PRC investment in Indonesian tech startups stirs data security concerns

Major investments by Chinese venture capital (VC) groups into Indonesia’s fastest-growing tech startups has raised concerns over data security, analysts say.

The worries reflect fears that the People’s Republic of China’s (PRC’s) data security laws could leave Indonesians vulnerable to data breaches, as well as apprehension about Beijing’s recent moves to enforce government control on its domestic tech sector. Moreover, they come in the wake of the reported targeting of Indonesia government agencies by state-sponsored Chinese hackers.

“Due to its large population and high internet penetration, Indonesia holds the largest market share in Southeast Asia in the digital economy,” Nailul Huda, a researcher at Jakarta’s Institute for Development of Economics and Finance, told FORUM. “China’s entry into the Indonesian market raised concerns about data security. Third parties in China may use the personal information of Indonesian citizens. People in Indonesia are at risk if their personal information is not protected.”

Thirteen Indonesian technology companies have gone from startup to their current status as “unicorn” — a tech firm valued at more than U.S. $1 billion, according to Singaporean broadcaster Channel News Asia. PRC-based VCs have been their leading foreign investors, supplying them with about U.S. $4.6 billion in disclosed funds as of late 2021, the United States-based Paulson Institute reported. While these VCs appear to be seeking profit rather than Beijing-dictated dominance, that could change, Paulson noted. In the PRC, the state is increasingly controlling tech companies and could take a similar turn on Chinese citizens’ foreign investments.

“There are concerns here about the possibility of data being spied on while processing in China,” Wahyudi Djafar, deputy director of Jakarta’s Institute for Policy Research and Advocacy, told FORUM. “China-based companies process personal data of Chinese citizens and citizens in other countries as part of their obligation to process data in China.”

PRC laws — such as the Data Protection Act and the more recent Personal Information Protection Law — could empower Beijing’s cyber regulators to access Indonesians’ personal data, thanks to the intermingling of data held by the unicorns and PRC-based companies affiliated with the same VCs, Wahyudi said.

“Indonesian startups serve as supply chains for products of other companies,” Bhima Yudhistira, director of the Center of Economic and Law Studies, a Jakarta-based think tank, told FORUM. “E-commerce unicorns, for example, are used to market products from [the shopping websites] Taobao and Alibaba in China. This integration involves outsourcing IT [information technology] resources or highly qualified labor to investors’ affiliate companies.”

The threat of cyber intrusion is a familiar one in Indonesia. The government’s National Cyber and Crypto Agency (BSSN) ranked the country among the 10 most-targeted globally in 2021. Attacks on government agencies including the Indonesian State Intelligence Agency were detected in March and April 2021 by Insikt Group, the threat research division of U.S.-based Recorded Future, The Associated Press reported. The attacks were “very likely” the work of PRC state-sponsored hackers, Insikt said.

In early 2020, a data breach exposed personal details of more than 15 million users of the Indonesian unicorn Tokopedia, including names, email addresses and passwords, The Jakarta Post newspaper reported. The hack also revealed that data on more than 90 million of the e-commerce site’s users was allegedly being sold online.

The Indonesian government is aware of the need for more resilient cybersecurity to protect its citizens, according to a May 2022 report by the Center for Digital Society at Gadjah Mada University, titled “Cybersecurity and Cyber Resilience in Indonesia: Challenges and Opportunities.”

Under an April 2021 presidential decree, BSSN is being reorganized to give the agency “space to work more effectively, efficiently, and right on the target,” the report noted. In addition, stronger enforcement of regulations, and more training for government and private sector personnel is being introduced.

The U.S. also is partnering with Indonesia to strengthen cybersecurity. In 2018, the nations signed an agreement for U.S. experts to train Indonesian law enforcement officials in using digital forensics to defend against cyberattacks, according to CISO MAG, an information security publication.

In June 2022, Indonesian Defense Minister Prabowo Subianto and U.S. Defense Secretary Lloyd Austin met during the Shangri-La Dialogue international security summit in Singapore to discuss their nations’ defense relationship, including a new cybersecurity training initiative, the U.S. Defense Department said.

IMAGE CREDIT: ISTOCK