Skip to Main Content
Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear.
Matthias Marx, a security researcher at the Chaos Computer Club, uses a SEEK II to scan his fingerprint in Hamburg, Germany, on Dec. 21, 2022. Andreas Meichsner /The New York Times
By Kashmir Hill, John Ismay, Christopher F. Schuetze and Aaron Krolik, New York Times Service
December 27, 2022
The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing.
The device’s memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.
Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan.
The device — a relic of the vast biometric collection system the Pentagon built in the years after the Sept. 11, 2001, attacks — is a physical reminder that although the United States has moved on from the wars in Afghanistan and Iraq, the tools built to fight them and the information they held live on in ways unintended by their creators.
Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear. But the data, which offers detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands.
For those reasons, Marx would not place the information online or share it in an electronic format, but he did allow a Times reporter in Germany to see the data in person alongside him.
“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Brig. Gen. Patrick S. Ryder, the Defense Department’s press secretary, said in a statement. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”
He provided an address for the military’s biometrics program manager at Fort Belvoir in Virginia where the devices could be sent.
The biometric data on the SEEK II was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb. Around the time when the device was last used in Afghanistan, the U.S. war effort there was winding down. Osama bin Laden had been killed in Pakistan a year earlier — his identity reportedly confirmed using facial recognition technology.
One of the main concerns of military leaders at that time was a rash of shootings in which Afghan soldiers and police turned their guns on U.S. troops. They hoped that the biometric enrollment program would help identify any possible Taliban agents inside their own bases.
A 2011 “commander’s guide to biometrics in Afghanistan” described face, fingerprint and iris scans as a “relatively new” but “decisive battlefield capability” that “effectively identifies insurgents, verifies local and third-country nationals accessing our bases and facilities, and links people to events.”
The SEEK II has a tiny screen, a miniature physical keyboard and an almost comically small mouse pad. A thumbprint reader is protected by a hinged plastic lid at the bottom of the device. Like an ancient Polaroid camera, the machine unfolds to allow iris scans and to take photos. Marx used the SEEK II on himself; when he turned it off, a message popped up, asking to connect to a U.S. Special Operations Command server to upload the new “collected biometrics.”
Matthias Marx, a security researcher at the Chaos Computer Club, a European hacker association, in Hamburg, Germany, on Dec. 21, 2022. – Andreas Meichsner /The New York Times
Over the past year, Marx and a small group of researchers at the Chaos Computer Club, a European hacker association, bought six biometric capture devices on eBay, most for less than 200 euros, planning to analyze them to find any vulnerabilities or design flaws. They were motivated by concerns raised last year that the Taliban had seized such devices after the U.S. evacuation from Afghanistan. The group of researchers wanted to understand whether the Taliban could have gotten biometric data about people who had assisted the United States from the devices, putting them at risk.
Finding so much information sitting unencrypted and easily accessible shocked them.
“It was disturbing that they didn’t even try to protect the data,” Marx said, referring to the U.S. military. “They didn’t care about the risk, or they ignored the risk.”
Stewart Baker, a Washington lawyer and former national security official, said that biometric scanning was a valuable tool in war zones but that the collected data needed to be kept under control. He predicted the data breach would “make a lot of people who helped the U.S. and are still in Afghanistan really uncomfortable.”
“This should not have happened,” Baker said. “It is a disaster for the people whose data is exposed. In the worst cases, the consequences could be fatal.”
Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs, for Handheld Interagency Identity Detection Equipment — two of the SEEK II devices had sensitive data on them. The second SEEK II, with location metadata showing it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of U.S. service members.
When reached by the Times, one American whose biometric scan was found on the device confirmed that the data was likely his. He previously served as a Marine intelligence specialist and said his data, and that of any other American found on these devices, was most likely collected during a military training course. The man, who spoke on the condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked that his biometric file be deleted.
Military officials said the only reason these devices would have data on Americans would be their use during training sessions, a common practice to prepare for employing them in the field.
According to the Defense Logistics Agency, which handles the disposal of millions of dollars of excess Pentagon matériel each year, devices like the SEEK II and the HIIDE never should have made it to the open market — much less an online auction site like eBay. Instead, all biometric collection gear is supposed to be destroyed on site when no longer needed by military personnel, as are other electronic devices that once held sensitive operational information.