomo Malaysia Sdn Bhd) dated April 1, 2020, whereby the “ownership of all data and information obtained through the use of the MySejahtera application rests entirely with the government” was said to be part of the terms and conditions.
Even though an NDA is a normal starting point for any discussions between parties, it is also strange that this wasn’t mentioned earlier. The CSR “deal” was initially understood as a lack of any commercial arrangements or legal obligations with KPISoft.
Be that as it may, NDA’s have a defined timeframe after which the terms and conditions may no longer apply unless explicitly stated that the clauses would survive even upon expiry of the NDA.
If the NDA shares the same timeframe as the CSR deal, then it’s worth looking into the applicability of the terms once the CSR deal was over.
As far as ownership of data goes, Khairy’s statement appears to be consistent with what was reported by health portal CodeBlue in that based on a share sale agreement on December 31, 2020, between MySJ’s shareholders, Entomo Malaysia is the owner of “all rights, title, and interest, including all intellectual property (IP) rights” related to the MySejahtera app, and that this excludes “trademark and data collected through the operation of MySejahtera” that are owned by the Malaysian government.
Therefore, it would appear that even though ownership of the app itself may not be settled, ownership of the data appears to be with the Malaysian government.
However, these statements still do not clear the doubt that only the Health Ministry (MoH) has (exclusive) access to the data gathered and processed by MySejahtera, even if it owns it.
On this matter, Khairy also reportedly said that “All data and information obtained through MySejahtera is the property of the government and its security and confidentiality are guaranteed”.
We are left to take this at face value as only through examining the agreement in its entirety, especially clauses regarding “security”, “confidentiality”, “data ownership” and “accessibility” can we confirm finer details such as the names of party/parties defined to be governed under confidentiality clauses and data access and exclusivities, if any.
Khairy doubled down on this and asserted that the Malaysian government also owns “MySejahtera’s IP rights, modules, and source code, and personal data collected through the Covid-19 app”, as reported by CodeBlue.
What is the legal basis for this claim?
Aside from personal data ownership, this appears to contradict the mentioned share sale agreement whereby Entomo Malaysia is the owner of “all rights, title, and interest, including all intellectual property (IP) rights” related to the MySejahtera app, as reported by CodeBlue.
Additionally, there is also the licensing deal to transfer the app’s IP and software license from KPISoft/Entomo to MySJ, and Khairy reportedly mentioned that negotiations with MySJ would not continue should MySJ disagrees that the government owns the app.
Therefore, it is unclear what owning MySejahtera’s “IP rights, modules, and source code, and personal data collected through the Covid-19 app” means, if ownership of the app is still being negotiated between the government and MySJ and if Entomo Malaysia still retains all rights and IP.
As EMIR Research mentioned before, the implication of data ownership without ownership of the app and its rights (if that is indeed the case), may give rise to questions on accessibility, privacy, and security of the data which may not be exclusive to the Malaysian government given that another private entity owns all rights.
On the other hand, if the Malaysian government owns the data, including MySejahtera’s IP rights, modules, and source code, why are there still negotiations with MySJ?
One might even reasonably think that this claimed level of ownership could be tantamount to owning the app in its entirety.
Thus, the stated “far lower than RM300 million” amount in negotiation with MySJ would be questionable, especially if the value reflects any minor remaining items that the government does not already own.
A press statement by the MoH dated March 27 mentioned that on March 26, 2022, the Government has “decided” that the MySejahtera application is owned by the government and that the MoH has been appointed as the primary/main owner of this application for national public health management.
How can the MoH make the confirmation of app ownership while the above-mentioned uncertainties remain?
Another question left unanswered is what the MoH meant when it stated that it has been appointed as the primary/main owner of the application. Who are the other owners of the app? What rights and level of access to the data do these other owners have?
As for server location, Khairy reportedly stated that the server is located at AIMS Data Centre in Malaysia and that “the data can only be accessed for MySejahtera’s usage, as well as support applications that are related to the Covid-19 pandemic only”. He added that these data are guarded through the combined efforts of the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU) and the National Cyber Security Agency (NACSA).
The explanation regarding the level of security surrounding the data in these servers does not confirm that only the government has access to all data and information obtained through the usage of the MySejahtera app, regardless of the physical location of the servers.
Also, for such important data, it is normal to have “mirror” servers and cloud databases elsewhere that have duplicated data for backup purposes.
Specifically, if this is true, what do these rights, titles, and interests that Entomo Malaysia supposedly owns mean when it comes to accessibility to the data collected by MySejahtera?
As emphasised by EMIR Research in prior publications, ownership, and access to data in MySejahtera must remain exclusively with the MoH, and authorities must not only reaffirm that user personal data are fully protected, but also that it has not and could not have been transferred, intentionally or otherwise, to any other parties in whatever form.
Downplaying direct negotiations with MySJ
In an attempt to clarify what appears to be a direct appointment of MySJ, Khairy was reported to have stated the following:
“On the issue of direct negotiations, why this company, this is because when the corporate social responsibility (CSR) period ended, we found a lot more requests for modules and we found that rather than stop and find a new operator, we continue with the existing operator”
This apparent confirmation of direct negotiation and its reasonings are perplexing.
Note that the CSR deal with KPISoft/Entomo started on March 27, 2020, and ended on March 31, 2021.
The cabinet reportedly made the decision for the full transfer of MySejahtera’s ownership to the MoH on November 26, 2021.
What happened within a presumably “limbo period” of eight months between March 31 to November 26?
Within the eight months, was there really no room to “stop and find a new operator” and open up a request for proposal to other potential providers?
So far, there are no indications that the arrangements with KPISoft were exclusive. This means that there was no legal basis to wait for the CSR period to even be over for the government to approach other companies.
