A cautionary tale on mass data collection, from Afghanistan

 

Since the Taliban re-took Afghanistan in 2021, people on the ground have feared that authorities would gain access to databases holding troves of personal information about Afghans, particularly those who worked with the U.S. military or foreign NGOs. Sources with direct knowledge of the digitization initiatives have confirmed to us that this has indeed happened. 

Human Rights Watch recently released a report on the role of foreign governments and international agencies in constructing and funding these systems that now put Afghans at risk.

Thousands of Afghans can now expect that everything from their name and birthdate to their home address, family relationships, professional ties, fingerprints and facial data is in the hands of the Taliban.

There is nothing especially unique about the existence of Afghanistan’s digital ID systems. From India to Ghana to Venezuela, such schemes are becoming commonplace around the world, and their purpose isn’t always sinister. The idea is that governments and humanitarian agencies can better serve people if they know who they are and where to find them. Inspired in part by the UN Sustainable Development Goals, and driven by the lofty hope that digitization guarantees efficiency, entities like the World Bank, the UN and Western governments often foot the bill for these systems.

But Afghanistan provides a grave warning about what can happen if sensitive personal data ends up in the wrong hands. 

Afghans who are especially vulnerable under the Taliban, including security forces, members of the judiciary, and people who worked with the U.S. military, are now fearful of how this could affect them and their families.

This week I spoke with Belkis Wille, a senior researcher in HRW’s Crisis and Conflict division. She acknowledged that there are other ways for the Taliban to gather information on its targets, but emphasized that biometric databases allow them to easily get more information on more people, and make it harder for those people to stay hidden.

Take, for example, someone who went into hiding after the Taliban took control, like a translator who worked with the U.S. military.

“Because of biometrics, that is not a sustainable solution. The next time he gets fingerprinted at a government office, or he wants to get a passport, or a checkpoint, it’s going to become very clear who he is,” said Wille.

The World Bank, the U.S. and the EU funded the national ID card system, known as e-Tazkira, which holds information on people’s families and where they live. Wille said these funders failed to consider what would happen if leadership changed hands.

She also pointed out that Afghanistan has no data protection law, meaning that “any guarantees that they might have received around data protection won’t necessarily hold.” Such laws should be a prerequisite for establishing systems like these, she said.

Wille stressed that international funders must consider the long term impacts of these systems and adjust to evolving security and privacy concerns to mitigate the risks.

“The approach is not centered around the person whose data is being taken,” she said.

Afghanistan isn’t the only place where these systems are being rolled out in precarious environments, potentially putting people at risk. Many of the world’s systems have failed to consider the real-life implications of their requirements, or what happens when a system malfunctions. Rohingya refugees in Bangladesh have been subject to multiple rounds of data collection, by both the UN High Commission for Refugees and the Bangladeshi government, in order to distribute aid. Some of this data has since been shared with officials in Myanmar, the very place people were fleeing from. 

Fixing biometric databases may bring little comfort to Afghans whose data is already in the hands of the Taliban. But it should serve as a cautionary tale, forcing state and intergovernmental agencies to adopt stronger principles for these kinds of systems. 

She highlighted some lessons from Afghanistan, like the importance of limiting the information collected to what’s strictly necessary. Someone’s occupation, parents’ address or uncle’s name shouldn’t be required to issue a biometric ID, said Wille.

Wille hopes that what happened in Afghanistan will elevate the global conversation about how to build biometric databases in a way that protects peoples’ information, and their rights. 

“We need much more thoughtfulness around how to ensure that if these systems are being created, that they’re being created safely,” said Wille. 

IN OTHER GLOBAL NEWS:

Social media got knocked offline amid Sri Lanka’s state of emergency. In response to massive public demonstrations condemning the ruling government for the country’s crippling economic crisis, officials banned Facebook, Instagram, WhatsApp, Twitter and YouTube on April 3. Plenty of Sri Lankans skirted the ban using VPNs, and it was lifted by the end of the day – around the same time, all 26 members of the president’s cabinet resigned.

Clearview AI plans to offer its controversial facial recognition tech to private companies like banks. The company’s CEO Hoan Ton-That told the Associated Press that the company is hoping to compete with Amazon and Microsoft by exploring how businesses can use Clearview to verify people’s identity. That’s a pivot. Back in 2020, Clearview, which is facing multiple lawsuits for its collection and use of people’s facial images without consent, pledged to end its contracts with private businesses. 

Officials in Chicago are calling for an investigation into whether Immigration and Customs Enforcement uses data brokers to get around legal protections in so-called “sanctuary cities,” where law enforcement agencies do not cooperate with federal immigration authorities. But ICE doesn’t necessarily need information from police to enable its surveillance capabilities. The agency has contracts with data brokers to buy people’s personal information, including their home addresses, vehicle registrations, credit reports, social media posts, and “hundreds of other sources.” Chicago officials are seeking to close that loophole. 

UK Prime Minister Boris Johnson encouraged Russians to use VPNs to access independent information about the war in Ukraine. “To the Russian people, look at what is being done in your name. You deserve the truth. You deserve the facts,” he wrote on Twitter. As important as that message is, it’s ironic coming from UK leadership. Earlier this year, the government launched an ad campaign against end-to-end encryption and to sway public opinion against Facebook’s plans to encrypt Messenger. 

WHAT WE’RE READING

  • This Citizen Lab report on how NSO Group continued to hack Apple phones in belonging to human rights defenders, lawyers and journalists in Jordan, even after Apple sued the Israeli spyware firm
  • This Reuters exclusive on the European Commission senior officials who were targeted with spyware built by the Israeli firm NSO group. 
  • This rundown by The Guardian on all the ways U.S. law enforcement agencies can get access to people’s data from big tech companies like Apple and Meta.
  • This WIRED article on the plans to allow police in different countries in the EU to link their facial recognition databases