As the Taliban swept through Afghanistan in mid-August, declaring the end of two decades of war, reports quickly circulated that they had also captured US military biometric devices used to collect data such as iris scans, fingerprints, and facial images.Some feared that the machines, known as HIIDE, could be used to help identify Afghans who had supported coalition forces.
According to experts speaking to MIT Technology Review, however, these devices actually provide only limited access to biometric data, which is held remotely on secure servers. But our reporting shows that there is a greater threat from Afghan government databases containing sensitive personal information that could be used to identify millions of people around the country.
MIT Technology Review spoke to two individuals familiar with one of these systems, a US-funded database known as APPS, the Afghan Personnel and Pay System. Used by both the Afghan Ministry of Interior and the Ministry of Defense to pay the national army and police, it is arguably the most sensitive system of its kind in the country, going into extreme levels of detail about security personnel and their extended networks. We granted the sources anonymity to protect them against potential reprisals.
Started in 2016 to cut down on paycheck fraud involving fake identities, or “ghost soldiers,” APPS contains some half a million records about every member of the Afghan National Army and Afghan National Police, according to estimates by individuals familiar with the program. The data is collected “from the day they enlisted,” says one individual who worked on the system, and remains in the system forever, whether or not someone remains actively in service. Records could be updated, he added, but he was not aware of any deletion or data retention policy—not even in contingency situations, such as a Taliban takeover.
A presentation on the police recruitment process from NATO’s Combined Security Training Command–Afghanistan shows that just one of the application forms alone collected 36 data points. Our sources say that each profile in APPS holds at least 40 data fields.
These include obvious personal information such as name, date, and place of birth, as well as a unique ID number that connects each profile to a biometric profile kept by the Afghan Ministry of Interior.
But it also contains details on the individuals’ military specialty and career trajectory, as well as sensitive relational data such as the names of their father, uncles, and grandfathers, as well as the names of the two tribal elders per recruit who served as guarantors for their enlistment. This turns what was a simple digital catalogue into something far more dangerous, according to Ranjit Singh, a postdoctoral scholar at the nonprofit research group Data & Society who studies data infrastructures and public policy. He calls it a sort of “genealogy” of “community connections” that is “putting all of these people at risk.”
The information is also of deep military value—whether for the Americans who helped construct it or for the Taliban, both of which are “looking for networks” of their opponent’s supporters, says Annie Jacobsen, a journalist and author of First Platoon: A Story of Modern War in the Age of Identity Dominance.
But not all the data has such clear use. The police ID application form, for example, also appears to ask for recruits’ favorite fruit and vegetable. The Office of the Secretary of Defense referred questions about this information to United States Central Command, which did not respond to a request for comment on what they should do with such data.
While asking about fruits and vegetables may feel out of place on a police recruitment form, it indicates the scope of the information being collected and, says Singh, points to two important questions: What data is legitimate to collect to achieve the state’s purpose, and is the balance between the benefits and drawbacks appropriate?
In Afghanistan, where data privacy laws were not written or enacted until years after the US military and its contractors began capturing biometric information, these questions never received clear answers.
The resulting records are extremely comprehensive.
“Give me a field that you think we will not collect, and I’ll tell you you’re wrong,” said one of the individuals involved.
Then he corrected himself: “I think we don’t have mothers’ names. Some people don’t like to share their mother’s name in our culture.”
A growing fear of reprisals
The Taliban have stated publicly that they will not carry out targeted retribution against Afghans who had worked with the previous government or coalition forces. But their actions—historically and since their takeover—have not been reassuring.
On August 24, the UN High Commissioner of Human Rights told a special G7 meeting that her office had received credible reports of “summary executions of civilians and combat members of the Afghan national security forces.”
“I wouldn’t be surprised if they looked at the databases and started printing lists based on this … and now are head-hunting former military personnel,” one individual familiar with the database told us.
An investigation by Amnesty International found that the Taliban tortured and massacred nine ethnic Hazara men after capturing Ghazni province in early July, while in Kabul there have been numerous reports of Taliban going door to door to “register” individuals who had worked for the government or internationally funded projects.
