230 - Malaysian ID Card by Roger Clark

Malaysian IDCard by Roger Clark


1. Introduction

The Malaysian Government Multipurpose Card (GMPC) or MyKad is a standard credit-card-sized plastic token with an embedded microchip. It has been issued progressively since 2001, with the intention of being obligatorily used by the entire population of 18 years and over by the end of 2005 (or perhaps 2007).

The card displays several items of data, carries several categories of data in the chip, including a biometric, is used by multiple government agencies, and has been designed for extensibility and 'function creep'. It is subject to highly inadequate protections.

Various reports state that versions of the card have been issued bearing respectively a 32Kb and a 64Kb EEPROM (Electrically Erasable Programmable Read-Only Memory) chip, using the M-COS operating system. The larger version supports a digital signature key and digital signing (often mistakenly referred to as PKI). It is unclear to what extent each of the various applications is used.

This document provides some background resources related to MyKad.

2. The 'New Scientist' Report on the Launch of MyKad
'Malaysia pioneers smart cards with fingerprint data' New Scientist, 21 September 2001


The world's first national smart card scheme to store biometric data on an in-built computer chip has been introduced in Malaysia. The cards are compulsory for Malaysia's citizens and are encoded with a copy of the owner's fingerprints.


Pressure is growing in other countries for improved identification schemes, especially since the recent terrorist atrocities in the US.


"A lot of governments including the US will be looking at better identification systems to monitor the movement of people within their countries after the terror attacks," said Wan Mohamad Ariffin, smart card project director at Malaysia's National Registration Department. "We are willing to share our technology. It could be part of the solution to the security issue."


Although the strongest opposition to such schemes will probably come from civil liberties groups, technical experts also say that such measures will not thwart criminals or determined terror groups.


Identity theft


Ross Anderson, an expert in computer security at Cambridge University, says that smart cards may make forging ID cards harder but they are unlikely to provide a complete solution.


"You can maybe exert some downward pressure on identity theft by incorporating machine readable fingerprints of some kind or another," Anderson told New Scientist. "But, in this situation, making identity cards harder to forge is solving the wrong problem."


Anderson says that terrorist groups will simply subvert the system another way, by using a stolen birth certificate, for example. He also points out that, unless an individual has been identified by the authorities as a threat, smart cards will not help.


Nevertheless, smart cards should make fraud more difficult. Although most cards will give up their digital secrets to a determined expert, combined with digital signatures they make forgery more complicated.


This is important because the Malaysian government has said that the new cards are likely to be used to authorise financial payments and withdraw cash, as well as identify individuals to the authorities.
Digital signature


Markus Kuhn, also at Cambridge University's computer science department, says that the biometrics stored on a modern smart card will be authenticated by a central authority when the card is created, in the form of a digital signature.


This means that even if a card is stolen and a new fingerprint data inserted, anyone with a government scanner could recognise it as fake. "You can put a new fingerprint on the card but not forge its overall signature," Kuhn says.
But opposition to this type of smart-card system remains from civil libertarians. "I don't think that these will stop terrorist acts," says Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties. "They are more controlling measures. They let a government track you and know more about you."


The US government is currently increasing its capacity to track citizens. The Combating Terrorism Act of 2001, proposed shortly after the devastation of New York and Washington DC, would increase the powers of federal agents to wiretap individuals.


3. The Privacy International Report
Extract from Privacy International's Country Report for Malaysia (November 2004)


Since 1999, the Malaysian government has begun gradually phasing in a multi-purpose national ID smart card, that it intends all Malaysians to adopt by 2005.[31] The card, known as "MyKad," incorporates both photo identification and fingerprint biometric technology and is designed with six main functions: identification, driver's license, passport information (although a passport is still required for travel overseas), health information (blood type, allergies, chronic diseases, etc.), and an e-cash function.[32] The card can also function as an ATM card, although it is MyKad's least attractive feature and banks have discouraged customers from using the card for such purpose.[33] There are plans for adding additional applications for digital signatures for e-commerce transactions.[34]


