State of Privacy Indonesia

Indonesia

Table of contents

Introduction

Acknowledgment

The State of Privacy in Indonesia is the result of an ongoing collaboration by Privacy International and The Institute for Policy Research and Advocacy (ELSAM).

Key privacy facts

1. Constitutional privacy protection: The constitution does not explicitly mention privacy.

2. Data protection law: Indonesia currently has no data protection law.

3. Data protection agency: Indonesia currently has no data protection law agency.

4. Recent scandal: the purchase of an internet censorship system by the Ministry of Communication and Information Technology triggered fears of surveillance.

5. ID regime: Indonesia has a biometrics-based identity card scheme, e-KPT required to obtain passports, driving licenses and the state health insurance card.

Right to Privacy

The constitution

Indonesia's Constitution does not explicitly mention privacy. However, Article 28(g) protects the right to dignity and "to feel secure", concepts that are often related to the right to privacy in national constitutions:

"(1) Every person shall have the right to protection of his/herself, family, honour, dignity, and property, and shall have the right to feel secure against and receive protection from the threat of fear to do or not do something that is a human right."

Article 28(f) guarantees the right to communication, though it does not mention privacy:

"Every person shall have the right to communicate and to obtain information for the purpose of the development of his/her self and social environment, and shall have the right to seek, obtain, possess, store, process and convey information by employing all available types of channels."

Regional and international conventions

The Indonesia has ratified a number of international human rights treaties with privacy implications. These include:

Communication Surveillance

Introduction

In 2014, there were 29.6 million fixed phone subscriptions in Indonesia, corresponding to just over 30 subscriptions per 100 people, according to statistics collected by the International Telecommunications Union. That year, there were 319 million mobile subscriptions, representing approximately 116.8 subscriptions per 100 people.

According to the International Telecommunications Union (ITU), 20.4 % of Indonesians used the internet in 2016. We Are Social, a social media consultancy, put this figure slightly higher at 72.7 million Indonesians using the internet as of 2015, representing a penetration rate of 28 % of the population.

Indonesians are active users of social media platforms. The most popular platforms in the country are Facebook, WhatsApp and Twitter, according to the same study.

Surveillance laws

The 1998 Decree of the Consultative Assembly (TAP MPR) No. 17/MPR/1998 asserts various protections around freedom of expression and association and communication, though it does not specifically enshrine privacy as a right.

Law No 39 of 1998 states that Indonesia has a responsibility to honour and implement the Universal Declaration of Human Rights and other international instruments on human rights, which by extension would ensure the right to privacy as per Article 12.

Law No. 36 of 1999 states in article 4 that "the state has authority on telecommunication and the government has power to its development," which could be construed as giving the government a wide mandate over communications content. Article 21 states:

"A telecommunications operator is prohibited from engaging in telecommunications operations business, which violates the public interest, morals, security or public order."

Article 41 of this law, also known as the "Law of Telecommunication", states:

"In order to prove the truth, the use of telecommunications facilities at the request by users of telecommunications services, the providers are obliged to record the use of telecommunications facilities used by the users, and to record the information in accordance with laws and regulations."

Article 42 outlines the procedure for access to intercepted communications:

"For the purposes of the criminal justice process, telecommunication service providers may record the information sent and/or received by telecommunication service providers and provide the information as needed, by:

  1. Written request from General Attorney and/or the Chief of Indonesian Police for specific criminal acts;
  2. Request from investigators for specific criminal acts in accordance with applicable law."

Furthermore, written requests for information must include "[o]bjects that were recorded; b. Recording period; and c. Period of time to report the results."

In 2006, the MCIT issued Ministerial Regulation 11/PER/M.KOMINFO/ 02/2006 of 2006 to facilitate intelligence and law enforcement's direct access to telecommunications networks. Article 1(9), for example, provides that "lawful interception" means the interception of information activities conducted by law enforcement agents for the purposes of law enforcement, the results of which are sent to a monitoring center controlled by law enforcement agencies.

A provision for communications interception is included in Law No. 11 of 2008 on Electronic Information and Transactions (EIT). Article 31(4) calls for the government to issue a regulation on the matter of wiretapping. The EIT also contains a provision (Article 26) that prohibits the use of any personal data through electronic media without the consent of that person.

The Law on State Intelligence passed in October 2011 broadly authorizes the Indonesian State Intelligence Agency (BIN) to engage in efforts "to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security" (article 6). This may include communications surveillance. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.

