What The West’s Disorderly Withdrawal from Afghanistan Tells Us About Privacy and its Preservation

Posted on Sep 13, 2021 by Glyn Moody

In the wake of the West’s chaotic withdrawal from Kabul, and the rapid takeover of the country by the Taliban, Afghanistan continues to dominate the headlines. Given the major geopolitical implications of these events, with China already looking to capitalize on the West’s failure, that’s hardly surprising. What is more unexpected is how prominently issues of privacy figure in the new chapter of Afghanistan’s unfolding story. The central concern involves biometrics, an area that Privacy News Online has noted previously is fraught with risks.

As The Intercept was the first to report, it seems that amongst the large collection of US military hardware seized by the Taliban there are biometric devices known as HIIDE: Handheld Interagency Identity Detection Equipment. The associated Biometric Automated Toolset System (BATS) uses fingerprints and retina scans to help the US military “tell the difference between the good guys and the bad guys” in a number of countries. The Afghan biometrics program formally began in 2009, with help from the FBI. A “U.S. Army Commander’s Guide to Biometrics in Afghanistan” from 2011 is still available online. As an article from 2016 explains, the primary target of these biometric systems was insurgents:

A majority of our operations produce biometric information that leads to arrests, warrants, and the removal of insurgent anonymity. Furthermore, increasing components of our successful insurgent-targeted operations are a result of our biometric collection and enrollment processes. Across Regional Command–East (RC-E), biometric intelligence-driven operations have achieved major impacts on the insurgent ability to maintain leadership and lower-level cell structures as both coalition and Afghan forces regularly employ biometrically developed insurgent watch lists and “be on the lookout” (BOLO) messages and as they execute deliberate detention operations.

Biometric information about insurgents falling into the hands of the Taliban is hardly a problem, since they are largely the same people. An article in Technology Review points out that the real danger arises from the personal information held in a US-funded database known as APPS, the Afghan Personnel and Pay System:

Started in 2016 to cut down on paycheck fraud involving fake identities, or “ghost soldiers,” APPS contains some half a million records about every member of the Afghan National Army and Afghan National Police, according to estimates by individuals familiar with the program. The data is collected “from the day they enlisted,” says one individual who worked on the system, and remains in the system forever, whether or not someone remains actively in service.

According to the article, each APPS profile holds around 40 data fields, including details on the individuals’ “military specialty and career trajectory, as well as sensitive relational data such as the names of their father, uncles, and grandfathers, as well as the names of the two tribal elders per recruit who served as guarantors for their enlistment.” If the Taliban gain access to this and similar highly-personal information, they can not only identify Afghans who worked in or for the national army and police, but also their close relatives. It is easy to imagine such data being used for summary executions of the kind that have already taken place. The Zenger News site interviewed the head of a special Taliban unit called Al Isha whose task is specifically to exploit biometric and other data to seek out Afghans who helped the US and its allies. Unfortunately for the latter, the Taliban can now draw on considerable technical expertise: they have already used social media to great effect.

The threat that biometric and other personal data might be used against Afghans has led to hurried attempts to minimize the damage. US agencies have been told to “scrub” their Web sites, and to remove articles and photos that might endanger civilians who worked with them. Google has locked Afghan government email accounts, so as to prevent their contents from being used by the Taliban to identify targets for retribution. Facebook, Twitter and LinkedIn have taken analogous action to prevent their services being used track Afghans’ personal histories and social connections. Similarly, ordinary Afghans are seeking to erase evidence of their past lives that might lead the Taliban to target them. However, an article Wired points out that some aspects of online life are not under the control of individuals:

there are the photos and videos that people have been caught up in, wittingly and unwittingly, that they can’t control. Posed photographs showing educational projects on NGO websites and candid shots of life outside Taliban rule are all potentially evidence of transgressions.

Deleting social media profiles completely would mean losing access to family and friends, and resources inside and outside the country.

The fraught situation in Afghanistan exposes in an extreme form the tension between maximizing the utility of social media and preserving privacy. That’s a hard balance to achieve. The looming problem with Taliban access to massive biometric systems revealing who people are, and what they have been doing for the last few years, is in some sense easier for others to avoid. As this blog and many experts have insisted, massive databases holding biometrics and other key personal information are incompatible with protecting privacy. They should never be rolled out as thoughtlessly as they were in Afghanistan, with what is likely to have serious, possibly fatal, consequences for thousands of innocent people.

Feature image by Weaveravel.