The Taliban control systems holding sensitive biometric data that Western donor governments left behind in Afghanistan in August 2021, putting thousands of Afghans at risk, Human Rights Watch said today.
These digital identity and payroll systems contain Afghans’ personal and biometric data, including iris scans, fingerprints, photographs, occupation, home addresses, and names of relatives. The Taliban could use them to target perceived opponents, and Human Rights Watch research suggests that they may have already used the data in some cases.
“Governments and organizations that helped amass vast quantities of personal data on large numbers of Afghans may be inadvertently assisting the Taliban repression,” said Belkis Wille, senior crisis and conflict researcher at Human Rights Watch. “Data collection’s highly intrusive nature and inadequate protections could put people at heightened risk of Taliban abuse.”
Foreign governments such as the United States, and international institutions, including United Nations agencies and the World Bank, funded and in some cases built or helped to build vast systems to hold the biometric and other personal data of various groups of Afghans for official purposes. In some cases, these systems were built for the former Afghan government. In others, they were designed for foreign governments and militaries.
Afghanistan currently has no data protection law. Having such a law, even assuming it met international standards, would not have guaranteed adequate data protection, but it could have helped to ensure better practices and to reduce the potential harm to those whose data has fallen into Taliban hands.
Human Rights Watch interviewed 12 Afghans with expert knowledge of the country’s biometric systems, including 6 judges; 5 foreign privacy and human rights researchers documenting the potential impacts of the systems being accessed by the Taliban; 3 UN staff members working on Afghanistan; and 2 US military officers formerly based in Afghanistan.
A former military commander still in Afghanistan said that the Taliban detained him for 12 days in November and took his fingerprints and scanned his irises with a data-collection tool. “They told me they took my fingerprints to check if I was military and if they could confirm it, they would kill me,” he said. “I was very lucky that for some reason they did not get a match.”
Human Rights Watch examined six systems built by private companies for or with the assistance of foreign governments and international institutions:
- Afghan National Biometric System, used to issue Afghan national identity cards, known as e-Tazkira;
- US Defense Department Automated Biometric Identification System (ABIS), used to identify people whom the US believed might pose a security risk as well as those working for the US government;
- Afghan Automated Biometric Identification System (AABIS), used to identify criminals and Afghan army and police members;
- Ministry of Interior and Defense Afghan Personnel and Pay Systems (APPS) for the army and police, into which the AABIS was integrated in early 2021;
- Payroll system of the National Directorate of Security, the former state intelligence agency; and
- Payroll system of the Afghan Supreme Court.
In late 2021, several privacy rights organizations and media outlets raised their concerns about the Taliban gaining access to some of these systems, particularly the APPS and ABIS systems. Concerns about Taliban access to the other systems have received little coverage. However, information that a former government adviser shared with Human Rights Watch suggests that the Taliban may not have access to APPS.
The Taliban’s access to this data comes at a time when they are targeting individuals because of their past association with the former government, particularly members of the security forces, judges and prosecutors, and civil servants, including women working in these fields. The Taliban have also detained and abused people who have criticized their policies. Human Rights Watch in November documented the Taliban’s killing or enforced disappearance of 47 former members of the Afghan National Security Forces (ANSF) – military personnel, police, intelligence service members, and militia – between August 15 and October 31, with the UN reporting credible allegations of the killing of at least 130 security forces members or their relatives.
The Taliban have targeted journalists and threatened human rights activists, including women’s rights activists, women working in roles the Taliban believes are unsuitable for them, and people who are lesbian, gay, bisexual and transgender (LGBT).
Since the Taliban takeover on August 15, many people who believe themselves to be at risk have been in hiding and moving frequently. Taliban access to these systems may make it much harder, or impossible, for these people to remain hidden. The Taliban have also taken steps to block people from fleeing the country.
The Taliban have previously used biometric data to target people. In 2016 and 2017, journalists reported that Taliban fighters were using biometric scanners to identify and summarily execute bus passengers whom they determined were security force members. All the Afghans interviewed mentioned those incidents.
