A Survey Study of Social Media User Awareness towards

Personal Identifiable Information’s Data Security in

Indonesian Millennial Generation

Gabriel Alexander Christie1 Ivan2 Javier Trevan3

Cyber Security Program,
Computer Science
Department,
School of Computer Science,
Bina Nusantara University,
Jakarta, Indonesia 11480
Gabriel.christie@binus.ac.id1
Cyber Security Program,
Computer Science
Department,
School of Computer Science,
Bina Nusantara University,
Jakarta, Indonesia 11480
Ivan013@binus.ac.id2
Cyber Security Program,
Computer Science
Department,
School of Computer Science,
Bina Nusantara University,
Jakarta, Indonesia 11480
Javier.Trevan@binus.ac.id3

Nadia4 Franz Adeta Junior5 Said Achmad6

Cyber Security Program,
Computer Science
Department,
School of Computer Science,
Bina Nusantara University,
Jakarta, Indonesia 11480
Nadia002@binus.ac.id4
Cyber Security Program,
Computer Science
Department,
School of Computer Science,
Bina Nusantara University,
Jakarta, Indonesia 11480
Franz.junior@binus.ac.id5
Computer Science
Department,
School of Computer Science,
Bina Nusantara University,
Jakarta, Indonesia 11480
Said.achmad@binus.edu6

Abstract:

Online Social Network is a network communication platform where users have profiles that
can be uniquely identified by the content sent. This content can be produced, consumed, and
interacted with by other users. To connect with other users on social media, users must register
by providing Personally Identifiable Information (PII) to social media platforms. PII is specific
information that can identify or track individuals directly. This specific information may
include your name, address, social security number, or other identifying code numbers such as
telephone numbers, email addresses, and others. Personal identifiable information leakage is a
problem in data security. Basically, every individual does not want their personal data to be
known by anyone. Utilizing a sample size of 50 respondents, this study aims to ascertain the
percentage of individuals who are aware of PII security on social media. This research will use
quantitative methods by distributing questionnaires. The questionnaire in this study uses a
social media attribute design. The results of the survey indicate that many respondents are
unaware of the security of their data and have a limited understanding of how their personal
data is managed by technology companies, particularly the 80% of non-IT respondents.
 Keyword: Personal Identifiable Information; Online Social Network; Social Media; Data
Security; Indonesian Millennial, Big Data

INTRODUCTION Education 0 8 1 3
Workplace 0 6 1 5
Social network site is a networked Birthday 0 4 7 1
Zip Code 0 0 10 2
communication platform in which Email 0 0 12 0
Phone 0 0 6 6
participants (a) have uniquely identifiable Address 0 0 4 8
profiles that consist of user-supplied
content, content provided by other users, PII leakage is one of the major
and/or system-level data; (b) can publicly problems in data security [4]. Rationally,
articulate connections that can be viewed people don't want their personal and private
and traversed by others; and (c) can data to be known by even family members.
consume, produce, and/or interact with But according to a cyber security firm,
streams of user-generated content provided Indonesia is still the highest nation in
by their connections on the site[1]. South-east Asia, with more than 1 million
Personal Identifiable Information internet users. Statistically, 44 from every
(PII) is information that, either alone or in 100 Indonesian are experiencing data
combination with additional data that may leakage [5]. The most common consequence
be linked to a specific person, can be used of the data leakage for the user is that they
to identify or trace an individual [2]. Further, are vulnerable to identity theft. If a
PII is defined as data that: I directly identify malicious person/group gets a hold of your
a person (e.g., name, address, social personal information such as full name,
security number, or other identifying address, Date of Birth (DoB), or even
number or code, phone number, email sometimes national ID number. they could
address, etc.); or (ii) allows an organization start a bank account in your name, or take a
to indirectly identify particular people by loan in your name, etc. Internet user’s PII
combining their data with other data when leaked can do a lot of harm for the
elements. (These informational user. This research will include example
components may combine gender, race, information from various people in this
date of birth, location, and other region based on a data collection form done
identifiers.) Furthermore, information that in the US.
enables offline or online communication The purpose of this research is to
with a particular individual qualifies as create an understanding for social media
personally identifiable information. This users, especially millennial teenagers,
data can be kept on paper, electronically, or about personal data identity information or
through other types of media[3]. known as PII. If the attacker knows the PII
Table 1. Type of PII available by default of the victim, the attacker can easily
PII Data Level of Availability identify and track the victim. This will
Always Available by Unavailable Always
Available default by default Unavailable make social media users insecure and have
Photo 9 2 1 0
Location 5 7 0 0 a high risk. So, the attacker can use the
Gender 4 6 0 2
Name 5 6 1 0
victim's PII in his crime. Therefore, this
Friends 1 10 1 0 study will use a qualitative method by
Activities 2 8 0 2
Photo Set 0 9 0 3 distributing surveys. This survey will be
Age 2 5 4 1
distributed to social media users, especially
teenagers in Indonesia. The results of this
survey will be used to determine the level
of youth awareness in understanding
identity security in the world of social
media. Indonesia ranks third in the globe
for cases of personal data leakage, as
depicted in Figure 1.

