Prevention and Eradication in Indonesia Cyber-terrorism Prevention and Eradication in Indonesia November 2008 Edmon Makarim, S.Kom., S.H., LL.M. Department of Telecommunication and Information Republic of Indonesia

Cyberterrorism The use of the Internet for terrorist purposes, such as: (a) attacks via internet that cause damage not only to essential electronic communication systems and the IT infrastructure but also to other infrastructures, systems, and legal interests, including human life  public utility damage (b) dissemination of illegal content, including threatening with terrorist attacks; inciting, advertising, and glorifying terrorism; fundraising for and financing of terrorism; recruiting for terrorism; and dissemination of racist and xenophobic material; as well as (c) other logistical uses of IT systems by terrorist, such as internal communication, information acquisition, and target analysis [ Prof. Dr. Dr. h.c. Ulrich Sieber and Phillip W. Brunst. Cyberterrorism – the Use of the Internet for Terorist Purpose. (expert report), Council of Europe, December 2007. p.11]

Existing Law and Regulations (1) Indonesian Penal Code (KUHP) => 335 & 336 Law No.36 Year 1999 concerning Telecommunication => 38 jo 55 Law No.15 Year 2003 concerning Eradication of Terrorism (“Law of Terrorism”) President Regulation No.7 Year 2005 concerning Mid Term National Development Plan for year 2004-2009 (RPJM) particularly in Attachment Chapter VI concerning Terrorism, Law No.11 Year 2008 concerning Electronic Information and Transaction (“Law of EIT”) + Ministerial Decree No.166/Kep/M.Kominfo/11/2006 concerning Indonesia Security Incident Responses Team On Internet Infrastructure (ID-SIRTII) <=> ID-CERT

Law No.15 Year 2003 In Article 6, it is stipulated that any person committed intentionally violence or threat of violence that cause situation of terror or fear toward a persons broadly or cause massive victims by seizure other freedom or lost of life or possession, or cause damage or destruction of strategic vital objects, or environment or public facilities or international facilities, shall be liable to be sentenced for death sentence, or whole life imprisonment, or imprisonment for minimum f (four) years and maximum 20 (twenty) years. While in Article 7, it is stipulated that any person committed intentionally violence or threat of violence which intention is to cause situation of terror or fear toward person broadly or cause massive victims by seizure other freedom or lost of life or possession, or cause damage or destruction of strategic vital objects, or environment or public facilities or international facilities, shall be liable to be sentenced for maximum whole life imprisonment.

Relevant Law and Regulations (2) Law No.19 Year 2002 concerning Copyright => art.17 + 72 (4) President Instruction concerning E-Gov President Decision concerning Board of National IT and Communication Ministry Regulation concerning Guidance of the National IT Governance Etc.

Case A Email terror The case is dispatch of emails which contain terror by a woman to her ex boyfriend who run away and married other woman in United States. Because of her hatred toward him, she had sent emails by other name to his relatives, school and church where the marriage would be held. the perpetrator was charged with primary charge Article 226 of Indonesia Criminal Code and subsidiary charge Article 335 paragraph (1) of the Code. The perpetrator was also charged with Article 7 of Law of Terrorism provides sentence for any one who has intention to cause situation of terror or fear broadly

Case B The second case is a set up of a site to disseminate information contain terrorism (www.anshar.net). This site was purposed to facilitate communication between them and to facilitate to teach to internet users how the terror conducted. under Registration Case No. 84/PID/B/2007 PN SMG, at least the perpetrator was charged Article 13 point (c) of Law of Terrorism which provide sentence for any person who gives aid or facility for perpetrator of the terrorism criminal act, particularly in this context is communicating through internet.