Aziz Rafiee, executive director of the Afghan Civil Society Forum, who is familiar with many of the systems and the risks posed, said, “The international community might have thought it was helping us, but instead it played with our fate and ended up creating systems more dangerous than they were helpful.”
A person familiar with the development and management of one of the systems examined, who asked to remain anonymous, said that some people who had been working for the company that maintained the system were still in Afghanistan and at risk from the Taliban. He said the Taliban had detained two senior staff members to force the company to continue supporting and maintaining the system, something it refused to do.
On August 21, Nawazuddin Haqqani, a Taliban brigade commander, reportedly told Zenger News, a US-based online media outlet, that his unit was using US-made handheld scanners to tap into Interior Ministry and other national biometric systems to gather data, including on “journalists and so-called human rights people.” “Those who were barking about having US dollars in their pockets until a few days back — they won’t be spared,” he said. “They can’t be spared, can they?”
Human Rights Watch, on February 10, 2022, wrote to the US government, European Union, International Organization for Migration, World Bank, Grand Technology Resources, Leidos, and Netlinks Inc asking what steps they took before and after August 2021 to protect Afghans’ biometric data and to alert individuals of data breaches. The International Organization for Migration replied, as well as one company, which said its response was not for publication.
Human Rights Watch also wrote to the Taliban, asking for details on which systems with Afghans’ biometric data they had access to and, if any, what they intend to do with the information. The Taliban have not replied.
Given events since August 2021, all those involved in funding and building these biometric systems, including the US government, the European Union, UN agencies, and the World Bank, should make public the kinds of data lost or potentially seized by the Taliban, the architecture of these systems, the human rights and data protection impact assessments carried out before and during the life cycle of these systems, and the steps they have taken to inform data subjects of what has happened to their data.
“Governments, international organizations, and companies should work together to help protect the people at risk because of the Taliban’s access to some of these systems,” Wille said. “They should also learn from this fiasco so that data systems are better conceived and protected in the future.”
National Biometric System
In 2010, the Afghan government began a campaign led by the Ministry of Communication and Information Technology to collect Afghans’ biometric and other personal data and issue electronic identity cards. The digital identity system is known as e-Tazkira. The system holds at a minimum a person’s name, father’s and grandfather’s name, national identity number, physical description, place of origin, place and date of birth, sex, marital status, religion, tribal links, ethnicity, first language, profession, level of education, level of literacy, and biometrics (iris scan, fingerprints, and photograph).
Ministry offices in the seven main regions of Afghanistan have computers that can access information on everyone registered from their region, but not other regions, said Rafiee, of the Afghan Civil Society Forum. In Kabul, the ministry staff with the requisite permissions can access information on anyone enrolled in the system.
A former armed forces deputy commander said that when he signed up for e-Tazkira, he listed his profession as a farmer. “Already for years we knew the Taliban could get its hands on those records,” he said. Five of the judges interviewed said that they did not say that they were judges when signing up for fear of Taliban access to personal data collected for the system. Rafiee said that while he did not sign up for e-Tazkira, he did sign up for the earlier nonelectronic version: “When I signed up for that, I didn’t tell officials I was an engineer. Instead, I said I was a student. I didn’t want to reveal my level of education and work, fearing one day this information would end up in the hands of extremists.”
Human Rights Watch asked the US government, the European Union, and the World Bank what assessments they had made about this risk and what safeguards were put in place to protect the data held in the system, but they have not provided substantive information in response. Then-President Ashraf Ghani ordered a technical review of the system in 2015, which identified various concerns relating to issues including data processing and data security, the securing of data transmission and data storage, the possibility of data loss, issues of connectivity, and the lack of robust testing of the system.
US Defense Department Automated Biometric Identification System (ABIS)
In 2004, the US Department of Defense created the Automated Biometric Identification System (ABIS), which serves as a central repository for personal data, including biometrics (iris scan, fingerprints, and photograph) collected by US military officers and other department staff of people in Afghanistan and Iraq who might pose security risks.
