Lebanon will adopt a new biometric passport by the end of July 2016, said General Security chief Major General Abbas Ibrahim in an interview for Lebanese newspaper Assafir less than two weeks ago. While expected, the announcement left unaddressed many key concerns about how this process and the data collected will be handled, particularly with regard to the protection of personally identifiable information (PII).
Given the pervasive lack of trust in the Lebanese government—exacerbated by the gross mismanagement of the passport renewal process earlier this year—it is essential that several sets of questions be asked and answered publicly and transparently before the implementation of biometric passports. We have outlined the questions we think need to be addressed before the program moves forward:
Inkript won the bid that valued $140 million. Inkrypt’s general manager, Jacques Seif, said: “We will handle all the programming and software development in-house.”
Should we trust Inkript to protect our data?
What legal framework and security standards will they use to protect the data?
Who will audit their code for bugs or security holes?
Gemalto, the Dutch/French subcontractor, will be in charge of manufacturing the passports.
Over the last few years, the company was hacked by the NSA and the GCHQ. Gemalto confirmed the attacks.
Has the Lebanese government has publicly acknowledged this breach or proposed countermeasures for how similar attacks might be prevented?
There’s a history of leaking personal data and selling it on the black market in Lebanon. How can we avoid this from happening to our biometric data?
What are the laws and regulations used to protect our data?
Where is the data stored?
Who has access to the data?
How is it protected?
We still lack a data protection law in Lebanon. How can the government make sure that our data is protected in the absence of any protective legal framework?
Any adoption of new technologies must include a thorough review of the risks and rewards vis à vis both national security and personal security, including the protection of personally identifiable information. New laws and regulations must be enacted where necessary. This is an issue that we urge the Lebanese government to take seriously.
In addition to the author, Jessica Dheere, Ghida Frangieh, and Jad Shokor helped in this blogpost