Digital identity and biometric systems created in Afghanistan may now lead to data leaks, organization says
ARTICLE 19, 50 other international civil society organizations and individuals have urged international actors to safeguard or destroy databases of biometric and identity information created by foreign governments and aid agencies in Afghanistan.
There is a possibility that the information contained in these systems could be used against individuals, such as human rights defenders, journalists, and members of ethnic and religious minorities, if accessed by the Taliban, they said in a statement.
Faruq Faisel, regional director for ARTICLE 19 in South Asia, on Tuesday said: “As circumstances change, biometric and digital identity systems created to foster inclusion and security in Afghanistan may now lead to the opposite.”
The potential detrimental use of these digital systems and databases poses grave concerns and threats that international actors cannot ignore, he added.
“ARTICLE 19 urges international institutions to take immediate action to restrict and secure biometric and other digital identity databases in Afghanistan,” Faisel further said.
The statement signed by 36 organizations and 20 prominent individuals targeted the US government, World Bank, UN Agencies, humanitarian actors, and private sector suppliers that have left equipment in use in Afghanistan.
It also identified the types of systems developed over the years and reported the abduction of biometric equipment by the Taliban.
Furthermore, it included an eight-point action plan to deal with the existing systems and to prevent further risks.
The points are as follows:
>Wherever possible, immediately shut down systems and securely erase data.
>Impose a moratorium on any continued usage of biometrics in Afghanistan without prior human rights assessments that can ensure any such systems are safe, inclusive, not prone to error, and are the least intrusive means of authentication available.
>Carefully control and audit which parties have access to data of beneficiaries and staff, including checks to see patterns of access revealing efforts to surveille and profile individuals and vulnerable communities.
>Ensure there is no unrestricted access, including by suspending or disabling systems that permit access without oversight, to ensure unknown actors cannot access systems in ways that may allow them to bring individuals to harm.
>Move data off computer infrastructure physically located in Afghanistan to infrastructure outside of the influence of militants and other actors seeking to intimidate vulnerable communities and at-risk individuals.>Implement data leak protections to detect unauthorized upload or transfer of data or databases.
>Take remedial steps to inform anyone whose data has been compromised or who may be at risk, to support individuals who have been harmed by misuse of their data, and to ensure unintended access to an individual’s data does not cause further harm.
>Make public announcements of detected or known breaches of data, and provide authenticated mechanisms for individuals to verify if their personal data was included in the breach.