The good, the bad, the ID: Tech experts weigh in on Putrajaya’s new national digital identity

Soo Wern Jun

KUALA LUMPUR, Aug 29 — Putrajaya’s plan to implement a National Digital Identity (ID) is a good idea to make digital transactions seamless, but several tech observers are questioning its security and viability.

Speaking to Malay Mail, they raised concerns as to whether government infrastructure is ready and robust enough to protect the entire nation’s personal data, and whether there is a need for a separate system from the existing national identity card MyKad.

“Do we have sufficient expertise and infrastructure at this moment to support the national digital ID initiative? When our identity goes digital, the amount of effort and trust we need to protect digitised IDs will also increase,” asked Fong Choong Fook, the director of cybersecurity company LGMS.

While agreeing that the initiative is a good move, especially with the country moving towards a digital economy and Industrial Revolution 4.0, Fong warned that a digital ID is more vulnerable to identity theft.

“Imagine if a MyKad is cloned. The process of exploitation may not be simple, but the impact of any abuse is high. Particularly when there is still a large proportion of Malaysian consumers who are not information technology-savvy,” he said. 

Apart from identity theft and online scams, Fong also warned of data privacy issues — with everyone liable to be in “deep trouble” should the infrastructure for storing the data not be maintained securely.

“For example, if the government is accepting digital ID logins, whether the government and private sector have the capability to maintain the security protection is a big concern,” he said. 

“If third-party hackers or foreign nationals get hold of our digital IDs, they can mess with our identities, or use it against our government,” he added. 

Most recently in 2017, 46.2 million mobile phone numbers from Malaysian telecommunication companies and mobile virtual network operators were compromised and leaked online, with the offender believed to have been trying to sell the data for a quick profit. 

“Even our telcos could not protect our personal information. Can we hope that our government can do better?” Fong asked. 

Is the MyKad not enough?

Earlier this week, the Communications and Multimedia Ministry announced that the Cabinet has approved the implementation of the ID initiative, with studies expected to be completed by 2020.

This would be the second time Malaysia is proposing such a system, after the poorly-received and controversial 1Malaysia email project in 2011 that was supposed to form the basis of a national digital ID.

The 1Malaysia email project was a government initiative to provide a unique and official email account and ID for Malaysians and would allow them to receive statements, bills and notices from the government.

Cybersecurity expert and technology blogger Keith Rozario explained that the national digital ID is meant for online transactions, while the MyKad is meant for transactions which require you to be physically present. 

“You can’t use your MyKad to perform an online transaction, at least not without a hardware card reader,” he said. 

“Your identity throughout government systems is quite decentralised. In theory, your registered name and address at the Employees Provident Fund can differ from the income tax department, which in turn can be different from any local or state government system you use. 

“Think of it like logging on to a service using your Facebook ID — the concept is similar,” he added. 

Shawn Tan, a chartered engineer specialising in programming, explained that the MyKad has always had the ability to be used as an electronic identity, even since its inception. 

MyKad was introduced in 2001 by the National Registration Department as a replacement for the previous National Registration Identity Card.

“However, the cost of purchasing card readers, renewing public key infrastructure certificates every few years, and the fact that the certificates can only be purchased from selected authorities, as stipulated under the Digital Signatures Act 1997, make it inconvenient for most people to use,” said Tan. 

In addition, only select people, such as government employees, could have benefited from it, said Tan, who was formerly involved in government jobs and designed a universal authentication platform system which uses the MyKad as one of its authentication methods.

He admitted that any system that would pass on the costs to the end-users and the authenticating parties will likely be met with resistance.

“The system will also need to be designed in the open as any confidential or proprietary system will be met with distrust from the public,” he added. 

The way forward

On the brighter side, Fong highlighted that should the system be successfully implemented with ideal security measures in place, the country would be ahead of many others.

“As far as I know, Estonia is one of the earlier adopters of national digital ID. They can even vote online using their digitised ID. 

“Singapore will be launching theirs in 2020,” he said, adding that Thailand is also in the midst of rolling out a national digital ID.

In comparison, India is currently facing structural flaws after implementing its national digital ID in 2009: personal data associated with the Indian national digital ID, or Aadhaar ID, was reportedly being sold in alternative markets for as little as 500 Indian Rupees (RM29.35).

Last year, Human Resources Minister M. Kulasegaran said Putrajaya is keen to update MyKad with something similar to India’s Aadhaar model that uses unique random 12-digit numbers.

To remedy this, Tan suggested that the data be protected in a way that would prevent the government from having unfettered access to citizens’ personal data.

“These things are achievable. For example, by ensuring that the keys are held by end-users, and not stored with the government,” he said, pointing out that it will be unnecessary to hold all the information in a central database. 

Tan said it is possible to have an identity be distributed across multiple databases, each holding a small subset of information, and the user is allowed to choose which identity to use when registering on a third-party site. 

“Every government ministry could run its own identity provider server, that is self-managed, holding only data that it needs, and we can choose to identify ourselves to a bank with data from the Finance Ministry identity, or identify ourselves to a hospital with our Health Ministry identity,” he said. 

Tan went as far as saying that a well-designed system can even improve personal privacy with respect to the third parties relying on the system.

“A website which requires registration does not even need to know who we are, to be able to authenticate us. 

“However, this was one of the difficulties we faced when trying to roll out our system previously, as many software developers found it hard to integrate into existing systems that needed personal information to be collected, for example, email addresses,” he added.

As for Fong, he called for the government to increase awareness of IT-related crimes, such as online scams. 

“We still have many online scamming issues, happening almost on a daily basis. This is a clear indication of inadequate awareness. 

“If the digital ID is implemented, I think there is a lot more awareness and education the government needs to do in order to benefit from digital ID efficiencies,” he added. 
