One of the positive outcomes of the COVID19 pandemic is the development and improvement of pandemic management, from the rollout of vaccines and quarantine procedures to close-contact tracing using the MySejahtera app.
And thanks to these action plans, our medical front-liners were not overwhelmed by the number of severe cases and we were able to recover from strict lockdowns and a high number of cases.
PAC Findings
Now there is concern over recent news: MySejahtera was supposed to be developed and owned by the Government, but it now seems that things are not as they are supposed to be.
Although the government claims to own MySejahtera, Parliament’s Public Accounts Committee (PAC) reveals that the Covid-19 app was actually developed without a contract with the company that created it.
A Cabinet meeting on November 26 last year approved, in principle, direct negotiations to appoint a new company, MySJ Sdn Bhd, that had received the MySejahtera “system” developed by KPISoft Malaysia Sdn Bhd, Finance Ministry government procurement division deputy secretary Rosni Mohd Yusoff told a meeting last March 8 between the PAC and senior officials from the Ministry of Finance (MOF), the Ministry of Health (MOH), and the Ministry of Science, Technology and Innovation (MOSTI).
Harjeet said the Health Ministry’s negotiations with MySJ haven’t begun yet as it had only just received approval from MOF for direct negotiations.
The meeting transcript showed that both MOF’s Rosni and MOH’s Harjeet were uncertain about the status of MySJ – with Harjeet initially believing that MySJ was just a new name for KPISoft.
When Harjeet said MOH needed MySJ to show proof that it was the same company as KPISoft and that it had developed the MySejahtera system, with just a name change, PAC chairman Wong Kah Woh questioned why this would take four months since such checks would only take 10 minutes.
“The shareholders are also not the same as KPISoft Sdn Bhd,” said Wong.
“It looks like these two companies are not just different entities, but completely different ownership. They are not from the same people. So what I can conclude, or at least I can guess here is that KPISoft Sdn Bhd has sold all rights and interests in the MySejahtera application to a company named MySJ Sdn Bhd.”
(Source: Code Blue)
Several disturbing facts have now come into the open, namely:
- The Government did not develop MySejahtera
- The Government did not have any contract with the original developers of MySejahtera
- The Government now wants to make a new contract with a company that is not related to the original developers of MySejahtera
It is also stated that the new company that is negotiating with the Government has purportedly bought over the intellectual property and the rights to the MySejahtera app from the original developers of MySejahtera:
CodeBlue reports that MySejahtera’s original developer, Entomo Malaysia, agreed to transfer the intellectual property and software licence for the app to MySJ Sdn Bhd for RM338.6 million. Court documents show that the deal would last until the end of 2025.
(Source: Code Blue)
Fears On Social Media
Understandably, these revelations have gone viral and have triggered grave concerns on social media, especially on the issues of personal data security, invalid ownership and potential additional cost to taxpayers.
@esshimself please investigate this MySejahtera fiasco being investigated by the PAC. Concerns National Security since public data of 38M people is subject to the app which is developed and owned by a private entity with no agreement in place with the Govt. There's no free lunch.
— Sayyed Alif Khan (@sayyedalifkhan) March 26, 2022
It is even being raised by opposition politicians:
It is shocking MySejahtera has been sold to a private company. Our data & details are no longer safe anymore. It is too late to uninstall. This is worrying and it must be rectified now. The govt is fully responsible for this mess & it must go. Our national security is at stake.🔥🔥 pic.twitter.com/VNUX115wiA
— Nga Kor Ming (@NgaKorMing) March 27, 2022
Interestingly, the issue of data security was addressed in the PAC proceedings, and what was described seems to be in line with industry practice:
Dr Mahesh Appannan, senior principal assistant director of MOH’s disease control division, told the PAC that KPISoft is “still a vendor designated to develop all MySejahtera modules.”
“It still is, but all governance that will look at the development of MySejahtera is from various agencies, including Mampu, NSC, MOSTI, and also MOH.”
He also said MOH “has been the owner of all data” from “day one”, while NACSA controls cyber security over the MySejahtera app.
“They look at all our data acquisition, our data extraction to access and what not with the permission of our Director of Disease Control.”
When PAC member Azizah Mohd Dun asked who was currently managing MySejahtera, Dr Mahesh replied: “We only use the platform provided by the said company.
All of the data management, module management, and the like are under the Ministry of Health together with the technical committee comprising various agencies.”
(Source: Code Blue)
It is acknowledged that KPISoft is the original developer of MySejahtera, but the Government, through its relevant cyber and technical departments, has also taken the necessary steps on data security.
Standard software development consists of several phases, such as planning, requirements, development, deployment, testing and maintenance. However, there should be a valid contract to ensure both parties' rights are protected and the work is delivered as per the agreed scope.
Ideal Procurement Practice
Many of the comments about MySejahtera on social media are made by people who are not familiar with how the system works, and this includes a number of politicians. It would be good if we could get an app system analyst or database admin to provide a technical summary on this.
Note: we are not privy to the contracts made between the Government and the app developers, so this will be based on an ideal situation. The Government would be the customer who provides the scope of the app, but it cannot be the owner of the app as the app was not developed by the Government or any of the Government agencies (the owner would be the app developer, KPISoft).
The Government is licensed (probably exclusively) to use the app and may pay an annual license fee for bug fixes, upgrades and other support. Now, an app is different from the database. A lot of people seem to confuse the two, as they are raising data security concerns about the app itself.
An app is a program that is installed on the phone, whilst the database stores the data that is entered via the app and is where analysis is done on the raw data collected from that input. The database is usually located at the customer's data centre because the data belongs to them, whilst the app source code is kept by the owner (KPISoft) because the intellectual property belongs to them.
So is the database in danger if the IP of the app is sold to another party? The answer is no, because the app developer will not have access to the production database.
To give an analogy, it is the same as the Government using MS Word in its offices: it is licensed to be used by the Government, but the MS Word source code and programs belong to Microsoft. However, the documents created using MS Word belong to the Government. Same case here.
The app developer will usually use dummy data for app development and bug fixes. It is the customer's (Government's) obligation to ensure the integrity and security of the data in its care (because the database servers are in its care), not the app developer's.
The customer (Government) will need to deploy security infrastructure such as firewalls, data encryption and multilayer passwords to ensure no data breach happens. It needs to mask the data if the data is required for troubleshooting by the app developer. It must also mandate regular penetration tests to ensure that security standards and best practices are applied to the app backend and frontend.
The confusion between the two is, unfortunately, fuelling unnecessary concerns.
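The masking step mentioned above, sketched as an added example that is not part of the original post and is not MySejahtera code: the data owner builds a troubleshooting extract from an allow-list of columns, replaces the ID with a keyed one-way token so related rows still line up, and keeps the key to itself. The field names, sample rows and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample rows; field names are hypothetical, not MySejahtera's schema.
SAMPLE_ROWS = [
    {"name": "Aminah Binti Ali", "id_no": "900101-01-1234", "phone": "0123456789",
     "location": "Mall A", "checkin": "2022-03-26T10:15:00"},
    {"name": "Aminah Binti Ali", "id_no": "900101-01-1234", "phone": "0123456789",
     "location": "Clinic B", "checkin": "2022-03-26T14:40:00"},
    {"name": "Tan Wei Ming", "id_no": "850505-10-5678", "phone": "0198765432",
     "location": "Mall A", "checkin": "2022-03-26T10:20:00"},
]

def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token: the same input gives the same token, so rows can
    still be correlated, but it cannot be recomputed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def mask_phone(phone: str) -> str:
    """Keep only the last two digits; very short values are fully masked."""
    digits = [c for c in phone if c.isdigit()]
    if len(digits) <= 2:
        return "*" * len(digits)
    return "*" * (len(digits) - 2) + "".join(digits[-2:])

def mask_row(row: dict, key: bytes) -> dict:
    """Build the vendor-facing row from an allow-list, so any PII column added
    to the schema later is dropped by default rather than leaked."""
    return {
        "person": pseudonym(row["id_no"], key),
        "phone": mask_phone(row["phone"]),
        "location": row["location"],
        "checkin": row["checkin"],
    }

def mask_export(rows: list, key: bytes) -> list:
    """Mask every row of an extract before it leaves the data owner."""
    return [mask_row(r, key) for r in rows]

if __name__ == "__main__":
    # The key stays with the data owner and is never shipped with the extract.
    demo_key = b"constructed-demo-key"
    for masked in mask_export(SAMPLE_ROWS, demo_key):
        print(masked)
```

Using a fresh key for each extract prevents two extracts from being joined against each other on the token.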
Final Say
Despite the assurances from the Government, one has to wonder how the Government intends to take ownership of the MySejahtera app if there was no contract in the first place:-
Khairy Jamaluddin told MySJ Sdn Bhd today that the government would not continue with negotiations on MySejahtera if the company insists that it owned the Covid-19 app.
The health minister said the Ministry of Health’s (MOH) current discussions with MySJ – which received MySejahtera’s software licence and intellectual property rights from the app developer, Entomo Malaysia Sdn Bhd (formerly known as KPISoft Malaysia) – revolved around the management of the platform, or provision of software as a service.
“MySejahtera is owned by the government, its data is owned by the government,” Khairy told a press conference after launching the United Nations University-International Institute for Global Health’s launch of a book titled “Malaysian Health Care: Building for Future Excellence, Equity & Resilience”.
“If they disagree that MySejahtera is owned by the government, except maybe certain platforms that need their source code and such, then we won’t continue with the agreement.”
(Source: Code Blue)
If the new company has paid RM338.6 million for KPISoft's intellectual property and software licence for the MySejahtera app and there was no prior contract between the Government and KPISoft, how does the Government intend to make the app theirs without addressing the RM338.6 million?
No forward-thinking company in its right mind would sell off its golden goose. No doubt the matter is of public interest and sensitive, considering that MySejahtera is mandatory and is a vital component of the national COVID19 management initiatives, but we are focussing on the wrong side of the issue.
Both KPISoft and MySJ Sdn Bhd are private entities that are not linked to the Government, and since there is no prior contract that stops any sale of the MySejahtera app, nothing stops KPISoft from selling its MySejahtera app to MySJ Sdn Bhd, provided MySJ Sdn Bhd keeps the existing obligations and terms of work for the MySejahtera app.
So, it is very doubtful that the Government will be able to get hold of the intellectual property and the source code to "own" MySejahtera. Not without throwing RM338.6 million of taxpayers' money into the deal.
The Government should instead look at keeping the database secure, safe from any manipulation and abuse, and inaccessible to others. This is the key area that we all should be focussing on at the moment.