· 4 min read

Biometric Devices Sold on eBay Contained US Military Data

Francis Tuffy
Francis Tuffy · Editor
Biometric Devices Sold on eBay Contained US Military Data

German researchers who purchased biometric capture devices on eBay have reported that they discovered sensitive US military data stored on their memory cards.

The data reportedly included fingerprints, iris scans, photographs, names and descriptions of people, mostly from Afghanistan and Iraq – many of whom worked with the US army.

The researchers, who are the Chaos Computer Club (CCC), which had previously made a name for itself exposing security flaws with other systems and devices, explained that the US military used biometric devices to capture people’s data in Afghanistan. The biometric devices were used to identify individuals, and ‘on used US military equipment, we discovered, among other things, an unprotected biometrics database containing names, fingerprints, iris scans, and photographs of more than 2,600 Afghans and Iraqis,’ the researchers noted.

‘Allegedly, access to the biometrics database should not be possible without further technology, but our research shows that all data on the mobile biometric devices is completely unprotected. We were able to read, copy and analyse them without any difficulty,’ said CCC.

The researchers acquired a total of four Secure Electronic Enrolment Kits and two units of Handheld Interagency Identity Detection Equipment at the online auction house.

The devices were examined forensically, and the researchers found that ‘all storage media were unencrypted. A well- documented standard password was the only thing needed to gain access. Also, the database was a standard database with standard data formats’. It was fully exported with little effort.

The devices CCC acquired ‘contained names and biometric data of two US military personnel, GPS coordinates of past deployment locations, and a massive biometrics database with names, fingerprints, iris scans and photos’.

Taliban

Could this possibly be linked to the disturbing reports that are emerging that the Taliban have possibly accessed biometric data collected by the US to track Afghans, including people who worked for US and coalition forces.

Afghans who once supported the US have been attempting to hide or destroy physical and digital evidence of their identities. Many Afghans fear that the identity documents and databases storing personally identifiable data could be transformed into death warrants in the hands of the Taliban. Furthermore, a March 2022 report from Human Rights Watch 1 indicated the Taliban have been collecting biometric data to potentially match against captured US and Afghan government databases.

This possible data breach underscores that data protection in zones of conflict, especially biometric data and databases that connect online activity to physical documents and locations, can be a matter of life and death.

By 2004, thousands of US military personnel had been trained to collect biometric data to support the wars in Afghanistan and Iraq. By 2007, US forces were collecting biometric data primarily through mobile devices such as the Biometric Automated Toolset (BAT) and Handheld Interagency Identity Detection Equipment (HIIDE) 2.

BAT includes a laptop, fingerprint reader, iris scanner, and camera. HIIDE is a single small device that incorporates a fingerprint reader, iris scanner, and camera. Users of these devices can collect iris and fingerprint scans and facial photos, and match them to entries in military databases and biometric watchlists.

In addition to biometric data, the system includes biographic and contextual data such as criminal and terrorist watchlist records, enabling users to determine if an individual is flagged in the system as a suspect. Intelligence analysts can also use the system to monitor people’s movements and activities by tracking biometric data recorded by troops in the field.

Over the years, to support military objectives, the US Department of Defense aimed to create a biometric database on 80% of the Afghan population, approximately 32 million people at today’s population level. It is unclear how close the military came to this goal.

Digging up the road twice

With all of the personally identifiable data of the Afghan people that has been collected, it seems odd that many Afghans still lack national ID cards. Local officials in the Farah province of west Afghanistan have claimed that at least 70% of the residents of Farahrud district have no national ID card.

At least 14,000 people hold identity cards in Farahrud while the remaining 70,000 are yet to get the national document, according to the National Statistics and Information Authority in Farah. Residents of the district said that some of them are 40 years’ old but still don’t have any recognisable identity documentation.

Recently, the media reported that many Afghans are angry about the delay in the issuance of electronic ID cards, saying that printing and issuing of ID cards from Kabul had already stopped. The applicants added that they are unable to register their names online due to technical issues with the Department for Statistics and Information’s website.

Realising that data for counter-insurgence activities in conflict zones is not the same as for civil registration, it still seems a bit like digging up the road to lay sewers and then digging it up again to lay water pipes.


1 - www.hrw.org/news/2022/03/30/new-evidence-biometric-data-systems-imperil-afghans 

2 - www.nist.gov/system/files/documents/2021/03/23/ansi-nist_archived_vermury-bat-hiide.pdf 

Subscriber content

Read the full article

Full access to ID & Secure Document News articles, newsletters and archives.

Sign Up to ID & Secure Document News Weekly

Receive regular updates on the latest news and articles posted on our website.

Verity

Verity

AI search assistant

Ask me anything from the ID & Secure Document News archives.

free questions remaining