Google Forms may be a convenient tool for students or for surveys – but the software constitutes a significant vulnerability when it comes to gathering sensitive information.
Any request from an organization for personal details on Google Forms should be denied, but when such a request comes from the Israel Defense Forces, a denial is not enough. IDF commanders should be told clearly that this free online system must simply not be used within the army.
Many don’t understand the risks using Google’s system for sensitive information. Is it not secure enough? Is there a privacy problem by exposing the information to Google itself - and is it greater than the risk of uploading details onto other databases?
The answer is yes. Google’s system isn’t designed to gather personal, sensitive details because all the security in the world cannot protect against human error - no matter how small. All it takes is one wrong setting or a setting change and all the answers, as well as the respondents’ identification, are exposed. On Google Forms, one can change the form's settings from private to public. This is done to allow it to be shared among those who need to see the results, but it also makes it available online.
Software programs built especially to support forms and questionnaires, even those with inferior security, do not include functions to publish the data with a single click. On the IAF's Google Forms, this happened.
This is a problem as the forms allow both the gathering of sensitive, personal information and their inadvertent publication. This problem becomes worse when it comes to medical information and all the more so when the information comes from military units or pertains to soldiers’ medical condition. Since quite a few units in the Israeli army use this tool to streamline organizations processes – whether it is to communicate with reserve soldiers, gathering information from regular soldiers or even to conduct military operations – it constitutes a real issue.
A recent incident brought to my attention by a military source is good case in point: Some of the military units at the Israeli Air Force base of Hatzerim were vaccinated. Instead of filling in the required medical questionnaire during the vaccination, the soldiers were asked to fill it in on Google Forms.
- IDF coronavirus app revealed personal details of every serving Israeli soldier
- The Israeli army exposed the personal information of tens of thousands of soldiers
- Why trolls keep ‘Zoom-bombing’ your kid’s lessons – and how to stop it
Every soldier was asked to fill in their real I.D. number and name, as well as information about their general feeling, what their temperature was, whether they have been infected with coronavirus in the past and other matters related to the vaccination.
The problem was that the person who created the actual questionnaire enabled those uploading the data to examine the results fed into it. In other words, anyone who had the link to the questionnaire could access the data, including the soldiers’ I.D. numbers and names. Also, the results appeared chronologically, so it was possible to group the soldiers on the basis of the various units.
All this was accessible to anyone armed with a browser. This is the main problem in Google Forms. Also, with all due respect to Google Israel, Google is a foreign company and exposing military data to it may not be the best idea around.
I asked the IDF spokesman about it, and his office quickly removed the form from the internet and responded: “The IDF has approved, supervised platforms for the use of soldiers online. These soldiers are instructed in information security briefings not to provide personal details or details concerning their military service online via links or platforms that are not official and approved by the army. Any deviation from these instructions is looked into and dealt with accordingly. These cases have been dealt with and the instructions will be clarified.”