Among other companies involved, the Defense Department contracted Northrop Grumman, a US-based company, to build and manage the system, but the contract was taken over by Leidos, a US-based company, in 2015. The system includes those considered a US national security concern, among them detainees, people who applied to work on US military bases in Afghanistan, and Afghans working for any US-funded projects.
While the system was designed for these purposes, investigative reporter Annie Jacobsen said in her book First Platoon: A Story of Modern War in the Age of Identity Dominance that in 2020 the Pentagon had aimed to gather biometric data on 80 percent of the Afghan population. For example, the “Commander’s Guide to Biometrics in Afghanistan,” drafted by the US military for US coalition and allied forces, stated that:
[e]very person who lives within an operational area should be identified and fully biometrically enrolled with facial photos, iris scans, and all 10 fingerprints (if present). This information should be coupled with good contextual data, such as where they live, what they do, and to which tribe or clan they belong.
In her book Jacobsen stated that the longer-term goal of the military was to hand the system over to the then-Afghan government. The system contains the records of at least 2.5 million people in Afghanistan. After the Taliban’s takeover of the country, their forces were reportedly able to capture some of the machines that US military personnel used to record this data, including the Handheld Interagency Identity Detection Equipment (HIIDE), giving them access to some of the data.
Two US military personnel said that at the time of the takeover, the US military was using two generations of the HIIDE machine. The first generation had much of the collected data stored on a local internal drive. The second generation had improved internet capabilities so that less data was stored locally, but still had the profiles of people working for US projects in the area stored locally. The sources said that the local memory drives of both generations of the device could store at least several thousand profiles and that these profiles included information regarding what US agency Afghans were working for. One US military member said:
My concern is that the Taliban might have found a defector who had a HIIDE device, and the ability to use it, and as a result have access to at least the profiles stored locally on that device. It could use that to go locally door to door, to see who was working with us. Alternatively, a foreign state’s engineers might help the Taliban get access to the data in the device to download.
A former military commander currently in Afghanistan said that since the Taliban’s August takeover, he has seen Taliban forces manning checkpoints throughout the area he is living in and stopping people to check their names and faces against lists of names and photographs of former army and police. He said that in early November, Taliban forces stormed his house in the middle of the night and detained him. They held him in various locations for 12 days. During his detention, Taliban forces took his fingerprints and scanned his irises using a HIIDE device, which he was familiar with because of his time in the military and in US military training programs, though luckily they did not find a match and eventually released him.
Neither the US government nor Leidos replied substantively to a letter from Human Rights Watch regarding measures they had taken to protect the system and to alert data subjects to breaches.
Afghan Automated Biometric Identification System (AABIS)
Modeled after the ABIS and formally established in late 2009 to keep criminal suspects and Taliban members from infiltrating the army and police force, the Afghan Automated Biometric Identification System (AABIS), run by the Afghan government, holds the biometrics (iris scan, fingerprints, and photograph) of former Afghan military and police members. The system was used to cross-check the data against biometric records held by the Afghan National Detention Facility, Kabul Central Police Command, Counternarcotics Police of Afghanistan, and the US Federal Bureau of Investigation (FBI) prison enrollments from Kabul, Herat, and Kandahar. The FBI supported the creation of the system and helped with data sharing, mentoring, and training.
Whether the Taliban have access to this system is not known.
Ministry of Interior and Defense Afghan Personnel and Pay Systems (APPS)
In 2007, the United Nations Development Programme (UNDP) created a police payroll system called WEPS. It included the names of police, their father’s and grandfather’s names, rank, and banking details, but no biometric data, UNDP staff said. In February 2021, as part of a donor agreement reached in 2014, the implementation of which was delayed for many years, the Combined Security Transition Command–Afghanistan created a new integrated human resources and payroll system, APPS, that holds personal data on members of the army and police. The US Defense Department paid for the creation of APPS in 2016 and contracted Netlinks, an Afghan IT company, to manage the system and integrate AABIS biometric data (iris scan, fingerprints, and photograph).
