26 June 2020
H.E. Johnny G. Plate
Minister of Communication and Information Technology
Ministry of Communication and Information Technology (KOMINFO)
Jl. Medan Merdeka Barat no. 9, Jakarta 10110
Republic of Indonesia
Open Letter to KOMINFO Requesting for Strong User Privacy Protections in the PeduliLindungi App
In April 2020, Indonesia launched an exposure notification app, PeduliLindungi, whose objective is to track and reduce the transmission of the novel coronavirus (COVID-19) by assisting contact tracing. While the app is relevant, it also has a high potential to put users’ privacy at serious risk. We therefore urge you to provide more transparency and to ensure the privacy of users.
We request the Ministry of Communication and Information Technology (KOMINFO) to release the white paper and the source code of PeduliLindungi under an open source license. This will help independent experts to examine any vulnerabilities in the system, which in turn can help secure the privacy and security of users and their data. The white paper should document the system’s architecture, functions, protocols, data management, and security design. The source code should be of the deployed system, complete, up-to-date, and buildable.
Indonesia’s data privacy regulation lags behind international best practices. Strengthening data privacy regulation in Indonesia is essential to safeguard citizens’ privacy and personal protection. As COVID-19 exposure notification and surveillance efforts have already been implemented, we request the Government of Indonesia to issue a regulation specifying that the data collected by this exposure notification app will, without exception, only be used for contact tracing purposes. It should also specify the steps being taken to secure individuals’ data from cyberattacks and security breaches. We would also welcome an independent audit of the app as well as an official committee to oversee privacy protection in relation to the government’s contact tracing efforts.
Privacy is a fundamental right and is recognized as such by international human rights instruments including Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Indonesia is a member state of the United Nations and ratified the ICCPR in 2006. It is also emphasized in the Indonesian Constitution, Undang-Undang Dasar 1945, particularly Article 28 G (1) and 28 H (4), which often become a strong recommendation in order to protect privacy as well as data protection. Thus, Indonesia’s contact tracing efforts must be aligned with international human rights standards to safeguard privacy. We also recommend that the authorities explore the international best practices and guidance on protecting the right to privacy in relation to COVID-19. This includes the recent guidance provided by the World Health Organisation (WHO) on May 28 on ‘Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing’ (WHO reference number: WHO/2019-nCoV/Ethics_Contact_tracing_apps/2020.1). The WHO initial guidance cautions that the effectiveness of digital proximity tracking to assist contact tracing remains unknown, while also identifying 17 principles to guide governments, public health institutions, and non-State actors on the ethical and appropriate use of digital proximity tracking technologies to address COVID-19.
Summarizing the above statements, we request KOMINFO and the Government of Indonesia to take the following actions:
- Release the white paper and the source code of PeduliLindungi under an open source license. The white paper should contain all necessary details of the system’s architecture, functions, protocols, data management and security design. The source code should be that of the deployed system, complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the app.
- Issue data privacy regulations that specifically address PeduliLindungi. The regulation must stipulate that the collected data will not be used for purposes other than contact tracing, as well as ensuring there are prevention methods (e.g. third-party audit where the result is publicly available) in place to keep the data secure from cyberattacks and data breach incidents.
- Be transparent about the data breach incident that occurred from PeduliLindungi’s database, including the extent of the data breach, the type(s) and volume of personal data involved, the cause or suspected cause of the data breach, whether the data breach has been rectified, and the measures and processes that KOMINFO had in place at the time of the data breach. The ministry should conduct a formal investigation and report on the incident and take steps to harden the system to prevent a reoccurrence.
- In keeping with its international commitments to protect the fundamental human right to privacy, KOMINFO and the Indonesian Government must protect the right to privacy of citizens in any upcoming contact tracing efforts. Transparency must be provided to the furthest extent possible in relation to how privacy is treated.
Yuyun Wahyuningrum, Representative of Indonesia to the ASEAN Intergovernmental Commission on Human Rights (AICHR)
Southeast Asia Freedom of Expression Network (SAFEnet)
Institute for Policy Research and Advocacy (ELSAM)
Commission for the Disappeared and Victims of Violence (KontraS)
Protection Desk Indonesia/Yayasan Perlindungan Insani Indonesia (YPII)
Indonesia Legal Aid Foundation (YLBHI)
Human Rights Working Group (HRWG)
CIVICUS: World Alliance for Citizen Participation
Combine Resource Institution (CRI)
Asia Democracy Network (ADN)