For sale on eBay: A military fingerprint and iris scanner database

The shoebox-shaped device designed to capture fingerprints and iris scans has been listed for sale on eBay for $149.95.

A German security researcher, Matthias Marx, bid $68, and when it arrived at his Hamburg home in August, the rugged, portable machine held more than advertised.

The device’s memory card contained names, nationalities, photographs, fingerprints and iris scans 2,632 people.

Most people in the database, reviewed by The New York TimesThey came from Afghanistan and Iraq.

Many were known terrorists and wanted persons, but others appeared to be people who had worked with the US government or had simply been stopped at checkpoints.

The device metadata, called Secure Electronic Registration Kit or SEEK IIrevealed that it had last been used in about the summer of 2012 Kandahar (Afghanistan).

The device – a relic of the vast biometric data collection system built by the Pentagon in the years following the September 11, 2001 attacks – is a physical reminder that while the United States has put the wars in Afghanistan and Iraq behind it, the tools built to combat them, and the information they contained lives on in ways not intended by their creators.

It’s not known exactly how the device ended up making its way from the battlefields of Asia to an online auction site.

But the data, which provides detailed descriptions of people, as well as their photos and biometrics, could be enough to identify individuals previously unknown to have worked with the US military, should the information fall into the slots of the wrong hands. .

For these reasons, Marx did not want to put the information online or share it electronically, but he did allow a Times reporter in Germany to view the data in person with him.

“Because we have not reviewed the information contained on the devices, the Department cannot confirm the authenticity of the alleged data or make any other comments about it,” Brigadier General Patrick S. Ryder, the department’s press secretary, said in a statement. .

“The department requests that any device believed to contain personally identifiable information be returned for further analysis.”

He provided the address of the military biometrics program director at Fort Belvoir, Virginia, where the devices could be shipped.

SEEK II’s biometric data was collected in detention centers, on patrols, during local recruitment checks and after a sudden bomb explosion.

By the time the device was last used in Afghanistan, the US war effort in that country was drawing to a close.

Osama bin Laden had been assassinated in Pakistan a year earlier and his identity had been confirmed using intelligence technology. Facial recognition.

A major concern of military leaders at the time was a series of shootings in which Afghan soldiers and policemen pointed their guns at US troops.

They hoped the biometric enrollment program would help identify potential Taliban agents within its bases.

A 2011 “Commander’s Guide to Biometrics in Afghanistan” described iris, fingerprint, and facial readers as a “relatively new” but “battlefield critical capability” that “effectively identifies insurgents, verifies local citizens, and from third countries who access our bases and facilities and connect people to events.”

The SEEK II has a tiny screena miniature physical keyboard and an almost comically small mousepad.

A fingerprint reader is protected by a hinged plastic cover at the bottom of the device.

Like an old Polaroid camera, the machine opens to scan the iris and take pictures.

Marx used SEEK II on himself; when he shut it down, a message popped up asking to connect to a US Special Operations Command server to upload the newly “collected biometric data.”

Over the past year, Marx and a small group of researchers from the Chaos Computer Club, a European hacker association, bought six biometric capture devices on eBay, most for under $200, with the intention of analyzing them for find any vulnerability or design flaw.

The reason was concerns raised last year that such devices could be seized by the Taliban following the US evacuation of Afghanistan.

Prosecutors wanted to know if the Taliban could have obtained biometric data from the devices of people who had helped the United States, putting it in danger.

Finding so much unencrypted and easily accessible information shocked them.

“It was disturbing that they didn’t even try to secure the data,” Marx said, referring to the US military.

“they didn’t care the risk, or was unaware of it.

Stewart Baker, a Washington attorney and former national security official, said biometric scanning is an invaluable tool in war zones, but the data it collects needs to be kept under wraps.

He predicted the data leak would “make many people who have helped the United States and are still in Afghanistan uneasy.”

“This shouldn’t have happened,” Baker said.

