By capturing 40 pieces of data per person—from iris scans and family connections to their favorite fruits—a system designed to reduce fraud by Afghan security forces may actually help the Taliban.

When the Taliban swept Afghanistan in mid-August and declared the end of the 20-year war, it was soon reported that they had also captured US military biometric equipment used to collect data such as iris scans, fingerprints, and facial images. Some people worry that these machines, known as HIIDE, may be used to help identify Afghans supporting the coalition forces.

However, according to experts at MIT Technology Review, these devices actually only provide limited access to biometric data, which is stored remotely on secure servers. But our report shows that Afghan government databases containing sensitive personal information pose a greater threat, and this information can be used to identify millions of people across the country. 

"MIT Technology Review" interviewed two people familiar with one of the systems, which is a US-funded database called APPS, the Afghan Personnel and Salary System. Both the Afghan Ministry of Interior and Defense use it to pay for the national army and police. It can be said to be the most sensitive system of its kind in the country, and it can gain insight into the extreme details of security personnel and their expanded networks. We grant anonymity to sources to protect them from potential retaliation. 

The only hope for many who have been taken over by the Taliban is the response of chaotic and sometimes adventurous online volunteers.

According to estimates by people familiar with the plan, APPS started in 2016 to reduce salary fraud involving false identities or “ghost soldiers”. It contains approximately 500,000 records of each member of the Afghan National Army and the Afghan National Police. A person working on the system said that the data was collected "from the day they were enlisted" and will remain in the system forever, regardless of whether anyone continues to actively serve. He added that records can be updated, but he is not aware of any deletion or data retention policies-even in emergency situations, such as a Taliban takeover.

The NATO Afghanistan Joint Security Training Command’s presentation on the police recruitment process indicated that 36 data points were collected in just one application form. Our source stated that each profile in APPS contains at least 40 data fields. 

This includes obvious personal information, such as name, date and place of birth, and a unique ID number that associates each personal profile with biometric data held by the Ministry of Interior of Afghanistan. 

But it also contains detailed information about the individual’s military profession and career trajectory, as well as sensitive relationship data, such as the names of their father, uncle, and grandfather, as well as the names of the two tribal elders who each recruit serves as a guarantor for them. Enlisted. Ranjit Singh, a postdoctoral scholar at Data & Society, a non-profit research organization that studies data infrastructure and public policy, said this has turned the original simple digital catalog into something more dangerous. He called it the "pedigree" of "community connections", "putting all these people at risk."

This information also has important military value—both to the Americans who helped build it or to the Taliban, both are "looking for a network of rival supporters", reporter and author of "First Row: Stories" Annie Jacobson talks about modern warfare in the age of identity advantage.  

But not all data has such a clear purpose. For example, the police ID application form seems to require the recruits’ favorite fruits and vegetables. The Office of the Secretary of Defense forwarded questions about this information to the U.S. Central Command, which did not respond to requests for comment on how they should handle such data.

"If they look at the database and start printing the list... and are now headhunting former military personnel, I wouldn't be surprised."

Although asking about fruits and vegetables on the police recruitment form may feel inappropriate, it indicates the scope of the information collected, and Singh said, pointing out two important questions: What data is legal to collect for national purposes , And is the balance between pros and cons appropriate?

In Afghanistan, data privacy laws were not enacted or promulgated until several years after the US military and its contractors began capturing biometric information, and these questions have never received clear answers. 

The resulting record is very comprehensive.

"Give me an area that you think we will not collect, and I will tell you that you are wrong," said one of the relevant personnel.

Then he corrected himself: "I don't think we have a mother's name. Some people don't like to share their mother's name in our culture."

The Taliban have publicly stated that they will not retaliate against Afghans who have cooperated with the previous government or coalition forces. But their behavior-whether from history or since they were taken over-is not reassuring. 

On August 24, the United Nations High Commissioner for Human Rights stated at the G7 special meeting that her office had received a credible report on the "summary execution of civilians and combatants of the Afghan National Security Forces." 

"If they look at the database and start printing lists based on this, I won't be surprised... They are now headhunting former military personnel," a person familiar with the database told us.  

An Amnesty International investigation found that after the Taliban occupied Ghazni Province in early July, they tortured and massacred nine Hazara men. In Kabul, there have been many reports that the Taliban had “registered” door-to-door. Individuals who work for the government or government. Internationally funded projects. 