In December 2014, the Parliament released a proposed list of bills to be considered priorities. The list included a number of bills relating to communications surveillance and privacy, including the Draft Bill on Interception Procedure, the Draft Bill on Mutual Legal Assistance, the Draft Regulation on Protection of Personal Data in Electronic Systems (passed in December 2016), and the Draft Presidential Regulation on a National Interception Center.

There is a general requirement under Government Regulation 82 that the electronic system operator must appoint a certified expert in the fields of electronic systems and information technology. The term "electronic system operator" is defined to mean any person, state official, business entity or society that provides, manages and/or operates, jointly or singly, an electronic system for the users of the electronic system for the operator's interest and/or others.

Surveillance actors

Intelligence/security agencies

The Indonesian government's law enforcement and intelligence functions are spread across a number of civilian and military agencies, each of which has some capacity for communications surveillance. These include:

  • The Strategic Intelligence Agency ('Badan Intelijen Strategis', BAIS): this agency is under the command of the Indonesia National Armed Forces Headquarters.
  • The State Intelligence agency ('Badan Intelijen Negara', BIN): formerly BAKIN, BIN is responsible both for co-ordinating information sharing and operations between other intelligence agencies, and is directly answerable to the President.
  • The "National Crypto Agency" (Lembaba Sandi Negara): this is a non-ministerial government agency engaged in protecting the security of state secret information, and in gathering signals intelligence. Its operations and structure are mandated by Presidential decree.
  • The Indonesian National Police (Kepolisian Negara Republik Indonesia): the nation's official police force also has communications surveillance capacities.
  • The Corruption Eradication Commission (KPK): according to Law number 30 of 2002, the KPK can carry out communications interception, though this has been challenged in court in 2003 by two Public Election Commissioners who alleged they had had their communications intercepted by the KPK.

A number of smaller operational units, like the Special Forces Unit (Komando Pasukan Khusus, or Kopassus), reportedly have communications surveillance capacities. In 2013, it was reported that the government was establishing a Central Intelligence Committee, which would be coordinated under the State Intelligence Agency (BIN).

Surveillance capabilities

Dual-use equipment

In 2013 UK-based surveillance company Gamma TSE sold the Indonesian military US$ 6.7 million worth of equipment as part of the military's weapons modernisation effort. The House Commission on Defense and Information assured legislators that the mysterious equipment would not be used for "purposes outside the TNI's duties and functions".

As early as 2005, Indonesian officials were soliciting the advice of a close partner of Gamma, Germany-based Elaman, to create a technical surveillance unit (TSU), according to a white paper published as part of the WikiLeaks SpyFiles. The nature of these technologies and/or advisory services is unclear.

A freedom of information request filed by members of the German parliament revealed that German companies obtained licenses to sell surveillance technologies to Indonesia in 2004, 2010, 2011 and 2012.

IMSI catchers

In response to a freedom of information request by Privacy International, Swiss authorities revealed that companies in Switzerland had received a license to export mobile phone monitoring technology, most likely an IMSI catcher, to Indonesia.

A Motherboard investigation has also revealed the UK had granted licenses to export telecommunications interception technology to over a dozen companies. Indonesia was among the countries to whom those companies were granted the right to export. Among those licenses, 33 were explicitly for IMSI catchers and two of those 33 licenses pertained to exports for Indonesia.

Intrusion malware and other software

In August 2012, researchers at the Citizen Lab scanned IP addresses and fingerprints for the characteristic command-and-control protocol of FinSpy, an intrusion malware sold to governments, on Indonesian servers. Among the observed servers was an IP address owned by Indonesia ISP Biznet. Researchers documented evidence of four additional command-and-control servers in Indonesia in March 2013 on three IP addresses belonging to Biznet, PT Matrixnet Global Indonesia, and PT Telkom.

Research by Citizen Lab showed Indonesia used FinFisher and based its server in Australia.

Foreign government surveillance

In February 2014, the New York Times reported that Australia's signals intelligence agency, DSD, had infiltrated an Indonesian mobile phone company and stolen nearly 1.8 million encryption keys used to protect communications.

In 2015, documents released by NS whistleblower Edward Snowden dating from 2009 revealed that New Zealand's Government Communications Security Bureau (GCSB) had also been spying on communications of neighboring countries, including Indonesia.

Internet crawling

The Ministry of Communication and Information Technology contracted state-owned company PT Industri Telekomunikasi Indonesia to implement an internet censorship stystem aimed at identifying and blocking websites containing pornography and content deemed reprehensible. Following concerns that the government would use deep-packet inspection to identify the content, the ministry issued a statement to say the system would only conduct crawling.