“It’s a disaster for the people whose data is exposed. In the worst case, the consequences could be fatal.”

Of the six devices the researchers bought on eBay, four SEEK and two HIIDE, for Handheld Interagency Identity Detection Equipment, two of the SEEK IIs contained sensitive data.

The second SEEK II, whose location metadata showed it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of members of the US military.

Contacted by the Times, one of the Americans whose biometric scanner was found on the device confirmed that the data was probably his.

He had previously worked as a marine intelligence specialist and said his data, and that of any other Americans found on these devices, was likely collected during a marine training course. military training.

The man, who spoke on condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked for his biometric file to be deleted.

Military officials said the only reason these devices would have data on Americans is to use them during training sessions, a common practice to prepare for their use in the field.

According to the Defense Logistics Agency, which handles the disposal of millions of dollars of surplus Pentagon material each year, devices like SEEK II and HIIDE should never have made it onto the open market, let alone an online auction site like eBay. .

Instead, all biometric data collection equipment must be destroyed in situ when military personnel no longer need them, as well as other electronic devices that once held sensitive operational information.

It’s unclear how eBay sellers obtained these devices.

The device with the 2,632 profiles was sold by Rhino Trade, a Texas surplus equipment company.

Company treasurer David Mendez said he purchased the SEEK II a government equipment auction and did not realize that a decommissioned military device would contain sensitive data.

“I hope we haven’t done anything wrong,” he said.

The SEEK II with the US troop information came from Tech-Mart, an eBay seller in Ohio.

Tech-Mart owner Ayman Arafa declined to say how he acquired it, as well as two other devices he sold to investigators.

An eBay spokesman said company policy prohibited advertising of electronic devices that contained personally identifiable information.

“Ads that violate this policy will be removed and users may face action up to and including permanent account suspension,” the spokesperson said.

Sensitive data on devices was stored on memory cards.

Had the cards been removed and destroyed, this data would not have been exposed.

“The irresponsible handling of this high-risk technology is incredible,” Marx said.

“We find it incomprehensible that the manufacturer and former military users don’t care that used devices with sensitive data are sold online.”

The Times examined the manuals and online documentation for the HIIDE and SEEK II devices and found they were designed to search biometric files stored on government servers.

However, they are capable of storing thousands of biometric records for use in an environment with limited internet connectivity, which may help explain why these biometric records were still on these devices.

Ella Jakubowska, policy adviser on biometrics at European Digital Rights, a privacy advocacy group, said the military should inform everyone whose data has been exposed.

“It doesn’t matter that it’s from a decade ago,” he said.

“One of the key points that we always try to clarify about biometrics and why they are so sensitive is because they can identify you forever“.

Jakubowska said it doesn’t matter if some of those in the database have committed crimes or are on watch lists.

“You are still a human being, and it is an indicator of democratic societies that we continue to treat people, including criminals, with dignity and respect for their human rights,” she said.

Marx alerted the Defense Department of the exposed data, as well as the device maker, HID Global.

Asked for comment, HID Global said in a statement that it was not “sharing details about our customers or specific product implementations.”

“The configuration, management, security, archiving and regular deletion of data are the responsibility of the organization using HID-manufactured devices,” the company said.

Belkis Wille, researcher at Human Rights Watch who has written about the use of biometrics in Afghanistan, told German public broadcaster Bayerischer Rundfunk that people who worked with the US government and were affected by the leak should be given the option to leave Afghanistan and apply for asylum.

“Even a former policeman in hiding, who has changed his name, because he doesn’t want to be captured by the Taliban, is no longer safe,” he told Bayerischer Rundfunk.

“This system means they really have no way to protect themselves.”

Marx was due to present his findings at a hacker event in Berlin on Tuesday.

Once the analysis of the biometric devices is complete, he and his fellow researchers plan to erase the personally identifiable data.

c.2022 The New York Times Company