The sky fell in on our data privacy and nobody noticed - analysis

The sky fell in this country and no one even noticed.

Personal data source code (Illustrative) (photo credit: PIXABAY)
Personal data source code (Illustrative)
(photo credit: PIXABAY)
Last week, the Privacy Authority handed down its most important decision in history, finding that the Likud, Yisrael Beytenu and Elector, a third party working for the Likud, had violated almost every privacy rule in the book in their handling of the digitized personal data of voters.
While acting Privacy Authority Director Shlomit Wegman-Rotner applauded the decision and likelihood that it would fine Elector and possibly even the political parties as major new progress, the message to those possessing citizens’ personal data was that no one cares what they do.
In February 2020, the personal information of 6,453,254 Israelis was leaked after the Likud Party uploaded the entire national voter registry to an application.
Besides the 2006 theft of the voter registry by two state employees for money, the leak is considered the most serious in Israel’s history.
The leaked information included voters’ names, ID numbers, phone numbers and addresses.
Israeli political parties receive information on voters before elections, and they are bound by law to guard it. They are forbidden from copying, erasing or transferring the registry.
The voter registry was uploaded to an application developed by Elector, a company that Likud used on Election Day. A security breach allowed the voter registry to be downloaded to a computer.
The leak was nothing short of “disastrous” and could endanger national security by providing access to key officials’ personal data to Iran and foreign intelligence agencies, former Shin Bet cyber official Harel Menashri told The Jerusalem Post at the time.
So the response of the government to possibly the greatest privacy breach in the country’s history was... fining titanic political parties and a large private company maybe up to a measly tens of thousands of shekels?
For these major players, this is hardly even paying a parking ticket.
No one even discussed potential criminal charges for violating privacy, though such criminal charges do exist.
So unconcerned by the decision was the Likud, that it did not even issue an official response.
Yisrael Beytenu and Elector blamed each other and the Likud, denied responsibility or said there was some isolated error that has been fixed.
None of the parties aiming to topple the current coalition said much about it or have adopted it as a significant campaign issue.
No harm done to the 6.5 million people, and everyone should just move on as if nothing happened.
Unfortunately, the writing was on the wall that the government’s response would be weak from the beginning.
Back in February 2020, the privacy authority gave no details about the potential consequences of the leak or a timeline to plug it.
When asked throughout the last year for updates, there was no feeling of imminence from the authority.
In November 2020, a spokesperson for the Privacy Authority told the Post that there might be a decision soon, but that it could also take a few more months.
One might have thought that if the Authority wanted to have any impact on the current election that the decision would be rushed to come out in December 2020.
With a decision a full month into election season, clearly improving the process for the current election was not a top priority for the authority or anyone else.
The Authority clearly took pride in meticulously diagnosing and listing all the many errors that Likud, Yisrael Beytenu and Elector made regarding protecting privacy, but it can be pretty easily summed up: they didn’t do anything to protect privacy and no one from any of these groups had designated any individual as responsible for caring.
As if the audience was a group of children and not grownups who know that enforcing legal obligations requires due diligence, the Privacy Authority said that it was improper that the political parties had just taken Elector’s word for it that everything would be protected.
Of course, Elector blamed the Likud for the most problematic voter data breaches, saying the party had gone rogue and added voters’ medical data to its own internal lists.
How is it that there are not bigger consequences?
Apparently, most of this is not the Privacy Authority’s fault as that is the state of the current law.
It seems that no political parties want limits on their efficiency for sharing and moving around voter data so there are basically zero or negligible penalties.
So why isn’t the public up in arms?
It is not clear if the public is clueless, feels too disempowered by not understanding the technological issues, still embraces efficiency over privacy or some other reason.
One staggering stat which puts some fault on the public came from the Privacy Authority with a different report in November 2020.
In that report, the Authority said that private companies that store and use customers’ personal information are deficient a staggering 71% of the time when handling that data, especially with regard to third parties.
Thirty-six surveyed corporations continued to ignore updated legal guidelines for protecting personal data.
Breaking down the 71% figure, the report said 53% of companies handling customers’ personal data in regard to third parties was moderately deficient, while 18% were significantly deficient.
If all of our data is being misused by more than two-thirds of the private sector, what should we care if public officials are doing the same?
Whoever is to blame for the toothless laws for enforcing privacy, it seems that without a sustained public outcry combined with political parties making it part of their platforms, the issue is likely to continue to repeat itself.