The twists and turns of personal data security in Indonesia

In January 2020, senior journalist Ilham Bintang noticed that his phone did not catch any signal as he landed in Australia, even after he registered for an international data roaming plan for the number. Two days later, he found out that his Commonwealth Bank account was drained in transactions he did not authorise.

Just like all of us, Bintang uses his mobile phone for authorisation. This method requires him to connect his bank account to the number on his subscriber identity module (SIM) card. However, he later found out that his SIM card was hacked and used to authorise money transfers to 98 bank accounts.

This is just one of many identity theft cases that made it to the mainstream media. Every single day we hear of people being billed for a loan they never took out, or simply being bombarded with unwanted ads and phishing links. These have become part of everyday life for Indonesians. The question is: why?

What is personal data?

If we talk about personal data, many of us would probably think of the KTP (identity card), phone number and passwords or personal identification numbers (PINs). The General Data Protection Regulation (GDPR), the EU's data protection law, defines personal data as “any information relating to an identified or identifiable natural person.”

This means that an individual’s personal data is more than just their ID or passwords. Although Indonesia does not yet have a dedicated law on personal data protection, the government is working on the Personal Data Protection Bill (RUU Pelindungan Data Pribadi/RUU-PDP).

RUU-PDP classifies personal data into public data and specific data. Public personal data includes full name, sex, nationality, religion and any data that must be combined with other data to identify an individual. Specific data (or sensitive data, in GDPR terms) covers health records, biometric data (facial recognition, fingerprints, etc.), genetic data, sexual orientation, political views, criminal records, children’s data and personal financial records.

However, disclosing such data is often unavoidable, especially during the pandemic, when COVID-19 tests or vaccine shots require your data. “When we need to disclose the data, we have to give them in accordance with the data processing purposes,” said TIFA Foundation Executive Director Shita Laksmi.

What can happen if our personal data is breached?

The current situation shows that data privacy goes beyond written information about an individual. A 31-year-old researcher, Lia, experienced discrimination after she informed her neighbours that she and her family had tested positive for COVID-19. The treatment ranged from neighbours avoiding them even at a safe distance to packages being tossed carelessly into her front yard by snickering couriers.

In another case, @ecommurz, an Instagram account popular among tech workers, discussed the privacy of workers in Jakarta who were expected to report their workplace via JAKI if the employer insisted that they work from the office at the beginning of the community activity restrictions (PPKM) period.

In the discussion, it was revealed that several workers were terminated or penalised for reporting their workplace. People then came up with many ways to protect their privacy if they were about to report the violation. The tricks include avoiding CCTV and paying attention to the angles from their work station.

This situation shows that any information that may be used to identify an individual can be sensitive and may expose that individual to persecution and discrimination. Now that we rely so heavily on digital services, it is getting harder to keep our data secure. Another factor is the absence of a law that specifically protects our data and regulates the authorisation requirements of the applications we use every day. To use the financial features of an app, a copy of the KTP is usually required, as well as a photo of the user holding the KTP. If the bank data in such an app is breached, millions of users could easily be harmed.

“Reportedly, illegal fintech apps are using stolen data which are sold on the dark web,” said Alia Yofira Karunian, a Junior Researcher at the Institute for Policy Research and Advocacy (ELSAM). “These stolen data are very detailed and well-integrated,” she added. Losses at the personal level are a given. In the worst-case scenario, a data breach can also be harmful at the state level.

In 2014, the personal data of 20 million South Koreans, which included names, social security numbers and credit card data, among them those of then-president Park Geun-hye, was stolen and sold to marketing firms. The theft forced the South Korean government to take drastic measures, issuing new IDs and carrying out a system overhaul that cost 700 billion won ($650 million), with local industries spending even more to follow the security updates.

“We are already a ticking bomb,” she concluded, “If we don't address the issue, reorganise and work to pass RUU-PDP, privacy will be no more.”

Can we trust the government and business entities with our data?

In May 2021, a dataset containing the personal information of 279 million Indonesians, including ID card numbers, phone numbers, e-mail addresses, home addresses and about five million photographs, was leaked from BPJS. The dataset was uploaded to Raid Forum by a user with the handle kotz.

Investigations were then rolled out; Periksa Data is reportedly going to challenge BPJS in court, while the Indonesia Cyber Security Independent Resilience Team (CISRT) estimated state losses of up to Rp600 trillion from the breach. However, no concrete action has yet been taken to bring the case to a conclusion.

“We still need to find a way to investigate these cases further, how we are going to implement legal protection for this and how to ensure accountability for the incident,” Shita said, adding that, “Indonesia doesn’t have the system for this yet.”

EU countries once stood where Indonesia stands now. Personal data protection was non-existent until they decided to target the business entities that had been making profits in their territory while mining countless personal data. Only in 2016 was the GDPR passed in the EU, along with penalties for business entities that misuse personal data or mine more data than needed. They slowly created a safer environment with a legal system that enables data protection and applies even to multinational tech companies.

In Indonesia, data leaks are no longer even treated as a crisis. Besides BPJS, e-commerce app Tokopedia had its own data leak, with 91 million users falling victim, while Bukalapak saw the data of 13 million users breached. Data leaks keep happening, yet no one is held accountable.

On a smaller scale, there was also a data leak that may not have been caused by malicious intent but was just as harmful. The Magelang regency administration uploaded resident population data, including ID details, to its website. This is a telling example of the lack of digital literacy and awareness, even within the government, the very entity we are supposed to entrust with our data security.

Only when people voiced their opinions loudly enough did the government respond. However, the response never strays far from how digital literacy is the key to avoiding illegal fintech loans, and never touches on how the government could tighten digital security in the country by making full use of the resources in its hands.

“We have to stir the government so they can be more responsible in providing data security,” said Principal Investigator of TIFA Foundation Sherly Haristya. The responsibility to be digitally literate has always been placed on the people. The National Digital Literacy Programme is one of the good strategies for tackling digital literacy issues, but if the digital ecosystem is built by the community alone, the programme won’t bring significant change.

“The government is responsible for educating themselves, supervising RUU-PDP closely and, through the bill, assigning more responsibilities to data processing entities in the future,” she explained.

How can we protect our personal data?

“Technically,” Alia said, “it is never our responsibility to be concerned about our data safety 24/7.”

By default, the government is responsible for regulating the protection of personal data at all levels, especially when it is disclosed to data processing entities, including government agencies. However, since RUU-PDP has not yet been passed into law, there are still some things we can do to protect ourselves better.

Spreading awareness can bring great change in our society. When we see our associates uploading their vaccine certificates to social media with all their information visible, we can reach out and warn them. The lack of awareness about how sensitive some personal data is remains widespread in our communities. Small steps towards digital literacy are better than none at all.

The more digitally fluent can also apply basic security measures, such as strengthening passwords by combining lowercase and uppercase letters, numbers and symbols, avoiding full names and birthdates, and using a minimum of eight characters (the more, the better).
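The criteria above can be turned into a simple checker. The following Python snippet is an added example, not code from the article or from any of the organisations it quotes; the sample name and birthdate are constructed and the function names are my own. It reports every rule a candidate password fails, including whether it contains part of the user's name or a common rendering of their birthdate.

```python
import re
from datetime import date


def birthdate_tokens(d):
    """Common ways a birthdate is typed into a password (dd/mm/yyyy order and variants).

    Two-digit years on their own are deliberately excluded: a bare "90" would
    match far too many unrelated passwords.
    """
    yyyy = f"{d.year:04d}"
    yy = yyyy[2:]
    mm = f"{d.month:02d}"
    dd = f"{d.day:02d}"
    return {
        yyyy,
        dd + mm, mm + dd,
        dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd,
        dd + mm + yy, mm + dd + yy,
    }


def password_issues(password, full_name="", birthdate=None, min_length=8):
    """Return the list of rules from the article that `password` fails (empty = passes)."""
    issues = []
    if len(password) < min_length:
        issues.append("too_short")
    if not re.search(r"[a-z]", password):
        issues.append("no_lowercase")
    if not re.search(r"[A-Z]", password):
        issues.append("no_uppercase")
    if not re.search(r"[0-9]", password):
        issues.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no_symbol")

    # Name check: any name part of three or more letters, case-insensitively.
    lowered = password.lower()
    for part in full_name.lower().split():
        if len(part) >= 3 and part in lowered:
            issues.append("contains_name")
            break

    # Birthdate check: any of the usual numeric renderings.
    if birthdate is not None:
        for token in birthdate_tokens(birthdate):
            if token in password:
                issues.append("contains_birthdate")
                break
    return issues


def is_acceptable(password, full_name="", birthdate=None):
    return not password_issues(password, full_name, birthdate)


if __name__ == "__main__":
    # Constructed sample profile, not a real person.
    name, dob = "Budi Santoso", date(1990, 5, 12)
    for candidate in ["budi1990", "Abc!1", "Summer2021!"]:
        print(candidate, "->", password_issues(candidate, name, dob) or "ok")
```

The composition rules here are exactly the ones the article lists. Current guidance such as NIST SP 800-63B leans away from strict composition rules and towards length plus screening against lists of already-breached passwords, so in a real deployment the screening step is the one to add next.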

When possible, always use two-step authentication for every account. Deactivating the geo-tagging feature in the apps we use also improves data security. It is highly recommended to visit the settings panel of each account and review its privacy options.

Lastly, when it comes to physical data such as a copy of a KTP or passport, the least we can do is make sure we know where it goes once it is submitted. Only submit copies of your documents when strictly necessary, such as for vaccines, COVID-19 screening and other situations in which you are legally required to do so.