Israel’s National Biometric Database Authority Failed to Report Two Security Incidents
The authority failed to report the incidents—which took place in 2017 and 2018—to its overseeing parliamentary committee, a committee that apparently hasn’t convened since 2017
The biometric database authority declined to reply to Calcalist’s request for comment.
Israel’s biometric database has come under severe criticism from both Israeli information security researchers and human rights and privacy advocacy groups since it was first announced. The petition against the database, currently being debated by the Israeli Supreme Court, was submitted by the Israeli Digital Rights Movement in March 2017.
As part of the proceedings, the judges ordered the state to reveal to the public some of the confidential information it had submitted as part of its answer. The recently submitted information revealed, among other things, the two aforementioned incidents.
One of the incidents, which occurred in 2017, was operational and was said to have caused no security damage or harm to the privacy of citizens. The event was identified, extensively investigated by a joint team with the Israel National Cyber Directorate, handled, and contained, the state said in its answer.
The second incident, which took place in 2018, was also an operational incident that caused no security- or privacy-related damage, the state said. The incident was stopped and its repercussions are currently being investigated by the Israeli Population and Immigration Authority and by the biometric database authority, the state said.
According to the biometric database law, the authority is required to report any irregular security event to the parliamentary committee of biometric applications. But according to the reply the parliament provided last month to a query submitted in April, the committee’s convening “has not been requested by the government,” and the committee, in fact, has not even been established.
The authority’s failure to report the incidents is one of the symptoms of a system that does not give a damn about its citizens, Nir Hirshman, one of the heads of the digital rights movement, said in a statement. The incidents should have come to light due to the work of the parliament and not as throwaway information submitted by the state following a court petition, he said, adding that the situation brings forth many troubling questions regarding the database and the operations of the authority.