A former head of the Mossad spy agency sounded the alarm Wednesday about an app operated by Prime Minister Benjamin Netanyahu’s Likud party ahead of next week’s elections, warning that using it was “a real security threat” and likening the level of danger it poses to that of the deadly coronavirus.
Twice in two weeks, Likud’s online voter-tracking efforts have resulted in leaks of the entire database of Israeli voters, including names, home addresses and other details, to the wider internet.
The first breach earlier this month was one of the largest and most compromising leaks of Israelis’ personal information in the nation’s history, leading to the party being investigated by authorities for possible violations of election privacy laws.
The second leak, reported on Sunday, was caused by faulty data protection on a website and app, called Elector, belonging to Likud that the party used to register and assign its election-day observers to ballot stations around the country.
“This app is dangerous to the security of the State of Israel, to the safety of IDF soldiers and commanders and members of the Shin Bet and the Mossad,” said former Mossad chief Tamir Pardo in an interview with internet expert Dr. Anat Ben-David published on social media.
Ben-David researched Elector and warned the Central Elections Committee of the security and privacy issues it posed.
Pardo continued: “Our friend in Hezbollah sitting in Beirut can [download the app]. So can the Islamic Revolutionary Guard Corps operative sitting in Tehran, and so can the Hamas member in Gaza and in Nablus. They can search any person living in Israel, see who their family members are and search them in the voter registry.
“If they know the name of an IDF commander or a member of the Shin Bet or the Mossad, and someone has filled in their phone number, they can see that. Anyone using the app is endangering the safety of Israel’s security officials,” he warned.
“This is the security ‘coronavirus’ of Israel,” Pardo declared, urging Israelis to “delete the app and not add anything to it.”
Elector spokesman Yaron David responded by calling Pardo’s remarks “a savage and irresponsible tongue-lashing against the most secure and monitored election app currently around, and all based on false information that he doubtless hasn’t examined.”
Calling the remark part of “an orchestrated campaign motivated by a political agenda,” David said all the petitions against Elector had been rejected and that it is accessible only from Israel, restricts searches and takes other precautions.
He said it was Pardo’s comments that were the “coronavirus of our internal resilience system.”
There has been no immediate evidence that the exposed information was downloaded by foreign actors before the vulnerability was discovered.
Likud on Sunday called the second leak part of a series of “criminal attack attempts against Likud websites” that are being carried out by “criminals acting systematically to hurt Likud and the electoral process. Likud has filed yet another complaint with the police and we expect swift action to catch the criminals.”
The Justice Ministry’s Privacy Protection Authority confirmed that it was investigating the latest breach. The National Cyber Directorate is also taking part in the investigation.
A petition filed early this month with the Central Elections Committee accuses Likud of using its access to the official CEC voter registry to create a database of all voting-age Israelis, which it then made available to its grassroots activists through the publicly available app Elector.
The app is intended to enable political parties to conduct real-time data-crunching on election day, showing data on individual voters, polling stations (including rates of support for a party by station) and regions, information vital to a party’s grassroots get-out-the-vote effort.
But a flaw in the app’s web interface gave easy “admin access” to the entire database, allowing anybody to access and copy the Israeli voter registry, along with additional information gathered by Likud about hundreds of thousands of voters, including information supplied by friends and family about individuals’ political preferences. The exposed database also included the full name, sex, home address, and, in many cases, cellphone number and responses to political polling for 6.5 million Israeli adults.
Senior judges and law enforcement officials were among the individuals whose political leanings were listed in the leaked database, information security researchers found.
Officials are now looking into possible breaches of privacy laws — including handing over the voter registry to the programmers of Elector. Israeli election law gives political parties access to the registry, but forbids handing it to a third party.
Elector was used by other parties as well, including Yisrael Beytenu and in a limited way by some primary candidates in the Labor party over the past year. But Likud was the only one known to have outsourced its voter data wholesale to the app, and Netanyahu has on many occasions urged party activists to use it, saying it would “give us victory” on election day.
Likud’s lax data security combined with its fervent embrace of big-data methods for its campaign have drawn a torrent of criticism, especially since past mistakes do not seem to have improved the party’s handling of voter information.
The latest round of missteps follows another voter privacy debacle ahead of the September 17 election. The business journal The Marker reported on September 9 that it had managed to access Likud’s voter database (Hebrew link) through a party website, including information the party had recorded on each Israeli’s relationship to the ruling party. For example, over 600,000 people were listed as “not supportive.”