Over two decades, the United States and its allies spent hundreds of millions of dollars building databases for the Afghan people. The nobly stated goal: Promote law and order and government accountability and modernize a war-ravaged land.
But in the Taliban's lightning seizure of power, most of that digital apparatus — including biometrics for verifying identities — apparently fell into Taliban hands. Built with few data-protection safeguards, it risks becoming the high-tech jackboots of a surveillance state. As the Taliban get their governing feet, there are worries it will be used for social control and to punish perceived foes.
Putting such data to work constructively — boosting education, empowering women, battling corruption — requires democratic stability, and these systems were not architected for the prospect of defeat.
“It is a terrible irony,” said Frank Pasquale, Brooklyn Law School scholar of surveillance technologies. “It's a real object lesson in the road to hell is paved with good intentions.'”
Since Kabul fell Aug. 15, indications have emerged that government data may have been used in Taliban efforts to identify and intimidate Afghans who worked with the U.S. forces.
People are getting ominous and threatening phone calls, texts and WhatsApp messages, said Neesha Suarez, constituent services director for Rep. Seth Moulton of Massachusetts, an Iraq War veteran whose office is trying to help stranded Afghans who worked with the U.S. find a way out.
A 27-year-old U.S. contractor in Kabul told The Associated Press he and co-workers who developed a U.S.-funded database used to manage army and police payrolls got phone calls summoning them to the Defense Ministry. He is in hiding, changing his location daily, he said, asking not to be identified for his safety.
In victory, the Taliban's leaders say they are not interested in retribution. Restoring international aid and getting foreign-held assets unfrozen are a priority. There are few signs of the draconian restrictions – especially on women – they imposed when they ruled from 1996 to 2001. There are also no indications that Afghans who worked with Americans have been systematically persecuted.
Ali Karimi, a University of Pennsylvania scholar, is among Afghans unready to trust the Taliban. He worries the databases will give rigid fundamentalist theocrats, known during their insurgency for ruthlessly killing enemy collaborators, "the same capability as an average U.S. government agency when it comes to surveillance and interception.”
The Taliban are on notice that the world will be watching how they wield the data.
All Afghans — and their international partners — have an obligation together to ensure sensitive government data only be used for “development purposes” and not for policing or social control by the Taliban or to serve other governments in the region, said Nader Nadery, a peace negotiator and head of the civil service commission in the former government.
Uncertain for the moment is the fate of one of the most sensitive databases, the one used to pay soldiers and police.
The Afghan Personnel and Pay System has data on more than 700,000 security forces members dating back 40 years, said a senior security official from the fallen government. Its more than 40 data fields include birth dates, phone numbers, fathers' and grandfathers' names, fingerprints and iris and face scans, said two Afghan contractors who worked on it, speaking on condition of anonymity for fear of retribution.
Only authorized users can access that system, so if the Taliban can't find one, they can be expected to try to hack it, said the former official, who asked not to be identified for fear of the safety of relatives in Kabul. He expected Pakistan's ISI intelligence service, long the Taliban's patron, to render technical assistance. U.S. analysts expect Chinese, Russian and Iranian intelligence also to offer such services.
Originally conceived to fight payroll fraud, that system was supposed to interface eventually with a powerful database at the Defense and Interior ministries modeled on one the Pentagon created in 2004 to achieve “identity dominance” by collecting fingerprints and iris and face scans in combat areas.
But the homegrown Afghanistan Automated Biometric Identification Database grew from a tool to vet army and police recruits for loyalty to contain 8.5 million records, including on government foes and the civilian population. When Kabul fell it was being upgraded, along with a similar database in Iraq, under a $75 million contract signed in 2018.
U.S. officials say it was secured before the Taliban could access it.
Before the U.S. pullout, the entire database was erased with military-grade data-wiping software, said William Graves, chief engineer at the Pentagon's biometrics project management office. Similarly, 20 years of data collected from telecommunications and internet intercepts since 2001 by Afghanistan's intelligence agency were wiped clean, said the former Afghan security official.
Among crucial databases that remained are the Afghanistan Financial Management Information System, which held extensive details on foreign contractors, and an Economy Ministry database that compiled all international development and aid agency funding sources, the former security official said.
Then there is the data — with iris scans and fingerprints for about 9 million Afghans — controlled by the National Statistics and Information Agency. A biometric scan has been required in recent years to obtain a passport or a driver's license and to take a civil service or university entrance exam.
Western aid organizations led by the World Bank, one of the funders, praised the data's utility for empowering women, especially in registering land ownership and obtaining bank loans. The agency was working to create electronic national IDs, known as e-Tazkira, in an unfinished project somewhat modeled on India's biometrically enabled Aadhaar national ID.
“That's the treasure chest,” said a Western election assistance official, speaking on condition of anonymity so as not to jeopardize future missions.
It is unclear whether voter registration databases — records on more than 8 million Afghans — are in Taliban hands, the official said. Full printouts were made during the 2019 presidential elections, though the biometric records used then for anti-fraud voter verification were retained by the German technology provider. After 2018 parliamentary elections, 5,000 portable biometric handhelds used for verification went inexplicably missing.
Yet another database the Taliban inherit contains iris and face scans and fingerprints on 420,000 government employees — another anti-fraud measure — which Nadery oversaw as civil service commissioner. It was eventually to have been merged with the e-Tazkira database, he said.
On Aug. 3, a government website touted the digital accomplishments of President Ashraf Ghani, who would soon flee into exile, saying biometric information on “all civil servants, from every corner of the country" would allow them to them to be linked “under one umbrella” with banks and cellphone carriers for electronic payment. U.N. agencies have also collected biometrics on Afghans for food distribution and refugee tracking.
The central agglomeration of such personal data is exactly what worries the 37 digital civil liberties groups who signed an Aug. 25 letter calling for the urgent shutdown and erasure, where possible, of Afghanistan's “digital identity tool,” among other measures. The letter said authoritarian regimes have exploited such data “to target vulnerable people” and digitized, searchable databases amplify the risks. Disputes over including ethnicity and religion in the e-Tazkira database — for fear it could put digital bullseyes on minorities, as China has done in repressing its ethnic Uyghurs — delayed its creation for most of a decade.
John Woodward, a Boston University professor and former CIA officer who pioneered the Pentagon's biometric collection, is worried about intelligence agencies hostile to the United States getting access to the data troves.
“ISI (Pakistani intelligence) would be interested to know who worked for the Americans,” said Woodward, and China, Russia and Iran have their own agendas. Their agents certainly have the technical chops to break into password-protected databases.