Figure 1. Statistic of a personal data leakage (Indonesia ranks third in personal data
leak for the third quarter of 2022) (sumber :
https://databoks.katadata.co.id/datapublish/2022/09/13/indonesia-masuk-3-besar-negara-
dengan-kasus-kebocoran-data-terbanyak-dunia)

B. Literature Review:
The use of social media in Indonesia is
increasing every year. About 74.23% of
Indonesian Internet traffic is for social
media, and about 49.52% of those can be
categorized as millennials and gen z [7].
Millennials and gen z tend to post their
daily lives in social media, which combined
with the inadequacy and over-confidence
toward their knowledge about privacy
awareness, their distrust toward the
Indonesian government, and the lack of
strict regulation, has made them an easy
target for cyber-attack [8].
In the new era of internet, most
social media are currently storing and/or
using their user’s PII for either simplicity or
advertising interest. These PIIs can consist
of full name, friend lists, gender, location,
habits, pictures or videos, and most of those
PII’s are set to ‘open to public’ by default[2].
These PIIs are usually the starting point for
any attacker to create a link and model by
summarizing PIIs and other information
obtained by 3rd parties such as
advertisers[9]. Those user’s PIIs are usually
obtained from a data broker who usually
sells user’s data as a bulk to those
advertisers. According to a report by
Identity Theft Resource Center (ITRC) in
2016, there’s at least 980 separate data
breaches, which consisted of more than 35
million user’s private information[10].
The internet currently only works
thanks to big data, and a bulk of that data is
usually PIIs. From 2011, data that had been conclusions from the responses of
uploaded to the internet doubled every two respondents. The questions elicit
years, and that trend is only increasing year knowledge of the statutes governing data
by year[11]. But with the growth of big data, protection among respondents.
it’s getting harder to maintain data security
and privacy. Because usually any problem C.Methodology:
with data security and privacy in big data is This research method uses
dealt with on a case by case basis. Because quantitative methods. A questionnaire
the data needed to be classified by their technique was used to collect data in this
sensitivity, confidentiality, security, research. Design of questionnaire research
[12] using the characteristics of media social
control, and access . Because of that, any
organization that’s managing big data attributes[15]. The following is the main
needs up-to-date security management. It design of the Social Media Attributes used
can be helped by using encryption, routine in this research questionnaire.
device check-up, check valid access,
network monitoring, secure
communication, conduct awareness
training, and create policy in the
program[13][14].
A survey is being conducted to
determine the level of cognizance of
personal data security among Indonesian
college students (sitasi
https://www.mdpi.com/2071-
1050/15/4/3814). Perceived Privacy
Control, Perceived Privacy Risk, Perceived
Security, Self-Presentation, and Personal
Figure 2. Basic knowledge question
Data Security Awareness were questioned.
The sample of respondents included
This questionnaire will be
participants who were both active (as
distributed to respondents directly with an
content creators) and passive (using social
application form. The application form
media only for entertainment) in their social
used is Google Forms. The minimum
media interactions. The distribution of
number of targets for filling out the research
questionnaires was randomized using the
questionnaire form is 50 respondents with 5
snowball sampling technique. The results
of those as control group, 10 more as
of the study indicate that participants who
neutral group, and the rest as the data set.
actively use social media are more likely to
The research's target respondents are
use and exploit their personal data, whereas
Indonesian millennials.
passive users are more concerned with data
The questions on the questionnaire
security.
consist of 15 questions, of which 10
Unlike previous survey studies, we
questions are basic knowledge tests about
will conduct a survey of PII data on the
