Why are you a Refugee? Afghans and the US Identity Database

by Professor Elspeth Guild, Queen Mary University of London and Professor Didier Bigo, Sciences-Po, Paris and Kings College London

In this blog Elspeth Guild and Didier Bigo look at how the US identity database of Afghans is already creating refugees. The Taliban has obtained access to the databases and may already have access to the US database indicating who was working for the US authorities, in what capacities, and whom those authorities considered ‘terrorists’.

One of the questions which arises constantly in the context of data protection debates and discussion in Europe is why so much protection is needed and why so much attention is given to state use of our data when we have nothing to hide.

This argument comes up again and again in political and academic discussions and it is generally premised on the idea that we have confidence in our governments to ensure that we are well protected. Accordingly, why should we not provide those governments with access to our data and allow them to use it in a wide range of areas?

Against this argument, generally the response is that responsible government is the outcome of responsible law making which protects the citizen.

In the context of data protection, the European law principle that an individual is always the custodian/owner of his or her data (a right which cannot be sold and only waived where there is specific informed consent limited to a particular task) can sometimes seem rather onerous for data processors in particular where the objective is to enhance ordinary state activities.

WHY IS THERE A NEED FOR DATA PROTECTION AND WHO SHOULD BE TAKING CARE OF IT?

Many examples are usually given of why data protection is so important and why government authorities are not always sufficiently well placed to provide satisfactory protection for our data.

Often, the relationships of states with the private sector are called into question, and the sharing of data across government departments with unexpected outcomes is brought to the fore, as are the occasional data failures or losses by government departments.

Further, although EU law requires enhanced protection of sensitive data such as biometric data, some observers question how and why this is the case. The respondents often hark back to examples from the mid-20th century, such as the misuse of population registers by Nazi governments.

For a modern audience in light of the giant transformations which have taken place in data technology, these arguments seem rather stale.

THE CASE OF AFGHANISTAN

Yet a recent and unfolding example of the issue of data protection, in particular the protection of sensitive data, has come to light in Afghanistan.

On 18 August, the on-line journal The Intercept published a particularly relevant article about the protection of biometric and other sensitive data collected and stored by the US authorities during their 20-year occupation of the state.

As the US authorities have withdrawn from Afghanistan, it has come to light that their opponents, the Taliban, have seized US military biometric devices which give the holder access to Afghans who have assisted coalition forces.

An investigative journalist, Annie Jacobsen, has written that the US military objective was to collect biometric data on 80% of the Afghan population.

Exactly what codes and references are attached to this data is unclear. However, the devices known as Handheld Interagency Identity Detection Equipment (HIIDE) automatically access large, centralised databases.

A DEVICE TO DISTINGUISH FRIEND FROM FOE

According to The Intercept, while the biometric data and the database were originally intended to track terrorists and insurgents, over time they became an everyday tool for US authorities and contractors to check the identity of Afghans working for them and entering US-controlled areas.

The devices are designed to read ID documents and tell the holder of the device the status of the individual in front of him or her.

Needless to say, Afghans who have come into contact with US authorities over the 20 years of occupation and have voluntarily or semi-voluntarily handed over their biometric data to them are anxious about the consequences of potential Taliban access to that information.

Having been characterised as a potential terrorist by the US authorities might not be such a prejudicial thing under the new Taliban regime, but to have been collaborating with the US authorities or working for them, albeit temporarily, or indeed being designated as a trusted person by the US authorities may be the equivalent of a death sentence for the individual.

A FRIGHTENING FAILURE WITH POSSIBLY DIRE CONSEQUENCES

It is unclear from the Intercept article whether the Taliban have the capacities to use the devices to access information.

Nor is it clear what steps the US authorities are taking to try to block access to this data (if possible) by devices which are unaccounted for.

However, the technical issues are apparently not insurmountable for the Taliban bearing in mind the support which they may have from neighbouring authorities.

The scenes of chaos and desperation at Kabul airport which media outlets have been providing have demonstrated just how anxious many Afghans are to be able to escape their country now that the Taliban have come back to power.

General concerns about how the Taliban will deal with Afghans who are denounced as collaborators with the US authorities and other coalition partners appear to be well founded.

The existence of a biometric database with detailed information about so much of the Afghan population, access to which appears to have fallen into the hands of the Taliban, is a frightening fact of data protection failure.

US AUTHORITIES VIS-À-VIS EU DATA PROTECTION RULES

It brings home to all of those who question the need for strict controls over data collection, use and storage what can happen in our era when access to sensitive data falls into hostile hands, albeit the hands of those who are currently in the process of forming the legitimate (they hope) government of their country.

Every data system is only as strong as its weakest link. The separation of data access (and storage) and strict limitation on access only for those purposes for which the data was originally collected seem like excellent rules in light of the Afghan experience.

Further, one of the rules of EU data protection that is often, at least ‘temporarily’, forgotten is the duty on all data controllers to erase personal data as soon as it has served its purpose, that is to say the purpose for which it was collected.

The temptation to retain data for vaguely related uses, such as training of AI tools, etc., is very great. But the rule is strict – erasure.

If the US authorities had been subject to EU data protection rules regarding the personal data of Afghans, many fewer civilians would now be concerned about their personal situation.

Photos by Andre Klimke and Joel Heard on Unsplash