The Malaysian Communications and Multimedia Commission (MCMC) is investigating on a news report published on a local online news portal, The Malaysian Insider, yesterday.

The report, with the headline ‘Malaysia Uses Spyware against Own Citizen, NYT reports’, was based on the report published by New York Times.

According to MCMC, the report by the online news portal is "speculative and ill-researched".

"The online portal appears to have failed to verify the veracity of the report from the New York Times, nor checked the facts which are available online and had made its own conclusions on the matter," said the regulator in a statement today.

An excerpt from the full report by The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, states that the discovery of the FinSpy C+C server in a given country cannot conclusively indicate that the country is using the FinSpy on its citizens.

The report added, “Importantly, we believe that our list of servers is incomplete due to the large diversity of ports used by FinSpy servers, as well as other efforts at concealment. Moreover, discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies. In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country.”

A further report from another group of researchers based in the U.S.A., Rapid7 Community, also gave similar comments. They agreed that they are not able to determine whether the spyware is actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all.

MCMC has also conducted a review of currently available information and we have found that the server that is allegedly hosted in Malaysia also has similar Internet Protocol (IP) addresses linked to a commercial webhosting company called GPLHost which has similar IP hosting in Australia, Singapore and the United States.

"We have also found that the server that is claimed to be in Malaysia appears to be registered to a company called Iusacell PCS. Further checking of Iusacell PCS indicates that it could be a Mexican mobile operator," MCMC explained.

MCMC said that it wants to remind the public not to simply believe everything that they read online and to verify all the information that they receive before forming any views or conclusions on the issue.

It also reminded the public that the posting of false information constitutes an offence under Section 211 of the Communications and Multimedia Act 1998 and upon conviction, can be fined for a sum not exceeding RM50,000 or imprisonment for a term not exceeding one year.