00:00:07
It all started when the pandemic began.
00:00:09
More than 160 countries shut down schools for years.
00:00:13
As a result, 87% of the global student population is homeschooled.
00:00:20
Teaching and learning activities are
forced to switch to virtual classrooms.
00:00:24
Since then, Educational Technology\
has taken the world by storm.
00:00:27
Many of them receive funds unexpectedly,
00:00:30
either from rapid customer growth
00:00:33
or venture capital who are attracted to invest in them.
00:00:36
However, the practice of online learning
is suspected to trigger many violations.
00:00:41
Users' data is secretly collected
and sold to advertising companies.
00:00:45
Narasi and Human Rights Watch,
along with 14 media from 23 countries
00:00:50
collaborated to reveal this phenomenon.
00:00:53
According to our findings, we found more
than 166 online learning platforms in 49 countries,
00:00:58
with about 90 percent of them being engaged in data-mining
practices that compromise the privacy of children.
00:01:04
And Indonesia is one of them.
00:01:16
He wakes up at 06.30 in the morning, takes a shower, eats breakfast,then logs into the ‘classroom’ at 8 a.m.
00:01:29
Budi uses his break time
00:01:31
to communicate with his friends and grandmother in Russia.
00:01:34
“Good Morning, Budi!”
00:01:35
He also enjoys watching cartoons on YouTube.
00:01:38
After the online school is over, he will finish his English homework.
00:01:42
In order to understand his homework,
he uses educational technology applications,
00:01:47
then uploads his homework to his teacher's social media accounts.
00:01:52
Unbeknownst to him, an invisible swarm of tracking technologies surveil
00:01:55
Budi’s online life throughout his day.
00:02:00
A few milliseconds after Budi entered his online class in the morning,
00:02:04
the machine started tracking Budi's
00:02:07
physical location—family room or living room.
00:02:13
His interactions with his classmates were monitored
00:02:15
and then passed along on to advertising technology companies.
00:02:19
Even though class was over, the tracker kept monitoring him
00:02:22
while surfing internet sites and some apps.
00:02:26
and then passed along on to advertising technology companies.
00:02:29
and downloads personal details about his family
and friends.
00:02:32
Budi and his mother are unaware that their activities are being watched.
00:02:36
Both are simply attempting to follow school rules by using this app
00:02:41
during the pandemic.
00:02:44
To find out what really happened to Budi,
00:02:46
we need to know how the app generates money.
00:02:50
There are numerous options, such as selling paid apps,
00:02:53
collecting commission fees on each transaction,
00:02:55
or selling vouchers like online games do.
00:02:58
Today we burn diamonds
tomorrow eat Indomie ha..ha..ha
00:03:05
Aside from that,
00:03:07
the most common thing apps do is data mining.
00:03:11
Take a look at this simple overview to see how it works.
00:03:13
To support app performance, several permissions must be approved by the user.
00:03:18
Do you know that the Android system has hundreds of permission types?
00:03:22
Some examples include GPS, camera,
00:03:26
microphone, phone contacts, call logs,
00:03:30
browser activity, and others.
00:03:32
Data mining begins immediately once you agree to those terms and conditions.
00:03:37
Data about you will accumulate, increasing day by day
00:03:41
Consider this train as a sophisticated algorithm engine.
00:03:44
This bunch of unorganized data then will be neatly organized.
00:03:48
This is where your behavior is revealed.
00:03:51
They can discover things
00:03:52
like where you normally go, who your closest one are,
00:03:56
what you enjoy, what you buy,
00:03:59
and hundreds of other personal details
00:04:01
This is how the educational technology company makes money.
00:04:07
And several educational applications in Indonesia carry out this approach.
00:04:11
We conducted research in 49 countries,
00:04:16
where 165 applications in these countries except Morocco
00:04:22
have all done data-mining of children’s personal information
00:04:27
which is then sold to advertising companies,
00:04:29
where these companies would then sell the data to their clients to target children.
