How to improve security of biometric data

The international community has many concerns when it comes to the security and safety of people in Afghanistan. One of the main concerns for the privacy and security community, especially the ones who devote their knowledge and expertise to defending human rights online, is the existence of a biometric system that contains the personal information of millions of Afghans.

This system contains millions of fingerprints, iris scans and face photos of Afghan people who had their biometric data collected by US and coalition forces. The system was built more than 15 years ago to facilitate tracking and quickly identifying people for variety of purposes, from distributing e-vouchers by the World Food Programme to maintaining an electronic national identity card system.

Different from a password or an identification card, any collected biometric data, like fingerprints or iris scans, is much harder to forge, making it a reliable way to positively identify individuals. But that also means that it's harder to change it in the event of data being exposed or compromised. One can change their password or an ID card, but one cannot change their fingerprint or iris. Biometric data is as unique as a person, and the privacy and security measures thus have to be evaluated accordingly when developing and implementing biometric systems.

Many human rights and civil society groups have called for more security measures from the beginning of the development of this biometric system. They have expressed concerns that if proper security measures were not implemented, the system might introduce more harm long-term than help. They also demanded for plans to erase and delete all biometric data in case of emergencies like a change in government and ability to inform anyone whose data was exposed or compromised. It is currently unclear what data could be at risk.

A broader challenge is that if security challenges are not adequately addressed and emergency plans are not put in place when developing digital identity systems, confidence in the digital identity ecosystem could be dented, which could prevent its full potential value being unlocked.

To avoid situations where biometric data could be exposed or compromised, a close cooperation between government, the private sector and civil society needs to be established. When developing digital identity ecosystems, nations face new cybersecurity challenges to ensure data confidentiality, integrity and availability on an ongoing basis. That is where different actors bring various perspectives that have to be considered and evaluated to prevent any potential harm and damage caused by a misuse, exploit or hack of the system.

Managing cyber risk is already a major leadership challenge in public and private sectors. The risks associated with cyberthreats are often opaque, and it is difficult to calibrate the right nature and scale of investment in cybersecurity. Global leaders must think of potential harm caused by misuse or exploit of technology and ensure the measures are in place to use these technologies for good and include a variety of voices when developing them.