Surveillance oversight, checks and balances

The Ministry of Communication and Information Technology (MCIT) is responsible for policymaking around the telecommunications industry. The Ministry's functions include the "formulation of national policy, policy implementation, and technical policies in the field of communication and informatics, including the postal, telecommunications, broadcasting, information technology and communications, multimedia services and the dissemination of information."

The Directorate General of Post and Telecommunication (DGPT), which falls under MCIT, is responsible for licensing and legal compliance, apparently also in relation to surveillance, and supervision of operators. Another industry regulatory body, albeit with a less clear function, is the Indonesian Telecom Regulatory Authority. It is responsible for developing regulatory policy around telecommunications, including through public consultation.

On October 2016, the Indonesian Parliament introduced the right to be forgotten with an amendment to Law No. 11 of 2008 on Electronic Information and Transactions. The amendment requires electronic system operators to delete irrelevant electronic information and/or documents under their control at the request of the relevant person, once a court decision has approved the request.

 

 

Surveillance case law

Privacy International is not aware of any surveillance case law in Indonesia. Please send any tips or information to: research@privacyinternational.org

Examples of surveillance

A 2015 poll revealed that Indonesians consider technology to have had a mostly negative impact on privacy rights and think there is a lack of sufficient legal safeguards in the country to protect privacy.

Indonesia has seen both high-level surveillance scandals and widespread reports of surveillance against activists, journalists and other public citizens. In 2011, Human Rights Watch revealed systematic surveillance of activists and journalists in West Papua, a highly militarised region of the country that has witnessed significant separatist activities. According to leaked documents, Indonesia's Special Forces unit 'Kopassus' had been illegally surveilling "a broad swathe of Papuan political, traditional, and religious leaders, and civil society groups." Kopassus has also been accused of torture and other grave crimes.

Activists and journalists routinely allege physical and communications surveillance.

Data Protection

Data protection laws

The Communications and Information Ministry is aiming to have the House of Representatives debate the draft of the personal data protection bill, it was listed in the 2018 national priority legisltaion programme.

In December 2016, the Minister of Communication and Informatics issued a Regulation on Personal Data Protection in Electronic Systems. It is an implementing regulation for the Electronic Information Law and Government Regulation 82. The regulation provides detailed instructions on how to properly acquire and collect, process and analyse, store, display, announce, transmit, disseminate and/or provide access to, and/or delete personal data. The Regulation also provides for sanctions for companies failing to comply.

Currently, data protection is regulated under the constitution. Article 28G that reads:

"Every person shall have the right to protection of his/herself, family, honour, dignity, and property, and shall have the right to feel secure against and receive protection from the threat of fear to do or not do something that is a human right."

According to ELSAM in their publication "Protection of Personal Data in Indonesia, A Proposal for Policy Institutionalisation from the Human Rights Perspective", protection of personal data have also been included in various pieces of legislation in Indonesia, including:

  • Law No. 1 of 1946 on the Criminal Code (KUHP);
  • Law No. 8 of 1981 on the Criminal Procedure Code (KUHAP);
  • Law No. 8 of 1997 on Corporate Documents (Corporate Documents Law);
  • Law No. 10 of 1998 on Banking (Banking Law);
  • Law No. 8 of 1999 on Consumer Protection (Consumer Protection Law);
  • Law No. 23 of 1999 on Bank of Indonesia (Bank of Indonesia Law);
  • Law No. 31 of 1999 on the Eradication of the Crime of Corruption (Anti-Corruption Law);
  • Law No. 36 of 1999 on Telecommunications (Telecommunications Law);
  • Law No. 39 of 1999 on Human Rights (Human Rights Law);
  • Law No. 30 of 2002 on the Commission for the Eradication of Corruption (Anti-Corruption Commission Law);
  • Law No. 15 of 2003 on Stipulation of GR in Lieu of Law No. 1 of 2002 on the Eradication of the Crime of Terrorism (Anti-Terror Law);
  • Law No. 18 of 2003 on Legal Advocates (Advocate Law);
  • Law No. 29 of 2004 on the Medical Practice (Medical Practice Law);
  • Law No. 23 of 2006 on Population Administration (Population Administration Law);
  • Law No. 21 of 2007 on the Eradication of the Crime of Human Trafficking (Anti-Human Trafficking Law);
  • Law No. 11 of 2008 on Electronic Information and Transaction (EIT Law);
  • Law No. 14 of 2008 on Freedom of Information (FOI Law);
  • Law No. 21 of 2008 on Islamic Banking (Islamic Banking Law);
  • Law No. 35 of 2009 on Narcotics (Narcotics Law);
  • Law No. 36 of 2009 on Health (Health Law);
  • Law No. 43 of 2009 on Archiving (Archival Law);
  • LawNo.44 of 2009 on Hospitals (HospitalLaw);
  • Law No. 8 of 2010 on the Prevention and Eradication of the Crime of Money Laundering (Anti-Money Laundering Law);
  • Law No. 18 of 2011 on the Amendment of Law No. 22 of 2004 on the Judicial Commission (Judicial Commission Law);
  • Law No. 21 of 2011 on the Financial Services Authority (Financial Services Authority Law);
  • Law No. 9 of 2013 on the Prevention and Eradication of the Crime of Terrorism Funding (Financing of Terrorism Law);
  • Law No. 7 of 2014 on Commerce (Commerce Law);
  • Law No. 18 of 2014 on Mental Health (Mental Health Law); and
  • Law No.36 of 2014 on Medical Personnel (Medical Personnel Law).

