Your Fingerprint: Coming Soon to a Terrorist Near You

Israel is about to mandate biometric identity cards and passports, further chipping away at personal privacy.

A person uses a sensor for biometric identification on a smartphone.
A person uses a sensor for biometric identification on a smartphone. © Fabrizio Bensch / Reuters/R

More than 80% of the policemen investigated by the internal affairs unit admitted to using the police database for personal needs, sometimes for profit, a high-ranking cop told Haaretz in June 2016. Now the biometric database law has come into being, ruling that from now on, Israeli identity cards and passports will all bear a chip with our biometric information, meaning a portrait photo and fingerprint. The law will come into force from July, after regulatory amendments, until which time the biometric pilot program will continue to operate.

It took the law nine years to pass through the Knesset, not least because of frenetic opposition. One of the amendments to be enacted has to do with police use of the biometric database.

One opponent is Prof. Eli Biham of the Technion – Israel Institute of Technology’s Cyber Security research center.

An image grab taken from a video released by Dubai police on February 24, 2010 allegedly shows two suspects in last month's murder of top Hamas militant Mahmud al-Mabhuh, at the airport in the Gulf emirate. Pressure mounted on Israel on February 25 as Australia became the latest country seeking answers over the use of Western passports in the Dubai killing by suspected Mossad agents of a top Hamas militant.
AFP

“Imagine that one day a husband finds a suspicious fingerprint in his and his wife’s bedroom,” Biham imagines. “He calls a private detective who bribes a cop to check the fingerprint in the database. Why should that even be a possibility?”

While the pilot project has been up and running for some time, nobody commissioned an inquiry into the risks a biometric database would pose, and how to reduce those risks, Biham adds. Other academics also argue the state shouldn’t impose the biometric database on the people.

Other Western countries don’t collect and keep biometric information to any such extent.

Last week, opponents of the law chalked up a triumph: The fingerprint won’t be mandatory. The state however does want fingerprints on record, so people who “pony up” will get their passports renewed for 10 years, and fingerprint-refuseniks only for five.

Minister Dery's fingerprint being scanned for Israel's biometric database, June, 2016.
Moti Milrod

It bears saying that the pilot program has been going on for three years and the state has already built up a base of over a million fingerprints.

The brain behind the biometric database is the counterterrorism administration. Its goal is to make forging Israeli papers more difficult.

Proponents say that the Interior Ministry cannot feasibly spot somebody who shows up pretending to be somebody else – what they call “duplicated enrollment.” The biometric database would make that impossible.

Opponents say that argument is specious and there are other ways to overcome enrollment duplication, which is a negligible problem anyway.

“Duplicated enrollment was presented as the rationale for the database, but it hardly exists,” cyber experts wrote in a report published in January. “There is no need for a database for the purpose of issuing smart cards to the people. If the security authorities want the database for their own purposes, they should say so.”

Meir Sheetrit, who as interior minister pushed for the biometric database, says the opponents are populist demagogues, adding that it’s a shame that a noisy group of opponents managed to frighten the government and people alike. The United States has the fingerprints of 2 million Israelis, he adds, and because of collaboration between intelligence services – that means Britain, New Zealand and Australia have that information too.

Passports presented by Dubai police after the murder of top Hamas militant Mahmud al-Mabhuh.

Probable hack

Even though the law finally passed, its story isn’t over. The Knesset has yet to approve regulations for it, and the Movement for Digital Rights, which hates the database, plans to sue, probably next week.

“A database that has the facial features of every citizen in Israel, that will probably get hacked or abused, as has happened before, is dangerous,” argues Dr. Tehilla Shwartz Altshuler of the Israel Democracy Institute. The potential damage to privacy and rights worries her: She thinks the whole thing should be abolished outright.

Databases do get hacked. In July 2015, some 35 million people worldwide, including 170,000 Israelis, waited with bated breath after hackers got into Ashley Madison’s cheating site and stole credit card and, shall we say, personal information. In Israel, the data of 9 million Israelis (living and dead, obviously) leaked, as did the Transportation Ministry’s database of facial photographs. And then there was the massive leak from the NSA courtesy of Edward Snowden.

FILE - In this Feb. 5, 2016, file photo WikiLeaks founder Julian Assange speaks on the balcony of the Ecuadorean Embassy in London. President Barack Obamaג€™s decision to commute Chelsea Manningג€™s sentence quickly brought fresh attention to another figure involved in the Army leakerג€™s case: Julian Assange. In a tweet in early January 2017, Assangeג€™s anti-secrecy site WikiLeaks wrote, ג€œIf Obama grants Manning clemency Assange will agree to US extradition despite clear unconstitutionality of DoJ case.
AP Photo/Kirsty Wigglesworth

Even the seemingly most secure databases in the world are vulnerable to hackers, which begs questions about the security of the Israeli biometric database.