The Malaysian government originally proposed placing the religious affiliation of all citizens on the cards, but complaints from the country's non-Muslim ethnic groups prompted the government to limit identification to Muslims only. In January 1999, it was announced that Islamic religious authorities in the capital, Kuala Lumpur, would be equipped with portable card readers in order to instantly verify the vows of Muslim couples found in "close proximity." In his 2002 budget speech, the Prime Minister proposed adding marital status and voting constituency information to the cards for the benefit of religious authorities and to minimize electoral fraud, respectively. Both proposals were sharply criticized by opposition Member of Parliament Teresa Kok as being an unnecessary invasion of privacy.[35] The anonymity of balloting is already a matter of concern for privacy advocates, even without MyKad. Traditional ballots are marked with a serial number that can be matched against a voter's name. While there is no evidence that the government has ever tracked individual votes, some opposition leaders allege that the potential to do so has had a chilling effect on some voters, particularly civil servants.
With so much personal information stored on the MyKad, even proponents of the card have acknowledged inherent privacy risks: "[h]aving the smart card will probably increase theft . . . because the attraction is there. There is a lot of personal information stored [on the card], including buying patterns which would attract (card cloning) syndicates," according to industry analyst Jafizwaty Ishahak. Recently, the National Registration Department (NRD) admitted that the practice of surrendering identity cards to security guards before entering certain premises may need to be changed because of privacy concerns.[36] The Consumers Association of Penang has argued that the cards make individuals' personal and confidential information too vulnerable and has recommended that the proposed Personal Data Protection Act address these risks specifically.[37]


The Federation of Malaysian Consumers Associations criticized the government for not implementing clear guidelines or consulting with the public on how MyKad is to be used, by whom and for what purpose. The Federation also challenged the security of the system, contending that the storage of personal information in a centralized database makes it vulnerable to tampering and sabotage. Later, in 2004, the Bar Council chief severely criticized the security and privacy risks related to the use of MyKad, and sought strong privacy laws to protect card holders against potential misuse, pointing out that personal data contained on the card could easily be accessed.[38] It is widely known that anyone with a card reader can access all information contained in the card.[39] In response to such critiques, the government is now reportedly drafting a bill to ensure the privacy of MyKad users and protect the information stored against unauthorized use.[40]


Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for Malaysians.


MyKad is currently optional, but it automatically replaces other forms of expired identification and is quickly becoming a de facto requirement to access certain government and private-sector services. In December 1998, the government began requiring cyber cafés to obtain name, address, and identity card information from patrons. However it lifted this requirement in March 1999.[41] In some cases there may be penalties for not carrying the card. In 1998, the government announced that persons not carrying identification cards risk being detained by immigration authorities.[42] It is the government's intention that all of Malaysia's population over the age of 12 will be registered in the MyKad system by 2005. Those under the age of 12 are encouraged to apply for a junior version of the MyKad, which differs only in its lack of a photograph and thumbprint biometric.


[31] "Privacy of MyKad Holders to Be Protected by Law," New Straits Times, May 19, 2004, at 6.
[32] "Wise Up to Role of Smart Card," The Star, December 15, 2002.
[33] "Privacy of MyKad Holders to Be Protected by Law," supra. See also "Free Upgrade of MyKad to 64K," New Straits Times, June 16, 2004, at 5.
[34] "Card Sharps," The Bulletin (Australia), May 14, 2003; Joe Celko, "The Road to Dystopia: How much Information Can the Government Control?" Intelligent Enterprise, May 9, 2002. See also Rozana Sani, "Utilising PKI Applications in MyKad," New Straits Times, December 18, 2003, at 4.
[35] News Release, "Government Proposal to Add Marital, Constituency Information to MyKad Should Be Debated," MP for Seputeh Teresa Kok, September 27, 2002.
[36] Rosnazura Idrus, "Leaving MyKad at Guardhouse under Review," New Straits Times, July 9, 2003.
[37] "Smart IC Open to Abuse," The Star, April 18, 2001.
[38] "Bar Council Chief Seeks Laws to Protect MyKad Data," New Straits Times, April 3, 2004, at 8.
[39] "Privacy of MyKad Holders to Be Protected by Law," supra.
[40] Id. See also A. Shukor Rahman, "Evaluating Risks in MyKad," New Straits Times, October 20, 2003, at 21.
[41] "Cabinet: Cybercafes not Subjected to Restrictions," New Straits Times, March 18, 1999.
[42] Annie Freeda Cruez, "Malaysians Told: Carry ICs or Risk Detention," New Straits Times (Malaysia), May 14, 1998.
4. A Report from Justice, UK
Extract from 'Information Resource on Identity Cards' Justice, London (November 2004). Warning: The document was prepared by interns and some caution is needed.


49. Malaysian Identity Cards, known to its citizens as ICs and to the Government as the `MyKad', were first introduced by the British in pre-independent Malaya to help control the communist insurgency. Today, the card has a multi-purpose smart chip and looks very much like an ordinary credit card, incorporating a host of technological features. Malaysia's technological development has far out-paced the development of the legal system, and identity cards provide such an example. The advances in data storage technology have not been matched with adequate legal protection and safeguards.


