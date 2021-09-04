JAKARTA, KOMPAS The impact of a number of cases of leakage and neglect of the protection of citizens’ personal data that occur repeatedly is becoming increasingly evident. President Joko Widodo’s population registration number is also known to the public.

Personal data believed to belong to President Joko Widodo has been the subject of a conversation on Twitter since Thursday (2/9/2021) and is still pending until Friday (3/9/2021) afternoon. The @huftbosan account uploaded a Covid-19 vaccination certificate in the name of Ir Joko Widodo, with the population identification number (NIK), date of birth and time of vaccination. The electronic certificate also displays the logos of the Covid-19 Management and National Economic Recovery Committee (KPC PEN), the Ministry of Communication and Information, the Ministry of Health and the Ministry of Public Enterprises.

The @huftbosan account uploaded a Covid-19 vaccination certificate in the name of Ir Joko Widodo, with the population identification number (NIK), date of birth and time of vaccination.

The Covid-19 vaccination certificate is accessible to the public via the PeduliLindung app or the online page Pedulilindungi.id managed by the Ministry of Health. To download it, users must log in and include their full name, NIK, date of birth, and phone number. The online application and website also offers the function of checking the vaccination status without downloading a certificate. To do this, users simply enter their full name, NIK, and click on authenticating as a real user or not as a bot.

Interior Ministry Director General of Population and Civil Status Zudan Arif Fakrulloh rejected the idea that the circulation of the Covid-19 vaccination certificate in the name of Joko Widodo was due to a NIK leak . According to him, currently a person’s NIK can circulate everywhere as residents often leave copies of their identity cards (KTP) and family cards (KK) when dealing with certain administrations.

Read also: President Jokowi’s NIK is left exposed on the KPU website

Zudan said that the appearance of the Covid-19 vaccination certificate allegedly belonging to the president indicated that there were parties who were using other people’s data to obtain certain information. This is not permitted by law. “There are criminal penalties for things like this,” Zudan said when contacted from Jakarta on Friday.

The provisions referred to are governed by Act No. 24 of 2013 amending Act No. 23 of 2006 on the administration of the population. In Article 79 paragraph (3) of Law No. 24/2013, it is stipulated that the agents and users referred to in paragraph (2) are prohibited from disseminating demographic data that is not in accordance with their authority.

Then, the violation of this article is further regulated in article 95A which stipulates that anyone, without the right to disseminate data on the population referred to in article 79 paragraph (3) and personal data referred to in article 86 paragraph (1a) will be punished with a maximum prison term of two years and / or a fine of not more than 25 million rupees.

Check for leaks

Contacted separately, the director of the Institute for Community Studies and Advocacy (Elsam) Wahyudi Djafar felt that the circulation of President Jokowi’s vaccination certificate was the impact of a number of cases of personal data leaks which kept repeating themselves. In May of last year, it was suspected that 279 million pieces of data managed by the Health Social Security Administration (BPJS) had been leaked, two months later it was revealed that 2 million BRI Life data had leaked, and ended August, there were indications of data leaks from 1.3 million users of the e-HAC app run by the Ministry of Health. . Data from the e-HAC app is currently integrated into the PeduliLindung app system.

The data elements exposed through these leaks include almost all of the information about the residents. It is possible, including the personal data of the president.

Also Read: NIK Used By Foreigners Referee Ridwan Had Failed Vaccination

This relates to previous cases where data has been leaked and then used by someone else. In addition, the system’s authentication did not properly ensure accuracy and security, Wahyudi said.

He added that the circulation of the Covid-19 vaccination certificate on behalf of the president also showed data protection issues in the PeduliLindung app. The in-app authentication process only requires a NIK and phone number. Naturally, the authentication is added with elements which can also ensure the safety and accuracy of the user.

The circulation of the Covid-19 vaccination certificate in the name of the President also shows the problem of data protection in the PeduliLindung application.

The application is also considered to always ignore the principle of the protection of personal data. One of them is related to integrity and confidentiality. The application should be built with a security system that does not allow unauthorized people to access other people’s data.

In addition, the data recovery mechanism is also considered incompatible with the purpose of the request. Too many types of data are required as a condition for citizens to use them. From identity, online location points, to access photo and video documents on the user’s mobile phone. In fact, originally the PeduliLindung app was only intended to track Covid-19 cases.

Also read: Experts suspect that some residents’ personal data is at risk of being complete

Safety discharge

National Cyber ​​and Crypto Agency (BSSN) spokesperson Anton Setiawan admitted that awareness among data management institutions to protect the personal data they manage is still minimal, especially among the ranks of leaders. So far, this is seen as the responsibility of the IT division, not the organization as a whole.

Of a number of leaks and hacking cases that have occurred in government agencies, Anton said, usually due to vulnerabilities at a grassroots level, and not due to the high level capabilities of hackers. Basic vulnerabilities, such as failure to implement encryption, authentication, database transparency and session management are common examples that are often overlooked, he says.

In fact, the BSSN has issued the BSSN Regulation number 4 of 2021 regarding the Guidelines for the Management of Information Security of Electronic Government Systems (SPBE) and the technical standards and security procedures for SPBE. The regulation is a guideline for SPBE to carry out the process of information security management, which includes definition of the scope, determination of the responsible, planning, operational support, evaluation performance and continuous improvement. However, there is no legal provision that can compel government agencies to comply with the guidelines.

We urge (the agencies) to implement BSSN Regulation No. 4/2021 as a form of accountability to protect the public / users and maintain the continuity of public service business processes, said Anton.

Also read: Personal data of 2.3 million Indonesians leaked