Malaysia’s Proposed Social Media eKYC Risks Repeating South Korea’s Mistake
When Malaysia’s Communications Minister, Fahmi Fadzil, introduced mandatory identity verification for social media platforms, it sparked a heated national debate.
The proposal, under Malaysia’s upcoming Online Safety Act, aims to make electronic Know-Your-Customer (eKYC) checks mandatory for all social media users. This is a process where users verify their identities using MyKad, passport, or MyDigital ID before being allowed to post, comment, or even create an account.
While eKYC is an established practice in high-risk services like banking, requiring it for the dynamic and expressive world of social media would vastly expand both its intended purpose and its potential for misuse.
There is no denying the problems the government seeks to tackle: widespread online scams, hate speech, and child exploitation. Proponents insist that removing anonymity is a necessary and effective deterrent against these abuses. But on closer inspection, this measure raises serious concerns that need to be discussed.
The South Korean Precedent
Malaysia is not the first nation to consider tying online identity to real-world verification. Perhaps the most instructive example is South Korea, where in 2007 the government made it mandatory for top websites to adopt a "real-name" system. The law was repealed in 2012 not just for its ineffectiveness in reducing cyberbullying, but because the nation's Constitutional Court ruled it unconstitutional, stating it disproportionately restricted freedom of speech. Furthermore, while the system itself was not the direct cause, the centralized collection of identities exacerbated a catastrophic 2011 cyberattack that leaked the data of 35 million users. This history demonstrates that the promised safety benefits of such systems are often illusory and that the systems fail their core objectives.
The Uncomfortable Trade-Offs
1. Effect on Speech and Dissent
While the intention to enhance online safety is clear, the proposed method carries far-reaching consequences. First on the chopping block would be anonymity. Journalists, whistleblowers, victims of abuse of power and vulnerable communities rely on pseudonyms to speak safely. They would all risk exposure if their online activities and associations were tied to a verified identity.
The risks are exacerbated by Malaysia’s existing legal framework. The government already possesses powers to prosecute online speech under Section 233 of the Communications and Multimedia Act (CMA). This is a broadly worded law frequently used to investigate and prosecute online criticism. Linking online activity directly to a verified identity would supercharge such instruments and have a severe effect on free expression.
2. Ineffectiveness and Catastrophic Security Risks
The fundamental effectiveness of eKYC in stopping the very abuses it claims to eliminate is highly questionable. Sophisticated malicious actors are unlikely to be deterred by a verification wall. They will simply adapt, using stolen identities, sophisticated bots, virtual private networks (VPNs), or offshore SIM cards to bypass the system. This creates a dangerous false sense of security: while law-abiding citizens are forced to surrender their anonymity and privacy, malicious actors will continue their activities with minimal disruption.
Furthermore, Malaysia has suffered several major data breaches, including the 2017 incident involving 46 million mobile subscriber records. A centralized identity repository for social media would become a prime target for cybercriminals, and the government's uneven record in this area offers little confidence that such an information treasure trove can be safeguarded.
Compounding this is a critical loophole in our data protection laws. Malaysia’s Personal Data Protection Act (PDPA) explicitly excludes the federal and state governments from its provisions. This means that if a government body holds the verified social media data of millions of citizens, that data is not legally protected by the PDPA, leaving it vulnerable to misuse without clear legal recourse for the public.
3. Deepening Social Exclusion and Marginalization
A nationwide eKYC requirement would grant visibility only to those who are documented and connected. Unregistered foreign workers, refugees, and stateless individuals, many of whom live and work in Malaysia, do not possess the officially recognized identification documents required for eKYC. Under a mandatory verification framework, these groups would be effectively denied the ability to access information or participate in public dialogue. For communities already marginalized, this would further entrench their social and informational isolation.
4. Economic and Diplomatic Friction with Tech Platforms
Next, the proposal must address the monumental burden on international platforms. These platforms would be required to build and maintain complex, secure verification systems tailored to Malaysia. This creates a direct conflict with their own global privacy frameworks and could violate stricter international regulations like the EU's General Data Protection Regulation (GDPR), which bans the processing of government-issued IDs. Faced with these legal conflicts and operational costs, platforms are more likely to respond by limiting functionality or adopting a minimal compliance approach, such as by restricting some app features for Malaysian users. This would degrade the digital experience and economic opportunities for Malaysian users and businesses and thus undermine the very benefits of a connected internet.
A Prerequisite for Consideration
This proposal can be seen as an evolution of state control over the digital realm in Malaysia. While past measures like DNS blocking focused on restricting the availability of information, the eKYC plan addresses online harm through the surrender of personal confidentiality, trading anonymity for a promise of accountability. The greatest long-term risk may be "function creep," meaning the inevitable expansion of a system beyond its original purpose.
Given the profound implications, launching such a system without the transparent and inclusive public consultation it warrants would be a profound mistake. The government must move beyond general assurances and present a detailed plan that addresses the following non-negotiable points:
- First, it must provide absolute clarity on data governance. The public needs to know precisely who holds the data (the platforms or a government body) and the exact chain-of-custody protocols that will be legally enforced.
- Second, the proposal must be backed by ironclad, specific legislation that goes beyond the general framework of the existing Personal Data Protection Act (PDPA). This new law must define strict, independent oversight for data access and severe penalties for misuse.
- Finally, the government must demonstrate that this invasive measure is both necessary and proportionate. It has not yet exhausted less restrictive alternatives, such as enforcing stringent, platform-level moderation standards, investing in advanced law enforcement capabilities to trace criminal activity, and launching aggressive national digital literacy programs to empower users.
Rushing this policy risks causing irreversible damage to Malaysian democracy and digital freedom. The burden of proof lies with the government to show that this drastic step will not simply trade our digital liberty for a false promise of security.