Katitza Rodriguez – Indonesia's Constitutional Court dealt another blow to the free expression and online privacy rights of the country's 191 million internet users, ruling that the government can lawfully block internet access during periods of social unrest. The October decision is the latest chapter in Indonesia's crackdown on tech platforms, and its continuing efforts to force compliance with draconian rules controlling content and access to users' data. The court's long-awaited ruling came in a 2019 lawsuit brought by Indonesian NGO SAFEnet and others challenging Article 40.2b of the Electronic Information and Transactions (EIT) Law, after the government restricted Internet access during independence protests and demonstrations in Papua. The group had hoped for a ruling reining in government blocking, which interferes with Indonesians' rights to voice their opinions and speak out against oppression.
Damar Juniarto, SAFEnet Executive Director, told EFF: "We are disappointed with the Constitutional Court's decision. We have concerns that the Indonesian government will implement more Internet restrictions based on this decision that are in violation of, or do not address, human rights law and standards."
SAFENET and Human Rights Watch in Indonesia have been sounding the alarm about threats to digital rights in Indonesia ever since the government last year passed, without public consultation, Ministerial Regulation #5 ("MR 5/2020"), a human rights-invasive law governing online content and user data and imposing drastic penalties on companies that fail to comply.
From data localization to other government mandates
In 2012, Indonesia adopted a data localization mandate requiring all websites and applications that provide online services to store data within Indonesia's territorial jurisdiction. The mandate's goal was to help Indonesian law enforcement officials force private electronic systems operators (ESOs) – anyone that operates "electronic systems" for users within Indonesia, including operators incorporated abroad – to provide data during an investigation. The 2012 regulation was largely not enforced, while a 2019 follow-up initiative (M71 regulation) limited the data localization mandate to those processing government data from public bodies.
Since the adoption of MR5, Indonesia's data localization initiative shifted its approach: private sector data can once again be stored abroad, but the regulation requires Private ESOs to appoint an official local contact in Indonesia responsible for ensuring compliance with data and system requests. Private ESOs will be obligated to register with the government if they wish to continue providing services in the country, and, once registered, will be subject to penalties for failing to comply with MR5's requirements. Penalties range from a first warning to temporary blocking, full blocking, and finally revocation of its registration. Indonesia has mandated broad access to electronic systems for law enforcement and oversight and proactive monitoring of online intermediaries, including private messaging services and online games providers.
Proactive monitoring mandate
EFF has warned that, by compelling private platform operators to ensure that they do not host or facilitate prohibited content, MR5 forces them to become an arm of the government's censorship regime, monitoring their users' social media posts, emails, and other communications (Article 9 (3)).
MR5 governs all private sector ESOs accessible in Indonesia, such as social media services, content-sharing platforms, digital marketplaces, search engines, financial and data processing services, communications services providing messaging, cloud service providers, video calling, and online games. The definition of prohibited information or content includes vague concepts such as content causing "community anxiety" or "disturbance in public order," and grants the Indonesian Ministry of Communication and Information Technology (Kominfo) unfettered authority to define these terms (Article 9(5)).
Along with SAFENET and Human Rights Watch, we pointed out earlier this year that the phrase "prohibited" is open to interpretation and debate. For example, what is meant by "public disturbance," what is the standard or measure for public disturbances and who has the authority to determine what qualifies? What if the public feels that peaceful demonstrations and protests are a fundamental right, not "disturbing the society"?
Article 9 of the Ministerial Regulation also prohibits any system from facilitating either "access to prohibited Electronic information and/or documents" or informing people how to do that. Under Article 9 (4)(c) of the regulation, this means that the Tor browser, virtual private networks (VPNs), or even materials showing how to bypass censorship are prohibited. Adding insult to injury, companies failing to comply will be subject to draconian penalties ranging from temporary or full blocking of their service to revocation of their authorization to provide online services within Indonesia (Article 9(6)). Moreover, under Article 13, private sector ESOs are also required to take down and block any prohibited information and documents (Article 9(4)).
