Election Results Pending, One Thing Is Clear: Israel Needs Better Privacy Laws

While the final results of Israel’s election for the 23rd Knesset are still pending, the weeks that preceded Monday’s voting made one thing clear: the real losers are Israel’s citizens, at least where privacy is concerned. The race to the polls aggravated existing privacy violations. It also highlighted the need for new legalization that can put Israel on the same level as the European Union’s stringent regulation, and for a privacy authority with better manpower and reach.

Empowering Israel’s Privacy Protection Authority

One of the main issues that surfaced ahead of this election round was a series of data leaks from the ruling Likud party’s website and its campaign app, developed by Elector Software Ltd. Israel’s complete voter registrar was exposed online on three separate occasions as a result of breaches in Elector’s defenses. Some citizens had sensitive information, including political affiliation and medical data, exposed.

The fact that these breaches keep happening is frustrating, but even more so is the lukewarm response of the relevant authorities—first and foremost the Privacy Protection Authority. Following the discovery of the first breach, the authority announced an audit, which is still ongoing and which did not prevent the next leak.

The blame is not solely the authority’s, though. It is operating at a disadvantage, a result of systematic neglect that is possibly deliberate. The authority does not currently have a full-time chairman, with head Shlomit Wagman pulling double duty as the head of the Israel Money Laundering and Terror Financing Prohibition Authority. Furthermore, the authority has no executive power that would have enabled it to take quick, decisive action or levy more intimidating punishment. If the new government truly cares about the privacy of its citizens, strengthening the privacy protection authority should be among its first actions.

Regulating campaign apps

The multiple breaches highlighted the dangers of any disruption to the operation of campaign apps like Elector. The plentiful data parties collect about voters to motivate them on election day can be used for much more nefarious purposes. Parties can choose to send targeted messages, for example: a voter with a chronic condition might receive a text promising a healthcare reform should the party win, while a parent with children serving in the army might be motivated by a message promising efforts to curtail conflicts. These apps can also be used to discourage voters, for example via announcements that a coronavirus case was discovered at their assigned poll.

These apps came into wide use without relevant authorities holding any discussion about their potential impact on the sanctity of the electoral process, about needed regulation, or the legal boundaries. Likud went even further, turning Elector into a major part of the party’s campaign, and like any main campaign element, rules should be set in place to make sure one party does not have an unfair advantage over the others.

Preventing fake texts

A week and a half before the election, hundreds of thousands of Likud supporters started receiving suspicious messages from a phone number promoted days earlier on Twitter by Prime Minister and Likud head Benjamin Netanyahu. The first SMS entreated people to remove Elector from their mobiles. “We are working to secure the app to prevent left-wing activists from taking over your phones, until work is done the app must be removed,” they texts said.

Subsequent texts read: “as part of our app’s security upgrades and to protect your safety, all the usernames and passwords stored on your phone have been sent to Likud’s secure cloud service, which is protected by top experts. A fee of NIS 180 will be automatically charged to your bank account on the 18th of each month.” NIS 180 is approximately $52.

The messages were found to be sent by an anonymous troll. One of the receivers, tech worker Yogev Ezra, dug around and discovered that the texts were sent using the messaging system of mobile provider Telzar 019 International Telecommunications Services Ltd. Ezra approached the company to reveal the identity of the sender, but was rejected for several reasons, including privacy concerns. A petition Ezra submitted to the national voting committee to compel Telzar to reveal the sender was accepted, but with less than a day to the election, the committee allowed Telzar to do so after the election was over.

This is a case of a company that, for its own reasons, is withholding information that could shed light on the identity of a person attempting to tamper with the electoral process. The issue is twofold: first, there are no legal tools that would enable quick action to force parties to reveal information against their will, even though the voting committee did accept the petition. Furthermore, the law does not forbid sending SMS from false numbers. While sending fake messages as part of campaign propaganda is illegal, the mobile operators are not able to prevent such messages anyway.

For this issue, at least, some change is underway. The Ministry of Communication is currently completing a process that could see the license of mobile providers change so that messages sent with a number as a name would only be possible if the owner of the number has verified it. Such an amendment would prevent future cases of the kind of trolling Likud has experienced.

Updating Israel’s privacy protection law

The previous issues discussed are all eclipsed by one matter that requires immediate action: Israel’s privacy protection law. This law has seen almost no updates since it was passed in 1981, and it does not seem to be on the agenda of any lawmakers. Outdated regulation is at least one cause for the chaos experienced recently.

But this could also have serious implications for the local tech scene. Today, Israel complies with the EU when it comes to an adequate level of protection of personal data. This adequacy, awarded in 2011, enables Israeli companies to use the data of EU residents and sell them data-based products. But Israel received its stamp of approval before GDPR came into effect in 2018, and there is real worry Israel will no longer be up to par now that compliance is being rechecked.

This is an arduous task that requires completely new legalization, but lawmakers will not have to start from nothing. Jerusalem-based independent research center the Israel Democracy Institute has already written a bill that will enable Israel to catch up with the rest of the world when it comes to privacy. Passing the bill successfully will require inter-party cooperation, and in the long-term, that lawmakers across the board deal with the many privacy issues that have come to light in recent weeks—and with issues that are still to come.