events experienced and related to personal
millennial generation in Indonesia by
information and 5 questions about the
disseminating online surveys and drawing
Personal Data Protection (PDP) law. The
following are 10 questions regarding basic
knowledge of events experienced and
related to personal information that were
asked of respondents:
1. You are opening a calculator
application on your mobile phone,
then this notification appears. Have
you ever experienced this?
2. You register with a website /
agency, then you are asked to take a
photo of yourself with an identity
card. Have you ever done this?
3. You have friends of the same age
and are currently in a close
relationship with you. At one point
you accidentally saw your friend's
social media exposing a relationship
without your consent. Have you
ever done or experienced this?
4. At one point, you accidentally see a
friend's or party's post on social
media in the form of a screenshot.
This post contains a conversation
between you and your interlocutor.
Have you done or experienced this?
5. When you are at an agency or
website you are asked to provide a
telephone number or email for the
website. Have you ever done this?
6. While there is a viral challenge on
your favorite social media, the
challenge asks you to post a photo
with your identity card. Have you
ever done this?
7. You follow people on social media,
then try to find out information
about them in other places such as
Google and other social media, with
the aim of getting to know that
person more deeply. Have you ever
done this?
8. Something happened to you, and
you notified the incident to your
social media, including information
such as your name, face photo, and
possibly his address. Have you ever
done or experienced this?
9. You have a hobby (hobby) for
something and other activities that
you like, then you post it on your
social media. Have you ever done
this?
10. You put personal data information
in the biography section of your
social media profile. It aims to
provide information to people you
know. Is that the right thing to do?
From the respondent answer of question 1 -
10, the data that will be extrapolated can be
rated as such.
Yes = the respondent still does the
dangerous practice for their PII
No = the respondent does not do the
dangerous practice for their PII
Maybe = the respondent is unsure or
doesn’t remember
The following are 5 questions about the
PDP law that were asked of respondents:
1. Are you aware of the laws
governing the security of your
personal data?
2. If your answer is Yes, what do you
know about the law?
If your answer is No, have you ever
heard of the personal data protection
law?
3. Do you know that personal data is
stored and managed by digital
technology-based companies?
4. Did you know that you can request
data from digital technology-based
companies that store and manage
your data?
 5. Do you want to feel the personal
data protection law can help secure
your personal data?
D. Results
The results of research that was
conducted for 50 respondents. 46% of the
number of respondents are aged 18 to 21
years. For the work of the majority of
respondents Non-IT (with a red indication)
as many as 80% respondents and the rest
worked in the IT field as many as 20%, the
results of the survey respondent's
demographic data can be seen in Figure 3
for age and Figure 4 for the respondent's
background. Based on survey questions 1-
10 related to respondents' experiences, it
shows that an average of 42% of
respondents carried out dangerous practices
related to PII and 12.4% were in a state of
uncertainty about the safety of their PII
data. More detailed data is shown in table 2

Figure 3. Age of survey respondent

Figure 4. Background of survey respondent

Table 2. The average percentage of respondents indicated to be practicing PIPI security
in a dangerous manner
Question 1 2 3 4 5 6 7 8 9 10 Total
Percentage

Yes 14% 48% 38% 68% 64% 4% 64% 24% 72% 24% 42%

No 70% 40% 44% 20% 20% 90% 26% 66% 16% 64% 45.6%

Maybe 16% 12% 18% 12% 16% 6% 10% 10% 12% 12% 12.4%

Figure 5. Result from question 1 : Are you aware of the laws governing the security of
your personal data?
Figure 6. Result from question 2 : If your answer is no, have you ever heard of the PDP
law?

