More than decade ago, near Kandahar, Afghanistan, the U.S. military employed one of its Secure Electronic Enrollment Kit (SEEK II) devices for the last time. The piece of tech, a chunky black rectangle used to scan fingerprints and irises, was turned off and stowed away.
That is, until August 2022 when Matthias Marx, a German security researcher, bought the device for $US68 ($94) off of eBay (a steal, at about half the the listed price). But that’s not all. For the low, low price of less than $US70 ($97), Marx had inadvertently also purchased sensitive, identifying data on thousands of people. Names, nationalities, photos, and detailed descriptions accompanied the biometric fingerprint and iris scans of 2,632 individuals, according to a report from The New York Times.
From war zone, to government equipment auction, to eBay delivery — apparently not one Pentagon official thought to remove the memory card contained within the particular SEEK II that Marx ended up with. “The irresponsible handling of this high-risk technology is unbelievable,” the researcher told the Times. “It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online,” he added.
Most of the information contained within the SEEK II was data collected on people the U.S. military had identified as terrorists or wanted individuals, according to the Times. However, others were simply civilians who had been stopped at checkpoints in the Middle East or even those who had assisted the U.S. government. And all that info could easily be used to track someone down — making the device and accompanying data particularly dangerous if it were to end up in the wrong hands. For instance, with the Taliban who might have a vested interest in finding and punishing people who worked with U.S. forces in the region.
Department of Defence press secretary, Brig. Gen. Patrick S. Ryder told the NYT that the department couldn’t confirm the authenticity of the data nor comment on it. The device should be returned to the military, Ryder further said, and provided the Times with an address at Fort Belvoir in Virginia. The DOD did not immediately return Gizmodo’s request for comment.
Marx and his co-researchers at the Chaos Computer Club, which self-describes as Europe’s largest hacker association, purchased the SEEK II along with five other biometric capture devices — all bought from eBay. The group planned to analyse the machines for potential vulnerabilities following a 2021 report from The Intercept on the Taliban seizing such military tech.
But even though Marx had set out from the beginning to assess the risk associated with the biometric devices, he was still alarmed by the scope of what he found. In addition to the thousands identified on the single SEEK II device last used in Afghanistan, a second SEEK II purchased by CCC and last used in Jordan in 2013 held data on U.S. troops — likely collected during training, according to the Times.
Military hardware was never meant to end up for sale on “the world’s online marketplace.” Instead, the Defence Logistics Agency told NYT that these SEEK II devices should’ve been destroyed on site as soon as they fell out of use. Gizmodo reached out to the DLA with questions about how Marx’s machines could’ve fallen through the cracks, but did not immediately receive a response.
Though the exact path of the devices CCC obtained is unclear, one of the sellers told the Times that the company acquired the SEEK II at an auction of government equipment.
The listing of electronics containing personal or identifiable information violates eBay’s company policy, a spokesperson told NYT. Users listing such items are liable to face actions including permanent suspension, the company reportedly said.
Currently though, multiple identical or similar military biotech devices are still for sale on eBay. You can buy a SEEK II yourself (apparently Border Patrol surplus) for just a few hundred bucks. But act quick because interest appears to be heating up. eBay did not immediately respond to Gizmodo’s questions or request for comment.