Despite the various controversies and potential scandals surrounding MySejahtera, it has been reported that the app would be expanded with an appointment-making system at public primary healthcare facilities.
Expansion plans for the app have been in the works before, and it has been suspected that new modules provide an income stream for the developers in addition to keeping the app relevant.
However, many questions remain, and with the new administration in place, it is time for the endless speculation and theories regarding this troubled app to end, for better alternatives to be formulated and for those responsible to be held accountable.
With the expansion of the app, the first question is whether the government has signed a contract for the app’s procurement or not.
If yes, what are the terms, especially on costs, ownership, and parties involved? If not, under what deal is this module expansion happening and who is developing it?
It was reported in October 2022 that the Public Accounts Committee (PAC) recommended the government take ownership of MySejahtera.
For some historical context, KPISoft, now known as Entomo Malaysia (Entomo), was the directly appointed app developer, in what was initially understood as a Corporate Social Responsibility (CSR) deal with the government.
However, during the supposed CSR period, Entomo reportedly entered into a lucrative commercial agreement (OEM license agreement) with MySJ, making MySJ the effective ‘owner’ of the app.
This is likely the reason why the government directly appointed MySJ as the app manager-operator. They may not have a choice.
The rights transferred to MySJ from Entomo include the non-transferable and non-sublicensable license to use KPISoft software (owned by Entomo) to exclusively develop, test and support the app as well as owning the app’s trademark.
Entomo’s deal with MySJ ensures there was no need or use for open tenders, as no one else can legally operate MySejahtera other than MySJ.
Thus, the government was “trapped” into dealing with MySJ.
Most curiously, both MySJ and Entomo Malaysia share the same registered address and similar business address at Q Sentral—the same building but on different floors.
Even though Entomo Malaysia’s directors are different from MySJ, Entomo Malaysia’s single shareholder, Entomo Pte Ltd in Singapore, appears to share a common director with MySJ.
Needless to say, questionable insulation issues bring up governance concerns as MySJ and Entomo may not be completely independent of each other.
For example, an individual by the name of Raveenderen Ramamoothie is a director in MySJ as well as Entomo Pte Ltd. Note that Raveenderen is also one of the founders of KPISoft, which is now known as Entomo Malaysia.
As the sole shareholder, Entomo Pte. Ltd. has a controlling stake in Entomo Malaysia. It is reasonable for investigators to speculate if this is a typical characteristic of a proxy company.
The potential conflict of interest could be preventing MySJ from getting the best deal from Entomo, which could explain why MySJ’s biggest cash flow dent comes from what it owes to Entomo.
Analogically, at worst this could be akin to the left and right hand dealing with each other, and the person who owns both hands is “laughing to the bank” as someone else (the government) is paying for what could be “orchestrated” transactions. See EMIR Research article “Intense acrobatics surrounding MySejahtera deals” dated March 30, 2022, for more information.
Trouble has been brewing in MySJ’s leadership, and according to supporting items of court documents, Hasrat Budi (one of MySJ’s shareholders) is asking for independent consultants to conduct technology assessment, price benchmarking analysis and independent legal advisors to review the fairness of the one-off IP transfer fee and the annual license service fee that MySJ has to pay to Entomo, and even to look into potential governance issues.
A similar, if not more in-depth, due-diligence exercise to protect the government’s interest should have been done.
As reported by public health portal CodeBlue, by July this year a consent judgment was entered for Entomo and Raveenderen to purchase all of Hasrat Budi’s shares in MySJ at more than RM24 million.
Another MySJ shareholder, P2 Asset Management, had reportedly filed charges for a separate case (alleged breach of a share sale agreement) against MySJ, Revolusi Asia (the majority shareholder in MySJ, with Raveenderen as majority shareholder) and Entomo Malaysia.
However, according to MySJ data registered in the Companies Commission of Malaysia (SSM) on November 22, 2022, both Hasrat Budi and P2 Asset Management are still listed as shareholders. Both MySJ and Entomo Malaysia registered losses worth over RM76 million and over RM18 million respectively, according to the same SSM data for MySJ and SSM data registered on November 25, 2022, for Entomo Malaysia.
This is a troubled and controversial entity with a past shrouded in mystery, operating a generic and failing (underutilised) app with questionable data security.
If anything, these are reasons NOT to acquire MySejahtera—what more at a premium price, using public funds?
Something is amiss.
There are no upsides for the government to stick with MySejahtera unless there’s something there that they feel must be acquired, no matter what.
Is there something that must be fixed and not become public knowledge?
Potential Data Security Issues
How do we know that only the government has exclusive access to the data, especially before any formal contracts were made? What legal document(s) and infrastructure govern data accessibility, exclusivity, security and integrity, before and now?
In addition to probing legal documents, these can only be answered with forensic digital investigations or audits of the entire ecosystem.
Not only is Entomo Malaysia owned by a Singaporean entity, but, as reported by CodeBlue, Entomo Pte Ltd also has other shareholders, consisting of Singaporean, American, and Japanese corporate and individual shareholders, and individual shareholders from Malaysia, India, and Indonesia.
If the transfer of personal data out of the country did happen, even in the case of fulfilling a contract, users of MySejahtera, i.e., the data subjects, have not been approached to give consent. This would mean that Malaysia’s Personal Data Protection Act (PDPA) has been breached.
This brings us back to the question of why procuring the app appears to be the only option if the government already owns the data as it claims. Why must the platform be MySejahtera?
The high download rate of the app cannot be the reason to overlook serious issues that plague the app, and it doesn’t matter if people don’t even trust it enough. MySejahtera had recorded plummeting usage due to mounting doubt and distrust by app users as well as from the reopening of the economy.
