Key Findings
A. The Development of Digital Contact Tracing in Indonesia
The Ministry of Communications and Information (KOMINFO) launched PeduliLindungi, a contact tracing app in mid-April 2020. With this launch, Indonesia became the second country in Southeast Asia to respond to COVID-19 with a digital contact tracing app, following Singapore’s app, TraceTogether. Indonesia’s app was launched after two legislations, Decree 159 and 171 of 2020, were passed. The first legislation authorizes the use of health surveillance, including through tracing, tracking, and warnings. Telecommunications operators in the country are required to support the government’s efforts in using the telecommunication infrastructure, system and information technology. It also requires the telecommunications operators to support the government in providing access to internet and telecommunication services and distributing information, among other activities.
The Decree also requires telecommunication operators to disseminate information about COVID-19 through SMS to their customers. People are also able to access government websites without any additional mobile data charges. Broadcasting, online media and other media institutions are also required to support the government through information dissemination and public service announcements.
Decree 171 was issued on April 6, 2020, which officially appointed PeduliLindungi as the national contact tracing app. The app was developed by the state-owned telecom provider, PT Telekomunikasi Indonesia Tbk (Telkom Indonesia). It is licensed to the government of Indonesia. According to the official website, the app uses Bluetooth technology and works in a manner similar to other contact tracing apps. Installed devices communicate to each other and collect data of other contacts that it has been in close proximity to during the previous 14 days. The app is not open-source, and publicly available information about PeduliLindungi remains very limited; as a result, little is known about the system’s architecture, functions, protocols, data management, and security design.
In June, it was revealed that the data of a number of people who have undergone COVID-19 testing in Indonesia were posted online for sale. The leaked data included their user ID, gender, age, telephone number, residence address, and patient status. The government denied that the data breach was associated with PeduliLindungi, and stated that the details of the investigation would not be published.
However, the data breach incident did not stop the government from moving forward with its digital contact tracing efforts. At the end of June, Gojek, a well-known multi-service digital platform in Indonesia, made PeduliLindungi assessible through its platform. Gojek, which has around 29 million monthly active users in Indonesia, displayed a banner for PeduliLindungi on the app’s homepage; this banner directed Gojek users to the PeduliLindungi page on the Google Play Store. The purpose of this banner was to increase the number of PeduliLindungi users. In fact, 82,000 users were reported to have downloaded PeduliLindungi through Gojek after a period of only one week following its launch.
Following the campaign with Gojek, the government has continued its collaboration with the private sector to increase the use of PeduliLindungi. KOMINFO collaborated with OVO, a digital platform for financial services in Indonesia. In this collaboration, OVO aimed to encourage its users to download PeduliLindungi by providing information about the app on its platforms.
It has been reported that the Indonesian government has planned to develop more functions on PeduliLindungi, which includes a QR code scanning function when people enter buildings and places; this function is similarly found in Singapore’s SafeEntry and Thailand’s Thai Chana apps. On September 19, 2020, the House of Representatives of the Republic of Indonesia approved the 2021 budget allocation for KOMINFO for Rp. 16.9 trillion (approximately 1.137 million USD); the development of PeduliLindungi was included in KOMINFO’s work plan for 2021.
B. Implications on Surveillance and the Right to Privacy
This section discusses the implications on surveillance and privacy from the adoption of PeduliLindungi. The app has a number of issues regarding the technical vulnerabilities, transparency, and policy enforcement. These issues reflect the concerns over how personal data and the right to privacy are treated, and how the system can be trusted.
1. Technical vulnerabilities and lack of transparency
According to the information that has been made publicly available, the app’s function is not considered to be privacy-by-design. Through the app, the government can monitor the gathering of people to ensure that they practice social distancing; this function is done through smartphone movement data, which includes the Mobile Subscriber Integrated Services Digital Network Number (MSISDN). From this data, warnings are issued via SMS to those who are not practicing social distancing. The collection of this data can be used to build a social and proximity graph of a person, which carries a number of risks. In particular, this usage can increase the vulnerability of certain groups of people, such as those who are LGBTQI+ or HIV positive people, if their real identities are disclosed. These risks are especially high for LGBTQI+ individuals due to the social stigmatization and discrimination they face, as several regulations are still in place which suppress their rights.
As the app is not open-source, this raises great concern over its transparency. The information that is available about the app itself is still limited, and it remains unclear how the app operates. The benefit of an open-source software is that it allows programmers to examine the code; in doing so, open-source software can help programmers discover any technical vulnerabilities in the app. Little information is known about PeduliLindungi’s architecture, functions, protocols, data management, and security design.
