Communications and Multimedia Act 1998

BFM Podcast: LANDMARK #22: WHAT HAPPENS WHEN OUR PERSONAL DATA IS LEAKED

Late last year, it was reported that the private data of 46.2 million mobile phone subscribers were leaked sometime in the middle of 2014. All 14 telcos were affected in what is Malaysia’s biggest ever data breach. Explaining what this means for you and me is lawyer Foong Cheng Leong. He chairs the KL Bar’s Information Technology and Publications Committee.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

SayaKenaHack.com and Privacy

Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform to allow people to check if they were affected by the data leakage of 46.2 million mobile phone subscribers. The website allowed users to key in their identity card number and the website will inform the users whether they are affected by the leakage. If they are affected, the website will yield a masked mobile number. Some users have complained that those masked numbers do not resemble their mobile numbers.

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communication and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA).S. 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it had contained personal data which had been collected without the consent of the data user pursuant to s. 130 of the PDPA. The Commissioner then advised members of the public to be vigilant when sharing personal data with others, among others.

Unfortunately, Keith Rozario decided to close SayaKenaHack.com upon being blocked. It would be interesting if he had filed an action to challenge the blocking order. So far, there is no reported case on anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking order. Under the s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, on my personal capacity (not on behalf of Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download“, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-

SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach“, I added:-

“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner

There may be a recourse against the telecommunication companies for negligence i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

Currently, a company is now being investigated for causing the said personal data protection leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act“, the Personal Data Protection Commissioner stated that 3 companies have fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

..an individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

Bread & Kaya: Are WhatsApp admins going to jail?

Bread & Kaya: Are WhatsApp admins going to jail?

By Foong Cheng Leong | May 02, 2017

– Two key elements in s. 233 are not fulfilled by a group chat admin
– To use s. 114A to attach liability on a group chat admin is stretching s. it too far

I REFER to the recent news reports stating that the Honourable Deputy Communications and Multimedia Minister Jailani Johari announced that group chat admins can be held accountable under the Communications and Multimedia Act 1998 (CMA) if they fail to stop the spread of false news to its members.

With due respect to the Honourable Deputy Ministry, the CMA, in particular s. 233 of the CMA, does not attach any liability to an admin of a group chat admin for spreading “false news”.

For ease of reference, I reproduce s. 233 of the Act:-

233 Improper use of network facilities or network service, etc

(1) A person who-

(a) by means of any network facilities or network service or applications service knowingly-

(ii) initiates the transmission of,

any comment, request, suggestion or other communication which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person; or

(b) initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address,

commits an offence.

(2) A person who knowingly-

(a) by means of a network service or applications service provides any obscene communication for commercial purposes to any person; or

(b) permits a network service or applications service under the person’s control to be used for an activity described in paragraph (a),

commits an offence.

(3) A person who commits an offence under this section shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both and shall also be liable to a further fine of one thousand ringgit for every day during which the offence is continued after conviction.

The offence under s. 233(1) of the CMA is committed by a person who uses any network facilities or network service or applications service knowingly makes, creates or solicits and initiates the transmission of an offensive communication with intent to annoy, abuse, threaten or harass another person. Two key elements in s. 233 are not fulfilled by a group chat admin namely “knowingly make or initiates the offensive communication” and “with intent to annoy, abuse, threaten or harass another person”.

As for s. 233(2), liability is only attached to a person who knowingly provide or permits an applications service to provide any obscene communication for commercial purposes. This is also not applicable to the present case.

It is noted that s. 114A of the Evidence Act 1950 provides for three circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her. The relevant section, namely s. 114A(1), states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.

In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content.

To use s. 114A to attach liability on a group chat admin is stretching s. 114A too far. It must be highlighted that s. 114A was introduced to “provide for the presumption of fact in publication in order to facilitate the identification and proving of the identity of an anonymous person involved in publication through the internet” (Explanatory Statement of Evidence (Amendment) (No. 2) Bill 2012). Common sense would dictate that a group chat admin is not a publisher of their member’s messages.

