F

ears of the misuse of personal data on the internet have resurfaced after a number of people complained that they had been contacted by debt collectors for short-term loan services.

Ali Akbar Alsanjani, a 25-year-old employee, said he was surprised when he was contacted by a person claiming to be a staff member of Rupiah Plus, a peer-to-peer online lending platform. In the phone call, Ali was asked to tell his friend to pay off the latter’s debt to the platform.

The debt collector claimed Ali’s name and phone number had been submitted as his friend’s emergency contact when the latter requested a loan. “But they never informed me that I would become an emergency contact for my friend,” Ali told The Jakarta Post.

Surprisingly, Ali said his friend claimed he had never given his name or phone number to the platform and made him as its emergency contact.

“I later heard from my friend that the lending platform could look into the contact list on his cell phone and even open his call log and messages,” said Ali. When he shared his experience on Twitter, it quickly became clear that other users had similar experiences. A user with the Twitter handle @Mitund replied to Ali’s tweet, saying she had once been contacted by a debt collector who claimed her friend had submitted her name as an emergency contact for a loan scheme.

“My friend even showed me the application form, which clearly showed that my name had not been put on the form as an emergency contact [for requesting a loan],” says @Mitund.

“The loan platform is stealing data from the cell phones of borrowers so that its debt collectors can send messages to all of the clients’ contacts,” @Mitund alleged.

The incidents have caused widespread uneasiness and compelled Rupiah Plus president director Bimo Adhiprabowo to issue an apology over the misconduct of the company’s debt collectors. A meeting between representatives of the platform and the Financial Services Authority (OJK) was held on Monday to address the problems.

Still, questions about the privacy of debtors’ personal data stored in their cell phones linger. Flawed data protection is a risk for an increasing number of consumers as peer-to-peer (P2P) lending schemes grow rapidly in the country.

As of April, the OJK has granted operational permits to 44 money-lending businesses, with around 100 more companies waiting for approval. Commenting on the situation, ICT Watch researcher Sherly Haristya said Rupiah Plus and other platforms found to have committed similar practices could be categorized as “abusive apps”, or applications that harvest personal data from its users without applying a proper personal data protection mechanism.

“This kind of app could affect many aspects of our life. In this case, Rupiah Plus and similar applications could hinder the development of the digital economy and startups across the country,” Sherly said.

She added the latest incident involving Rupiah Plus resembled earlier brouhaha pertaining to social media giant Facebook.

Earlier this year, Facebook revealed that the personal data of 50 million of its users, including more than 1 million in Indonesia, had been improperly shared with a United Kingdom-based political consulting firm, Cambridge Analytica.

The incident saw Facebook representatives face hours of questioning on the protection of users’ personal data by authorities in many countries, including the House of Representatives and the National Police’s cybercrime division in Indonesia.

Sherly said such incidents could be prevented by a data protection law and awareness from each application developer that improper practices could affect the sustainability of their business.

“Consumers also play an important role in preventing similar incidents by reporting them to authorities and improving their digital literacy.”

A lack of digital literacy has been blamed as the cause of recurring incidents related to users’ personal data security, because most users fail to read privacy policies. Meanwhile, other critics blame the companies for not making such necessary documents open to public or publishing long legal documents that are not easily understood. The OJK did not respond to a request for comment.