The Taliban Reportedly Have Control of US Biometric Devices – a Lesson in Life-and-Death Consequences of Data Privacy

metamorworks/istockphoto.com

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Margaret Hu By Margaret Hu,
Professor of Law and of International Affairs, Penn State,
The Conversation

By Margaret Hu,
The Conversation

|

The Defense Department viewed “identity dominance” as the cornerstone of multiple counterterrorism strategies.

In the wake of the Taliban’s takeover of Kabul and the ouster of the Afghan national government, alarming reports indicate that the insurgents could potentially access biometric data collected by the U.S. to track Afghans, including people who worked for U.S. and coalition forces.

Afghans who once supported the U.S. have been attempting to hide or destroy physical and digital evidence of their identities. Many Afghans fear that the identity documents and databases storing personally identifiable data could be transformed into death warrants in the hands of the Taliban.

This potential data breach underscores that data protection in zones of conflict, especially biometric data and databases that connect online activity to physical locations, can be a matter of life and death. My research and the work of journalists and privacy advocates who study biometric cybersurveillance anticipated these data privacy and security risks.

Biometric-driven warfare

Investigative journalist Annie Jacobson documented the birth of biometric-driven warfare in Afghanistan following the terrorist attacks on Sept. 11, 2001, in her book “First Platoon.” The Department of Defense quickly viewed biometric data and what it called “identity dominance” as the cornerstone of multiple counterterrorism and counterinsurgency strategies. Identity dominance means being able to keep track of people the military considers a potential threat regardless of aliases, and ultimately denying organizations the ability to use anonymity to hide their activities.

By 2004, thousands of U.S. military personnel had been trained to collect biometric data to support the wars in Afghanistan and Iraq. By 2007, U.S. forces were collecting biometric data primarily through mobile devices such as the Biometric Automated Toolset (BAT) and Handheld Interagency Identity Detection Equipment (HIIDE). BAT includes a laptop, fingerprint reader, iris scanner and camera. HIIDE is a single small device that incorporates a fingerprint reader, iris scanner and camera. Users of these devices can collect iris and fingerprint scans and facial photos, and match them to entries in military databases and biometric watchlists.

In addition to biometric data, the system includes biographic and contextual data such as criminal and terrorist watchlist records, enabling users to determine if an individual is flagged in the system as a suspect. Intelligence analysts can also use the system to monitor people’s movements and activities by tracking biometric data recorded by troops in the field.

By 2011, a decade after 9/11, the Department of Defense maintained approximately 4.8 million biometric records of people in Afghanistan and Iraq, with about 630,000 of the records collected using HIIDE devices. Also by that time, the U.S. Army and its military partners in the Afghan government were using biometric-enabled intelligence or biometric cyberintelligence on the battlefield to identify and track insurgents.

In 2013, the U.S. Army and Marine Corps used the Biometric Enrollment and Screening Device, which enrolled the iris scans, fingerprints and digital face photos of “persons of interest” in Afghanistan. That device was replaced by the Identity Dominance System-Marine Corps in 2017, which uses a laptop with biometric data collection sensors, known as the Secure Electronic Enrollment Kit.

Over the years, to support these military objectives, the Department of Defense aimed to create a biometric database on 80% of the Afghan population, approximately 32 million people at today’s population level. It is unclear how close the military came to this goal.

More data equals more people at risk

In addition to the use of biometric data by the U.S. and Afghan military for security purposes, the Department of Defense and the Afghan government eventually adopted the technologies for a range of day-to-day governmental uses. These included evidence for criminal prosecution, clearing Afghan workers for employment and election security.

In addition, the Afghan National ID system and voter registration databases contained sensitive data, including ethnicity data. The Afghan ID, the e-Tazkira, is an electronic identification document that includes biometric data, which increases the privacy risks posed by Taliban access to the National ID system.

It’s too soon after the Taliban’s return to power to know whether and to what extent the Taliban will be able to commandeer the biometric data once held by the U.S. military. One report suggested that the Taliban may not be able to access the biometric data collected through HIIDE because they lack the technical capacity to do so. However, it’s possible the Taliban could turn to longtime ally Inter-Services Intelligence, Pakistan’s intelligence agency, for help getting at the data. Like many national intelligence services, ISI likely has the necessary technology.

Another report indicated that the Taliban have already started to deploy a “biometrics machine” to conduct “house-to-house inspections” to identify former Afghan officials and security forces. This is consistent with prior Afghan news reports that described the Taliban subjecting bus passengers to biometric screening and using biometric data to target Afghan security forces for kidnapping and assassination.

Concerns about collecting biometric data

For years following 9/11, researchers, activists and policymakers raised concerns that the mass collection, storage and analysis of sensitive biometric data posed dangers to privacy rights and human rights. Reports of the Taliban potentially accessing U.S. biometric data stored by the military show that those concerns were not unfounded. They reveal potential cybersecurity vulnerabilities in the U.S. military’s biometric systems. In particular, the situation raises questions about the security of the mobile biometric data collection devices used in Afghanistan.

The data privacy and cybersecurity concerns surrounding Taliban access to U.S. and former Afghan government databases are a warning for the future. In building biometric-driven warfare technologies and protocols, it appears that the U.S. Department of Defense assumed the Afghan government would have the minimum level of stability needed to protect the data.

The U.S. military should assume that any sensitive data – biometric and biographical data, wiretap data and communications, geolocation data, government records – could potentially fall into enemy hands. In addition to building robust security to protect against unauthorized access, the Pentagon should use this as an opportunity to question whether it was necessary to collect the biometric data in the first instance.

Understanding the unintended consequences of the U.S. experiment in biometric-driven warfare and biometric cyberintelligence is critically important for determining whether and how the military should collect biometric information. In the case of Afghanistan, the biometric data that the U.S. military and the Afghan government had been using to track the Taliban could one day soon – if it’s not already – be used by the Taliban to track Afghans who supported the U.S.

Margaret Hu is a professor of law and of international affairs at Penn State.

The ConversationThis article is republished from The Conversation under a Creative Commons license. Read the original article.

NEXT STORY: The Future of Work Is Flexible

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.