REGISTRASI HOSTING & DOMAIN website : http://www.anshar.net MAX FIDERMAN als MAP GG. Pangeran Cendono Rt. 04/05 Dawe Kudus Jawa Tengah Registrasi www.anshar.net hosting domain Isi form registrasi : - Isi email : ahmad@maxfider.com - Minta konfirmasi utk pembayaran - Isi form data kartu kredit Submit data kartu kredit curian hosting = 300 £ per year domain = 60 $ US per year www.anshar.net “online” www.openhosting.co.uk QITAL ISI CONTENT UP LOAD TEMPLATE www.joker.com

LAPORAN POLISI NO.POL : LP-A/…./VIII/2006/SIAGA…… TGL……. AGUSTUS 2006 TTG TINDAK PIDANA TERORISM PASAL 7,13 huruf c UU No 15 Tahun 2006 UNSUR-UNSUR PASAL 7 SETIAP ORANG SENGAN SENGAJA MENGUNAKAN KEKERASAN/ANCAMA BERMAKSUD UTK MENIMBULKAN TEROR/RASA TAKUT SECARA MELUAS/MENIMBULKAN KORBAN DG CARA MERAMPAS KEMERDEKAAN/HILANG NYAWA &HARTA BENDA PIDANA SEUMUR HIDUP TERSANGKA ABDUL AZIS “qital” (Guru Komputer SMA dipekalongan) MAX FIDERMAN alias MOHAMMAD AGUNG PRABOWO Mahasiswa Fak Teknik Elektro Universitas Semarang SAKSI-SAKSI BENY IRAWAN ANDI JATI TRISTIYANTO MARDI SISWO UTOMO PETUGAS BNI CBG SUTA USM ADMIN ISP PETUGA LAB POLRI PRTUGAS POLRI AGUNG SETYADI Skom. “pakne” “salafuljihad” Dosen FTI Universitas STIKUBANK BARANG BUKTI DIGITAL MP3 BLUETOOTH USB SIM CARD IM3 &MATRIX MILIK M AGUYNG PRABOWO HARDISK BARACUDA ATA IV ST 3200 II A 20 GB NO SERI 3HT4HM81 BUKU TABUNGAN & PRINT OUT AN M AGUNG PRABOWO 2 KOMPUTER MILIK IS & ISSAC TAYIB ( DPB) HARDISK LAB UNISBANK HP/CDR TLP AGUNG SETYADI HASIL DIGITAL EVIDENT LAB KOMPUTER FORENSIC DLL

DETIKNAS (ICT National Council) => 7 Flagship Programs e-education e-Procurement e-budget National Single Window National Identity Number Palapa Ring Software Legalization

EIT Outline Ch I : General Provisions Ch II : Principles and Purposes Ch III : Electronic information, document & signature Ch IV : Electronic System Provider (including CA) Ch V : Electronic Transaction Ch VI : Domain Name, IPR & Privacy Ch VII : Prohibited Act (Crime) Ch VIII : Dispute Resolution Ch IX : Government Role & Public Participation Ch X : Investigation Ch XI : Criminal Sanction Ch XII : Transition Provision Ch XIII : Closing

Chapter I General Provisions Electronic Information (EI) : electronic data or collection of electronic data include but not limited to writing, sound, picture, map, planning, photo, electronic data interchange, email, telegram, telex, telecopy, or alike letter, sign, number, access code, symbol, or perforation which has meaning for or can be understood by a person through a particular process.

Electronic System (ES) : a set of electronic equipment and procedure to prepare, collect, process, analize, store, present, publish, and/or disseminate EI. Electronic Transaction (ET) : a legal action conducted by or through computer, computer network, or other electronic media. Electronic Document means every Electronic Information made, transmitted, sent, received, or stored on analog, digital, electromagnetic, optical, or the like, which can be seen, presented, and/or heard by means of Computer or Electronic System, include but not limited in writing, sound, picture, map, plan, photo or the like, letter, mark, number, Access Code, symbol, or perforation which has meaning or which can be understood by particular person

Chapter II Sphere of Application For: Every Person Conducts legal action regulated in ETI place : in or outside Indonesia legal impact : in or outside Indonesia harm Indonesia’s interests

