Use of Google Forms Leaves Israeli Air Force Exposed

As part of the IDF’s vaccination drive, soldiers were instructed to report their details on Google’s platform. The free online program can expose personal details. Why does the IDF keep using it?

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
An IAF pilot at the Hatzerim base. The medical questionnaire sent out to soldiers on the base through Google Forms revealed their I.D. numbers and personal info
An IAF pilot at the Hatzerim base. The medical questionnaire sent out to soldiers on the base through Google Forms revealed their I.D. numbers and personal info Credit: Ilan Assayag
רן בר זיק - צרובה
Ran Bar-Zik

Google Forms may be a convenient tool for students or for surveys – but the software constitutes a significant vulnerability when it comes to gathering sensitive information.

Any request from an organization for personal details on Google Forms should be denied, but when such a request comes from the Israel Defense Forces, a denial is not enough. IDF commanders should be told clearly that this free online system must simply not be used within the army.

Many don’t understand the risks using Google’s system for sensitive information. Is it not secure enough? Is there a privacy problem by exposing the information to Google itself - and is it greater than the risk of uploading details onto other databases? 

The answer is yes. Google’s system isn’t designed to gather personal, sensitive details because all the security in the world cannot protect against human error - no matter how small. All it takes is one wrong setting or a setting change and all the answers, as well as the respondents’ identification, are exposed. On Google Forms, one can change the form's settings from private to public. This is done to allow it to be shared among those who need to see the results, but it also makes it available online.

Software programs built especially to support forms and questionnaires, even those with inferior security, do not include functions to publish the data with a single click. On the IAF's Google Forms, this happened.

This is a problem as the forms allow both the gathering of sensitive, personal information and their inadvertent publication. This problem becomes worse when it comes to medical information and all the more so when the information comes from military units or pertains to soldiers’ medical condition. Since quite a few units in the Israeli army use this tool to streamline organizations processes – whether it is to communicate with reserve soldiers, gathering information from regular soldiers or even to conduct military operations – it constitutes a real issue.

A recent incident brought to my attention by a military source is good case in point: Some of the military units at the Israeli Air Force base of Hatzerim were vaccinated. Instead of filling in the required medical questionnaire during the vaccination, the soldiers were asked to fill it in on Google Forms.

Every soldier was asked to fill in their real I.D. number and name, as well as information about their general feeling, what their temperature was, whether they have been infected with coronavirus in the past and other matters related to the vaccination. 

The questionnaire sent to IAF soldiers asked for their I.D. numbers as well as other personal information that could then easily be found online as the link to the form was publicCredit: רן בר-זיק

The problem was that the person who created the actual questionnaire enabled those uploading the data to examine the results fed into it. In other words, anyone who had the link to the questionnaire could access the data, including the soldiers’ I.D. numbers and names. Also, the results appeared chronologically, so it was possible to group the soldiers on the basis of the various units.

A list of ID numbers belonging to IAF soldiers exposed by the public form the air force used as part of its vaccination driveCredit: רן בר-זיק

All this was accessible to anyone armed with a browser. This is the main problem in Google Forms. Also, with all due respect to Google Israel, Google is a foreign company and exposing military data to it may not be the best idea around.

I asked the IDF spokesman about it, and his office quickly removed the form from the internet and responded: “The IDF has approved, supervised platforms for the use of soldiers online. These soldiers are instructed in information security briefings not to provide personal details or details concerning their military service online via links or platforms that are not official and approved by the army. Any deviation from these instructions is looked into and dealt with accordingly. These cases have been dealt with and the instructions will be clarified.”

Click the alert icon to follow topics: