Indonesian Dept. of Education and an Invasion of Privacy

If you cannot think of three ways to abuse a tool, you do not understand how to use it.
~Gregory Bateson

Privacy is a tricky issue. Most people don’t care about it until something happened – most of the times, not until it’s no longer a private matter and already late. Then all sorts of things become an issue.

Indonesian Ministry of Education put up a database of students online – public, private and religious schools, including at least some international and expat schools. It’s a work in progress designed to capture all of 36 million students nationwide, searchable by region and attaches the excel files containing the student details – names, date and place of birth and addresses. I’m not sure how many students are presently included – there are hundreds, if not thousands of XLS files, some of them a few thousands names. My estimate is there are some 1 million names at this point. Some underground lists have already circulating compiled Excel tables from the separate files but anyone could do it themselves if they wish to do so. A casual glance on the blogosphere seems to suggest that the database is indeed, very much current and accurate. (my previous post here includes links to some of the outraged parents at the bottom).

Personally, I can’t think of any good reasons to have it in an open database. Students, parents and teachers alike need only to access the information concerning themselves – having an open national database really benefits no one. I’m not aware if there is any other government on the planet doing such a project – let me know if you know any.

One could think of too many reasons of how it could be harmful. Jeremy pointed out the potential misuse of the information for social engineering. Indeed, since the database includes thousands of students 18 yrs old and above, it’s a great resource for planning an identity theft campaign. In most cases, names and birth date are more than enough for some serious mischief.

Others are concerned about kidnapping (somewhat showing a disturbing trend here in Indonesia). For any public figures with security concerns, it won’t be too hard for anyone to track down the names of their children - the files have been out there for a while, now that Google (and other search engines) have crawled and indexed it, one needs only to google the names to get it. I could ramble on for another hour to highlight how one could potentially use this information for nefarious purposes, but I’m sure you could use your own imagination.

Interestingly enough, some students included in the database that I spoke to didn’t seem to mind. Maybe it’s a sign of a whole new generation of digital native - somewhat with less pressing concerns and expectation for privacy. Students can search names of their classmates (or the hot chick from the other class) and get their address, it’s probably a useful tool for some. I tend to think that they are most likely not fully aware of the consequences.

The discussion of whether privacy still exists in the age of the internet is moot – I’m well aware that along with the wonderful things that technology now allows us to do, there are potential risks and consequences that awaits. I wrote about my own personal experience with internet anonymity here, but that is again, irrelevant. The point being, privacy is a personal choice – you can do what you wish with your own information, so long as you’re aware of what it does to you.
The children in those database were never given any choice.

A large majority of the information contained within those files are of children under the legal age of consent. The schools and the Indonesian Ministry of Education acted without their parental consent. The individuals were never informed that their information will be made available for the world to see – for now, and presumably forever: Once it’s on the internet, it’s almost impossible to put the genie back in the bottle (people @ Google that I talked to said that they’re willing to remove the files from the index provided that the originals were removed first).
I very much doubt that parents were aware of this, after all, schools are supposed to protect children. Indeed, most parents were outraged and very much concerned.

I’m still doing my research on what the Indonesian legal framework is for this particular case – privacy awareness is very low in Indonesia (this Dutch research shows some interesting insight into the culture).

There’s no specific law dealing with privacy and access to public records of individuals in Indonesia, indeed, I’m not sure if school admission records are considered public records at all, most certainly not for private schools. The recently passed ITE Law opens the possibility of civil suits – Article 26 states that electronic publication of private data must be done with individual consent, but explicitly requires a proof of damage and Indonesian courts don’t recognize punitive damages. There might be some laws on protection of children or probably regulations on public records, but I’m not aware of any that specifically deals with this sort of issue.

In my view, regardless of the legal statues, it is incomprehensible for the schools to expose underage children to any threats. Common sense dictates that when dealing with little kids, caution and prudence should take precedence. The Ministry is clearly far too reckless and borders on criminal negligence in their failure to consider this.

Even if one were to argue that the benefits outweighed the potential harms, I still can’t see why the information needs to be made to be so publicly available? What exactly are the benefits of having a national database of underage kids?

The Ministry MUST take this issue seriously and pull the information down. Concerned parents should talk to their schools and make sure that they are aware of this. Private schools are most certainly not covered by any sorts of laws on public records and according to the Article 26 of the ITE Law, they are wide open to civil suits. The mainstream media must do their part responsibly and carefully to make sure to minimize the damage.

I can only hope they will be sensible enough to quickly do what is necessary before too much damage is done.

UPDATE #1: Google support confirmed by email that they will remove the index along with the removal of the original.

UPDATE #2: This post seems to suggest that the link to the XLS files was indeed a mistake. It also gives a good backgrounder of the program (in Indonesian) . The link also gives an address to direct the complains but no emails or phone numbers.

UPDATE #3: (13/10/08) Some mainstream media seems to have picked up on this news and ppl are reporting that the XLS files no longer contains DOB and addresses, will check later.