Privacy

Articles and publications written by the CCC about Privacy.

Consumer Choice Center’s comment on the US government’s proposed KYC regulations for cloud servers

Earlier this year, the US Department of Commerce proposed a sweeping regulatory rule that would force cloud service providers to collect and retain personal information on their users, particularly those based outside the United States.

This regulation, prompted by President Joe Biden’s Executive Orders on the “National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” would require extensive record keeping and collection of user data for all Infrastructure as a Service (IaaS) providers, firms that offer what is commonly known as virtual machines, web servers, cloud computing and storage, Virtual Private Networks (VPNs), Bitcoin and cryptocurrency nodes, artificial intelligence models, and much more.

The intended targets are services that have customers based abroad, in order to stop malicious foreign actors and hackers, but the rule is written broadly enough that any cloud provider that doesn’t capture this information from its domestic US users would be liable for civil and criminal penalties.

The Consumer Choice Center submitted comments to oppose the Commerce Department’s proposed rule, requesting several changes and modifications to better protect data and consumer privacy.

The comment is reproduced below:

Overbearing KYC Identity Requirements for Cloud Providers Put Consumers at Risk and Threaten Online Free Speech and Commerce

Dear Under Secretary Alan F. Estevez,

The Consumer Choice Center is an independent, non-partisan consumer advocacy group championing the benefits of freedom of choice, innovation, and abundance in everyday life. 

As an organization representing consumers around the country, we are deeply concerned with the proposed rule to require significant Know Your Customer (KYC) procedures for any and all Infrastructure as a Service (IaaS) providers, as detailed in Docket No. DOC-2021-0007.

If these rules as they stand are brought into effect, they will have immediate consequences on consumers and online users who create, use, and deploy all manners of online services, servers, cloud systems, and virtual machines. This includes services that allow users to deploy servers to host their own private document and photo content, Bitcoin and cryptocurrency nodes, artificial intelligence models, Virtual Private Networks (VPNs), and more, in accordance with the terms of service offered by IaaS providers.

While these rules are intended to provide more immediate access to information and data on malicious foreign actors using American cloud infrastructure, they will instead result in significant risk to individual privacy, facilitate the loss or malicious use of data, and grant extraordinary powers to government agencies that are inconsistent with the US Constitution and the Bill of Rights.

We understand the intention is to target foreign hostile actors, but the requirement placed upon US service providers will inevitably require that every American provide this information as well.

The requirement that service providers maintain exhaustive personal and financial information on their customers presents not only a gross violation of privacy, but a significant risk, as the thousands of IaaS providers will be in possession of vast amounts of personal data liable to be hacked or leaked.

What’s more, law enforcement agencies already possess enough tools and authority to follow legal processes to acquire warrants and conduct information.

We believe this proposed rule goes much too far in restricting the ability for Americans to use online services they want to choose, and would limit their ability to use servers and cloud services without significant risk to their privacy and personal data.

In addition, the exhaustive information required by a service that wishes to offer users the ability to run a virtual machine, server, AI model, or more, will necessarily push most Americans to opt out of using domestic services entirely, creating economic consequences not calculated in the proposed rule’s costs of compliance.

We would recommend that this rule be revised entirely, removing the significant privacy risks that KYC collection on IaaS providers would require for domestic users, as well as the duplicative and extralegal authority that would be granted to law enforcement officers, in contravention of constitutional law.

Below, we list the two main areas of concern for US consumers.

KYC Requirements For Foreign Users Applied to Domestic Users

As noted in the Background provided in the Supplementary Information of the rule, these new powers would require service providers to segment users based upon their country of origin:

To address these threats, the President issued E.O. 13984, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” which provides the Department with authority to require U.S. IaaS providers to verify the identity of foreign users of U.S. IaaS products, to issue standards and procedures that the Department may use to make a finding to exempt IaaS providers from such a requirement, to impose recordkeeping obligations with respect to foreign users of U.S. IaaS products, and to limit certain foreign actors’ access to U.S. IaaS products in appropriate circumstances.

