According to a document obtained by Israel Hayom, the National Biometric Database Authority acted contrary to the provisions of the law when it chose, as the backup site for the biometric database, a public server farm in Jaffa. The site is owned and managed by Bezeq International, a private entity not owned by the State, which serves many other customers who hold access privileges to its servers.
Those currently in a position to reach the most personal information of Israeli citizens include Bezeq International's customers, technicians, operations personnel and security operators, none of whom is a state employee or an employee of the National Biometric Database Authority, as the law requires.
The Biometric Identification Methods and Biometric Identification Data in Identification Documents and Database Act, 5769 – 2009 determines that the preservation of biometric data, facial images and fingerprints of every Israeli citizen must take place “in a manner that will ensure protection against leakage or intrusion of information from the repository, as well as from transfer, exposure, deletion, use, modification or copying without lawful authorization.”
The law further states that the determination of access to the biometric database “shall be done in such a way as to minimize the number of persons authorized as aforesaid, and the scope of the accessible information.”
It also states: “No person shall be given access to the biometric database under this section and no person shall perform an action that allows access to the biometric database, unless he has undergone a security check as defined in section 15 of the General Security Service Law, 5762 – 2002.”
Security experts say that the only way for a secondary backup and disaster recovery (DR) site to maintain the same level of security as the main site handling such sensitive information is a secure backup site located inside a state-owned facility, managed and operated entirely by security-cleared civil servants who engage in no other work, holding an encrypted database that is physically disconnected (air-gapped) from any other system to prevent intrusion. Such a requirement actually appears in the Biometric Identification Act.
Remember the old rule about how you can tell when a public official is lying? You focus on his face and if his lips are moving, you know for sure he’s lying. We were reminded of that rule when we read the response Israel Hayom received from the Interior Ministry regarding the apparent violations of the rights of millions of Israeli citizens:
“The core activity of the Biometric Database Management Authority is the management and security of the biometric information of residents of the State of Israel. The requested information is classified at the highest level, and therefore the ISA does not intend to disclose processes or methods of work relating to the manner in which the biometric information is stored or secured. The Authority is subject to and operates according to the requirements of the law and in accordance with the directives of the authorized bodies set out in the law.”
Say what you will about Israeli civil servants, they pack a lot of fertilizer into one paragraph…