Likud Expected to Be Fined for Privacy Leaks in Its Election App

In February, Haaretz revealed that Likud's Elector campaign app led to the exposure of personal data of 6.5 million Israelis who make up the voter registry

Likud election campaign launch in Jerusalem, January 2020. Credit: Emil Salman

The Likud party is expected to be fined for the security breaches in its Elector campaign app, which led to the exposure of personal data of 6.5 million Israelis who make up the voter registry, said sources in the Justice Ministry. Tzuriel Yamin, the CEO of the company behind the app and its developer, is also expected to be fined by the Justice Ministry’s Privacy Protection Authority.

This is a precedent-setting decision on the part of the privacy authority because no party has ever been fined before for the exposure of information from the voter registry. The amount of the fines that can be levied by law is low relative to Europe, and is likely to amount to only tens of thousands of shekels.

The privacy authority opened its investigation against Likud accompanied by the cyber department of the State Prosecutor’s Office after two breaches were found in the application in February, before the last election in March. The examination focused on violations of the privacy protection and elections laws, which make the parties responsible for the confidentiality of the voter information they receive from the Interior Ministry.

The data leak was first revealed by Haaretz at the beginning of February. Elector exposed information of 6.5 million Israelis, including their full names, ID numbers, addresses, phone numbers and the polling station where they vote. Elector also included information entered by users, such as the political views of the voter – and their relatives and neighbors – without their knowledge or agreement.

A Likud campaign event in Lod, Israel, February 2020. Credit: Ilan Assayag

The severe security breach allowed anyone who downloaded the app to have access to the full voter registry. In an interview with Haaretz, the developer of the app admitted that one case was discovered of information leaking. He said he filed a complaint with the police and privacy authority.

Likud officials say they were surprised by the expected findings of the authority’s investigation. A month after the election, privacy authority staff conducted a check on the security and use of the voter registry, a routine examination done for every party, and “since then we have not heard from them,” said Likud officials.

At the same time, the police are investigating whether anyone actually took advantage of the data breaches and downloaded the voter registry – so far without any results. The voter registry contains personal information and addresses of all Israeli citizens, including military officers, judges, senior prosecutors and senior security officials. The Elector app also contained personal information entered by Likud activists about the political views of voters. Even though the app had security holes, as far as Haaretz knows, there is no evidence that the voter registry and the political information on citizens was extracted from the application.

Since the last election, the privacy authority has asked Elector for more information and made more inquiries. Yaron Yadid, the lawyer representing Yamin, said Elector cooperated with the investigation and provided all the information needed. Yadid said he also sent a number of letters to the head of the enforcement department in the privacy authority and asked to speed up the long process, because it was critically harming the company.

As a result of the investigation against Elector, the privacy authority intends to promote an amendment to the law to allow it to extend its enforcement tools against a leak of the voter registry and to significantly increase the fines it can levy on political parties. In 2012, an amendment to the privacy protection law was proposed, which would have increased the sanctions against violators – but former Justice Minister Ayelet Shaked prevented its passage during her term. The State Comptroller’s report from 2019 recommends passing an amendment to strengthen the privacy authority and grant it greater authority to deal with violations.

The party that handed over the voter registry is supposed to be responsible, “because it was used in a way that exceeds what is permitted,” explained the founder and former head of the privacy authority, attorney Yoram Hacohen. “The status of Elector is the status of ‘holder of a database,’ in other words – it has been given the permission to make use of the data, to process it – and this was done in an illegal manner.”

Hacohen said that the authority can order changes in the system to prevent the repeat of such an incident. “The registrar of databases can define a set of regulations that clarify that this is a violation of the law.” In such a case, if a party ignores the instructions, it will be possible to request a restraining order and stop such activities.

Likud used Elector in the months before the last election in March. Lod Mayor Yair Revivo headed the Likud election campaign at the time and was responsible for promoting the use of the app at party forums. “Where’s the Elector? Where’s Revivo and the Elector?” Netanyahu said as he opened his campaign rally in Hadera a month before the election. A lot of time was devoted at all the party’s rallies to explain to the crowd how to download the app and how to enter the information Likud was interested in.

The privacy protection authority would not deny or confirm the report. The Likud declined to comment.
