The latest lesson on biometric data privacy could cost people’s lives
Two United States government documents about the use of biometric identification in occupied Afghanistan lack any mention of data security on the ground.
One document, the U.S. Army’s “Commander’s Guide to Biometrics in Afghanistan” is an upbeat, 99-page lesson published in 2011 on deploying identification systems in a developing economy suffering decades of superpower warfare.
The other is from the FBI. Also published in 2011, “Mission Afghanistan: Biometrics,” and also takes a chipper tone describing the law enforcement agency’s challenging but ultimately rewarding effort to help Afghans help themselves through biometric identification.
Neither document discusses securing the data collected from Afghans and the occasional non-Afghan. Both talk about the hardware and software being used to harvest information in the field, build databases and upload the data.
The tools are described as secure and the servers holding the data are described as secure, but there is no discussion about the need to make sure the fractal-like tribal militias – or anyone else – do not get access to the biometric data.
The U.S. began scanning biometrics in 2007, and it was only in 2021 that observers outside the government began raising questions about the security of the information.
That was when privacy and human rights advocates pointed out that with the U.S. gone from the country, the Taliban could use biometrics collection kits to punish Afghan citizens who welcomed and worked with foreign armies and non-governmental organizations.
In fact, there is no way to be sure that handheld systems were not dropped in chaotic situations or abandoned at any point since 2007. Based on the government insider documents, no one operating an iris, face or fingerprint scanner was instructed on minimizing that kind of risk.
MIT Technology Review, a Massachusetts Institute of Technology news publication, in August 2021 wrote at length about breadth of data that the devices, known as Hiides, could hold and, therefore, divulge. Hiides stands for Handheld Interagency Identity Detection Equipment.
It was thought unlikely that the Taliban, which show every sign of bringing back its glory days of summary executions, amputations and strict moral policing, could get data out of a device if they could find one.
Yet The New York Times is reporting on people in the West buying Secure Electronic Enrollment Kits (SEEK IIs) used in Afghanistan on eBay. One of the SEEK IIs held dense personal data records, including iris, finger and face biometrics, on Afghans. It sold for $68.
It is not known how many SEEK IIs or Hiides remain in Afghanistan, where they are and how they can be retrieved. Allies in a U.S.-led war have to live with the threat that they can be identified by a vengeful Taliban.