A group of security researchers in Germany has been at work on an important task: reviewing the types of devices used to collect biometric data in Afghanistan in the early 21st century. Their goal is to learn more about whether any flaws exist in them — the kinds of flaws that might have allowed, say, the Taliban to pull data from them. A recent New York Times article details the surprise that one such researcher received after buying a former military device on eBay for $68: biometric data for over 2,600 people.
As the article details, the Secure Electronic Enrollment Kit — as the device is known — had not been used since 2012, when it was utilized in Afghanistan. What’s especially alarming is that no one seems to know why the data wasn’t deleted from the device between then and now.
Matthias Marx, the researcher who purchased the device, certainly wasn’t expecting it to come with fingerprints and retinal scans on it. Defense Department press secretary Brig. Gen. Patrick S. Ryder released a statement asking for the device to be returned for inspection. The Defense Logistics Agency told the Times that biometric data collection devices are supposed to be destroyed outright after the military is finished using them. And eBay has a policy against selling technology that contains personal information.
It’s alarming for numerous reasons. But it’s also a situation that could put people in real danger. The Times spoke with Stewart Baker, who has abundant experience with national security, about the data. “It is a disaster for the people whose data is exposed,” Baker told the Times. “In the worst cases, the consequences could be fatal.”
Thanks for reading InsideHook. Sign up for our daily newsletter and be in the know.