Cybersecurity Experts Flag Surveillance, Data Breach Risks In Social Media eKYC Plan
Cybersecurity experts have warned that handing national identity document (ID) data to social media platforms for electronic know-your-customer (eKYC) checks could increase the risk of that information being misused for surveillance.
Universiti Sains Malaysia professor Selvakumar Manickam told Malaysiakini that eKYC usage could eliminate anonymity online, allowing authorities or rogue government employees to trace dissenting comments and posts to specific MyKad numbers, which contain further information on users.
"There is also a chilling effect in which users self-censor because they fear the consequences of being identifiable.
"Inter-agency data sharing could expand into a broad surveillance environment that citizens cannot easily opt out of or challenge," the USM Cybersecurity Research Center director said.
On Sunday, Communications Minister Fahmi Fadzil said Malaysians below the age of 16 will not be allowed to sign up for social media accounts from next year as part of the government’s efforts to strengthen online safety for children.

Social media platform providers are expected to be ready to implement eKYC by next year, The Star quoted Fahmi as saying.
The cabinet has raised the minimum social media age from the earlier proposed 13 to 16, requiring platforms to verify users’ ages via official documents like MyKad, passports, or MyDigital ID through eKYC.
eKYC is a digital identity verification process that typically uses biometric technology to authenticate individuals, based on unique physical traits such as fingerprints, facial features, voice patterns, or iris scans.
Speaking on the potential misuse of data for surveillance, Digital Ihsan founder Aaron Ikram Mokhtar said the risk increases in jurisdictions with weak legal safeguards or limited oversight.
"Any central store of identity documents and face templates can be repurposed intentionally or under legal compulsion for surveillance: matching faces to accounts, tracking people across services, or identifying protesters/critics," the cybersecurity advocate said.
Adding to this, Universiti Malaya professor Ainuddin Wahid Abdul Wahab cautioned that, without rules to prevent misuse, the move may not only reduce abuse but also discourage honest speech.
The UM Computer Science and Information Technology Faculty lecturer said safeguards should ensure that the system strictly limits data use to its intended purpose while recommending robust access logs that are independently audited.
Penalties must be imposed for any use of eKYC data beyond safety goals, he added.
‘Like a busy airport’
Aaron also raised concerns that any centralised database combining national ID details with biometric information would be seen as an especially attractive target for malicious actors.
Unlike normal data breaches, Ainuddin pointed out that leakages involving biometric data could have permanent consequences.
"If social media platforms collect eKYC at scale, a single breach could expose millions of people’s government IDs and facial biometrics.
"That raises the impact from nuisance (spam) up to life-long harm such as identity theft, doxxing, and targeted surveillance," he said.
Selvakumar noted that any resulting identity theft could lead to criminals using the data to apply for loans or register mule accounts using another person's name.
While social media platform providers do invest in security and employ specialist teams, Ainuddin said their systems are meant for the collection of data at a large scale as well as for sharing between apps, vendors, and regions.
He used the analogy of a busy airport to illustrate his point: "Strong security measures are in place, yet numerous doors and personnel increase the likelihood of mistakes.
"Multiple internal access points and third-party integrations can become weak links unless tightly controlled."
MyKad leaks
Data breaches have become a growing concern in Malaysia, with recent years witnessing a series of leaks of varying severity involving national ID information.
In December last year, dark web threat intelligence company Stealth Mole reported an alleged data breach, claiming that 17 million MyKad records were being sold on the dark web.

Some social media users said the image shared by Stealth Mole - which appeared to be photos of the front side of MyKads - indicates that the leak was of eKYC data.
In February the same year, an international hacker group claimed to have gained access to terabytes of data from the National Population and Family Development Board.
Addressing concerns that such incidents could recur, Selvakumar commented that social media companies are fundamentally advertising businesses, built for engagement rather than security.
He also warned of potential scope creep, cautioning that companies could eventually expand the use of eKYC data into areas such as targeted political advertising or surveillance, without securing proper consent.
Use parent verification instead
Instead of having social media platforms implement eKYC, the experts proposed alternative measures to safeguard minors online.
Aaron touted verification by a parent or guardian as the best way around the issue.
"The parent logs in using eKYC, then links their child’s account. Then the parents approve their child’s access.
"That way, the child’s data is not collected, and it works even when the child doesn’t have their own ID. Parents are also involved (in the process), and they are aware of which social media platform the child is using," he explained.

Ainuddin also recommended this approach, which he called "age-only proof".
Some European Union and United Kingdom approaches rely on third-party age-verification tokens, allowing platforms to avoid storing identity card scans altogether, he said.
Similarly, Selvakumar said the government should pivot towards exploring less invasive mechanisms before proceeding with mandating full ID uploads.
"Until there are absolute technical and legal guarantees, centralised ID storage should be approached with caution," he said. - Mkini
This article is only a cached copy from the author's original URL, which may be too old or may already have been removed:
http://malaysiansmustknowthetruth.blogspot.com/2025/11/cybersecurity-experts-flag-surveillance.html