In fact, in the Delhi High Court case of Ashish Bhalla vs Suresh Chawdhury & Ors, the Court held that:-

Similarly, I am unable to understand as to how the Administrator of a Group can be held liable for defamation even if any, by the statements made by a member of the Group. To make an Administrator of an online platform liable for defamation would be like making the manufacturer of the newsprint on which defamatory statements are published liable for defamation. When an online platform is created, the creator thereof cannot expect any of the members thereof to indulge in defamation and defamatory statements made by any member of the group cannot make the Administrator liable therefor. It is not as if without the Administrator‟s approval of each of the statements, the statements cannot be posted by any of the members of the Group on the said platform

Perhaps the Honourable Deputy Minister should clarify which section in the CMA attaches liability to a group chat admin to avoid further confusion and panic to group chat admins.


First published on Digital News Asia on 2 May 2017.

BFM Podcast: LANDMARK #4: FACEBOOK

Subsequent to my update on the Malaysian 2016 cyberlaw cases, I was interviewed by BFM Radio to talk about general laws applicable to social media in Malaysia on 13 April 2017. I also covered the rules applicable to your digital data after your death and how to manage them in preparation of your death.


Who owns the pictures you post on Facebook? Can comments you post on Facebook be used against you in court, even after it is deleted? How is defamation defined on social media? On this episode of Landmark, a series exploring how the law shapes society and vice versa, lawyer Foong Cheng Leong talks us through recent rulings involving the social media platform and explains where the law currently stands when it comes to Facebook.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

Bread & Kaya: 2016 Cyberlaw cases – Cyber Court, Facebook fights and hacking

SEPT 1, 2016 marks the commencement of Malaysia’s first Cyber Court. Consequently, pending cases relating to cybercrime such as PP v Mohd Zaid bin Ibrahim (for a charge under s. 233 of the Communications and Multimedia Act 1998 for allegedly making an offensive statement while calling for the resignation of Prime Minister Najib Razak) was transferred to the newly established Cyber Court before Kuala Lumpur Sessions Court Judge Tuan Zaman Mohd Noor. Practice Direction No. 5 Year 2016 was subsequently introduced to give a special category for cyber cases for both civil and criminal cases.

2016 saw a drop in civil litigation relating to publications on blogs, Twitter and online forums but civil litigation on Facebook thrived. Facebook became the top platform causing disputes between parties in Malaysia. However, Twitter is still a popular platform for criminal investigations as our Inspector General of Police a.k.a @KBAB51 frequently orders investigations against netizens on Twitter.

There is still no shortage of cases relating to disputes on blogs. In Khairulazwan Bin Harun v Mohd Rafizi Bin Ramli (Kuala Lumpur High Court Civil Suit No: 23NCVC-55-07 /2015), the Plaintiff, Deputy Leader of UMNO Youth Wing, filed an application for leave to initiate a contempt proceeding against the Defendant, Vice-President and Secretary-General of the People’s Justice Party (PKR), for sub judice.

The Defendant had apparently published an article in his blog issues which are pending in the Court. According to the Plaintiff, the contents of the article are such that they interfere with the due administration of justice and attacked the merits of the ongoing suit and cast aspersions on the independence and integrity of the judiciary and judicial process and therefore be an act of contempt.

The learned High Court Judge dismissed the application holding that there is no sub judice. The learned High Court Judge held that the general rule is that the law of contempt cannot be used to curtail public discussion of matters of public importance and public interest albeit that these matters may already be the subject of a court action.

In a case relating to a defamation action by a lawyer against the Defendant who is allegedly the infamous blogger, Papagomo, the High Court had rejected the Plaintiff’s action because he had failed to prove that the Defendant is Papagomo notwithstanding that the Plaintiff had called numerous witnesses to prove the same.

The Plaintiff even called a blogger who had allegedly met Papagomo in an event and had positively identified the Defendant as Papagomo, and also another blogger who had testified that Papagomo is the Defendant. The Court of Appeal ((Dato’ Sukri Bin Haji Mohamed v Wan Muhammad Azri bin Wan Deris (Court of Appeal Civil Appeal No. D-02(NCVC)(W)-783-05/2014)) overruled the High Court on this point and held:-

In our view it is reasonable to infer that in the world of bloggers it is highly probable that a blogger knows the other blogger next to him or her. This probability is real because blogs are circulated in virtual space and they are widely read. It is not something that is unusual or unthinkable that sometimes bloggers do engage in virtual debate or argument and respond to each other over issues which attract public interest such as corruption and misuse of power or position by public officials or public figures

In the same case, it is interesting to note that a witness from the Forensic Legal Department of the Multimedia Commission testified that the Commission monitors blogs and articles published through them; and would investigate any offence under the Communication and Multimedia Act 1998 relating to ‘blog-blog lucah, jelek, mengancam dan sebagainya’ when it received complaint from internet users. He also testified that the Commission has data and information for each blog.

