Biometric Database Plan to Undergo Further Review

An article in the JPost reports that the Interior Ministry agreed to review its plan for a pilot biometric database to investigate some of the security concerns it has raised.


According to the article, Israel is the second democratic country (Spain being the first) to create a biometric database of its citizens. However, India, is also in the middle of collecting biometric data including iris scans, facial images, and fingerprints from its 1.2 billion citizens, although there are concerns about privacy there as well. (See the articles from the Economist, and NY Times.)  Morpho, a company involved in the Indian data collection process is also providing Israel's airports with security equipment and its explosive detection system is being used by the Prime Minister's Office. In France, the constitutional court ruled earlier this year that a law proposing a centralized national database containing biometric data was unconstitutional.


Relatedly, the Israeli Law, Information and Technology Authority (Israel’s data protection authority, “ILITA”), has issued a draft directive, regarding its stance on the Protection of Privacy Law, limiting the collection of people's teudat zehut or national identity numbers unless. Teudat zehut numbers should only be collected after the database owner whether such collection is necessary and for how long the data is required. Part of that examination entails considering whether there is a less intrusive means for identifying the data subjects. That means that when you register to join a store's customer list, they should not ask for your national ID number, instead they should provide registrants with a unique customer ID number. 

For some scholarly papers on the vulnerabilities of biometric database systems and their solutions see here, here, here and here. There is also a book published by the American Bar Association entitled The Practitioner's Guide to Biometrics, but it is basically a collection of papers on some of the problems with biometrics. I don't think it's worth the price.


One fear of biometric fingerprints is that a user can be forced to place his finger on the scanner or his finger can even be detached from his hand by malfeasants and used to gain access to sensitive information. According to one article, a German company has come up with a way to defeat the second scenario by imaging the change in skin color that occurs when a live finger is pressed against the scanner. But then there is always the problem illustrated by this (poor quality) clip from the movie National Treasure.

New Draft Regulations for the Protection of Databases

Trade Secret Theft, Corporate Espionage or anything else you want to call it has been getting a lot of press recently. (See here and here.) C. Frank Figliuzzi, the head of the U.S. Federal Bureau of Investigation’s counterintelligence division, testified that based on the FBI data, "economic espionage losses to the American economy total more than $13 billion." See article here. The Center for Responsible Enterprise and Trade (CREATE) recently issued a white paper detailing some of the problems and possible solutions to trade secret theft.

There are a number of weak links in corporations that allow bad actors to steal company secrets: unencrypted networks and databases, hack attacks, and theft of data by employees or contractors. Some companies refuse to completely outsource operations due to the threat of data theft by companies located in the home country of the outsourced plant, so they are choosing captive sourcing instead. In captive sourcing the parent company builds and operates the plant in another jurisdiction but they are still subject to threat of competitors hiring their employees away and with them, valuable trade secrets. Many countries do not have robust legislation making trade secret theft illegal, giving companies little recourse after being victimized. CREATE has a number of suggestions for companies to help prevent trade secret theft. They suggest that companies:

1. Conduct a strategic assessment of the company's trade secrets.
2. Undertake appropriate pre-contractual due diligence.
3. Employ strong contractual protections.
4. Utilize appropriate operational and security measures.
5. Take appropriate action after a business relationship has ended.

Some of the specific suggestions include clearly identifying in contracts what information the company deems confidential and requiring the counterparty to restrict, monitor, and record employee access to sensitive information, and specifying that the company has a right to audit the counterparty to measure compliance. Also, depending on the country it may be important to have a forum selection clause identifying a friendly forum for any IP or trade secret disputes. Because some countries do not recognize the concept of a third-party beneficiary, companies should also consider entering into confidentiality agreements with key employees of the counterparty. If subcontractors will be used, the company might want to retain approval rights and ensure that any confidentiality agreements flow down to the subcontractor and any violation is the responsibility of the contractor. Other security measures such as monitored physical access to confidential data, encrypted or expiring files, separate computer systems for sensitive information, keeping certain systems disconnected from the internet, and instituting computer use policies to allow the monitoring of data transmissions.


It is interesting to note that in its second version of draft regulations regarding the protection of privacy, ILITA, the Israeli Law, Information and Technology Authority (Israel’s data protection authority) recommended many of the same security measures regarding the protection of sensitive information stored in databases. If formally implemented, the regulations will require companies to:

1. institute a data security protocol that describes the database structure, access privileges, security measures, provisions for periodic audits and what access privileges subcontractors have been granted.
2. ensure that its systems are kept in a secure location which prevents access for unauthorized users; Owners of medium and high security databases must document all entries and departures from database system facilities as well as all equipment that is taken into or out of those sites;
3. conduct a security audit at least once every two years to certify compliance;
4. tightly control Employee access to data and passwords must be changed immediately upon termination of an employee;
5. conduct periodic training sessions for employees, commensurate with the scope of their duties, on database settings, security procedures, and the data security provisions under the law;
6. implement a mechanism for automatic documentation that will enable inspection of all login attempts to the system including: username, date and time, scope of access, and components accessed, to be kept for 24 months;
7. implement automatic documentation of events that raise suspicions of data breaches or unauthorized access;
8. report serious security events to the Registrar of Databases as well as any steps taken in remediation;
9. implement security measures that take into account the special vulnerabilities of mobile devices;
10. disconnect the database system from the Internet or other public network unless appropriate measures are taken to protect against unauthorized intrusion or malware that can cause damage or disruption to the system;
11. encrypt the transfer of information over a wireless network, public network or the Internet using conventional encryption methods;
12. segregate systems that access the database from other systems used by the database owner;
13. explicitly list in a contract with the subcontractor:

a. The data and systems that the subcontractor may access and for what purpose;

b. The types of activities the subcontractor may perform on the data;

c. The term of the relationship with the subcontractor and the subcontractor’s requirement to return and destroy any data upon termination;

d. The subcontractor’s data security obligations under these Regulations;

e. That the subcontractor’s employees must sign non-disclosure agreements to protect the security of the data;

f. The subcontractor’s obligation to include all of the relevant provisions of the Regulations in any contract with any subcontractor of his;

g. The subcontractor’s obligation to report to the database owner, at least once a year, of his execution of his obligations under these Regulations and to inform the owner of any data security event.