KUALA LUMPUR, Nov 18 — Forget Edward Snowden’s revelations on the US spy scandal, Malaysians who have always feared being watched too closely by their government should know their insecurities are not unfounded, a local cybersecurity expert and lawyer have warned.
It is true that “Big Brother” is watching even in Malaysia, Akati Consulting founder and chief executive officer Krishna Rajagopal said, citing evidence he said clearly shows that the Malaysian government has been collecting and keeping the personal data of its citizens, or in other words, “spying”.
“We have intelligence reports of data collecting servers that were placed in Malaysia and are still active in Malaysia, spying servers, Big Brother servers.
“We don’t know who owns them but to put it in another way, this particular solution is what we call FinFisher and that particular product is only sold to governments so...,” he said, trailing of for a good measure of drama during a recent interview with The Malay Mail Online.
The software, also known as FinSpy, is a surveillance software marketed by Gamma International, a firm that promotes the spyware through law enforcement channels.
Krishna added that there are many other types of servers seen in Malaysia, called open source intelligence tools, which are usually used for national security purposes like tracking down terrorist activities.
“But what we have seen is when such a solution is placed, it gives a reason for abuse if there is no proper access control.
“For example, in Malaysia, all the municipalities became so gung ho and they started putting CCTVs all around, and they realised these officers in the municipalities started zooming those cameras into people’s houses, zooming and looking at women changing, that was what’s happening.
“So a knife can be used for cooking, it can also use for murder,” he said, suggesting the high risk of abuse should these surveillance tools be handled by the wrong persons.
The cybersecurity expert stressed that there must be a probable cause for inception activities to be considered lawful.
“That’s evidence gathering but if I just want to randomly collect data from a group of people, hoping to find something, that is not legal.
“We have also seen some open source intelligence being used, targeted at a specific group of people, which were not related to national security in Malaysia, these are intelligence information we got outside of Malaysia because we were dealing with Interpol”.
Krishna noted that Malaysia is not the only country, as Singapore, Australia, and the US are also similarly “spying” on their citizens.
“It all started off with a good purpose which was for national security, eventually it got abused and when they got busted, it became too big to control like this Edward Snowden thing.”
The US spy scandal caused major outrage in Malaysia late last month when top secret documents leaked by intelligence whistleblower Snowden revealed that the global superpower runs a monitoring station in its Kuala Lumpur embassy to tap telephones and monitor communications networks.
A map originally published by Germany magazine Der Spiegel and sighted by Australian dailiesSydney Morning Herald (SMH) and its Fairfax Media sister publication The Age, showed 90 electronic surveillance facilities worldwide, including in US embassies in Jakarta, Bangkok, Phnom Penh, and Yangon.
Dated August 13, 2010, the map however did not show any such facilities in Singapore, Australia, New Zealand, Britain, and Japan, which are the US’ closest allies.
On the heels of the US espionage storm, the SMH later reported that Australia’s electronic intelligence agency was using its diplomatic missions to spy on its Asian neighbours.
According to the Australian newspaper, Fairfax Media was told that signals intelligence collection occurs at Australia’s High Commissions in Kuala Lumpur and Port Moresby, as well as at embassies in Jakarta, Bangkok, Hanoi, Beijing and Dili.
Citing new information disclosed by Snowden and a former Australian intelligence officer, the Australian newspaper also reported that clandestine surveillance facilities at embassies were carried out without the knowledge of most Australian diplomats.
Three days after news leaked that the US and Australia had purportedly used their diplomatic missions here to spy on Malaysia, Wisma Putra finally summoned the US ambassador and Australian High Commissioner yesterday to formally file a protest.
Foreign Minister Datuk Seri Anifah Aman said in a statement on November 2 that he had met with Australia’s Foreign Minister Julie Bishop in Perth yesterday and told his counterpart that spying against “close friends” is not done as it could “severely damage” relations.
“In response, Minister Bishop informed that it is not the policy of the Australian government to comment on intelligence matters,” said Anifah in a statement released by his office.
“However, the minister accepted the concerns raised by Malaysia on the matter and assured that the Australian government places high importance on the close bilateral relations with Malaysia,” he added.