00:04:35
The government, through the Ministry of Education and Culture,
00:04:39
recommended a number of educational technology companies
00:04:42
for students in Indonesia to use shortly after the online learning process began.
00:04:45
In the Circular Letter of the Minister of Education and Culture,
00:04:47
it recommended six local educational technology companies,
00:04:50
such as Kelas Pintar, Ruangguru, Quipper, Sekolah.mu,
00:04:54
Zenius Education, and Rumah Belajar.
00:04:57
These six applications were promoted by the Ministry of Education and Culture
00:05:00
at the beginning of the pandemic to be used by students in Indonesia.
00:05:03
We used two methods to analyze these six educational technology applications.
00:05:07
First, static analysis.
00:05:09
We obtain the data by examining the application's code
00:05:12
and any instructions that may run once the app is opened.
00:05:15
The tools used for static analysis are open source.
00:05:18
It’s Exodus and Pitheus.
00:05:21
Second, dynamic analysis.
00:05:24
By compiling and inspecting the running code
00:05:27
in Android Developer Studio,
00:05:29
we can watch the application work in real time.
00:05:32
This analyzing process is assisted by the Defensive Lab Agency,
00:05:35
a mobile digital security agency in France.
00:05:38
The results of the analysis found
00:05:39
several odd occurrences done by educational applications in Indonesia.
00:05:43
For example, the app permissions.
00:05:45
App permissions should, in theory, match the application's requirements.
00:05:48
GPS access for transport apps or camera access for photo editing apps.
00:05:54
But what if the requested access
00:05:57
does not match the service?
00:05:59
This is where the oddity lies.
00:06:01
Three of the six apps require
00:06:04
precise GPS access.
00:06:07
Can be seen from these two access requests, and this.
00:06:10
This data can be found in Rumah Belajar, Sekolah.mu, and Ruangguru.
00:06:15
From these two app permissions, the applicator
00:06:17
can retrieve precise location data for user activity.
00:06:20
Pada keterangan apps permission di android store,
00:06:27
Meanwhile, Ruangguru keeps its data collecting secret.
00:06:31
The main question is, what is the purpose of GPS access in educational applications?
00:06:36
in either instant when it came to GPS data.
00:06:40
usually one can think of legitimate reasons why any mobile apps want precise location data.
00:06:47
If you using Mapping Apps because of part of the functionality of the apps.
00:06:55
For education apps, I have no single compelling genuine reasons
00:07:00
why education apps want to know the precise location to that.
00:07:04
That is not thing apps should to child provide more learning.
00:07:09
So thats sentence means.
00:07:11
This is the same for Indonesia as well
00:07:14
These points are actually...several hubs
00:07:18
in cities throughout Indonesia.
00:07:21
These points will be able to support
00:07:26
the children who are close to the GPS,
00:07:30
so it can be something beneficial for our users,
00:07:34
knowing that there is a nearby teacher
00:07:37
who they can go to so they can do learning much better.
00:07:42
Meanwhile, a written objection was submitted by Ruang Guru via email.
00:07:47
They claim not to track
the exact location of the user.
00:07:50
Because Ruangguru doesn't need a location
accurate for their products and services.
00:07:55
They emphasized that in all versions, they never asked for GPS access.
00:08:00
Another interesting permission to examine is the Read_Phone_State access
00:08:04
requested by Ruang Guru,
00:08:06
Kelas Pintar, Sekolahmu and Zenius.
00:08:09
If this access is opened, the applicator can find out your child's phone number,
00:08:14
cellular network information and the status of ongoing calls.
00:08:20
Oleh Ruang Guru dan Kelas Pintar,
00:08:25
Why?
00:08:26
Because they also request access to call logs and contact numbers.
00:08:32
These three combinations of read_phone_state,
00:08:33
call logs dan read_contacts
00:08:35
are enough to let the Ruangguru and Kelas Pintar know
00:08:38
who your children's connections are.
