The Disturbing Info Found On A Military Device Sold On eBay
You may think $68 doesn't buy you a whole lot these days, but if you make the right offer on eBay, it can land you a piece of U.S. military equipment packed with sensitive data. That's what a group of German security researchers found out when they put a "Buy it Now" offer on a Secure Electronic Enrollment Kit, which is also known as a SEEK II. The device was listed for $149.95, but the researchers ended up paying less than $70 after their offer was accepted. Despite the lowball bid, the researchers ended up receiving a lot more than they bargained for.
The device, which is one of six ex-military gadgets Matthias Marx and his team have purchased over the past year, consists of a small screen along with an extremely compact keyboard and trackpad. The SEEK II also has a thumbprint reader along with a way to take photographs and iris scans. According to the New York Times, Marx tested the device out on himself, and was greeted by a message requesting he "connect to a U.S. Special Operations Command server to upload the new collected biometrics."
However, it wasn't Marx's own biometric data that was a concern. Instead, two of the devices he and his team had acquired over the past 12 months contained sensitive information related to thousands of people in Asia and the Middle East. This could prove to be a big problem for both the American government and the individuals affected by the data breach.
What data was on the device?
Marx declined to upload the data to the internet out of fear for the safety of the individuals involved, but a New York Times reporter did view it privately and confirm its authenticity. One of the devices in Marx's possession allegedly contains the biometric data, photographs, and personal information of 2,632 people — most of whom were from Afghanistan or Iraq. While some of the people in the device's databanks may have just been civilians, many will have been working with the Coalition Forces. The New York Times' report confirmed at least one of the people whose data was on the device still works within the intelligence community.
Breaches like this could pose a major problem if that data was to fall into the wrong hands. Insurgents in Iraq and Afghanistan's Taliban governments are both likely to target individuals who are suspected to be working with, or have previously assisted, the U.S. government or its allies. While it isn't currently known how the device appeared for sale on eBay, or why it still had sensitive data on it, the U.S. military has commented on the incident.
In a statement (per The New York Times), Defense Department press secretary Brig. Gen. Patrick S. Ryder said: "Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it. The department requests that any devices thought to contain personally identifiable information be returned for further analysis." The statement came with a request to send the devices to Fort Belvoir in Virginia.
Biometric data is widely used
Biometric data is widely used to identify individuals. Among the entities currently using biometrics are numerous governments, including the United States, and several major companies. If you can unlock your phone with a thumbprint, then your device has some of your biometric data stored. Equally, the government may request things like fingerprints and photographs as a visa requirement, certain jobs, or part of the application process for things like firearms permits.
According to Scientific American, the chances of two humans sharing the same fingerprints is around one in 64 trillion. Only 114 billion or so humans have existed, so it's almost certain no two people in history have ever shared the same fingerprint pattern. This means fingerprints are a very reliable way of identifying a person. Similarly, no two individuals have the same iris pattern, so a snapshot of this can also be used as an almost foolproof identity check.
The growing use and collection of biometric data has caused plenty of controversy. Following a lawsuit in Illinois, Meta had to pay out a total of $650 million dollars to Facebook users whose biometric data was gathered without their consent. Facebook was using the data to power its suggested tags feature, and is currently fighting similar lawsuits in other states. Despite the controversies, the gathering and use of biometric data isn't going anywhere — if anything, it's likely to expand.
In addition to fingerprint, facial, and retinal scanning, other methods have been proposed in recent years. These include using a low-level radar to scan a user's heart and unlock their laptop — and a device that goes beyond fingerprints and actually reads the structure of capillaries within your finger.
Why did the Biometric Enrollment Program happen?
During the campaigns in Iraq and Afghanistan, insurgency was a major problem for U.S. forces (per The New York Times). Part of the job involved training the Iraqi and Afghan military and police forces so they could continue to do the coalition's job when western forces eventually pulled out of the country. These training problems also offered insurgents an opportunity to get close to American troops, with a loaded weapon, in an environment where the U.S. soldiers guard may be down. This resulted in several incidents where a trainee officer or soldier, who was actually an insurgent, opened fire on the troops that were training them. Biometric data offered a way to try and counteract this.
A study from Privacy International outlines how the data was gathered and used. Suspected terrorists, detainees, and people who were found in the area of a terrorist attack would have their biometrics taken and stored in a database. Iraqis and Afghans who were working with the U.S. would also have their data collected, and the database could be used to stop any suspected insurgents getting into sensitive positions.
The collection efforts also turned out to be quite wide ranging, with people randomly stopped at checkpoints also being added to the database. Privacy International came to a fairly scathing conclusion about the program, saying "The DOD's biometric program was developed and implemented without prior assessment of its human rights impact and without the safeguards necessary to prevent its abuse," while adding "Its application, while on paper justified for counter-terrorism purpose, led to indiscriminate collection and storage of biometric data of millions of people in Iraq and Afghanistan, the vast majority of whom would pose not [a] security threat."