JAKARTA - Leakage of personal data of users of government applications or state institutions has occurred again. This time eHAC or Electronic Health Alert Card belongs to the Ministry of Health (Kemenkes). An estimated 1.3 million users' personal data was leaked. Let's dive into the issue of personal data.

eHac is a Ministry of Health application that functions to track people who came to Indonesia during the COVID-19 pandemic. This private data leak case was first reported by VPN Mentor, a site that focuses on virtual private network (VPN) security.

The Ministry of Communication and Information (Kemkominfo) said it was conducting an investigation. "We are conducting an investigation," said Ministry of Communications and Informatics Spokesman Dedy Permadi, quoted from Antara, Tuesday, August 31.

Head of the Ministry of Health's Data and Information Center Anas Ma'ruf responded to the alleged leak of eHAC users' personal data by asking the public to delete or uninstall the application. He also said that eHAC had been inactive since July 2 and was replaced by PeduliLindungi.

PeduliLindung application (Source: Antara)

"The government asks the public to delete or delete or uninstall the old eHAC application, which is separate (from the PeduliLindingi application)," said Anas in a virtual press conference, Tuesday, August 31.

"The existing system in PeduliLindung, in this case eHAC is different from the old eHAC system. So I emphasize that the existing system in the old eHAC is different from the eHAC system under PeduliLindung. The infrastructure is different," explained Anas.

Anas suspects that the personal data leak occurred on the partner's side. "And this has been known by the government. Currently the government is taking preventive measures and making further efforts by involving Kominfo and the authorities related to the mandate of Government Regulation Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions," said Anas.

What is personal data? What is included in the example?

As explained in the WRITTEN SERIES article entitled We are Personal Data that is Traded, it is very important for us to instill the understanding that we are all basically personal data, especially in the digital dimension.

First, we are basic data. Second, we as credential data. Third, we are the same with financial data. What is meant by basic data is the Population Identification Number (NIK), Family Card (KK) information --name, date of birth, biological mother's name, and so on.

[SERIAL WRITING: No Privacy for Personal Data]

Credential data includes digital email accounts, social media, to access to digital applications and services that we use every day. In the context of digital activities, credential data is the main commodity.

Then, financial data, which includes account data, pin authentication, and other personal information related to our financial access, both online and offline. Cyber security expert, Alfons Tanujaya explained that all data is a commodity that can be monetized.

"So now the most valuable thing in the e-commerce world is credential. Second, financial data. Money, accounts, pin authentication, and the like ... There is an economic factor. The economic motivation behind why this kind of data is being targeted," said Alfons.

What are the risks of personal data leakage?
Illustration of data theft (Source: Cyber Insurance)

We are data. Data is a commodity. So basically personal data can be monetized by the controlling party. In the context of theft or theft of personal data, the perpetrators usually collect the data and then resell it illegally. The monetization schemes vary and cause different losses for the owner of personal data.

Associate Professor of the Department of Communication Science, Universitas Gadjah Mada, Novi Kurnia, in her article in The Conversation, explained that in general there are four risks of personal data leakage. First, personal data can be used to break into financial accounts. Tempo's data recorded at least six cases of bank account burglary from January to April this year. Losses are estimated at IDR 57 billion.

In this context, the perpetrators of personal data theft usually trick the victim by sending emails and messages that provoke the victim to disclose personal data and bank service information in one attachment. Not just a bank account. This mode can also be used by perpetrators to break into digital wallets such as GoPay or OVO. If the perpetrator has a user number he will send a fake message that lures the user to reveal the OTP (one time password) code.

[SERIAL WRITING: No Privacy for Personal Data]

Second, the leakage of personal data can also be used to commit illegal online loan fraud. The most common mode, the perpetrator will pretend to be the owner of personal data to borrow money. It will be the owner of the personal data who will have to pay the loan along with the interest enjoyed by the perpetrator. Third, if the leaked personal data is in the form of population data or social media, it can be used to map the profile of the data owner.

