Indonesia is the largest digital market in Southeast Asia, boasting around 202 million citizens that have access to the internet. Despite a persistent digital gap and issues in financial inclusion, Indonesia has seen an astonishing rise in domestic unicorns such as Gojek, Tokopedia, Bukalapak, Traveloka, and most recently, Ajaib.
Government services are also increasingly becoming digitalized. The tax filing system, for example, has almost been fully digitized, allowing citizens to file taxes without visiting the tax office. During the COVID-19 pandemic, government-issued vaccine certificates were also distributed online through the contact-tracing app, PeduliLindungi, in lieu of traditional paper certificates.
This massive drive towards digitalization, however, has yet to be accompanied by adequate cybersecurity measures. In July 2021, a group from VPN Mentor discovered vulnerabilities in the electronic Health Alert Card (eHAC) application that put the personal data of around 1.3 million Indonesians at risk. The application was developed during the COVID-19 pandemic as a tracing application for domestic and international travelers. The government’s response, however, leaves much to be desired. VPN Mentor contacted the Indonesian Ministry of Health twice in July 2021, but the ministry failed to respond. Another report was filed with the Indonesian Cyber Security Agency (BSSN), and following that report, the eHAC server was shut down. In September 2021, the police officially closed the investigation, citing a lack of evidence that a breach had occurred.
The recent eHAC breach is one among many high-profile data breaches that have happened in Indonesia over the last two years. According to the Ministry of Information and Communications, since 2019 there have been 29 government agencies that have experienced data breaches of varying severity. Though public sector data breaches or leaks are One of the worst breaches occurred shortly before the eHAC breach. In June 2021, the National Social Security Agency (BPJS) announced that the social security information of around 279 million Indonesians had been leaked, including national ID numbers, names, telephone numbers, and email addresses. All of this data can be used to conduct identity theft, particularly in applying for loans and other financial services, and for government services such as vaccinations.
The most recent data breach involved the National Child Protection Agency (KPAI), which was confirmed on 21 October 2021. On 13 October, a database of personal details (names, ID numbers, addresses, and email addresses) was uploaded to RaidForums. The KPAI reported the breach to the National Cyber and Crypto Agency (BSSN) on 19 October, which in turn coordinated with the Ministry of Information and Communication to investigate. At the time of writing, the agency’s complaint service, where citizens can report cases related to child welfare, continued to operate as usual.
The private sector has also seen some high-profile breaches. In May 2020, Tokopedia, one of the largest e-commerce platforms in Indonesia, experienced a data breach that exposed the personal data of its 91 million users. Bhinneka and Bukalapak have also experienced data breaches.
The porous legal defenses
The formulation of a legal framework for personal data protection (PDP) in Indonesia has been remarkably slow, especially when compared to the legal frameworks of its ASEAN neighbors. Malaysia’s PDP Act was passed in 2010 and implemented in 2013. Singapore and the Philippines promulgated PDP acts in 2012, which were then fully implemented in 2014 and 2016 respectively. Thailand recently passed its own PDP Act in 2019.
A draft PDP bill has been in the works since early 2020 and is targeted for completion in mid-2021. Deliberations, unfortunately, have been slow, as regulators have yet to agree on the relevant enforcement agency. The Ministry of Information and Communication insists on serving in the role, whereas the House of Representatives prefers an independent, ministry-level commission to carry out the task. Experts prefer the latter, citing the possibility of conflicts of interest, especially in cross-ministerial investigations.
In the absence of a comprehensive PDP legal framework, data breaches are often resolved using other relevant legislation. The closest pieces of legislation are the Ministerial Regulation (Peraturan Menteri) issued by the Ministry of Information and Communication in 2016 and Governmental Regulation (Peraturan Pemerintah) no. 71/2019. These regulations guarantee users the right to alter, access, or delete their personal data stored in electronic service providers’ (ESP) databases. However, they do not necessarily compel ESPs to protect personal data according to government-issued standards. Instead, service providers are expected to enact internal bylaws or guidelines on personal data protection, with the bare minimum expectation being to store user data on encrypted servers and to notify users should a breach occur. This essentially leaves users to fend for themselves when ESPs experience data breaches, or when malicious actors abuse leaked personal data. Follow-up actions are then contingent on internal company guidelines.
Achieving better personal data protection
The longer policymakers remain in deadlock on the draft PDP bill, the more likely data breaches in the future will continue to remain poorly addressed. Accelerating the passage of the PDP law is non-negotiable.
While legislation alone might not deter data breaches, it does compel ESPs, both government and non-government, to provide adequate safeguards for the personal data held on their servers. In addition, legislation should also compel ESPs, particularly government agencies, to be more forthcoming about the way user data is collected and processed. The PeduliLindungi app has recently come under fire for its alleged weak safeguards, which allowed users to download Joko Widodo’s vaccine certificate simply by entering his national ID number, which had been circulated online. Given the app’s central role in Indonesia’s return to a ‘new normal’, it cannot avoid public scrutiny of its safeguards.
An independent ministerial-level commission remains the ideal enforcement agency despite the high upfront cost of establishing it. Personal data breaches should not be a partisan issue, especially since they can befall anyone. The PDP bill should also include strict measures to protect the commission’s independence and integrity. The gutting of the Corruption Eradication Commission (KPK) for political reasons provides a cautionary tale for any enforcement agency working for the greater good.
To prevent data breaches, the government, through the BSSN, should resume its voluntary vulnerability disclosure program (VVDP), which was suddenly halted in 2020. The halt represents a great setback for cybersecurity, as it limits the ability of concerned citizens to report vulnerabilities, which inevitably delays the application of security patches. Singapore’s VVDP, established in 2019, for example, openly encourages citizens to report vulnerabilities found on government websites. This led to the discovery of almost 500 confirmed vulnerabilities out of 1,000 reports as of March 2021.
A resumption of Indonesia’s VVDP should also protect citizens from being criminally charged by the relevant government agencies for their ethical activities. This concern stems from a 2019 case in which a ‘white-hat hacker’ was charged by the General Elections Commission with illegally accessing its database after the hacker had reported a vulnerability in the Commission’s website to the BSSN. Though the hacker was acquitted, the case will likely deter further efforts by citizens to report vulnerabilities.
There is also room for the development of public-private partnerships in PDP. It is in the interest of large private ESPs, particularly e-commerce platforms, to retain customer trust by implementing stricter data security measures. Private sector ESPs may also consider partnering with the relevant government agencies to draw up guidelines on best practices or standards for general use. A similar approach has been taken in the European Union in various forms.
All in all, as Indonesia progresses into its digital future, it will need to seriously consider the best practices for protecting its citizens’ personal data. Otherwise, it risks jeopardizing that future.