Breaches of Israel's Biometric Database Kept Secret Until Watchdog Happened Upon Reports

Government is invoking security grounds to keep details of two breaches - in 2017 and 2018 - from the public eye, while Population Authority says oversight bodies were informed

Passport control at Ben-Gurion airport using biometric identification.
Haaretz

The government recently admitted that the Population Authority’s biometric database at the Interior Ministry was breached twice in the last two years, in 2017 and 2018. The incidents had not been reported to the Knesset at the time and the public was not informed.

The details regarding the two occurrences and their degree of severity are still not known. At this point, the only information the Interior Ministry’s Biometric Database Management Authority has agreed to disclose is that the incidents have been responded to and are still being dealt with by experts.

At least one of the incidents is still under investigation, and it appears that the authorities are unaware of its severity and the extent of the possible harm it caused to Israeli citizens. It is also not clear whether the breaches were one-time events or extended over a period of time.

In response, the Population Authority stated: “These are two operational incidents that occurred in 2017 and 2018 and were reported immediately to the oversight bodies. The handling of the incidents was done in coordination with them. The rest of the details are classified and were reported to the High Court of Justice behind closed doors. The court proposed releasing the little that can be disclosed to the petitioners – the years during which the incidents occurred.”

The Population Authority has attempted to downplay the severity of the incidents, but it has also refused to provide details about what occurred. The worst-case scenario is that information from the biometric database was exposed to individuals on the outside.

In a prior incident, 13 years ago, a contractor working for the Interior Ministry copied the entire population registry, which included details of all Israelis – both dead and alive – and provided the information to someone who sold it. The information later surfaced on the internet.

Scenarios involving security mishaps were also presented to the High Court of Justice in the petition on the matter, which was filed by the Israeli Digital Rights Movement, challenging the creation of the biometric database.

The database currently contains personal details on 3.5 million Israelis. The program has issued 2.1 million biometric identity cards and 2.7 million biometric passports.

The Biometric Database Law from 2017 explicitly requires the head of the Biometric Database Authority to report annually on exceptional events related to the database itself, but it does not impose a requirement to report on incidents related to the information held by the Population Authority. By law, the reports must be provided to four entities: the interior minister, the head of biometrics at the Prime Minister’s Office, the database registrar at the Justice Ministry and the Knesset’s Joint Committee on Biometric Identification.

The Digital Rights Movement claims the database is unnecessary and says the real reasons for its implementation were concealed from the committee that approved it.

In February, the High Court ordered the government to give the petitioners documents relating to the establishment of the database that were not made public during the legislative process. The government said the information was classified and sensitive, but after the court justices reviewed the material, they ordered a portion of the documents released to the petitioners.

Breaches discovered by chance

As part of their examination of the documents, the representatives of the Digital Rights Movement discovered the two security breaches. As a result, they submitted a Freedom of Information request to the joint Knesset committee established to oversee the database. The organization said it was shocked to discover that the joint committee never received a report on the incidents, and that the committee has not met since 2017.

The government’s response to the High Court petition also related to the security incidents: “These are operational incidents that do not relate to the security of the database itself or concern over a leak of information from it.” The government included a professional opinion from the head of the Israel National Cyber Directorate, Yigal Unna, who said cybersecurity for the database is at a very high level and meets national and international standards.

As to the incident in 2017, the government reiterated that it was only an operational issue, which has no implications for the general public. As for the incident in 2018, the state wrote that it was an operational incident that caused no damage.

But the document also raises questions. The details are unclear and they seem to indicate a more significant and extensive incident: “The event was stopped, addressed and its implications are being investigated by the Population Authority and the Database Management Authority. The head of the Database Management Authority gave his instructions to investigate the incident and the examination and its conclusions are expected within three months.”

The state said it found that at this stage the incident had no major implications for the biometric project and solutions would be found later to contain the problem. This implies that at least for now, its implications are far from over.