Houssam Azzam was 17 when the US military took over his hometown of Fallujah in 2004 and detained him as part of a roundup of young men in western Iraq.
His photo, fingerprints, and iris scans were entered into a database, alongside a trove of information about him and his family, even though he said he was only ever involved in peaceful protests against the US presence.
"They were occupying forces. They violated an entire country's rights so of course they would violate an individual's human rights," he said, referring to the US retaining his biometric data.
The photo US forces snapped of the 17-year-old detainee flashed up on the screen at customs, alongside his biometrics, when Azzam, who runs a Fallujah-based NGO, travelled through Baghdad airport last year.
Harvesting the data of millions of Iraqis, like Azzam, was part of the US military's quest for "identity dominance", a term coined by John Woodward, director of the Department of Defence's Biometrics Management Office from 2003 to 2005.
The program led to the biometrics of nearly 3 million Iraqis being stored in a database in West Virginia - where they are still held 20 years later.
US military planners saw biometrics as a key tool to fight the insurgency in Iraq and keep US bases safe. Twenty years after the 2003 invasion, the program is held up as an example of how to use biometrics to tackle security threats.
But rights groups, as well as some Iraqis whose data was collected, see the biometrics program as trampling on the rights of an occupied population and setting the stage for out-of-control mass biometric collection.
"They collected as much as they could - it wasn't that they were focused on collecting biometrics on people who were a threat, they will collect as much as possible," said Jeramie Scott, a lawyer with the US-based Electronic Privacy Information Center (EPIC).
"And even though the initial reason behind collecting it has passed, they kept it all," he said.
The Department of Defence (DoD) biometric database is built to share data with various other US government agencies, including immigration and law enforcement, according to descriptions posted online and contractors who helped build the system.
A spokesperson for the DoD referred questions about biometrics work in Iraq to the Defence Forensics and Biometric Agency, which did not respond to a request for comment.
The spokesperson flagged a 2016 Department of Defence policy document, which states that "biometric collections are encouraged during all military operations and military intelligence activities where legal and appropriate."
The beginning of the Iraq war coincided with a search for biometric solutions to a range of identity and verification challenges. In 2004, the US Defence Science Board recommended the US military launch a drive for "tagging, tracking, and locating" targets in its war on terror.
"The Iraq war was the proof of concept of using biometrics for intelligence purposes," Woodward, who is now a professor at Boston University, said in a phone interview. "A lot of things lined up - it was the perfect storm."
In addition to biometrics gathered in military operations, the US hired private contractors to "enroll" millions of Iraqis in databases.
Toby Stell, a contractor from Oklahoma, traveled around Iraq between 2007 and 2013 collecting data on thousands of Iraqis and sending it more than 6,000 miles away to the Pentagon's Automated Biometric Identification System database in West Virginia.
During stints in Baghdad, Nineveh, and in Kurdistan, Stell would often work 12 hours a day, seven days a week. "There'd be hundreds of people in line," he recalled, "It was never-ending."
But Annie Jacobsen, the author of "First Platoon: A Story of Modern War in the Age of Identity Dominance", a book about the US biometric program, said much of the data collected by US troops and contractors could be incomplete, or inaccurate.
"They put together these databases literally on the fly, with almost no oversight," she said. "Now they are left with an extraordinary amount of data which they collected in such a haphazard manner."
Alongside identifying biometrics, the database could also contain biographical details, religious affiliations, and other sensitive categories, according to specifications published by the DoD.
Fingerprints and other biometric data gathered at the scenes of terror attacks, or at suspected weapons manufacturing sites were also uploaded.
In total, the DoD allocated more than $3.5 billion to build up "combat biometrics," between 2004 and 2012, Jacobsen wrote in her book.
Iraqis who wanted jobs on US bases, or to access sensitive areas such as Baghdad's Green Zone, had to enroll in biometric databases.
Stell recalls enrolling people from all walks of life - from cleaners and cooks, to senior government officials.
According to Katja Jacobsen, a senior researcher at the University of Copenhagen, the biometric rollout in Iraq helped give birth to "the whole idea that if we can only identify who people are, we will be safer," she said.
A 2017 US Government Accountability Office report said biometric data had aided in the capture or killing of 1,700 targets during the preceding decade, and stopped 92,000 people from gaining access to military bases in Iraq and Afghanistan.
"The US military needed to know when it brought someone into custody if they had encountered that person before," explained Woodward. "It saved lives."
The Pentagon did not provide updated figures.
'UNPRECEDENTED RIGHTS RISK'
From the beginning, rights groups raised concerns about the US biometrics program in Iraq - both over the coercive conditions in which they say the data was obtained, and the potential for abuse.
In 2007, EPIC, Human Rights Watch, and Privacy International wrote to the Pentagon warning that the "the massive aggregation of secret files on Iraqis, linked to permanent biometric identifiers, creates an unprecedented human rights risk."
The groups asked what safeguards were in place to ensure the information was not abused - and how long the US planned to store it. Scott said EPIC had no record of receiving a response, but a 2005 DoD policy document stated biometrics would be stored "indefinitely in support of the War on Terrorism."
In 2004, the US started a parallel database for the Iraqi government.
"They wanted to give the Iraqis the same capabilities that the FBI has to do background checks," recalled Alex Kilpatrick, a former vice president with tech and consulting firm Ideal Innovations, who worked on biometrics with the Iraqi government.
Although the database was eventually used to screen applicants to the Iraqi police and digitized fingerprints from 280,000 criminal records, the Iraqis were never able to run it entirely on their own, he said.
The Iraqi Interior Ministry did not respond to a request for comment.
As recently as 2022, the US Department of Defence was seeking contractors to help the Iraqi interior ministry maintain its biometric databases, according to procurement records.
Some Iraqis who had to turn over their data think the US went too far.
"It is at the same time a violation of personal freedoms and Iraq's sovereignty," said Salam Khalid, 38, who was forced to have his biometric data taken by US forces to enter his home city of Fallujah in 2005.
Now, he is calling on the US to either hand over the data to Iraq or destroy it.
"Before they had a justification for this. They controlled the area, and they were enforcing their control," he said. "Now, they left Iraq officially and formally. They have no justification to keep our data."