
Iraqi Biometric Identification System

Latest News

  • Iraq Biometric Database Could Become a "Hit List," Acknowledges Defense Dept. Program Officer. The biometrics program manager in Iraq this week expressed concern that the database containing biometrics and secret files on thousands of Iraqis could "become a hit list if it gets in the wrong hands." According to Lt. Col. Velliquette, the Iraqi system has approximately 750,000 records in its database. Earlier, EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary of Defense to warn that the system will lead to reprisals and further killings. For more information, see the transcript of "The Role of Biometric in Counterinsurgency" and blogs at Harpers and Wired. (Aug. 17)
  • Human Rights Organizations Urge US Secretary of Defense to Investigate Biometric Database of Iraqis. In a letter to Secretary of Defense Robert Gates, EPIC, Privacy International, and Human Rights Watch warn that a new system of biometric identification contravenes international privacy standards and could lead to further reprisals and killings. The groups cite the particular risk of identification requirements in regions of the world torn by ethnic and religious division. The groups also note a 2007 report from the Pentagon's Defense Science Board that said military use of biometric data raises substantial privacy concerns. For a discussion of identity systems and threats to privacy, see "Privacy and Human Rights Report 2005." See also the EPIC Biometrics page and Privacy International resources. (Jul. 27)

Overview

Since at least 2007, U.S. troops have been using mobile scanners to take fingerprints and eye scans and to record other personal data from Iraqis (and more recently, Afghans) at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. This information is being used to build an unprecedented identification database of Iraqis that is administered by the U.S. military. However, there is as yet no indication of any privacy safeguards protecting against the risk that this information will be used to fuel ethnic cleansing.

According to Gianni Magazzeni, head of the U.N. human rights office for Iraq, "People are basically killed or taken away simply because of their name, their identity or specific affiliations." Because names are associated with religious identity, many Iraqis change their names or carry fake IDs to avoid being murdered by rival sects. Numerous reports indicate that Iraqis regularly risk death if they are proven to be of a different sect than gunmen at a checkpoint. In July 2006, Shiite militiamen established a fake checkpoint and killed up to 50 Sunnis after examining their identification documents. In June 2006, Sunni gunmen dragged students from a bus, identified and separated the Sunnis from the group, and then murdered the 21 remaining Shiites.

As a 2007 report from the Pentagon's Defense Science Board has acknowledged, military use of biometric data raises substantial privacy concerns. The report also categorized as particularly invasive those mandatory systems in which the records include physiological data of citizens and employees, are collected by a public sector institution, and are held in database storage for an indefinite period. This is, however, precisely the sort of identification system now operating in Iraq. Under this system, Iraqis who refuse to release their data can be barred from markets or neighborhoods that require an ID to enter.

The massive aggregation of Iraqis' personal information creates an unprecedented human rights risk that could easily be exploited by a future government. Yet the idea of the U.S. military turning over the database system to the Iraqi government is already under discussion. In May 2007, a prominent think tank floated the possibility of a national identification program for Iraq similar to the U.S. REAL ID system. The proposal, also carried in the New York Times, would introduce biometric ID cards to Iraqis that could be read with portable machines linked to a centralized database. The proposal also envisaged Iraqi government census workers going door-to-door to catalogue residents. The program’s purported purpose would be to distinguish insurgents from lawful citizens, but the proposal admitted that the central database could also be misused for ethnic cleansing.

On June 5, 2008, President Bush issued Homeland Security Presidential Directive 24 ("HSPD-24"), which established a "framework to ensure that Federal executive departments and agencies use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric [information]." HSPD-24 states, "All agencies shall execute this directive in a lawful and appropriate manner, respecting the information privacy and other legal rights of individuals under United States law, maintaining data integrity and security, and protecting intelligence sources, methods, activities, and sensitive law enforcement information." It also called for the Attorney General to create an "action plan" for the implementation of HSPD-24, which would presumably include details on how "the information privacy and other legal rights of individuals" would be protected. However, this action plan was never released to the public.

Historical Background

Such misuse is not without precedent. In Rwanda, despite protests from non-governmental organizations several years prior to the genocide, official identification cards contained ethnic information. The classification system was a remnant from the Belgian colonial government, and was extensively used to identify victims to be killed. To have the word "Tutsi" on an identification card was a death sentence. During the Holocaust, Nazi Germany placed a "J-stamp" on the identification cards of all Jews. These stamps were followed by yellow badges that made the identification and extermination of Jews more efficient.

The pre-existing international privacy protection framework was established in response to such atrocities and to prevent human rights violations in the future. Article 12 of the Universal Declaration of Human Rights, adopted shortly after the end of World War II with the full support of the United States, recognizes privacy as a human right and enjoins unlawful or arbitrary interference with privacy, family, home and correspondence. The International Covenant on Civil and Political Rights, which both Iraq and the United States have ratified, similarly establishes privacy as a fundamental human right in Article 17. Further, the United Nations High Commissioner for Human Rights clarified that this includes personal information stored on computers and databanks, that signatories must take effective measures to ensure unauthorized parties do not access this information, and that this information is never used for purposes incompatible with the treaties. The right to privacy is derogable in times of emergency, but in the Iraqi context privacy is closely intertwined with the right to practice one's religion without reprisal, which is not a derogable right.

Fundamental Rights

Identification has always been a civil liberties issue, but it implicates the most fundamental human rights when it enters a region with civil strife. In its January 2007 report to the Human Rights Council, the Special Rapporteur of the United Nations noted that broad anti-terrorism profiling practices, particularly those that include data on ethnic origin, are prone to abuse in violation of non-discrimination and numerous other human rights norms.

In its report on biometrics, the Defense Science Board stated that the integration of privacy principles into biometric systems is critical to their success, and recommended that privacy considerations be incorporated into the design of any biometric identification system at an early stage. However, there is still no indication that such protections are built into the identification system operating in Iraq. If such protections exist, the Department of Defense should delineate what they are. If such protections do not exist, the Department of Defense must undertake strong measures to prevent unauthorized access and disclosure of Iraqis’ personal information. The Department of Defense must also develop clear guidelines regarding the future of the system, including the establishment of privacy and accountability controls if the system is to be turned over to the Iraqi government. These questions are urgent.

Resources

News Items
