Teruskan Pakai Zoom atau Tidak?

Oleh: Sonny Zulhuda

Dikarenakan kondisi darurat pergerakan akibat pandemi Covid-19 saat ini, beberapa produk dan jasa bisnis meroket karena permintaan meningkat. Food delivery, e-commerce portal dan online meeting platform di antara yang menangguk keuntungan. Zoom sendiri sudah menorehkan peningkatan pemakaian 20 kali lipat. Biasanya hanya 10 juta meeting online perbulan, kini setidaknya ada 200 juta meeting online sebulan.

Pertanyaan yang kini banyak dilontarkan masyarakat: Amankah untuk memakai Zoom?

Zoom ini layaknya banyak platform media online lainnya seperti Skype, Google Hangouts dan lain lain. Masing-masing ada kelebihan dan kekurangan baik dari segi setting (setelan), features (spesifikasi) teknis dan non-teknis, ongkos ataupun fasilitas lainnya.

Zoom, seperti layaknya produk lain, sangat mungkin memiliki kekurangan dan kelemahan sistem. Apakah yang lain itu aman? Ketika banyak kasus curi mobil yang melibatkan mobil merek tertentu, apakah karena mobil mereka lain lebih aman? Tidak juga. Mungkin saja karena mobil merek itu adalah yang paling banyak penggunanya sehingga lebih mudah dipelajari, lebih mudah dicari kuncinya dan lebih mudah dijual hasil curiannya.

Ketika penggunaan Zoom meningkat sampai 20 kali ganda, perlu dipahami dari dua sisi: Pengguna dan Penyedia jasa. Dari sisi ppengguna, banyak sekali dari mereka yang baru pertama kali memakai platform seperti ini. Banyak diantara mereka yang baru sekali itu melakukan online meeting. Malah parahnya, banyak juga di antara mereka yang baru pertama kali menggunakan teknologi internet! Bisa dibayangkan apakah para pengguna ini mengerti tentang seluk beluk lalu lintas Internet yang penuh dengan risiko dan rambu-rambunya?

Kedua, pemilik Zoom bisa dijangka kewalahan saat mendapatkan durian runtuh ini. Ada tiga hal yang setidaknya harus mereka sediakan: 1. Setelan teknis, 2. Business process, dan 3. Sumber daya manusia. Apakah Zoom telah siap dalam ketiga hal tersebut untuk menerima luapan pengguna dalam sekelip mata?

Continue reading “Teruskan Pakai Zoom atau Tidak?”

Survey on Artificial Intelligence and Ethics

On this page, I’ve listed down some of the references I am gathering of late while surveying about AI, ethics and data protection. Here are some:

  1. Sidi Ahmed, Sidi Mohamed and Zulhuda, Sonny (2019) Data protection challenges in the internet of things era: an assessment of protection offered by PDPA 2010. International Journal of Law, Government and Communication, 4 (17). pp. 1-12, at https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3513528_code2666494.pdf?abstractid=3513528&mirid=1.
  2. Berkman Klein Center for Internet and Society at Harvard University. Ethics and Governance of AI, at https://cyber.harvard.edu/topics/ethics-and-governance-ai
  3. Berkman Klein Center for Internet and Society at Harvard University. Artificial Intelligence in Society, at https://cyber.harvard.edu/story/2019-06/artificial-intelligence-society.
  4. OECD, “Report on AI in Society”, Digital Journal 12 June 2019, at http://www.digitaljournal.com/tech-and-science/technology/oecd-issues-report-on-ai-in-society/article/551839.
  5. OECD, Artificial Intelligence in Society, Report published on June 11, 2019, at https://read.oecd.org/10.1787/eedfee77-en?format=pdf.
  6. Draft: A UN System-wide Strategic Approach and Roadmap for Supporting
    Capacity Development on Artificial Intelligence, at https://drive.google.com/file/d/1eVao9WvzDPyKIVp9Pcti9_BEDQc5cncy/view.
  7. “Artificial Intelligence & Human Rights: Opportunities & Risks,” Berkman Klein Center Research Publication No. 2018-6, at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3259344.
  8. International Telecommunication Union (ITU), Report on “Artificial Intelligence (AI) for Development Series – Module on Setting the Stage for AI Governance: Interfaces, Infrastructures, and Institutions for Policymakers and Regulators,” July 2018, at https://www.itu.int/en/ITU-D/Conferences/GSR/Documents/GSR2018/documents/AISeries_GovernanceModule_GSR18.pdf.
  9. World Economic Forum (WEF), Artificial Intelligence and Robotics, at https://www.weforum.org/agenda/archive/artificial-intelligence-and-robotics/.
  10. Princeton University. Dialogues on AI and Ethics: Case Studies, at https://aiethics.princeton.edu/case-studies/case-study-pdfs/

  11. Artificial Intelligence for Global Good, ITU News Magazine 01/2018, at https://www.itu.int/en/itunews/Documents/2018/2018-01/2018_ITUNews01-en.pdf.

  12. G20 Ministerial Statement on Trade and Digital Economy (Including on AI), at https://www.mofa.go.jp/files/000486596.pdf.