Facebook

In Maricel Cabangon Peralta Perimaloo v Riccardo Rovati & 3 Ors (Kuala Lumpur High Court Suit No. 23VCVC-18-03/2015), the Plaintiff, a former maid of the 1st and 2nd Defendants, sued the Defendants for defamation. The Plaintiff left the employment of the 1st and 2nd Defendants and filed a complaint with the Labour Office at Kuala Lumpur.

The Plaintiff alleged that, among others, the 2nd and 4th Defendant had published defamatory statements on Facebook. However, on the application of the Defendants, the High Court struck out the Plaintiff’s claim against the Defendants on the ground that the statements made were honest, based on facts and raised during a proceeding at the Labour Office at Kuala Lumpur and thus it is protected by absolute privilege and immune from an action for defamation.

In Chan Fei Yu & Yang Lain lwn. Siow Rong Jeing & Yang Lain (Kuala Lumpur High Court Suit No. 23NCVC-12-03/2015), the Plaintiffs sued the Defendants for publishing certain statements on Facebook that allegedly had defamed the Plaintiffs.

The 1st and 3rd Defendant had apparently published the 3rd Defendant’s allegation that the Plaintiffs had been negligent in grooming the former’s dog until it suffered injury. Further in this case, the Plaintiffs initiated contempt proceeding against the 3rd Defendant for allegedly providing fake residential addresses in his affidavits filed in Court.

The 3rd Defendant explained that one of the addresses was his former addresses whereas the other address is his mother’s residence. Fortunately for the 3rd Defendant, the Court accepted his explanation and held that the 3rd Defendant did not provide fake residential addresses to avoid service of the legal papers and interfere with or impede the administration of justice.

In Wedding Galore Sdn Bhd v. Rasidah Ahmad [2016] 6 CLJ 621, the High Court affirmed the Sessions Court’s decision in granting a public apology on Facebook and general damages of RM10,000 after the Defendant had taken the Plaintiff’s photographs from her Facebook account and published them in sales brochures for use at a wedding carnival without permission.

In Lim Yun Min & 7 Ors v Ng Han Seng & Anor (Shah Alam Sessions Court Suit No. B53F-7-03/2016), the Plaintiffs sued the Defendants for allegedly defaming them on Facebook. The Defendants applied to strike out the Plaintiffs’ claim for failing to:-

(1) state the Facebook URL address where the statements were published;

(2) state the exact time of publication of the statements; and

(3) identify or name the parties whom the Defendants are alleged to have published the statements and the Plaintiffs did not give the particulars of those parties who have read the alleged Impugned Statement.

The Plaintiffs have also failed to plead the statements in original language i.e Chinese.

The Sessions Court held that the Plaintiffs have failed to provide complete the Facebook web addresses and the identity of the parties that have read the statements. Instead of striking out the case, the Court used its discretion to order the Plaintiffs to amend their pleadings with cost payable to the Defendants.

In GGC v CCC & Anor (Kuala Lumpur High Court Divorce Petition No: 33-1415-08/2013), the Petitioner Wife (PW) sought damages from a lady (CoR) for allegedly committed adultery with her husband (RH). To prove adultery, PW relied on CoR’s Facebook postings to prove that RH and CoR had gone for a trip to various places. The Court stated:-

[84] The PW alluded to the CoR’s Facebook comments, status and photos uploaded by Co-R Pangkor Laut Resort, Maxim Hotel stay. However, there is no name or image of RH that appeared in any of these photos referred by PW. It was only by inference from some of the comments made by CoR’s friend that PW alleged RH was in those photos with the CoR. Nevertheless, none of these people who commented on the Facebook had been called by PW as witness. These comments or observation by public are therefore merely hearsay and cannot constitute evidence that this Court may rely on with respect to its truth.

[100] It is also in keeping with the times. In this day and age where with increased mobility, both physical and electronic and the easy access to new-fangled means of communication via the Internet, Wechat, WhatsApp, Skype, Blogs, Twitter and the like, there has been ushered in a whole new world of unlimited opportunities to communicate with anyone anywhere at anytime. With certain communication between the sexes, chemistry develops and opportunities to meet abound. While private investigators may be hired to track and collect evidence of a spouse’s infidelity, logistical costs have become prohibitive for many who have every reason to suspect a spouse is cheating on him or her but always a challenge to prove adultery. The time is both right and ripe for a realignment of the standard of proof even in adultery in a divorce petition to that of on a balance of probabilities.

