THE Malaysian Communications and Multimedia Commission (MCMC) does not have the right to close down sayakenahack.com on grounds of unlawful collection of personal data as it violates overarching anti-censorship laws, say lawyers.

The internet regulator blocked the website on Thursday over data privacy concerns as it allowed the public to use their MyKad number to check if they had been hacked.

SayaKenaHack.com was created by IT expert Keith Rozario to allow the public to check if they were part of a data breach that affected 46.2 million mobile phone subscribers. He denied allegations it was a phishing website to obtain MyKad numbers. 

“The MCMC does not have the power to shut down websites,” said Lim Wei Jiet, deputy co-chairperson of the Malaysian Bar’s constitutional law committee

The regulator could only request licensees, which are network providers, to shut down websites.

Section 263(2) of the Communications & Multimedia Act states: “A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.”

Lim said: “Network providers usually comply with MCMC’s request, since MCMC regulates their licenses to operate.

“Any attempt by MCMC to shut down or censor website is not allowed. This is because Section 3(3) of the Communications & Multimedia Act states: ‘Nothing in this Act shall be construed as permitting the censorship of the Internet’.”

The leak is believed to have occurred between 2014 and 2015, and involved records of various telcos and medical councils and associations.

The breach was revealed in an article published by online forum Lowyat.net last month, which was subsequently removed on orders from MCMC.

Malaysian Bar constitutional law committee co-chairman Surendra Ananth said Section 263 of the CMA required a licensee to assist in the prevention of any offence under Malaysian law.

“Even if this section can be read in a manner that requires a website to be blocked, the question is whether the website offends Section 130(1) of the Personal Data Protection Act 2010.

“If the data (on sayakenahack.com) was ‘masked’ to ensure that other users could not identify the subjects from the ‘masked’ information, arguably, it could fall outside the ambit of the PDPA as the data user is not ‘identifiable from that information’.”

Constitutional lawyer Syahredzan Johan said MCMC had been operating in a “grey area” ever since the Communications and Multimedia Act (CMA) and its relating anti-censorship guarantees were made law under Dr Mahathir Mohamad’s administration in 1998.

“MCMC does not have the powers under either CMA or MCMC to block websites,” Syahredzan said.  

“They operate within a grey area by enforcing the conditions imposed on service providers to block websites at MCMC’s behest. So it is not pursuant to any specific law, and thus its legality has always been suspect.”

Instead of blocking sayakenahack.com, the government should have created a site to provide a similar service as it is the people’s right to know whether their data had been compromised, he added. 

“Unfortunately very little information has come from the government and people like Keith Rozario has had to pick up the slack,” said Syahredzan.

Meanwhile, the Bar Council’s cyber law and information technology committee co-chairman, Foong Cheng Leong said Rozario had not violated the law and the onus would be on the MCMC to prove if he had committed an offence.

“If the website allows people to download the personal data of others, (only) then it will be a violation of PDPA,” Foong told The Star. 

Separately, the data leak has been traced to an IP address in Oman, Inspector-General of Police Mohamad Fuzi Harun said.

Fuzi said a police-MCMC investigating team traced the data leak to an Internet protocol address in the Arabian Peninsula country.

He also said no arrest had been made so far as the case was “complicated”. – November 18, 2017.