Reports over the past few days from Israel and foreign media exposed the massive data breach of Israel’s election database. Though those reports conveyed the outline of the hack, they did not convey its full extent and damage.
The Likud Party has been the most aggressive in its Cambridge-Analytica-type collection of massive amounts of data on Israeli voters. Its digital campaign is far more sophisticated than that of any other party. This process began during the last two elections when the Party used the Facebook chatbot to directly appeal to Israeli voters. Messages purporting to be directly from the Prime Minister himself solicited voters to convey their personal data via the app; and to make personal calls and text messages to friends and family to encourage them to do the same. This, combined with Facebook advertising features permitting the Party to search for accounts with similar political views, enabled it to amass a database with names, phone numbers, and political affiliation of over 1-million voters.
If you review the screenshot for the Facebook ad displayed here, it shows that the user speaks Amharic (the native language of Ethiopian Israelis). The criteria used to determine that the user would be shown the ad included that the Likud was aiming to find other users similar to this person who are 18 years and older, and who live in Israel. If the user takes action, then the Likud may use their list of Friends and send to those whom the algorithm determines are like-minded.
Though privacy advocates complained about the abuse of the Facebook feature both to the company and the election commission well before the last election, neither engaged in any action against it till just before voting day. By then, much of the damage had been done.
Nonetheless, indictments were filed against both Netanyahu himself (the chatbot messages purported to be directly from him) and his U.S. campaign consultant, John McLaughlin. The latter was recently appointed to run Donald Trump’s 2020 New York State election campaign. Presumably, he’ll exploit the same set of dodgy tools as the ones he used in the Israeli election.
Just as Israel has become a laboratory for “experimenting” on Palestinians, Lebanese and Syrians with the latest Israeli and U.S. military weapons, so too its voters have become “lab rats” in testing the limits of electoral fraud and manipulation; just as Trump’s campaign managers and those of other right-wing authoritarian regimes like Orban’s Hungary and Law and Justice’s Poland, are watching this Likud experiment to see how far the Israeli state will permit it to trample on voters’ rights and privacy. Further, they are watching for the impact these shenanigans have on the overall confidence citizens have in the integrity of their elections. As far as they’re concerned, a cynical voter who has either embraced Likud wholeheartedly or renounced its rivals because s/he no longer believes their vote counts–is just the sort of scenario that benefits them electorally. We saw that here in the U.S. in 2016 and in the Brexit election in the UK.
You have often read my imprecations about the Israeli security state, which sacrifices the individual rights of citizens on the altar of defending the nation. These choices made by Israelis and their leaders have far-reaching implications. They sanction the widespread corruption in Israeli society; they sanction the massive weapons exports to genocidal regimes; they sanction the peonage of the Palestinian people; and finally they overlook egregious violations of Israeli voter privacy, as part of the price Israelis pay for being the so-called Start-Up Nation.
Elector, the New-New Thing in Election Technology
While the Likud continues to exploit the Facebook chatbot, it has new tools at its disposal which provide ever greater violations of voter privacy. By law, the State provides every political party with a download of the voter registry. Parties may use them to communicate with voters.
But the Likud has taken this raw material to an entirely new level. Using a new app, Elector, developed by a computer consultant who works at the Technion, the Party has enhanced its existing Facebook data, populating it with the newly acquired voter registration information. It now has access to the full name, phone numbers, age, gender, ID number, mother and father’s names, native language, political affiliation, residential address of every Israeli adult–6.5-million. Elector is also available for download via the Google and Apple app stores.
But that’s by no means all. Party activists who download the app may input reams of other data to supplement what is currently available. There are fields denoting whether the voter is pro or anti-Likud or potential supporter; how likely they are to vote; whether they have voted; their native language; names of friends and family and who they are likely to vote for.
Israeli cyber-security consultant Ran Bar Zik examined the Elector app as part of his work vetting media applications for Verizon Media. He discovered to his astonishment that after downloading the app he could view the source code of the web page. Embedded within the source code were the usernames and passwords of the Likud Party official responsible for the app. Once he logged in as administrator he had access to every name and every piece of data in the database. This wasn’t even a hack. This was simply right-clicking on a web page and viewing its source code (slightly more complicated than that, but not much more). That’s all it took to expose the private data of every adult Israeli. He first aired his findings on his podcast, Cyber-Cyber.
Though this was the chief vulnerability, there were other grave errors in the manner in which the app worked. When Likud members were encouraged via text or email to download the app, they were given a URL to do so along with a username and password. There was no authentication of users who registered to use the site or app. No one was required to offer their email address and verify it. This violates the most basic tenets of app security. Further, if the user chose to forward the app solicitation messages to others, they could use the same login data to access it as well. There was absolutely no security associated with this aspect of the site’s operation. Nor could the administrators be sure that the users they intended to have access were the only ones who did.
Bar Zik used a VPN and logged in to the Elector site from a foreign country. He wanted to test whether his access was restricted, given that the app itself was supposedly created only to be used by Israelis for the purposes of Israeli elections. He had no problem logging in to the site using a foreign IP address.
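The chief flaw described above was credentials delivered inside the page source, where any visitor can read them. As an added example (not code from Elector or from Bar Zik's research), this is a pre-release check a developer could run over their own rendered pages to flag credential-like values before launch; the name patterns and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic names that suggest a secret (assumed for this example).
SECRET_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key)", re.I)
# key = "value" or key: "value" inside inline JavaScript or JSON.
ASSIGNMENT = re.compile(r"""["']?([\w-]+)["']?\s*[:=]\s*["']([^"']{4,})["']""")

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<html><body>
<!-- TODO remove: admin password for staging -->
<form><input type="hidden" name="admin_password" value="constructed-value"></form>
<script>
  var config = { apiUrl: "/api/v1", adminUser: "admin", adminPassword: "constructed-value" };
</script>
<p>Forgot your password? Contact support.</p>
</body></html>"""

class SourceAudit(HTMLParser):
    """Collects credential-like values from a page exactly as a browser receives it."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        attrs = dict(attrs)
        # Hidden or pre-filled form fields that carry a secret to the client.
        if tag == "input" and attrs.get("value") and SECRET_NAME.search(attrs.get("name") or ""):
            self.findings.append(("input", attrs["name"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only inline script text is checked; visible prose is ignored.
        if self._in_script:
            for key, _value in ASSIGNMENT.findall(data):
                if SECRET_NAME.search(key):
                    self.findings.append(("script", key))

    def handle_comment(self, data):
        if SECRET_NAME.search(data):
            self.findings.append(("comment", data.strip()[:40]))

def audit_page(html):
    """Return (location, name) pairs; a release gate fails when the list is non-empty."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A check like this only catches literal values; the fix for any finding is to keep the credential on the server and require each user to authenticate individually.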
Which Foreign Intelligence Services Likely Downloaded Elector and the Voter Database?
In fact, cyber-security researcher Dr. Anat Ben David, a senior lecturer at Israel’s Open University, has discovered in her examination of the app that it has already been downloaded by users in Russia (1), the U.S. (9), China (2) and Moldova (17). You can be damn sure that those downloading the app are not script kiddies. Rather, they are much more likely to be national intelligence agencies seeking access to as much information as they can find about the citizens of a country as important as Israel. Several lawyers filed a complaint with the Israeli election commission. Their appeal, which includes Dr. Ben David’s findings, is here (pgs. 45-58).
Lest you think this may be academic, these researchers searched and quite easily found the personal, private data on the IDF chief of staff (and his entire family) and the Prime Minister and his family. Such data could be immensely valuable to a foreign intelligence agency, business rivals of Israeli companies, and a host of other interested parties. This data breach violates the integrity of the Israeli election system and degrades the public’s faith in its democracy. An Israeli privacy advocate says that it has “turned democracy into a farce.” And another activist declares that by not regulating these new technologies government officials “have permitted a ticking bomb in our electoral system.”
But perhaps even more grave, Elector poses a major security threat to the nation. Considering how secretive the IDF is in shielding the identities of its senior commanders lest they be targeted for war crimes prosecutions, the names and addresses of every IDF officer are included in the database. Though their ranks and units may not be, these can be discovered using other means and correlated to what’s in the voter registry.
Clearly, as the Iowa Democratic Party and the developers of the Shadow voting app learned to their chagrin, a basic tenet of cyber-security is to do a full security audit of a product before it is launched. You offer it to users to test and to hackers to test vulnerabilities. Only then do you release the product live. To do anything less invites the disaster facing Elector and the Likud.
What’s worse is that when Ben David discovered that Likud was using Elector, she did her own audit and warned in a report that the app was neither safe nor adhered to basic privacy provisions. She was ignored and this is the result.
Elector’s CEO, Tzur Yemin, in statements to Israeli media mouthed meaningless platitudes which sound good, while not addressing the abysmal failures of his product:
It is important to me that the company maintain high standards of privacy and information security. I must not relate to any of these issues by minimizing them in any way. This is something very important to me. From a personal standpoint, I am an Israeli citizen and would never want my own personal information to leak. This is my responsibility to the political parties. If I do not provide maximum security according to the highest standards, they’ll go to my competitors.
The app was developed by senior professionals in the field of information security…We never compromised in building the app. We never were satisfied with delivering a mediocre product. We want this to work well and be secured under the strictest of standards.
Failure of Israeli Election Officials to Do Their Job
In fact, Israeli authorities accept no regulatory responsibility for these abuses. They say that the Parties are meant to police themselves. Like the fox guarding the chicken coop?
In this day and age when there are millions of apps performing hundreds of thousands of critical functions for human beings, it is beyond shocking that someone calling himself a developer can produce such a product. But the same can be said for the Shadow app. How could a major political party in one of the most technologically sophisticated countries on earth have permitted that app to be used in such an important primary caucus? What were they thinking?
Nor has anyone linked this disaster to an even worse one that befell the same Democratic Party: the 2016 hack of the DNC computer server and leak of thousands of its emails which were used to discredit the Party and its presidential candidate. In that case, a few heads did roll. But the successors as leaders of the Party seem to have learned no lesson from it. For this, they deserve for their heads to roll.
The GOP and its consultants working for Israeli candidates use these elections as testing grounds for new technology. You may be sure that Brad Parscale is watching with great interest not only Netanyahu’s election prospects, but how Elector was used. And just as the Likud used and abused the Facebook chatbot and the Israeli voter registry, the Trump camp will be taking these tools and using them right up to the edge of what’s permissible, if not beyond. American voters must beware lest they become guinea pigs for Trump’s craven manipulation of election law and democratic processes.
They’re not getting any help from Trump’s GOP, which exploited Russian hackers to defeat Clinton, and seems just as content for something similar or worse to happen in 2020. A GOP senator single-handedly defeated a measure that would have enhanced election security. Why? Because election tampering and sabotage benefit the Party. This is a Brave New World opening before us. But just as in Aldous Huxley’s novel, it is a dystopian universe. We must put the brakes on these grave developments and take back our democratic processes.
Lest anyone think Israel is the only country which has suffered such breaches, in 2018 virtually the entire U.S. voter database was exposed on an unsecured Amazon server by a GOP data analytics company. Though the server was ultimately secured, the lapse permitted anyone full access to massive amounts of private information:
According to UpGuard, the folder includes dozens of spreadsheets containing a unique GOP identifier for each voter for the 2008 and 2012 presidential campaigns, which link to “dozens of sensitive and personally identifying data points, making it possible to piece together a striking amount of detail on individual Americans specified by name.” A folder containing 2016 data only, included files for Ohio and Florida, two crucial battleground states.
Each record lists a voter’s name, date of birth, home address, phone number, and voter registration details, such as which political party a person is registered with. The data also includes “profiling” information, voter ethnicities and religions, and various other kinds of information pertinent to a voter’s political persuasions and preferences, as modeled by the firms’ data scientists, in order to better target political advertising.
Last September, Noam Rotem exposed yet another massive data breach. This one encompassed the entire population of Ecuador: even more private data was included than in the Likud case (technical information on the exposed database was published by ZDNet). But unlike in Israel and the U.S., Ecuadorean authorities arrested the general manager and CEO of the company which left the database exposed.
The only way to prevent such gross ineptitude is by doing what Ecuador did–instituting criminal or civil penalties for any company violating voter privacy. There must be robust standards in place and those who violate them must be held accountable in some meaningful way beyond the embarrassment that comes from public disclosure.
Finally, some context to my views on Israeli elections in general: while citizens vote and candidates are elected, I do not see Israel as truly democratic. The Israeli state is an ethnocracy in which Jews have superior political, economic and religious rights. Views of the minority are routinely criminalized and suppressed. So in a sense I totally understand why many voters (especially Palestinian citizens) would give up hope in the entire process. Thus, the reason I’ve written this is not so much to protect or reform the current political system, but to point to its weaknesses and dysfunction so that a new fully democratic system may one day replace it.