Concerns about sensitive data falling into the hands of the Taliban after they took control of Afghanistan have rekindled a debate among privacy experts on the ethics of data collection by aid agencies and multilateral institutions.
As the insurgents moved into the capital, Kabul, on Sunday, residents fretted that biometric databases maintained by aid agencies and security forces could be used to track and target them.
Privacy experts have long warned that United Nations and development agencies’ collection of biometric data and mandating of digital identity cards heightens risks to refugees and other vulnerable groups.
“Not enough care is taken by multilateral and development aid agencies to understand the local context – who can use the data, and if it can be used to perpetuate inequities and discrimination,” said Raman Jit Singh Chima of digital rights group Access Now.
“In Afghanistan’s case it’s particularly shocking, as these agencies knew the troubled history of the country, and should have prepared for a worst-case scenario with lessons learned in Myanmar and elsewhere,” said Chima, a regional policy director.
The Taliban have seized U.S. military biometrics devices that contained data such as iris scans and fingerprints, and biographical information that could help identify Afghans “who assisted coalition forces”, The Intercept reported this week.
Even the national digital ID, the tazkira, championed by the World Bank since 2018 and required to access public services and jobs and to vote, can expose vulnerable ethnic groups, Chima told the Thomson Reuters Foundation.
The World Bank has defended the ID, saying “development progress is not possible when a large share of the population does not officially ‘exist’. Therefore, providing legal identity for all is critical for development”.
The U.N. refugee agency (UNHCR) was quick to embrace biometric technology, first testing an iris-recognition system among Afghan refugees in the Pakistani city of Peshawar in 2002.
The system – usually retinal scanning and fingerprints – was rolled out in several other countries, and used in UNHCR’s response to the Syrian refugee crisis.
The UNHCR has said biometric registration enables more accurate counts and identification of refugees, ensures more efficient registration and aid delivery, and helps prevent fraud.
But critics point to technical challenges, such as spotty connectivity and false facial recognition matches, and say biometric refugee registers can be misused by host nations who demand access on security grounds and by unauthorised users.
There is a risk of “sensitive biometric refugee data being shared with, and used by donor states in a manner other than one which advances humanitarian aims,” said Katja Lindskov Jacobsen, a security researcher at the University of Copenhagen.
“Amid good intentions, the use of biometric technology in humanitarian refugee management may entail various risks for refugee populations,” with their data being accessible without their knowledge or consent, she said.
In June, Human Rights Watch said the UNHCR had shared information on Rohingya refugees without their consent with host country Bangladesh, which shared it with Myanmar – the country they had fled – to verify people for possible repatriation.
The rights group said UNHCR’s data collection practices “were contrary to the agency’s own policies and exposed refugees to further risk”.
In response, UNHCR said in a statement that “specific measures were taken to mitigate potential risks” in sharing data and that refugees were “expressly asked whether they gave their consent to have their data shared” with the two governments.
Privacy experts have also long questioned the impacts of collecting biometric data for so-called counter-terrorism programmes from Somalia to Palestine, as mandated by the U.N. security council.
The United States introduced biometric systems in Iraq and Afghanistan to distinguish insurgents from civilians “without prior assessment of its human rights impact and without the safeguards necessary to prevent its abuse,” Privacy International said in May.
As panicked Kabul residents attempted to flee this week, the Taliban said they would not seek retribution against former soldiers and government officials, or contractors and translators who worked for international forces.
Nevertheless, aid agencies and government authorities must carefully monitor identity or database systems and hide or curtail access to them immediately, said Chima.
Fears that the Taliban could use these data to target activists or people from the previous government highlights the need for an urgent conversation on the use of biometric tech in counter-terrorism or for border control, rights activists say.
“Marginalised and vulnerable groups are disproportionately at risk, especially racial, ethnic and religious minorities, refugees and migrants, and those living in conflict zones,” said Marlena Wisniak, of the European Center for Not-for-Profit Law.
“Unfortunately, these negative impacts are not yet fully recognised nor addressed,” said Wisniak, a senior legal consultant.