With Israel’s fourth election in two years next Tuesday, concerns about the security of the electoral process from cyberattacks are back on the agenda.
While Israel’s paper-ballot system makes the vote-counting process generally secure from foreign actors, a number of other parts of the democratic process remain vulnerable, experts say.
One is the way that political parties use their private data, said Nimrod Vax, cofounder of BigID, a Tel Aviv-based “unicorn.” BigID offers a data-intelligence platform that enables organizations to monitor sensitive enterprise data.
“Some political parties have very sensitive information about people, including their political affiliations,” Vax said. “But not all data is allowed to be collected. You need to ask people’s permission and offer the opportunity to opt out.”
In recent days, the Likud has come under fire for questionable tactics in building its database, allegedly using a voter-management system called Elector that encourages users to provide personal information about acquaintances and relatives, including whether they are Likud voters.
The Likud is scraping personal information from the Truecaller caller-ID app to send voters personalized messages, despite privacy protection laws that allow voters’ details to be used for contacting them only, another investigation by Haaretz found.
In last March’s election, databases used by Likud were leaked, revealing personal details of nearly a million voters. Among the data points compiled in the spreadsheets were whether certain individuals were Likud voters.
Meanwhile, reports in the press indicate that Gideon Sa’ar’s New Hope Party is using a rival voter-management application that profiles potential voters in similar ways. Parts of that database, likewise, have been leaked to the public.
“This is very sensitive info that needs to be protected,” Vax said. “As we all learned during the Facebook-Cambridge Analytica data scandal several years ago, the collector of data is held accountable for how the data is used. You can’t just blame a data breach on others.”
Meanwhile, individuals need to be aware of the dangers of giving information to unknown parties, he said, adding: “If you click on one of the SMS messages everyone is getting, asking who you plan to vote for, the details of your political affiliation are now out there in cyberspace.”
Much of the discussion about data privacy in the United States centers on invasive marketing tactics from corporations, Vax said. In contrast, the European Union is much more vigilant about privacy dangers because of its dark history of dangerous regimes gathering information to use against citizens.
“That’s why some of the first priorities listed in the EU’s GDPR regulations limit gathering data about an individual’s political and sexual orientations,” he said.
The Israeli public has been generally quiet, as there is a sense that individuals are powerless to protect themselves, Vax said. Therefore, the need for lawmakers to enforce privacy regulations is critical, he said.
According to Etay Maor, senior director of security strategy at Tel Aviv-based cybersecurity firm Cato Networks, the biggest risk of election interference from overseas is not from direct attacks on the vote count; rather, it is from misinformation campaigns by malicious actors.
“These people want to undermine the entire system by convincing people that it doesn’t work,” he said. “They want you to think it doesn’t matter if you vote.”
That may begin with ads on Facebook or other manipulations of media that subtly inject new ideas into different networks, Maor said.
“Creating distrust is actually the goal of these actors, not just the means,” he said. “In the US, we have watched the same actor invite some people to a Black Lives Matter protest and others to a planned parenthood protest on the same night.”
“Attacks on polling stations and vote counting aren’t scalable and are easily detectable, but misinformation is extremely effective,” he added.
New “deepfake” technology will allow malicious actors to create lifelike videos of politicians and influencers saying anything they want, Maor said. Security technologies will evolve to help identify and weed out such misinformation, but they will always be steps behind, he said, adding: “Your best weapon is the vigilance to verify facts.”
Meanwhile, Tomer Gershoni, senior director and head of security engineering and cyberdefense at publicly traded cybersecurity company Imperva, said digital voting systems eventually will suffer hack attacks.
“I’m not aware of any cyberattack that has ever been done on a country’s election systems, but I have reasons for concern,’ he said. “Any digital system that has information going from one place to another can be hacked, and election systems are no exception.”
Actions taken by Facebook and other social-media networks have somewhat mitigated the risks posed by misinformation, Gershoni said.
“Since the US elections in 2016, when the impact of foreign influence on the results was dramatic, social-media companies have taken many proactive and even extreme steps to stop them,” he said. “However, we will continue to see the spread of fake news everywhere. There are no complete solutions.”