Last year, I reported in Rina Simanjuntak v PP (Criminal Appeal No: P-05-256-09/2014), a Yahoo Messenger Chat log saved the life of Rina Simanjuntak who had been sentenced to death by the High Court for drug trafficking. In 2016, Facebook chat messages saved the life of a German by the name of Rudolf Tschernezow who was charged with drug trafficking. The High Court in PP v. Rudolf Tschernezow [2016] 1 LNS 654 held the Accused managed to prove that he is an innocent carrier using those messages [Update: Court of Appeal in PP v Rudolf Tschernezow (Criminal Appeal No J-05(LB)-345-12/2015) overturned the High Court’s decision).

In Norfariza Binti Harun v Dr Yusaidah Binti Yusof & Anor (Negeri Sembilan Sessions Court Civil Suit No. A53KP-04-11/2014), the Plaintiff sued the 1st Defendant for medical negligence while treating the Plaintiff. In support of the Plaintiff’s case, the Plaintiff had relied on various medical articles obtained from websites such as Healthline.com, webMD, Medicine Net.Com. However, the Court held that Plaintiff’s reliance on various websites to establish the effects of medications, misdiagnosis of Plaintiff’s symptoms and the prescriptions given is insufficient to establish the Plaintiff’s case without calling any medical expert. The Plaintiff’s case was therefore dismissed.

In Reka Setia Playground Sdn. Bhd. v Siow Wee Hong (Berniaga sebagai AZ Playground Builder) (Shah Alam High Court Suit No. 22NCVC-553-10/2015), the Plaintiff sued for copyright infringement over certain designs and works. In attempting to prove that the Plaintiff has no valid copyright claim over the design and works, the Defendant referred to a Prior Art Search Report.

The said Report utilised, among others, Google Search Results as a gauge or yard stick to determine whether or not there are contradicting copyright claims. The Court held that Google cannot be a credible copyright database. Google is merely an internet search engine and cannot be a determinant of any copyright claims or contradictions. Therefore, this Court held that it will not take into account any portions of the Search Report pertaining to Google Search Results.

On a slightly technical side, in the case of Wing Fah Enterprise Sdn Bhd v Matsushita Electronic Components (M) Sdn Bhd (Shah Alam High Court Suit No. 22-753-2005), the High Court held that s. 90A of the Evidence Act 1950 was not enacted to allow admissibility of documents downloaded from the internet. The High Court said that the meaning of computer producing the document must be a computer in the course of its ordinary use.

This refers to dedicated computers kept in organisations to do a certain function of general purport. This provision would cover for instance computers producing receipts on payments. In the present case the Plaintiff’s computers keeping details of accounts for instance would be covered by this provision. The production of the account sheets of the company from this computer would therefore be admissible under this provision. However information downloaded from the internet in no way form the ordinary use for the Plaintiff’s computers.

Computer Crimes Act 1997

Before 2016, it’s a rarity to find reported judgments relating to the Computer Crimes Act 1997. However, three (3) judgments relating to the same were published by the High Court in 2016.

In Basheer Ahmad Maula Sahul Hameed & Anor v Pendakwa Raya (Kuala Lumpur High Court Criminal Appeal No. 42(S)-44-06/2015), the High Court dismissed the appeal by the accused over their sentencing for, among others, stealing from the accounts of a few victims from the MH370 air flight tragedy using their ATM cards and online banking.

In Roslan bin Mohamad Som & Anor v Pendakwa Raya (Kuala Lumpur High Court Criminal Appeal No. 42(S)-69- 05/2014 and 42(S)–131–11/2014), the 2nd accused’s appeal over his conviction for making unauthorised modification to Tabung Haji’s database by inserting certain information therein was dismissed by the High Court.

However, in Pendakwa Raya v Vishnu Devarajan (Kuala Lumpur High Court Criminal Appeal No. 42(ORS)-60-07/2015), it was reported that the accused’s 36 charges under the Computer Crimes Act 1997 were struck out by the Sessions Court and subsequently upheld by the High Court as the charges failed to state the physical location where the alleged crime had happened. The High Court also held that an internet protocol (IP) address is not an address where a crime had happened in a charge sheet.