Accountability mechanisms

There is currently no specific accountability mechanism to which data protection breaches can be referred. However, the EIT law states that complaints on criminal allegations regarding personal data should be submitted to officers from the Ministry of Communication and Information.

Data breaches: case law

Privacy International is not aware of any case law related to data breaches in Indonesia. Please send any tips or information to: research@privacyinternational.org

Examples of data breaches

Privacy International is not aware of any examples of data breaches in Indonesia. Please send any tips or information to: research@privacyinternational.org

Identification Schemes

ID cards and databases

In 2010, the Indonesian government launched the e-KPT (Karty Tanda Penduduk), a new biometrics-based identity card to replace the former cards. The ID card registration involves taking a photo, a digital signature, ten fingerprints, both iris images and biographical information, including religion. The project was launched to address voter fraud and terrorism.

The e-KPT is required to obtain passports, driving licenses and the state health insurance card. In August 2016, the Home Affairs Minister called for all citizens to apply for an e-KPT before 30 September, as over 22 million Indonesians had not yet registered for it.

Voter registration

According to the Asia Foundation, in 2009 up to 20 % of the electorate was unable to vote due to inaccurate voter rolls. As of 2014 there was still a large discrepancy between election commission voter registration figures and ID card data from the Ministry of Home Affairs.

Currently, voters can vote with either their e-KTP or a residence certificate issued by the Civil Registry and Demography Agency. According to the Regional Elections law, the e-KTP will become mandatory in order to vote in elections starting in 2019.

SIM card registration

In August 2014, it became mandatory for all prepaid SIM card users to register their personal information with mobile operators. Existing prepaid mobile customers were given a six month period to register their mobile line at their operator's outlets, according to the industry regulator.

A ministerial decree is making it mandatory to register SIM cards with the national ID card (KTP) and the Family Card (Kartu Keluarga) by February 28th 2018. Phone users who fail to register will face suspension of their phone service.

Policies and Sectoral Initiatives

Cybersecurity Policy

According to the Minister for Political, Legal and Security Affairs, Indonesia is experiencing 50,000 cyber attacks every day. In June 2015, the minister announced the creation of a National Cyber Agency with the aim of defending the country against cyber attacks and raising public awareness about the issue. One of the Agency's expected task will be to "monitor all online activity for indications of attack, such as hacking."

Cybercrime

Law No. 11 of 2008 on Electronic Information and Transactions (EIT) defines a number of cybercrimes and sets out punishments for them. Chapter 7 lists the following prohibited acts:

  • Material against propriety (article 27(1));
  • Gambling material (article 27(2));
  • Material amounting to affront and/or defamation (article 27(3)); and
  • Extortion and/or threats (article 27(4)).

On October 2016 the Indionesian Parlement amended the law. The amendment included a provision on criminal investigations. It allows investigatiors to request information in electronic systems and "to receive reports, investigate and arrest internet users suspected of violating the law." They are also allowed to "access restricted Election Data or Electronic Systems that are engaged in criminal conduct such as cybercrime, and are authorised to carry out raids (without a court warrant)."

Encryption

Privacy International is not aware of any privacy issues related to encryption in Indonesia. Please send any tips or information to: research@privacyinternational.org

Licensing of industry

Indonesia's largest telecommunications network and service provider is Telekomunikasi Indonesia (Telkom). At 38.2 % of the market share, the mobile phone business segment (particularly prepaid) still accounts for the largest share of Telkom's revenues, according to Indonesia Investments, an advisory service. Other major providers include Indosat, 3, XL Axiata and Smartfren.

