Open Letter to KOMINFO Requesting for Strong User Privacy Protections in the PeduliLindungi App

26 June 2020

H.E. Johnny G. Plate
Minister of Communication and Information Technology
Ministry of Communication and Information Technology (KOMINFO)
Jl. Medan Merdeka Barat no. 9, Jakarta 10110
Republic of Indonesia

Your Excellency,

Open Letter to KOMINFO Requesting for Strong User Privacy Protections in the PeduliLindungi App

In April 2020, Indonesia launched an exposure notification app, PeduliLindungi, whose objective is to track and reduce the transmission of the novel coronavirus (COVID-19) by assisting contact tracing. While the app is relevant, it also has a high potential to put users’ privacy at serious risk. We therefore urge you to provide more transparency and to ensure the privacy of users.

We request the Ministry of Communication and Information Technology (KOMINFO) to release the white paper and the source code of PeduliLindungi under an open source license. This will help independent experts to examine any vulnerabilities in the system, which in turn can help secure the privacy and security of users and their data. The white paper should document the system’s architecture, functions, protocols, data management, and security design. The source code should be of the deployed system, complete, up-to-date, and buildable.

Current information about PeduliLindungi is limited. At the time of writing, there is no privacy policy available on App Store nor on Google Play for users to access or download. We request KOMINFO to provide clear privacy policies of the app on both app platforms, in line with international standards and best practices. The privacy policy must provide clear details of how the app collects, uses and stores data.

Indonesia’s data privacy regulation lags behind international best practices. Strengthening data privacy regulation in Indonesia is essential to safeguard citizens’ privacy and personal protection. As COVID-19 exposure notification and surveillance efforts have already been implemented, we request the Government of Indonesia to issue a regulation specifying that the data collected by this exposure notification app will, without exception, only be used for contact tracing purposes. It should also specify the steps being taken to secure individuals’ data from cyberattacks and security breaches. We would also welcome an independent audit of the app as well as an official committee to oversee privacy protection in relation to the government’s contact tracing efforts.

Privacy is a fundamental right and is recognized as such by international human rights instruments including Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Indonesia is a member state of the United Nations and ratified the ICCPR in 2006. It is also emphasized in the Indonesian Constitution, Undang-Undang Dasar 1945, particularly Article 28 G (1) and 28 H (4) which often become a strong recommendation in order to protect privacy as well as data protection. Thus, Indonesia’s contact tracing efforts must be aligned with international human rights standards to safeguard privacy. We also recommend the authorities to explore the international best practices and guidance on protecting the right to privacy in relation to COVID-19. This includes the recent guidance provided by the World Health Organisation (WHO) on May 28 on ‘Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing’ (WHO reference number: WHO/2019-nCoV/Ethics_Contact_tracing_apps/2020.1). The WHO initial guidance cautions that the effectiveness of digital proximity tracking to assist contact tracing remains unknown, while also identifying 17 principles to guide governments, public health institutions, and non-State actors on the ethical and appropriate use of digital proximity tracking technologies to address COVID-19.

Summarizing the above statements, we request KOMINFO and the Government of Indonesia to take the following actions:

  1. Release the white paper and the source code of PeduliLindungi under an open source license. The white paper should contain all necessary details of the system’s architecture, functions, protocols, data management and security design. The source code should be that of the deployed system, complete, up-to-date, and buildable so that the system’s security and privacy treatment can be independently verified. The white paper and the source code must be regularly updated along with the app.
  2. Provide a clear privacy policy for PeduliLindungi on both the App Store and Google Play. All the elements of how the data is collected, processed, and stored must be transparent. This should be in line with international standards and best practices for privacy protection. Users’ informed consent must be obtained before the app can be downloaded.
  3. Issue data privacy regulations that specifically address PeduliLindungi. The regulation must stipulate that the collected data will not be used for purposes other than contact tracing, as well as ensuring there are prevention methods (e.g. third-party audit where the result is publicly available) in place to keep the data secure from cyberattacks and data breach incidents.
  4. Be transparent about the data breach incident that occurred from the PeduliLindungi’s database, including extent of the data breach, type(s) and volume of personal data involved, cause or suspected cause of the data breach, whether the data breach has been rectified, and measures and processes that KOMINFO had in place at the time of the data breach. The ministry should conduct a formal investigation and report on the incident and take steps to harden the system to prevent a reoccurrence.
  5. In keeping with its international commitments to protect the fundamental human right to privacy, KOMINFO and the Indonesian Government must protect the right to privacy of citizens in any upcoming contact tracing efforts. Transparency must be provided to the furthest extent possible in relation to how privacy is treated.

Yours Sincerely

Yuyun Wahyuningrum, Representative of Indonesia to the ASEAN Intergovernmental Commission on Human Rights (AICHR)
Southeast Asia Freedom of Expression Network (SAFEnet)
Institute for Policy Research and Advocacy (ELSAM)
FORUM-ASIA
Commission for the Disappeared and Victims of Violence (KontraS)
Protection Desk Indonesia/Yayasan Perlindungan Insani Indonesia (YPII)
Indonesia Legal Aid Foundation (YLBHI)
Human Rights Working Group (HRWG)
Access Now
ARTICLE 19
CIVICUS: World Alliance for Citizen Participation
Combine Resource Institution (CRI)
Asia Democracy Network (ADN)
DigitalReach

The PDF version of the open letter is available to download in both English and Bahasa Indonesia.
