The SEEK II’s biometric data was collected in detention facilities, on patrols, during screening of local staff, and after the explosion of an improvised bomb. Around the time the device was last used in Afghanistan, the US war effort there was winding down. Osama bin Laden had been killed in Pakistan a year earlier – his identity was reportedly confirmed using facial recognition technology.
One of the main concerns of the military leadership at the time was a spate of shootings, with Afghan soldiers and police officers turning their guns on US troops. They hoped the biometric registration program would help identify possible Taliban agents in their own bases.
A 2011 Commander’s Guide to Biometrics in Afghanistan described face, fingerprint and iris scanning as a “relatively new” but “crucial battlefield capability” that “effectively identifies insurgents, verifies local and third-country nationals, who have access to our bases and facilities, and connects people to events.”
The SEEK II has a tiny screen, a miniature physical keyboard, and an almost comically small mouse pad. A fingerprint reader is protected by a hinged plastic cover on the bottom of the device. Like an old Polaroid camera, the machine can be opened to allow iris scans and photos to be taken. Marx used the SEEK II on himself; when he turned it off, a message popped up asking him to connect to a US Special Operations Command server to upload the newly “collected biometric data.”
Last year, Marx and a small group of researchers from the Chaos Computer Club, a European hacking group, bought six biometric capture devices on eBay, most for less than 200 euros ($315), to analyze them for vulnerabilities or design flaws. They were motivated by concerns, raised after the US evacuation of Afghanistan, that the Taliban had seized such equipment. The group wanted to understand whether the Taliban could have obtained biometric data from the devices on people who had helped the US, putting them at risk.
Finding so much information unencrypted and easily accessible shocked him.
“It was disturbing that they didn’t even try to protect the data,” Marx said, referring to the US military. “They didn’t care about the risk, or they ignored the risk.”
Stewart Baker, a Washington attorney and former national security official, said biometric scanning is a valuable tool in war zones, but the data collected needs to be kept under control. He predicted that the data breach “would make a lot of people who have helped the US and are still in Afghanistan really uncomfortable.”
“This shouldn’t have happened,” Baker said. “It’s a disaster for the people whose data is being exposed. In the worst case, the consequences could be fatal.”
Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs (Handheld Interagency Identity Detection Equipment) — two SEEKs contained sensitive data. The second SEEK II, whose location metadata shows it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of US soldiers.
When reached by the Times, an American whose biometric scan was found on the device confirmed the data was likely his. He previously worked as a naval intelligence specialist and said his data, and that of all other Americans found on those devices, was most likely collected during a military training course. The man, who spoke on condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked for his biometric file to be deleted.
Military officials said the only reason these devices would have data on Americans is for their use during training sessions, a common practice to prepare for deployment in the field.
According to the Defense Logistics Agency, which handles the disposal of millions of dollars of surplus Pentagon material each year, devices like the SEEK II and HIIDE should never have made it onto the open market, let alone an online auction site like eBay. Instead, all such biometric capture devices are to be destroyed once military personnel no longer need them, as are other electronic devices that once contained sensitive operational information.
How eBay sellers got hold of these devices is unclear. The device with the 2632 profiles was sold by Rhino Trade, a surplus equipment company in Texas. The company’s treasurer, David Mendez, said it bought the SEEK II at a government equipment auction, not knowing that a decommissioned military unit would contain sensitive data.
“I hope we didn’t do anything wrong,” he said.
The SEEK II with the information from the American troops came from Tech-Mart, an eBay seller in Ohio. Tech-Mart owner Ayman Arafa declined to say how he acquired it or two other devices he sold to the researchers.
An eBay spokesman said company policy prohibits listing electronic devices that contain personally identifiable information. “Advertisements violating this policy will be removed and users may face action, up to and including permanent account suspension,” the spokesman said.
The sensitive data on the devices was stored on removable memory cards. Had the cards been removed and destroyed before the devices were sold, the data would not have been exposed.
“The irresponsible use of this high-risk technology is incredible,” Marx said. “We find it incomprehensible that the manufacturers and ex-military users don’t care that used devices with sensitive data are peddled online.”
The Times reviewed online manuals and documentation for the HIIDE and SEEK II devices and found that they were designed to search biometric files stored on government servers. However, they can also store thousands of biometric records locally for use in environments with restricted internet access, which may explain why those records were still on the devices.
Ella Jakubowska, policy adviser on biometrics at European Digital Rights, a privacy advocacy group, said the military should notify anyone whose data has been exposed.
“It doesn’t matter that it’s been a decade,” she said. “One of the key points we always want to make about biometrics and why they are so sensitive is that they can identify you forever.”
Jakubowska said it doesn’t matter if some in the database have committed crimes or are on watch lists. “You are still human and it is a hallmark of democratic societies that we still treat people, even criminals, with dignity and with respect for their human rights,” she said.
Marx alerted the Department of Defense about the unprotected data, as well as the device’s manufacturer, HID Global. Asked for comment, HID Global said in a statement that it “did not share any details about our customers or specific product implementations.”
“The configuration, management, protection, storage and regularity of data deletion is the responsibility of the organization using HID-manufactured equipment,” the company said.
Belkis Wille, a researcher at Human Rights Watch who has written about the use of biometrics in Afghanistan, told Bayerischer Rundfunk that people who had worked with the US government and were affected by the breach should be given the opportunity to leave Afghanistan and apply for asylum.
“Even a former police officer who has gone into hiding and changed his name because they don’t want the Taliban to catch him is no longer safe,” she told Bayerischer Rundfunk. “This system means they really have no way of protecting themselves.”
Marx planned to present his findings at an event for hackers in Berlin on Tuesday. After completing the analysis of the biometric devices, he and his research colleagues intend to delete the personal data.
This article originally appeared in The New York Times.
https://www.smh.com.au/world/north-america/us-military-fingerprints-and-iris-database-sells-for-100-on-ebay-20221229-p5c9b5.html?ref=rss&utm_medium=rss&utm_source=rss_world US military fingerprint and iris databases are selling on eBay for $100