THE Election Commission (EC) website where voters can check their voting constituency and polling station by entering their MyKad number is not secure, tech blogger Keith Rozario said.
The creator of sayakenahack.com, aimed at helping victims of a massive data breach to find out if they were affected, said in a blog post that the EC site was marked as “insecure by Google Chrome because it doesn’t even have TLS”.
TLS, or Transport Layer Security, is meant to ensure privacy and data integrity between two communicating computer applications. In the case of a voter checking their status on the EC website, TLS would ensure that data travelling between the voter’s browser and the EC over the WiFi or data connection in use is encrypted.
“In *** 2017, your website doesn’t have TLS??” said Rozario.
He said that without TLS, someone searching for their voting information on the EC website could have their data “transferred in clear across the internet for anyone in the middle to see”.
“It also means that your browser is not authenticating the site, and anyone can create a fake (EC) website and make it look identical.
“If you’re logged onto the (EC) website from a kopitiam WiFi, I can see the data you’re sending (and receiving) just by logging on the same WiFi,” he said.
Rozario was defending the security of sayakenahack.com, which has been blocked by the Malaysian Communications and Multimedia Commission on grounds that it violated the Personal Data Protection Act, under which it is an offence to disclose private information without the consent of users through any platform.
But Rozario said sayakenahack.com was more secure than the EC’s website as he had gone to great lengths to protect it – “definitely more effort than the EC”.
He said while government websites were exempt from the Personal Data Protection Act, the damage when a breach of information occurred was the same whether the data came from the government or private companies.
The personal data on sayakenahack.com are from a breach involving 46.2 million mobile service subscribers, believed to have taken place between 2014 and 2015.
Rozario, who said he believed he was doing the right thing by providing a service to victims of the breach, said he had “masked” the data on the site so that only users affected could identify their numbers and no one else.
The breach was first revealed by Lowyat.net in an article last month but the online forum removed it on MCMC’s instructions.