The Taliban may have access to the biometric data of civilians who helped the U.S. military

Written by , Ryerson University. Photo credit: AP Photo/Rahmat Gul. Originally published in The Conversation.The Conversation

Taliban fighters stand guard at a checkpoint in Kabul, Afghanistan, on Aug. 18, 2021.

In 2007, the United States military began using a small, handheld device to collect and match the iris, fingerprint and facial scans of over 1.5 million Afghans against a database of biometric data. The device, known as Handheld Interagency Identity Detection Equipment (HIIDE), was initially developed by the U.S. government as a means to locate insurgents and other wanted individuals. Over time, for the sake of efficiency, the system came to include the data of Afghans assisting the U.S. during the war.

Today, HIIDE provides access to a database of biometric and biographic data, including of those who aided coalition forces. Military equipment and devices — including the collected data — are speculated to have been captured by the Taliban, who have taken over Afghanistan.

This development is the latest in many incidents that exemplify why governments and international organizations cannot yet securely collect and use biometric data in conflict zones and in their crisis responses.

Building biometric databases

Biometric data, or simply biometrics, are unique physical or behavioural characteristics that can be used to identify a person. These include facial features, voice patterns, fingerprints or iris features. Often described as the most secure method of verifying an individual’s identity, biometric data are being used by governments and organizations to verify and grant citizens and clients access to personal information, finances and accounts.

According to a 2007 presentation by the U.S. Army’s Biometrics Task Force, HIIDE collected and matched fingerprints, iris images, facial photos and biographical contextual data of persons of interest against an internal database.

In a May 2021 report, anthropologist Nina Toft Djanegara illustrates how the collection and use of biometrics by the U.S. military in Iraq set the precedent for similar efforts in Afghanistan. There, the “U.S. Army Commander’s Guide to Biometrics in Afghanistan” advised officials to “be creative and persistent in their efforts to enrol as many Afghans as possible.” The guide recognized that people may hesitate to provide their personal information and therefore, officials should “frame biometric enrolment as a matter of ‘protecting their people.’”

Inspired by the U.S. biometrics system, the Afghan government began work to establish a national ID card, collecting biometric data from university students, soldiers and passport and driver license applications.

Although it remains uncertain at this time whether the Taliban has captured HIIDE and if it can access the aforementioned biometric information of individuals, the risk to those whose data is stored on the system is high. In 2016 and 2017, the Taliban stopped passenger buses across the country to conduct biometric checks of all passengers to determine whether there were government officials on the bus. These stops sometimes resulted in hostage situations and executions carried out by the Taliban.

Placing people at increased risk

We are familiar with biometric technology through mobile features like Apple’s Touch ID or Samsung’s fingerprint scanner, or by engaging with facial recognition systems while passing through international borders. For many people located in conflict zones or rely on humanitarian aid in the Middle East, Asia and Africa, biometrics are presented as a secure measure for accessing resources and services to fulfil their most basic needs.

In 2002, the United Nations High Commissioner for Refugees (UNHCR) introduced iris-recognition technology during the repatriation of more than 1.5 million Afghan refugees from Pakistan. The technology was used to identify individuals who sought funds “more than once.” If the algorithm matched a new entry to a pre-existing iris record, the claimant was refused aid.

An Afghan internally displaced refugee receives winter necessities from the UNHCR in 2017. Photo credit: AP Photo/Rahmat Gul.

The UNHCR was so confident in the use of biometrics that it altogether decided not to allow disputes from refugees. From March to October 2002, 396,000 false claimants were turned away from receiving aid. However, as communications scholar Mirca Madianou argues, iris recognition has an error rate of two to three per cent, suggesting that roughly 11,800 claimants out of the alleged false claimants were wrongly denied aid.

Additionally, since 2018, the UNHCR has collected biometric data from Rohingya refugees. However, reports recently emerged that the UNHCR shared this data with the government of Bangladesh, who subsequently shared it with the Myanmar government to identify individuals for possible repatriation (all without the Rohingya’s consent). The Rohingya, like the Afghan refugees, were instructed to register their biometrics to receive and access aid in conflict areas.

The UNHCR collects the biometric data of refugees in Uganda.

In 2007, as the U.S. government was introducing HIIDE in Afghanistan, U.S. Marine Corps were walling off Fallujah in Iraq to supposedly deny insurgents freedom of movement. To get into Fallujah, individuals would require a badge, obtained by exchanging their biometric data. After the U.S. retreated from Iraq in 2020, the database remained in place, including all the biometric data of those who worked on bases.

Protecting privacy over time

Registering in a biometric database means trusting not just the current organization requesting the data but any future organization that may come into power or have access to the data. Additionally, the collection and use of biometric data in conflict zones and crisis response present heightened risks for already vulnerable groups.

While collecting biometric data is useful in specific contexts, this must be done carefully. Ensuring the security and privacy of those who could be most at risk and those who are likely to be compromised or made vulnerable is critical. If security and privacy cannot be ensured, then biometric data collection and use should not be deployed in conflict zones and crisis response.