The Malaysian Communications and Multimedia Commission (MCMC) was exposed via leaked documents, to be collecting Mobile Phone Data (MPD). This has triggered past trauma and sparked new concerns among Malaysians about digital privacy, how data is handled, and who can be trusted with it.
If this information hadn’t been leaked, the public probably wouldn’t even know it was happening.
Recent commentary defending the MPD initiative argues that critics are overreacting, that no personal data is being collected, and that social media companies collect more data anyway. But that sidesteps the core issue.
Let’s stop blaming each other or dodging the issue here. This isn’t about whether data is useful. It is. What Malaysians want to know is: Is this kind of data collection really necessary? And if it is, how can we make sure it’s done in a way that is transparent, safe, and fair?
Let me be clear: I’m not against using data to make things better. In fact, data plays a huge role in our lives today—from apps we use to planning for public transport and tourism. But that doesn’t give the government a free pass. Data collection must be done the right way. That means being clear about what’s being collected, how it is protected, and why it is needed.
If MPD is supposed to help with national planning and public policy, then MCMC needs to do more than just send out a vague statement after the fact. We need proper communication, strong privacy protections, and an open dialogue with the public.
If MCMC is serious about doing this properly, here’s where I think they should start.
Yes, the dataset excludes names and IC numbers. But it still contains persistent unique IDs, timestamps, and location data. This makes it pseudonymised, not anonymised — and there’s a big difference.
Anonymised data removes all identifiers so no one can trace it back to a person. Pseudonymised data uses proxies or codes but can still be linked to individuals if cross-referenced with other datasets. Currently, this is the case with the way MCMC is handling MPD. Bottom line, it can be traced back to you.
With mobile phones acting like real-time trackers, when you collect enough of even these “harmless” data points like tower pings and movement logs, it can create a detailed user profile — where people go, when they move, how often — the pattern starts to look like a fingerprint.
Malaysians aren’t being alarmist. These are legitimate risks. And let’s face it, with our track record of major data breaches, the concern is justified. So instead of brushing off questions, MCMC should clearly explain what data it collects, why it’s needed, and how it will be protected.
This isn’t about paranoia. These are real risks.
Right now, the public still doesn’t know:
- If mobile data is encrypted in transit from the telco to MCMC and when it is stored at MCMC
- How long the data will be stored and who certifies that it has been cleared
- Who will audit it and certify that the data is indeed secure, anonymised and safe
- Most importantly, who takes responsibility if there’s a data breach
We’ve asked these questions before. They remain unanswered.
It’s not unreasonable to ask how a government-backed dataset involving the movement of millions of Malaysians will be protected. It’s responsible. And at the time of writing this, it’s still unclear.
Given Malaysia’s history of major government data breaches, we have every reason to be cautious. With this initiative, MCMC is presented with an opportunity to set the benchmark for national data security and yet, it chose the opposite — deflect and hope for the best.
Yes, private platforms like Facebook and Google collect data — but users have a choice. They can opt out, revoke access, or delete their accounts. With the way MCMC collects MPD, Malaysians have no such option. We didn’t even know that our data was being collected.
Transparency and consent are not optional in a digital society. If the government wants to collect user data for public planning, the public must be part of the conversation.
Let’s be clear, data collection is not the problem. It’s how traffic is managed, how public health responses are coordinated, how telco towers are upgraded, and how apps like Waze or Google Maps work. It powers the services we use every day.
We’re not asking to live in a cave. We’re asking to live in a country that handles data responsibly.
Which is why public comments like “turn off your phone” don’t just miss the point. They shut down the opportunity for honest, constructive dialogue.
This isn’t about expecting zero data collection. It’s about expecting clarity, choice, and accountability — especially when we don’t even get the chance to say yes or no.
Is this a pilot test or a permanent program? What ministries are involved? How will success be measured? Will the public be updated on the pilot test results?
If the government wants trust, it must earn it by defining exactly how this mobile phone data will be used, how often it will be collected, and who’s ultimately responsible.
We can’t say it’s a pilot and at the same time insist that everything is finalised. If the public is included in the test, the public deserves to know what the test is for.
Criticism doesn’t mean rejection. In fact, most people understand the value of data-driven policy. But what they’re asking is simple:
- Who collects the data?
- What exactly is being collected?
- How is it anonymised?
- Who audits it?
- How long is it kept?
- What happens if it’s breached?
- Can I opt out?
- Who is accountable?
None of these questions were answered clearly in the recent MCMC briefing. Yet all of them are central to public trust.
Instead of dismissing these as distractions or calling critics irresponsible, why not answer them? A simple website with a roadmap, a timeline for improvements, and clear safeguards would go much further than any opinion piece.
Some have argued that concerns about data governance are overblown. But here’s the reality: we’ve been here before — more than once.
Since 2017, Malaysia has experienced a series of serious data breaches involving government-linked platforms and agencies:
2017: 46 million telco user records were leaked from a database managed under MCMC oversight. The contractor, Nuemera, was suspended. No prosecutions were reported.
2021–2023: Several MySejahtera breaches, including a “Super Admin” who downloaded 3 million vaccine records without authorisation. No charges have been announced.
2022: A leak allegedly involving 22.5 million personal records from the National Registration Department was offered for sale online. No public enforcement updates.
2024–2025: Ransomware attacks targeted Prasarana, Big Pharmacy, and KLIA, with hundreds of gigabytes of sensitive data stolen. Most investigations remain open, with no reported convictions.
In many of these cases, investigations were announced, but outcomes remain vague or unresolved. So when Malaysians say they’re concerned about the MPD initiative, they’re not imagining threats. They’re responding to a very real history of failure to secure citizen data — and a lack of accountability.
Data isn’t the enemy. And neither is scrutiny.
Data is vital to modern life. It improves planning, infrastructure, and public services. But that doesn’t excuse weak governance or evasive communication.
If MPD is truly for public good, then it must be built on public trust. That starts with transparency, clarity, and the willingness to admit when something could have been done better. MCMC says mobile phone data is essential to Malaysia’s future. Then show the public that it’s being handled with care.
This is your chance to lead with clarity, not confusion. You can still shape the narrative.
So, MCMC—what are you going to do about it?