Biometrics have played a role in such activity going back to at least 2016, according to local media accounts. In one widely reported incident from that year, insurgents ambushed a bus en route to Kunduz and took 200 passengers hostage, eventually killing 12, including local Afghan National Army soldiers returning to their base after visiting family. Witnesses told local police at the time that the Taliban used some kind of fingerprint scanner to check people’s identities.
It’s unclear what kinds of devices these were, or whether they were the same ones used by American forces to help establish “identity dominance”—the Pentagon’s goal of knowing who people were and what they had done.
US officials were particularly interested in tracking identities to disrupt networks of bomb makers, who were successfully evading detection as their deadly improvised explosive devices caused large numbers of casualties among American troops. With biometric devices, military personnel could capture people’s faces, eyes, and fingerprints—and use that unique, immutable data to connect individuals, like bomb makers, with specific incidents. Raw data tended to go one way—from devices back to a classified DOD database—while actionable information, such as lists of people to “be on the lookout for”, was downloaded back onto the devices.
Incidents like the one in Kunduz seemed to suggest that these devices could access broader sets of data, something that the Afghan Ministry of Defense and American officials alike have repeatedly denied.
“The U.S. has taken prudent actions to ensure that sensitive data does not fall into the Taliban’s hands. This data is not at risk of misuse. That’s unfortunately about all I can say,” wrote Eric Pahon, a Defense Department spokesperson, in an emailed statement shortly after publication.
“They should also have thought of securing it”
But Thomas Johnson, a research professor at the Naval Postgraduate School in Monterey, California, provides another possible explanation for how the Taliban may have used biometric information in the Kunduz attack.
Instead of their taking the data straight from HIIDE devices, he told MIT Technology Review, it is possible that Taliban sympathizers in Kabul provided them with databases of military personnel against which they could verify prints. In other words, even back in 2016, it may have been the databases, rather than the devices themselves, that posed the greatest risk.
Regardless, some locals are convinced that the collection of their biometric information has put them in danger. Abdul Habib, 32, a former ANA soldier who lost friends in the Kunduz attack, blamed access to biometric data for their deaths. He was so concerned that he too could be identified by the databases, that he left the army—and Kunduz province—shortly after the bus attack.
When he spoke with MIT Technology Review shortly before the fall of Kabul, Habib had been living in the capital for five years, and working in the private sector.
“When it was first introduced, I was happy about this new biometric system,” he said. “I thought it was something useful and the army would benefit from it, but now looking back, I don’t think it was a good time to introduce something like that. If they are making such a system, they should also have thought of securing it.”
And even in Kabul, he added, he hasn’t felt safe: “A colleague was told that ‘we will remove your biometrics from the system,’ but as far as I know, once it is saved, then they can’t remove it.”
When we last spoke to him just before the August 31 withdrawal deadline, as tens of thousands of Afghans surrounded the Hamid Karzai International Airport in Kabul in attempts to leave on an evacuation flight, Habib said that he had made it in. His biometric data was compromised, but with any luck, he would be leaving Afghanistan.
What other databases exist?
APPS may be one of the most fraught systems in Afghanistan, but it is not unique—nor even the largest.
The Afghan government—with the support of its international donors—has embraced the possibilities of biometric identification. Biometrics would “help our Afghan partners understand who its citizens are … help Afghanistan control its borders; and … allow GIRoA [the Government of the Islamic Republic of Afghanistan] to have ‘identity dominance,’” as one American military official put it in a 2010 biometrics conference in Kabul.
Central to the effort was the Ministry of Interior’s biometric database, called the Afghan Automatic Biometric Identification System (AABIS), but often referred to simply as the Biometrics Center. AABIS itself was modeled after the highly classified Department of Defense biometric system called the Automatic Biometric Identification System, which helped identify targets for drone strikes.
According to Jacobsen’s book, AABIS aimed to cover 80% of the Afghan population by 2012, or roughly 25 million people. While there is no publicly available information on just how many records this database now contains, and neither the contractor managing the database nor officials from the US Defense Department have responded to requests for comment, one unconfirmed figure from the LinkedIn profile of its US-based program manager puts it at 8.1 million records.