  13. SMU Centre for AI and Data Governance (CAIDG), at https://caidg.smu.edu.sg/.

 

From Privacy Suit to EU GDPR: Data Protection Updates from Malaysia – As reported in the Borneo Post

By: Sonny Zulhuda

data breach
Credit: https://www.getfilecloud.com/blog/wp-content/uploads/2018/02/ORVZDV0.jpg

The beginning of the year saw my interview with the Malaysian daily the Borneo Post that was published on 1st January 2019. This interview was initiated by my colleagues from the consultancy firm Straits Interactive. The report was entitled “Malaysians increasingly aware of risks with data breach.” It can be found in this link.

The article started to to note that Malaysians now are more aware about the risks associated with breaches of their personal data. In fact, we in Malaysia have seen in the past five years, that there is a sharp increase in data privacy civil suits in the local Malaysian courts.

Among the points I highlighted in the interview are as follows:

What are the costs of data breaches?

  • The cost of data breaches can be seen in many areas. In terms of legal liabilities, companies in breach of the Malaysian PDP Act 2010 can be fined up to RM500,000 – for offences such as unlawful sale or unlawful collection of personal data, as well as collection of data without the required certificate of registration.
  • And when a data breach occurs, costs can also be incurred through technical repairs and loss of reputation. Business can also suffer because of bad publicity.
  • Civil suits can also be brought against companies, and these can cost businesses a lot of money. Malaysians are becoming increasingly more aware of the risks associated with breaches of their personal data, and we have seen a sharp increase in data privacy civil suits in the local Malaysian courts in the past five years.

Are we prepared? Here is what I said:

  • Unlike companies in the US and Europe, many companies in the Asean have yet to reach an acceptable level of preparedness. Data protection does not tend to be a part of the business culture, however some industries (banking and finance) are more prepared due to legislation and legal requirements.
  • To bolster the understanding and preparedness of other industries, we need more public awareness, training, and certified professionals in the field of data protection.

What are among the common concerns?

  • One major concern in Malaysia is how much our MyKad (ID cards) details are easily and unnecessarily exposed. Many people needlessly impose the collection or retention of MyKad details before people start business communication or interactions, enter premises, or participate in events. Unfortunately, lots of people are happy to submit these details and this gives the impression that these practices are approved and not an issue.
  • Another problem is direct marketing, as well as unsolicited commercial calls, emails and text messages. While it’s clear individuals have the right to refuse direct marketing, it still regularly happens.

What has been prepared?

  • I highlighted that leading consultant like Straits Interactive plays the role to champion a public-private partnership by establishing alliance with academia, industries and the government. This partnership will ensure Malaysia as a nation moves together and responds to data privacy issues with a common understanding and comprehensive programmes.

Does the European Union GDPR (General Data Protection Regulations) have anything to do with the Malaysians?

  • With the passing and enforcement of the EU General Data Protection Regulation (GDPR) in May 2018, Malaysia needs to gear up for these stronger laws and better enforcement.
  • The GDPR applies to companies who also interact with European citizens, and this requires short-term training programmes and certifications in the field of data protection.
  • A collaboration at the regional level is also timely and necessary. We are heading towards that.

Credit on this Interview to the Straits Interactive and the Borneo Post.

Intellectual Property Rights and Open Data in the Digital Environment

By: Sonny Zulhuda

postermaker-1541067967396

A close forum named Focus Group Discussion (FGD) on IPR and Open Data in the Digital Environment was recently held on 9th November 2018 at Al-Nawawi Conference Room, Ahmad Ibrahim Kuliyyah of Law, International Islamic University Malaysia (IIUM). The event was involving two universities from two countries which are the International Islamic University Malaysia (IIUM) and Universitas Padjadjaran (UNPAD), Indonesia.

In his welcoming remarks, the Dean of Ahmad Ibrahim Kuliyyah of Laws, Prof. Dato’ Sri Dr. Ashgar Ali Ali Mohamed extended his gratitude and warm welcome to the delegations from UNPAD. He believed that this two-way discussion should be conducted more regularly in promoting the intellectual discourse between two countries. In a reciprocal gesture, Prof Dr H Ahmad M. Ramli from the Faculty of Law, UNPAD in his keynote address appreciated the initiative by IIUM in conducting this group discussion.

This FGD was part of the research work under the Fundamental Research Grant Scheme, funded by the Ministry of Education, Malaysia. The group discussion was divided into 4 sessions, involving 11 speakers altogether; 7 from UNPAD and 4 from IIUM. Here are some excerpts:

Session 1: IPR Between Tradition and Innovation Continue reading “Intellectual Property Rights and Open Data in the Digital Environment”

Apapun Disiplin Ilmumu, Pelajarilah Ekonomi Digital!

APAPUN DISIPLIN ILMUMU, PELAJARILAH EKONOMI DIGITAL!

Oleh: Sonny Zulhuda

APAC Cyber Summit 2016_1

1. Indonesia dan Malaysia melalui pemimpinnya masing-masing telah menetapkan bahwa Ekonomi Digital menjadi fokus utama dalam membangun negara dan meningkatkan ekonomi bangsa. Tidak hanya jalur lebar Internet yang diperhebat, namun penguasaan konten lokal dan industri kreatif kini menjadi generator baru bagi kemajuan bangsa.