However, in order for IaaS providers to effectively determine the location of a user, they will be required by the force of law – and risk of civil and criminal penalties – to log, categorize, and document a user’s location and accompanying personal information regardless of their location, all in efforts of determining whether a potential user would be considered a “foreign user” or beneficial person.

This will lead to increased collection of information akin to bank accounts and financial transactions, leading to widespread “Know Your Customer” (KYC) requirements which have never been applied at this level to online services.

Beyond congressional approval, we believe this proposed regulation far exceeds the bounds of agency authority, whether from the Department of Commerce or via the mentioned Executive Orders, and would create significant areas of risk for ordinary users and customers located both abroad and within the United States.

In addition, the broad application and definition of a covered service – “any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications” – essentially means any cloud service would be within the scope of this regulation.

The Risk of Privacy Breaches

As service providers would be required to maintain a robust Customer Identification Program, as outlined in § 7.302, this would therefore place liability on all cloud providers to collect and retain the full name, address, credit card number, virtual currency numbers, email, telephone numbers, IP addresses, and more on any potential customer of their service.

While we appreciate that private cloud providers and IaaS firms would have the latitude to determine how they structure their Customer Identification Programs, we believe that the requirement to collect this information and store it locally will constitute a high potential for that information to be accessed without authorization, either by hacks, leaks, or other malicious activity. 

Because service providers will be required to catalog this information for years on end, this will inevitably prove to be a high-value target for malicious actors, while providing minimal benefit to the law enforcement agencies that can already legally obtain this information via lawfully executed warrants.

Extraordinary and Duplicative Powers

Law enforcement agencies at the federal, state, and local level already possess the legal tools to subpoena or request data from cloud providers or VPN providers with lawfully obtained warrants.

That IaaS providers would be required to not only retain this information, but also to preemptively “notify” law enforcement without any judicial order or suspicion of a crime, violates the Fourth Amendment and the Due Process Clause as interpreted from the Fifth and Fourteenth Amendments.

Section § 7.306(d) lays out the stipulation for being exempted from the requirements as “voluntary cooperation” with law enforcement agencies, then forcing providers to enable access to “forensic information for investigations of identified malicious cyber-enabled activities”. 

We believe this would be easily abused, as it would provide a legal path for companies to divulge customer information to government authorities beyond what is necessary and lawful, and provide incentives for firms and companies to voluntarily submit information on their customers to government agencies, law enforcement agents, and more.

As written, we believe this proposed rule has been offered in haste, and will likely lead to significant harms and risks to consumers’ data, privacy, and their liberty to engage in free commerce. We would urge this rule to be rewritten with these concerns in mind.

Sincerely yours,

Yaël Ossowski

Deputy Director,

Consumer Choice Center

Experts Agree: ByteDance is Beholden to the CCP and Cannot Be Allowed to Exploit Americans’ Data

H.R. 7521, the Protecting Americans from Foreign Adversary Controlled Applications Act, is bipartisan legislation that will protect Americans by preventing foreign adversaries, such as China, from targeting, surveilling, and manipulating the American people through online applications like TikTok.  

Here’s what experts and top voices are saying about the bill: 

Speaker of the House of Representatives Mike Johnson:

“I support the bill being marked up by the Energy & Commerce committee. It’s an important bipartisan measure to take on China, our largest geopolitical foe, which is actively undermining our economy and security.”

Americans for Prosperity Chief Government Affairs Officer Brent Gardner: 

“The fact is that we live in a world where Americans’ phones are being weaponized against them by a foreign adversary, and we cannot sit back and let that happen. We would never want the U.S. federal government to have the power to censor, surveil, and manipulate Americans—we absolutely should not permit that abuse of power by the Chinese government through TikTok.” 

Deputy Director of the Consumer Choice Center Yaël Ossowski:

“Considering the CCP’s unique hold on TikTok and ByteDance, and the data privacy threats to US consumers, a forced divestiture is a balanced and reasonable solution.” 