Article 2 Principles and Purposes Certainty - Good Faith Benefit - Freedom to Choose Prudent - Technology Neutral Purposes facilitate Trade & Economy Justice and legal certainty Technology Development

Chapter VII Prohibited Actions Article 27 (1) Any person, committed intentionally and without right, distributes and/or transmits and/or enables the accessibility of the electronic information and/or the electronic document with indecent content. (2) Any person, committed intentionally and without right, distributes and/or transmits and/or enables the accessibility of the electronic information and/or the electronic document with gambling content. (3) Any person, committed intentionally and without right, distributes and/or transmits and/or enables the accessibility of the electronic information and/or the electronic document with humiliation and/or defamation content. (4) Any person, committed intentionally and without right, distributes and/or transmits and/or enables the accessibility of the electronic information and/or the electronic document with blackmail and/or threat content.

Article 28 (1) Any person, committed intentionally and without right, disseminates hoaxes and misleading news that caused any loss to the consumers in an electronic transaction. (2) Any person, committed intentionally and without right, disseminates information with the aim to create hatred and hostility among individuals and/or certain communities based on ethnic-groups, religion, race and inter groups. Article 29 Any person, committed intentionally and without right, sends the electronic information and/or the electronic document containing a threat or intimidation to be aimed at the target personally.

Article 30 (1) Any person, committed intentionally and without right or violating the law, accesses a computer and/or an electronic system belong to the other persons using any method. (2) Any person, committed intentionally and without right or violating the law, accesses a computer and/or an electronic system using any method to obtain any electronic information and/or electronic document. (3) Any person, committed intentionally and without right or violating the law, accesses a computer and/or an electronic system using any method by breaking, trespassing, surpassing or hacking the security system.

Article 31 (1) Any person, committed intentionally and without right or violating the law, intercepts or taps electronic information and/or an electronic document in a computer and/or a certain electronic system belongs to other person. (2) Any person, committed intentionally and without right or violating the law, intercepts the transmission of electronic information and/or electronic document which are closed to the public, from, to, and in a certain computer and/or an electronic system belongs to the other person that may or may not cause any change that changed, deleted and/or stop the process of transmission of the electronic information and/or the electronic document. (3) The interceptions as referred in Clause (1) and Clause (2) are prohibited except the interception for law enforcement by the police and attorney and/or other law enforcement institutions as stipulated by Law. (4) Further provisions on the interception procedure as referred to in Clause (3) shall be stipulated under the Government Regulation.

Article 32 (1) Any person, committed intentionally and without right or violating the law, by any method whatsoever changes, adds, reduces, transmits, damages, eliminates, transfers and hides the electronic information and/or electronic document belongs to other person or public. (2) Any person, committed intentionally and without right or violating the law, by any method whatsoever changes or transfers electronic information and/or electronic document to the other electronic system belonging to the other person without right. (3) Any action set forth in Clause (1) causing a confidential electronic information and/or a confidential electronic document to be accessible by the public with the inappropriate data integrity.

Article 33 Any person, committed intentionally and without right or violating the law, performs any action that caused disturbance to an electronic system and/or caused an electronic system operate not properly. Article 34 (1) Any person, committed intentionally and without right or violating the law, produces, sells, procures to be used, imports, distributes, provides , or possesses: a. hardware or software of computer designed or specifically enhanced to facilitate the prohibited actions as referred to in Article 27 to Article 33. b. computer codes, access codes or similar to it which are designed to make an electronic system be accessible with the aim to facilitate any prohibited action as referred to in Article 27 to Article 33. (2) Any action as referred in Clause (1) is not a criminal action if it is being used to conduct a research, an electronic system test, with the aim to protect the electronic system alone legally and not violating the law.

Article 35 Any person, committed intentionally and without right or violating the law, manipulates, creates, changes, deletes, damages electronic information and/or electronic documents with the aim to make the electronic information and/or the electronic documents to be regarded as an authentic data. Article 36 Every person shall be intentional and without right or break the law to carry on the action as referred toin Article 27 up to and including Article 34 implicated damage for other.

