Alleged Alibaba Singapore link sparks election cybersecurity concerns in Indonesia

INDONESIA: Following the 2024 General Election, the public has been alarmed by anomalies in the vote-counting process, as compiled by the General Election Commission’s information system, Sirekap.

Discrepancies have been observed between the vote tallying on Form C1 and the tabulated data on the sirekap-web.kpu.go.id and pemilu2024.kpu.go.id websites.

In response to these events, Cyberity – a community focused on cybersecurity issues and data protection in Indonesia – Chairman Arif Kurniawan initiated research and investigation into the two sites owned by the General Election Commission.

Alongside a joint investigative team, he highlighted several issues regarding the Commission’s IT system. Additionally, telecommunications expert Roy Suryo also disclosed several problems within the KPU’s websites and IT systems.

The investigation by Cyberity revealed that the General Election Commission (KPU) servers were located outside Indonesia.

“The pemilu2024.kpu.go.id and sirekap-web.kpu.go.id systems utilize cloud services with servers located in China, France, and Singapore,” stated Arif.

It was further discovered that the data and email traffic were routed through locations in France and Singapore, connected via Alibaba Cloud services.

Roy Suryo’s investigation identified the IP address 170.33.13.55 as belonging to Alibaba Cloud.

Technically, Sirekap is connected to web.kpu.go.id using the IP Address 170.33.13. Upon further inquiry, it was found that the web address is linked to Alibaba Singapore.

Moreover, the pemilu2024.kpu.go.id website was found to be connected to Zhejiang Taobao Network Co., Ltd.

The utilization of servers located abroad raised concerns about cybersecurity vulnerabilities in the pemilu2024.kpu.go.id application, leading to instability in the Sirekap application, particularly during critical periods such as elections and the days following.

Referring to Government Regulation No. 71 of 2019 on the Administration of Electronic Systems and Transactions (PSTE) and Law No. 27 of 2022 on Personal Data Protection (PDP), Arif emphasized that all Indonesian citizens’ data should be kept within Indonesia.

The handling of public sector data, particularly election data generated by public funds, should comply with Indonesian regulations.

Arif recalled previous anomalies in the KPU’s IT system, notably the data leak from the KPU website in 2023, where millions of Indonesian citizens’ information was exposed internationally, raising questions about the government’s commitment to safeguarding citizens’ data.

Despite these issues persisting over time, Arif criticized the KPU’s lack of initiative in addressing and improving its IT systems’ security.

He called for transparency, urging the KPU to disclose the results of security audits conducted on its systems and data protection measures.

Roy Suryo highlighted the risks associated with using Alibaba hosting, primarily designed for e-commerce, to store critical election data. He expressed concerns about potential data breaches or server disruptions compromising election data integrity.

Roy Suryo also highlighted the KPU’s failure to inform the public about the bidding process for a company that would gather voter data on Alibaba Cloud.

Call for transparent certification and nationwide public testing

“Even the certification is through the Ministry of Communication and Informatics. I openly question that. There must be a public test, and we have never heard of a public test,” he said.

“Public tests should not only be conducted in Jakarta but also in all regions. A system that works in Jakarta may not necessarily work in all 38 provinces of Indonesia,” Roy stated.

He further questioned the operators’ capabilities to manage the data. “If the operators are not certified, are we risking this public data to uncertified personnel?” he asked.

Roy pointed out the impact on the temporary vote count published through the KPU website.

“What happens now is that the number 1 changes to 4, 78 changes to 780. This is because the system and the people managing it are not certified,” he said.

On the other hand, Roy assessed the Sirekap system’s use of uploading Plano C1 forms for voter vote counting as outdated. Based on optical character recognition (OCR) and optical mark reader (OMR), Roy considered it not new as the embryo of the device has existed since 1914.

“Ironically, the KPU cannot fully utilize it, it can even be said to be haphazard and causing many technical errors,” Roy said.

Technical errors were evidenced by the number of C1 votes not matching the conversion results through pemilu2024.kpu.go.id.

This ultimately led to the case of vote count conversion criticized by many, thus alleging elements of structured, systematic, and massive violations adding votes to certain candidate pairs.

Demand for periodic security audits and robust IT systems in safeguarding election integrity

Wahyudi Djafar, Executive Director of the Institute for Studies and Advocacy for Society (ELSAM), emphasized that election data falls under the category of strategic data, as per Presidential Regulation 82/2022 on the Protection of Vital Information Infrastructure, necessitating its storage within Indonesia.

He questioned the absence of periodic security audits by the KPU and stressed the importance of ensuring the integrity and legitimacy of election results through robust IT systems.

Heru Sutadi, Executive Director of the ICT Institute, criticized the placement of election data outside Indonesia, especially sensitive data, raising concerns about its protection and potential manipulation.

KPU Chairman Hasyim Asy’ari acknowledged issues with the automatic data conversion process from C1 forms to the application. Despite discrepancies, the KPU instructed officials to upload documents to Sirekap.

The KPU admitted to errors in Optical Character Recognition (OCR) reading of C1 documents uploaded through Sirekap, affecting 2,325 Polling Stations (TPS).

Regarding this issue, KPU Commissioner Betty Epsilon Idroos denied that the Sirekap server was connected to Alibaba in Singapore. “No, the server is in Indonesia,” Betty said when approached at the KPU building on Saturday (17 Feb).

However, Betty declined to further explain the suspected IP address connection with Alibaba.