Read the full text here

Why does Ted Cruz want to empower Biden’s radical FTC?

Data privacy is an increasing concern for consumers and tech advocates alike. Lawmakers from both the Republican and Democratic parties know this, and it’s why the Informing Consumers about Smart Devices Act, being championed by Sen. Ted Cruz (R-TX), is receiving bipartisan support.

Cruz says this bill would “inform” consumers about smart devices with “spying” capabilities, but it is just another opportunity for politicians to expand their ever-growing paternalistic role in our daily lives.

Sure, users value their privacy, but only to a certain degree. Case in point: the smartphones that roughly 310 million people voluntarily keep on their person 24/7, even while they’re in the bathroom. Does it really matter if a smart refrigerator is equipped with the same technology as the smartphone present in your pocket (especially when the refrigerator has the added bonus of assisting with food management)?

Despite what Cruz may think, consumers aren’t dumb when it comes to smart products. We don’t need a warning label for the presence of audio-video software or internet-enabled capabilities. If a device needs to connect to WiFi or an app to function, clearly it is internet-enabled. If lights, thermostats, or music can be controlled by voice commands, then of course these devices have a listening function.

Many of us have come to accept the trade-off of data collection by companies we trust in order to use certain products, services, or websites. For some time now, internet surfers and online shoppers have become acquainted with pop-ups asking to enable cookies on their browsers. Digital cookies were always there, but what changed was the notification of them due to policy pressures. Have the cookie notifications really changed online activities? I doubt it. Have more pop-ups in the name of transparency improved online experiences? Also doubtful.

Organizations gather data to know their consumer base, not to stalk us and discover our dirty secrets. In fact, I’d appreciate it if my tech-enabled Traeger grill was “spying” on me — that way, I might receive some coupons based on my grilling history or suggestions on how to improve my barbecuing skills.

Firms are well aware that their reputation hinges on the comfort level of consumers when it comes to tech use and data collection: If consumers feel a company is infringing too much upon their privacy, backlash will surely ensue. As such, government deliberation over this matter is simply unnecessary.

If passed, the proposed bill will, at best, require warning labels to be affixed to the packaging of smart products and, at worst, place the Federal Trade Commission in charge of establishing disclosure guidelines and enforcement mechanisms. Any cost a company incurs related to regulatory compliance deemed necessary by the FTC will be felt in the marketplace, and manufacturers will take into account the potential for fines from the FTC when establishing their price points.

The expense of FTC interference will be borne by all taxpayers, and the cost to companies for new packaging and labels will spill over into higher prices for consumers.

It is unclear why members of the Republican Party would want to expand the regulatory mandate of the FTC, given that Chairwoman Lina Khan has proven her position as an anti-business ideologue ever since she was appointed by President Joe Biden. Our independent purchase decisions do not need to create an economic burden for all taxpayers nor serve as a means for furthering the FTC’s inquisition against corporate America.

At the end of the day, it is important to remember that every individual consumer has authority over what tech products are used within his or her home. Rather than increase the power of the regulatory state over our consumption habits, consumers concerned about their appliances having spyware capabilities should simply shop accordingly, and any nefarious activities should be handled by the court system.

The “Internet of Things” is meant to predict wants, persuade actions, and improve consumer experiences. Some in-home smart devices can even be literal lifesavers. Thanks to advancements in wearable tech and telehealth, real-time assessments can be transmitted to healthcare providers to allow for independent living at home. Take WalkWise, a smart mobility aid attachment benefiting those in need of senior care. Devices such as these shouldn’t be bogged down by FTC interference or government oversight.

Products that advance our well-being, and that we buy according to our preferences with our own money, should not be vilified by politicians and used to grow the nanny state. Although Cruz claims this bill to be “common sense legislation,” that assumes you (the consumer) have no common sense of your own.