According to local media reports, dating back at least to 2016, biometric technology has played a role in such activities. In a widely reported incident that happened that year, the insurgents ambushed a bus on their way to Kunduz, took 200 passengers as hostages, and ultimately killed 12 people, including after visiting their families. Local Afghan National Army soldiers returning to base. Witnesses told the local police that the Taliban used some kind of fingerprint scanner to check people's identities.

It is unclear what type of devices these are or whether they are the same as those used by the U.S. military to help establish an "identity advantage"-the Pentagon's goal is to understand who people are and what they do. 

The coalition forces headed by the United States have more firepower, more equipment, and more funds. But it is the Taliban who have benefited the most from technological progress.

U.S. officials are particularly interested in tracing identities to disrupt the network of bomb makers who successfully avoided detection because their deadly improvised explosive devices caused a large number of casualties in the U.S. military. Using biometric devices, military personnel can capture people’s faces, eyes, and fingerprints, and use these unique, immutable data to connect individuals (such as bombmakers) to specific events. Raw data tends to be one way—returned from the device to the confidential DOD database—and actionable information, such as a list of people to “attention”, is downloaded back to the device.

Events like Kunduz seem to indicate that these devices can access a wider range of data sets, which has been repeatedly denied by the Afghan Ministry of Defense and US officials.

The Department of Defense spokesperson Eric Pahon wrote in an email: “The United States has taken precautions to ensure that sensitive data does not fall into the hands of the Taliban. There is no risk of these data being misused. Unfortunately. Yes, I can only say that." Statement shortly after the publication.

But Thomas Johnson, a research professor at the Naval Graduate School in Monterey, California, provided another possible explanation for how the Taliban used biometric information in the Kunduz attack. 

He told MIT Technology Review that they did not obtain data directly from the HIIDE device, but it is possible that the Taliban sympathizers in Kabul provided them with a database of military personnel, and they can verify printed materials against these databases. In other words, even in 2016, the biggest risk may be the database, not the device itself. 

In any case, some locals are convinced that collecting their biometric information puts them at risk. Abdul Habib, 32, lost his friend in the Kunduz attack. He was a former all-day air force soldier who blamed their deaths on the acquisition of biometric data. He was very worried that the database could also identify him, so he left the army and Kunduz province shortly after the bus attack. 

In an interview with the MIT Technology Review shortly before the fall of Kabul, Habib had lived in the capital for five years and worked in the private sector. 

"When it was first launched, I was very happy with this new biometric system," he said. "I think this is something useful and the military will benefit from it, but in retrospect, I don't think it's a good time to introduce something like this. If they are making such a system, they should also consider protecting it." 

He added that even in Kabul, he did not feel safe: “A colleague was told'we will delete your biometric information from the system', but as far as I know, once saved, they cannot delete it.”

When we talked to him for the last time before the evacuation deadline on August 31, thousands of Afghans surrounded the Hamid Karzai International Airport in Kabul and tried to leave on an evacuation flight. Habib said he was successful. Up. His biometric data is compromised, but with luck, he will leave Afghanistan. 

APPS may be one of the most worrying systems in Afghanistan, but it is not unique—not even the largest.

With the support of international donors, the Afghan government has accepted the possibility of biometrics. Biometrics will "help our Afghan partners understand who their citizens are...help Afghanistan control its borders; and...allow GiroA [the Government of the Islamic Republic of Afghanistan] to have an "identity advantage", as a US military official said in 2010 As said at the Biometrics Conference in Kabul. 

The core of this work is the biometric database of the Ministry of the Interior, called the Afghanistan Automatic Biometric System (AABIS), but it is often referred to simply as the Biometric Center. AABIS itself is modeled on the highly classified Department of Defense biometric system, called an automatic biometric system, which helps to identify the target of a drone attack. 

The only hope for many who have been taken over by the Taliban is the response of chaotic and sometimes adventurous online volunteers.

According to Jacobson's book, AABIS aims to cover 80% of the Afghan population, or approximately 25 million people, by 2012. Although there is no public information about how many records the database currently contains, and neither the contractor who manages the database nor the U.S. Department of Defense official responded to a request for comment, an unverified digital project manager in its LinkedIn profile at its U.S. headquarters will It is listed as 8.1 million records. 

AABIS was widely used by the former Afghan government in many ways. Most government positions and job applications for projects require a biometric check of the MOI system to ensure that the applicant does not have a criminal or terrorist background. Biometric checks are also required for passport, national ID and driving license applications and registration for university entrance exams in the country. 

Another database slightly smaller than AABIS is connected to the country's electronic national identity card "e-tazkira". According to data from the National Bureau of Statistics and Information, approximately 6.2 million applications were being processed when the government collapsed, but it is not clear how many applicants have already submitted biometric data. 

