State issues toothless warning to political parties about abusing privacy

Statement lacks concrete updates, penalties

Prime Minister Benjamin Netanyahu speaking at the Knesset, February 2020. (photo credit: MARC ISRAEL SELLEM)
Prime Minister Benjamin Netanyahu speaking at the Knesset, February 2020.
(photo credit: MARC ISRAEL SELLEM)
The Authority for Defending Privacy issued a second statement on Tuesday regarding the crisis in which around 6.5 million Israeli voters’ personal information was leaked, but gave no real details about consequences or a timeline.
Sunday, Haaretz reported that the personal information of 6,453,254 Israelis was leaked, after the Likud Party uploaded the entire Israeli national voter registry to an application.
Besides the 2006 theft of the voter registry by two state employees for money, the leak is considered the most serious in Israeli history.
The leaked information includes names, identification numbers, phone numbers and addresses.
Political parties in Israel receive the information of Israeli voters before the elections, have to protect their privacy and cannot copy, erase or transfer the registry.
The voter registry was uploaded to an application developed by the company Elector, which the Likud Party uses on Election Day. A breach in the application allowed for the leaking of the voter registry which could then be downloaded on a computer.
The authority had already issued a statement on Monday night saying that it had opened a preliminary investigation into the actions of multiple parties involved in the leak.
The statement said that the authority would probe both the Likud officials responsible and third parties hired by the Likud who had obligations to protect the personal data.
In addition, the statement said that violators of the law could face criminal or civil penalties depending on their actions. A separate probe would need to be opened by police if criminal penalties were going to be considered.
However, there was no mention of what the penalties might be in this case nor was a timeline given for either fixing or responding to the crisis.
Tuesday’s statement was far more detailed about all of the specific rules and obligations imposed on political parties for guarding the privacy of voters.
But once again, there was little concrete about the current crisis.
For example, the statement explaining the rules about placing specific obligations on whichever senior party activist received a copy of the voter registry that limited who that activist could share the information with.
According to the authority’s Tuesday statement, the senior activist is responsible for training those under him about their duties to preserve voters’ privacy rights.
Junior activists are only supposed to be given access to data within the registry that they need for specific tasks they will perform, and not the entire registry.
Passwords and other defenses are mandatory for the political party and for those working on behalf of the political party.
When questioned about where the probe stood, how quickly it will move and what the consequences might be, a spokeswoman for the authority provided few details.
The spokeswoman confirmed that the authority visited the third party from where the leak originated, but would not confirm news reports which universally say it is Elector.
She said she could not guess a timeline for when the public would be informed officially about the scope of the leak and the expected consequences for those responsible since sifting through what occurred was complex and would take time.
Pressed that when there is a crisis in public policy areas other than privacy that the state and law enforcement often make arrests and issues significant details within 24 hours, she said that the issue was simply too complicated to move fast.
The spokeswoman clarified that civil fines could reach thousands of shekels and that the maximum criminal penalty was five years, though it was not at all clear that there will even be a criminal probe since the police have remained silent.
She also said that private citizens could sue for damages in civil damages lawsuits if they could prove that violation of their privacy caused them damage.
Though former Shin Bet (Israel Security Agency) cyber official Harel Menashri told The Jerusalem Post on Monday that the leak was nothing short of “disastrous” and could endanger national security by providing access to key officials’s personal data to Iran and other foreign intelligence agencies, the authority’s approach does not seem to reflect any sense of crisis.
Leading into the April 2019 election, there was a hack of Blue and White Party leader Benny Gantz’s cellphone which also raised cybersphere questions – that time about political parties’ sufficient defenses from hacking.