Originally published here

Technological neutrality is the best mechanism of cyber security and protects consumer data privacy

KUALA LUMPUR, 26th June 2023 – The Consumer Choice Center (CCC) emphasizes the importance of governments supporting and maintaining technological neutrality in putting in place the best mechanisms for cybersecurity systems and consumer data protection.

Representative of the Malaysian Consumer Choice Center, Tarmizi Anuwar said: “Technology changes very quickly and faster than amendments or changes in laws. In this regard, laws that are friendly to innovation and technology or so-called neutral technology need to be prepared so that healthy competition between private companies becomes the best method of determining the mechanism in data privacy regulations.”

In addition, Tarmizi commented on the recommendation of the Minister of Communications and Digital that the private sector makes investments related to aspects of cyber security and data privacy according to the appropriateness of their respective operational levels, which is considered positive. However, it is necessary to remain consistent and not put an excessive burden on the private sector.

“The recommendation can be considered good because the enforcement of interoperability standards can be prepared and implemented by the firm that handles the data, and is not necessarily determined by law. This will also give space to start-up companies to operate at a cost that matches their capabilities.”

“Basically, every company has its own interest in protecting the cyber security or privacy data of their consumers. Excessive legal stipulations such as imposing specific software will cause an increase in business costs and subsequently increase prices for consumers,” he said.

Explaining Malaysia’s efforts to collaborate with Southeast Asian countries in creating a data sharing protocol to become a regional data processing hub, he said the government must make the concept of industry-based data portability the main standard.

“In order to become a regional data processing hub, the government needs to use industry standards as the main policy and strategy. This standard is a faster and more efficient way and is able to coordinate the differences in laws in each country to enforce and regulate portability over the law,” he concluded.

HOW CAN YOU ESCAPE GOVERNMENT CENSORSHIP?

A tool that gives access to more content is going mainstream… as long as the state does not get directly involved.

More and more consumers are using VPNs on their internet-connected devices. What was once a rather obscure technique for accessing different sites through virtual servers has become an increasingly common tool, one that has drawn the interest of internet users and regulators alike.

A VPN (Virtual Private Network), known in French as an RPV (réseau privé virtuel), lets its users connect to a server other than the one where they are currently located. Through various cryptographic techniques, the VPN masks the user’s IP address and gives them access to other content.

Moving without moving

There are various uses for a VPN: one very common use is accessing streaming video content. While a popular new television show may be available in the United States, it cannot be watched from France. By connecting your VPN to a server located in New York, you get access to the content that can be viewed on the other side of the Atlantic, from the comfort of your own home.

Streaming service providers such as Netflix or Amazon Prime dislike this practice because they fear running into trouble with copyright regulations. The reason some television content is not distributed in France is that these channels have not acquired the rights to those shows in France – sometimes because of the price, sometimes because they do not think a given show will attract much interest in France compared with the United States.

That said, the usefulness of VPNs goes far beyond the benefit of watching Game of Thrones on your couch. By masking your IP address, they considerably reduce the risk of hacking or surveillance when you connect to a public Wi-Fi network. As VPNs have become more popular, VPN service providers have found other ways to protect your data when you are in public.

Some VPN services also offer a feature called an “Internet Kill Switch”. If your VPN connection is interrupted or dropped, this feature protects your device and its data from prying eyes. It blocks all internet traffic to your device until the connection to your VPN is re-established.

When the state adopts VPNs

VPNs are also a good way to escape government censorship. Although this is less of a problem in many European countries, VPNs are commonly used by consumers in Austria to get around government regulations. For a long time, Wikipedia was not accessible in Turkey without a VPN. VPNs are also widely used in dictatorships, as users access international news services that would be blocked in their country.

However, many of these states have joined this trend. It is legal to use a VPN in China, but the government imposes numerous restrictions. Domestic VPNs must be approved by the government, and those that are not are banned. Citizens can face penalties, unlike foreigners, who may go unpunished if caught using unauthorized VPNs. Obviously, you can imagine that local Chinese VPNs are compelled not to unblock content banned by the Communist Party.

