Israel's secret biometric database revealed
The database was created without planning by Israel’s Population and Immigration Authority, which wants to legalize it, without the restrictions regulating the country’s official database
Omer Kabir | 10:39 17.07.2021
We all make mistakes at work. It's natural. We sometimes do not understand enough about what we are doing, sometimes unexpected external factors surprise us, and sometimes the best intentions go wrong. Israel’s Population and Immigration Authority made just such a work error: it unintentionally created a secret biometric database that operates alongside the official biometric database and includes face images of most Israeli citizens. However, now that this oversight has been exposed, the governmental office is not apologizing for its mistake or working to correct it. Rather, it seeks to legalize it and create a second large-scale biometric database, with significantly fewer protections than those of the official database.
After unintentionally establishing an illegal biometric database of facial images and being exposed, the authority now seeks to retroactively legitimize the existence of this database. Photo: Shutterstock
The existence of the secret database was revealed in a report from the Executive Director of the Identity and Biometric Applications Unit in the Israel National Cyber Directorate, which was sent in June to the Minister of the Interior, Ayelet Shaked, and was obtained by Calcalist. Alongside the secret database, the report reveals a number of significant shortcomings in the activities of the biometric database and the Smart IDs project. These range from a dispute between the office of the commissioner and the biometric authority that prevents supervision of the database, to a lack of coordination between the various authorities, which prevents the project from reaching its goal: countering identity theft.
"In the past 12 years, the government has built walls of a transparent prison around us. A biometric database, phone triangulation, driver's license database, Ein HaNatz (License Plate Recognition system), and now also the Population Authority’s database," said Nir Hirshman of the Digital Rights Movement. “We all saw how easy it is to degenerate into a dictatorship. Part of the change required by the new government is to steer the wheel in this context as well and put us back on a liberal democratic path. Enough with surveillance, enough with the destruction of privacy. If there is a database that has been created unlawfully, it should be deleted immediately and those responsible for its creation should be prosecuted. Any such database is a potentially dirty bomb, which could leak into the hands of hostile elements, or be used by the enemies of democracy."
The biggest issue arising from the report is that, without any intention at all, the Population Authority has created another biometric database of facial images, without all the limitations and protections of the official biometric database. How did it happen? The law allows the Population Authority to keep on its computers low-quality face images taken for the official database, for the purpose of "visual presentation". Such an image is defined by law as one that allows visual identification of its subject, but from which the biometric data that can be extracted is not sufficient for computerized identity verification. And that's really what the authority did.
But then, something that should have been anticipated happened: technological development. "In recent years there has been significant progress in facial recognition algorithms, which are now much more advanced compared to the technological capabilities that existed at the time the law was drafted," the report reads. "A test conducted by the Executive Director's unit, using up-to-date algorithms, indicated that the accuracy ratio of comparison of low-quality images is similar to the accuracy rate of the original images. The lower-quality facial images stored in the Population Authority's systems constitute a “biometric means of identification” and a biometric database for all intents and purposes. The current situation, in which the Population Authority does not meet the requirements of the law, is unreasonable, especially considering the long period of time."
You might expect the authority to take responsibility for the situation and work to remedy it, but no. "This issue has many practical and operational implications that will affect the authority’s ability to fulfill its purpose, will impact its day-to-day work, will have a direct impact on the service to the citizens and its capabilities to execute its responsibilities within its role," the Population Authority responded.
"The authority's position is that legislative changes must be made to allow it to continue to hold on to photos. The Population Authority will initiate legislative changes when a government is formed."
This means that after unintentionally establishing an illegal biometric database of facial images and being exposed, the authority now seeks to retroactively legitimize the existence of this database. However, unlike the official biometric database, this one has no protections such as separating biometric information from identifying information, complete isolation from outside networks, and stringent access restrictions.