The data “was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb.” That was the intended role of the device. What wasn’t adequately foreseen was that these things would be going on sale as apparent surplus with the data of thousands of individuals still on the device.
Oh, and the data was unencrypted. Oh, and two of the six biometrics machines the researchers successfully purchased had their archives still intact.
The big problem the German researchers appear to have identified to the Times is that, in addition to the database of wanted individuals, other entries in the datasets are simply those of whoever the devices were used on. The records of U.S. citizens are thought to have appeared because they were scanned in training sessions; Afghan citizens may be in the database because their data was collected to check against the database of known suspects at a checkpoint, through job applications, or during other contact with the U.S. military.
In practice, that means the Taliban or other U.S.-hostile groups in Afghanistan could purchase a few of these devices and have a good chance of discovering the names of locals who collaborated with the United States during the war.
The Times wasn’t able to determine how these devices made it into the surplus market at all, much less with their memory cards intact. But the security researchers appear both baffled and peeved by the recklessness here. The machines never encrypted the data of war zone soldiers, allies, and enemies even though they were designed specifically for field operations in areas of high possible risk? And now they’re trickling out onto the open market despite military rules forbidding it?
Wonderful, just wonderful. The Times piece is worth a read, but there doesn’t seem to be any solution for this now that these machines have provably hit eBay and other sites. It seems absolutely inconceivable that military gear meant to distinguish between ally and enemy during wartime was designed with not even a hint of encryption that might protect the data if the machine was stolen or captured, but … here we are. Who can the blame even be pinned on after such a gargantuan screw-up?