Contradictheory: A buffet of personal data up for grabs?

The Star

9 hours ago

It must have been about 25 years ago when I attended a talk about the power of integrating databases, and back then we were lucky governments hadn't quite figured it out yet. But obviously all that has changed now.
The speaker was from Canada, and he illustrated the concept with an example: On one hand, the government struggled to catch welfare recipients who were quietly nipping across the border to work in the United States. On the other hand, it would have been trivially easy to catch them if someone just thought to cross-reference the welfare database with weekday border crossing records.
The technology wasn't the issue. The stumbling block was getting different government departments to cooperate. But while this was an opportunity begging to be taken, the speaker also highlighted the potential dangers: The power inherent in data sharing, when coupled with the reach and authority of national governments, could lend itself to a wide scope of abuses.
Which is precisely what is happening in the United States at the moment. Reports indicate that Elon Musk's Department of Government Efficiency (DOGE) has equipped agents with 'backpacks full of laptops, each with access to different agency systems... to combine databases currently maintained separately by multiple federal agencies'.
Why are they doing this? Because DOGE wants to collate immigration data and cross-reference it with tax records, welfare claims, and even state voting records. According to critics, they allegedly want to target immigrants not just for tracking, but possibly for persuasion, prosecution, and persecution. Civil liberties groups are sounding the alarm, pointing out that this level of cross-agency integration is ripe for abuse.
Truth is, this isn't something new or foreign for Malaysia. Back in 2018, politician Rafizi Ramli openly discussed how his startup, Invoke, was leveraging big data to support the then Opposition candidates. Using electoral roll data, phone polls, and surveys, they constructed detailed voter profiles based on age, postcode, gender, race, and religion to create a 'microtargeting' strategy to identify and win over swing voters with a 40%-60% chance of flipping.
Fast-forward to today, and the government's interest in big data is no secret. From the MyDigital Blueprint to the freshly minted Data Sharing Act 2025, the rhetoric is all about 'digital transformation' and 'evidence-based policymaking'. Then in April, the Malaysian Communications and Multimedia Commission (MCMC) told telcos to hand over mobile network usage data, down to your call records, IP connections, and yes, your location coordinates.
Failure to comply could result in a fine of RM20,000 or up to six months in jail.The official line is that this is for the 'generation of official statistics to support evidence-based policymaking' in the ICT and tourism sector. (Specifically, to identify the number of mobile broadband subscriptions, and to track the number of visitors and 'domestic tourist trips'.)
The government assures us that all data handed over is anonymised and contains no personally identifiable information. But I've learned to be sceptical following alleged breaches that reportedly had data from millions of Malaysians in government databases being sold online.
Now we are to trust the authorities when they say they want the data for policymaking? It's a bit of an overkill, like queuing up for an hour for a free plate of nasi kandar. (Which I have done before.) But why settle for a plate when you could have the whole buffet of personal information data?
A tech news website said what many of us might be thinking: 'What just happened doesn't feel like planning. It feels like surveillance.' Local technologist and computer scientist Dinesh Nair was more colourful, labelling MCMC's explanation as (if I may paraphrase) horse excrement, noting that location data coupled with the time could be used to positively identify individuals.
This isn't theory. We've known for decades how it's possible to do 'data re-identification'. In 1997, MIT computer scientist Latanya Sweeney famously cross-referenced public voter records with anonymised health data to identify then-governor of Massa-chusetts, Bill Weld. She even mailed him his own medical records as proof.
And a few years later, I was reviewing drafts of what would eventually become Malaysia's Personal Data Protection Act (PDPA). While the PDPA was a good step forward in defining personal data rights – like requiring consent and allowing individuals to revoke it – it had one gaping hole: it doesn't apply to government entities. Section 3(1) of the Act explicitly exempts federal and state bodies.
I was told at the time that government departments handled so much data, it would bog them down in red tape to comply. That was the official line. I suspect the unofficial thinking has evolved into: 'Why would we give up control of such a rich treasure trove?'
Fixing this isn't hard. Step one: remove the PDPA exemption for government agencies. Just cross out a paragraph. Step two: appoint an independent oversight body where people can lodge complaints if their rights are violated. The latter's nearly in place, given that the current government has promised an Ombudsman Bill this year that could serve this very function.
At the very least, amending the Act would allow us to point to a breach and say, 'That's illegal', instead of shrugging and saying, 'Well, it's the government. What can you do?'
Because we were warned. We just didn't listen. In his fortnightly column Contradictheory, mathematician-turned-scriptwriter Dzof Azmi explores the theory that logic is the antithesis of emotion but people need both to make sense of life's vagaries and contradictions. Write to Dzof at lifestyle@thestar.com.my. The views expressed here are entirely the writer's own.