The two largest in terms of subscriber base, Telkom and Indosat, are partially government-owned. The government holds 51% ownership of Telkom and 14 % of Indosat.

Indonesia has over 300 internet providers. Thirty-five of these own network infrastructure, according to RedWing, a tech industry advisory service. Indonesia has at least two internet exchange points. The Indonesia Internet Exchange (IIX) is maintained by the Association of Indonesian Internet Service Providers (APJII). Another internet exchange point, OpenIXP, is operated by the Indonesia Data Center (IDC).

In 2014, the government created the 'Indonesia Broadband Plan'. Through the project, it hoped to provide broadband internet to 30 % of the Indonesian population by 2019.

E-governance/digital agenda

E-governance was first officially introduced to the Indonesian public administration by Presidential Directive No 6/2001 on Telematics.

A 2014 UN Survey revealed that Indonesia had not reached the same level of e-government penetration that other countries in the same income group had. In May 2015, Indonesian President Joko 'Jokowi' Widodo issued Presidential Instruction No 7/2015 to request the creation of an online system to prevent corruption. It would be an "integrated online system for central and local government budgeting, procurement, purchasing, auditing and taxation [and] could strengthen monitoring and improve government accountability."

The city of Surabaya in East Java has developped a platform to allow its resident to manage their financial matters online.

Health sector and e-health

The e-KPT is needed to obtain a state health insurance card, in order to gain access to free health insurance and a wide range of public health services.

Smart policing

In November 2017, the Indonesian police announced they were working on an advanced CCTV system designed to detect the faces of wanted criminals. Once the system identifies a wanted person, it activates an alarm. The CCTV is expected to be deployed at police stations, airports and harbors.

Transport

Buses are currently the only public transport available in Jakarta and customers uses prepaid tickets that can be purchased in cash at the stations. Jakarta is expected to open the first phase of its Mass Rapid Transit track to the public in 2018.

One focus of Jakarta's Smart City Program (see below) is to ease traffic congestion and improve efficiency of public transport by providing accurate information on services. The privacy implications are not yet clear, but the city appears to be moving towards more digital management of transport and other services.

 

 

Smart cities

In December 2014, the government announced that Jakarta would invest US$ 2.4 million on a smart city project in Jakarta, called Smart City Jakarta. An operation centre was created to "Monitor and respond to complaints from citizens".

Until then, residents had already been using Qlue, an app to report traffic accidents, crimes and natural disasters by submitting location-tagged photos. The new operation centre integrates reports from Qlue. The government plans on integrating the largest government units -- transport, public utilities, health, sanitation, tax and local government -- to the operation centre.

In July 2017, Jakarta hosted the Indonesia International Smart City Expo & Forum, a trade show where stakeholders met to promote the development of smart cities in Indonesia. According to Metro TV News the Indonesian government plans on spending more than US$ 420 billion for "various infrastructure projects including telecommunication infrastructures."

Other cities than Jakarta are turning to smart city intiatives: Bandung was the first city to have a Command Centre, Makassar offers resident a smart cards for cashless transactions and has implemented a surveillance system for road monitoring, Medan is workign on developping a smart transportation system.

Migration

In 2011, Indonesia started issuing biometric passports. The passports contain a chip and personal data including iris scans, fingerprints and dental records.

Emergency response

With regular flooding, seismic activity and volcanoes, Indonesia is a country that is prone to natural disaster. The Indonesia Agency for the Assessment and Application of Technology (BPPT) is collecting data from the environment but also from the public. According to GSMA, which has organised a workshop with the BPPT, the BPPT collects a huge amount of data that it may share with key contacts. A slideshow from the National Agency for Disaster Management also reveals that this agency collects information about the public.

Humanitarian and development programmes

The US Agency for International Development (USAID) is providing support to Indonesia on disaster response. Their Jakarta office includes "information management" as one of their missions. It is unclear whether USAID accesses the data collected in humanitarian and development programmes or whether this is exclusively retained by the Indonesian government.

Humanitarian OpenStreetMap Team (HOT) has worked to develop maps of populations at risk of natural disaster. They have worked with universities, local governments and ACCESS, a USAID programme.

Social media

According to a report from Global Information Society Watch 2014, Papuan activists said they feared being "physcially harmed by security forces" if they posted controversial content on social media and were largely resorting to self-censorship.