Written by Kashmir Hill, John Ismay, Christopher F. Schuetze and Aaron Krolik
The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing.
The device’s memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.
Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan.
The device — a relic of the vast biometric collection system the Pentagon built in the years after the Sept. 11, 2001, attacks — is a physical reminder that although the United States has moved on from the wars in Afghanistan and Iraq, the tools built to fight them and the information they held live on in ways unintended by their creators.
Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear. But the data, which offers detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands.
For those reasons, Marx would not place the information online or share it in an electronic format, but he did allow a Times reporter in Germany to see the data in person alongside him.
“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Brig. Gen. Patrick S. Ryder, the Defense Department’s press secretary, said in a statement. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”
He provided an address for the military’s biometrics program manager at Fort Belvoir in Virginia where the devices could be sent.
The biometric data on the SEEK II was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb. Around the time when the device was last used in Afghanistan, the U.S. war effort there was winding down. Osama bin Laden had been killed in Pakistan a year earlier — his identity reportedly confirmed using facial recognition technology.
One of the main concerns of military leaders at that time was a rash of shootings in which Afghan soldiers and police turned their guns on U.S. troops. They hoped that the biometric enrollment program would help identify any possible Taliban agents inside their own bases.
A 2011 “commander’s guide to biometrics in Afghanistan” described face, fingerprint and iris scans as a “relatively new” but “decisive battlefield capability” that “effectively identifies insurgents, verifies local and third-country nationals accessing our bases and facilities, and links people to events.”
The SEEK II has a tiny screen, a miniature physical keyboard and an almost comically small mouse pad. A thumbprint reader is protected by a hinged plastic lid at the bottom of the device. Like an ancient Polaroid camera, the machine unfolds to allow iris scans and to take photos. Marx used the SEEK II on himself; when he turned it off, a message popped up, asking to connect to a U.S. Special Operations Command server to upload the new “collected biometrics.”
Over the past year, Marx and a small group of researchers at the Chaos Computer Club, a European hacker association, bought six biometric capture devices on eBay, most for less than 200 euros, planning to analyze them to find any vulnerabilities or design flaws. They were motivated by concerns raised last year that the Taliban had seized such devices after the U.S. evacuation from Afghanistan. The group of researchers wanted to understand whether the Taliban could have gotten biometric data about people who had assisted the United States from the devices, putting them at risk.
Finding so much information sitting unencrypted and easily accessible shocked them.
“It was disturbing that they didn’t even try to protect the data,” Marx said, referring to the U.S. military. “They didn’t care about the risk, or they ignored the risk.”
Stewart Baker, a Washington lawyer and former national security official, said that biometric scanning was a valuable tool in war zones but that the collected data needed to be kept under control. He predicted the data breach would “make a lot of people who helped the U.S. and are still in Afghanistan really uncomfortable.”
“This should not have happened,” Baker said. “It is a disaster for the people whose data is exposed. In the worst cases, the consequences could be fatal.”
Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs, for Handheld Interagency Identity Detection Equipment — two of the SEEK II devices had sensitive data on them. The second SEEK II, with location metadata showing it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of U.S. service members.
When reached by the Times, one American whose biometric scan was found on the device confirmed that the data was likely his. He previously served as a Marine intelligence specialist and said his data, and that of any other American found on these devices, was most likely collected during a military training course. The man, who spoke on the condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked that his biometric file be deleted.
Military officials said the only reason these devices would have data on Americans would be their use during training sessions, a common practice to prepare for employing them in the field.
According to the Defense Logistics Agency, which handles the disposal of millions of dollars of excess Pentagon matériel each year, devices like the SEEK II and the HIIDE never should have made it to the open market — much less an online auction site like eBay. Instead, all biometric collection gear is supposed to be destroyed on site when no longer needed by military personnel, as are other electronic devices that once held sensitive operational information.
How eBay sellers obtained these devices is unclear. The device with the 2,632 profiles was sold by Rhino Trade, a surplus equipment company in Texas. The company’s treasurer, David Mendez, said it had bought the SEEK II at an auction of government equipment and did not realize a decommissioned military device would have sensitive data on it.
“I hope we didn’t do anything wrong,” he said.
The SEEK II with the American troops’ information came from Tech-Mart, an eBay seller in Ohio. Tech-Mart’s owner, Ayman Arafa, declined to say how he had acquired it, or two other devices he sold to the researchers.
An eBay spokesperson said company policy prohibited the listing of electronic devices that contained personally identifiable information. “Listings that violate this policy will be removed, and users may face actions up to, and including, a permanent suspension of their account,” the spokesperson said.
The sensitive data on the devices was stored on memory cards. If the cards had been removed and destroyed, this data would not have been exposed.
“The irresponsible handling of this high-risk technology is unbelievable,” Marx said. “It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online.”
The Times reviewed online manuals and documentation for the HIIDE and SEEK II devices and found that they were designed to search biometric files kept on government servers. However, they are able to store thousands of biometric records for use in an environment with limited internet connectivity, which may help explain why these biometric records were still on these devices.
Ella Jakubowska, a policy adviser on biometric information at European Digital Rights, a privacy advocacy group, said the military should inform all the people whose data had been exposed.
“It doesn’t matter that it’s from a decade ago,” she said. “One of the key points that we’re always trying to raise about biometric data and why it’s so sensitive is because it can identify you forever.”
Jakubowska said it did not matter if some in the database had committed crimes or were on watchlists. “You are still a human, and it’s a marker of democratic societies that we still treat people, even criminals, with dignity, and with respect for their human rights,” she said.
Marx alerted the Department of Defense about the unprotected data, as well as the manufacturer of the device, HID Global. Asked for comment, HID Global said in a statement that it did not “share details about our customers or specific product implementations.”
“The configuration, management, protection, storage and regularity of deletion of data is the responsibility of the organization using HID-manufactured devices,” the company said.
Belkis Wille, a researcher at Human Rights Watch who has written about the use of biometrics in Afghanistan, told German public broadcaster Bayerischer Rundfunk that people who had worked with the U.S. government and were affected by the breach should be given the opportunity to leave Afghanistan and apply for asylum.
“Even a former policeman who is in hiding, who has changed their name, because they don’t want the Taliban to capture them isn’t safe anymore,” she told Bayerischer Rundfunk. “This system means that they really have no way to protect themselves.”
Marx planned to present his findings at an event for hackers in Berlin on Tuesday. After the analysis of the biometric devices is complete, he and his fellow researchers plan to delete the personally identifiable data.