00:08:41
The reason we collect data from Read Phone State Permission Access
00:08:46
is to add data points
00:08:49
that we can collect for continuous improvement hours. Digital products and services,
00:08:55
more or less. In order to make it easier for these students
00:08:59
to participate in all of our services.
00:09:02
We can expand the learning experience
00:09:06
by opening access
00:09:11
to their contacts so they can easily just choose
00:09:15
which friends they could invite from Zenius.
00:09:17
join the referral program.
00:09:20
However, Ruang Guru gave a biased answer about Read_Phone_State.
00:09:23
They denied requesting or using this data.
00:09:26
However, they admit that they are able to remove the access in the next version release.
00:09:32
As for the call logs, they openly denied it. And again,
00:09:36
they insist that this objection is based on the permissions on Google Play, which they have no authority to change .
00:09:44
The next question is,
00:09:46
if these data were collected and sold to advertising companies,
00:09:50
will the individual identity in it be removed?
00:09:56
Ruangguru's privacy policy in this section on disclosing personal data is interesting to note.
00:10:01
We do not disclose information about identifiable individuals,
00:10:05
but we may provide them with aggregated information about our users.
00:10:09
Aggregate information, that’s the keywords.
00:10:13
They want to convey that aggregates are numerous and not directed at specific persons.
00:10:23
Our findings contradict Ruang Guru's claim.
00:10:27
They were proven to collect every users’ Android Advertising ID (AAID)
00:10:33
With AAID, developers and Google ad network
00:10:37
can identify our mobile phones among hundreds of millions Android devices.
00:10:43
With this thing called AAID, they can provide ads that match our interests and behavior.
00:10:48
It means that not only data behavior, they only send the subject or who owns the data.
00:10:50
Ruang Guru transfers a bulk of AAID to other parties, according to the Defensive Lab.
00:10:55
The capacity to collect Advertising ID conducted by Ruang Guru
00:10:57
is just one of five applicators who collected Advertising IDs..
00:11:01
However, only sekolahmu,
00:11:05
Zenius
00:11:08
and Quipper, out of the six apps, openly admit to using Advertising ID.
00:11:13
he rest of them, Ruangguru,
00:11:18
Rumah Belajar
00:11:21
and Kelas Pintar, they all completely covered up this action.
00:11:25
Through written confirmation in the email, Quipper denied that they collected Advertising ID.
00:11:30
Ruang Guru also denied the allegation.
00:11:33
They denied collecting personal information about their users.
00:11:39
On the other hand,
00:11:41
Zenius and Sekolah.mu openly admit that they collected the data
00:11:44
for business development.
00:11:46
As for the technical aspect, we have to get back to finding out
00:11:51
the technical details in an engineering way.
00:11:54
But what we want to ensure is that and that's the goal,
00:12:00
as I said earlier. But for the implementation details for this one, we have to get back anyway.
00:12:09
Basically, we see that
00:12:12
when we ask for consent from child users,
00:12:19
Pada dasarnya kita juga
00:12:28
Secondly, for business, we actually use Ads from apps like Google.
00:12:34
Secara posisi memang ada ID-nya yang di generate
00:12:40
For instance, we provide advertisements or information
00:12:45
on further learning activities or further packages
00:12:49
related to the user's learning
00:12:52
activities for other occasions.
00:12:56
ctually, the ID collection is carried out there.
00:12:58
But again, this is more of our internal interests.
00:13:06
For example, we make another program whose purpose is to learn as well.
00:13:14
Dibandingkan lima aplikasi lain,
00:13:19
Not only Advertising ID,
00:13:21
they also collect users' IMEI.
00:13:25
The IMEI is the phone's unique identifier. It is irreplaceable.
00:13:30
That’s why IMEI is very personal.
00:13:33
Law enforcement frequently uses IMEI access to track a case.
00:13:37
AAID and IMEI are explicitly prohibited from being deposited
00:13:40
if its users are children, according to Google's child privacy policy.
