Indonesia has become a hub for spyware and surveillance tools that threaten citizens’ rights and privacy, Amnesty International has found.
Building on existing research into the sale of surveillance technologies to Indonesia, the NGO has conducted a months-long investigation in collaboration with several media outlets in Switzerland, Greece, Israel and Indonesia.
Amnesty International found evidence of extensive sales and deployment of highly invasive spyware and other surveillance technologies in Indonesia between 2017 and 2023.
These tools came primarily from Israel, Greece, Singapore, and Malaysia. They include Q Cyber Technologies (linked to NSO Group), the Intellexa consortium (owner of the Predator spyware), Saito Tech (aka Candiru), FinFisher and its wholly owned subsidiary Raedarius M8 Sdn Bhd, and Wintego Systems.
Amnesty said, “Indonesia is relying on a murky ecosystem of surveillance suppliers, brokers, and resellers that obscures the sale and transfer of surveillance technology.”
Indonesia’s Government Agencies Involved
Indonesian government agencies have been identified as some of the buyers of these controversial tools. These include the Indonesian National Police (Kepala Kepolisian Negara Republik) and the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara).
“Several of these imports have passed through intermediary companies located in Singapore. These companies appear to be brokers with a history of supplying surveillance technologies and/or spyware to state agencies in Indonesia,” Amnesty noted.
Spyware and surveillance tool providers operating in Indonesia typically use a complex scheme in which intermediary companies are established with nominal company secretaries recorded as owners of the company’s registry documents or company shares. This makes it challenging to identify the actual owner of the company.
“By covering the beneficial owner in this way, verification of end-to-end supply chains for dual-use goods becomes close to impossible, making public procurement oversight challenging,” Amnesty explained.
The NGO also found malicious domain names and network infrastructure linked to multiple advanced spyware platforms, seemingly aimed at targeting individuals in Indonesia.
These include domains that mimic the websites of opposition political parties and major national and local news media outlets, including media from Papua and West Papua with a history of documenting human rights abuses.
However, the report insists that Amnesty and its partners did not focus on forensic investigations to identify individual spyware targets. “As such, Amnesty International does not have evidence that the surveillance technologies described have been used to target specific members of civil society in Indonesia,” the NGO added.
Lack of Relevant Laws Regulating Surveillance
One reason spyware and private surveillance tech are thriving in Indonesia is the absence of laws governing the lawful use of such tools.
Indonesia’s Electronic Information and Transactions Law (EIT Law) provides the most relevant regulatory framework for regulating the use of wiretapping for law enforcement purposes.
However, this law does not include specific mechanisms to request transparency or disclose the use of interception methods in instances of ‘national security’ or law enforcement concern.
Amnesty concluded that this lack of regulation “leaves the public in the dark and poses a significant risk to civil society in Indonesia.”
At the end of its report, the NGO issued a call for countries to:
- Ban the sale, transfer, export and use of highly invasive spyware
- Implement a global moratorium to halt the sale, transfer, and use of surveillance technology until there is a proper human rights regulatory framework in place that protects people from the misuse of these tools