As nations across the globe continue to debate the legal extent of government spying and privacy issues, Krishna said it was important that only a limited, selected few individuals should have access to the throve of information collected.
The current system in Malaysia, however, is not ready yet although it is ready for lawful interception, he said, in reference to the government’s cability to trace for information only when the need arises.
“That means when there is a probable cause for a case, the police can go in and tap the phones and e-mails, that’s fine but not on a blanket,” he said, adding that unlike most countries in the world, Singapore’s constitution allows the government to collect information on its citizen, making it legal to “spy” on its people.
'Scary' laws need to be amended
To protect an individual’s privacy, Krishna said two “scary” laws should be amended immediately.
The amendment to the Criminal Procedure Code Act 2010, which has yet to be passed, and Section 114A of the Evidence Act, which was gazetted and enforced in July 2012, shifts the burden of proof to Internet users for presumed publication and ownership of offending items posted online, he noted.
“That goes against the age-old principle that you are innocent until proven guilty.
“Here you are guilty until proven innocent, so that part is very scary and that is a law that we cannot keep up with,” he said.
He explained that if if someone posts something offensive on the prime minister’s blog, it can be assumed that the police will not arrest him.
“What people are concerned is with these two laws and with the Big Brother, people are scared because it leads to a blanket because with these two laws and with the big brother kind of spy system being put in, it can go out of hand, it can turn into a tornado, out of control just like the CCTV story,” he said.
He also said that the two “scary” laws would lead to more abuse than anything else because both are too vague and are something that “we can’t even hold on to, we can’t even keep our word to it”.
“The law needs to be a little more clear.
“At the moment, that law is the most draconian cyber-security law in the world, Evidence Act 114a, put that together with the Multimedia Act, it is the most draconian cyber-security law in the world, we are at the top for that because it is something that the world is talking about it and we all know we can’t hold on to it.
“So we have become a laughing stock because of that,” he lamented.
“Transparent” intelligence gathering
Krishna and New Sin Yew, a lawyer attached to Chan Weng Keng and Associates legal firm said the government should be more transparent with the process of gathering intelligence.
“The government has to come out clean… say you’re doing it and these are the people, so they have a specific unit in the country and a specific location in the country that has access to this and it will only be used for purpose A, B, C, D and what happens is there are ways to set it up using triggers, that system will only trigger when it matches a keyword,” he explained in a recent interview.
New told The Malay Mail Online that there must be a the check and balance and this should come from the role of the courts, and the public prosecutor to a certain extent.
“For them to start spying, they need a court order, you may not be there and it would only be just the police, and the public prosecutor and the judge.
He said, however, that the current system should be strengthened, and that Malaysia should emulate the UK, where in certain cases, there would be special advocates to argue for the general public in seeking justification on the need to spy, even though the judge makes the final decision.
“I don’t think that’s the only system but they should at the very least have a system of check and balance before they can say yes, go ahead and tap his phone.
“Here, they only need to go to the public prosecutor and the public prosecutor can just sign but here’s the problem, when they go to a public prosecutor, I feel that the public prosecutor’s role is then compromised because it’s the investigation stage and then you have the prosecution stage.
“There is always this saying, those who investigate don’t prosecute, those who prosecute don’t investigate because you can’t be objective,” he said.
New claimed that most of the time, investigators would say, “we actually have no evidence, so let’s wiretap to get some evidence”.
“I think they are already doing something illegal, if you read the federal constitution, Article 5, the right to life,” he said.
In June, it was reported that Communications and Multimedia Minister Datuk Seri Ahmad Shabery Cheek claimed that the government does not engages in any kind of hacking or ‘spy’ work on its people or on other countries.
“Yes we are not [spying]. I’m not saying Malaysian [citizens themselves are not doing it] but as far as the government is concerned, we are not condoning it, and we are not doing it,” he told Astro Awani.
Meanwhile, Personal Data Protection Act (PDPA) 2010 which took last week, with businesses given three months to comply, provides provisions to protect consumers’ personal data from being misused by other parties.
The government however is exempted from the new law.