Even worse, secure private messaging apps (such as WhatsApp, Signal, or iMessage) are also obliged to comply with Article 9. Private messaging services that offer end-to-end encryption do not know the content of users' messages. Thus, MR5 effectively bans all end-to-end encryption and thus the ability for anyone in Indonesia to message or text someone without the threat of the provider or government listening in. Moreover, MR5 requires these providers, as it does with others, to determine if content is "prohibited."
The new regulation interferes with rights to free expression and privacy, and requires platform providers to carry out these abuses. This is why, together with SAFENET, Human Rights Watch, and others, we called upon Kominfo to repeal MR 5/2020. In a joint statement, we said MR5 runs contrary to Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.
Mandatory registration for platforms
MR5 requires private platforms to register with the government – in this case Kominfo – and obtain an identification (ID) certificate to provide online services to people within Indonesia. This gives the government much more direct power over companies' policies and operations: after all, the certificate can be revoked if a company later refuses the government's demands. Even platforms that may not have infrastructure inside Indonesia have to register and get a certificate before people in Indonesia can start accessing its services or content. Those that fail to register will be blocked within Indonesia. The original deadline to register was May 24, 2021, but was later extended for six months. As of today, the government has not extended the deadline or enforced the mandatory registration provision.
The idea that websites and apps need to obtain an ID certificate from the government is a powerful and far-reaching form of state control because every interaction between authorities and companies, and every decision that might please or displease authorities, takes place against a backdrop of potential withdrawal of the ID and being blocked in the country.
ID certificate and appointment of local contact
The Indonesian government has many expectations for companies that register for these IDs, including cooperation with orders for data about users. In some cases, that even includes granting the government direct access to their systems.
For example, MR5 compels private platforms that register to grant access to their "systems" and data to ensure effectiveness in the "monitoring and law enforcement process." If a registered platform disobeys the requirement, for example, by failing to provide direct access to their systems (like computer servers – see Article 7 (c)), it can be punished in ways similar to the penalties for failing to flag "prohibited" content, from a written warning to temporary blocking to full blocking and a final revocation of its registration.
Article 25 of MR5 forces companies to appoint at least one contact person domiciled in the territory of Indonesia to be responsible for facilitating Kominfo or Institution requests for access to systems and data. Laws forcing companies to appoint a local representative exist, for example, in Turkey or India.
Both the ID requirement and the forced appointment of a local point of contact person are powerful coercive measures that give governments new leverage for informal pressure and arbitrary orders. As we noted in our post in February, with a representative on the ground, platforms will find it much harder to resist arbitrary orders and risk domestic legal action against that person, including potential arrest and criminal charges.
Human Rights Watch's Asia Division has similarly worried that, [w]hile the establishment of local representatives for tech companies can help them navigate and better understand the different contexts in which they operate, this is dependent on the existence of a legal environment in which it is possible to challenge unfair removal or access requests before independent courts. MR5 provides no mechanism for appeal to the courts, and the presence of staff on the ground makes it much harder for companies to resist overbroad or unlawful requests.
Remote direct access to systems
Mechanisms for direct access to systems are situations in which law enforcement has a "direct connection to telecommunications networks in order to obtain digital communications content and data (both mobile and internet), often without prior notice, or judicial authorization, and without the involvement and knowledge of the Telco or ISP that owns or runs the network." Direct access to personal data interferes with the right to privacy, freedom of expression, and other human rights. The United Nations High Commissioner for Human Rights stated that direct access is "particularly prone to abuse and tends to circumvent key procedural safeguards."
The Industry Telecom Dialogue has explained that some governments require such access as a condition for operating in their country: some governments may require direct access into companies' infrastructure for the purpose of intercepting communications and/or accessing communications-related data. This can leave the company without any operational or technical control of its technology. While in countries with independent judicial systems actual interception using such direct access may require a court order, in most cases independent oversight of proportionate and necessary use of such access is missing.
MR5 expanded its approach and applies it to all private ESOs including cloud computing services. It does not say exactly what type of access to "systems" (servers and infrastructure) private platforms may be requested to provide, though access to information technology systems (Art. 1) – which includes communication or computer systems, hardware and software – is explicitly called out as a possible subject of an order, over and above requests to turn over particular data.