Communications and Multimedia Act 1998 (CMA)

Numerous netizens were subject to an investigation under s. 233 of the CMA (“s. 233”). Notable, a 19 year old boy, Muhammad Amirul Azwan Mohd Shakri, was given the maximum sentence of 1 year for a charge under s. 233 for insulting the Crown Prince of Johor on Facebook notwithstanding that he had pleaded guilty and was unrepresented.

The sentence was subsequently substituted the jail term and sent Amirul to the correction school. In another case, A 76 year old man who goes by the name of “Pa Ya” was arrested and remanded for 3 days for uploading an allegedly insulting photo of Prime Minister Najib Razak. Activist Fahmi Reza was also charged under s. 233 for posting an edited image of Prime Minister Najib Razak on his Instagram account.

On the independent media side, the access to The Malaysian Insider had been blocked pursuant to the direction of the Malaysia Communications and Multimedia Commission (MCMC) vide its powers under s. 263 (2) of the CMA. The MCMC frequently uses the said s. 263 to direct its licensees (i.e. Internet Service Providers) to deny access of netizens to websites to prevent the commission or attempted commission of an offence in Malaysia.

Further, Malaysiakini’s editor-in-chief Steven Gan and KiniTV Sdn Bhd were also charged under s. 233 for airing an allegedly offensive video on KiniTV’s website. The alleged offensive video was of a press conference held by Khairuddin Abu Hassan titled “Khairuddin: Apandi Ali is not fit to be AG and he should quit immediately. Steven Gan was also charged on his capacity as a director of KiniTV Sdn Bhd pursuant to s. 244 of the CMA.

Others

In an interesting case regarding Groupon (an e-commerce marketplace), a user of Groupon Malaysia purchased a tour package vide its platform from one of Groupon’s merchant. However, the said merchant allegedly cancelled the tour and no refund was made by the said merchant to the user. Groupon, however, made a refund to the user. Dissatisfied, the user demanded that Groupon bear the payment he made to Groupon’s merchant.

Groupon rejected the demand and the user made a complaint to the Consumer Tribunal. The Consumer Tribunal held in favour of the user and held Groupon liable for the payment to its merchant. Groupon thereafter filed an application for judicial review against the Consumer Tribunal’s decision in Groupon Sdn Bhd v Tribunal Tuntutan Pengguna & Anor (Kuala Lumpur High Court Judicial Review Application No. 25-332-12/2015)

In the said application, Groupon stated that, among others, that it is merely an online marketing platform and never an agent of the travel company and pointed out that this was highlighted in its terms and conditions – as agreed by the user.

According to the Court’s records, the High Court overturned the Consumer Tribunal’s decision. Unfortunately, no grounds of judgment had been published. But one can assume that an online marketing platform is not necessarily liable for its merchants’ actions.

There are some interesting developments in the realm of cyber and electronic world not seen in Malaysia.

In Lancashire County Council v M & Ors (Rev 1) [2016] EWFC 9, Mr Justice Peter Jackson and published online is thought to be the first in English legal history to incorporate an emoji, or web symbol, to explain a point of evidence. In paragraph 27(13), the Court said:-

In the United States case of In the Matter of the Search of an Apple iPhone Seized during the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 (popularly known as the Apple v. FBI case), the FBI requested the Court to compel Apple, Inc to assist the FBI to access an Apple phone found in a car of one of the San Bernardino shooters.

The FBI had requested Apple, Inc to remove some features from its phone such as the auto erase function, the requirement for passwords to be entered manually and any software-invoked delay-upon-failure functions. Apple, Inc contested the request heavily. However, the FBI dropped its case after it found other ways to access the phone.

Closing

We can expect that amendments to the Communications and Multimedia Act 1998 to be introduced this year. The amendments of the CMA were supposed to be tabled in the 2016 Dewan Rakyat sitting but it never came to light. It is still unclear what are the exact proposed changes. However, we do know that the punishment for contravention of s. 233 will be increased.

There should also be an increase of harassment case be brought to Court with the advent of tort of harassment (Mohd Ridzwan bin Abdul Razak v Asmah Binti HJ. Mohd Nor (Federal Court Civil Appeal No 01(f)-13-06/2013 (W)). One may bring a person to Court with a help of a lawyer without relying on the authorities.

The cost of hiring a lawyer should now decrease with the advent of many new start-up law firms in Malaysia. Furthermore, there are now online platforms that can match lawyers and members of public such as BurgieLaw and CanLaw.