AABIS was widely used in a variety of ways by the previous Afghan government. Applications for government jobs and roles at most projects required a biometric check from the MOI system to ensure that applicants had no criminal or terrorist background. Biometric checks were also required for passport, national ID, and driver’s license applications, as well as registrations for the country’s college entrance exam.
Another database, slightly smaller than AABIS, was connected to the “e-tazkira,” the country’s electronic national ID card. By the time the government fell, it had roughly 6.2 million applications in process, according to the National Statistics and Information Authority, though it is unclear how many applicants had already submitted biometric data.
Biometrics were also used—or at least publicized—by other government departments as well. The Independent Election Commission used biometric scanners in an attempt to prevent voter fraud during the 2019 parliamentary elections, with questionable results. In 2020, the Ministry of Commerce and Industries announced that it would collect biometrics from those who were registering new businesses.
Despite the plethora of systems, they were never fully connected to each other. An August 2019 audit by the US found that despite the $38 million spent to date, APPS had not met many of its aims: biometrics still weren’t integrated directly into its personnel files, but were just linked by the unique biometric number. Nor did the system connect directly to other Afghan government computer systems, like that of the Ministry of Finance, which sent out the salaries. APPS also still relied on manual data-entry processes, said the audit, which allowed room for human error or manipulation.
A global issue
Afghanistan is not the only country to embrace biometrics. Many countries are concerned about so-called “ghost beneficiaries”—fake identities that are used to illegally collect salaries or other funds. Preventing such fraud is a common justification for biometric systems, says Amba Kak, the director of global policy and programs at the AI Now institute and a legal expert on biometric systems.
It’s widely recognized that having legal identification documents is a right, but “conflating biometric ID as the only efficient means for legal identification,” she says, is “flawed and a little dangerous.”
Kak questions whether biometrics—rather than policy fixes—are the right solution to fraud, and adds that they are often “not evidence-based.”
But driven largely by US military objectives and international funding, Afghanistan’s rollout of such technologies has been aggressive. Even if APPS and other databases had not yet achieved the level of function they were intended to, they still contain many terabytes of data on Afghan citizens that the Taliban can mine.
“Identity dominance”—but by whom?
The growing alarm over the biometric devices and databases left behind, and the reams of other data about ordinary life in Afghanistan, has not stopped the collection of people’s sensitive data in the two weeks between the Taliban’s entry into Kabul and the official withdrawal of American forces.
This time, the data is being collected mostly by well-intentioned volunteers in unsecured Google forms and spreadsheets, highlighting either that the lessons on data security have not yet been learned—or that they must be relearned by every group involved.
Singh says the issue of what happens to data during conflicts or governmental collapse needs to be given more attention. “We don’t take it seriously,” he says, “But we should, especially in these war-torn areas where information can be used to create a lot of havoc.”
Kak, the biometrics law researcher, suggests that perhaps the best way to protect sensitive data would be if “these kinds of [data] infrastructures … weren’t built in the first place.”
For Jacobsen, the author and journalist, it is ironic that the Department of Defense’s obsession with using data to establish identity might actually help the Taliban achieve its own version of identity dominance. “That would be the fear of what the Taliban is doing,” she says.
Ultimately, some experts say the fact that Afghan government databases were not very interoperable may actually be a saving grace if the Taliban do try to use the data. “I suspect that the APPS still doesn’t work that well, which is probably a good thing in light of recent events,” said Dan Grazier, a veteran who works at watchdog group the Project on Government Oversight, by email.
But for those connected to the APPS database, who may now find themselves or their family members hunted by the Taliban, it’s less irony and more betrayal.
“The Afghan military trusted their international partners, including and led by the US, to build a system like this,” says one of the individuals familiar with the system. “And now that database is going to be used as the [new] government’s weapon.”
This article has been updated with comment from the Department of Defense. In a previous version of this article, one source indicated that there was no deletion or data retention policy; he has since clarified that he was not aware of such a policy. The story has been updated to reflect this.
Your daily newsletter about what’s up in emerging technology from MIT Technology Review.