Last week, a friend sent me a viral video by ‘Fat Bidin’, highlighting privacy concerns about the MySejahtera app. The same author (a.k.a. Zan Azlee) also wrote a comment piece in Malaysiakini explaining his concerns over the Government’s contact tracing application.
Specifically, he was concerned that MySejahtera had a “slew of different capabilities that is very much of a concern, such as:”
- Pair with Bluetooth devices
- Directly call phone numbers
- Find accounts on your phone
- Read your contacts
- Read the contents of any external storage on your phone like SD cards
- Modify or delete the contents of your SD cards
- Prevent phone from sleeping
- Modify your contacts
Wow, that’s a worrying list. But just where did Fat Bidin get this list from?
It comes from the fine folks at Exodus Privacy, which describes itself as “The privacy audit platform for Android applications“. Exodus Privacy is run by hacktivists, and although Fat Bidin claims it has an affiliation with Yale University, I’m unable to find anything to verify that, other than articles stating they worked together once in 2017.
Permissions vs. Actions
I’m not saying that Exodus Privacy isn’t to be trusted; on the contrary, I believe it to be very accurate. I disagree with the conclusion. This is the list of permissions the app requests, not the list of actions the app actually performs. The permissions are declared in the app’s AndroidManifest.xml and extracted statically from the APK; nothing in that list shows whether the code ever exercises them. Exodus explains this difference on their site.
Sure, it sounds like semantics, because why would the app ask for permission for something it doesn’t use? Well, if you’ve been around in technology for as long as I have, you’ll recognize this to be a very(!) common pattern. My opinion (humble as it is) is that one should never attribute to malice that which is adequately explained by poor design. An app asking for permission to do something doesn’t necessarily mean the app will actually do it.
I have my wife’s permission to wash the dishes everyday — but that doesn’t mean I actually do it.
So let’s dig deeper.
Using Exodus Privacy, I looked up what permissions TraceTogether and NHS Covid-19 use; these are similar apps from the Singaporean and UK governments respectively. Lo and behold, they both request the same Bluetooth pairing permission, with Australia’s CovidSafe going further and requesting Bluetooth admin rights as well.
Perhaps MySejahtera isn’t made for the same purpose as these apps, but it goes to show that Bluetooth pairing on a contact-tracing app is quite normal. Another worrying action highlighted by Fat Bidin was “Reading external storage”. This permission was present in TraceTogether but not in the NHS or Australian apps; again, I’m no expert, but I suspect it’s not abnormal either.
The cynics among you might point out that ALL governments want to spy, and this is indicative of government behavior. Then, let’s look at non-government apps.
If we continue to browse Exodus Privacy for applications that request external storage access, we find apps including MiFit, Weather App, and even Oral-B (like, what?!). The Oral-B application had Bluetooth admin access (which MySejahtera didn’t), and MiFit requested more than twice the permissions MySejahtera did.
Let that sink in: an app for a toothbrush is asking for more permissions than a contact tracer from the government.
Which all goes to show that this is common in the Android ecosystem, and the loose permissions of the MySejahtera app are more easily explained by the status quo of Android than by a government super app designed to spy on citizens.
But what about the contact information? Surely the app can’t have any business accessing and modifying contact information.
You’re right — it shouldn’t.
And it doesn’t!!
If you go into Exodus Privacy and type in MySejahtera, you’ll see that it doesn’t have those rights, at least not in the current version (v1.0.25); it’s only the older version (v1.0.10) that had them. But why would Fat Bidin reference the older, more permissive version instead of the latest one?
To be fair, the latest version was only scanned by Exodus Privacy on 20 Nov (the same date as the comment piece in Malaysiakini), so it probably just wasn’t there when he made the video or posted the comment. So at least some improvement is being made.
Did the developers change the app on the same day, because of Fat Bidin’s comment? It’s highly unlikely they’re that efficient (vanishingly unlikely, I’d say). They’d have to compile, build, test and release a new version, while simultaneously hoping Exodus picks up their latest release and scans it.
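To make the “permissions, not actions” distinction and the version-to-version comparison above concrete, here is an added example. It is not part of the original post and not Exodus Privacy’s own code. Exodus reads the `uses-permission` entries out of the APK’s AndroidManifest.xml; this script does the same on two constructed manifests standing in for an older and a newer build of a hypothetical app. The package name `example.tracer`, both permission sets, the version strings and the “decompiled code” strings are assumptions made up for illustration, and the dangerous-permission set and API hints are an approximation of Android’s own tables, not a complete list.

```python
"""Declared permissions vs. actually exercised APIs, plus a manifest diff.

Added example; the manifests, package name and code strings below are
constructed for illustration and do not come from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Subset of Android's "dangerous" (runtime-prompted, user-revocable) permissions.
# Everything else below (BLUETOOTH pre-Android 12, WAKE_LOCK) is "normal":
# granted silently at install time and not toggleable in Settings.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Approximate tell-tale strings a decompiler (smali/strings) would show if the
# code actually used the permission. Assumed heuristics, not an Android table.
API_HINTS = {
    "android.permission.BLUETOOTH": ("Landroid/bluetooth/BluetoothAdapter;",),
    "android.permission.CALL_PHONE": ("android.intent.action.CALL",),
    "android.permission.GET_ACCOUNTS": ("Landroid/accounts/AccountManager;->getAccounts",),
    "android.permission.READ_CONTACTS": ("Landroid/provider/ContactsContract",),
    "android.permission.WRITE_CONTACTS": ("Landroid/provider/ContactsContract",),
    "android.permission.READ_EXTERNAL_STORAGE": ("Landroid/os/Environment;->getExternalStorage",),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("Landroid/os/Environment;->getExternalStorage",),
    "android.permission.WAKE_LOCK": ("Landroid/os/PowerManager$WakeLock;->acquire",),
}

# Constructed "older build": declares contacts and account access.
OLD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.tracer" android:versionName="1.0.10">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

# Constructed "newer build": the contacts/accounts declarations are gone.
NEW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.tracer" android:versionName="1.0.25">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

# Constructed stand-in for `strings` over the newer build's dex code: it
# scans over BLE, holds a wake lock and touches external storage, but never
# fires a CALL intent despite declaring CALL_PHONE.
NEW_BUILD_STRINGS = [
    "Landroid/bluetooth/BluetoothAdapter;->getDefaultAdapter()Landroid/bluetooth/BluetoothAdapter;",
    "Landroid/bluetooth/le/BluetoothLeScanner;->startScan(Landroid/bluetooth/le/ScanCallback;)V",
    "Landroid/os/PowerManager$WakeLock;->acquire()V",
    "Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;",
]


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values, as Exodus lists them."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def classify(perms):
    """Split declared permissions into runtime-revocable vs. install-time ones."""
    return {
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "normal": sorted(p for p in perms if p not in DANGEROUS),
    }


def diff_permissions(old, new):
    """What a newer build dropped or gained relative to an older one."""
    return {"removed": sorted(old - new), "added": sorted(new - old)}


def likely_unused(perms, code_strings):
    """Declared permissions with no matching API call site in the code strings.

    Only permissions with a known hint are judged; a hit means "probably used",
    a miss means "declared but nothing in the code appears to exercise it".
    """
    unused = []
    for perm in sorted(perms):
        hints = API_HINTS.get(perm)
        if hints is None:
            continue
        if not any(h in s for s in code_strings for h in hints):
            unused.append(perm)
    return unused


if __name__ == "__main__":
    old, new = declared_permissions(OLD_MANIFEST), declared_permissions(NEW_MANIFEST)
    print("v1.0.25 declares:", classify(new))
    print("changed since v1.0.10:", diff_permissions(old, new))
    print("declared but apparently unused:", likely_unused(new, NEW_BUILD_STRINGS))
```

Two things this separates that the Exodus listing collapses: which declared permissions a user can actually revoke (the `dangerous` set), and which declarations have no code behind them. For an installed app on a real device, `adb shell dumpsys package <pkg>` shows the requested and currently granted permissions, and `adb shell pm revoke <pkg> <permission>` withdraws a runtime one.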
Which brings me to my next point.
Spying doesn’t suddenly make us competent
I find it fascinating that many Malaysians believe the Government is incompetent at everything except spying. When the topic of spying comes up, suddenly a sleepy, incompetent government bureaucracy kicks into hyper-efficiency.
Back in 2016, in the wake of the Hacking Team breach, I read hundreds of emails between Hacking Team and various government agencies procuring their spyware. And believe me, they are rife with incompetence; just read this exchange where they discuss basic home networking equipment.
To reference more recent events, the MITI website crashed after only 100,000 applications, let alone 13 million Malaysian users uploading their contact details?!
Of course, I’m not arguing that we take comfort in incompetence, but we have to be realistic about what the government is trying to achieve. I’m no fan of the government, but I believe that many Government officials are just trying to do the best for Malaysia with the limited resources they have.
And accusing them of abusing the MySejahtera application for spying, especially when there’s no evidence, isn’t very effective in helping us combat this novel problem.
Efficacy of contact tracing
I’m also not saying contact tracing is super effective; we’ve learnt that it only helped us identify 4% of the population, and a report to the Australian cabinet put it rather politely that “There is scarce evidence on the effectiveness of digital or automated contact tracing.”
But a peer-reviewed study on SwissCovid (which uses the Google and Apple exposure notification protocol) seems to suggest a contact-tracing app does indeed work. (I must admit the maths in the paper is beyond me, so I’m happy to be proven wrong.)
We’re not sure what works, and what won’t work. Novel problems require novel solutions.
Our best bet is to try things, and course-correct along the way. I’m sure mistakes will be made, but it’s better than doing nothing. Countries that do nothing will fail — look at America!
The richest country in the world, paralyzed by distrust of its own government(s), is unable to combat the virus effectively. Ironically, the country most likely to produce the vaccine is also the one least likely to have its citizens take it. And it’s in COVID that we see the weakness of decentralized systems: all the countries (Malaysia included) that have had success in dealing with COVID have a strong central government calling the shots.
But if there’s one thing we learnt in 2020, it’s that Malaysian politicians are grimy slimeballs, something between “a cockroach and that white stuff that accumulates at the corner of your mouth when you’re really thirsty”. And obviously we can’t let them call the shots without some checks and verification.
But we need to have a level of rationality about those checks, and perhaps even go so far as to give them the benefit of the doubt in some cases, particularly non-political government servants like D-G Hisham. Criticism for criticism’s sake isn’t the best solution for now.
In conclusion, the app looks OK. It would be nice if they made it open-source, although that doesn’t guarantee anything unless some independent third party is willing to deep-dive and audit the code. Android apps have always been somewhat troubling, and MySejahtera probably is not that different. Governments the world over are trying new things, and we should cut them a bit of slack, because if we sit around and do nothing, we’ll definitely suffer far worse.
What you can do
As a last section of this post, I wanted to let Malaysians know that you can actually turn off permissions for apps if you’re worried about what they can do. You can still have the app on your phone, but you wouldn’t grant it access to specific resources (like contacts, phone calls or external storage). One caveat: Android’s Settings only lets you toggle the “dangerous” runtime permissions (contacts, storage, phone, location and so on); install-time “normal” permissions such as keeping the phone awake, or plain Bluetooth access on versions before Android 12, are granted automatically and can’t be switched off from that screen.
I’m not an Android user, but I guess you can use the following: