The Taliban may now have access to massive databases of biometric data identifying Afghans who cooperated with the US military, voted in elections, supported the previous government, or belong to targeted ethnic groups. The data was collected with American and European funding and technology, in many cases by the US military itself.
It began with an Afghan national ID card called the Takzira that included a citizen’s photo and personal data. In 2018 the Afghan government upgraded to a digital version, the e-Takzira, that included biometric data. The US and EU funded the e-Takzira project and provided technical expertise.
The e-Takzira was required to vote in Afghan elections, so e-Takzira data was collected in a national voter registry with UN assistance. Biometric voter verification systems were deployed to poll places in the 2018 parliamentary election. It was later reported the election servers were breached.
The US military as well as FBI also collected biometrics (iris, fingerprint, face) on as many as 80% of Afghans, using special laptops and portable devices soldiers carried into Afghan villages. The Taliban soon began stealing the US handheld devices, which reportedly “contain identifying biometric data such as iris scans and fingerprints, as well as biographical information, and are used to access large centralized databases.” It was reported that Pakistani intelligence services (ISI) offered to help the Taliban extract biometric data from stolen devices.
Today the Taliban control Afghanistan and have access to databases created by the previous government, including e-Takzira and voter registration, and possibly US military data that was left behind. “We understand that the Taliban is now likely to have access to various biometric databases and equipment in Afghanistan,” the Human Rights First group tweeted. “This technology is likely to include access to a database with fingerprints and iris scans, and include facial recognition.”
A DHS official confirmed that “there’s almost no doubt [the Taliban have] gotten their hands on an enormously valuable trove of information.” James Lewis of the Center for Strategic and International Studies said “it’s likely that the Afghan government that just fell was collecting on people who were connected to the U.S. in some way for a whole set of reasons.”
Afghans are scrambling to delete themselves from social media and other digital histories that could mark them as US sympathizers. Facebook, Twitter, and LinkedIn provided tools to help Afghans hide their accounts. Some Afghans are even disguising themselves physically to evade Taliban checkpoints, applying makeup, changing facial hair, etc. Such disguises are unlikely to work against modern biometric systems. A Kabul resident said in a private message that she had heard of house-to-house inspections, and that the Islamist militants were using a “biometrics machine.”
Biometric technology is a double-edged sword. It was useful to the US military and Afghan government over the past two decades, but now the Taliban will almost certainly use it to punish Afghan allies we left behind. America placed too much faith in the Afghan government’s ability to secure sensitive data, and too much faith in our own ability to retreat from Kabul in an orderly manner.
The broader cybersecurity lesson is to always assume biometric data records may fall into enemy hands. We must secure them with encryption, access controls, strong authentication, anonymization, and self-destruct kill switches – and be careful who we share them with.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.