In Europe, the use of VPNs is not restricted. That said, the Western world has seen legislation liable to encroach on the use of VPNs.

For example, a bill recently proposed in the United States, whose main purpose is to ban the use of TikTok, refers vaguely to the possibility of users circumventing that ban. Although the law does not mention VPNs as such, Reason Magazine explains that “this wording leaves even more room for the RESTRICT Act to reach a wide range of activities. Perhaps a court would ultimately find it unusable against people simply trying to evade a TikTok ban, but that does not mean prosecutors would not try, or that authorities would not use invasive surveillance measures to try to detect such evasion.”

Uneven services

There is one last point consumers should be aware of. While VPNs provide greater security online, they are far from a panacea. Many popular VPNs promise that you will be able to “surf the web anonymously” or that you will be “completely safe from government surveillance”. Unfortunately, simply paying for a VPN will not make you totally safe from surveillance and hacking threats.

Complete anonymity online is very hard to achieve, as it requires a wide range of burner devices and software that go well beyond your everyday use.

When setting up a VPN, it is important to learn about the product you are buying. It is also advisable to refrain from using “free” VPNs. If the VPN is free, your data is the product. Using a VPN should become commonplace online behaviour, but it will continue to require you to do your own research.

Originally published here

Generational Endgame: The government needs to avoid repeated MySejahtera data leaks

KUALA LUMPUR, 6th March 2023 – The Consumer Choice Center (CCC) voiced concerns over the implementation of the generational endgame and urged the government to drop the generational endgame from the Tobacco and Smoking Products Control Bill.

Tarmizi Anuwar, the Malaysian Consumer Choice Center representative, believes that the Minister of Health is being hasty in wanting to implement the generational endgame, which is not consistent with the statement made at the beginning about implementing it incrementally and in stages.

It is even more worrying when the Ministry of Health wants to implement it in the next year, which is 2024. However, until today it is still not clear what mechanism will be used to ensure that the implementation process is not misused or does not pose other risks to consumers. Recently, the Deputy Health Minister, Lukanisman, mentioned that the government intends to make the MySejahtera application a national public health management tool or digital public health super app.

“If the government uses the MySejahtera application or any similar form of application to implement the generational endgame, this may bring other risks to consumers such as breach of information or personal data.”

“This is clear, as the Auditor General’s Report 2021 Series 2 revealed that 3 million Malaysians’ personal data in the MySejahtera application was downloaded by the super-admin account between 28 October and 31 October 2021,” he said.

In addition, according to Tarmizi, it is more worrying when the Deputy Health Minister’s answer in parliament contradicts the response given by the Ministry of Health to the National Audit Department.

“The statement of consumer details downloaded by the super admin as part of security measures against attempts to hack the application is contrary to the response given by the Ministry of Health to the Auditor General’s Department.”

“In the report, the Ministry of Health’s response clearly states that there is an element of misuse by the super admin account and a police report has been made.”

“The government needs to be more realistic in drafting and implementing laws so as not to put consumers’ personal data at risk.”

Commenting further on the implementation of the finishing generation in the Tobacco and Smoking Products Control Bill, he said, “The government needs to drop the generational endgame and adopt more practical practices; harm reductions such as the United Kingdom or the Philippines.

“Instead of a full ban these two countries recognize harm reduction as one of the methods to reduce smoking in their countries.”

In addition, Tarmizi emphasized that the discussion about fundamental rights or individual freedom in this matter must take into account various opinions and not just one school of thought. He referred to the statement of Tun Zaki, former Chief Justice, that the generational endgame can be considered discriminatory and in violation of Article 8 of the Federal Constitution.

“The law must operate equally on all people in fair conditions for all generations and every group of society. The law cannot give only one advantage to one generation and deprive it from another.”

