Indonesia’s Covid tracker app PeduliLindungi: To care for and protect? · Global Voices
EngageMedia

Image via EngageMedia
This article by Siti Rochmah Desyana is part of Pandemic of Control, a series of articles that aims to further public discourse on the rise of digital authoritarianism in the Asia-Pacific amid COVID-19. Pandemic of Control is an initiative by EngageMedia, in partnership with CommonEdge. This edited version of the article is republished in Global Voices under a content partnership.
As the COVID-19 pandemic continues in Indonesia, the government’s PeduliLindungi application remains an integral part of daily life. Named by merging the Indonesian words for “care” (peduli) and “protect” (lindungi), the app claims to do just that, tracking and screening COVID-19 statuses, and providing resources and information on COVID-19. It has become commonplace in everyday life as most restaurants, businesses, and all public transportation require users to “check-in” by scanning a QR code via the app.
Its existence has become synonymous with and inseparable from the pandemic itself in Indonesia. But people’s reliance on the information, access, and resources it offers to protect from COVID-19 may come at the expense of data privacy rights.
As of writing, over 50 million people have downloaded the app from the Google Play Store, making it the top medical app in the country. But, as more and more users register and use the app, the severity of concerns regarding the app’s security and extensive tracking have also increased.
In September 2021, Indonesian President Joko (Jokowi) Widodo’s vaccine certificate was leaked online, just a month after the suspected breach of the Indonesia Electronic Health Alert Card (eHAC) app, which compromised the data of 1.3 million users. The leaks have since spurred public discourse on data security and the amount of personal information collected and stored by PeduliLindungi.
Following the breaches, the Indonesian government has since claimed that the app has secured the data of all users, a response not unlike previous reassurances it has given, after similar breaches in the past. PeduliLindungi thus potentially poses a bigger threat due to its frequent usage, large user base, and the unique type of information stored, all while leaving people with little to no legal recourse to protect their data.
While the app’s usage varies between regions, there is no other government platform that reaches its scale and scope. The app’s main interface has also been integrated into 15 other consumer-oriented apps;  there are even plans to turn it into a digital wallet.
To enter any public place in Indonesia, one must first scan the location’s required QR code through PeduliLindungi or an interconnected app, such as Jakarta’s regional app JAKI and the Indonesian startup giant GOJEK. The collected information ­— such as the user’s legal name, ID number, susceptibility to COVID-19, current location, and time spent within the facility — are then logged and stored on PeduliLindungi servers. Those who have not formally registered for PeduliLindungi or the other interconnected apps are allowed to enter public spaces only if they show valid vaccine certificates, which are also hosted by PeduliLindungi and must be accessed through its portals.
When an Indonesian is not formally part of the PeduliLindungi system, there are a number of challenges and hurdles disturbing their daily routines. For example, without a ticket to get vaccinated — whether it from choice or vaccine unavailability — one will not be allowed to freely use and enter bus stops, train stations, airports, markets, hospitals, office buildings, and other public spaces. The unvaccinated have even reported difficulties in getting treatment from medical facilities, which rely on the PeduliLindungi database to access COVID-19 status.
Using the app is now not only necessary, but socially mandatory in order to keep freedom of movement. Such measures were justified to curb the spread of COVID-19, despite questions regarding their ability to do so.
PeduliLindungi users can request for vaccine certificates via the website. As long as you have a full name, ID number, date of birth, and date and type of vaccination, you can access anyone’s vaccine certificates. Screenshot by Siti Rochmah Desyana
There are also numerous unanswered questions surrounding the digital security of PeduliLindungi. While no classified information stored online can ever be completely secure, the Indonesian government has yet to take adequate action to ensure the security of its various databases.
When the eHAC database was leaked in 2021, the government chose to deflect and stress that only the “old, separate eHAC” was compromised. The government simply asked citizens to delete the old eHAC app on their phones.
PeduliLindungi does not escape this lack of accountability. For one, the President’s leaked vaccine certificate only showed how easy it was to obtain any certificate — even those not your own. Accessing these on the app requires only a full name, ID number, date of birth, and date and type of vaccination — information that can easily be found on social media or even through carelessly discarded paper documents.
In the president’s case, investigators found that his information was obtained through PCare, a separate application by the Ministry of Health, which is used by healthcare providers to upload a user’s vaccination data to PeduliLindungi servers. The connection between both applications remains unclear.
The issue only compounds with the interconnectivity of PeduliLindungi with other third-party applications. For example, the app is connected to Google and other third-party software providers that track users’ locations when entering and exiting public spaces, and when using public transportation. A previous version of the PeduliLindungi mobile app allegedly contained anomalies, including manual data storage within the application and sending said data to an external, non-Indonesian website. The app had also in the past sent users’ names and kinds of devices to a subsidiary of PT Telkom, Indonesia’s state-run telecommunication company with servers in Singapore.
But, despite evidence that third-party applications may have led to data breaches on other government apps, PeduliLindungi’s latest privacy policy maintains a no-liability clause for “violations or unauthorized access,” which include how third-parties use PeduliLindungi’s data.
PeduliLindungi’s Limitation of Liability on the mobile version of the app. Screenshot by Siti Rochmah Desyana
Despite large numbers of infections, the public continues to debate whether the monitoring and tracking done by PeduliLindungi are necessary to curb the spread of COVID-19. Regardless of which side of the debate you are on, the Indonesian government’s responses to past data breaches and other concerning events fail to address the root of the problem: the security of the PeduliLindungi servers and the data privacy of its users.
The government never published the results of PeduliLindungi’s initial security audit, which would have informed the public of the safety and security of the app before its implementation.
PeduliLindungi is also still not registered under the government’s own Electronic System Organizers — a requirement for public servers as per regulation.
The citizens are once again bearing the brunt of this lack of protection, regulation, and accountability. Indonesians sacrificed their freedom of movement and privacy, and entrusted their data to the government, under the premise that doing so will prevent the further spread of the virus and pave the way toward the end of the pandemic.
Worse, Indonesia currently has no specified legislation concerning the protection of data privacy. While there are provisions regulating consent to individual data usage, they are scattered around various levels of law.
The currently existing ministry regulation concerning Protection of Private Data under Electronic Systems exists more like a guideline that contains no punitive or consequential clauses for those who breach the rule’s terms. While there is a draft for Personal Data Protection Laws, it is still stuck in deliberation under the House of Representatives, and few improvements have been made so far.
As PeduliLindungi and the government continue to fumble in its operations, and as these concerns are brushed under the rug, one needs to ask: Is PeduliLindungi really caring for and protecting the Indonesian public?
Siti Rochmah Desyana is an observer of human rights issues and is especially interested in the matters of equality and justice. She currently works in International NGO Forum on Indonesian Development (INFID) for the In-Equality Program, and writes about the world in her free time.