We Are Personal Data That Is Sold And Purchased
Illustration (Ilham Amin / VOI)

Welcome back to VOI's signature Series. This inaugural article answers several questions: what personal data is, who we are if we are data, and why it is almost impossible for us to get away from digital activities. Misuse of our personal data carries many risks, especially in Indonesia, which does not have a strong legal basis to guarantee the protection of personal data. Until Friday, 7 August, we will look into this issue. Welcome to "No Privacy for Personal Data".

Even Ben Cash (Viggo Mortensen) and his wife, Leslie (Trin Miller), are forced to return to modern civilization even though they have lived in the forest for years, isolating themselves from modernization. The film Captain Fantastic (2016) explores the broad dimensions of the human relationship with modern life.

Ben and his children gain many positive values in the wild. They are free from exposure to health-damaging junk food, free from the grip of a capitalism that tempts through a variety of high-value products, and even succeed in giving books their role, instead of using the internet, as a source of information and a basis for thought.

Matt Ross describes in full detail a life that looks so good in its various purities. The director also depicts, in all its complexity, the struggle of each member of Ben's family in relating to the modern life that revolves outside the circle of the life they live.

We are in more or less the same state in today's digital dimension of life. The dilemma is clear. There are many concerns about the risks that may arise from the digital activities we do every day. The dangers are real. That is what we have to know. However, quitting digital activity is impossible. That is what we need to realize.

Cybersecurity expert Alfons Tanujaya agrees with this fact. We all know the basic principle: there is no free lunch in this world. So free applications and services are the first in the spotlight. He said to think about the consequences we might pay when using applications and services that can be used for free.

"There is a price to pay. For free products, we must be careful," said Alfons, contacted by VOI, Monday, August 3.

From the perspective of personal data as a commodity, we must know that we are a product that is very likely to be a source of money for companies developing applications or other digital services. "Yes, we are the product. The user is the product. So, you have to calculate it yourself," said Alfons.

Photo illustration (Mika Baumeister / Unsplash)
Us as personal data

It is a big loss when our personal data is monetized or cashed in by certain parties. Before exploring personal data monetization schemes, we first need to look at ourselves as data. Who are we if we are data? At least three classifications can describe us as data.

First, we are "baseline". A number of things are included in basic data, namely the Population Identification Number (NIK), Family Card (KK) information, "name, date of birth, name of biological mother, and so on. That is in Dukcapil," said cybersecurity expert Alfons Tanujaya.

Second, we are "credential data", which includes digital e-mail accounts, social media, and access to the digital applications and services that we use every day. In the context of digital activities, credential data is the main commodity.

The third perspective is that we are "financial data", which includes account data, PIN authentication and other personal information related to our financial access, both online and offline. Each classification of personal data has its own monetization scheme, which can run independently or be related to the others.

"So now the most valuable thing in the e-commerce world is credential. Second, financial data. Money, accounts, PIN authentication, and the like ... There are economic factors. The economic motivation behind it is why data like this is targeted," said Alfons.

The case of leakage of personal data of the Directorate General of Population and Civil Registry of the Ministry of Home Affairs (Dukcapil) can be an illustration of how we as personal data are monetized by certain parties. In that case the police arrested a suspect.

As quoted by Tempo.co, the perpetrator admitted to selling the personal data on the friendmarketing.com site. The personal data were sold at various prices, including packages tailored to the needs of the buyer. The arrest revealed that the perpetrator held data on 50,854 families, 1,162,864 NIKs, 761,435 cellphone numbers, 129,421 credit card numbers, and 64,164 account numbers.

"It can be various (the purpose of buying and selling). If you look, the largest number now is cellphone numbers. Fraud is via WhatsApp. The goal, for the majority, is (financial gain). There are various methods. Usually (WA) is hijacked and they ask for money from friends, for example," said Alfons.

Another case has just happened, involving fintech company KreditPlus. On Monday, August 3, the case was heavily discussed after cybersecurity activist Teguh Aprianto shared his findings on Twitter. Teguh's post showed that 896 personal data of KreditPlus users were traded in hacker forums.

The leaked personal data includes name, KTP, email, password, address, cellphone number, work data, and family data of the guarantor. KreditPlus itself is a multipurpose product financing service for motorbikes, cars, and heavy equipment owned by PT Finansial Multi Finance. This financial company that was founded in 1994 has also been registered and directly supervised by the Financial Services Authority (OJK).

