‘Collection of metadata poses risks'

The Star

18-06-2025

PETALING JAYA: Like puzzle pieces scattered across a table, bits of digital data may appear meaningless on their own.
But with enough time, as well as location and behavioural clues, a recognisable picture can emerge.
That is the concern raised by cybersecurity experts over a government initiative to collect anonymised mobile phone data.
The Mobile Phone Data (MPD) programme, introduced by the Malaysian Communications and Multimedia Commission (MCMC), is intended to support public policy, particularly in tourism and infrastructure planning.
Although authorities have emphasised that the data excludes names and identification numbers, experts warn that by combining the anonymous data with other metadata such as tower location, timestamps and user behaviour, it could still expose individuals to reidentification and cyber threats.
According to AI Society president Dr Azree Shahrel Ahmad Nazri, even coarse location data such as cell tower logs can be used to build a person's detailed behavioural profile.
'From just a few days of movement data, researchers can predict who you are with over 90% accuracy,' he claimed when contacted.
'This is why metadata is not truly anonymous.'
MCMC, in a media briefing last week, clarified that IMEI numbers and SIM card IDs were not among the data fields requested.
However, Azree Shahrel cautioned that even without those identifiers, centralising metadata still poses significant cybersecurity risks.
He also warned that such repositories could become high-value targets for hackers, cybercriminals or foreign actors.
'If breached, this data could form a detailed map of user routines, enabling highly targeted attacks or surveillance,' he said.
He suggested that persistent identifiers, such as anonymised mobile numbers, be replaced with session-based tags, and that precise timestamps be aggregated to reduce the risk of tracking individuals.
Universiti Malaysia Sarawak lecturer Chuah Kee Man echoed those concerns, pointing out that the MPD does not currently violate the Personal Data Protection Act 2010 (PDPA), as anonymised metadata and government agencies fall outside its scope.
However, he argued that this legal blind spot still raises red flags.
'The collection is occurring without the public's explicit consent or even knowledge.
'And while it may not breach the PDPA directly, it creates ethical and legal issues surrounding the erosion of privacy rights,' he said.
He warned that once data is stored at this scale, it could potentially be used for political profiling, social control or surveillance.
'The integrity of how this data is used relies entirely on those managing it – both now and in the future,' he said.
He called for a shift in approach, including the principle of data minimisation, where only essential data is collected, and for the implementation of informed consent policies.
'If the government insists on collecting such data, it must demonstrate a clear need and adopt every possible measure to protect users,' he said.
Cybersecurity specialist Fong Choong Fook said public concern about the MPD programme is not unfounded, especially given previous data breaches involving government-linked agencies.
'One of the most notable cases was in 2017, when the personal data of 46 million Malaysians was leaked after the MCMC outsourced work to a contractor.
'Incidents like these continue to shape public scepticism,' he said.
The massive data breach in 2017, believed to affect almost the entire population of Malaysia, included lists of mobile phone numbers, identity card numbers, home addresses and SIM card data of 46.2 million customers from multiple mobile phone and mobile virtual network operators.
'Take note that the PDPA does not apply to MCMC. This means that if a data leak were to occur, MCMC would not be held liable,' he said, highlighting a gap in accountability.
Fong urged the government to be transparent about the anonymisation process and to release a clear set of guidelines outlining how the data is managed, what safeguards are in place and how privacy is protected.
'There should be a publicly accessible framework, or at least a white paper that can be scrutinised by independent experts.
'We cannot continue operating in a black box,' he said.