MoH urged take immediate recommendations in the AG’s Report on MySejahtera data leak

KUALA LUMPUR: The Malaysia Consumer Choice Center (MCCC) urges the Ministry of Health (MoH) to implement immediate security measures to prevent the continued theft of personal data from the MySejahtera application.

This follows the Auditor General’s Report 2021 Series 2, which revealed that the super-admin account downloaded three million Malaysians’ personal data in the MySejahtera application from October 28 to October 31, 2021.

MCCC representative Tarmizi Anuwar urged the MoH to improve security measures to ensure the safety of consumers and that such incidents do not happen again.

“The MoH needs to act immediately to tighten the data security management system and the MySejahtera application as recommended by the Auditor General’s Report to prevent the intrusion of consumer data again.

Read the full text here

Why did the Ministry of Health fail to identify the MySejahtera data downloaded by ‘Super Admin’, asks consumer group

Its representative urged the Ministry of Health (KKM) to act immediately to tighten the data security management system and the application.

PETALING JAYA: The Consumer Choice Center (CCC) criticised the government for still not having identified the personal data fields downloaded from the “Super Admin” account through the MySejahtera application, more than a year after a police report was made.

Its representative, Tarmizi Anuwar, urged the Ministry of Health (KKM) to step up security measures to ensure that user data is kept safe.

“KKM needs to act immediately to tighten the data security management system and the MySejahtera application, as recommended in the Auditor General’s report, to prevent repeated data intrusions.

“This action needs to be taken as soon as possible because, one year and three months after (the report was made), the ministry still cannot identify the personal data fields that were downloaded.

“This is very worrying because more than three million users’ data is at risk of being misused by the parties concerned,” he said in a statement.

Read the full text here

The Ministry of Health Needs to Immediately Take the Recommendations of the Auditor General’s Report

KUALA LUMPUR, 20th February 2023 – The Malaysia Consumer Choice Center (CCC) urges the Ministry of Health of Malaysia to immediately present security measures to prevent the theft of personal data from the MySejahtera application from continuing.

This follows the Auditor General’s Report 2021 Series 2, which revealed that 3 million Malaysians’ personal data in the MySejahtera application had been downloaded by the super-admin account from 28 October to 31 October 2021.

The representative of the Malaysian Consumer Choice Center, Tarmizi Anuwar, urged the Ministry of Health to improve security measures to ensure the safety of consumers and that things like this do not happen again.

“The Ministry of Health needs to act immediately to tighten the data security management system and the MySejahtera application as recommended by the Auditor General’s Report to prevent the intrusion of consumer data again. This is important to ensure that consumers are safe,” he said. 

Based on the report, after one year and three months of the police report being made, the government has yet to identify the data fields that have been downloaded and are still under investigation by the authorities.

“The Ministry of Health needs to immediately take this action because after one year and three months, the Ministry still does not know or identify the personal data fields that have been downloaded. This is very worrying because more than 3 million user data is at risk of being misused by those who have downloaded it,” he added. 

According to Tarmizi, the Ministry of Health also needs to take seriously the questionnaire conducted by the audit department regarding consumers’ perception of the MySejahtera application. Based on the survey, a total of 2,699 responses or 49.8 percent disagree that personal data is stored in the MySejahtera application database, while only 1,168 responses or 21.8 percent agreed and the rest were neutral.

“Based on the survey conducted by the audit department, consumers are not confident about the level of security of the MySejahtera application and have concerns if their information or personal data is invaded by irresponsible parties.” 

“Although it has entered the endemic phase and this application is not used as before, the consumer’s personal data is still stored in this application.”

“Therefore, the Ministry of Health needs to take immediate action and explain to the public the steps that will be taken to deal with this matter seriously and be responsible in ensuring that this won’t happen again.”

The Great Danger of CBDCs

There have been numerous announcements of central banks starting to explore the idea of introducing Central Bank Digital Currencies (CBDC).

