Could biometric technology like facial recognition and fingerprint readers have prevented the September 11 attacks? The idea is a seductive one. So seductive, in fact, that it motivated a congressional hearing on the topic, held on November 14, 2001, just over two months after the attacks. As California Senator Dianne Feinstein explained in her opening remarks to the hearing on “Biometric Identifiers and the Modern Face Of Terror”:
“How could a large group of coordinated terrorists operate for more than a year in the United States without being detected and then get on four different airliners in a single morning without being stopped? The answer to this question is that we could not identify them. . . . And the biometrics technology, the state-of-the-art technology of today, really offers us a very new way to identify potential terrorists.”
In the highly-charged months after 9/11, identity was framed as a matter of national security, and biometrics was posed as the solution. Now, however, the wisdom of this program is being called into question, especially with the recent news that sensitive biometric records collected by U.S. troops may have fallen directly into the hands of the Taliban.
When the 9/11 Commission released its final report in 2004, it recommended the installation of biometric screening systems to monitor entry and exit at all U.S. borders. Today, facial recognition technology systems are in place at most major U.S. airports and will soon be able to peer through the windows of cars driving across the land borders with Canada and Mexico. Facial recognition has also been deployed beyond the policing of borders: Immigrations and Customs Enforcement (ICE) has used facial recognition to track people inside the United States and to aid in the deportation of unauthorized migrants.
This focus on using biometrics to fight the war on terror extended overseas as well. In the context of the wars in Iraq and Afghanistan, one of the U.S. military’s central tasks was to determine who was the enemy. According to former army intelligence officer William C. Buhrow, it was like looking for a needle in a haystack, since the U.S. military increasingly found itself in pursuit of nonuniformed foes who blended in with the local civilian population. In response, the U.S. Department of Defense (DOD) introduced a sweeping biometrics program in 2003, with the aim of establishing “identity dominance” and “stripping the enemy of anonymity.” In the process, the biometric data of millions of Afghan and Iraqi citizens was collected and stored in U.S. biometric databases.
From 9/11, we can trace the root of the idea that fighting terrorism is a question of identity management, and that the best way to determine a person’s identity is to build massive biometric databases. Technology developers rose to the occasion, supplying fingerprint readers, iris scanners, and database solutions—and winning billions of dollars in military contracts in the process. The justification of national security is tantamount to writing a blank check; it opens purses and removes restrictions for things that are usually subject to more protective laws.
Twenty years later, the Department of Homeland Security has compiled the second largest biometrics database in the world, which will include the faces, fingerprints, and irises of 259 million people—most of whom are not U.S. citizens—by 2022. What’s more, the legacy of 9/11 lingers in the U.S. government’s sustained focus on identity as critical to national security, a philosophy that continues to underpin its approach to border control, military operations, and domestic surveillance.
A brief history of biometrics in Afghanistan
As a particular case in point, let’s take a closer look at the Department of Defense’s Automated Biometric Identification Systems (ABIS) database, which contains the biometric data of an estimated 3 million Iraqis and more than 2.5 million Afghans. Throughout the war effort, military forces in Iraq and Afghanistan engaged in a policy of widespread data collection of nearly every person they came into contact with: suspected insurgents, enemy combatants (both dead and alive), detainees, military contractors, and applicants seeking to work on U.S. military bases or join the Afghan or Iraqi police, as well as ordinary citizens.
Biometric records were also funneled in from government personnel records, voter enrollments, recipients of microloans, military enlistments in partner countries, border checkpoints, latent fingerprints lifted from improvised explosive devices (IEDs), random sweeps at markets and bazaars, and even the compulsory registration of all “military-age males” in certain villages. Media sources from the early 2010s report people being pulled out of homes, buses, and mosques to have their fingerprints scanned and registered—leading some commentators to label this strategy a “post-9/11 dragnet.”
In a report that I recently published with the NGO Privacy International, I reviewed how the U.S. military’s biometrics strategy was rapidly developed without attention to human rights, privacy, or stipulations for data collection and storage, even according to internal assessments conducted by the U.S. Government Accountability Office. One DoD official justified the Department’s lack of adherence to its own standards by explaining it was due to an “urgent mission need for Central Command to collect and authenticate the identity of individuals.” Overall, the U.S. biometrics strategy appears to have been developed on an ad-hoc basis, flying the plane as it was being built and encouraging indiscriminate data collection along the way.
