The Justice Ministry’s Privacy Protection Authority said Monday it was looking into an alleged massive exposure by the Likud party of private information from Israel’s entire voter registry, in one of the largest and most compromising leaks of Israelis’ personal information in the nation’s history.
In a statement, the authority said it had “initiated an oversight process due to suspicions of violations of the Privacy Protection Act and Privacy (Information Security) Regulations, following the leak of information on the voter registry.”
“Privacy Protection Authority supervisors are currently in the offices of one of the companies from which the voter registry with the personal information was allegedly leaked,” the statement said, adding that the authority was partnering with other government bodies to prevent further leaks of information.
Haaretz reported that officials visited the offices of the Elector app, which is at the heart of the data leak.
Monday’s development came after a petition filed last week against the Likud party accused it of using its access to the official Central Elections Committee voter registry to create a database of all voting-age Israelis that it then made available to its grassroots activists through the publicly available app Elector.
The app is intended to enable political parties to conduct real-time data-crunching on election day, showing vital information on individual voters, polling stations (including rates of support for a party by station) and regions. But a flaw in the app’s web interface gave “admin access” to the entire database, allowing anybody to access and copy the Israeli voter registry, along with additional information gathered by Likud about hundreds of thousands of voters.
The privacy authority clarified in its statement that responsibility for protecting the information in the registry “is first and foremost that of the parties.”
Noting the added responsibility parties have when outsourcing projects, the authority said they “may be criminally or civilly liable in the event of a breach of the Privacy Protection Act.”
The Likud campaign has spent weeks publicizing access codes to the app across the party’s social media accounts and activist networks in a bid to mobilize its grassroots to collect information that would help it target voters on election day. That effort effectively granted access to the database to countless individuals who were not directly cleared to view the information.
It is not clear if there were any limits to users’ ability to obtain information from the database using the Likud campaign’s access codes.
According to the app’s Google Play Store page, Elector was updated on Thursday, the same day the petition was filed with the Central Elections Committee, to limit the number of daily searches of the database a user was permitted to make.
Under election privacy laws, political parties are allowed to access the voter registry, but not to pass on the data to a third party. The petition, filed by attorneys Shahar Ben-Meir and Yitzhak Aviram, and accompanied by research into the app from experts in the field, claims that Likud’s handing over the database to Elector, which hosted it on its own servers, amounts to an egregious violation of the law.
The petition says the Shas party has also made use of the app in similar ways, as the two parties’ campaigns have been coordinating their efforts.
Likud first employed Elector in Prime Minister Benjamin Netanyahu’s December 26 primary race against rival Gideon Sa’ar. It has since been used by Labor party MKs and by the Yisrael Beytenu party as well.
On Sunday, Central Elections Committee head Supreme Court Justice Neal Hendel ordered all concerned parties, including Likud, Shas, the company that made Elector, Attorney General Avichai Mandelblit and the Privacy Protection Authority, to respond to the petition by Wednesday.
Experts said there is no way to know who obtained the information contained in the database.