00:13:45
Children are the main users of these apps.
00:13:48
So, how does the practice keep running?
00:13:50
When it comes to appropriations,
00:13:54
I think if asked what is the designation for?
00:13:56
Yes indeed from the business strategy itself.
00:14:00
When talking about business strategy in the end
00:14:04
we also can't let go of whether
00:14:08
If this student has learned
something, we don't need
00:14:11
to follow it, so he will
follow the agreed steps?
00:14:16
Precisely if it is
asked that is part
00:14:19
of how the business
strategy itself.
00:14:24
Which should be the question, if I say so
00:14:28
We are not thrown as executors.
00:14:31
This means that even if there is such a concern, yes,
00:14:36
there are things that are approx
00:14:39
a concern for the government or anyone representing this.
00:14:44
If from the point of view of the children
it doesn't seem right and doesn't fit,
00:14:47
to get the data to be like that,
00:14:50
yes, it means that the complaint must
be conveyed to the business partner itself.
00:14:56
not us as the business entity.
00:14:59
Because if we see it as part of a strategy.
00:15:02
What we do is implement the strategy
00:15:06
And if the partners can
submit the data and incidentally
00:15:09
it is finished, compliance is
complete within one country
00:15:13
I thought it was no problem with us.
00:15:17
This company can sell and send children’s personal data to advertising companies.
00:15:24
This can be seen in technical analysis by looking at the software development kit (SDK)
00:15:29
data incorporated in the application.
00:15:31
That data is usually used to analyze app performance or track bugs and crashes.
00:15:37
Yet, some might be deposited for profiling analysis and, eventually, targeted advertising.
00:15:42
Some programs' SDKs have been identified
00:15:46
transmitting data to advertising marketing companies,
00:15:50
such as Ruang Guru and Zenius to AppsFlyer,
00:15:53
a multinational company headquartered in Silicon Valley, USA.
00:15:57
Or Kelas Pintar to Adjust - a German company.
00:16:00
Also Sekolahmu to Snowplow, a company established in London, UK.
00:16:05
Or your school at Snowplow
based in London, England.
00:16:09
Actually our main application
00:16:11
it doesn't use Snowplow
00:16:13
the only connection to Snowplow
00:16:16
so we have one payment gateway
that we work with using Snowplow
00:16:21
We make the payment gateway
as one of the payment options
00:16:26
Basically Appsflyer is for data analysis
00:16:30
And CRM (customer relationship management )
00:16:32
Then we use Clevertap
for the aggregated data
00:16:38
According to Ruang Guru,
AppsFlyer's third-party status is solely
00:16:41
used to track marketing attribution
activity. Also fraud protection.
00:16:46
Even though he acknowledged that there was
a transfer of data on the Ruangguru flyer
00:16:50
apps, he argued that personal data is in the
form of aggregate data, not personal data.
00:16:53
But it would be strange if it was done by a government application.
00:16:58
As an example, Rumah Belajar collects and sends children's data to advertising companies.
00:17:05
Defensive Lab's investigations show how this data was blatantly
00:17:09
sent to the domain DoubleClick.net
00:17:11
which is clearly an advertising company.
00:17:15
Rumah Belajar is a tax-funded educational application managed by the Ministry of Education and Culture.
00:17:20
What is the Ministry of Education's response?
00:17:24
Sebelumnya terima kasih atas informasi
yang diberikan dari teman-teman Narasi
00:17:24
Previously, thank you for the
information provided from Narasi friends
00:17:28
tapi perlu kami sampaikan di sini bahwa
00:17:28
but we need to say here that
00:17:31
Rumah belajar itu tidak ada kerjasama
apapun dengan perusahaan iklan
00:17:31
The learning house does not have any
cooperation with advertising companies
00:17:35
Jadi sadar bahwa ini layanan pemerintah
00:17:35
So be aware that this is a government service
00:17:38
yang kita berikan secara gratis cuma-cuma kepada masyarakat
00:17:38
which we provide free of charge to the community
00:17:41
dan kita tidak punya kepentingan
mengambil keuntungan dari pihak ketiga
00:17:41
and we have no interest
in taking advantage
00:17:44
of third parties, let
alone commercial ones
00:17:46
Jadi memang kita tidak ada perjanjian apapun
00:17:46
So we really don't have any agreement
00:17:51
Terhadap..
