[COLUMNIST] "Confusion" on MySejahtera: Incompetence or collusion?

The Public Accounts Committee (PAC) Chairman reportedly pointed to a “confusion” over the appointment of KPISoft (now known as Entomo) for the development of the MySejahtera application, based on responses the PAC received from the witnesses in a proceeding on April 21, involving senior officers from the National Security Council (NSC), the National Cyber Security Agency (NACSA), and the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), as reported by health portal CodeBlue.

As EMIR Research highlighted in earlier articles, even high-level officials from the Health Ministry and the Finance Ministry appear to have conflicting accounts on who appointed KPISoft.

If the government does not even know who appointed KPISoft, perhaps it was too much to expect them to conduct the necessary due diligence to uncover the potential risks surrounding data ownership and the clear conflict of interests given questionable names appearing on the companies involved and across international borders.

EMIR Research has now published six articles on the MySejahtera debacle, alongside other organisations such as health portal CodeBlue which has been at the forefront of this scandal with numerous reports and investigations.

But how has the government responded to these obvious red flags?

In what appears to be complete defiance of public outcry and utmost disregard for strict governance standards, there has been:

1. Severe confusion in providing sufficient and consistent details for the investigation of serious governance concerns regarding the appointment of KPISoft.

For example, there is an unexplainable and unacceptable direct appointment of KPISoft in a contract-less “Corporate Social Responsibility deal”, with only a non-disclosure agreement to govern data ownership (which we know nothing about or if it is still legally enforced), which subsequently appear to have “trapped” the government into having to deal with MySJ Sdn Bhd.

2. Baffling inconsistency on MySejahtera ownership status (app, data, platform), where statements from authorities keep changing. Initially, it was alluded that the government owns practically everything related to MySejahtera but then reported legal documents revealed a 3-way ownership split between the components related to the app which contradicts official statements.

3. Total silence regarding questionable individuals and governance red flags involved in the development of the MySejahtera app (KPISoft/Entomo), and the people who own MySJ.

Entomo reportedly sealed an exorbitant deal worth RM338.6 million with MySJ, making MySJ the effective "owner" of the MySejahtera app. Note that Entomo and MySJ share the same business address, and there are high-profile and potentially politically-linked individuals as directors in MySJ. There are also questionable and mysterious business figures, as reported by various sources.

MySJ will likely seek to recoup its large “investment” through lucrative and long-term deals with the government (which the government has no way of determining if the prices are fair given MySJ is the only option and will pay using public funds) or app features that require users to pay.

4. Complete downplay on the risk of foreign ownership as Entomo Malaysia is owned by Singapore-based Entomo Ptd Ltd, with corporate and private shareholders from various countries.

Although Malaysians appear to hold the highest number of shares in DreamTeam Inc (which is the major shareholding company in Entomo Pte Ltd) ultimately there are other shareholders from other countries.

5. Grossly insufficient explanation to back up statements on personal data safety and integrity.

The government asserted that they own the data, but EMIR Research questions in prior articles on the exclusive accessibility to the database, and data security/integrity prior to any contracts (aside from the NDA) were made (such as within the contract-less CSR period).

Questions the PAC need to ask include the following:

When was the data started to be stored at AIMS Data Centre in Malaysia? If it didn’t happen right at the start when KPISoft was directly appointed, where was the data stored before AIMS Data Centre? If it was initially stored in locations other than AIMS Data Centre, how was the transfer of data governed to ensure all data has been deleted from previous storage location, no copies have been made, or transferred elsewhere during the database migration without a contract to govern this transfer process ever being made?

Based on the above points, it is clear that only forensic digital investigation or audit of the entire ecosystem surrounding how MySejahtera processes and stores information and accessibility of this information can provide some level of confidence. Even then, it is unlikely to bring trust levels on the app back to pre-scandal days.

6. Questionable obscurity on deals with MySJ, such as not specifying what “below RM300 million” deal with MySJ really means in terms of the exact amount and what the deal is for.

Most recently, and related to point number 5, Health Minister Khairy Jamaluddin reportedly said that the private entity MySJ has access to the database as the “manager” of the app, subject to the supervisions of the Health Ministry.

Khairy previously referred to MySJ as the “operator”, but only said that the government is finalising a “far lower than RM300 million” deal with MySJ. As far as publicly available reports go, EMIR Research is not aware of the existence of any contracts or formal deals made by the government with MySJ to appoint them as manager/operator of the app.

