Heal and protect? Global Voices

By Lance T. Lee

Jul 6, 2022

Image via EngageMedia

This article by Siti Rochmah Desyana is part of Pandemic of Control, a series of articles that aims to deepen public discourse on the rise of digital authoritarianism in Asia-Pacific amid COVID-19. Pandemic of Control is an initiative of EngageMedia, in partnership with CommonEdge. This edited version of the article is republished in Global Voices as part of a content partnership.

As the COVID-19 pandemic continues in Indonesia, the government app PeduliLindungi is still an integral part of daily life. Named by merging the Indonesian words for “care” (peduli) and “protect” (lindungi), the app claims to do just that, tracking and filtering COVID-19 statuses and providing resources and information about COVID-19. It has become commonplace in everyday life, as most restaurants, businesses, and all public transportation require users to check in by scanning a QR code through the app.

Its existence has become synonymous with and inseparable from the pandemic itself in Indonesia. But people’s reliance on the information, access and resources it offers to protect themselves from COVID-19 can come at the expense of data privacy rights.

As of this writing, over 50 million people have downloaded the app from the Google Play Store, making it the top medical app in the country. But, as more and more users sign up and use the app, concerns about the app’s security and in-depth tracking have also grown more serious.

In September 2021, Indonesian President Joko (Jokowi) Widodo’s vaccination certificate was leaked online, just one month after the alleged breach of the Indonesia Electronic Health Alert Card (eHAC) app, which compromised the data of 1.3 million users. The leaks have since boosted public discourse on data security and the amount of personal information collected and stored by PeduliLindungi.

Following the breaches, the Indonesian government has since asserted that the app has secured all users’ data, a response not unlike previous assurances it has given after similar breaches in the past. PeduliLindungi therefore potentially poses a greater threat due to its frequent use, large user base, and unique type of information stored, while leaving individuals with little or no legal recourse to protect their data.

A daily ritual: how PeduliLindungi controls people’s freedom of movement

While usage of the app varies from region to region, no other government platform matches its scale and reach. The app’s main interface has also been integrated into 15 other consumer-facing apps; there are even plans to turn it into a digital wallet.

To enter any public place in Indonesia, one must first scan the location’s required QR code via PeduliLindungi or an interconnected app, such as Jakarta regional app JAKI and Indonesian giant GOJEK. The information collected – such as the user’s legal name, ID number, COVID-19 susceptibility, current location and time spent at the facility – is then recorded and stored on PeduliLindungi servers. Those who have not officially registered with PeduliLindungi or the other interconnected applications are only allowed to enter public areas if they present valid vaccine certificates, which are also hosted by PeduliLindungi and must be accessible through its portals.

When an Indonesian is not officially part of the PeduliLindungi system, a number of challenges and obstacles disrupt their daily routine. For example, without a ticket to get vaccinated – whether by choice or unavailability of vaccines – one will not be allowed to freely use and enter bus stops, train stations, airports, markets, hospitals, office buildings and other public spaces. Unvaccinated people have even reported difficulty in seeking treatment at medical institutions, which rely on the PeduliLindungi database to access COVID-19 status.

Using the app is now not only necessary, but socially obligatory in order to maintain freedom of movement. Such measures were justified to curb the spread of COVID-19, despite questions about their ability to do so.

PeduliLindungi users can request vaccine certificates through the website. As long as you have a full name, ID number, date of birth, and date and type of vaccination, you can access anyone’s vaccination certificates. Screenshot by Siti Rochmah Desyana

How secure is the data?

There are also many unanswered questions regarding the digital security of PeduliLindungi. Although no classified information stored online can ever be completely secure, the Indonesian government has not yet taken adequate measures to ensure the security of its various databases.

When the eHAC database was leaked in 2021, the government chose to deflect and point out that only the “old separate eHAC” was compromised. The government simply asked citizens to remove the old eHAC app from their phones.

PeduliLindungi is no exception to this lack of responsibility. For one thing, the president’s leaked vaccine certificate only showed how easy it was to get any certificate, even ones that didn’t belong to you. To access it on the app, all you need is a full name, ID number, date of birth, date and type of vaccination – information that can easily be found on social media or even through carelessly discarded paper documents.

In the president’s case, investigators found that his information was obtained through PCare, a separate Health Ministry app, which is used by healthcare providers to upload a user’s immunization data to PeduliLindungi servers. The link between the two applications remains unclear.

The problem is only made worse by PeduliLindungi’s interconnectivity with other third-party applications. For example, the app is connected to Google and other third-party software providers that track users’ locations as they enter and exit public spaces and when they use public transportation. A previous version of the PeduliLindungi mobile application reportedly contained anomalies, including manually storing data in the app and sending said data to an external non-Indonesian website. In the past, the app had also sent user names and device types to a subsidiary of PT Telkom, the Indonesian public telecommunications company with servers in Singapore.

But, despite evidence that third-party apps may have led to data breaches on other government apps, PeduliLindungi’s latest privacy policy maintains a disclaimer for “breaches or unauthorized access”, which includes how third parties use PeduliLindungi data.

Limitation of liability of PeduliLindungi on the mobile version of the application. Screenshot by Siti Rochmah Desyana

Lack of protection, regulation and accountability persists

Despite a large number of infections, the public continues to question whether the surveillance and monitoring carried out by PeduliLindungi is necessary to curb the spread of COVID-19. Regardless of your side in the debate, the Indonesian government’s responses to past data breaches and other concerning events fail to address the root of the problem: the security of PeduliLindungi’s servers and the privacy of its users’ data.

The government never released the results of PeduliLindungi’s initial security audit, which would have informed the public about the app’s safety and security before it was implemented.

PeduliLindungi is also still not registered with government electronic system organizers – a requirement for public servers as per regulations.

Citizens are once again bearing the brunt of this lack of protection, regulation and accountability. Indonesians have sacrificed their freedom of movement and privacy and handed over their data to the government, on the assumption that it will prevent the spread of the virus and pave the way for the pandemic to end.

Worse, Indonesia currently has no specific legislation regarding data privacy protection. Although there are provisions governing consent to the use of individual data, they are dispersed at different levels of law.

The ministerial regulation currently in force concerning the protection of private data in electronic systems is more like a directive that does not contain any punitive or consequential clause for those who violate the terms of the rule. Although there is a bill on the protection of personal data, it is still stuck in the deliberations of the House of Representatives and little improvement has been made so far.

As PeduliLindungi and the government continue to fumble in their operations, and these concerns have been glossed over, one has to ask: Does PeduliLindungi really care for and protect the Indonesian public?

Siti Rochmah Desyana is a human rights observer with a particular interest in issues of equality and justice. She currently works with the International NGO Forum on Indonesian Development (INFID) for the In-Equality program and writes about the world in her spare time.