Ministry of Interior and Defense staff said that APPS includes additional details on where individuals live, and their height, eye color, immediate and extended family members’ names and personal details, province, village, district, permanent address, current address, language, ethnicity, religion, and the names, addresses, employment, and family ties of two character witnesses who vouched for their candidacy when they applied for their jobs.
“All of this data belongs to the Afghan government, and since the Taliban is now the government, they have unfettered access to every government system,” said a UNDP staff member, who requested anonymity. The servers storing data on police were housed in the Interior Ministry, said an Afghan former NATO employee managing the system and a former police officer working with the system. Two former Afghan military officials believed the servers housing the military staff data sat in the Ministry of Defense headquarters in Kabul. Although the officials could not link to the data system, they said that the Taliban had rounded up and killed or forcibly disappeared many military officials they knew in the previous four months.
The NATO employee said:
If the Taliban gets access to these payroll systems, they will get all the information they need on Ministry of Interior, Defense, and National Security staff, including individuals’ national security status and where they are from. I am most worried about the safety of our thousands of female officers. And even if these people have made it out of the country, the Taliban might go after their families.
An unnamed former Afghan government official who worked on the biometric gathering told a journalist that the Taliban did have access to the APPS systems. However, on March 28, Human Rights Watch spoke to a former adviser to the government who said that he had spoken to technology officers from the Ministries of Interior and Defense and a senior staffer at Netlinks who all said that one week before the Taliban took control of Kabul, staff in the ministries lost access to APPS and they believed that the US government removed the servers holding the data in the systems from the country and had blocked access.
Human Rights Watch sent an inquiry to the US government and Netlinks about APPS and the extent to which the Taliban had access to the system but received no substantive responses.
Supreme Court Payroll System
The six Afghan judges interviewed included four men and two women. Three of the six are in hiding in the country. Those interviewed said that the Supreme Court has a payroll system with extensive personal data on all judges and their families including their biometrics (fingerprints, iris scans, and photographs), current addresses, and their car’s model, color, and license plate number. European Union reporting suggests that it may have helped fund the payroll system.
The judges said that they believed that the biometric data stored in the system would make it impossible for judges to hide their identities indefinitely. This was of special concern to the judges still in Afghanistan, who said they were in hiding because they feared being arrested or killed by Taliban members or criminals whom they had sentenced to prison but were released after the Taliban took control.
All six judges thought that the Taliban was using the system to try to find or arrest them or others. A judge known for her work combatting domestic violence said that the first night the Taliban took control of her city, its members stormed her home after she had already fled. Taliban members then went to her mother’s home looking for her. “How did they have the details of my mother’s home?” she asked. “She doesn’t even live with my father. Those details were only in the Supreme Court system.”
Other judges shared a screen shot of a post in early December on a Telegram group for Afghan judges about a judge in Bamiyan whom Taliban officials arrested at the local passport office after learning his occupation. The judge had been trying to renew his passport so he could leave the country. The judges said that according to the Telegram group members, the judge’s fingerprints helped the Taliban identify him as a judge.
The judges were convinced that the Taliban could access the servers housing the system, which they thought were in the Supreme Court headquarters in Kabul. One judge said that in late November, his court administrator told him that the Taliban had called him into the courthouse and ordered him to hand over his password to enter the system of criminal cases. This is separate from the system with data on judges but demonstrates the ease with which the Taliban were able to get access. One judge said that in November and December, he heard but could not confirm that gunmen killed two judges in Kabul near their homes, one of whom he knew personally.
Human Rights Watch asked the European Union whether it had funded the system but was unable to confirm that or to determine the risk assessments donors undertook or the safeguards put in place to protect the data held in the system.
National Directorate of Security Payroll System
The National Directorate of Security (NDS), the former government’s intelligence agency that was long implicated in torture and extrajudicial killings, had its own human resources and payroll systems that contain the same sensitive information on their staff, with servers housed in its Kabul headquarters. The former military commander for government security forces said that when the Taliban released him after holding him for 12 days, he discovered that they had been holding him in the local NDS office in his area.