Other government agencies have also used or at least promoted biometrics. The Independent Election Commission used biometric scanners during the 2019 parliamentary elections to try to prevent voter fraud, but the results were suspicious. In 2020, the Ministry of Commerce and Industry announced that it will collect biometric information from people who register new businesses. 

Although there are too many systems, they are never fully connected to each other. An audit in the United States in August 2019 found that despite spending $38 million so far, APPS has not achieved many of its goals: biometric technology is still not directly integrated into its personnel files, but only through a unique biometric number Connect. The system is also not directly connected to other Afghan government computer systems, such as the computer system of the Ministry of Finance that sends wages. The audit stated that APPS also relies on manual data entry processes, which leaves room for human error or manipulation.

Afghanistan is not the only country adopting biometric technology. Many countries are worried about the so-called "ghost beneficiaries"-false identities used to illegally collect wages or other funds. Amba Kak, director of global policy and programs at AI Now Institute and legal expert on biometric systems, said that preventing such fraud is a common reason for biometric systems.

"It's easy to portray this [APPS] as extraordinary," said Kak, who co-edited a book on global biometric policy. It "seems to have a lot of continuity with the global experience of biometrics."

"Biometric identity as the only effective means of legal identification... is flawed and a bit dangerous."

It is generally believed that having a legal ID is a right, but "mixing a biometric ID as the only effective legal identification method", she said, "it is flawed and a bit dangerous." 

Kak questioned whether biometrics—not policy fixes—are the correct solution to fraud, adding that they are usually “not evidence-based”. 

However, largely driven by US military goals and international funding, Afghanistan has been very active in the promotion of such technologies. Even if APPS and other databases have not reached the expected level of functionality, they still contain many terabytes of data on Afghan citizens that the Taliban can mine. 

In the two weeks between the Taliban’s entry into Kabul and the official withdrawal of the U.S. military, people’s growing vigilance against the legacy of biometric devices and databases, as well as a large number of other data about daily life in Afghanistan, did not stop collecting people’s sensitive data. . 

This time, the data was mainly collected by well-meaning volunteers in insecure Google forms and spreadsheets, which indicates that the lessons of data security have not been learned, or that every participating group must relearn. 

Singh said more attention needs to be paid to what happens to the data during conflict or government collapse. "We will not take it seriously," he said, "but we should take it seriously, especially in these war-torn areas, where information may be used to cause a lot of damage."

Kak, a biometrics researcher, suggests that the best way to protect sensitive data may be "These types of [data] infrastructure... are not built in the first place."

For author and journalist Jacobson, the irony is that the Department of Defense’s obsession with using data to establish identity may actually help the Taliban achieve its own version of identity advantage. "That would be the fear of what the Taliban is doing," she said. 

In the end, some experts said that if the Taliban did try to use the data, the fact that the Afghan government database was not interoperable might actually be a saving. "I suspect that the application still doesn't work well, and given the recent incidents, this may be a good thing," Dan Grazier, a senior person in the supervision organization and government supervision of project work, said via email. 

But for those who are connected to the APPS database, they may now find themselves or their family members being hunted by the Taliban. This is not irony but betrayal. 

"The Afghan military trusts their international partners, including and led by the United States, to establish such a system," said a person familiar with the system. "Now the database will be used as a weapon for the [new] government."

This article has been updated based on comments from the Department of Defense. In the previous version of this article, a source stated that there was no deletion or data retention policy; he later clarified that he was not aware of such a policy. The story has been updated to reflect this.

How a senior virologist found new evidence to support the theory that the new coronavirus was transmitted from animals to humans in the notorious Chinese market, instead of emerging from laboratory leaks.

The US government’s China initiative aims to protect national security. In the most comprehensive case analysis to date, the MIT Technology Review reveals the extent to which it deviates from the target.

As the number of new coronary pneumonia cases has risen again, new restrictions are being implemented throughout Europe. However, there are several reasons for the new wave.

Thermal cameras and facial recognition systems may help fight covid-19 - but they also make us complicit in high-tech oppression of Uyghurs.

Discover special offers, popular stories, upcoming events and more.

Thank you for submitting your email!

There seems to be something wrong.

We were unable to save your preferences. Try to refresh this page and update them again. If you continue to receive this message, please contact us at customer-service@technologyreview.com and provide a list of newsletters you wish to receive.

Our mission is to make smarter and more conscious decisions about technology through authoritative, influential and trustworthy news reports.

Subscribe to support our news work.