The HIIDE and SEEK II devices were made to search biometric files stored on government servers. Now, the military database of fingerprints and iris scans is for sale on ebay.
The shoebox-shaped gadget, which can scan irises and take fingerprints, was priced at $149.95 on eBay. Matthias Marx, a German security researcher, successfully bid $68 on the item, and when it was delivered to his Hamburg home in August, it was more than what the listing had indicated.
2,632 people’s names, nationalities, pictures, fingerprints, and iris scans were stored on the device’s memory card.
The majority of the individuals on the database, which The New York Times examined, were from Afghanistan and Iraq. Others appeared to be individuals who had collaborated with the U.S. government or had just been stopped at checkpoints, but many of them were documented terrorists and wanted people. The Secure Electronic Enrollment Kit, or SEEK II, had last been utilized in the summer of 2012 close to Kandahar, Afghanistan, according to metadata on the device.
The device, which is a remnant of the extensive biometric collection system the Pentagon built in the years following the Sept. 11, 2001, attacks, serves as a tangible reminder that even though the United States has ceased its involvement in the wars in Afghanistan and Iraq, the tools used to fight those conflicts and the data they contained continue to be engaged in ways that their designers did not intend.
Uncertainty exists over the precise route taken by the equipment from Asian battlefields to an online auction house. But should the information end up in the wrong hands, the data, which provides extensive descriptions of people in addition to their photograph and biometric information, could be sufficient to target individuals who were previously unknown to have cooperated with U.S. armed troops.
Due to these factors, Mr. Marx refused to publish the data online or make it available electronically, but he did permit a Times reporter from Germany to view it in person alongside him.
“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Brig. Gen. Patrick S. Ryder, the Defense Department’s press secretary, said in a statement. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”
He gave a postal address where the gadgets may be delivered to the manager of the military’s biometrics program at Fort Belvoir in Virginia.
The SEEK II biometric data was obtained at detention facilities, on patrols, during local hire inspections, and following the explosion of an improvised explosive. The American combat effort in Afghanistan was winding down about the time the device was last employed there. Osama bin Laden was assassinated in Pakistan a year before, and his identification was allegedly established using facial recognition technology.
One of military officials’ biggest concerns at the time was a string of shootings in which Afghan soldiers and police turned their weapons on American troops. They thought that the biometric enrollment procedure would aid in the identification of any potential Taliban agents within their own bases.
A 2011 “commander’s guide to biometrics in Afghanistan” described face, fingerprint and iris scans as a “relatively new” but “decisive battlefield capability” that “effectively identifies insurgents, verifies local and third-country nationals accessing our bases and facilities, and links people to events.”
The SEEK II includes a tiny screen, a little physical keyboard, and a mouse pad that is almost laughably small. A hinged plastic lid at the bottom of a fingerprint reader protects it. The equipment opens to allow iris scans and images, much like an old Polaroid camera. Mr. Marx tested the SEEK II on himself; when he turned it off, a message appeared, requesting that he connect to a US Special Operations Command server in order to upload the new “collected biometrics”.
Mr. Marx and a small group of researchers from the Chaos Computer Club, a European hacker organization, purchased six biometric capture devices on eBay during the past year, most for less than 200 euros, with the intention of analyzing them for vulnerabilities or design faults. They were driven by concerns highlighted last year that the Taliban had acquired such gadgets following the United States’ withdrawal from Afghanistan. The researchers sought to know if the Taliban could have obtained biometric data on those who had helped the US through the devices, putting them in jeopardy.
They were astounded to discover so much information that was unencrypted and easily accessible.
“It was disturbing that they didn’t even try to protect the data,” Mr. Marx said, referring to the U.S. military. “They didn’t care about the risk, or they ignored the risk.”
Stewart Baker, a former national security official and Washington lawyer, believes that biometric scanning is a beneficial tool in combat zones, but that the data acquired must be kept in check. He predicted that the data breach would “make a lot of people who helped the U.S. and are still in Afghanistan really uncomfortable.”
“This should not have happened,” Mr. Baker said. “It is a disaster for the people whose data is exposed. In the worst cases, the consequences could be fatal.”