When it comes to access to systems for oversight purposes, MR5 compels providers to grant access either by letting the government in, handing over what the government is asking for, or giving the government results of an audit (Art. 29(1) and Art. 29(4)). When it comes to access to systems for criminal law enforcement purposes, MR5 fails to explicitly include an audit result as a valid option. Overall, direct access to systems is an alarming provision.
Access to data and system
Under MR5, broad remote direct access mandates compel any provider or private ESO to grant access to "data" and "systems" to Kominfo or another government institution for "oversight" purposes (administrative monitoring or regulatory administrative compliance) (Art. 21). They are also required to grant access to law enforcement officials for criminal investigations, prosecutions, or trials for crimes carried out within Indonesian territory (Art. 32 and 33). Law enforcement is required to obtain a court order to access ESO systems when investigating crimes that carry prison sentences of two to five years. But there's no such requirement for crimes that carry heavier sentences of over five years imprisonment (Art. 33).
MR5 also requires private ESOs that process and/or store data or systems to grant cross-border direct access requests about Indonesian citizens or business entities established within Indonesia even if that information is processed and stored outside the country (Art. 34). The cross-border obligation to disclose data applies for crimes carrying penalties of two to five years imprisonment (Art 32), while the obligation to grant access to the providers' system applies for investigations or prosecution of crimes that carry sentences of over five years imprisonment (Art. 35). Unlike Mutual Legal Assistance Treaty (MLAT) agreements, MR5 fails to include a "dual criminality" requirement, meaning Indonesian police could seize data from foreign providers while investigating activity that is a crime in Indonesia but not in the foreign country. While practical challenges currently exist in cross-border access to data, these challenges can be addressed through:
The express codification of a dual privacy regime that meets the standards of both the requesting and the host state. Dual data privacy protection will help ensure that as nations seek to harmonize their respective privacy standards, they do so on the basis of the highest privacy standards. Absent a dual privacy protection rule, nations may be tempted to harmonize at the lowest common denominator.
Improved training for law enforcement to draft requests that meet such standards, and other practical measures.
Cross-border data demands for the content of users' communications imposed on companies like Google, Twitter, and Facebook may create a conflict of law between Indonesia and jurisdictions like the European Union or the United States. The EU's General Data Protection Regulation (GDPR) does not allow companies to disclose data voluntarily without a domestic legal basis. US law also forbids companies from disclosing communications content without an MLAT process which requires first obtaining a warrant issued by a US judge. While we understand that Indonesia does not have an MLAT with the United States, the process for resolving conflicts of law needs considerable work. The Indonesian government should not expect companies to stride deliberately into legal paradoxes, where complying with a regulation in one country would lead them to not only violate the law in another country but also violate international human rights law and standards. The principle of dual criminality should also be taken into account when a cross-border request is needed.
Access to 'electronic data'
Access to "electronic data" for oversight purposes can be ordered by Kominfo or other competent government institutions (Art. 26). When such access is requested for criminal investigations, it can be done by a law enforcement official (Article 38 (1)).
In both cases, MR5 explicitly states that remote access should be granted using a link created by the private platform, or any other way as agreed between Kominfo or Institutions and the platform or the platform and law enforcement. In many cases, private ESOs can satisfy these requests through negotiating a compliance plan with the requester, which may avoid actually giving Indonesian government officials direct access to companies' servers, at least most of the time (Article 28 (1), Article 38 (1)). Specifically, MR5 provides no information regarding factual background of the investigation or regarding any grounds establishing investigative relevance and necessity.
Law enforcement officials can also get access to very broad categories of data, like subscriber identities ("electronic system user information"), traffic data, content, and "specific personal data." This last category can include sensitive data such as health or biometric data, political opinions, religious or philosophical beliefs, trade union membership, and genetic data. Law enforcement can get access to it, without a court order, for investigations of crimes that carry sentences of over five years imprisonment. Court orders are only required for crimes carrying penalties of two to five years imprisonment.
Kominfo or government institution orders to access "systems" for oversight purposes (Art. 30) and for criminal law enforcement (Art. 40) are expected to be "limited" and "confidential" but must be responded to quickly – within five calendar days upon receipt of the order (Art. 31 and 41) – a very short time period that does not allow providers to assess the legality, necessity, and proportionality of the request.
