Israel’s immigration authorities are illegally storing millions of photos of citizens and foreign nationals, according to a government audit released on Tuesday that raised concerns about the country’s use of mass surveillance.
The cybersecurity report highlighted the challenges regulators face as artificial intelligence-based facial recognition technologies become increasingly sophisticated and undermine existing legal guardrails.
The state comptroller review only examined civilian border control practices rather than those at military checkpoints, which came under scrutiny this month when human rights group Amnesty International said the Israeli army was using facial recognition to restrict travel by Palestinians in the occupied West Bank.
According to a law passed more than a decade ago, the Population and Immigration Authority can retain low-resolution facial images in its databases but must discard any photos with biometric markers that could be used to identify an individual.
However, advances in technology have largely eliminated this distinction, as biometric data can now be gleaned from low-resolution images, according to the state comptroller. Therefore, the practice of saving low-quality facial images is illegal, Ombudsman Matanyahu Englman said in the report.
The Population and Immigration Authority said in a statement it was familiar with the issues raised by the comptroller and would form a committee to review its border control procedures.
Read More: Israel to Probe If Notorious Spyware Used Illicitly at Home
The audit found that the immigration authorities hold millions of low-resolution photos in two non-secure databases, one of Israelis and the other which includes both citizens and foreign nationals who went through passport control. The ombudsman said other government ministries also possess millions of photos of Israelis.
Rachel Aridor-Hershkovitz, a researcher at the Israel Democracy Institute think tank who was given an advance copy of the report, said these databases could be exposed to hackers, presenting a serious privacy risk.
“The moment someone carries out identity theft based on biometric data, it’s very difficult to fight it,” she said.
The practice continues despite a warning by the government office overseeing biometric privacy in 2020 that the domestic databases are illegal and in January 2022 that collecting images drawn from border control also violates privacy laws.
The government report also determined that for nearly seven years, the immigration authorities shared images of Israeli citizens taken at the airport with a different government agency, in another legal violation. That agency, which was not identified, was ordered to destroy photos it received from 2015 until early 2022. It was consulting with officials to keep some photos for security reasons, the audit said.
Englman said the audit also uncovered “real loopholes” in security at Ben Gurion Airport, Israel’s biggest, that were likely being exploited by criminals and members of designated terrorist organizations to enter and leave the country undetected.
Israel’s social security agency is frequently the subject of malicious cyber activity, according to the report. The agency holds information on all Israelis, including health records and employment data, and is responsible for dispensing over $33 billion in government benefits every year.
Israel has encountered a range of digital threats of late, with suspected Iranian hackers shutting down key systems at an Israeli university. A ransomware attack in 2021 shut down the computer systems of a major Israeli hospital, while hackers that year threatened to release sensitive data from an Israeli LGBTQ dating app, highlighting the insecurity of personal information.
--With assistance from Jeff Stone.