Two of the six gadgets purchased on eBay by the researchers — four SEEKs and two HIIDEs, or Handheld Interagency Identity Detection Equipment — included sensitive data. The second SEEK II seemed to include the fingerprints and iris scans of a small group of US service men, with location metadata indicating it was last used in Jordan in 2013.
When contacted by The Times, an American whose biometric scan was discovered on the device verified that the data was most likely his. He formerly worked as a Marine intelligence expert and stated that his data, as well as the data of any other Americans discovered on these devices, was most likely gathered during a military training program. The man, who requested anonymity because he still works in intelligence and is not authorized to talk publicly, requested that his biometric file be destroyed.
According to military sources, the only explanation these devices would have information on Americans is because they were used during training sessions, which is a normal technique to prepare for using them in the field.
According to the Defense Logistics Agency, which disposes of millions of dollars in excess Pentagon equipment each year, gadgets such as the SEEK II and the HIIDE shouldn’t have made it to the open market, let alone an online auction site like eBay. Instead, all biometric gathering equipment, as well as other electronic devices that historically housed sensitive operational information, are expected to be destroyed on-site when no longer needed by military personnel.
It is unclear how these devices were acquired by eBay merchants. Rhino Trade, a surplus equipment firm in Texas, sold the device with 2,632 profiles. David Mendez, the business’s treasurer, stated that the SEEK II was purchased at a government equipment auction and that the company had no idea a defunct military equipment would contain sensitive information.
“I hope we didn’t do anything wrong,” he said.
Tech-Mart, an eBay vendor in Ohio, provided the SEEK II with information about American troops. Ayman Arafa, the owner of Tech-Mart, refused to reveal how he obtained it or the two other gadgets he sold to the researchers.
According to an eBay spokesperson, it is against corporate policy to list electronic gadgets that include personally identifiable information. “Listings that violate this policy will be removed, and users may face actions up to, and including, a permanent suspension of their account,” the spokesman said.
Memory cards were used to store sensitive information on the devices. This data wouldn’t have been revealed if the cards had been retrieved and destroyed.
“The irresponsible handling of this high-risk technology is unbelievable,” Mr. Marx said. “It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online.”
The HIIDE and SEEK II devices were made to search biometric files stored on government servers, according to The Times’ analysis of online manuals and paperwork for those devices. It may serve to comprehend why these biometric data were still on these devices if you consider that they have the capacity to store thousands of biometric information for usage in settings with spotty internet connectivity.
According to Ella Jakubowska, a policy adviser on biometric data at the privacy advocacy group European Digital Rights, the military needs to notify everyone whose data was compromised.
“It doesn’t matter that it’s from a decade ago,” she said. “One of the key points that we’re always trying to raise about biometric data and why it’s so sensitive is because it can identify you forever.”
Ms. Jakubowska stated that it made no difference if some people on the database had committed crimes or were placed on watchlists. “You are still a human, and it’s a marker of democratic societies that we still treat people, even criminals, with dignity, and with respect for their human rights,” she said.
Mr. Marx notified the Department of Defense and the device’s manufacturer, HID Global, about the unsecured information. In response to a request for comment, HID Global stated that it does not “share details about our customers or specific product implementations.”
“The configuration, management, protection, storage and regularity of deletion of data is the responsibility of the organization using HID-manufactured devices,” the company said.
According to Human Rights Watch researcher Belkis Wille, who has written about the use of biometrics in Afghanistan, those who had contact with the U.S. government and were impacted by the breach have to be offered the chance to leave Afghanistan and request asylum.
“Even a former policeman who is in hiding, who has changed their name, because they don’t want the Taliban to capture them isn’t safe anymore,” she told Bayerischer Rundfunk. “This system means that they really have no way to protect themselves.”
A year-end press conference held at the State Department has confirmed that the US pulled out of Afghanistan to arm Ukraine.
Mr. Marx intended to disclose his results at a hacker convention in Berlin on Tuesday. After the biometric devices have been analyzed, he and his colleagues intend to erase the personally identifiable data.
Support GreatGameIndia
