Over the past two years, the Israeli National Biometric Database Authority has experienced two information security incidents and broke the law by not reporting them to the parliamentary committee in charge of its operations. The state was compelled to reveal this information following a petition to the courts against the biometric database. Another appeal for information, submitted in April to the Israeli parliament, revealed another troubling fact—the committee tasked with overseeing the biometric database has not convened once since 2017.
The biometric database authority declined to reply to Calcalist’s request for comment.
Israel’s biometric database has come under severe criticism from both Israeli information security researchers and human rights and privacy advocacy groups since it was first announced. The petition against the database, currently being debated by the Israeli Supreme Court, was submitted by the Israeli Digital Rights Movement in March 2017.
As part of the proceedings, the judges ordered the state to reveal to the public some of the confidential information it had submitted as part of its answer. The recently released information revealed, among other things, the two aforementioned incidents.
One of the incidents, which occurred in 2017, was operational and is said to have caused no security damage or harm to the privacy of citizens. The event was identified, extensively investigated by a joint team with the Israel National Cyber Directorate, handled, and contained, the state said in its answer.
The second incident, which took place in 2018, was also an operational incident that caused no security or privacy related damages, the state said. The incident was stopped and its repercussions are currently being investigated by the Israeli Population and Immigration Authority and by the biometric database authority, the state said.
According to the biometric database law, the authority is required to report any irregular security event to the parliamentary committee of biometric applications. But according to the reply the parliament provided last month to the query submitted in April, convening the committee “has not been requested by the government,” and the committee, in fact, has not even been established.
The authority’s failure to report the incidents is one of the symptoms of a system that does not give a damn about its citizens, Nir Hirshman, one of the heads of the digital rights movement, said in a statement. The incidents should have come to light due to the work of the parliament and not as throwaway information submitted by the state following a court petition, he said, adding that the situation brings forth many troubling questions regarding the database and the operations of the authority.