PeduliLindungi also does not have a privacy policy in place on both App Store and Google Play. Furthermore, there is no evidence that a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) have been conducted before the app was rolled out to the public. The HRIA and PIA enable those in charge of the app and its systems to understand the risks of PeduliLindungi with regard to the privacy and security of personal data. It also provides a source of information to the public to understand how using the app may affect their human rights and their right to privacy. If the HRIA and PIA can sufficiently demonstrate how the right to privacy is protected when people use the app, this information could increase the number of users of the app, thereby making digital contact tracing more effective.
When a contract tracing initiative applies to the mass population and concerns their personal data, transparency is an important element that the government should not overlook. Greater transparency of the system enables people to place more trust in the app. Respecting the privacy of users and maintaining transparency could make digital contact tracing efforts more effective by increasing the adoption rate of the app.
2. Legitimacy of surveillance and lack of policy enforcement
Indonesia’s response to the pandemic illustrates how privacy is sidelined during the government’s efforts to control an emergency situation. Indonesia is the only country in Southeast Asia that has issued specific legislations, Decree 159 and 171 of 2020, for its digital contact tracing efforts. Both legislations legitimize the use of health surveillance while overlooking people’s privacy. Decrees 159 and 171 also raise questions about the legitimacy of both legislations. Even though the 1945 Constitution of Indonesia does not specifically guarantee the right to privacy, Article 28 (g) states that every person has the right to the protection of themselves, their families, respect, dignity and possessions under their control. It also states that every person has the right to security and protection from the threat for doing, or not doing, something that constitutes human rights. Therefore, it remains a question whether KOMINFO’s decrees authorizing the use of health surveillance are constitutional or not.
Indonesia also does not have a robust law on personal data regulation and enforcement mechanism, which has heightened privacy concerns over the digital contact tracing. The government has made efforts to promote the use of PeduliLindungi, including by partnering with well-known digital platforms in the country; however, little is known on how the data collected from the contact tracing app will be treated to protect people’s privacy. A robust law on personal data and regulation that shares the same standards as international best practices can protect people’s personal data. Necessary regulations includes requiring the government to provide more transparency about PeduliLindungi on the type of personal data it collects, where the data are processed and stored, and the retention period of the data collected.
The data breach incident, which was allegedly from the database of PeduliLindungi, is also a lesson about the lack of policy enforcement in the country. While the government has denied the allegation that the data breach was from the government database of PeduliLindungi, the investigation has been conducted without any transparency. As a result, this type of incident has made it difficult for people to trust the app as well as the government.
C. Conclusion and Recommendations
PeduliLindungi‘s lack of transparency has prompted many questions regarding the app’s treatment of personal data and the privacy of its users. As the app is not open-source, it does not provide opportunities for independent technical experts to examine the app for any technical vulnerabilities in the system. This examination includes the system’s architecture, functions, protocols, data management, and security design. The privacy policy for the app on both App Store and Google Play has also not been put in place. Further, there has been no evidence that a HRIA and PIA have been conducted before the public launch of the app.
There also remains an absence of legislation to protect the privacy of users. While the government has issued two legislations prior to PeduliLindungi to enable the use of health surveillance, privacy was not been mentioned with respect to these laws. Without a legislative framework to protect personal data, users’ right to privacy is at risk. The data breach incident that allegedly occurred from the database of PeduliLindungi was also not investigated in a transparent manner.
In keeping with its international commitments to protect the fundamental human right to privacy, KOMINFO and the Indonesian Government must protect the right to privacy of its citizens in any upcoming contact tracing efforts. Transparency must be provided to the furthest extent possible in relation to how privacy is treated. It is recommended for the government of Indonesia to take the following actions:
- Release the white paper and the source code of PeduliLindungi under an open source license. The white paper should contain the necessary details regarding the system’s architecture, functions, protocols, data management, and security design. The source code should be of the deployed system, complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the app.
- Provide a clear privacy policy for PeduliLindungi. All the elements about how the data is collected, processed, and stored must be transparent. This should be in line with the international standards and best practices for privacy protection. Users’ informed consent must be obtained before the app can be downloaded.
- Issue data privacy regulations that specifically address PeduliLindungi. The regulation must stipulate that the collected data will not be used for other purposes apart from contact tracing as well as ensuring there are prevention methods (e.g. third-party audit where the result is publicly available) in place to keep the data secure from cyberattacks and data breach incidents.
- Conduct a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) for PeduliLindungi and other apps and platforms that may be implemented in the future for digital contact tracing purposes. The result should be made publicly accessible.
- Be transparent about the data breach incident that occurred from the PeduliLindungi’s database including the extent of the data breach, type(s) and volume of personal data involved, cause or suspected cause of the data breach, whether the data breach has been rectified, and measures and processes that KOMINFO had in place at the time of the data breach. The ministry should conduct a formal investigation and report on the incident and take steps to harden the system to prevent a reoccurrence.