Selfies with ID Cards as the New Normal
In the past, the risk to citizen identity began with a simple request: “send a photo of your ID card.” Today, that request has evolved into a much more comprehensive package: a photo of the ID, a selfie holding the ID, liveness checks, and even video recordings. From a verification standpoint, this appears to be progress. However, from the perspective of personal data protection, it is becoming increasingly risky. This is because what is being collected is no longer just administrative identity, but the direct link between identity documents and the owner’s face. In several processes, this data is further reinforced with biometric traces attached to the body that are difficult to replace once leaked. An ID card can be replaced within certain limits, but faces and fingerprints cannot be changed as easily as replacing a card.
The recent uproar regarding photocopies of e-KTP (electronic ID cards) should be viewed through this lens. The Directorate General of Population and Civil Registration (Dukcapil) previously stated that e-KTP no longer needs to be photocopied as it contains a chip that can be read via a card reader. However, following various interpretations, Dukcapil clarified that the e-KTP remains an official identity and photocopies can still be used as long as they are required for service needs and handled responsibly. Dukcapil also apologised because the previous information was deemed insufficiently clear. Yet, that is precisely where the main issue lies. The public debate seems to have stalled on the question of whether photocopying an ID is permitted or not. The more fundamental question is why so many services feel the need to store copies of citizens’ identities, even when the initial need is merely to ensure that a person is who they claim to be.
The issue of the ID card is not merely a matter of population administration; it has become a cross-sector verification infrastructure. Therefore, before issuing policy messages to the public, the government should conduct an impact assessment, at least in the form of a simple Regulatory Impact Analysis. The question is not just whether photocopying an ID remains relevant, but who has been requesting IDs, for what purpose, whether copies are truly necessary, and who is permitted to request photos of IDs or selfies holding them. This final question is vital. The Ministry of Home Affairs should not only explain whether e-KTP can be photocopied or not. Not all services carry the same level of risk. Banks and fintech companies may require stricter verification due to financial transactions and the prevention of identity misuse. However, does the same need apply to office buildings, hotels, test organisers, customer services, internet installations, or early-stage recruitment processes?
ID cards are embedded in many third-party service chains. At airports, passenger identities may be checked upon entering the terminal, during check-in, before security screening, approaching boarding, and even matched again when entering the aircraft. In hotels, IDs are used for guest validation. In office buildings, identity cards are requested for security purposes. If the practice of photocopying or manual recording is to be reduced, the replacement design must be clear: is it sufficient to merely show the ID, read it with a card reader, verify it through a system, or simply match it without storing it? Without clear boundaries, every institution will create its own standard. Some may simply view the ID, some photocopy, some take photos, some request selfies, and some even store these documents via vendors. Consequently, citizens never truly know whether such requests are legitimate, excessive, or merely an unmonitored administrative habit.
Daily experience shows that this issue is close to the citizens. In online English tests, for example, participants may be asked to upload their ID and perform a selfie with the ID. In customer services, including the activation or installation of cable TV, similar patterns may emerge as part of customer validation. This practice may be intended to ensure that service users are the correct individuals. However, behind this convenience, there is a question rarely answered: are the ID photos and faces merely verified, or are they also stored? If stored, for how long, by whom, and for what purpose? Because such requests occur in many places, citizens’ identity data eventually spreads across many storage spaces. Some are stored in the official systems of institutions, some enter vendor servers, some are stored in online forms, and some may simply reside in computer folders, email inboxes, or the messaging applications of officers. At this point, the risk no longer stems from a single major leak, but from many small archives that are not always visible, not always audited, and where it is not always clear when they are deleted.