Secrets for sale

Kompas – November 24, 2021

Signs read "State secrets for sale", "Important data", "Private data" etc.

Writing on snail reads "Draft Law on Cyber Protection and Security (RUU KKS), Draft Law on the Protection of Private Data (RUU PDP)"

A string of recent cyber security threats has highlighted the vulnerability of Indonesia's data security systems to attacks and intrusions that endanger not only people's privacy rights but also state security.

In the latest incident a group of hackers was reportedly able to infiltrate the State Intelligence Agency's (BIN) server, although the agency has rejected the claim saying its servers were safe and regularly maintained to ensure their security and reliability.

Prior to this there were several reports of private data being leaked from various platforms managed by the government.

The Health Ministry's Indonesian Health Alert Card (eHAC) app, which is used to monitor people's mobility during the Covid-19 pandemic, was the latest app to fall victim to data leakage.

The incident was first reported by vpnMentor researchers who contacted the Health Ministry in mid-July and again in early August – neither effort received a response.

The group said it found that the personal information of some 1.4 million users, both Indonesians and foreigners, was not protected, as the developer had failed to deploy a proper data privacy protocol.

Communications and Information Minister Johnny G Plate has revealed that 29 state institutions had experienced data leaks in the past three years.

However the government's proposed solution to these problems – the Draft Law on Cyber Protection and Security (RUU KKS) – has been criticised over potential threats to privacy and freedom of expression.

The Southeast Asia Freedom of Expression Network (SAFEnet) for example has cited two articles in particular which are of concern. Article 11, which tasks the National Cyber and Encryption Agency (BSSN) with dealing with destructive or negative contents which could be used against those who express opinions legally, and Article 14, which allows the government to cut data connections from electronic systems to prevent the spread of information deemed a security threat.

The Draft Law on the Protection of Private Data (RUU PDP) meanwhile – which rights activists say is becoming increasingly urgent – continues to languish in parliament with disagreement between the government and the House of Representatives (DPR) over the need for an independent supervisory agency and the separation of personal data that is open and closed for access by third parties hindering the bill's deliberations.

[Based on a Jakarta Post editorial titled "Indonesia's data security system remains vulnerable to attacks".]