Labor Party wants to nix Israel's planned biometric database
Bill proposed a day after Haaretz reveals serious security problems with system; pilot program to start in a week.
The Labor Party on Tuesday submitted a bill to do away with the planned biometric database, for fear the classified information to be collected there will be leaked.
The bill was proposed a day after Haaretz revealed serious security problems with the electronic authentication system of the planned biometric identity card. A pilot program of the database initiative was to start in a week.
The bill, initiated by MKs Eitan Cabel and Micky Rosenthal together with party chairman Shelly Yacimovich, states, “Database breaches thus far, such as the breach of the Population Registry database, revealed personal details or sensitive information. The revelation of credit card details recently by a hacker abroad strengthens the claims of the risk posed by such databases.”
They noted that the ramifications of biometric data being misused were serious, “since unlike credit card details, this information cannot be altered.” Such a database raises the risks of identity theft and fingerprint forging that are liable to have irreversible consequences, the lawmakers said.
The program was meant to be launched two years ago, but it suffered lengthy delays due to the need for new legislation, challenges in the High Court of Justice (which the court rejected) and a work dispute between employees of the Population Authority and the treasury, whose resolution three weeks ago removed the last remaining obstacle.
The project is designed to create a computerized database of the fingerprints and facial features of all Israeli citizens, as part of the process of issuing new “smart” identity cards.
During the pilot stage, anyone who comes to renew a passport or amend an ID card will be asked if he wants a biometric document, but this offer can be refused. This phase is expected to last two years with an option to extend it, after which it will be decided whether to make the database permanent.
The Association for Civil Rights in Israel opposes the project, saying it will turn into a police database. The association argues that a biometric database is not necessary to issue smart personal documents and that it severely undermines personal privacy.
Project management documents obtained by Haaretz revealed a series of irregularities uncovered by penetration tests conducted by the Israeli Law Information and Technology Authority (ILITA) and by the intermediate results of the penetration tests carried out by the Comsec security firm.
Comsec revealed that the project's systems are not protected by antivirus software and do not have warning and control systems that can alert managers both when the system is attacked from the outside and when it is accessed by unauthorized employees.
“Without warning systems it is not possible to know whether exceptional operations are being performed in the system, or to investigate them to prevent its misuse in the future,” the document states.
The documents also showed that the system was not designed to allow for manual updating, and that requests for certificates are transferred from the Interior Ministry to obtain digital signatures over an internal network protocol that is not secure.
According to ILITA, “From the perspective of information security experts there is no difference between the level of security required in a ‘closed’ system and in a system ‘open’ to the Internet, since it is known that most hacking is through internal networks/by employees and not from the Internet.” In fact, the leak from the Population Registry in 2006 was the work of a Social Affairs Ministry subcontractor who succeeded in getting his hands on the database.
The Justice Ministry said in response that, “The new system is not in operation yet and the deficiencies pointed out by ILITA as part of its inspection are due to be discussed shortly with the relevant parties as part of a professional discussion on the system’s approach to information security. It should be noted that this discussion has just begun and the documents [leaked] contain preliminary and raw information. The new system, which will be operated for now as a pilot, will be tested throughout the pilot period in accordance with the highest standards in terms of data security.”