There are various uses, it can be for political purposes or infiltration of advertisements on social media. In a political context, the owner of personal data can be the target of disinformation according to his political preferences. We know of a major case in 2018 involving Cambridge Analytica who misused the personal data of 87 million Facebook users for political purposes, including in Donald Trump's bid to win the 2016 US election.

Fourth, still in the dimension of social media, hacking of personal data can be a mode of online blackmail. One of them is sexual blackmail alias sextortion. This usually happens when the data owner makes a sex video call (VCS) or sexual conversation. That audio or visual material can be stored and used to blackmail the owner of the data. Not only that. Material uploaded on digital devices, including the cloud, can be hacked and trigger sextortion.

Who controls our personal data? How is the simulation in daily activities?

The asymmetric war between the United States (US) and China over personal data has suddenly become so open. US President Donald Trump outright banned the Chinese-made video-sharing app TikTok. Trump is concerned that ByteDance's app could be a tool for China to collect personal data of US citizens for supply to the Chinese Communist Party.

TikTok is responding to this resistance. They announced a commitment to users and regulators to enforce a high level of transparency, including giving permission for those wishing to check their algorithms. "We are not political. We do not accept political advertising and have no agenda."

"Our goal is to continue to be a lively and dynamic platform for everyone to enjoy. TikTok has become the latest target (of politicization). But we are not the enemy," said TikTok CEO Kevin Mayer, quoted by the BBC.

The above confusion is important to illustrate how real the risk of personal data theft is. We look at our habits, what do we access the most? Google, for example. What can Google gather from our daily digital activities?

Referring to the WRITTEN SERIES article entitled Who is the Master of Personal Data and Why is it Important to Control it? Google may have collected more of our personal data at a rate that we may never even be aware of. Google's algorithm records every search we make, monitors the YouTube videos we watch, to record our movements.

Every location we travel to, Google will know and record it, bringing up a pattern of which route we travel the most, how long we stay somewhere, even when we never open the application.

Photo illustration (Yudhisthira Mahabharata/VOI)

This is a reality we need to face, although according to CNET, Google has improved the way it stores and manages user data. Google accounts registered as of June 2020 are said to be able to automatically delete users' personal data.

That too only after 18 months of use. Meanwhile, Google account users before June, which amounted to 1.5 billion Gmail users or 2.5 billion Android users, the data will be embedded forever on Google's servers, unless the user wants to delete it.

There is a lot of data that Google can get. These include our name, date of birth, gender, email address, passwords for digital accounts, and phone numbers. Google can even identify our faces. Some of them are listed as public information.

Google can also record online activity data, such as when we surf the search engine or while watching YouTube videos. If you are aware of the security of your data but still want Google's services to personalize the results of its services like on a search engine, it is advisable to set the data to be deleted automatically after three months.

If not, feel free to delete all data and set Google to stop tracking. Granted, for most of the day-to-day things we do with Google it won't make much of a difference.

However, if used regularly, then Google can find out all our habits. Google's algorithms can even find out what things we want, from vacation destinations to our favorite soccer clubs.

And the accuracy of Google knowing our whereabouts can be terrifying, even when we're not doing anything on our phones. If you're signed in to Google Maps on a mobile device, Google's eyes are watching your every move.

Even if we have set Google not to track our online or offline activities, it does not mean that Google's access to our personal data has been completely cut off. Google can still track your physical location even if you turn off location services.

Google can still access our data, information they collect from Wi-Fi networks and other wireless signals connected to our devices. Even Google doesn't have to wait for us to log in first to be able to track us.

So our awareness that there is no privacy to our personal data becomes very important. We need to be more careful in digital activities. The earliest way can be to increase our awareness of the terms and conditions when installing an application, especially a free one. Remember, there is no free lunch.

"There is a price to pay. If the product is free, we have to be careful... We could be the product. The user is the product. So you have to do the calculations yourself," said cybersecurity expert Alfons Tanujaya when contacted by VOI.

*Follow other information about PERSONAL DATA PROTECTION or read other interesting articles from Diah Ayu Wardani, Detha Arya Tifada, Putri Ainur Islam, Ramdan Febrian and Yudhistira Mahabharata.

Other BERNAS


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)