Considering Securitizing Move to Overcome the Personal Data Security Problem in Indonesia
Mon, 11 Nov 2019 || By Janitra Haryanto

Violation upon personal data has occurred various times in Indonesia.[1] The exposure of Lion Air customers’ personal data[2], as well as unconsented advertisements sent through SMS from an unknown number,[3] have been shreds of evidence of how vulnerable the Indonesian personal data protection is. The government has attempted to frame the issue of personal data security as an important security issue. It is currently working to establish a law about personal data protection, known as UU PDP. Lamentably, the bill is currently still on hold in the legislation process. Accordingly, this article would like to examine how the Indonesian decision-maker run the decision-making process of the UU PDP and why another model of approach, such as the securitizing move, is considerable towards the protection of Indonesian personal data.

This article tries to answer two questions in a concise elaboration: (1) why does the securitizing move need to be done to secure the Indonesian personal data, and (2) how should the securitizing move be executed. This article argues that the sense of emergency of the data protection issue is what should motivate the securitizing move to be considered. Furthermore, it argues that the securitizing move should be executed by focusing on the three elements: context, political agent, and audience.

 

Q1: Why does the securitizing move need to be done to secure the Indonesian personal data?

According to the perspective of modern security scholars[4] Buzan, Wæver, and Wilde, the issue of personal data protection in Indonesia are currently under the phase of politicization[5] phase where an issue has been debated on the public sphere, through a democratic decision-making process.[6] The government of Indonesia and the legislative body (DPR) has formed a communication to uphold the legislative process of the PDP bill. Although the issue has arguably received a wider amount of attention, the politicization is still left unresolving. Meanwhile, Indonesian personal data has a high chance of being misused and compromised through cybercrimes, such as online fraud. With that being said, it should be in dire need of the Indonesian data security stakeholders to consider the securitizing move as another option.

Referring to the concept provided by Buzan et al., the securitizing move can be defined as an action carried out by a political actor to frame a non-politicized or politicized issue as an existential threat towards the state of security. Therefore, extra measure outside the usual political process is justified.[7] The phrase ‘as an existential threat towards the state of security’ in the context of personal data security is, indeed, debatable considering that the mistreatment of personal data protection in Indonesia has not been resulting in any grave fatality, such as death, disability of individuals, etc. 

However, the securitizing move upon Indonesian personal data can still be justified, for there are difficulties in identifying cyber attacks that may happen in the future, such as zero-day attack[8] and strikes with different socio-engineering models. Furthermore, the attacker always has the upper hand compared to the target due to several factors, such as the impossibility of predicting the attack, the anonymity of the attackers, and so on.[9] Therefore, a securitization move can bind or support the personal processor data to collect, store, use and secure the personal with certain security measure, can be a useful option.

 

Q2: How does the securitizing move of personal data security should be executed in Indonesia?

Buzan et al. argue that there are three requirements to realize a successful securitization: the advent of the 'the existential threat' framing, the emergency move, and the relations between actors happening outside the colloquial political process.[10] The framing of a referent object as an existential threat can be carried through a securitizing move. It takes the form of a speech by securitizer[11] towards the audience. However, this article looks up to the speech argued by Balzacq[12] who highlights the three elements that should be fulfilled by the securitizer: political agent, context, and audience.[13] The three elements are defined, as follows:

First, this article argues that an effective securitizer must be an individual with a certain degree of linguistic competence[14] and dominance[15] towards the audience. This article argues that, in this case, the government is the most potentially successful securitizer. This is due to the lack of the public understanding regarding the issue. Consequentially, regardless of the many potential securitizers, the easiest heuristic for laymen is to refer to the government which is constitutionally responsible upon the perseverance of a society. 

Second, the securitization process involves two sides: securitizer and audience. With that being said, the securitizer has first to ensure that the audience regards the issue of personal data protection as a security matter. Only by then, the two sides are in the same context where the personal data security is a security matter.

Third, the securitizer must have the capacity of using the words/phrases which reflect the language used by the audience about the personal data security. Drawing from the argument of Burke, Schneider, and Ingram, the securitizer must (as cited in Balzacq, 2005, p. 184) adjust the statement, gesture, tone, order (of the explanation), image, behavior, and the ideas about personal data based on the stereotype of the securitizer towards the audience.[16] They must include sentences that reflects a high sense of urgency[17], the fusion of their perspective on personal data security and the audience's[18], and the zeitgeist[19].