Human Rights Watch was unable to verify whether the Taliban have been able to access the payroll systems, but an unnamed former Afghan government official cited in the New Scientist said that the Taliban had seized equipment from the NDS, adding, “It was left behind in the rush to exit. They have everything.” In his August interview, Nawazuddin Haqqani, the Taliban brigade commander, specifically mentioned the service, saying its staff would not be “let off.” The NDS was established by the US Central Intelligence Agency after 2001 and entirely funded by the US government.
Human Rights Watch sent an inquiry to the US government but was unable to determine the risk assessments donors undertook and the safeguards put in place to protect the data held in the system.
The International Covenant on Civil and Political Rights (ICCPR), to which Afghanistan is party, affirms the right to privacy in article 17, which may not be subject to arbitrary or unlawful interference. The United Nations Human Rights Committee (HRC), the international expert body that authoritatively interprets the ICCPR, has held that “any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.”
It has also stated that “gathering and holding of personal information in computers, data banks, and other devices, whether by public authorities or private individuals, must be regulated by law” and that every individual should have the right to know “what personal data is stored…and for what purposes” and “which public authorities or private individuals or bodies control or may control their files.” If a person is concerned that data has been collected or used incorrectly, they should have recourse to remedy the problematic information.
The HRC, in its General Comment No. 16 (1988) on the right to privacy, stated that governments are obligated to take effective measures to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process, and use it, and that it is never used for purposes incompatible with the ICCPR. Effective protection should include everyone’s ability to ascertain in an intelligible form, whether and, if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.
Donor governments, international organizations, companies, and the former Afghan government should not have built these potentially dangerous systems without conducting a thorough human rights and data protection impact assessment that includes a contextual analysis, an analysis of the technology to be deployed within that context, a system threat model to assess the risk and possible outcomes of system failure, and a data protection and cyber security assessment specific to the Afghanistan context.
Once they decided to proceed with the systems, they should have meaningfully engaged with data subjects to explain how their data would be used, and how they were managing and mitigating risk. They should have revisited these assessments and communications regularly, as the political and security landscape in Afghanistan evolved.
Given events since August 2021, all those involved in funding and building these biometric systems, including the US government, the European Union, UN agencies, and the World Bank, should make public:
- The kind of data that may have been lost or seized following the Taliban takeover, including data they transferred to the former Afghan government or collected on their behalf;
- The architecture of any systems used to hold biometric or other data of large populations so that those affected will have a clearer understanding of possible impacts and measures they can take to mitigate risk. This should include data flow and critical security measures such as monitoring, encryption, authentication/authorization, and wipe/destruction capability;
- The human rights and data protection impact assessments that were conducted for these systems (if any) and how these assessments were tailored to address the context and threats present in Afghanistan. This includes whether these assessments were updated to reflect the Taliban’s territorial gains over the years or whether separate analyses were conducted more broadly on the likelihood of theft or seizure of data by the Taliban;
- The steps they have taken to inform people whose data was held in the compromised systems, where doing so will not put data subjects at further risk. This includes information about the systems themselves at the time of data capture or implementation (for example a fair processing notice, consent statement, and transparency notice) and, subsequently, about any safeguards or mitigating steps they have taken for people whose biometric data may now be in the hands of the Taliban, and whether they have issued breach notifications, in line with good information handling and data protection practice. If they decide that informing data subjects would put them at further risk, they should make public how frequently they will review the decision not to inform them that their data was compromised and what further mitigating steps they are taking to protect those affected.
Given the events in Afghanistan, donors should make a commitment to develop a set of best practices in similar contexts, including procedures for the destruction of sensitive data that was collected using their funding and putting in place effective limits on the collection of data in accord with the principles of proportionality and necessity.
The United Nations High Commissioner for Refugees (UNHCR) and countries considering Afghan refugee claims should take into account the risks that Taliban control of biometric systems has created when making refugee status determinations.
Where they are supplying, building, or advising on systems and tools that may be used in conflict zones, fragile spaces, or humanitarian settings, private sector actors should ensure that their partnerships include a clear commitment to the right of privacy. Such commitments should also be reflected in the principles, scope, and undertaking of that partnership.