Indonesia’s Jeopardized Digital Freedoms – A Case Study in Spyware

By Grey Pilarczyk

Indonesia has long had a mixed human rights record, particularly regarding the online activity of Indonesians. In recent years, political activists and independent media outlets in the country have faced a barrage of digital threats and cyber-attacks. On May 1st, Amnesty International released a stunning report detailing Indonesia’s use of highly invasive spyware, indicating a much more dire problem than previously imagined. If Amnesty International’s allegations are accurate, Indonesians’ internet privacy may be in jeopardy, and for political dissidents, perhaps non-existent. 

Amnesty International’s Findings 

The Amnesty International report, “A web of surveillance: Unravelling a murky network of spyware exports to Indonesia,” claims that since 2017, Indonesian government entities such as the Indonesian National Police and the National Cyber and Crypto Agency have been purchasing surveillance technology. Neither agency has addressed these claims. To procure this technology, these agencies have utilized opaque networks of suppliers and resellers to obscure the transfer of the technology in question. 

Singapore-incorporated brokerage firms including White Global Holdings, 3L, and ESW Systems have proved essential in getting this technology to Indonesia. For instance, in July of 2021, ESW Systems exported a shipment of hardware to the Indonesian National Police valued at over USD 11 million. Some items in this shipment were labeled “Basic Graphical Detection and Identification License” and “Basic Real Time Geolocation Tracking License”. Amnesty International concluded that both items are dual-use technologies, spyware with both military and civilian applications. 

Risks and Challenges 

The Wassenaar Arrangement, established in 1996, is an international framework aimed at regulating the trade of dual-use technologies and ensuring that any transfers of such technology are transparent to the international community. Indonesia is not a participating member of the Wassenaar Arrangement, which is revealing in itself. Now, Indonesian entities seem to be acting in flagrant violation of this framework.  

The alleged spyware in use has originated mostly from the Israeli firms NSO Group, Saito Tech (formerly Candiru), Wintego Systems, and Quadream, as well as Germany-based FinFisher. Both NSO Group and Candiru were added to the United States’ Entity List for Malicious Cyber Activities in 2021. According to the US Department of Commerce, this was based on evidence that they “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”  

The abuse of dual-use technology is much harder to prove than its ownership, a fact that Amnesty International readily concedes. However, the ownership of spyware and malicious intent align more often than not. If Indonesia’s government is indeed misusing this technology, Indonesian internet users could be subject to far-reaching online surveillance. In a 2016 article, Forbes alleges that Wintego Systems’ WINT product is capable of intercepting communications on WhatsApp, a messaging platform that claims to be end-to-end encrypted and is used by an estimated 90% of Indonesians. According to Amnesty International’s research, the aforementioned ESW Systems has sold this very same WINT system to the Indonesian National Police for nearly USD 5.6 million. 

While one can only hope that Indonesia is using this technology responsibly, activists and news websites have routinely been victimized by cyber-attacks in the past. Notably, in September of 2022, the popular news outlet Narasi had its website hacked, but no attackers were ever prosecuted. Many Indonesians have criticized the government’s subsequent inaction on this matter. Erick Tanjung, the coordinator of Indonesia’s Committee for Journalists’ Safety, went even further, stating, “These attacks always happen when journalists or a media agency strongly criticizes the acts or policies of those in power.” 

Perhaps more concerning still, in November of 2021, Apple warned that more than a dozen senior Indonesian government and military officials had their devices targeted by “state-sponsored attackers” using ForcedEntry, software developed by the US-blacklisted NSO Group, as reported by Reuters. The Indonesian Ministry of Defense and the National Cyber and Crypto Agency both refused to respond to Reuters’ questions on the matter.

A Potential Path Forward 

Although there is serious cause for concern regarding Indonesia’s use of spyware, it is not too late to mitigate the harm facing Indonesian internet users.  

To remedy this troubling situation, it is crucial that Singapore and Indonesia both join the 42 current members of the Wassenaar Arrangement and implement as national policy its Best Practice Guidelines for the Licensing of Items on the Basic List and Sensitive List of Dual-Use Goods and Technologies. These guidelines require that exporters of dual-use technologies keep detailed documentation of their exports. 

Through adherence to these guidelines, intermediary trading companies, such as those incorporated in Singapore, would be forced to document a description of the technology being transferred, the name and address of any consignee of the technology, and most importantly, the name and address of the end-user of the technology. With these regulations in place, it would become far harder for Indonesian entities to obscure their purchasing of spyware. Just as banks are required to monitor transactions to prevent money laundering, these brokers should be mandated to vet their suppliers and customers to prevent the abuse of dual-use surveillance technology.
