Israel's National Biometric Database Authority may have broken the law by storing data in a private company's data center.
The nation's largest print newspaper, Israel Hayom, reports that a International data center in Tel-Aviv was used as a backup site for the state biometric database, in contravention of rules that stipulate restrictions over who has access to the data. The information includes photos and fingerprints of every Israeli citizen.
All your data
The Biometric Identification Methods and Biometric Identification Data in Identification Documents and Database Act, 5769 – 2009, notes that the database should be stored “in a manner that will ensure protection against leakage or intrusion of information from the repository, as well as from transfer, exposure, deletion, use, modification or copying without lawful authorization.”
It adds that access “shall be done in such a way as to minimize the number of persons authorized as aforesaid, and the scope of the accessible information...
"No person shall be given access to the biometric database under this section and no person shall perform an action that allows access to the biometric database, unless he has undergone a security check as defined in section 15 of the General Security Service Law, 5762 – 2002.”
Hayom claims to be in possession of documents that show that security guards at the Bezeq data center are civilians, and that its security levels are not the same as for the main, government-owned site - although the paper is not suggesting there are any security failings with the Bezeq facility. The colocation data center, used by multiple clients, is built underground to "Tier-III+" levels, the company claims.
“The core activity of the Biometric Database Management Authority is the management and security of the biometric information of residents of the State of Israel," the Ministry of Interior said in a statement (translated by Jewish Press). "The requested information is classified at the highest level, and therefore the ISA does not intend to disclose processes or methods of work relating to the manner in which the biometric information is stored or secured. The Authority is subject to and operates according to the requirements of the law and in accordance with the directives of the authorized bodies set out in the law.”
Hayom's document notes that the government is currently working to transfer the backup site to the state-run CERT data center in Be'er Sheva. However, it is unclear when this will actually happen.
This is not the first time the database has been embroiled in controversy, with a different sub-contractor allegedly working on it illegally back in January. This October, a review said that the fingerprint identification system suffered high rates of failures at the country’s borders.
“The police didn’t prepare appropriately to use the technology, to enforce the law, and there’s a real risk of improper identifications, one of the big risks to a law-abiding democratic country,” Tehilla Altschuler Schwartz of the Israel Democracy Institute said at the time.
“For instance, if someone is arrested and isn’t carrying an ID card, the police could take his fingerprints, run them through the biometric database and get a false match – and thus think they have someone else.”