To avoid the chance of failure[20], the securitizer must also attempt to persuade formal and moral support.[21] This support is not only driven by the Indonesian constituents but also state institutions that have the power of decision-making process, such as DPR.

Editor: Anisa Pratita Mantovani

Read another article written by Janitra Haryanto

 

[1] Regarding personal data security issues in Indonesia, see Abdulsalam, H. (2019). Difficult to Protect Personal Data in Indonesia. Tirto [online] Available at https://tirto.id/sulitnya- protect-data-pribadi-di-indonesia-edCX.

[2] See Wardani, A. S. (2019). Puluhan Juta Data Penumpang Lion Air Bocor di Internet. Liputan 6 [online] Available at https://www.liputan6.com/tekno/read/4065787/puluhan-juta-data-penumpang-lion-air-bocor-di-internet.

[3] See Janah, S. M. (2019). Fahri Hamzah Jadi 'Korban' SMS Gelap dan Pemasaran Kartu Kredit. Tirto [online] Available at https://tirto.id/fahri-hamzah-jadi-korban-sms-gelap-dan-pemasaran-kartu-kredit-efoZ.

[4] The author selects the word 'modern' due to the difference in the security perspective delivered in the Copenhagen school and the traditional school. More about securitization, see Wæver, O. (2011). Politics, Security, Theory. Security Dialogue [online] Vol. 42 (4-5), Available at: DOI: 10.1177 / 0967010611418718., pp. 465-480.; and Buzan, B., Wæver, O, and Wilde, J. P., (1998). Security: A New Framework for Analysis. Boulder: Lynne Reinner.

[5] The politicization referred to in this article is not politicization in the sense of the framing of an issue to meet the political interests of political actors, especially the government.

[6] See Buzan et al., p. 29.

[7] Although the personal data security has not been described explicitly within the five security dimensions of Buzan et al., this article uses the same concept of securitization move. More about the security dimensions of Buzan et al., See Buzan, B., et al., P. 21-23.

[8] Zero-day attacks are the cyberattacks carried out by exploiting the weaknesses of a computer system that are unknown to the owner or system maker. Regarding zero-day attacks in the realm of cybersecurity, see Kello, L. (2017). Virtual Weapon and International Order. New Haven: Yale University Press, p. 48

[9] More about the relation of the attackers and targets in the context of cyber-attacks, see Ibid., p. 68

[10] Buzan et al., p. 26.

[11]Securitizers are political actors who carry out securitization steps. More about securitizers, see Buzan et al. and Balzacq, T. (2005). The Three Faces of Securitization: Political Agency, Audience and Context. European Journal of International Relations [online] Vol. 11(171) Available at DOI: 10.1177/1354066105052960., p.173.

[12] Balzacq argued that Austin's speech act concept referred to by Buzan et al. is too normative and challenging to operate. More about Balzacq's criticism of the speech act concept of Buzan et al., see Ibid.

[13] Balzacq, p. 173.

[14] More about linguistic competence, see Balzacq, p. 189-190.

[15] Dominance refers to the dispositional concept. More about the dispositional concept, see Balzacq, p. 191.

[16] Balzacq, p. 184.

[17] For instance, "[...] Because of our ignorance of future attacks, we must move quickly and not be carried away by circumstances." More on the high sense of urgency, see Balzacq, p. 186.

[18] To fuse both perspectives is to include collective memory and social experience, for instance "[...] Like corruption, theft of personal data exploits our personal rights to the wealth of others." More on the fusion of the securitizer’s and the audience’s perspectives, see Ibid.

[19] Zeitgeist or often known as the spirit of the times refers to the feelings of the audience, for example, "[...] We must be prepared to face greater attacks later on." More about zeitgeist, see Ibid.

[20] See McDonald, M. (2012). The Failed Securitization of Climate Change in Australia. Australian Journal of Political Science [online] Vol. 47(4). Available at DOI: 10.1080/10361146.2012.731487, pp. 579-592.

[21] Formal support is the support given by state institutions that have great power over policy making and moral support is the support given by the public to the policies taken. More about formal and moral support, see Balzacq, p. 184-185.