deepfake and ai ethics case study

Case 1 Deepfake and AI Ethics

link tiktok

  1. Ethical and digital risks that occurred
    a. Disinformation and disruption of public discourse

Realistic deepfakes blur the line between fact and fabrication. During elections or other political contests, fake videos of this kind can quickly trigger polarization, panic, and harmful public action.

    b. Damage to reputation and personal rights

Public figures (and private individuals) may suffer defamation, threats, or even social criminalization on the basis of false statements attributed to them.

    c. Psychological and security effects

Viewers find it hard to verify what they see, which reduces public trust in digital media; deepfakes also endanger individual safety through doxxing or threats.

    d. Economic and market manipulation

Deepfakes featuring CEOs or ministers can trigger market fluctuations, investment withdrawals, or financial scams when the false information is used to deceive.

    e. Technical: provenance and watermarking

As generative models become more sophisticated, detection alone becomes less reliable, which makes provenance tracking (watermarking and content-origin metadata) urgent.

2. Connection with Indonesian legal provisions

ITE Law (UU ITE; Law No. 1 of 2024, the amendment to the ITE Law)

Articles related to the distribution of misleading information, defamation, threats, or the dissemination of false content (e.g., Articles 27, 27A, 27B) can be used as a basis for criminal/civil charges against creators/distributors of deepfakes who deliberately spread false information or harm others. 

PDP Law (Law No. 27 of 2022)

If deepfakes use or misuse personal data (photos, voices) without permission, then such actions violate the principles of lawful data processing; violations can result in administrative and criminal sanctions under the PDP Law (articles on subject rights, controller obligations, sanctions for disclosure of personal data).

Copyright & Personality Rights

The use of a person’s face/recording may touch on image rights, publication rights, and moral rights. If models are trained with copyrighted works without permission, there are also copyright issues related to the dataset (potential civil lawsuits).

3. Design of a Campus AI Code of Ethics

As a preventive measure against the misuse of artificial intelligence technology, such as deepfake cases, campuses need to have an AI Code of Ethics that emphasizes transparency, accountability, and personal data protection. Any use of AI to generate public content—including text, images, or videos—must be accompanied by an explanation or label stating that the material was created or modified by AI. The use of other people’s images, voices, or personal data must obtain explicit permission, in line with the data protection principles in the PDP Law. Universities also need to implement a content source verification and tracking system (provenance) so that the authenticity of every digital publication can be ensured. In addition, AI literacy and digital ethics education must be a mandatory program for students and lecturers to build a responsible academic culture. Finally, an ethics enforcement and incident response mechanism is needed—covering reporting procedures, public clarification, and coordination with digital platforms—so that the potential negative impacts of AI-based manipulation can be addressed professionally and with integrity.

Case 2 Hoax and Digital Security

  1. Explain the ethical and digital risks that occurred.

Hoaxes and phishing attacks combine technical exploitation with psychological manipulation, a dual mechanism that targets both systems and human cognition. Technically, attackers distribute deceptive messages through social engineering, exploiting the trust inside closed communication networks such as WhatsApp. The malicious link, disguised as a wedding invitation, delivered a banking trojan (similar to the Cerberus or Anubis families). Once installed, the malware requested accessibility permissions, which let it read SMS messages, intercept OTP codes, and record keystrokes. With those permissions it reported back to the attacker’s control server, enabling unauthorized data exfiltration and financial theft. The malware propagated further by automatically sending the same fake invitation to every contact in the victim’s phone, producing an exponential “viral” spread pattern.

Psychologically, such attacks exploit users’ emotional triggers and cognitive biases. Curiosity lures recipients into opening “personal” messages, while social proof (the message comes from a known contact) lowers skepticism. Emotional framing (“Siang, jangan lupa dateng ya☺”, roughly “Afternoon, don’t forget to come, OK?☺”) induces warmth and impulsive trust, overriding rational caution. This combination of emotional deception and technical exploitation is advanced social engineering, and it shows that digital security failures often stem more from human behavior than from technological weakness.
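The permission set the trojan is described as abusing can be checked before an APK is ever installed, which is the point at which a campus help desk or a cautious user still has a choice. The following Python example is added for this case study (it is not code from the original post). It parses the permissions an Android manifest requests and flags the two combinations the text describes: an accessibility service together with SMS access (keylogging plus OTP interception) and SEND_SMS together with READ_CONTACTS (self-propagation to the contact list). Both manifest strings are constructed, the package names com.example.undangan and com.example.viewer are made up, and the risk weights, the accessibility weight and the verdict thresholds are assumptions for illustration, not a published scale.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights per requested permission (an assumption for this example). Unlisted
# permissions get a default weight of 1; INTERNET alone is not suspicious.
RISK_WEIGHTS = {
    "android.permission.INTERNET": 0,
    "android.permission.READ_SMS": 3,             # read OTPs delivered by SMS
    "android.permission.RECEIVE_SMS": 3,          # intercept OTPs as they arrive
    "android.permission.SEND_SMS": 2,             # resend the lure to contacts
    "android.permission.READ_CONTACTS": 2,        # harvest the contact list
    "android.permission.SYSTEM_ALERT_WINDOW": 2,  # overlay fake login screens
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 4  # assumption: a bound accessibility service is the keylogging path

# Constructed manifest modelled on the "invitation" trojan described above.
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.undangan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Undangan Pernikahan">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a harmless viewer app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Invitation Viewer"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def declares_accessibility_service(manifest_xml):
    """True if any <service> is guarded by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
               for svc in root.iter("service"))


def triage(manifest_xml):
    """Score a manifest and name the abuse patterns its permissions enable."""
    perms = requested_permissions(manifest_xml)
    score = sum(RISK_WEIGHTS.get(p, 1) for p in perms)
    patterns = []
    has_accessibility = declares_accessibility_service(manifest_xml)
    if has_accessibility:
        score += ACCESSIBILITY_WEIGHT
    sms_read = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    if has_accessibility and perms & sms_read:
        patterns.append("otp-interception")  # keystroke capture plus SMS access
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        patterns.append("self-propagation")  # can mass-message the victim's contacts
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        patterns.append("overlay")           # can draw a fake screen over a real app
    # Verdict thresholds are an assumption for this example.
    if score >= 8 or "otp-interception" in patterns:
        verdict = "block"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "low"
    return {"score": score, "patterns": patterns, "verdict": verdict}


if __name__ == "__main__":
    for name, manifest in (("trojan", TROJAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

On a real device the same check is the one to make by hand when an app asks to be enabled as an accessibility service: a wedding invitation has no reason to need it, and a legitimate invitation never needs SMS access at all.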

  2. Digital Safety Steps (Levels 1–4)

Level 1 – Device Protection

Use strong passwords and enable two-factor authentication (2FA) on all financial apps. Install applications only through verified sources like Google Play or App Store. Disable the “Install Unknown Apps” option, and regularly update both your operating system and antivirus software.

Level 2 – Personal Data and Privacy

Never share OTPs or banking PINs, even with individuals claiming to be official representatives. Use separate email accounts for financial transactions and personal communication. Review app permissions and delete suspicious applications. Utilize encrypted password managers to store credentials safely.

Level 3 – Information Verification

Before clicking links, always verify the domain and file extension—a .apk file is never a legitimate wedding invitation. Use online scanners like VirusTotal.com to analyze suspicious URLs. Recognize red flags such as emotional or urgent messages, and confirm authenticity through direct phone contact with the sender.

Level 4 – Civic and Legal Awareness

Report phishing or malware cases to Kominfo’s CSIRT or Patroli Siber Polri (https://patrolisiber.id). Promote community awareness by sharing verified warnings within family and campus circles. Practice “Stop Before You Share” as part of responsible digital citizenship.
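Level 3 can be partly automated. The Python example below is added here (it is not code from the original post) and applies the checks in that step to a few constructed WhatsApp-style messages: it pulls the links out of a message, flags a link whose path ends in an executable extension such as .apk, a plain-http link, or a raw IP address as host, looks for urgency wording in Indonesian and English, and then recommends the action the post describes, refusing the file outright or phoning the sender to confirm when the message came from a known contact. The messages, the domains (reserved .example names and an address from the 192.0.2.0/24 documentation range), the extension list and the phrase list are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Extensions that never belong in an "invitation" (assumption for this example).
EXECUTABLE_EXTENSIONS = (".apk", ".exe", ".scr", ".msi", ".bat")
# Pressure words in Indonesian and English; extend the list for your own context.
URGENCY_PHRASES = ("urgent", "segera", "sekarang", "diblokir", "suspended", "verify now")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed messages; the first mimics the lure quoted in the case study.
CONSTRUCTED_MESSAGES = [
    {"from": "known_contact",
     "text": "Siang, jangan lupa dateng ya☺ https://undangan-digital.example/files/Undangan.apk"},
    {"from": "known_contact",
     "text": "Foto wisuda kemarin https://photos.example/album/2024"},
    {"from": "unknown",
     "text": "URGENT: akun Anda diblokir, verifikasi sekarang http://secure-login.example/verify"},
    {"from": "known_contact",
     "text": "Undangan online di sini https://192.0.2.10/invite"},
]


def extract_urls(text):
    return URL_RE.findall(text)


def analyse_url(url):
    """Return the red flags found in a single link."""
    parsed = urlparse(url)
    flags = []
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        flags.append("executable-download")  # an app install, not an invitation
    if parsed.scheme != "https":
        flags.append("no-tls")
    host = parsed.hostname or ""
    if IPV4_RE.match(host):
        flags.append("raw-ip-host")          # legitimate services use a domain name
    return flags


def triage_message(msg):
    """Combine link flags and wording cues into the action the post recommends."""
    findings = []
    for url in extract_urls(msg["text"]):
        for flag in analyse_url(url):
            if flag not in findings:
                findings.append(flag)
    lowered = msg["text"].lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        findings.append("urgency-language")

    if "executable-download" in findings or (findings and msg["from"] != "known_contact"):
        action = "do-not-open"
    elif findings:
        # A known sender is exactly how the trojan spreads, so confirm by phone first.
        action = "verify-with-sender-by-phone"
    else:
        action = "ok"
    return {"findings": findings, "action": action}


if __name__ == "__main__":
    for msg in CONSTRUCTED_MESSAGES:
        print(msg["from"], triage_message(msg))
```

The rules are deliberately simple string checks so they can run on a phone or in a campus chat gateway; submitting the extracted URL to a scanner such as VirusTotal, as the post suggests, is the natural next step once a link has been flagged.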

  3. Social, economic, and legal impacts of poor digital literacy

Social Impact

Low digital literacy erodes public trust in online financial services and increases digital anxiety, especially among older users unfamiliar with cybersecurity. False rumors about “bank hacking” or “unsafe apps” may create unnecessary panic and reduce technology adoption.

Economic Impact

According to BSSN’s 2024 report, individual victims of mobile phishing lost an average of IDR 3–10 million. Financial institutions suffer reputational damage, decreased user confidence, and higher operational costs for fraud recovery and digital security upgrades.

Legal Impact

Phishing and malware dissemination violate multiple Indonesian laws:

  1. Spreading Fake Information: ITE Law (Art. 28, Para. 1) prohibits the dissemination of false information that causes public harm.
  2. Illegal Data Acquisition: Personal Data Protection Law (Arts. 65–67) forbids collecting personal data unlawfully.
  3. Unauthorized System Access: ITE Law (Arts. 30–32) criminalizes unauthorized access and data transfer.
  4. Platform Responsibility: ITE Law (Art. 40, Para. 2a) requires digital platforms to protect user data and mitigate misinformation.

Case 4 Data Privacy and Cloud Breach

  1. How the Data Breach Might Have Happened
    a. Credential compromise (most common)

Phishing targeting IT staff or administrators: admin credentials stolen through spear-phishing → access to the cloud admin console (e.g., AWS/GCP/Azure) → data exfiltration. (Under the PDP Law this constitutes unlawful disclosure of personal data.)

    b. Misconfiguration of cloud storage

S3/GCS buckets without authentication (public read) or overly permissive IAM rules → data can be accessed directly. Many public breaches occur because of misconfigured storage.

    c. Vulnerability in a web app or API

SQL injection, exposed management endpoints, outdated CMS/plugins → attacker privilege escalation.

    d. Insider threat

Employees or contractors who misuse their access → export data.

    e. Supply-chain compromise

A third-party vendor (e.g., an outsourced backup provider) is compromised → university data leaked.
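Item (b), public-read storage, is the one vector in this list a cloud team can check mechanically before any attacker does. The Python example below is added for this case study (it is not code from the post) and evaluates an S3-style bucket policy document offline: it flags every Allow statement whose principal is the wildcard and whose action pattern covers s3:GetObject or s3:ListBucket, and it distinguishes an unconditional grant from one narrowed by a Condition block. The two policy documents are constructed: the first is the weak setting, the second a hardened version that grants read access only to a named IAM role and adds an explicit Deny for requests not made over TLS. The bucket name campus-student-records, the account ID 123456789012 and the role name RegistrarApp are placeholders, and public_statements and is_public are names chosen for this example.

```python
import json
from fnmatch import fnmatchcase

# Actions whose anonymous grant means the bucket contents can be read or listed.
SENSITIVE_READ_ACTIONS = ("s3:getobject", "s3:listbucket")

# Constructed weak policy: anyone on the internet can fetch every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::campus-student-records/*",
    }],
})

# Constructed hardened policy: only one application role may read, and any
# request that does not use TLS is explicitly denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RegistrarAppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/RegistrarApp"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::campus-student-records",
                         "arn:aws:s3:::campus-student-records/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::campus-student-records",
                         "arn:aws:s3:::campus-student-records/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or for "*" inside any principal entry such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """List the Allow statements that let an anonymous principal read or list objects."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        # Action patterns may use wildcards ("s3:*", "s3:Get*"); match them case-insensitively.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        exposed = sorted(
            action for action in SENSITIVE_READ_ACTIONS
            if any(fnmatchcase(action, pattern) for pattern in patterns)
        )
        if not exposed:
            continue
        severity = "public-read-conditional" if stmt.get("Condition") else "public-read"
        findings.append({"sid": stmt.get("Sid"), "actions": exposed, "severity": severity})
    return findings


def is_public(policy_json):
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    print("weak:", public_statements(WEAK_POLICY))
    print("hardened:", public_statements(HARDENED_POLICY))
```

This is a policy linter, not a full IAM evaluator: it does not model Deny precedence, bucket ACLs or the account-level public-access block settings, so a clean result here means the policy document itself grants nothing to anonymous callers, not that the bucket is private by every path.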

  2. Legal Connection — Principles of the Personal Data Protection (PDP) Law

Indonesia’s Personal Data Protection Law (Law No. 27 of 2022) establishes a clear legal framework for protecting individual privacy and data security.

The law emphasizes several principles directly related to this case:

  1. Lawfulness and Purpose Limitation – Personal data must be processed for legitimate and specific purposes with explicit consent from the data subject.
  2. Data Minimization and Storage Limitation – Institutions should collect only necessary information and retain it for a limited period. 
  3. Integrity and Confidentiality – Data controllers must ensure robust organizational and technical measures to prevent unauthorized access, alteration, or leakage.
  4. Accountability – Data controllers (in this case, the university) are fully responsible for implementing these safeguards.

Failure to protect student data constitutes a violation of Articles 39–44 of the PDP Law, which mandate technical and organizational measures to secure data.

In the event of a breach, the university must notify both the data protection authority and affected individuals promptly, as required under Article 46.

Negligence in handling such a breach could lead to administrative fines, civil liability, or even criminal sanctions for responsible parties.

  3. Proposed Digital Security Policy for Universities
    a. Immediate Response (0–7 days)
      1. Contain and Isolate – Disconnect affected servers, revoke compromised credentials, and restrict network access.
      2. Forensic Investigation – Analyze system logs to identify intrusion vectors and data exfiltration points.
      3. Incident Reporting – Notify the Ministry of Communication and Information Technology (Kominfo), the data protection authority, and affected students, in accordance with PDP Law Article 46.
      4. Public Communication – Release a transparent statement to maintain trust and demonstrate accountability.
    b. Short-Term Actions (1–3 months)
      1. Credential Hardening – Enforce complex passwords, mandatory two-factor authentication (2FA), and password rotation for all administrators.
      2. Access Control Review – Apply role-based access management and remove dormant or redundant accounts.
      3. Encryption and Backup Security – Encrypt all stored data (at rest and in transit) and ensure offline encrypted backups.
      4. Patch and Vulnerability Management – Regularly update operating systems, CMS platforms, and third-party plugins.
      5. Vendor Risk Management – Audit all third-party service providers and ensure contractual compliance with PDP Law standards.
    c. Long-Term Policy (6–12 months)
      1. Data Classification and Minimization – Categorize student data based on sensitivity (e.g., highly sensitive: NIK, biometric; medium: transcript) and limit retention periods.
      2. Privacy by Design – Integrate privacy and security into all digital development processes, from planning to deployment.
      3. Centralized Key Management – Use hardware security modules (HSM) for key storage and encryption control.
      4. Security Operations Center (SOC) – Establish a monitoring team to detect anomalies in real time using SIEM systems (Security Information and Event Management).
      5. Regular Audits and Compliance Checks – Conduct independent third-party audits at least once per year.
    d. Cultural and Educational Measures

Launch mandatory digital security training for staff, faculty, and students focusing on phishing prevention and safe data handling.

Promote awareness through Digital Safety Weeks and internal campaigns such as #ProtectStudentData.

Establish a Campus CSIRT (Computer Security Incident Response Team) to coordinate quick responses and liaise with law enforcement.
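The forensic step in the immediate response and the SOC/SIEM item in the long-term policy both come down to rules run over the cloud admin-console audit trail. The Python example below is added here (it is not code from the post) and implements two such rules over a constructed, simplified log: a successful administrator login from a source address outside that account's known baseline, and, within 30 minutes of such a login, object downloads from the same address totalling more than a threshold. Together they describe the credential-compromise-then-exfiltration chain listed as vector (a) in Case 4. The log line format, the user names, the IP addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the baseline, the window and the 100 MB threshold are all assumptions for this example; a real SIEM would read the provider's native audit events instead.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit log. Each line:
#   <timestamp> <user> <event> <source-ip> <result> [bytes=<n>]
CONSTRUCTED_LOG_LINES = [
    "2025-03-01T08:02:11Z admin.it ConsoleLogin 198.51.100.7 success",
    "2025-03-01T08:10:00Z admin.it GetObject 198.51.100.7 success bytes=2048",
    "2025-03-01T22:41:05Z admin.it ConsoleLogin 203.0.113.5 success",
    "2025-03-01T22:43:10Z admin.it GetObject 203.0.113.5 success bytes=62914560",
    "2025-03-01T22:44:02Z admin.it GetObject 203.0.113.5 success bytes=73400320",
    "2025-03-01T22:45:30Z admin.it GetObject 203.0.113.5 success bytes=41943040",
    "2025-03-01T23:30:00Z staff.lib ConsoleLogin 198.51.100.9 success",
]

# Assumed baseline: the addresses each account normally logs in from (campus NAT).
BASELINE_SOURCES = {
    "admin.it": {"198.51.100.7"},
    "staff.lib": {"198.51.100.9"},
}
EXFIL_WINDOW = timedelta(minutes=30)
EXFIL_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MB, an assumption for this example


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    parts = line.split()
    record = {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
        "user": parts[1], "event": parts[2], "ip": parts[3], "result": parts[4],
        "bytes": 0,
    }
    for extra in parts[5:]:
        if extra.startswith("bytes="):
            record["bytes"] = int(extra.split("=", 1)[1])
    return record


def detect(lines, baseline, window=EXFIL_WINDOW, threshold=EXFIL_THRESHOLD_BYTES):
    """Return alerts for new-source logins and the download bursts that follow them."""
    records = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    alerts = []
    suspicious_logins = []
    # Rule 1: a successful console login from an address this account never uses.
    for rec in records:
        if rec["event"] == "ConsoleLogin" and rec["result"] == "success":
            if rec["ip"] not in baseline.get(rec["user"], set()):
                suspicious_logins.append(rec)
                alerts.append({"rule": "new-source-login", "user": rec["user"],
                               "ip": rec["ip"], "ts": rec["ts"].isoformat()})
    # Rule 2: bulk object reads by the same user from the same address shortly after.
    for login in suspicious_logins:
        total = sum(
            r["bytes"] for r in records
            if r["event"] == "GetObject" and r["user"] == login["user"]
            and r["ip"] == login["ip"]
            and login["ts"] <= r["ts"] <= login["ts"] + window
        )
        if total >= threshold:
            alerts.append({"rule": "possible-exfiltration", "user": login["user"],
                           "ip": login["ip"], "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG_LINES, BASELINE_SOURCES):
        print(alert)
```

The first rule fires on the phishing-led login itself; the second only confirms impact. Tuning the baseline per account (and adding a geolocation or off-hours check) keeps the first rule useful without drowning the SOC in alerts from staff on legitimate travel.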
