Researchers Shocked At Sensitive US Military Data Found On Memory Card Sold On Ebay

HIIDE fingerprint scan
In 2021, The Intercept reported that the Taliban had seized biometric devices left behind by the US military in Afghanistan, giving them identifiable information on those who worked with American forces. A group of researchers in Germany called the Chaos Computer Club, led by Matthias Marx, wondered if it was really that easy to get highly classified military data. They purchased a few military surplus biometric scanners on eBay to discover that, yes, they had purchased the biometric data of thousands of individuals. 

The devices, known as Handheld Interagency Identity Detection Equipment (HIIDE), are designed to guarantee accurate identification of a person, even if their appearance has dramatically changed. A HIIDE collects fingerprints, iris scans, and photographs for facial recognition, and it stores that data on a memory card. According to a report in the New York Times, the Chaos Computer Club, which has a history of digging into biometrics, discovered the memory card on one of its purchased HIIDE devices had not been erased. It contained the names, national origins, photographs, fingerprints and iris scans of 2,632 people. 

Most of the records were from Kandahar, Afghanistan in the summer of 2012, but a second device had fingerprints and iris scans of US military personnel who were stationed in Jordan in 2013. Marx expressed surprise that the US military didn't even attempt to protect the data. The data was on a memory card, so it would have been trivially easy to dispose of the data before selling the biometric scanners. "They didn’t care about the risk, or they ignored the risk," said Marx. 

HIIDE biometric

The devices left in Afghanistan could contain similarly precise data, which would make it almost impossible for former US allies to hide from Taliban forces. This may amplify calls to grant asylum claims to get these people out of Afghanistan. 

The Department of Defense demurred when asked for comment, saying it had not seen the data and therefore could not "confirm the authenticity of the alleged data or otherwise comment on it." It did, however, ask that any hardware with confidential information be returned to the military for analysis. The Chaos Computer Club says that given the sensitive nature of the data, it plans to delete everything it has found. These devices are capable of storing up to 22,000 full biometric profiles, so technically, it could have been a lot worse.