According to Jacobsen’s book, AABIS aimed to cover 80% of the Afghan population by 2012, or roughly 25 million people. While there is no publicly available information on just how many records this database now contains, and neither the contractor managing the database nor officials from the US Defense Department have responded to requests for comment, one unconfirmed figure from the LinkedIn profile of its US-based program manager puts it at 8.1 million records.
AABIS was widely used in a variety of ways by the previous Afghan government. Applications for government jobs and roles at most projects required a biometric check from the MOI system to ensure that applicants had no criminal or terrorist background. Biometric checks were also required for passport, national ID, and driver’s license applications, as well as registrations for the country’s college entrance exam.
Another database, slightly smaller than AABIS, was connected to the “e-tazkira,” the country’s electronic national ID card. By the time the government fell, it had roughly 6.2 million applications in process, according to the National Statistics and Information Authority, though it is unclear how many applicants had already submitted biometric data.
Biometrics were also used—or at least publicized—by other government departments. The Independent Election Commission used biometric scanners in an attempt to prevent voter fraud during the 2019 parliamentary elections, with questionable results. In 2020, the Ministry of Commerce and Industries announced that it would collect biometrics from those who were registering new businesses.
Despite the plethora of systems, they were never fully connected to each other. An August 2019 audit by the US found that despite the $38 million spent to date, APPS had not met many of its aims: biometrics still weren’t integrated directly into its personnel files, but were just linked by the unique biometric number. Nor did the system connect directly to other Afghan government computer systems, like that of the Ministry of Finance, which sent out the salaries. APPS also still relied on manual data-entry processes, said the audit, which allowed room for human error or manipulation.
A global issue
Afghanistan is not the only country to embrace biometrics. Many countries are concerned about so-called “ghost beneficiaries”—fake identities that are used to illegally collect salaries or other funds. Preventing such fraud is a common justification for biometric systems, says Amba Kak, the director of global policy and programs at the AI Now Institute and a legal expert on biometric systems.
“It’s really easy to paint this [APPS] as exceptional,” says Kak, who co-edited a book on global biometric policies. It “seems to have a lot of continuity with global experiences” around biometrics.
It’s widely recognized that having legal identification documents is a right, but “conflating biometric ID as the only efficient means for legal identification,” she says, is “flawed and a little dangerous.”
Kak questions whether biometrics—rather than policy fixes—are the right solution to fraud, and adds that they are often “not evidence-based.”
But driven largely by US military objectives and international funding, Afghanistan’s rollout of such technologies has been aggressive. Even if APPS and other databases had not yet achieved the level of function they were intended to, they still contain many terabytes of data on Afghan citizens that the Taliban can mine.
“Identity dominance”—but by whom?
The growing alarm over the biometric devices and databases left behind, and the reams of other data about ordinary life in Afghanistan, has not stopped the collection of people’s sensitive data in the two weeks between the Taliban’s entry into Kabul and the official withdrawal of American forces.
This time, the data is being collected mostly by well-intentioned volunteers in unsecured Google forms and spreadsheets, highlighting either that the lessons on data security have not yet been learned—or that they must be relearned by every group involved.
Singh says the issue of what happens to data during conflicts or governmental collapse needs to be given more attention. “We don’t take it seriously,” he says. “But we should, especially in these war-torn areas where information can be used to create a lot of havoc.”
Kak, the biometrics law researcher, suggests that perhaps the best way to protect sensitive data would be if “these kinds of [data] infrastructures … weren’t built in the first place.”
For Jacobsen, the author and journalist, it is ironic that the Department of Defense’s obsession with using data to establish identity might actually help the Taliban achieve its own version of identity dominance. “That would be the fear of what the Taliban is doing,” she says.
Ultimately, some experts say the fact that Afghan government databases were not very interoperable may actually be a saving grace if the Taliban do try to use the data. “I suspect that the APPS still doesn’t work that well, which is probably a good thing in light of recent events,” said Dan Grazier, a veteran who works at watchdog group the Project on Government Oversight, by email.
But for those connected to the APPS database, who may now find themselves or their family members hunted by the Taliban, it’s less irony and more betrayal.
“The Afghan military trusted their international partners, including and led by the US, to build a system like this,” says one of the individuals familiar with the system. “And now that database is going to be used as the [new] government’s weapon.”
This article has been updated with comment from the Department of Defense. In a previous version of this article, one source indicated that there was no deletion or data retention policy; he has since clarified that he was not aware of such a policy. The story has been updated to reflect this.