Our Data Are Everywhere
Following an investigation into the leak of personal data belonging to 279 million Indonesian citizens on May 20, Population and Civil Registration Director-General Zudan Arif Fakrulloh ascertained that it was not population data. As Indonesia’s Population and Civil Registration (Dukcapil) data set is the world’s fourth largest after those of China, India and the United States, Zudan is constantly worried about the threat of hackers. Although Dukcapil’s system is more sophisticated nowadays, Zudan admits that his agency’s infrastructure is already out of date. To build a stronger system and upgrade the infrastructure, the home affairs ministry is planning to collect non-tax revenues from private companies that access Dukcapil data.
THE home affairs ministry found itself once again dragged into a scandal when the personal data of 279 million citizens were leaked on an Internet forum on May 20. Population and Civil Registration (Dukcapil) Director-General Zudan Arif Fakrulloh personally intervened and clarified to the public that the data uploaded to the RaidForums website did not come from his agency. “The population data do not contain card numbers, mobile phone numbers, number of dependents or participation date,” explained Zudan, 51, during a special interview with Tempo at his office on May 25.
Zudan said that various institutions had used the population and civil registration directorate-general’s (Ditjen Dukcapil) data, the fourth largest big data in the world after that of China, India and the United States, for a myriad of needs. The banking and pawnbroking agencies, for instance, use passport photos and citizen registration number (NIK) to verify customer data. The police also make use of the population data to identify disaster victims or perpetrators of crime. “In a latest event, the police could immediately identify the terrorist who attacked the National Police Headquarters using the facial recognition technology,” he said.
Inside the population and civil registration directorate-general control room, Tempo witnessed the sophisticated facial recognition technology at work. Equipped with a comprehensive database, the system can quickly identify someone just via a facial image even though half of it is covered with a mask. The system sorts and provides images of people that closely match the features of the person in question. The rest is for officials to identify the right person. “The public must be careful. Don’t do mischief in public areas. Don’t vandalize during demonstrations because your identity will be known very quickly,” warned Zudan.
Speaking to Tempo reporters Sapto Yunus, Mahardika Satria Hadi and Nur Alfiyah, Zudan touched upon many matters—from population data management, the threat of hacking, the scope of the electronic ID card and opportunities for cooperation with the private sector on the use of population and civil registration data to the importance of personal data protection. He also affirmed that all electronic ID card (e-KTP) servers are in Indonesia. This interview was supplemented with WhatsApp chats on June 2.
What did the population and civil registration directorate-general’s team find from the investigation into the leak of personal data belonging to 279 million citizens of Indonesia at the RaidForums website?
As soon as we got the information about the leak via social media, our team promptly checked the said website where the perpetrator gave links to sample data that could be downloaded for free. There were one million rows of data. We downloaded and analyzed them to see the data’s structure and pattern. Each data management system has its own distinct data structure. The structures of driving license, land certification, banking and Dukcapil data are different. We found that the data structure at the website included (certain) card number, email address, mobile phone number, number of dependents and the date of participation, and from there we concluded that the data did not belong to Dukcapil. That’s why we were surprised: how come people kept calling it a population data breach?
What is the structure of the population data like?
It has KK (family card) number, NIK (citizen registration number), name, place of birth, date of birth, profession and marital status.
The communication and informatics ministry said that the leaked data resembled the data of the Health Care and Social Security Agency (BPJS Health Care). Did Dukcapil’s team reach the same conclusion?
We didn’t look further to see which institution the said data belonged to. We only made sure that the data weren’t ours. We have to wait for the result of the police investigation to determine which institution those data came from.
How has the home affairs ministry carried out the system audit so far to make sure that personal data are protected?
We use VPN (virtual private network), a special pathway like a toll road. Secondly, we use firewalls or network security applications. For the system audit, we are assisted by the national cyber and crypto agency, the technology assessment and application agency as well as the supreme audit agency which has IT (information technology) auditors.
Are our population data susceptible to hacking?
There are always many people trying to hack (everything). I’ve been constantly on edge in my six years as the director-general (of Dukcapil) managing the data. Cyber security is a dynamic and continuous process. It’s like raising a baby. You need to look after it 24/7/365. When all other offices are closed for the weekend, (Ditjen) Dukcapil isn’t. We have to keep watch over the data center. So, we can never rest completely. All the parties including hackers could help by not creating trouble.
Director-General of Population and Civil Registration of the Ministry of Home Affairs Zudan Arif Fakrulloh at the Coordination Meeting for the Implementation of Adminduk in West Java, June 2019. Dukcapil.bangka.go.id
Why are you so worried about the population data being hacked?
Dukcapil’s data is the fourth largest big data in the world after the data of China, India and America in line with the population size. Just by typing your name, you get all your data. Type your NIK number and you get your data. Our data are used by many agencies. The National Police, for example, use them to identify disaster victims as well as victims or perpetrators of crime.