Tracing the leakage of KreditPlus customer data (Source: CISSReC)

Cybersecurity observer from CISSReC, Pratama Husada, said that the leaked KreditPlus personal data had actually been shared since 16 July. All the personal data is packaged in a 78 MB download, which still has to be extracted to obtain 430 MB of KreditPlus customer data. The data contain information on 819,976 customers, complete with other sensitive data that is very dangerous if used for fraud and other crimes.

The leakage of KreditPlus personal data is important to highlight because it involves all three types of personal data: basic data, credential data, and financial data. The danger is obvious. According to Alfons, in the context of crime, basic data is a very important element. Apart from serving as a 'provision' for carrying out operations, personal data is also used by criminals to open the new accounts they need to hold the proceeds of crime.

"This is very closely related to population data leakage. Because this fraudster needs a means to accommodate the transferred money. Now the leakage of ID card data is very much needed to open a new account. If it is properly guarded (data) will be very supportive to prevent fraud," said Alfons.

Hanging but unprotected

Indonesia's potential as a mine of personal data is enormous, especially in the digital realm. Research conducted by HootSuite and We Are Social entitled Global Digital Reports 2020 shows that the number of internet users in Indonesia has reached 175.4 million, or 64 percent of Indonesia's 272.1 million population. This figure shows a significant penetration compared to the previous year's data, where the number of internet users was only 25 million or 17 percent of the total population of Indonesia.

The potential as a mine of personal data is even greater if you look at the lifestyle of modern humans with the internet. Research with a comprehensive description has been released by the Pew Research Center and Nielsen. The report reveals that 24 percent of teenagers in the world are always connected to the internet. Meanwhile, most adults spend an average of ten hours per day accessing electronic media, including digital media.

Other research has been conducted by the UK Post Office. The observation in collaboration with the YouGov research institute shows that 53 percent of cellphone users in the UK experience anxiety when their cellphones are not there, run out of credit, experience network problems, even when their cellphone batteries are low. Of the 2,163 respondents, 55 percent of them said that the anxiety occurred because they had lost their connection with the outside world, especially family and friends.

This condition is experienced by almost all citizens of the world, including people in this country. For Indonesia, this year is an important moment to continue efforts to protect and manage personal data. Looking at the cases, in the first semester of 2020 alone there were at least five large personal data leaks.

The personal data leaks are estimated to have cost hundreds of millions of Indonesians. Three of these cases involved three giant e-commerce companies: Tokopedia, Bukalapak, and Bhinneka.com. Meanwhile, the other two cases involved government agencies, namely the leak of data on COVID-19 patients and the leak of data from the General Election Commission (KPU).

Photo illustration (Rasheed Kemy / Unsplash)

In Indonesia, guarantees of personal data security are far from ideal. In the cases above, for example, we as the true owners can sue the managers of the personal data. However, there is no comprehensive regulation that can solve this kind of problem completely.

Technically, the legal basis that can be used in the case of personal data is the Civil Code (KUHPer). Article 1365 explains that every act which causes harm to another person requires the party causing the loss to compensate.

Losses and violations in the context of personal data are regulated through the Information and Electronic Transactions (ITE) Law. Owners of personal data can seek legal action when personal data leakage occurs. First, by suing hackers of electronic systems for stealing personal data.

The ITE Law also regulates that the use of personal data in electronic media must be based on an agreement with the party concerned, in this case the data owner. The terms of approval are regulated in the derivative regulations of the ITE Law, namely Government Regulation (PP) Number 71 of 2019 and Regulation of the Minister of Communication and Information Number 20 of 2016. Still in the ITE Law, claims for damages can be filed by the owner of personal data if the conditions for approval are not met.

From that point of view, the thief of personal data is treated as a violator of the law. Meanwhile, from a criminal standpoint, hackers or parties who trade personal data can also be subject to imprisonment. The ITE Law provides for a maximum imprisonment of eight years and a fine of Rp800 million for hacking, and a maximum of ten years in prison and a fine of Rp1 billion for the crime of selling personal data.

However, these regulations are considered insufficient because they do not specifically regulate the complex dimensions of personal data protection. Take the issue of approval referred to in the ITE Law, for example. In practice, application developers often present terms and conditions that cannot be refused. When a user does not agree with a number of points, for example, the application cannot be used at all.

In addition, there are many other field conditions that require clarity of legal procedures. Therefore, Alfons said, more detailed regulations are needed to regulate the protection and management of personal data for Indonesians.

"Now that (personal data protection) is related to law enforcement. So it must be compact. The DPR must also act quickly. So every person who exploits it must be punished as severely as possible. So people are afraid. There must be a deterrent effect," said Alfons.