First published on Digital News Asia on 2 March 2017 (Part 1) and 3 March 2017 (Part 2)

BFM Podcast: LANDMARK #3: INSULTS

I was interviewed by BFM Radio to talk about online insults and the Communications and Multimedia Act 1998 on 18 July 2016.


Last month, a 76-year-old man was arrested by the police for allegedly posting an insulting picture in a Whatsapp group chat. The man, identified as Pa Ya in media reports, was arrested in Petaling Jaya, where he lives, and taken into custody for investigation, under Section 233 of the Communications and Multimedia Act 1998, in Johor. On this month’s episode of Landmark, a series examining how the law shapes society as vice versa, lawyer Foong Cheng Leong explains what constitutes an insult and when it is considered an offense.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

Sarawak Report should sue MCMC for blocking site, say lawyers

I was quoted by Malaysia Insider on their report “Sarawak Report should sue MCMC for blocking site, say lawyers” on 22 July 2015. The relevant extract is below.

However, personal data protection expert and lawyer Foong Cheng Leong told The Malaysian Insider that none of the provisions in the Communications and Multimedia Act 1998 explicitly provided for blocking access to sites.

In justifying its decision, MCMC on Sunday said it had acted according to Section 211 and 233 of the act. Both these sections provide for criminal prosecution against those who have been deemed to publish “offensive” content, or content that intends to “annoy” or “harass” any person.

Under both sections, an offender can be sentenced to not more than one year jail or RM50,000 fine, or both.

But Foong said the more relevant act that MCMC could have used to justify its action was Section 263, which said licensees, which were network providers, had the general duty to assist MCMC in preventing the network being in commission of any offence under Malaysian laws.

“This is the provision that is used to compel service providers to help block a website upon request by MCMC,” Foong said.

However, even this section did not explicitly provide for the blocking of a website.

Service providers are not obligated by law to cede to requests to block certain cites, but they normally comply with such requests since MCMC regulates their licences.

“It is possible to bring this matter to the court and challenge it, one possibility is to say that this is ultra vires what is provided for in the act itself,” Foong said.

Section 3 (3) of the same act states that the act does not allow for the censorship of the Internet, in line of the Multimedia Super Corridor (MSC) Bill of Guarantees, which promised the same.

“And because the act doesn’t explicitly provide for blocking of a website, one can also argue that MCMC is acting beyond its scope (with the block).”

There’s a slight clarification on the use of s. 263. If we look at MCMC’s notice, it did state that the blocking order is made pursuant to s. 263 of the CMA. The exact section is s. 263(2) of the CMA provides the following:

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

The sentence “preventing the commission or attempted commission of an offence” is key here. No actual offence needs to be committed but an attempt is sufficient to enable MCMC to act against a website. The section does not expressly state “blocking order” but such blocking order is commonly used against unlawful websites such as pornography or drugs websites.

I made further comments in the Malay Mail in their article “Sarawak Report blockage shines light on ‘abusive’ MCMC powers” on this matter:-

Lawyer Foong Cheng Leong, who is well-versed with cyber law, said Section 263(2) has a wide scope and could be interpreted “very liberally” to mean that MCMC can ask ISPs to block a website even when no complaint or police report has been lodged.

“You don’t have to wait for the court to convict the person to block the website,” the KL Bar Information Technology committee chairman told Malay Mail Online when contacted, adding that even prosecution was not a requirement for the section to apply.

Foong said there is “room for abuse” as the MCMC can cite the broadly-worded clause to block websites without reasonable basis, but noted that website owners could seek legal remedy by attempting to have unjustified blocks declared unlawful and beyond the MCMC’s authority.

Both Foong and Amer Hamzah said there appears to be no tribunal available for website owners to appeal to and it is unclear whether the CMA’s Section 82 on resolving disputes through negotiation covers such cases.

The two lawyers suggested safeguards to curb any possible power abuses by MCMC under Section 263 (2), with both saying that the regulator should notify the website owner when it makes a written request to the ISPs to block the websites.

“If you look at the Home Ministry’s website, there is a list of books being banned. Why can’t we have say a list what kind of website has been banned?” Foong asked, adding that a clear avenue for website owners to appeal to the MCMC decision must be provided.

Foong said, however, that some curbs were justifiable, citing as example Islamic State militants’ propaganda as well as existing restrictions on pornography, gambling and drugs.