Figure 7. Result from question 3 : Did you know that your personal data is stored and
managed by a digital technology-based company?

Figure 8. Result from question 4 : Did you know that you can request data from digital
technology-based companies that store and manage your data
 Figure 9. Result from question 5 : Do you feel that the PDP law can help secure your
personal data
Figure 5 shows 50 respondents that were
questioned, only 20% knew about the law
that governs their private information. And
from that 20%, all knew or have heard
about the most recent law about private data
protection. This indicates that the
awareness of eighty percent of respondents
remains low. It could be said that they do
not comprehend the rights to their digital
data that should be protected by legal
entities. Figure 6 indicates that, among the
80% of respondents who did not know the
law regarding data security, there were at
least some who had heard of PDP but did
not comprehend it. Figure 7 reveals that
48% of respondents recognize that their
data is managed by a digital technology-
based corporation, while 34% do not know
who processes their data and 18% are
uncertain. The result indicates a knowledge
deficit regarding the digital processing of
personal data. In Figure 8, the results
obtained strengthen the results that can be
concluded from Figure 7.
And to finish the poll, after the
respondents were told about the law by the
questioner, they were asked if they felt that
the law could help secure their private data.
In Figure 9, unsurprisingly 54% of them felt
that the law could help, while 42% felt that
maybe the law could help but it still needed
some polishing, whilst 4% felt that the law
could not help them whatsoever. It needs to
be emphasized that the results of the survey
conducted had 80% of respondents from
non-IT backgrounds, which means that
there are still many ordinary people who
lack understanding regarding digital data
security
E. Conclusion
Based on a survey that has been
conducted, most people still don't know
how to secure their private information
almost exclusively because they don't have
a background in technology. This is why
there are still a plethora of people that are
indifferent towards their private
information security and feel that they’ve
done enough to protect their private
information, especially in today's digital era
where threats develop faster than the
protection mitigation. The people that have
a background in technology flourish
whereas those who do not fall behind in
protecting their private information. As
example, all the IT based people that were
questioned know about the most recent data
protection law, the PDP law was approved
and ratified in October of 2022, whilst only
some the non-IT based people have heard
let alone know about it.
Owing to the fact that the
millennials that were questioned are still
somewhat apathetic toward their personal
information security, to help increase their
awareness toward their own private
information security, the researchers
prepared a compact explanation about PII,
latest common threat in social media, and
the consequences if their private
information is leaked. However, the
implemented implementation still does not
have a significant impact, especially in
Indonesia. In the future, a massive PDP
law-related campaign, transparency in the
processing of personal data and a detailed
explanation of the contents of the law can
be implemented so that they understand that
their personal information is protected by
the PDP law.
References:
[1] N. Ellison and D. M. Boyd, “151
Sociality Through Social Network Sites,”
The Oxford Handbook of Internet Studies.
Oxford University Press, p. 0, Jan. 01,
2013.
doi:10.1093/oxfordhb/9780199589074.013
.0008.
[2] B. Krishnamurthy and C. Wills., On