PAC chairman Wong Kah Woh reportedly said that a ceiling price worth a whopping RM196 million has been set by the Finance Ministry to procure MySejahtera over two years.
How was this figure reached? What was the valuation process to justify this hefty price tag?
As pointed out by CodeBlue, this figure is more than the Health Ministry’s entire annual radiotherapy and oncology budget for 2022 of RM137 million.
One way for MySJ/Entomo to recoup their investment and prevent further losses is to create more modules that they could charge the government for, or to sell everything at a premium. Even if the combined losses of MySJ and Entomo Malaysia are worth RM94 million and it’s in their interest to sell everything at cost-plus, the value of a company and its assets isn’t determined by the total losses incurred.
As explained in the EMIR Research article “MySejahtera: Investigating Costing FairPlay” dated May 19, 2022, according to court documents, MySJ shareholders have agreed to a minimum of 30% profit margin at all times.
Referring to the meeting minutes provided as supporting documents in the court documents, this could be related to the fee that MySJ charges the government and the fee that Entomo Malaysia charges MySJ.
Therefore, however absurd MySJ’s costs may be (which appear to be mostly due to its financial obligations to Entomo), they would have to be repaid through fees paid by the government, i.e., taxpayers’ money.
Whatever the amount ends up being, comparisons with other countries and expert opinions point to it being highly overpriced.
EMIR Research has reported previously that Singapore’s SafeEntry digital check-in system and TraceTogether app and tokens were reportedly developed and acquired at S$13.8 million (roughly RM45 million).
That is assuming acquisition costs are accounted for, which would have profit margins built in. Even then, RM45 million is still far from RM196 million. This wouldn’t be the case if it was truly a “free” CSR deal, or minimal cost if the app was developed in-house.
For some indications of KPISoft’s actual costs, according to reports, KPISoft incurred over RM47.8 million throughout its “CSR commitment” from April to November 2020.
Even that could be questionable. Expert opinion reported in technology ecosystem news portal Digital News Asia (DNA) pointed to a cost of not more than US$238,000 (RM1 million) to develop the first three modules of MySejahtera, after studying its features.
A press statement released on March 29, 2022, by a Malaysian software developer offered to not only replicate MySejahtera but also improve it, for about RM6 million.
EMIR Research’s sources indicate the total development cost could be around RM8-12 million.
New Zealand’s initial contact tracing app design proposal was reportedly developed by a Malaysian-born technocrat in New Zealand within two weeks and the inventor charged no royalties for it.
Is there a high-value novelty in the MySejahtera app that only KPISoft/Entomo could deliver?
If the government is paying well above market price despite this information, is it because there is something that either Entomo and/or MySJ is holding, owning, or having knowledge of that gives them stronger negotiating power against the government?
Hold Those Involved Accountable
The direct and obscure appointment of KPISoft/Entomo in a contract-less CSR deal with only a non-disclosure agreement (NDA) to govern data ownership (which we know nothing about or if it is still legally enforced) is the catalytic domino piece that led to subsequent commercial, technical, and legal “traps”.
Without a contractual obligation, nothing stopped Entomo Malaysia from entering a commercial agreement with MySJ during the supposed CSR period.
Nevertheless, one might wonder what the purpose of the NDA is, then. Was the NDA breached when KPISoft/Entomo was dealing with MySJ?
According to Sunway University economics professor Dr Yeah Kim Leng and as reported in The Star on December 1, 2022, urgency and security reasons are some of the reasons that could make the open tender process infeasible.
No doubt the government could use the Covid-19 pandemic to justify urgency, but that doesn’t explain the lack of contracts or the opting for a CSR deal.
It is unthinkable that there were security reasons behind the direct appointment either. The need for data security and privacy calls for a clearly-defined and legally-enforceable agreement.
Someone (or a group of people) overlooked (deliberately or accidentally) simple governance and due-diligence procedures, or they were “conned” with a bad deal.
If there are other explanations for how the government ended up with the MySejahtera debacle, then it’s time the new administration lets the cat out of the bag.
The issues raised warrant further probing and EMIR Research did recommend that an independent commission be formed for the investigation.
Was there any investigation into the companies and individuals involved? What actions can be taken regarding the breached governance process? What were the PAC’s considerations in making its recommendation?
Taking over the app in its entirety is an obvious and convenient solution to the ownership issue, but we cannot sweep massive things like this under the rug.
Justice would not be served as the exorbitant cost will be paid using public funds, and there are no recommendations to hold those involved accountable.
Someone must pay for this mess, and it shouldn’t be the Malaysian people.
Evidently, we are left with more questions than answers.
Unlike geopolitical and/or economic repercussions potentially associated with cancelling the East Coast Rail Link (ECRL) project, it could be that in the case of MySejahtera, it is the associated applications, rights or data that are “being held as ransom”.
Whatever it may be, the government appears to be held at gunpoint and finds total acquisition as the only option.
While these questions remain unanswered, the expansion of new modules to bring back relevance to the app should be stopped until the necessary investigations are satisfactorily completed and presented to the public.
As suggested before, if the Malaysian government already owns the data (as it claims) and if there are ways to securely migrate (and integrate) all data to a new app, then the government should change the platform, relieving the government from its perpetual dependency on MySJ/Entomo, or from the need to make a costly procurement.
As for the new platform/app, the government should then proceed with an open tender.
If there are contractual penalties that we are not aware of, then the investigation becomes ever more important, as contracts that breach the law are null and void and illegal conduct can invalidate the deal altogether, relieving the government of penalties.
In line with Datuk Seri Anwar Ibrahim’s brand of administration that is reformed, the MySejahtera debacle must be investigated fully and thoroughly, detailed and transparent explanations must be provided by the authorities on all the questions raised, better deals must be formulated and those in the wrong must be held accountable.
Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.