Bread & Kaya: Cyberstalking, harassment … and road rage

Bread & Kaya: Cyberstalking, harassment … and road rage
Foong Cheng Leong
Jul 17, 2014

– No specific Malaysian law that criminalises stalking or harassment
– Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regards to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

– Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
– Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
– Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keeping silent or even make heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

It is noted that s. 233 of the Communications and Multimedia Act 1998 criminalises harasses but such harassment must be in a form of electronic harassment which is obscene, indecent, false, menacing or offensive in character.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.



First published on Digital News Asia on 17 July 2014.

Net censorship: BBC story on kangkung fiasco blocked?

I was quoted in Digital News Asia’s article “Net censorship: BBC story on kangkung fiasco blocked?


Net censorship: BBC story on kangkung fiasco blocked?

Gabey Goh
Jan 16, 2014

– Netizens report difficulty accessing BBC article on PM Najib’s kangkung calamity
– Fears raised over violation of MSC Malaysia’s no-censorship of Internet guarantee

NETIZENS in Malaysia are having difficulty accessing a BBC story on Prime Minister Najib Razak (pic) being derided online for a comment on rising prices, raising fears that the Internet was being censored in the country.

This goes against the Multimedia Super Corridor (MSC Malaysia) charter, in which the Malaysian Government guarantees the Internet would not be censored, barring special circumstances.

The BBC article, entitled #BBCtrending: Be careful what you say about spinach, chronicles the recent uproar over a statement made by Najib that the price of kangkung (or Chinese water spinach) has gone down. In a video that has gone viral, he lamented the fact that the Government has not been praised for this, but is being criticised for the rising cost of living.

His statement has been attacked by Opposition leaders and civil advocates for being insensitive to the plight of average Malaysians, who this year face a slew of price hikes and subsidy reductions.

Internet users in Malaysia reported difficulty accessing the specific BBC post beginning late last night (Jan 15), with timeouts occurring after a long wait for the page to load, while the rest of the BBC site remained accessible. The block seemed to have been lifted at noon today (Jan 16).

Consumer technology website Lowyat.NET also reported difficulty accessing the page, “even after changing the DNS setup from TM’s to Google DNS,” with ‘TM’ referring to Telekom Malaysia, which owns TMnet, the country’s largest Internet service provider (ISP).

As reported by The Malaysian Insider, the kangkung statement sparked much derision by the Malaysian public, with many netizens airing their frustrations and displeasure on social networking sites such as Facebook and Twitter.

[Update 1]

Meanwhile, in a statement to The Malay Mail Online, industry regulator the Malaysian Communications and Multimedia Commission (MCMC) denied it was responsible for the block.

In a text message, its corporate communications chief Sheikh Raffie Abdul Rahman told the online newspaper, “To my knowledge no blocking.”

When referred to this article, he added, “As I said, to my knowledge no. MCMC nak block macam mana? (How can the MCMC block it?)”

As the time of this update, the MCMC had yet to respond to queries from Digital News Asia (DNA) on whether it was investigating the issue to determine who was responsible for the action that contravened the Government’s MSC Malaysia pledge.

Access to the BBC article had eased up a bit by noon today (Jan 16), although more reports started coming in that YouTube videos lampooning the Prime Minister and his wife Rosmah were also being blocked.

[End Update 1]

Responding to queries by DNA, security expert and freelance IT solutions provider @sniiffit said that in a nutshell, what was being done is that all packets requesting the specific page were being dropped at the ISP level.

“This effectively doesn’t allow the page to load at all,” he said.

Asked whether it could be a case of Malaysian ISPs being hacked or compromised, or whether it was a case of traffic overload on BBC’s servers, @sniiffit said it was neither.

“BBC or any large portal uses a CDN (content delivery network) which handles page requests to its servers – if the servers are being overloaded, the main site bbc.co.uk would have been inaccessible.

“If it was hacked, the whole domain would have been inaccessible. This blocking of a specific URL would have only been possible by filtering the packets and manipulating the network traffic,” he said.

This block will mostly affect those who are tied to the TMnet service or Telekom Malaysia’s network, and users accessing the page via their mobile may or may not be affected, @sniiffit added.

According to Khairil Yusof, cofounder of Sinar Project, a non-profit organisation which uses open source technology and ideas to track and measure corruption, this is a similar filtering technique with the one deployed during Malaysia’s 13th General Election (GE13) in May last year.