Hostile elements are of two kinds: criminals and terrorists. Identity theft is a concern in both cases. Also, criminals could, for instance, frame people by planting stolen fingerprints, points out cyber expert Doron Shikmoni, formerly among the planners of the Tehila e-government system and an opponent of the biometric database.

The plan for a biometric database actually arose in defense circles, but not only Israelis at home are at risk of data leaks. So are Israelis abroad. Shikmoni envisions a scenario in which a terrorist scans crowds in a foreign city, such as central London, on his smartphone, using face recognition software to identify matches to stolen pictures of Israeli faces. Foreign governments could use the data to identify Israeli agents operating in their territory.

The security services presumably wouldn’t let their present secret agents register in the database, but what about today’s youngsters whose future might be in the Mossad? Take the case of the assassination of Hamas military commander Mahmoud Al-Mabhouh on January 19, 2010, in a Dubai hotel room. The Dubai police claim to have security camera footage of Israeli Mossad agents in the hotel.

Last week, the decision was approved that security forces may access the database only with the permission of a district court judge. But Section 7 of the law remains in place, allowing any police officer, for the sake of identifying a person before him or verifying his identity, to ask for permission to compare the biometric information with the information in the database.

Protester clash with police officers during a protest against police brutality toward Ethiopians.
Ilan Assayag

Risk of abuse by the state

Governmental biometric databases do exist in other countries, usually for the purpose of issuing passports; a person can opt out of “handing over” his picture and fingerprint by simply never getting one and not leaving the country. But the Israeli law requires every citizen to have an identity card, from age 16, and to carry it on him and provide it for inspection upon request by the head of the local government, any police officer or soldier on duty. Requiring it to be biometric could lead to constant monitoring of Israeli citizens, impinging on the right to freedom of movement. Matching the database with pictures from security cameras, for instance, can enable the state to know where anybody is at any given time, Shikmoni says.

Proponents of the system point out that our pictures are out there on Facebook, anyway. Schwartz Altshuler points out that Facebook can’t arrest you, but the police can.

Other countries building biometric databases include Pakistan, Iraq and Portugal, where biometric ID cards are mandatory. Other countries that issue biometric ID cards or passports do not make joining the database compulsory. Britain began a pilot project of smart cards based on a scan of the face and retina, but stopped in the face of public protest and in 2010, the government decided not only to cancel the plan but to destroy the database.

MK Yulia Malinovsky (Yisrael Beiteinu) points out that the biometric database can be built, smart cards can be issued and then the database can be destroyed because it isn’t needed any more. “Experts told me that once 80% of the people have these cards, the database won’t be necessary any more,” she says. “I understand the need for smart documentation, but there’s no need to keep the database after five years.”

A worker demonstrates fingerprint payment security on the Samsung Electronics Co. stand at the Mobile World Congress in this arranged photograph Barcelona, Spain, on Wednesday, Feb. 24, 2016. Mobile World Congress, an annual phone-industry event organized by GSMA Ltd., runs from Feb. 22 to Feb. 25. Photographer:
Pau Barrena/Bloomberg

The Biometric Database Management Authority responded that statistics for 2014 for the police and counterterrorism forces show that fraud and forgery constitute a real economic, social and security threat. Criminals can steal your identity and clean out your bank account, even sell your home and car or vote for you. Terrorists can steal identity to gain access.

What is needed is a long-term solution, and the biometric database can help prevent identity theft and all the above, the authority says. Dozens of nations maintain biometric databases of their citizens, the authority adds, including Finland, France, Turkey and 35 of the U.S. states. Israel’s won’t include biographical data, the authority qualified. It adds that the Israeli database is protected by the cybersecurity department.

By the way, establishing the biometric database is a matter of a billion shekels. One huge beneficiary is HP, which received the contract from the state, without tender, though to the year 2025. The state comptroller criticized the contact with HP back in 2011, and lately several Knesset members have been raising eyebrows too. In June 2016, the Israeli company Beeri Printing sued over the process by which HP won the job, and claimed the real reason for the contract was that the Interior Ministry wanted HP to forgive it a 70-million-shekel debt, and that HP wants too much per ID card that it issues. The case is pending.