There are important questions to ask such as:

Has the government entered into some contract or understanding with MySJ for MySJ to become the manager/operator? If so, why wasn’t this made public and what is the government’s cost of (directly) appointing MySJ as the operator/manager? If it was only a deal to be a mere manager of the app, why was there no open tender?

EMIR Research understands that unless MySJ has sub-licensed their license to the MySejahtera app to other entities, then the government has no choice but to appoint MySJ as the manager/operator. In this case MySJ is both owner and manager of the app.

The government must exercise full transparency as the deal involves public funds, and the issue involves the personal data security of 38 million app users.

The government’s misplaced “respect” for the shareholders of MySJ (by brushing aside their ongoing disputes as something that does not concern the government, not addressing governance concerns, commercial red flags etc.) reflects how the government forgets the people as its true shareholders.

The government should be reminded that it is to the people that the government is accountable—not private entities or political masters.

Thus, upholding proper governance and ensuring the interests of the people surpass any NDAs signed by the government with a (questionable) company with mere commercial interests.

In the past article titled “Find MySejahtera alternatives, move away from MySJ deal” dated April 18, 2022, EMIR Research recommend that the government put any deals with MySJ on hold until investigations by the PAC have concluded.

On April 23, CodeBlue reported that the PAC urged the government not to formalise its deals with MySJ before the tabling of the PAC’s report in the Dewan Rakyat in July, and urged for the report to be debated by Members of Parliament for at least one day.

EMIR Research is glad that the PAC is echoing its call, but investigations must be comprehensive. Historical appointment and development mechanisms regarding the app are important to be elucidated, but there are many other questions. Also, it is likely more than one day will be needed to debate the topic.

At the moment, it is likely that the PAC has only scratched the surface of the scandal.

EMIR Research urges the PAC to ensure all questions raised by various parties are satisfactorily answered (in-depth and sufficiently backed up), and if not, for the report to be tabled with a strong recommendation to halt deals with MySJ and for the setting up of an independent commission to carry out further investigations.

The surprising role MySJ is playing as operator/manager of the app without any publicly-known contracts in place indicates the government is adamant to move ahead with the MySejahtera application and continue dealing with MySJ, despite the ongoing investigations.

This is happening in the backdrop of mounting distrust over the app as evident through the plunging check-in rates nationwide despite increasing mobility, calls by certain quarters to delete MySejahtera, and various reports and publications surrounding the scandal by various parties.

The apparent “rush” to finalise deals with MySJ is peculiar, and unbecoming of authorities who should be focusing on good governance and due process, particularly as Malaysia’s transitioning into endemicity and relaxation of standard operating procedures provide the opportunity to move away from the app and therefore, MySJ.

The only speculative explanation is that MySJ is in a severe financial pressure, and is pushing for the deals to go through, no matter what. How can they not be, after committing to RM338.6 million licensing deal with Entomo?

Until investigations are over and concerns have been addressed (if ever), there would be decreasing use of the app, if not complete deletion by users.

This wouldn’t solve previous concerns, and the government’s requirement for check-ins and things such as vaccine certificates for international travels may “force” the people to use the app, but perhaps it’ll make MySJ’s future business plans worth a lot less.

The authorities must understand that addressing the people’s concerns and respect for proper governance is a priority over the so-called future modules of the MySejahtera app, which can always be developed later.

Khairy was reported to have said “If we don’t have MySejahtera, how can we monitor the condition of those under self-isolation at home? Maybe Utusan Malaysia has an app that we can use, I don’t know,” when commenting on Utusan Malaysia’s call for the deactivation/deletion of the app.

Reasonings behind that call—real concerns over data security and integrity, governance issues plaguing the MySejahtera scandal, usefulness in endemicity, and many other factors—were met with an underserving sarcastic remark.

If the people don’t trust MySejahtera because their concerns have not been addressed (faults on the part of the government), issues such as “monitoring those under self-isolation” or any other uses of the app are responsibilities that the government must bear.

If it requires using an alternative app, manual monitoring, dropping the need for check-ins etc. then these are the steps that must be done, at least until investigations are over and the scandal has been resolved.

These repercussions are of the government’s own doing, and they must take full responsibility.

---