Answering MySejahtera Public Concerns

Chew, Kean Ho

Mar 27, 2022, 10:53:04 AM
to ZORALab Enterprise
Hi all,

In response to the most recent concerns about MySejahtera security and privacy leak to multiple private corporations and queries from our customers:
  1. Is that a legitimate data leak?
    1. Potentially = the databases and software (both server and client) are supposedly under the Ministry of Health's full control. However, the software part is allegedly being transferred between 2 private entities.
    2. No = Because you're already using it to publish or disclose your Covid19 vaccination and check-in status (the data exposure is already public). An attacker (red team) can use a long-range camera to secretly capture the phone screen while you are displaying the info to a local authority (e.g. a security guard).

  2. Should I be worried?
    1. No. The issue has been politicized and badly amplified via social media networks.

  3. The database has my NRIC ID, are you sure I don't have to worry?
    1. Yes, you don't have to worry. The NRIC was meant for general identification. Unless you're engaging in shady or illegal businesses where the government is hunting you down, you're good.
    2. The most important part is to NEVER leave your actual NRIC digitally scanned and stored unlabelled and unencrypted. This is the one that can actually cause severe damage, where an attacker can use it to apply for loans.

  4. The database has my check-in location data, are you sure about it?
    1. Yes, you don't have to worry, compared to the 2017 MCMC and some insurance companies' data leaks. The nature of the check-in data can be reverse-engineered anyway by cross-checking each location's "hit zone".
    2. Speaking from a data analyst's point of view, your telco data (contacts, behavioral data, conversation recordings, etc.), finance and banking data, actual health data (e.g. whether you are chronically sick, etc.), and access authentication data (analyzing your thinking methodology for creating passwords) are far more valuable than check-in location data and some already public vaccination data.

  5. However, I'm concerned with shady private corporations selling my data from MySejahtera?
    1. Comparing social media apps with MySejahtera, the former is more concerning, as mobile applications tend to have location tracing, in which the data is richer and far more up to date. You can explore this with Google Maps' "Your Timeline" feature if it is permitted.
    2. The good news is that a lot of western governments are pushing to protect citizens' privacy, with the latest being the Digital Markets Act (DMA) from the European Union a few days before this email.
    3. Otherwise, consult a lawyer if you're planning legal action against the government.

  6. Should I stop using MySejahtera?
    1. Absolutely NOT. You SHOULD and SHALL continue to use it, especially the one issued by the Ministry of Health Malaysia. It's not an option.
      1. The health hazard among all lives is far more vital than some petty privacy debates.
      2. It is even more suspicious and leaks your data easily if you try to use anything else.
      3. The ONLY safest privacy haven is to live inside a deep underground cave away from civilization with ZERO digital equipment with you. Hence, please draw a balance point in the argument.

  7. What can I do to protect myself?
    1. The first step is having the correct attitude that "security is a continuous learning" and "my security is my own duty".
    2. NEVER leave plain sensitive data that has severe consequences in the open (e.g. your scanned NRIC card and your unexposable private photos [why create them in the first place?]). If possible, only create them when needed and then destroy them after they have been properly processed and delivered.
      1. Also, NEVER EMAIL these sensitive documents. Use your shared drive (e.g. Google Drive or Microsoft OneDrive) or Signal Messenger instead. Contrary to what everyone believes, email is NEVER confidential and encrypted. It's always publicly available.
    3. NEVER answer any banking calls or unidentified calls. The main policy of banks, hospitals, and public clinics is that only you call them, not the other way round. If needed, identify the numbers before leaving the premises.
    4. If you still believe in love at first sight (as in falling in love easily with an unknown stranger) in the year 2022, you need to consult a psychiatrist.
    5. Protect your master password (e.g. your Bitwarden master password) and NEVER expose it to anyone, including us, your tech support folks. Tech people like us, especially from ZORALab, don't need to know your master password to get things done.

  8. Is ZORALab affiliated with MySejahtera?
    1. No. We're using it for securing health safety among the communities in Malaysia. This email is to answer some heated queries from some customers, shared across all our networked customers.

  9. Who Am I?
    1. I'm Holloway, who has been living under the alias "hollowaykeanho" in cyberspace since 1998, and currently an open-source cyberspace developer and analyst for at least 7 years.
      1. That means I have been intentionally exposing some or almost all of my personal data for public verification (for my audiences to perform self-defense), long past living in private.
      2. That also means that even in a publicly exposed nature, I, along with many other official open-source developers, can still offer a technological way to mathematically authenticate our data for our respective audiences around the world.
    2. Hence, you can rest assured I know and can easily tell the differences among:
      1. being private (privacy);
      2. being authentic and trusted using only logic and mathematics (genuine);
      3. being malicious (simulating an attacker); or
      4. being in public (straight up publicity).

That's all. So please, relax, and have a good week ahead! Cheers!


ZORALab Enterprise (002599169-M)
Through Knowledge With Serve

If you are not the intended recipient, please contact the sender immediately and delete all copies. The sender holds zero liability for any damages caused. If the content is digitally and cryptographically signed and/or encrypted by GNU Privacy Guard (GPG) key, please seek out the public key with the sender email at
