Euro Security Watch with Mathew J. Schwartz

Biometrics, COVID-19, Cyberwarfare / Nation-State Attacks

Taliban’s Takeover of Kabul: Biometric Fallout Concerns

Biometric Databases Could Be Used to Identify Individuals Who Assisted NATO Forces
A U.S. soldier uses the Biometric Automated Toolset-Handheld Interagency Identity Detection Equipment system to scan military-aged males' retinas in Paktika Province in 2012. (Photo: U.S. Army, via CC)

Privacy and data protection may sometimes seem to be abstract concepts. But unfortunately, if personal information gets compromised or falls into the wrong hands, the consequences can be catastrophic.

Witness the withdrawal from Afghanistan of the U.S. and its allies. As the last U.S. military flight lifted off Tuesday evening from Kabul airport, what was left behind in the country reportedly included not just biometric-reading devices, but a vast collection of biometric data that could be used to identify individuals who assisted the occupying U.S. forces.

With the Taliban having retaken Kabul, the concern is that it will use the data to track these individuals and then potentially interrogate or execute them. In addition, this biometric data was built on by the now-fallen Afghan government to underpin election registration and work permits. The national identity system the government established included not just biometrics, but also ethnicity data.

As part of an "identity dominance" strategy, the U.S. Department of Defense by 2004 had begun collecting vast quantities of personal and biometric information in Afghanistan and Iraq in an attempt to better track those who it deemed to pose a military threat, Margaret Hu, a professor of law and international affairs at Penn State, writes in a blog post.

"By 2007, U.S. forces were collecting biometric data primarily through mobile devices such as the Biometric Automated Toolset and Handheld Interagency Identity Detection Equipment," she says. "BAT includes a laptop, fingerprint reader, iris scanner and camera. HIIDE is a single small device that incorporates a fingerprint reader, iris scanner and camera. Users of these devices can collect iris and fingerprint scans and facial photos and match them to entries in military databases and biometric watchlists."

The Defense Department aimed to collect biometric data on 80% of all Afghans, though Hu notes it's unclear if it reached that goal.

Threat to Afghans

What threat do Afghans now face? Hu notes that it's unclear if the Taliban has the technical capability to access any left-behind HIIDE data, although it could share databases with Pakistan's Inter-Services Intelligence agency, which likely would have the ability to recover the information.

Hu says lessons must be learned. "The U.S. military should assume that any sensitive data - biometric and biographical data, wiretap data and communications, geolocation data, government records - could potentially fall into enemy hands," she says. "In addition to building robust security to protect against unauthorized access, the Pentagon should use this as an opportunity to question whether it was necessary to collect the biometric data in the first instance."

Data Minimization

Data minimization is a well-known privacy principle. The EU's General Data Protection Regulation, for example, mandates that any business or organization that collects or processes Europeans' personal data must collect only as much as it needs - and is allowed to collect, often by first gaining an individual's consent - and delete the collected data in a timely manner.

By law, any organization that collects Europeans' personal information must also complete a data protection impact assessment to identify and minimize the data protection risks of a project. These impact assessments can be reviewed at any time by privacy watchdogs. And if they're found to be incomplete or in violation of GDPR, that can lead to sanctions.

Privacy by Design

Even in regions with such laws, however, governments do not always abide by them by, for example, prioritizing a "privacy by design" approach.

Last year, 200 of the world's leading scientists and researchers from more than 25 countries warned in a letter that some governments' digital COVID-19 contact-tracing apps were being developed in a manner that could have catastrophic privacy consequences.

"We are concerned that some 'solutions' to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large," they said.

Of special concern were plans by some governments, including Prime Minister Boris Johnson's administration in the U.K., to identify all app users, track their movements and store this information in a centralized database to which multiple government agencies would have access.

"The principle of keeping this to the minimum of what is necessary for clinical use is important," Alan Woodward, a visiting professor of computer science at the University of Surrey, and signatory of the letter, told me last April as debate raged over what was necessary, proportional and safe.

Ultimately, Apple and Google held firm and said they would not allow any developers to build contact-tracing apps that centrally stored information about users, which in the wrong hands could become a de facto surveillance system.

"One of the reasons Apple and Google took their approach is that they wanted to support contact tracing, but didn't want their technology to act as a foundation for apps that could be used to track populations," Woodward said. "Not all governments are benign."

Britain's Belated Contact Tracing U-Turn

In the U.K., facing the prospect of scant adoption, the prime minister subsequently altered course and ordered the government's health department to do whatever it took for the National Health Service app to be able to tap Apple and Google APIs. The resulting app for England and Wales included a number of privacy-preserving features, including decentralized data storage, using obfuscation to hide patterns in network traffic, practicing minimal data collection, and never tracking IP addresses or location, for example, via GPS.

The U.K. National Health Service COVID-19 contact-tracing app for England and Wales (Source: NHS)

The app launched last September, and earlier this year the government reported healthy uptake and said the app was helping contain infections.

But Johnson's administration could have gotten the app into the public's hands earlier if it had prioritized taking a privacy-preserving approach, potentially lessening the country's current COVID-19 death toll, which stands at roughly 156,000 individuals.

In Afghanistan, Britain and beyond, when it comes to collecting personal information - including biometric details - less so often means more.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