Apa namanya..
00:17:51
Against.. What's the name..
00:17:53
Tadi yang disampaikan terkait AAID,
ataupun..
00:17:53
What was conveyed earlier
was related to AAID, or...
00:17:57
yang bersumber dari layanan aplikasi tersebut.
00:17:57
sourced from the application service.
00:18:00
Itu saja yang bisa kami sampaikan.
00:18:00
That's all we can say.
00:18:09
Beberapa saat kemudian
00:18:09
A few moments later
00:18:11
Eh kami terus terang tidak pernah,
atau..
00:18:11
Uh we frankly never, or..
00:18:15
Sepengatahuan saya ya.
00:18:15
To my knowledge yes.
00:18:16
Kami tidak pernah memotret
dan melihat aktifitas semacam itu
00:18:16
We have never photographed
or seen such activity
00:18:20
jadi kalau jika ini temuan baru
dari teman-teman Narasi
00:18:20
so if this is a new
finding from Narasi friends
00:18:23
it is actually useful for us
00:18:25
untuk kita kemudian melakukan perbaikan-perbaikan
di sisi aplikasi Rumah Belajar
00:18:25
for us to then make improvements
on the Learning House application side
00:18:29
Jadi ini malah informasi baru yang kami terima
oleh Pusdatin terutama
00:18:29
So this is actually new information
that we received especially from Pusdatin
00:18:33
terkait dengan aktivitas tersebut.
00:18:33
related to that activity.
00:18:35
Malah nanti kami jadikan dasar
untuk lakukan perbaikan.
00:18:35
In fact, we will make it the
basis for improvement later.
00:18:38
Yang jelas konsen kami adalah apapun
yang jadi pengamanan perlindungan anak
00:18:38
What is clear is that our concern is
anything that safeguards child protection
00:18:43
pasti posisi kami jelas akan berdiri di titik itu.
00:18:43
surely our position will clearly stand at that point.
00:18:47
Rumah Belajar's privacy policy clearly states that data is
00:18:51
deposited for analysis and then returned as targeted adverts for its users.
00:18:57
According to HRW's findings, among all government-owned education applications
00:19:00
in other nations they researched,
00:19:03
Indonesia is the only one that openly acknowledges selling this data.
00:19:10
his application made by the government is funded by the State and taxes
00:19:15
Why should they collect this data.
00:19:18
If it's private companies that don't get money from the government, where do they come from? if don't sell data
00:19:25
his government has absolutely no reason for them to steal children's data.
00:19:33
The practice of stealing children's information
00:19:36
via educational applications is dilemmatic, especially in Indonesia.
00:19:38
From the beginning, these apps have clearly stated
00:19:41
that they will process their users’ data–the majority of whom are children, for advertising purposes.
00:19:48
On the other hand, Indonesia's privacy laws are very weak.
00:19:51
There is no clear data regulation in general.
00:19:55
he statement from one of the CEOs clearly illustrated
00:19:58
that the weakness of the regulator and the carelessness of the user will be used as a scapegoat.
00:20:03
- So you put more emphasis
00:20:07
- the position in the wrong
context means it's in the user right?
00:20:10
Go back to the user
and back to their controls.
00:20:13
And the last one,
as I said earlier.
00:20:17
In the end it was.. Again..
00:20:21
We are a business entity
00:20:23
And the way we do business
is to agree with partners
00:20:27
and when we talk about compliance
00:20:30
yes it (is in) his partner.
00:20:31
so is the control. (on partner)