50. The Malaysian Constitution does not provide for the issuance of ID cards. The National Registration Act 1959 (the 1959 Act) provides for the establishment and maintenance of a registry of all persons in Malaysia (Section 4 of the 1959 Act) and that every person in Malaysia be registered under the Act (Section 5 of the 1959 Act). The Register extends to all residents of Malaysia, and includes noncitizens who work or reside there. More importantly, the 1959 Act gives the Minister in charge of the National Registration Department, historically the Home Affairs Minister (the equivalent of the British Home Secretary), extremely wide and discretionary powers in respect of virtually every aspect of the national identity system under Section 6.


51. Under the 1959 Act, Malaysians citizens and permanent residents above the age of 12 years are eligible to apply for and ID card. Because an ID card is required for many legal activities, including opening bank accounts or dealing with the state, most Malaysian apply for an ID card when the reach the age of 12. Under the National Registration Rules 1990, every citizen or permanent resident over the age of 18 is required to apply for an ID card, and late applicants are fined a nominal sum.


52. The new ID cards are `smart cards' with an embedded 64K chip in each card that carries the personal information of the holder. The face of the card no longer has the holder's thumbprints, but has his or her ID number, full name, address, nationality, sex, and photograph. These cards are called the Government Multipurpose Card (GMPC) and were introduced as part of the Government's IT initiative, the Multimedia Super Corridor. The GMPC was marketed to the public as `MyKad'. Significantly, the Government sees the card as an interface device with not only government agencies, but also the private sector. The MyKad project is run by five different agencies, all of which have access to the data on the card - the National Registration Department (NRD) as the lead agency; the Road Transport Department (RTD); Royal Malaysian Police (RMP); Ministry of Health (MOH); and the Immigration Department (IMM).


53. The new ID cards replace the old identification cards and, if individuals choose, the driving license. In addition, it uses chip and biometrics identificationtechnology to identify individuals, can allow the Police and the Road Traffic Agency to access its information (driving license version only), and supplements the Malaysians International passport to facilitate efficient exit and re-entry from Malaysian Immigration checkpoints. Currently, even Malaysian passports are chip based. The new cards will be used for intra-Malaysia travel and by Malaysians when leaving or re-entering the country. Basic and critical medical information, such as allergies and blood type, are also stored in the chip. The new card, once registered with a local bank, can be used as an ATM or debit card [not recommended by banks], and once registered with the national transportation payment system, Touch n' Go, can be used to pay for things like bus tickets or road toll fares. The card can be used in lieu of three different bankcards.


54. The Public Key Infrastructure (PKI) in every MyKad [sic - the 'infrastructure' is external to the card] enables users to conduct secured e-commerce and transactions using a digital certificate over networks such as the Internet. Authenticity and integrity of the data is protected and inaccessible to anyone, apart from the relevant government agencies and the owner of the MyKad. Information contained in the chip can be accessed using three different devices, all of which are largely inaccessible to the public, but will soon be carried by the police.


55. Issues relating to the cards can be divided into legal and technological categories.


56. The Personal Data Protection Act was passed in 2002 and provides similar safeguards as the UK's Data Protection Act 1998, including the appointment of a Data Protection Commissioner. However, the Act has yet to come into full effect, on the grounds that it will be a burden to businesses. There are no other safeguards against the abuse and privacy of data in the new ID cards. Even the Malaysian Constitution does not provide for the protection of privacy.


57. The Malaysian Government asserts that the new ID cards employ state-of-the-art technology that incorporates multiple layers of security features: `these features include the card authentication using symmetric key cryptography, a multi applications Operating Systems with firewalls and a secure chip platform.' However there is real concern that there are no adequate protections for personal data. The smart card readers can be used by virtually any government agency. Further, the willingness to share data with the private sector without the prior consent of the citizen concerned is worrying.


58. A joint survey by the Electronic Privacy Information Centre in Washington and Privacy International in the UK summed up the risks: Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for individual Malaysians. 40


59. Malaysia leads the world in the frequency and scope of everyday use of ID cards. However, the system employed is not without problems. Although the issuing and scanning procedures appear to be sound, there are significant concerns over the lack of legal and technological provisions to ensure data protection; a fact which is particularly worrying considering the wide range of personal information stored. Concerns have been voiced about both function creep and access to information with regard to the draft Bill in the UK, and the Malaysian experience highlights the fact that any legislation needs to incorporate strict controls on access to, and subsequent use of, personal information.