“According to our tests, it’s the same type of filtering as done during GE13. It is not new and this confirms the Government still has these filters in place and is willing to use it,” he said in response to queries made by DNA via Twitter.

The censorship test conducted by Sinar Project yielded the following:

## Test 1: Check DNS, and IP block: Testing Same IP, different Virtual Host
HTTP/1.1 404 Not Found
## Test 2: Emulating a real web browser: Testing Same IP, actual Virtual Host, single packet
Timeout — waited 5 seconds
## Test 3: Attempting to fragment: Testing Same IP, actual Virtual Host, fragmented packet
HTTP/1.1 200 OK

[Update 2]

The tests check for three conditions, Khairil told DNA. The first is to test if the page is being blocked by its IP (Internet Protocol) address or DNS (Domain Name Server) lookup. “This is where your browser asks, ‘Where is bbc.co.uk?’ A block at this level would mean all of BBC is not accessible and users [would need to use] another DNS service such as Google,” he explained.

“Test 2: Does a normal request go through? This simply mimics a normal request as if it were made by a user using a browser, to confirm that it is blocked.

“Test 3 checks to see if there is a specific filter in place that checks for some specific text in the browser request, such as the URL, and purposely breaks apart the request so that the filter doesn’t match and block the request,” he explained.

[End Update 2]

This filtering would be a violation of the Multimedia Super Corridor Malaysia Bill of Guarantees, which specifically states that the Government would “ensure no Internet censorship.”

In the case of the BBC article, lawyer and DNA columnist Foong Cheng Leong raised a question regarding the legal grounds for blocking the BBC article.

“Section 263(2) of The Communications and Multimedia Act CMA 1998 only allows blocking of a site if it is reasonably necessary in preventing the commission or attempted commission of an offence,” he noted on Twitter.

The BBC article, while written in a slightly cheeky vein, only recounted facts however, and could not be construed as having committed any offence under Malaysian laws.

This is not the first time that attempts to restrict access to certain content online has been recorded and reported.

During the GE13, DNA reported that there was mounting evidence that certain ISPs may be throttling access to both alternative news portals and Opposition content on the Internet.

In a post published on Google Plus in May 2013, Sinar Project reported strong suspicions that some sort of basic content filtering to censor online media in Malaysia was taking place.

“Many people have reported difficulties with viewing the following video interviews linked from (independent news portal) Malaysiakini’s interview article” conducted with the widow of private investigator Balasubramaniam, popularly known as ‘PI Bala.’

PI Bala was a crown witness in a trial over the controversial 2006 murder of Mongolian national Altantuya Shaariibuu. He himself died of a heart attack in March 2013, at the age of 53.

The Altantuya trial saw two special forces police officers being found guilty of murder and sentenced to death, although they were both acquitted by the Court of Appeal in August, 2013.

In the original trial, a third accused, Abdul Razak Baginda, a close family friend of Najib, then Deputy Prime Minister, was acquitted without his defence being called.

Sinar Project had conducted its investigation into possible Internet filtering on multiple networks based on the ID/URL of these videos served from Google’s +YouTube cached servers located in on TMnet’s network.

“We strongly condemn the actions of TMnet and parties involved in censoring access to free media in Malaysia,” its report said.

[Update 3]

When asked what kind of person(s) or organisations would be able to block a webpage this way, Sinar Project’s Khairil said it has to be someone who has access to TMnet’s network infrastructure.

“Tests for similar filtering during GE13 showed that it stopped at the first gateway server. I cannot confirm it for this one filtering, but to do this, somebody would have to have access to enable a processing-intensive filter that is applied to almost all servers accessed by users on TMnet’s network.

“This also implies that the software or hardware to apply the filtering has been installed,” he added. “Think of the firewall on your WiFi router at home, which you can configure. You would need to have access to do the same on TMnet’s equipment at its network centres.”

[End Update 3]

When asked for his opinion on the incident, @sniiffit said “trying to censor the Internet is a really bad idea,” in addition to the fact that the United Nations also condemns the filtering of content as “it is a human rights violation and against international law.”

[Update 4]

Readers who want to read the BBC article in question can do so at the blog of Opposition politician Lim Kit Siang, who has reposted it in its entirety here. Alternatively, they can find the article on Google Cache page here. Users who want to bypass such blocks can try surfing from  multiple locations using such services as LocaBrowser.

[End Update 4] 

 

1 2  Scroll to top