These range from the e-naira, a CBDC issued by the central bank of Nigeria, to the digital yuan in China, to the European Central Bank exploring the idea of the digital euro. In fact, according to Bank for International Settlements research, 90% of 81 central banks surveyed have been investigating, in some shape or form, the idea of introducing a central bank digital currency.

According to the same survey, an increasing number of countries are adjusting the legal authority of central banks, giving them provisions that allow for the launch of digital currencies.

These central banks argue that CBDCs will help with financial inclusion by providing more access to financial services for the underbanked and unbanked, that they would lead to a significant reduction in fraud and money laundering, and that they would improve efficiency and ultimately allow for a better and more efficient monetary policy through more control over the money supply.

CBDCs are often thought of in terms of the government’s response to crypto, the way that central banks are trying to get with the times and digitize money. However, except for utilizing similar technologies, they are fundamentally different from Bitcoin and many other cryptocurrencies.

The most significant difference between CBDCs and Bitcoin lies in the level of centralization and control. While Bitcoin is a fully decentralized currency operating on a decentralized ledger that no one person or organization can control, CBDCs are issued and fully controlled by the central bank, which controls their supply, issuance, and use.

Bitcoin was created as a decentralized alternative to traditional fiat currencies and as a response to the monetary policies of central banks creating uncertainty and being responsible for the devaluation of money with ripple effects throughout the economy. CBDCs would equip governments with tools providing fast and easy total control over monetary policy to the extent of targeting businesses, organizations, and individuals. 

The level of control that a government would have over every transaction and the ability to apply transaction censorship over anyone would give leaders a level of control unprecedented in history, a tool that any totalitarian leader from a few decades ago could have only dreamed of. 

One could argue that most money already is digital, an endless collection of 0s and 1s. However, the crucial distinction is that no single database can track and oversee every transaction that exists. There are a number of laws and regulations in place that allow law enforcement to request access to records of interest where courts are required to give approval for such actions.

Forgoing these checks and balances currently in place and allowing one-click access to accounts of citizens would give not only an unprecedented power in terms of privacy violations but also an opportunity to monitor or deactivate undesirable accounts based on any perceived or real violation.

Taking away all of one’s ability to sustain themselves by locking their accounts is equivalent to jailing them. Giving officials the option to freeze or ban certain accounts without due process could seriously damage the principles of rule of law on which our society rests.

The potential for any elected or appointed officials to affect a citizen’s livelihood in such a way could lead to serious consequences, such as endangering the ability of citizens to use their right to free expression in fear of their lives being ruined in a single click. It is not hard to imagine many possible ways that any malicious actor could use this centralized power. Many other unintended consequences could be possible and some could create immense levels of social distrust.

Then there is privacy. Transactions made using CBDCs may be recorded on a public blockchain, making it possible for others to track and analyze financial data. Having citizens using a tool that could fundamentally affect their privacy on an unimaginable scale thus far in human history would be a grand violation of rights to privacy and would, without a doubt, lead to additional problems.

You thought your browsing history could be turned against you? Anyone having access to any monetary transaction you have made would definitely not be fun either and it is easy to imagine dozens of ways that bad actors could exploit access to that kind of information.

Another often overlooked potential consequence of introducing Central Bank Digital Currency is digital monetary competition. If we see a rise in digital currencies issued by central banks, it is likely that they will enter a race with other country-issued currencies as well as private or decentralized ones, such as Bitcoin. Having this sort of competition would potentially open up unknowing citizens to currency fluctuations which cannot be foreseen and create even larger instability with some national currencies. The ways this could affect purchasing power and lead to potential civil unrest are evident.

These are only a few of the ways that adoption of Central Bank Digital Currencies could affect life as we know it. It is easy to see how an extremely centralized, highly controlled and surveilled currency would be the end of many of the freedoms that our societies enjoy, and this shows why, in contrast, Bitcoin, a highly decentralized, secure and censorship-resistant currency, is immensely important and represents one of the most potent tools humanity has today.

Aleksandar Kokotović is the crypto fellow at the Consumer Choice Center.