Confidentiality provisions such as those featured in MR5 have also been problematic in the past, and sidestep surveillance transparency, as well as the right of individuals to challenge surveillance measures. While investigative secrecy may be necessary, it can also shield problematic practices that pose a threat to human rights. This is why providers should be able to challenge gag orders, and get authorities to provide a reasoned opinion as to why confidentiality is necessary.
Civil society has strongly advocated for the public's right to know and understand how police and other government agencies obtain customer data from service providers. Service providers should be able to publicly disclose aggregate statistics about the nature, purpose, and disposition of government requests in each jurisdiction, and to notify targets as soon as possible, unless doing so would endanger the investigation.
Technical assistance mandates
Technical assistance mandates such as those set out in MR5 have, in the past, been leveraged in attempts to erode encryption or gain direct access to providers' networks. Article 29, too, uses similar language; the government entities requesting access to a "system" may also request "technical assistance" from the private ESOs, which they are expected to provide. The government is planning to issue technical guidelines regulating the procedures for data retrieval and access to the system by December 2021.
Cloud computing in case of emergency
Article 42 compels cloud service providers to allow access to electronic systems or data (voice, images, text, photos, maps, and emails) by law enforcement in cases of emergency. While other laws and treaties (even less-protective treaty mechanisms for streamlining this kind of international access like those in the Council of Europe's Second Additional Protocol to the Budapest Convention) have narrowly defined emergencies as preventing imminent threats to people's physical safety, Article 42(2) defines emergency more broadly to include terrorism, human trafficking, child pornography, and organized crime, in addition to physical injury and life-threatening situations. These categories may implicate life-threatening emergency threats, like a terrorist bomb plot or a child in current danger of ongoing sexual exploitation. But if there is no imminent threat to safety, Article 42 should not apply.
MR5 runs afoul of Article 12 of the International Covenant on Civil and Political Rights (ICCPR). It is a regulation adopted by the Executive Branch. It lacks procedural safeguards and inherently authorizes disproportionate direct access to systems. The UN Human Rights Committee has stated that "even with regard to interferences that conform to [the ICCPR], relevant legislation must specify in detail the precise circumstances in which such interferences may be permitted."
To protect human rights in a democratic society, data access laws should make clear that authorities can access personal information and communications only under the most exceptional circumstances and only as long as access is prescribed by enacted legislation, after public debate and scrutiny by legislators. Further, such laws must be clear, precise, and non-discriminatory, while data requests should always be necessary, proportionate and adequate. User data should only be accessed for a specific legitimate aim, authorized by an independent judicial authority that is impartial and supported with sufficient due process guarantees such as transparency, user notifications, public oversight, and the right to an effective remedy. The law should spell out a clear evidentiary basis for accessing the data, ensuring that providers will obtain enough factual background to assess compliance with human rights standards and protected privileges. Confidentiality should be the exception, not the rule, only to be invoked where strictly necessary to achieve important public interest objectives and in a manner that respects the legitimate interests and fundamental rights of individuals. Moreover, in the case of a cross-border request, the law should ensure respect for the principle of dual criminality, as most MLATs do.
MLATs have traditionally provided the primary framework for government cooperation on cross-border criminal investigations. MLATs are typically bilateral agreements, negotiated between two countries. While specific details may vary across different MLATs, most share the same core features: a mechanism for requesting assistance to access data stored in a hosting country; a Central Authority that assesses and responds to assistance requests from foreign countries, and a lawful authority for the central authority to obtain data on behalf of the requesting country. Generally speaking, in responding to foreign requests for assistance, the Central Authority will rely on domestic search powers (and be bound by accompanying national privacy protections) to obtain the data in question.
MR5's draconian requirements hand the Indonesian government a dangerous level of control and power over online free expression and users' personal data, making it a tool for censorship and human rights abuses. The regulation copies many provisions used by authoritarian regimes to compel platforms to bend to government demands to break encryption, hand over people's private communications, and access personal information without procedural safeguards and proportionality requirements against arbitrary interference. The Indonesian people deserve better. Their privacy and security are at risk unless MR5 is repealed. EFF is committed to working with SAFENET in urging Kominfo to roll back this unacceptable regulation.