
Indonesia's SEMANTIK Biometric SIM Mandate Closes a Real Fraud Loophole but Cannot Escape the Shadow of the 2022 Breach

Komdigi's facial recognition requirement for new SIM cards from July 1 is technically sound and regionally coherent — but Indonesia's data governance record demands accountability before the system scales.

[Figure: Indonesia's SIM Fraud Crisis by the Numbers (People of Internet Research · Indonesia). 30M+ monthly scam calls; 315M SIM cards in use; 1.3B records in the 2022 breach; Rp7–9.5T annual fraud losses.]

Key Takeaways

The fraud problem driving Indonesia's Ministry of Communication and Digital (Komdigi) is real and exceptionally well-documented. Indonesia generates more than 30 million scam calls per month, ranks second in Asia-Pacific for spam call density, and suffers annual telecom fraud losses estimated between Rp7 trillion and Rp9.5 trillion — roughly USD 415–560 million. With approximately 315 million active SIM cards circulating among a population of around 280 million, the surplus is not a quirk: it is the attack surface. Criminals have long exploited Indonesia's fragmented SIM market by bulk-registering cards using stolen or borrowed National Identity Numbers (NIK), then deploying them for phishing, social engineering, and financial fraud at industrial scale.

The SEMANTIK system — an acronym Komdigi renders as "Smile Safely with Biometrics" — addresses this exploit directly. Under Ministerial Regulation No. 7 of 2026, issued January 22, applicants for a new SIM card must verify their face against the Dukcapil national population registry through a liveness-detection module meeting ISO 30107 standards and achieving at least 95% accuracy. The cap of three numbers per person per operator closes the bulk-registration loophole without requiring operators to police identity documents they are poorly positioned to authenticate. Komdigi officially launched the SEMANTIK branding on May 29, 2026; mandatory biometric registration takes effect July 1.

Why the Security Logic Is Compelling

Policymakers defending SEMANTIK have a stronger case than critics sometimes acknowledge. NIK-only registration, introduced in 2017, demonstrably failed: criminals harvested identity numbers and used them to register SIMs at scale. The shift to biometric matching — face plus NIK, verified against a centralised civil registry — raises the cost of impersonation attacks significantly, because possessing someone's identity number no longer suffices to simulate their identity.

The liveness detection requirement addresses the obvious spoofing vector. Passive detection of physical presence, rather than a photograph check, frustrates the deepfake and printed-photo attacks that have defeated earlier facial systems elsewhere. Thailand and Malaysia have moved in the same direction; Vietnam is preparing a comparable rollout for approximately 100 million mobile users. Indonesia is participating in a regional shift, not improvising a novel intervention.

The three-SIM-per-operator cap is also proportionate. Genuine users rarely need more than three lines with any single carrier. The cap degrades the economics of fraud-farm operations — criminals running dozens of SIMs per stolen identity — without imposing meaningful inconvenience on legitimate subscribers.

The Shadow of the 2022 Breach

Here the analysis must slow down. In August 2022, a hacker operating under the name Bjorka published 1.3 billion SIM card registration records sourced from Indonesia's prior registration database — 87 gigabytes of NIK data, phone numbers, operator identifiers, and registration timestamps. Digital rights group SAFEnet called it the largest data breach in Asian history to that point. The Ministry of Communication denied direct responsibility, claiming the data did not originate from ministry systems, a response the public received with deep skepticism. "We are not free of spam; registration data are leaked and sold instead" became the viral summary of the accountability gap.

That breach did not occur because registration was conceptually flawed. It occurred because Indonesia collected vast centralised databases without the security architecture, institutional accountability, or independent oversight necessary to protect them. SEMANTIK now proposes to collect something more sensitive: permanent biometric facial data, linked to the national identity system. If the 2022 breach was damaging, an equivalent breach of biometric records would be categorically worse. Unlike a NIK, a face cannot be reissued.

What the Regulation Gets Right — and What It Leaves Out

Regulation No. 7 of 2026 takes meaningful steps in the right direction. Biometric data is not stored by operators: carriers must encrypt facial captures and transmit them to Dukcapil, which alone retains the biometric records. This limits the attack surface compared to a model where each operator maintains its own biometric silo. The regulation also requires operators to give users a portal to view which numbers are registered under their identity and request blocking of unauthorised accounts — a consumer protection that did not exist under the 2017 regime.

What the regulation does not fully resolve is the question of inter-agency data sharing. Dukcapil's database already supports multiple government services. Regulation No. 7 contains no explicit prohibition on law enforcement or security agencies querying the linked biometric-SIM dataset without judicial oversight. Indonesia's Personal Data Protection Law (Law No. 27 of 2022) provides the nominal framework, but the independent supervisory body that law contemplated has not been fully constituted. ELSAM, the Indonesian legal aid and human rights organisation, raised this gap in a formal statement, warning that biometric collection at this scale requires institutional safeguards that do not yet exist in practice.

The telecom industry has raised a separate but practical concern: Komdigi set a per-verification fee of IDR 3,000 (approximately USD 0.17). ATSI, the industry association, argues the fee could be passed to consumers or absorbed in ways that slow operator readiness — a real risk given the July 1 hard deadline.

The Policy Verdict

SEMANTIK is a proportionate response to a documented and severe problem. The fraud losses are real; the overcapacity of anonymous SIM cards is a structural vulnerability that NIK-only registration failed to close; and biometric liveness verification is the technically coherent next step. The system is regionally coherent and the three-card cap is well-calibrated.

But proportionality cuts both ways. A state that collects permanent biometric records for 280 million people and links them to mobile communications assumes a serious custodial obligation — one that Indonesia demonstrably failed to meet in 2022. Before the July 1 deadline becomes a fait accompli, Komdigi should publish a data retention schedule for biometric records, explicit statutory limits on inter-agency access without judicial process, a concrete timeline for standing up the PDP supervisory body, and a commitment to annual third-party security audits with public findings.

The case for SEMANTIK is sound. The case for treating "we deployed the system" as the finish line is not.

Sources & Citations

  1. Komdigi Regulation No. 7/2026 — JDIH official text
  2. ANTARA — Biometric SIM registration to limit digital fraud (Ministry statement)
  3. ELSAM — Privacy threats in biometric SIM registration (civil society press release)
  4. Rest of World — Indonesians side with hacker over 1.3B SIM card breach
  5. Biometric Update — Indonesia mandates biometric SIM registration (January 2026)
  6. Biometric Update — Indonesia to require face biometrics for new mobile numbers