On May 1, 2026, Malaysia's Road Transport Department made MyDigital ID the sole login for its MyJPJ app, retiring every alternative sign-in for an app with more than 14 million registered users. By May 4, The Star reported that seven million had already logged in through the national digital identity. It was not an isolated move. Three months earlier, the Malaysian Communications and Multimedia Commission (MCMC) had registered a Mandatory Standard threading MyDigital ID through prepaid SIM registration. The same credential already gates the MyNIISe immigration system at the border. One key is quietly being cut to open every public-facing door.
The convenience is real, and the security logic is not frivolous.
The case for consolidation is genuine
Start with the strongest version of the government's argument. Password reuse and weak credentials are the soft underbelly of digital government; a single verified identity tied to official records does cut the attack surface that fragmented logins create. Malaysia's official MyDigital ID page is explicit that the system authenticates against government databases rather than storing personal data itself, and uses device-side biometrics plus a password. On the telecoms side, the MCMC's February 26 Mandatory Standard — issued under Sections 55 and 104(1)(b) of the Communications and Multimedia Act 1998 — caps holdings at five prepaid SIMs per person per telco and layers MyDigital ID onto self-registration. Anonymous SIMs are the workhorse of scam syndicates across Southeast Asia; tightening registration is a defensible response to a documented harm. This is not surveillance theatre.
But a sound authentication layer and a sound governance regime are different things, and Malaysia has built the first while leaving the second conspicuously thin.
The legal floor is missing
The problem is not the cryptography. It is that the entity now holding the master key to citizens' road, telecoms and border identities operates largely outside Malaysia's own data-protection law. The Personal Data Protection Act 2010 explicitly does not bind the federal and state governments — and the much-touted 2024 amendment, which introduced breach notification and a data-protection officer mandate, left that carve-out untouched. As a May 8 Free Malaysia Today op-ed put it, a private company can be fined for losing your details, but Putrajaya cannot. The same op-ed catalogued why that asymmetry should worry Malaysians: a 2017 leak of 46 million mobile-subscriber records, a 2022 database of 22.5 million MyKad numbers offered for sale, and an alleged 17 million MyKad records surfacing in December 2024.
That track record matters precisely because consolidation changes the stakes of a breach. When identity is fragmented, a leaked telco database is bad but bounded. When a single credential authenticates driving records, SIM ownership and immigration status, the blast radius of any compromise — or any abuse by an authorised insider — expands accordingly. Centralisation concentrates value, and concentrated value attracts both attackers and mission creep.
Proportionate, not maximal
None of this argues for abandoning digital ID. Estonia, the usual reference point, runs a far deeper digital-identity stack — but it pairs it with the once-only principle, a citizen-facing data-access log that lets people see which official queried their records, and a data-protection authority with jurisdiction over the state itself. The architecture is only half the system; the accountability is the other half. Malaysia has shipped the architecture and is asking citizens to trust the accountability later.
Three fixes would make the rollout proportionate without slowing it. First, close the PDPA government carve-out, or pass a parallel statute binding public agencies to the same breach-notification and minimisation duties they impose on the private sector. A regime that fines Maxis but exempts the ministry holding 30 million identities has its incentives backwards. Second, keep the mandate functional, not absolute: the MyJPJ switch-off of all alternative logins on day one — which generated a wave of "something went wrong" errors and locked-out users — shows the cost of removing fallbacks before the system is proven. Mandatory-by-default with a documented exception path is more resilient than mandatory-by-decree. Third, build the Estonian-style access log now, before the credential spreads further, so that consolidation buys transparency rather than opacity.
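A concrete sketch of the third fix above, the citizen-facing access log, as an added example in Python (not code from MyDigital ID, Estonia's X-Road, or the author of this piece): each query an official makes against a citizen's record is appended to a hash-chained log, so that a deleted or rewritten entry breaks the chain; citizens are referred to by an HMAC-derived pseudonym rather than a raw MyKad number; and the same log supports both the citizen's "who looked at my records" view and a simple insider-abuse check on per-official query volume. The key, official identifiers, record classes and events are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from collections import Counter
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Optional

GENESIS = "0" * 64
# Constructed demo key; a real deployment would hold this in an HSM.
DEMO_KEY = b"constructed-demo-pseudonymisation-key"


def citizen_ref(mykad: str, key: bytes) -> str:
    """Stable pseudonym for a citizen so the log never stores the raw ID number."""
    return hmac.new(key, mykad.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class AccessEvent:
    ts: str           # ISO-8601 time of the query
    official_id: str  # pseudonymous id of the officer who queried
    agency: str       # constructed agency labels
    citizen_ref: str  # output of citizen_ref(), never the MyKad itself
    record: str       # record class that was read
    purpose: str      # declared reason code / legal basis


@dataclass(frozen=True)
class LogEntry:
    index: int
    event: AccessEvent
    prev_hash: str
    entry_hash: str


def _hash_entry(index: int, event: AccessEvent, prev_hash: str) -> str:
    payload = json.dumps({"index": index, "event": asdict(event), "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class AccessLog:
    """Append-only, hash-chained record of who read which citizen's data."""

    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def append(self, event: AccessEvent) -> LogEntry:
        idx = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = LogEntry(idx, event, prev, _hash_entry(idx, event, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.entry_hash != _hash_entry(i, e.event, prev):
                return i
            prev = e.entry_hash
        return None

    def for_citizen(self, ref: str) -> List[AccessEvent]:
        """The citizen-facing view: every query made against this person's records."""
        return [e.event for e in self.entries if e.event.citizen_ref == ref]

    def officials_over_threshold(self, threshold: int) -> Dict[str, int]:
        """Oversight view: officials whose query count exceeds a per-period threshold."""
        counts = Counter(e.event.official_id for e in self.entries)
        return {o: n for o, n in counts.items() if n > threshold}


def tamper_entry(log: AccessLog, index: int, new_official: str) -> AccessLog:
    """Simulate an insider rewriting one entry in place (hash left untouched)."""
    forged = AccessLog()
    forged.entries = list(log.entries)
    e = forged.entries[index]
    forged.entries[index] = replace(e, event=replace(e.event, official_id=new_official))
    return forged


def build_sample_log() -> AccessLog:
    """Constructed sample queries spanning the three services named in the text."""
    a = citizen_ref("900101-14-5555", DEMO_KEY)  # constructed MyKad-style numbers
    b = citizen_ref("850505-10-1234", DEMO_KEY)
    c = citizen_ref("771212-08-9876", DEMO_KEY)
    d = citizen_ref("020202-01-2468", DEMO_KEY)
    log = AccessLog()
    for ev in [
        AccessEvent("2026-05-04T09:00:00+08:00", "off-001", "road-transport", a, "driving-licence", "licence-renewal"),
        AccessEvent("2026-05-04T09:05:00+08:00", "off-002", "telco-regulator", b, "sim-holdings", "sim-registration"),
        AccessEvent("2026-05-04T09:06:00+08:00", "off-002", "telco-regulator", c, "sim-holdings", "sim-registration"),
        AccessEvent("2026-05-04T09:10:00+08:00", "off-003", "immigration", a, "travel-status", "border-check"),
        AccessEvent("2026-05-04T09:11:00+08:00", "off-002", "telco-regulator", d, "sim-holdings", "sim-registration"),
        AccessEvent("2026-05-04T09:15:00+08:00", "off-003", "immigration", b, "travel-status", "border-check"),
    ]:
        log.append(ev)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("queries against citizen A:", len(log.for_citizen(citizen_ref("900101-14-5555", DEMO_KEY))))
    print("high-volume officials:", log.officials_over_threshold(2))
    print("first bad entry after tampering:", tamper_entry(log, 2, "off-999").verify())
```

The hash chain only makes tampering detectable, not impossible; in practice the head hash would be periodically published or countersigned by a body outside the agency that writes the log, which is the same separation the text asks for between the credential's operator and its overseer.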
The trajectory is the real question
The direction of travel is set: Prime Minister Anwar Ibrahim has stated that 95% of federal services should be delivered fully online by 2030, with MyDigital ID as the single key. That is an ambitious, broadly worthwhile goal — efficient digital government is pro-citizen. But a single key to 95% of the state is also a single point of failure, a single point of coercion, and a single point of exclusion for anyone the system glitches against. The op-ed's "gift or Trojan horse" framing is sharper than it needs to be; the honest answer is that it is neither yet. It is an unfinished building. Malaysia has poured a strong foundation. Whether it becomes a public good or a liability depends entirely on whether the legal and oversight scaffolding gets built before, not after, the whole of public life is wired through one login.
The technology is ahead of the law. In identity systems, that is exactly the wrong order.