In March 2020, a hacker claimed to have successfully collected a staggering 91 million user data from Indonesia’s e-commerce giant, Tokopedia. The previous year, its competitor, Bukalapak, experienced a similar affair. However, in both cases, users’ trust seems unaffected. The reason can be because the users are unaware of those misconducts or the potential harm of the breach. I bring forward the ethical issue of companies’ tendency to exploit users’ trust. Are we trusting them too blindly?
Following the news, Tokopedia stated that customers are safe and urged them to update their passwords. That can be true if usernames and passwords are the only data the hackers got their hands on. However, the hacker showed that the data also contain personal information such as full name, e-mail address, phone number, and birth date. At the very least, that data can be sold to spammers who will be happy to bombard unaware users with scam attempts. To put numbers on this, at least 8 buyers have each agreed to pay $5,000 for the data.
Trust plays a key role for an e-commerce site like Tokopedia . Their CEO even mentioned that Tokopedia is a business of trust. We are willing to share our personal data in exchange for access to their services. Among others, we trust them to store our data securely. Of course, there is no such thing as a 100% secure system. In fact, that is exactly why we need trust; as a strategy to deal with uncertainty.
Paradoxically, educating the users regarding the value of personal data does not align with the interest of data-driven companies. After all, those companies want to gather as much data as possible. It is tempting to keep users in the dark and rely on blind trust. Therefore, we should ask ourselves if we have been trusting them too blindly. Consequently, have they been exploiting our trust?
In the following paragraphs, I analyze the impact of the breach on trust using the 4Cs model . As the name suggests, it dissects the matter into four layers: context, construction, curation, and codification. Technology makes it possible for companies to reduce perceived risk under a beautiful interface (see how cute the image is in their page asking for Citizen ID above?). The separation highlights that we should look beyond what is visible.
How do users experience the breach in the platform?
From my observation, nothing changes before and after the breach. Users do not get any prompt to change their passwords in the application itself, nor any e-mails. However, as a Firefox user, I got an alert the moment I entered Tokopedia website. Users who have not heard of the news and are not using Firefox may be clueless about the breach. The lack of response makes me wonder: are they trying to conceal it?
Clarification regarding the impact is key. Tokopedia should inform the users, within their platform, on what happened and which actions should be taken.
How much we know about the system design?
In this case, we are focusing on the security of personal data. This page describes how Tokopedia uses Alibaba Cloud to host their services. It also explains how they secure the networks and which the database they are using. To claim that our data is safe barring the breach, we need more information regarding the security design.
What is the root cause of the breach? Are there any additional data at risk? What architectural changes are they making after the breach?
Who has control of the platform?
After learning that Tokopedia hosts their applications in Alibaba Cloud, who happens to be one of the lead investors of Tokopedia, a question arises on how much control does Alibaba have. Besides, Tokopedia also has a partnership with OVO, a financial technology company, to serve as their payment platform.
We cannot just trust Alibaba and OVO to follow the terms that we have agreed with Tokopedia because we do not know what kind of data sharing exists between them.
Which rules have been violated?
Ironically, Indonesia’s Data Protection Law is still under review — it has been since 2015 — with no end in sight . The current applicable regulation is “Privacy Protection in the Electronic System” by the Minister of Communication and Informatics. Users have to trust the ministry to monitor that users’ privacy is respected and secured accordingly. Looking at how this is the second case in two years, the relationship between the users and the government will be affected as well.
As this breach hurts both parties, Tokopedia should work together with the government to retrospect and prevent the same mistake happening again and again. Throughout the process, they need to keep the users in the loop.
In this post, I consider the tendency of tech businesses to exploit blind trust in favour of collecting as much data as possible. Trust is only ethical if it matches what is at stake. By analyzing the 4C layers, I discuss how minimal our knowledge is regarding the platform. Now that a breach has happened, we have to readjust our trust. Do not wait until the next Cambridge Analytica to happen. Now is the time.
 See Lankton & McKnight (2011).
 For an example of in-depth analysis with the 4Cs model, see Keymolen & Van der Hof (2019)
 More on the draft of privacy law and the relevance to the unicorns, including Tokopedia and Bukalapak, see my previous post (In Indonesian). Bear in mind that the privacy policies can be updated and may no longer be relevant.