the leakage of personally identifiable
information via online social networks.
Proceedings of the 2nd ACM workshop on
Online social networks (WOSN '09).
Association for Computing Machinery,
New York, NY, USA, 7–12. August 2009.
https://doi.org/10.1145/1592665.1592668
[3]“Guidance on the protection of personal
identifiable information,” United States
Department of Labor. [Online]. Available:
https://www.dol.gov/general/ppii#:~:text=
Personal%20Identifiable%20Information
%20(PII)%20is,either%20direct%20or%2
0indirect%20means. [Accessed: 10-Nov-
2022].
[4] Schwartz, Paul M. and Solove, Daniel
J., The PII Problem: Privacy and a New
Concept of Personally Identifiable
Information. New York University Law
Review, Vol. 86, p. 1814, December 5,
2011. UC Berkeley Public Law Research
Paper No. 1909366, GWU Legal Studies
Research Paper No. 584, GWU Law
School Public Law Research Paper No.
584, Available at SSRN:
https://ssrn.com/abstract=1909366
[5]L.Septiani,”Korban Kebocoran Data di
Internet Indonesia Terbanyak di Asia
Tenggara” [Online]. Available:
https://katadata.co.id/desysetyowati/digital
/62ec9f6234e39/korban-kebocoran-data-
di-internet-indonesia-terbanyak-di-asia-
tenggara. [Accessed October 20, 2022]
[6] P. Holicza and E. Këdena, “Smart and
secure? millennials on mobile devices,”
Interdisciplinary Description of Complex
Systems, vol. 16, no. 3, pp. 376–383, 2018.
https://doi.org/10.7906/indecs.16.3.10.
[7] A. E. Marwick and danah boyd,
“Networked privacy: How teenagers
negotiate context in social media,” New
Media & Society, vol. 16, no. 7, pp. 1051–
1067, 2014.
doi:10.1177/1461444814543995
[8]M. U. Noor, “Indonesian millennial
awareness to privacy and personal data
protection on the internet,” DESIDOC
Journal of Library & Information
Technology. DOI :
10.14429/djlit.40.2.14969.
[9] C. Louw and S. von Solms,
“Personally identifiable information
leakage through online social networks,”
Proceedings of the South African Institute
for Computer Scientists and Information
Technologists Conference on - SAICSIT
'13, 2013.
doi:10.1145/2513456.2513467
[10] G. Venkatadri, A. Andreou, Y. Liu,
A. Mislove, K. P. Gummadi, P. Loiseau,
and O. Goga, “Privacy risks with
Facebook's PII-based targeting: Auditing a
data broker's advertising interface,” 2018
IEEE Symposium on Security and Privacy
(SP), 2018.
Doi: 10.1109/SP.2018.00014.
[11] Y.-C. Wei, W.-C. Wu, G.-H. Lai, and
Y.-C. Chu, “Pisra: Privacy considered
information security risk assessment
model,” The Journal of Supercomputing,
vol. 76, no. 3, pp. 1468–1481, 2018.
https://doi.org/10.1007/s11227-018-2371-
0.
[12] S. Al-Fedaghi and A. A. Al-Azmi,
“Experimentation with personal
identifiable information,” Intelligent
Information Management, vol. 04, no. 04,
pp. 123–133, 2012.
https://doi.org/10.4236/iim.2012.44019.

[13] H. Wang, X. Jiang, and G.

Kambourakis, “Special issue on security,
privacy and trust in Network-based Big
Data,” Information Sciences, vol. 318, pp.
48–50, 2015.
https://doi.org/10.1016/j.ins.2015.05.040

[14] E. McCallister, T. Grace, and K.

Scarfone, “Guide to Protecting the
Confidentiality of Personally Identifiable
Information (PII)” Special Publication
(NIST SP), April, 2010. [Online serial].
Available:
https://tsapps.nist.gov/publication/get_pdf.
cfm?pub_id=904990.

[15] K. Vgena, A. Kitsiou, C. Kalloniatis,

and S. Gritzalis, “Determining the role of
social identity attributes to the protection
of users' privacy in Social Media,” MDPI,
24-Aug-2022. [Online]. Available:
https://www.mdpi.com/1999-
5903/14/9/249. [Accessed: 28-Nov-2022].
Available: https://www.mdpi.com/1999-
5903/14/9/249

[16] B. F. Sangojoyo, A. Kevin, and D. B.

Sunlaydi, “Urgensi Pembaharuan Hukum
mengenai perlindungan Data Pribadi e-
commerce di Indonesia,” Kosmik Hukum,
vol. 22, no. 1, p. 27, 2022.