An elderly uncle in Ipoh loses RM300,000 after believing a fake investment advertisement generated by artificial intelligence. A university student in Johor discovers her face has been digitally manipulated into explicit images and shared across social media. A businessman in Penang receives a cloned voice message that sounds exactly like his managing director, authorising an urgent bank transfer.
These are no longer scenes from a science-fiction movie. They are the new battlefield of crime.
Forty-eight MPs stood up in the Dewan Rakyat this week to argue over a bill most Malaysians will never read past the headline. By the time the voice vote came down on July 1, the Cybercrimes Bill 2026 was law-in-waiting and the country had, once again, traded a long debate for a short, decisive outcome.
The News Foundation
The Dewan Rakyat has passed the Cybercrimes Bill 2026, a 61-clause overhaul replacing the ageing Computer Crimes Act 1997. On paper, the case for it isn't hard to make: new offences for deepfakes and non-consensual intimate images, tighter penalties for identity theft and MyDigital ID abuse, and closer alignment with frameworks like the Budapest Convention. Deputy Prime Minister Ahmad Zahid Hamidi, who tabled and wound up the bill, told the House that none of the powers it grants investigators are absolute that data access is bound by strict legal procedure, not arbitrary use.
That reassurance didn't go unchallenged. MPs from both sides pressed the government on the bill's most consequential section: provisions letting investigators compel decryption, intercept communications, and access data in real time in some cases without a warrant, under an "urgent situation" exception. Civil liberties groups have flagged its resemblance to a warrant-bypass mechanism in the 2024 Cyber Security Bill, and questions about how seized personal data will be handled remain largely unresolved.
The Core Argument
Here's the uncomfortable truth beneath the Deputy Prime Minister's reassurances: a safeguard that can be waived is not a safeguard it's a suggestion. When a law requires a warrant, then carves out an "urgency" exception broad enough for an investigating officer to invoke on their own judgment, Parliament hasn't built a check. It's built a door with a "please knock" sign and no lock.
This matters more in Malaysia's specific context, where corruption and abuse of institutional power aren't hypothetical they're lived experience, visible in ongoing prosecutions and public distrust of official assurances. Zahid asking Malaysians to trust that these tools will only ever target fraudsters and identity thieves is, for many, not a big enough ask to match the power being granted.
That distrust has teeth. Since the 2023 discharge not amounting to an acquittal (DNAA) on all 47 corruption, CBT, and money-laundering charges against him granted after the court had already found a prima facie case Zahid's own record has stayed a live legal question. The Malaysian Bar's challenge to that DNAA decision cleared the Court of Appeal in May 2026 and remains unresolved. None of this proves misconduct; the AGC maintains the decision was lawful, and a DNAA isn't a conviction. But it does mean the man asking Parliament to trust new surveillance safeguards is doing so while his own case is still testing whether the system's safeguards worked the first time. That's not a footnote it's close to the whole point.
Balanced Analysis
To be fair, the underlying problem isn't manufactured. Deepfakes and non-consensual intimate imagery cause real, escalating harm, and Malaysia's cyber law was genuinely overdue for modernisation. Ransomware and identity-theft syndicates don't wait for legislatures to catch up.
Zahid's specific claims are also narrower than critics sometimes suggest he says data access is limited to what's named in a written notice, not a blank cheque, and that prosecutors still need to establish intent for AI-generated content rather than criminalising a deepfake's mere existence.
But good intent in a winding-up speech isn't a good clause in a statute. The critique was never that the bill's goals are illegitimate it's that the "urgent situation" exception lets the exception swallow the rule. A bill aimed correctly can still be built loosely enough to be misused not just by ministers, but by the investigating officer three ranks down deciding a matter "feels" urgent enough to skip the paperwork. That's how discretionary power actually gets used everywhere: cautiously by some, carelessly by others, abusively by a determined few and the law has to be written for all three.
The Test Case: Kuil Haram
Check a law against a case that's already happened. Malaysia has one ready: the "kuil haram" campaign, in which Hindu temples across Kuala Lumpur and Selangor were relabelled "illegal temples" on Google Maps, amplified by figures like preacher Zamri Vinoth, and pushed by waves of accounts some organic, plenty bot-driven or anonymous stoking exactly the racial and religious division the constitution was built to prevent.
Does the Cybercrimes Bill catch the people running that? Mostly, no. Its headline provisions target deepfakes, intimate imagery, identity theft, and unauthorised access not coordinated racial incitement, which still runs through older tools like Section 233 of the Communications and Multimedia Act and the Sedition Act. Watch the fake TikTok account that used AI to insult the King: authorities reached for the Sedition Act and the 1998 Act, not this new bill.
What the new law offers instead is faster unmasking real-time access and compelled decryption to identify who's behind an anonymous account. Three things stand in the way. Platforms remain the bottleneck: MCMC still has to issue a statutory demand just to get TikTok to explain itself. Cross-border hosting and VPNs blunt domestic powers when the infrastructure sits offshore. And a tool this broad only catches who the state points it at Kuil Haram was never short of legal tools, just consistent will to use them across the political spectrum. A wider net doesn't fix selective enforcement; it just makes the aim matter more.
A cybercrime bill that can be pointed at a temple-hate network with the same speed it's pointed at government critics is doing its job. One that can't, or won't, is just a bigger door with the same old selective lock.
Conclusion
Malaysia didn't need to choose between protecting people from deepfakes and protecting people from the state a bill can criminalise digital abuse and still route every intrusive power through a genuine, un-bypassable warrant. That the Dewan Rakyat passed this version anyway, loophole intact, rushed through despite the media council and MPs on both sides asking for more time, is the real story here.
The bill is now law, or very nearly. What happens next depends on whether "checks and balances" turns out to be a description of the statute or just a phrase used to get it past a vote. Malaysians will find out the difference not in the next debate, but in the first case where "urgent" is invoked and someone has to ask, after the fact, whether it actually was one.
Annan Vaithegi writes that when governments ask citizens to trust new powers, they must first show that those powers deserve the public's trust.
Annan Vaithegi (annanvaithegi@icloud.com) is a content creator under the Newswav Creator programme, where you get to express yourself, be a citizen journalist, and at the same time monetize your content & reach millions of users on Newswav. Log in to creator.newswav.com and become a Newswav Creator now!
The User Content (as defined on Newswav Terms of Use) above including the views expressed and media (pictures, videos, citations etc) were submitted & posted by the author. Newswav is solely an aggregation platform that hosts the User Content. If you have any questions about the content, copyright or other issues of the work, please contact creator@newswav.com.