Summary of Ch VII Article 27, 28 & 29 => distributing illegal content Obscene/porn; Gambling; defamation; False statement; Hate-speech, racism or xenophobia; cyber stalking Sanction/punishment: max 6-12 years and/or penalty max 1-2 Billion (Art. 45) 23

Max 10 years and/or penalty max 800 million (Art 47) Art 32 Illegal Access Max 6-8 years and/or max 600-800 million (Art 46 section (1), (2) and (3)) Art 31 Illegal Interception Max 10 years and/or penalty max 800 million (Art 47) Art 32 Data Interference Max 8-10 years and/or penalty max 2-5 Billion (Art 48 section (1), (2) and (3)) Art 33 Interception Max 10 years and/or penalty max 10 B (Art 49) 24 24

Art 34 Art 35 Art 36 Misuse of Devices max 10 years and/or penalty max 10 B (Art 50) Art 35 Computer Related Forgery max 12 years and/or penalty max 12 B (Art 51) Art 36 Computer Related Fraud 25

Added Punishment (Art 52) IIf the indecent materials [Art 27 section (1)] concerning children Basic punishment + 1/3 of basic punishment I If the activities destroying strategic data Government data related with public services  + 1/3 of basic punishment Strategic data related with financial, defense, etc  + 2/3 of basic punishment Was done by corporation  + 2/3 of basic punishment 26

CHAPTER IX The Role of The Government & The Society Article 40 (1) The government shall facilitate the utilization of information technology and electronic transaction pursuant to the provisions of the prevailing laws and regulations. (2) The government shall protect the public interests from all kinds of disorder as the result of the abuse of electronic information and electronic transaction that disrupt the public order pursuant to the prevailing laws and regulations. (3) The government shall decide the bureau or the institution possessing strategic electronic data that have to be protected. (4) The bureau or the institution as referred to in Clause (3) shall prepare the electronic document and its electronic backup and connect them to certain Data Centre in order to safeguard the data. (5) The other bureau or institution apart from those stipulated in Clause (3) shall make the electronic document and its electronic backup in accordance to the need for their data protection.. (6) Further provisions on the role of government as referred to in Clause (1), Clause (2), and Clause (3) shall be stipulated under the Government Regulation.

Article 41 (1) The society may involved to enhance the utilization of information technology by means of using and organizing the electronic system and the electronic transaction pursuant to this Law.. (2) The role of the society as referred to in Clause (1) can be organized by an institution which is established by the society.. (3) The institution as referred to in Clause (2) may have the function of consultation and mediation.

CHAPTER X Investigation Investigation shall be conducted based on provisions in Criminal Proceeding Law. (Art. 42) The Investigators are POLRI and PPNS. (Art. 43) Investigators shall pay attention on privacy aspect, confidential status, the continuation of public service, data integrity and public interest.

Evidences (Article 41) Investigation, prosecution and trial in court: Evidences are based on Laws and Regulations; Other evidences : (i) ED and (ii) EI.

Government Regulation Draft NEXT STEP: Government Regulation Draft Implementation of EIT Board of Trust mark Certification; Electronic Signature ; Electronic Certification Providers ; Electronic System Exertion ; Electronic Transaction ; Electronic Agent Exertion ; Domain Administrator ; Board of Strategic Data ; Lawful Interception 31

Others Draft of Ministry Regulation concerning Content Multimedia Guidance; Draft of Ministry Regulation concerning Spamming ; Draft of Government IT Security ; Draft of Ministry Regulation concerning CA ; Draft of Ministry Regulation concerning Standard Audit.

Others Revision of Company’s Filling & Documentation (e-filing) Draft of Law (Bill) concerning Data Protection Act Draft of Law (Bill) concerning IT/Cyber-crime Act

THANK YOU FOR YOUR ATTENTION