German researchers raise important questions and concerns about how sensitive US military equipment containing biometric data like fingerprints, iris scans, photographs, names and descriptions of over 2600 individuals, mostly from Iraq and Afghanistan, found its way to eBay.
A group of researchers called the Chaos Computer Club, led by Matthias Marx, bought six of the devices on eBay, most for under $200. They were spurred by a 2021 report from The Intercept that the Taliban had seized similar US military biometric devices. As such, they wanted to see if they contained identifying data on people who assisted the US Military that could put them at risk.
They were "shocked" by the results, according to the report. On the memory card of one device, they found the names, nationalities, photographs, fingerprints and iris scans of 2,632 people. Other metadata showed it had been used near Kandahar, Afghanistan in the summer of 2012. Another device was used in Jordan in 2013 and contained the fingerprints and iris scans of a small group of US military personnel...
One device was purchased at a military auction, and the seller said they were not aware that it contained sensitive data. The sensitive information was stored on a memory card, so the US military could have eliminated the risk by simply removing or destroying the cards before selling them.
That the researchers who bought these devices were spurred on by a report from the Intercept is particularly ironic - the Intercept just happens to be funded by billionaire eBay founder Pierre Omidyar.
These devices were used to identify insurgents, verify local and third-country nationals accessing US bases and link people to events. They also included biometric data of American military personnel, likely collected during training, according to the New York Times (paywall).
When reached by The Times, one American whose biometric scan was found on the device confirmed that the data was likely his. He previously served as a Marine intelligence specialist and said his data, and that of any other American found on these devices, was most likely collected during a military training course. The man, who spoke on the condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked that his biometric file be deleted.
The research group says it plans to delete the sensitive personal information but the individuals whose data was stored may still not be safe, since the chain of custody of the devices is not known.
It's not the first time sensitive government equipment has wound up on eBay - back in September, for example, a cybersecurity expert sounded the alarm after purchasing a Michigan voting machine on the site.
eBay's official stance is that company policy prohibits the listing of electronic devices that contain personally identifiable information; listings that violate the policy will be removed, and users may face actions up to and including a permanent suspension of their account. But as we've seen with many cases of fraud, counterfeits, price gouging, and other policy violations, what the policy pages and eBay spokespeople say and what actually happens are often very different things.