That is why, another potential explanation for this questionable sequence of events is that the cabinet’s decision on the matter could be a consequence of the original CSR “deal”, which appears to have “trapped” the government into dealing with whoever KPISoft/Entomo transferred their IP and license to, which in this case is MySJ.
If that was truly the case, was this consequence by mistake or by design?
Vaguely-explained deal with MySJ
The reported RM338 million licensing deal between Entomo Malaysia and MySJ may be quite steep to say the least, especially if MySJ was reported to only acquire a license to KPISoft’s software specifically for MySejahtera “and does not acquire any other rights or ownership interests”.
If that is the case, what can the government get from MySJ with anything “far lower than RM300 million”, as Khairy also reportedly said?
It was reported that the negotiation with MySJ involves “subscription terms”.
What is exactly being subscribed to? What do the terms entail?
If we go by Khairy’s reported statements, then the “far lower than RM300 million” deal cannot be the ownership of data and information gathered from MySejahtera as that has been agreed through the NDA to be fully owned by the government, assuming the terms have not expired.
It cannot be MySejahtera’s “IP rights, modules, and source code, and personal data collected through the Covid-19 app” as reported by CodeBlue, which Khairy asserts the government already owns.
Whatever the amount ends up to be, it cannot be MySJ’s fee for being a mere private operator/manager of the MySejahtera app.
If it’s more than just their operator fee, then surely MySJ wouldn’t want to make a loss either. What company would buy a license for a higher price, and then agree to provide “subscription” services at a lower price?
Unless of course, we speculate that in addition to their “subscription” deal with the Malaysian government, there are other revenue streams for MySJ. If so, what could those be?
Following this train of thought, and assuming the government’s deal with MySJ is only for said subscriptions, who are the other customers of MySJ for the other revenue streams?
The “CSR Trap” notion appears to hold water
Despite the lack of information, it is becoming more apparent that as we attempt to go down the rabbit hole, not only the “corporate social responsibility” sounds more like a sham as it grotesquely mutates without shame into a full-fledge commercial transaction, but it also appears to be “trapping” the government to deal with a questionable private entity without competition.
Relatedly, there should also be an explanation regarding why Malaysia could not develop it in-house. Was there any consultation with ministries and agencies for this?
Singapore reportedly spent SGD13.8 million for the development and acquisition of the SafeEntry digital check-in system and TraceTogether app and tokens
The TraceTogether app was developed by Singapore’s Government Technology Agency (GovTech) with their Health Ministry, reportedly in just over eights weeks and at a fraction of the reported cost for MySJ to license from Entomo.
Technology ecosystem news portal Digital News Asia (DNA), reported that Ravee Suntheralingam, who is a Cambridge-educated Gerak Independent candidate with 23 years in the information and communication technology sector, opined that MySejahtera is not costly to develop after studying its features, and doubts it would cost more than US$238,000 (RM1 million) for the first three modules.
Conflict of interests and risk of foreign ownership not fully addressed
Despite the clear indication of conflicting interests given similar names and individuals appearing across companies and international borders which should warrant deeper investigations, to EMIR Research’s understanding, reports regarding Khairy’s statements have not included any satisfactory clarifications on the matter.
Khairy also appears to have downplayed the issue of foreign ownership by explaining that although Entomo Malaysia’s parent company, Entomo Pte Ltd is based in Singapore, the major shareholders are Malaysians.
On this matter, EMIR Research reiterates the following:
Although Malaysians appear to hold the highest number of shares (if we combine Raveenderen Ramamoothie and Anuar Rozhan’s shares which reportedly account for over 75% of 40.6 million total shares) in DreamTeam Inc (which is the major shareholding company in Singapore-based Entomo Pte Ltd) ultimately there are other shareholders from other countries.
CodeBlue reported that Singapore’s Entomo Pte Ltd has 28 shareholders, consisting of Singaporean, American, and Japanese corporate and individual shareholders, and individual shareholders from Malaysia, India, and Indonesia.
Malaysians reportedly account for only three out of the 28 shareholders, and even if Malaysians appear to have the “controlling” stake by way of majority shares and directorship (Raveenderen and Rekha Mani), by indirect consequence, data gathered by MySejahtera could be accessible, if not outrightly and equally shared to other shareholders.
Again, this is based on the premise that Entomo Malaysia is reportedly the owner of “all rights, title, and interest, including all intellectual property (IP) rights” related to the MySejahtera app, and subject to what these rights and interest mean concerning the data.
Ravee expressed confidence in that many spin-off commercial opportunities can arise from predictive analytics of MySejahtera data, including various types of behavioural modelling for different purposes, as reported by DNA.
Due to the seriousness of the implications of data leak, Ravee reportedly suggested permanent and complete deletion of location data, consolidated or otherwise, and any data arising from predictive analysis. Furthermore, he suggested that anyone or any other parties (aside from the Malaysian government) in possession of such data to face strict punishment such as jail terms.
Despite the assurances given by Khairy in Dewan Negara during the special motion filed on the MySejahtera issue, EMIR Research finds that many assertions and claims are not sufficiently backed up, if not contradictory. Many questions appear to be unsatisfactorily answered, while other issues remain unaddressed.
The Public Accounts Committee (PAC) has summoned both Khairy and the Finance Minister, Tengku Datuk Seri Utama Zafrul Tengku Abdul Aziz to provide clarifications regarding the development and acquisition of the MySejahtera app sometime in mid-April.
Even so, it has been shown that public statements by authorities on this matter are insufficient and there could be limitations for the PAC to investigate the matter. Thus, an independent commission to investigate the MySejahtera debacle must be formed.
Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.