Privacy Activist Accidentally Buys Sensitive US Military Biometric Data on eBay

US military says devices shouldn't have been on open market in first place
By Mike L. Ford,  Newser Staff
Posted Dec 27, 2022 5:28 PM CST
Sensitive Biometric Data From Military Devices Found on eBay
In this 2012 photo provided by the U.S. Army, U.S. Army Pfc. Mark Domingo takes an Afghan man's fingerprints in the village of Dande Fariqan, in Afghanistan's Khowst Province, as part of the military's effort to gather biometric data on the residents.   (Sgt. Christopher Bonebrake/U.S. Army via AP)

For $68 plus shipping, Mathias Marx obtained the biometric data of 2,632 individuals whose identities were once captured by the US military. According to the New York Times, the German security researcher and privacy activist had no intention of obtaining such sensitive information when he ordered a used Secure Electronic Enrollment Kit (or SEEK II) on eBay. He and colleagues simply wanted to analyze the device for flaws and vulnerabilities. Case in point, they learned what happens when the memory card isn't removed. It turns out most people in the database—which includes names, nationalities, photos, fingerprints, and iris scans—are or were from Iraq and Afghanistan, where the device was last used in 2012.

"It was disturbing that they didn’t even try to protect the data," Mr. Marx said of the US military. "They didn’t care about the risk, or they ignored the risk." So-called biometric capture devices like the shoebox-sized SEEK II were important to US troops for collecting and analyzing biometric data at checkpoints and other settings where potential enemies mingled with civilians or allied troops, but an American expert reached by the Times said, "This should not have happened" and "the consequences could be fatal" even though the info is over a decade old.

Defense officials say such devices never should have hit the open market, and it’s not clear how they did. A DoD spokesperson said, "The department requests that any devices thought to contain personally identifiable information be returned for further analysis." Marx made no mention of returning anything but told the Times he plans to destroy the data once his research is complete. Marx was also featured in a Wired magazine report in July about his efforts to "reclaim his face," which, like billions of others, was "scraped from the internet" by a company called Clearview AI, which has a database and facial recognition technology that law enforcement agencies and other clients can use to help identify people of interest. (More biometrics stories.)

Get the news faster.
Tap to install our app.
X
Install the Newser News app
in two easy steps:
1. Tap in your navigation bar.
2. Tap to Add to Home Screen.

X