Legislating Surveillance: Was the biometric act needed?

Written By: Jonathan under Categories: israel, law, State Secrets. It has 1 Comment and it was posted on Dec 4, 2011

0. Abstract.

[This Wednesday I shall lecture at the LiSS working group conference; here is a draft of my lecture.] From 2003 until today, the Israeli Government has been working diligently to legislate the biometric database act and the orders and ordinances under it. However, this biometric database is not the only biometric database in Israel, nor the only database to which government authorities have access. In my brief lecture I shall present a different approach, asking whether this database act was actually required and what the reasons were for choosing a legislative act. In doing so, I will have to ask whether the act of legislation was needed because the social contract was broken, or because it was a megalomaniac act, made in order to block any different approach to databases.

1. Database Laws, Privacy.

Let’s first understand how government databases operate. The Israeli Privacy Protection Act does not differentiate public sector databases from private sector ones; moreover, article 23D grants any person the right to know of such a database, and article 23C grants government bodies the right to request and transfer data from other databases when the action is required by law or by the body’s function. Meaning, had it wished, the Government could have set up a registered database and operated the biometric database under that act; but in that case it could not have mandated that people provide their biometric information.

So what could it do? It could have amended the Census Act. The Israeli Census Act is the act regulating the management of the Israeli Census (which, as we already know, was leaked to the Internet); article 2 lists the fields in the database that are required to be recorded. Amending it to mandate a person’s biometric data could have solved the biometric database problem with a one-line amendment, without requiring massive legislation.

However, the Israeli legislator decided to pass a 30-page act (PDF), which describes the security measures and permitted uses in detail and allowed public debate over it. In order to understand why, let’s understand how other government databases work.

2. Government Databases and legislation.

First, let’s see which databases were legislated and which weren’t. Meir Sheetrit, the biometric database’s entrepreneur, said that “Israel has enough [other] biometric databases”. However, if we inspect his claim, a different perspective emerges: one that asks who is required to provide his information to the database, when, and whether willingly.

Let’s first inspect which databases were legislated under Israeli law: the Israeli Anti-Money Laundering Act; the Israeli Census Act (which actually does not establish a database, but only allows the inquiry of information); the Police DNA Database (the Criminal Procedure Act (Searching a Person’s Body and Taking Identifying Information)); and Criminal Records (the Criminal Record Act).

On the other hand, there are quite a lot of databases containing information as personal and as sensitive as that in the legislated databases, including: the migrant workers’ biometric database; the driver’s license database, which includes photographs and which, according to the Israeli transportation office, does not require legislation in order to be retained (the transportation office provides this biometric information at least to the Ministry of Interior); the unemployed database, which contains fingerprints of the unemployed; and the Bus Authority database, which contains information regarding passengers and their routes.

3. Why do you legislate databases?

We can see that while some databases were legislated because of their sensitive nature (money laundering, for example), there is no actual difference in sensitivity between money laundering information and the biometrics of a migrant worker. We can also say that legislation did not come because of the voluntary nature of the database: a person cannot choose to be unemployed or not to travel by car or bus. None of the non-legislated databases are actually voluntary; they just address specific needs and put the person “agreeing” to provide the information in an inferior position: he is either unemployed, or he wishes to travel to Israel to work, or he wants to drive in Israel or take a bus. These are all daily functions that a person cannot go without.

4. Why Legislation.

Now, let’s turn to the theoretical assumption that the biometric database could have been established without any real or substantial legislation. The government could simply have established a national database by issuing an order under the Passport Act, seeing that most Israelis have a passport, and held the information as “required” in order to issue a passport; or it could have gone the same way the Transportation Office went, and simply required the provision of fingerprints. However, the choice to legislate the database was made. And why?

The reason is the Israeli Privacy Protection Act: not the article requiring willing consent, nor the article mandating that the data subject be informed of his rights, but article 23C. Let’s inspect the text:

“Notwithstanding article 23b, providing the information is permitted, if not prohibited by any legislation or professional ethics – (1) between public bodies, if one of the following exists: (a) providing the information is within the authority or role of the body that provides the data and it is required to exercise a law or a cause within the authority of the data provider or its recipient; (b) the database is provided to a public body that is allowed to demand such information according to law from any other source; (2) from a public body to a government office or another state establishment, or between such offices or bodies, if the provision of information is required to exercise any legislation or for a purpose within the authority or roles of the data provider or its recipient …”

Well, we do need to read this carefully: there could have been a state-wide database without legislation; however, in that case the Police could not have been granted access to the information. And why? Because neither article 23b(a)(i) nor article 23b(a)(ii) allows it: the first alternative requires specific authorization under law to disclose the information, and the second requires that the police be authorized to request the information at source. However, the police are not entitled to coerce a person to give them his biometric information, and the Ministry of Interior [was] not authorized specifically to assist the police.

Therefore, unlike other databases, the mobility of the information and the detachment between the cause for which it was collected and its use brought about the actual need for legislation.

5. Ruling out other factors.

Now, we can inquire whether this was actually the reason, or whether there was a secret hand that required it. The only explanation for why a 30-page bill was passed emerged when alternatives were presented to the government: the rejection of Adi Shamir’s proposal for a non-identifiable database, and the choice to store both a person’s facial photo and fingerprint (where such information is not required to maintain a clean database; see Yoram Oren’s statement: “if the purpose is to reduce a list, then yes”). Meaning, the legislator was presented with at least two alternatives that allow a secure database that prevents double inclusion and does not retain so much sensitive data, but rejected them.

Such rejection may be discussed later in the courts when inquiring into the constitutionality of the act, but that is beside the point. The choice both to legislate and to decide on this architecture was made solely in order to allow surveillance.

6. Summary and Conclusions.

We know that the legislator had other options to legislate a database (or not to legislate it at all), and that it could have allowed the database to be used sooner, without any pilot and even with coercion of the persons involved; but in that case the police and other security authorities could not have obtained access to the database. Therefore, the sole purpose of resorting to legislation is to allow such access, and unless we can rule this out, this is the true purpose of the database.

The Electronic Signature Fail: How privacy is only a monetary issue

Written By: Jonathan under Categories: israel, security, State Secrets. It has 0 Comments and it was posted on Dec 22, 2009

The Government’s wish to issue self-signed electronic signatures on the newly inaugurated biometric cards is more of a monetary mishap than a privacy issue. However, some critics may say that this is more than a failure: it is a way of doing business.

In 2001, Israel legislated an Electronic Signature Act, which allowed authorised bodies to issue digital signatures for encrypting and digitally signing documents, in order to replace their physical counterparts [further reading at the Israel Justice Department website]. To sum up: when you acquire a digital signature, a certificate authority issues the signature, and then validates your identity and warrants that you are who you say you are.

However, due mostly to the regulatory burden created by the state, Israel has only one certificate authority, ComSign. The problem? ComSign is (a) a private company and (b) charges 300 ILS (~75 US$) per signature. The lack of competition led the government to try a new approach: as every biometric ID has to be digitally signed, the government wishes to be both the certificate authority and the relying party that trusts the certificate’s validity. There are two main advantages to this scheme: first, the costs of issuing electronic ID cards are reduced, as there is only a need to pay the issuer of the plastic card; second, the government is certain that the certificate authority will never go out of business.

However, there is one major flaw: when the government issues a person’s private key, it can never (and I mean never) hold a copy of that private key. Exposing this key to anyone who may be able to access it is a major flaw that could facilitate identity theft and other harms. Here comes the need for a certificate authority’s liability. When liability is imposed on a CA, it will exercise the best of care and warrant that no information is misused. Moreover, it has, by itself, no interest in infringing its users’ privacy. Therefore, opening the market to competition and allowing more private CAs is the solution, not giving the government more power.
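The separation the post demands can be shown in code: the card holder generates the key pair, sends the CA only a certificate signing request (public key plus claimed name), and the CA binds the verified identity to that public key without ever seeing the private key, so a relying party can trust the signature while the CA has nothing worth leaking. This is an added example written for this page in Go with the standard library, not the post’s or any Israeli CA’s code; the names, the 24-hour validity and the sample document are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // in this constructed example a failure here is a bug, so panic
	if err != nil {
		panic(err)
	}
	return v
}
func digest(doc []byte) []byte { s := sha256.Sum256(doc); return s[:] } // the hash ECDSA signs over
// Holder is the card holder. The key pair is generated locally and the private key never leaves it.
type Holder struct{ key *ecdsa.PrivateKey }
func NewHolder() *Holder { return &Holder{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} }
// CSR hands the CA only the public key and the claimed name, self-signed as proof of possession.
func (h *Holder) CSR(name string) []byte {
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, h.key))
}
// Sign signs a document with the holder's own key; the CA plays no part.
func (h *Holder) Sign(doc []byte) []byte { return must(ecdsa.SignASN1(rand.Reader, h.key, digest(doc))) }
// NewCA returns a self-signed root key and certificate; the CA holds its own key only.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	return k, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k))))
}
// Issue binds an identity verified out of band (verifiedName) to the CSR's public key after checking proof of possession and the claimed name; no private key reaches the CA.
func Issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte, verifiedName string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil || csr.Subject.CommonName != verifiedName {
		return nil, errors.New("CSR rejected: malformed, bad proof of possession, or name mismatch")
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, caCert, csr.PublicKey, caKey)))
}
// Verify is the relying party: the root's signature on the certificate, then the holder's on the document (all certificates here are ECDSA).
func Verify(root, cert *x509.Certificate, doc, sig []byte) bool {
	return cert.CheckSignatureFrom(root) == nil && ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest(doc), sig)
}
func main() { k, r := NewCA(); h := NewHolder(); c := must(Issue(k, r, h.CSR("Jane Doe"), "Jane Doe")); d := []byte("constructed document"); println(Verify(r, c, d, h.Sign(d))) } // stand-alone run: prints true
```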

However, a minor slip of the tongue by Adi Sagi, from the military’s CA, during last week’s discussion may show that something is not quite right with a self-issuing certificate authority. Sagi stated that the certificate exists “not only on service cards, but also for Keva [additional service, after the mandatory - jk], soldier service cards, smart ID cards for the military’s needs. I want to raise two other points: the first is the trust in the soldiers or loss of cards. Once a soldier loses a smart card or a card is stolen, he has to notify the police and the ministry of interior that the card was stolen. Then you need to operate systems where the certificate is not valid anymore and a new certificate needs to be issued. I don’t know, and I guess that Boaz [Dolev, the head of the computing unit in the government - jk] doesn’t know, any authority that if a certificate is stolen may…” Here Sagi was interrupted, with the statement that he had exceeded his authority.

But it seems that the architecture of privacy was not the government’s main interest here. Issuing seven million ID cards and paying a private entity 300 ILS per card may cost the government more than it is willing to pay for the biometric experiment. Therefore, the government decided, for monetary reasons, to risk the citizens’ privacy and be its own certificate authority.

When explaining it to the committee, I said: “I am afraid of my government. I am afraid of the government in a place where a corrupt social security employee was bribed to pass on private information; I am afraid of a government that cannot investigate the leak of its own census; I am afraid of the government and I am entitled to be, and it is still the government’s duty to protect me. But this is not the discussion. The question is whether a certificate authority could be the entity that verifies the identity and still hold my cryptographic keys.”

Something has to be done here, before it gets too late.