The distrust in Indonesia’s vaccination programme is not only an issue for those seeking to work abroad, but has also created a headache for the government.

It recently emerged that e-HAC, the country’s now-defunct test-and-trace mobile app for travellers, exposed the data of 1.3 million users because it lacked proper data privacy protocols.

Coronavirus: Widodo’s jab record leaked

To add to the credibility concerns, there have been repeated forgeries of vaccination certificates. Last week, Jakarta police arrested four suspects for such forgeries, two of whom had created 93 fake vaccination documents through Indonesia’s national Covid-19 tracking app called PeduliLindungi. One of the perpetrators was a civil servant who had access to input data. The app needs to be shown before travelling or entering shopping malls or government buildings.

Fake vaccine certificates have also been found in Central Java, Southeast Sulawesi and Bali.

Jabs rule change allows Hongkongers in Philippines, Indonesia to return

Trubus Rahadiansyah, a public policy expert with Trisakti University in Jakarta, said the proliferation of fake vaccine certificates was the result of a hastily-made government policy requiring people to show proof of inoculation to go about their daily activities.

“This policy is forced as the immunisation programme in Indonesia is not equal between regions,” he said. “The requirement to use vaccination proof for any kind of need spurs an opportunity to score [cash] for some individuals.”

Trubus warned that the forgeries could foster widespread distrust of the country’s immunisation programme. “The international community might ask, ‘is it true that 65 million Indonesians have been vaccinated?’”

It is also hard to verify the vaccination data as this has been “monopolised by the government”, he said.

Weak data protection

Indonesia is not alone in dealing with counterfeit vaccine certificates, with cases reportedly found in Hong Kong, Malaysia, the Philippines and France. But only a few countries have allegedly exposed the personal data of millions of people through a Covid-19 tracking app.

In July, cybersecurity experts from US-based vpnMentor found that the personal data of 1.3 million e-HAC users was stored in an open server, allowing them access “with zero obstacles”.

The personal data includes Indonesian and foreign users’ national identity, passport and phone numbers, as well as their Covid-19 test results.

Asia’s rich, powerful grab Covid-19 booster shots at common folk’s expense

According to the vpnMentor website, the team immediately notified the Indonesian Ministry of Health, the country’s Computer Emergency Response, and Google, the app’s hosting provider, but none of them responded.

“By early August, we had not received a reply from any of the concerned parties. We tried to reach out to additional governmental agencies, one of them being the BSSN [National Cyber and Crypto Agency], which was established to carry out activities in the field of cybersecurity. We contacted them on August 22 and they replied on the same day. Two days later, on August 24, the server was taken down,” the company said.

The Health Ministry last month acknowledged that the data leak was sourced from the old version of the e-HAC app.

The ‘hero’ of Asian financial crisis now faces a grim reality in Indonesia

“Now, e-HAC is integrated into the PeduliLindungi app, whose server and infrastructure is located in the national data centre and [secured by] the Ministry of Communications and Informatics and BSSN,” Anas Ma’ruf, head of the health ministry’s data and information unit, told reporters.

The e-HAC leak underlines how much of the government-managed information and technology system still does not adhere to the principles of personal data protection, said Wahyudi Djafar, executive director at the Jakarta-based Institute for Policy Research and Advocacy (Elsam).

“It’s important for the government to immediately audit the personal data protection in the PeduliLindungi system to give a safety guarantee to the public. They cannot just say ‘your data is safe, we store it in a national data centre’. That does not mean anything,” Wahyudi said.

Legislation

This is not the first time that a massive data leak has hit the Indonesian government-backed system. In May, the personal data of 279 million Indonesians was sold in an online forum for the price of 2 bitcoin. The data belonged to the policyholders of national health care and insurance agency, BPJS.

Last year, personal data of 2.3 million Indonesians was breached via the General Elections Commission (KPU) database, as well as the data of over 230,000 Indonesian Covid-19 patients, which ended up on the dark web.

Last week, personal data protection advocacy group Periksa Data said it will file a lawsuit to a Jakarta administration court against BPJS, the Ministry of Communications and Informatics and BSSN over the data breaches.

Wahyudi also pointed out that the PeduliLindungi app does not have proper user authentication methods. Widodo’s vaccination certificate was easily accessible by anyone who knew his NIK, which was made available on the election commission’s website during the 2019 presidential campaign.

Indonesia has yet to pass a comprehensive Personal Data Protection bill, which has been delayed after first being proposed in 2014. The lack of stringent personal data protection could hinder Indonesia’s ambition of being Southeast Asia’s largest digital economy, Wahyudi said.

“If Indonesia wants to boost its digital competitiveness, it needs to pass the Personal Data Protection bill, which could balance the need to protect people’s rights to privacy and the companies’ economic interests,” Wahyudi said.