How accurate are they?
DNA (Deoxyribonucleic Acid) tests are no longer needed (to identify persons). Facial images and fingerprints would suffice.
Can all Indonesian citizens be identifiable via facial images?
If they already have their photos taken for electronic ID cards, it would take just two to three minutes to identify them. It’s that easy now.
How can the system recognize someone who may already look different from the photo in the ID card?
Facial features don’t change. As regards the photo, the public are encouraged to update their photos from time to time as their styles change. For example, wearing a hijab (headscarf) after not wearing one, or removing a moustache. If you no longer sport a moustache but your ID card photo still has it, it could be a problem when you need to deal with banks.
How could that problem be tackled?
(Ditjen) Dukcapil encouraged the digitalization process in all the sectors, particularly the financial industry. With the face recognition technology, one can open an account anywhere any time with just the NIK and photo without having to go to the bank.
Given the rapidly increasing capabilities of hackers, is Dukcapil’s system already secure enough?
The system relies on the infrastructure such as servers and storage. Our infrastructure is relatively far behind compared to the era. Our data center was built in 2004 and the electronic ID card data center in 2010. So, we are still using the old servers, storage and equipment. We are updating the applications gradually. To be honest, Dukcapil’s system is surviving by the power of God.
What is the status of the e-KTP project which was shelved due to corruption?
(Ditjen) Dukcapil has gone through a bitter experience. In the first three years of my tenure as the director-general, many employees were dispirited because they were questioned by the KPK (Corruption Eradication Commission) almost every day. The auction for the electronic ID card project failed because people were scared. The system went into limbo during the period of 2015-2017 and then it was restored in 2018 after undergoing a repair. When I arrived, the number of people holding the electronic ID card was still around 70-80 percent. Now it’s already 99.11 percent—still about 4 million to go. The project was eventually auctioned through the e-catalogue system, not publicly.
What about the regions that are still complaining of blank e-KTP shortages?
I can assure you that there are no more such cases. I just went to 12 regions—from Bekasi Regency (West Java) to Solo (Central Java). None had any shortage. We still have around nine million cards to be distributed to the regions.
The public in several regions also complain about the complicated e-KTP application process that needs a lot of paper work.
In the past, they needed reference letters from neighborhood and community unit heads to apply for an electronic ID card. After I came, that requirement was eliminated. Granted, many regional Dukcapil officials are still not aware of that. Many subdistricts still ask for the reference letters although we no longer make it a requirement in the presidential and ministerial regulations. Just provide the KK (the family card).
(M.A. Murtadho from Tempo went through the electronic ID card application process in Tanah Sareal District, Bogor, West Java, on May 31. Although he submitted the family card, birth certificate and degree certificate, he was also asked to provide reference letters from neighborhood and community unit heads. The Tanah Sareal subdistrict head, Shahid Khan Bustomi, said the letters are needed to validate the data and prevent data falsification by the applicant.)
One of the questions raised by the public when the e-KTP corruption case surfaced was where the card servers were located. Where does the Ditjen Dukcapil keep e-KTP servers?
They’ve been here all the time.
From the beginning, the electronic ID card data were stored at the data center in Jalan Medan Merdeka Utara, next to the home affairs ministry. Other SIAK (Population Administration Information System) data such as data of birth and death certificates and migration are kept in the Dukcapil office in Kalibata which is now being used by the ministry of villages. Dukcapil still occupies one floor there. Then also in the DRC (Disaster Recovery Center). So, all our servers and data centers are here in Indonesia.
Is it true that Dukcapil is experiencing server shortages to store e-KTP data?
It’s sufficient just to store the data. Servers are old so it’s difficult to upgrade them.
Does it mean Dukcapil servers are good for data storage only?
Yes, correct. We lack servers so much so that it’s difficult to innovate and develop creativity.
Director-General of Population and Civil Registration of the Ministry of Home Affairs, Zudan Arif Fakrulloh demonstrates the face recognition system technology for population data collection in Jakarta, May 25. Tempo/Hilman Fathurrahman W
The home affairs ministry plans to collect non-tax revenue from private companies that access data from (Ditjen) Dukcapil. Can you explain about that?
We’ve provided free use of data for data verification for the past eight years since 2013. We want to develop a strong and secure system and renew the infrastructure because our infrastructure is archaic especially when the technology is rapidly evolving. We need funding sources to help us achieve that. Hence, our plan to generate non-tax revenue from access to data verification. So, we won’t give data but verification access.
Are the regulations already in place?
We are discussing it with the finance ministry and also the justice and human rights ministry.
How much can the state potentially earn under the scheme?