2. Pengalaman saya selama 15 tahun sebagai peneliti, akademisi dan praktisi hukum teknologi informasi, melihat semakin perlunya kita untuk memparalelkan segala ilmu, pengetahuan dan teori yang kita pelajari dengan perkembangan dunia digital. Ekonomi digital yang didominasi dengan penguasaan teknologi informasi dan optimalisasi data mengharuskan kita menjawab berbagai tantangan digital.

3. Saya saksikan sendiri di berbagai universitas top di dunia seperti Oxford, Sydney, UNSW, Tsinghua, Toronto dan Yonsei University mereka sudah mendirikan lembaga kajian yang fokus terhadap isu konvergensi teknologi informasi dalam berbagai aspeknya. Universitas Indonesia dan UNPAD saya pikir sudah memulai lebih awal dalam konteks Indonesia. Yang lainnya, belum kelihatan! Sementara, semakin banyak pula lembaga internasional yang menyediakan program, beasiswa, fellowship dan event-event yang bertujuan mencari bakat-bakat muda dalam kajian konvergensi informasi ini.  Continue reading “Apapun Disiplin Ilmumu, Pelajarilah Ekonomi Digital!”

Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda

seoul.jpg

Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.

IMG_20170319_095449

The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading ““Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions “

Open Government and Cyber Security in Malaysia

By: Sonny Zulhuda

Open government is the notion that allows transparency of governments in running matters pertinent to public interests. According to that concept, the government shall allow its citizens an access to government documents and a right to obtaining information relating to public matters.

In Malaysia recently, the Open Government initiative was represented in the Public Sector Open Data Portal programme which was launched in September 2015 by MAMPU, a Unit under the Prime Minister’s Department. It declares that the aim of such initiative is to open and share government data to public and hence to enhance transparency and efficiency of government and to create a digital innovativeness.

 

With this background, the question of how the Government deals with the increasing demand of freedom of information and other challenges ranging from personal data to the government data security is worth examining. I was invited to talk about this at an international conference hosted by Sydney Cyber Security Network, the University of Sydney, Australia. In my presentation, I highlighted a recent initiative of open data in Malaysian public sector and the related challenges on data security, privacy and information surveillance.

I was also looking at the recent developments in Malaysia relating to the enactment of personal data protection law and recent policies relating to critical infrastructure protection. Lessons from cases and incidents surrounding information security and personal data breaches were discussed to trigger discussions on relevant solutions and best practice.

Among the key summary of my talk in Sydney was as following:

  • Open Government is underway, but more economically-motivated and narrowly looked at “open data”. A long way to the “open government”.
  • Cyber security governance enhances the security of data in the Malaysian cyberspace. However:
  • There is a striking imbalance in the legal framework between the protection of secret on one hand, and the freedom of information on the other.
  • The data privacy law boosts the transparency in the private & commercial sector, but it is a missed opportunity for an open government.
  • The open government initiative needs to be supported as national agenda, to be backed by a stronger law and national policy.

Developing Privacy-Friendly Mobile Apps: Takeaways for Mobile Developers

By: Sonny Zulhuda

Image credit: computerworld.com
Image credit: computerworld.com (click on the image for full display)

This week (28th Aug) I will be participating in a national event dedicated for the modern digital lifestyle in Malaysia, named KL CONVERGE! which runs from 27th-29th August 2015 at Kuala Lumpur Convention Centre (KLCC) in the heart of the Malaysia’s capital. Visit the site here: http://www.klconverge.my/.

As the site highlights, KL CONVERGE! is a multi-platform digital content and creative industry event showcasing the world’s latest achievements and opportunities in the music, film, gaming and Internet space. It seeks to provide an immersive experience to show “how technology and content is an everyday part of our lives.” The event is bringing together leading industry executives from multimedia, applications, Internet and creative content to discuss, deliberate, showcase and celebrate the issues, opportunities and successes in digital space.

I have a honour to be part of the event to speak about key privacy issues for mobile apps developers – thanks to my friends and partners at the Data Protection Academy (DPA) LLP (Noris and Eddie). The discussion will reflect the new legal landscape brought about by the Personal Data Protection Act 2010 that concern mobile apps designers and developers. It’s this Friday, 28th August 2015 at 4.00PM (not one of the best time to listen a talk – sigh) at Room 306 KLCC Convention Hall. It is adjacent to the majestic Petronas twin tower, and it is a free admission event 😉 (ugh.. still..) (*_*)

In the one-hour talk, I will demonstrate the salient features of the data privacy laws in Malaysia and the emerging global trend, especially concerning the users/consumers of mobile apps. Issues such as data collection, notification and retention will be touched. Not less importantly will be the issue of personal data security that each mobile apps developer will have to consider when they decide to retain users’ personally identifiable information (PII). But on top of all those, I am posing a big question: “Should you ever collect the users’ personal information at all?” — I am at the moment finalising my presentation and will share here the key points in due course. See you there, if you make it:)