4.5 million citizens’ details insufficiently protected, comptroller says

The report said that the databases are “defined as a database with a high danger” of being misused or hacked.

Example of the biometric idenitity card (photo credit: INTERIOR MINISTRY)
Example of the biometric idenitity card
(photo credit: INTERIOR MINISTRY)
The details of about 4.5 million citizens, including facial pictures, are not sufficiently protected from misuse or outside hacking, the State Comptroller report said on Monday.
The problems highlighted by the comptroller related to the Transportation Ministry database for drivers licenses as well as the private sector database for smart bus cards.
The report said that the databases are “defined as a database with a high danger” of being misused or hacked.
Comptroller Matanyahu Englman said that neither database had sufficient protections for privacy or from outside hackers and that those in charge did not even have comprehensive information with which to assess the protections.
Of the 4.5 million smart bus cards, he noted that it was especially problematic that the identities and facial shots of over a million children were potentially exposed.
Englman recommended that the Transportation Ministry immediately catch up on these issues for the drivers license database and that the state authority for biometric smart cards start to perform oversight of the private sector’s smart bus cards program.
The comptroller was even harsher with the ministry, noting that the Justice Ministry warned it already 14 years ago to address some of the ongoing concerns.
The report also referred to a lack of legislation and of addressing security concerns regarding information held on 55,000 foreign workers and voice prints of 5,500 prisoners.
A separate recommendation in the report with major potential implications was that the government investigate the possibility of consolidating drivers licenses into the smart card program for efficiency purposes.
Next, Englman criticized over 30 government agencies for failing to streamline their employees toward use of smart cards for access to their offices as opposed to old-fashioned and decentralized methods of access.
Interestingly, the report did not look at the security of the state’s biometric database, which has been hacked in the past.
Petitions to the High Court of Justice had even held up that database for years until November 2016 due to security concerns.
There is also an ongoing probe by the state’s Privacy Authority into Elector, a company used by the Likud during the elections, which allegedly accidentally leaked private information of 6.5 million voters online.
The probe has dragged on for months, but does not appear to have been part of the comptroller’s report.
The Interior Ministry responded to the report saying that its own database “is a crucial and professional source of knowledge, which provides more than a decade of experience in the biometric arena, and which is managed and secured with the highest protections for privacy.”
The ministry praised efforts by the comptroller to reduce threats to privacy and redundancies in the databases kept by the Transportation Ministry, the private sector and other authorities.
The Transportation Ministry responded that it follows the regulations and recommendations of the Israel National Cyber Directorate regarding information security, and that it invests efforts to reduce the potential harm to privacy rights.
It added that it is working with the Population, Immigration and Borders Authority to consolidate the databases into one location.
Attorney Yehonatan Klinger of the Movement for Digital Rights responded to the report, saying that it confirmed their worst fears.
For years, Klinger said they had warned that establishing a biometric database would leave personal data unguarded.
Now, he said that even if the national biometric database is secure (and even that is open to question), it is irrelevant because every citizens' information can be grabbed from the drivers license or bus smart card databases. "This situation is like locking the door and then leaving all of the windows wide open."
He added that the Privacy Authority in Israel was established with extremely weak, non-binding powers and is usually excluded from key, decisive meetings.