Now, the existence of the U.S. military’s biometric records has received renewed attention due to recent reports indicating that the Taliban has taken possession of equipment used by U.S. troops, which may allow them to access remote biometric databases, in addition to sensitive data stored locally on the device. Human rights activists fear that the Taliban will use this information to identify and target Afghans who assisted U.S. and NATO forces. These concerns are not unfounded. Local media sources from 2016 and 2017 reported that Taliban insurgents were stopping buses and using biometric scanners to screen passengers and identify those who had helped security forces. However, because the U.S. biometric databases do not just contain information about people who worked for U.S. and coalition forces, there’s a possibility that people who were coerced into providing their biometrics may be perceived as collaborators, regardless of whether or not they actually supported U.S. troops.
Other sources have questioned whether the biometric devices seized by the Taliban, which are known as HIIDE, will actually be able to connect to remote databases, and a DoD spokesperson has asserted that the data “is not at risk of misuse.” Regardless of whether the HIIDE devices can link up to remote databases, there exist other biometrics databases in Afghanistan that could still pose a threat and put people’s identity at risk. One such database is the Afghanistan Automated Biometric Identification System (AABIS), established in 2009 and supported by the U.S. Federal Bureau of Investigation (FBI) through training, mentorship, and data sharing. While the exact number of people who have been enrolled in AABIS is unclear, its goal was to log biometric information for 80% of the Afghan population. Some estimates peg its current size at 8.1 million entries.
The threat of too much data
The U.S. government also encouraged and funded the development of biometrics databases in other branches of the Afghan government, mostly for the administration of civil affairs, including a national ID card for voter and vehicle registration, as well as airport security, personnel management, and payroll. This shows how the same technology has been mobilized for both military purposes and more mundane government affairs. However, regardless of the rationale for its collection, biometric data can be dangerous if it’s exposed. Given that at least some of the biometrics collected by the Afghan military were handed over to the U.S. government through data sharing agreements, some might wonder how much of the United States’s support for a local biometrics program was motivated by the opportunity to scoop up even more information for its own biometrics databases.
In sum, millions of dollars of U.S. funding and material support went into the construction of local databases containing sensitive biometric and biographic information of Afghan citizens. However, it is unclear whether U.S. officials provided training on data security principles. Because these databases are stored locally within Afghanistan, they are at the greatest risk of being exploited by Taliban forces.
As early as 2007, there were warnings about what would happen if the U.S. biometrics database was exposed or breached. In an August 2007 interview, Lieutenant Colonel John W. Velliquette Jr. said in reference to the U.S. military’s biometrics data collection in Iraq, “This database, I must add, is also very sensitive, because essentially what it becomes is a hit list if it gets in the wrong hands.” Earlier that year, a coalition of privacy and human rights activists wrote a letter to members of Congress, cautioning that the military’s aggregation of biometric data “creates an unprecedented human rights risk that could easily be exploited by a future government.” In other words, the fact that the Taliban or another terrorist group could gain access to sensitive biometric data is not a surprise; it was foretold. But at that time, the general public had less knowledge about biometric identification and its associated dangers. Perhaps, in 2021, as U.S. activists fight against facial recognition at home, more people will take notice.
As we continue to reflect on the impact of the United States’s involvement in the conflicts in Iraq and Afghanistan, these databases remain. There is no end-date or requirement for deletion of these records; DoD policy simply states that it “will be stored indefinitely in support of the War on Terrorism.”
In a recent presentation, Glenn Krizay, the director of the Defense Forensics and Biometrics Agency, noted that the United States’s primary national security concern has shifted away from terrorism and toward “interstate strategic competition,” citing Russia, China, and North Korea as particular threats. Nevertheless, he continued to assert that biometrics is the key to national defense.
This is part of the legacy of 9/11. When all you have is a hammer, everything looks like a nail. Biometrics has become a blunt instrument. However, we must remember that it was a very specific set of circumstances that gave rise to the U.S. government’s broad collection of biometric data. These programs and policies, hastily designed and rapidly introduced as they were, were not inevitable. Yet, they have had long-lasting consequences, both with regards to the sensitive biometric data that continues to be held in U.S. databases and in terms of an ongoing approach to national security that prioritizes the collection of people’s biometric information over other forms of defense.
Twenty years after 9/11, what are we left with? Databases with hundreds of millions of biometric records. The use of biased facial recognition across 18 federal government agencies. Data leaks and cyber attacks. In its efforts to secure the nation, the U.S. government’s unfettered use of biometrics may in fact have exposed us to even greater risks.
Nina Dewi Toft Djanegara is a PhD candidate in the Department of Anthropology at Stanford University. Her research uses ethnographic and archival methods to to explore how computer vision is applied to “solve” political problems. In particular, her dissertation examines how surveillance technology—such as facial recognition and biometric identification—is applied to border management and law enforcement.