Likud campaign exposes Israeli voters’ identities, again

Party insists series of dramatic data mishaps caused by ‘criminal attack attempts’ seeking to undermine its electoral prospects; cyber officials investigating

Likud party supporters at an election campaign tour in Jerusalem, September 13, 2019. (Yonatan Sindel/Flash90)

For the second time in two weeks, Likud’s online voter-tracking efforts have resulted in the exposure of the entire database of Israeli voters, including names, home addresses and other details, to the wider internet.

The new leak was caused by faulty data protection on a website belonging to Likud that the right-wing party used to register and assign its election-day observers to ballot stations around the country, Channel 12 reported on Sunday.

The report said another unnamed party was also using the website.

There is no immediate evidence that the exposed information was downloaded by foreign parties before the vulnerability was discovered.

No more information is immediately available on the exact nature of the breach or specific content of the information exposed, beyond the fact that it included the voter registry.

Illustrative: Officials count the remaining ballots from soldiers and absentees at the parliament in Jerusalem, a day after the general elections, April 10, 2019. (Noam Revkin Fenton/Flash90)

Likud on Sunday called the incident part of a series of “criminal attack attempts against Likud websites” that are being carried out by “criminals acting systematically to hurt Likud and the electoral process. Likud has filed yet another complaint with the police and we expect swift action to catch the criminals.”

The Justice Ministry’s Privacy Protection Authority confirmed that it is investigating the latest breach.

“When the authority turned to the [relevant political] parties, the websites were immediately taken down, and changes were made in their accessibility and permissions,” the authority said in a statement to Channel 12.

The National Cyber Directorate is also taking part in the investigation.

The report comes just two weeks after Israelis learned that Likud’s campaign was responsible for one of the largest and most compromising leaks of Israelis’ personal information in the nation’s history, and that the party was being investigated by authorities for possible violations of election privacy laws.

Screenshot of the website of the Elector elections data app, taken February 10, 2020.

A petition filed early this month to the Central Elections Committee accuses Likud of using its access to the official CEC voter registry to create a database of all voting-age Israelis, which it then made available to its grassroots activists through the publicly available app Elector.

The app is intended to enable political parties to conduct real-time data-crunching on election day, showing data on individual voters, polling stations (including rates of support for a party by station) and regions, information vital to a party’s grassroots get-out-the-vote effort.

But a flaw in the app’s web interface gave easy “admin access” to the entire database, allowing anybody to access and copy the Israeli voter registry, along with additional information gathered by Likud about hundreds of thousands of voters, including information supplied by friends and family about individuals’ political preferences. The exposed database also included the full name, sex, home address, and, in many cases, cellphone number and responses to political polling for 6.5 million Israeli adults.

Senior judges and law enforcement officials were among the individuals whose political leanings were listed in the leaked database, information security researchers found.

Officials are now looking into possible breaches of privacy laws — including handing over the voter registry to the programmers of Elector. Israeli election law gives political parties access to the registry, but forbids handing it to a third party.

Prime Minister Benjamin Netanyahu, center, blows a kiss to the crowd as he’s surrounded by activists during a gathering to show support for him as he faces corruption investigations, held at the Tel Aviv Convention Center, August 9, 2017. (AFP/Jack GUEZ/File)

Elector was used by other parties as well, including Yisrael Beytenu and in a limited way by some primary candidates in the Labor party over the past year. But Likud was the only one known to have outsourced its voter data wholesale to the app, and Prime Minister Benjamin Netanyahu has on many occasions urged party activists to use it, saying it would “give us victory” on election day.

Likud’s lax data security combined with its fervent embrace of big-data methods for its campaign have drawn a torrent of criticism, especially since past mistakes do not seem to have improved the party’s handling of voter information.

The latest round of missteps follows another voter privacy debacle ahead of the September 17 election.

The business journal The Marker reported on September 9 that it had managed to access Likud’s voter database through a party website, including information the party had recorded on each Israeli’s relationship to the ruling party. For example, over 600,000 people were listed as “not supportive.”
