The Ghosts in Our Wires: A Contemplation on the Looming Threat of Identity Theft in the Cyberspace

January 14, 2021 7:38 am

The pandemic is still massive here in Indonesia. More and more aspects of our lives are becoming digital, leading us to what I’d call ‘A Phygital (Physical-Digital) Life’, where our online presence is as real as our real-life one. In my previous commentary titled ‘New Normal for Crime: The Urgency of Better Internet Governance in Indonesia’[i], I expressed my concern about how the crimes that haunt us in real life will inevitably follow us into cyberspace. In this piece, I will expand on that concern by fleshing out one of the crimes that has evolved as it followed us into cyberspace: identity theft.

Out of all cybercrimes globally, identity theft is probably the closest to us as we surf the internet, yet society’s awareness of this crime is startlingly low. The Chief of the Information and Document Management Bureau of the Indonesia Police Force, Police Chief Commissioner Moh Hendra, commented on this based on data showing that only 278 cases of identity theft were reported to the Criminal Investigation Agency out of 11,777 cybercrime cases reported, which amounts to only 2.3% of total cases reported[ii]. Yet, if we look at the news, there are reports of the personal data of nearly nine hundred thousand users of an online loan application service being leaked on the internet[iii], and reports that 91 million user data of Tokopedia, one of the biggest Indonesian e-commerce worth nearly 74.5 million IDR, are downloadable for free[iv]. This gap between the reported cases and the presumed cases is what criminologists call ‘the dark figure of crime’. With this writing, I aim to shed some light on this dark figure of identity thievery.

Identity Theft: The Ghost Haunting Our Wires

First, let’s talk definition. Identity theft is a term used to categorize several offenses involving the fraudulent use of individuals’ personal information for criminal purposes and without their consent[v]. The phrase ‘without their consent’ in this definition is something I feel must be highlighted in discussions about identity theft in the digital age, because the issue of ‘consent’ is highly questionable when it comes to the online use of personal data.

Let us return to the Tokopedia data breach with a little case study. Let’s say that we just saw the newest Tokopedia ad and are interested in downloading the app. When we download the app, we are asked for our name, email, and phone number. Furthermore, to ease our payment experience, we also store our credit card within Tokopedia’s payment system. As we answer the questions and are then asked to check the box saying ‘I agree with terms and conditions’, we give our consent for the Tokopedia app to use our data as needed. But then here come the 74 million questions: do we consent to that data being leaked and promptly sold on the dark web for unknown purposes?

This Tokopedia case is not even a rare thing. Another renowned commerce such as Bukalapak and has also reported their users’ data being sold on the dark web[vi]. These cases serve as a reminder that, like every crime, online identity theft has evolved beyond just phishing or the use of malware and spyware. It is no longer something we can prevent just by educating ourselves on how to create a strong password or by following everything listed under Multifactor Authentication[vii]. From these thoughts, I firmly believe that: 1) the issue of online identity theft has evolved to the point that it cannot be separated from the issue of data protection, and 2) it is time to look at identity theft as a crime on a societal level.

The End-User Protection: The Societal Level

Chairul Anam, the Commissioner of the National Commission on Human Rights, has already stated that online personal data theft is a form of human rights violation, seeing that data theft will lead to other, bigger problems[viii]. Constitutionally, we have Article 28G, section 1, of the 1945 Constitution of the Republic of Indonesia, which entitles us to the protection of self, family, honor, dignity, and the property we own, and this property includes our personal data in cyberspace.

Indonesia’s government has already poured its effort into national-scale data protection through the Personal Data Protection (PDP) Bill, which will regulate subjects such as data owners, data controllers, and business associations that use data. It will also define and regulate matters such as types of personal data, ownership of personal data, personal data processing, controllers and processors of personal data including their obligations and responsibilities, personal data transfer, administrative penalties, forbidden uses of personal data, formulation of personal data controller guidelines, process and procedure of civil courts and litigation, international treaties, the roles of government and people, and its criminal provisions[ix]. The discussions on the PDP Bill are scheduled to finish in November 2020.[x]

Now that we have contemplated the new dimension of identity theft in the age of phygital life and how it has become a threat on the societal level, I hope that we can be more aware of how our personal data is used in the various services across the internet, and that we keep practicing the practical steps of personal data protection, such as keeping our passwords to ourselves and being mindful of what we put on the internet, to protect our data from the ghosts in our wires.


[ii] Fadli Mubarok. 2020. Polri: Kejahatan pencurian data pribadi di level bahaya. Accessed on 11 October 2020.

[iii] Liputan6. August 2020. Nyaris 900 Ribu Data Pribadi Pengguna KreditPlus Diduga Bocor di Internet. Accessed on 11 October 2020.

[iv] July 2020. 91 Juta Data Pengguna Tokopedia yang Bocor Masih Bisa Diunduh Gratis. Accessed on 11 October 2020.

[v] Reyns, B.W., 2013. Online routines and identity theft victimization: Further expanding routine activity theory beyond direct-contact offenses. Journal of Research in Crime and Delinquency, 50(2), pp. 216-238.

[vi] Ibid.

[vii] MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor. Taken from the National Institute of Standards and Technology.

[viii] Liputan6. October 2020. Komnas HAM: Pecurian Data dalam Ranah Digital Melanggar Hak Asasi. Accessed on 12 October 2020.

[ix] Firda Cynthia. July 2020. Urgensi regulasi perlindungan data pribadi di era digital. Accessed on 12 October 2020.

[x] September 2020. Pembahasan RUU PDP Ditargetkan Rampung November 2020. Accessed on 12 October 2020.