We haven’t calculated the numbers in detail. But you can calculate it by yourself. Access to ID card data verification per year could be more than a billion times. If each access costs Rp500 for example, it means Rp500 billion a year. If we give free service to state institutions which provide free public services, such as the BPJS Health Care, we will lose half of it but still earn Rp300 billion per year. The revenue will go first to the state and then be redistributed to (Ditjen) Dukcapil for infrastructure development, application upgrade and human resource training as we have employees in regencies and towns.
What about the cooperation for data verification that has been running so far?
We currently have 3,466 institutions working together with (Ditjen) Dukcapil, a sharp increase from around 10 institutions when I first took over the job, including the BPJS Health Care and BPJS Labor Services.
What are the terms and conditions for cooperation with state institutions and private entities?
They must first enter into a cooperation agreement. Then we will check their application systems to see if they are secure. Afterwards, we will determine the type of data to be verified. For example, we give the National Police access to a lot of data for verification, including fingerprints and names of family members of persons of interest. They can check all the family members in the family card. Meanwhile, mobile phone network providers can only verify the NIK and KK number.
Is there still a potential for data breach under such stringent regulations?
What we all need to be aware of is that our data are everywhere. We are asked to provide ID card and family card for school or university admissions. Likewise, for land certificates, driving licenses, and the BPJS. Try googling “electronic KTP” and you will see millions of electronic ID card photos. The same goes for family cards, NPWPs (taxpayer identification number) or even bank accounts and land certificates. It’s a global phenomenon because people easily share their data via instant messages, emails or the social media. We provide them for free. Google is much richer in data compared to all our agencies. It even has mobile phone numbers.
What should the public do?
The public need to be wary and concerned about personal data protection. We need to educate one another that our data are out there. We often give out our mobile phone numbers indiscriminately. So never say my data are secure. Not really.
How can the public be more vigilant if in reality, they are still asked to submit copies of their ID cards to take care of administrative matters in government institutions?
We in all institutions still like to hold on to the old tradition of keeping documents while the data is all they need to store. If all state agencies are willing to work with (Ditjen) Dukcapil, they only need to store NIK data (at Ditjen Dukcapil) and access those when they need them.
Electronic ID card data forgery cases still happened. How will Ditjen Dukcapil prevent it?
In future, we will use two-factor authentication, that is, ID card number and passport photo or fingerprints. Fingerprints can be accessed at the data center or with a card reader. The ID card with a card reader. Many have been duped because they only use one-factor authentication using ID card. If the ID card is forged, there’s no other way to compare the data. In two-factor authentication, one of the factors serves as a comparison, as in NIK and head shot, NIK and fingerprints or NIK and digital signature.
(From Tempo’s observation at the Tanah Sareal subdistrict office, Bogor, on May 31, an official in charge of making e-KTP applied a four-step verification and document check. The validity of the documents was checked via Dukcapil’s internal application to detect duplicate data. Then using biometric scanning, the applicant’s data were cross-checked with the e-KTP card data bank. The new data submitted by the applicant were also cross-checked with the old data in the database. In case of data change, for example, marital status, address or profession, the applicant is obligated to present proof such as court order, transfer letter or other pertinent documents.)
ZUDAN ARIF FAKRULLOH | Place and Date of Birth: Sleman, Special Region of Yogyakarta, August 24, 1969 | Education: Bachelor of Law, Sebelas Maret University, Surakarta, Central Java (1988-1992); Postgraduate Law in Diponegoro University, Semarang (1993-1995); PhD Program in Law, Diponegoro University (1996-2001); Professor of Law (since 2004) | Career: Lecturer of Law, Wijaya Kusuma University, Surabaya (1993-2002); Lecturer of Law, University of 17 August 1945, Surabaya (2002-2004); Lecturer, Borobudur University, Jakarta (since 2005); Lecturer, Sebelas Maret University (since 2017); Civil Servant, Ministry of Finance (1995-1996); Civil Servant, Ministry of Home Affairs (since 1999); Head, Legal Bureau, Secretariat General of the Ministry of Home Affairs (2011-2014); Head of Doctoral Program in Legal Studies, Borobudur University (2011-2016), Expert Staffer to Minister of Home Affairs for Law, Politics and Human Rights (2014-2015); Acting Governor of Gorontalo (October 2016-May 2017), Independent Commissioner, Bank Mandiri Taspen (since 2018), Director-General for Population and Civil Registration, Ministry of Home Affairs (since 2015) | Organization: Chair of Executive Board, Indonesian National Civil Service Corps (since 2015), Chair, Indonesian Traditional Karate Federation (2015-2019), Chair, Faculty of Law Alumni Family Association, Sebelas Maret University (since 2018) | Awards: Satya Lencana PNS X and XX, Minister of Home Affairs Award (2014)