Open Source Intelligence (OSINT) is Great for Catching Bad Actors; But It Can Also Be Used Against the Good Ones – You and Me

Posted on Oct 12, 2021 by Glyn Moody

Most people have heard of open source these days – after all, it has conquered every aspect of computing, with the possible exception of the desktop. But Open Source Intelligence (OSINT), the collection and analysis of information from publicly available sources, may be less familiar. It was brought to wider public attention by the Bellingcat group, which describes itself as “an independent international collective of researchers, investigators and citizen journalists using open source and social media investigation to probe a variety of subjects – from Mexican drug lords and crimes against humanity, to tracking the use of chemical weapons and conflicts worldwide.” Its name comes from the fable about a group of mice afraid of a fierce cat, who decide to put a bell around its neck to warn them of its approach. According to the founder of Bellingcat, Eliot Higgins, “We’re teaching people how to bell the cat.” Here’s how Bellingcat describes the way it carries out its OSINT investigations:

As smartphone technology has become more available, people are recording and sharing every aspect of their lives. They give away a huge amount of information, everything from their day-to-day activities to war crimes and some of the most horrific acts you can imagine. Some of that is done on purpose, and sometimes it’s just accidental or incidental. But because that’s all online, it’s all information that we can use to piece together what happened around a wide variety of events.

Using this publicly available information, Bellingcat has helped establish who shot down Malaysia Airlines flight MH17, and who poisoned the former Russian intelligence officer and MI6 double agent Sergei Skripal and his daughter. Those are obviously valuable contributions to public understanding of important events. But there is a darker side to the use of OSINT tools. After all, it is not just bad actors who post huge amounts of personal information online: we all do. This means that anyone with the right software can potentially piece together this digital jigsaw puzzle and discover a great deal about our daily lives.

The Intercept has an important article about two such tools, Kaseware and SocialNet, and the use of them by the Michigan State Police. Kaseware is a case management platform designed for law enforcement agencies. It allows surveillance data to be monitored, mapped and analyzed using a variety of tools. The platform typically holds zip codes, addresses, GPS coordinates, geotags, and satellite imagery, as well as a wide range of socio-economic data. It also allows the use of more specialized tools like SocialNet from the company ShadowDragon. SocialNet pulls in data from a large collection of public social media networks, Web sites, RSS feeds, data dumps and dark Web locations – over 120 according to The Intercept article. The basic idea of the software is summed up well as:

Bad Guys share too much information online. Use it against them.

Like most of us, criminals enjoy the benefits of online activities and social networking. SocialNet captures these digital tracks, maps against their aliases, and explores their connections in near real time to expedite your investigations and threat analysis.

There’s an interesting blog post by the founder of ShadowDragon, Daniel Clemens, in which he runs through a basic link analysis and shows how it can be used in investigations. As he puts it, it enables “the story of complex relationships to be told with a picture, which can make trends and connections more obvious.” The analysis itself is not that sophisticated: it simply finds connections between data held in many disparate sources. In practice that means treating every identifier that appears in more than one source, such as a reused handle or e-mail address, as a join between records, then walking the resulting graph outwards from the subject. Its power derives from the number and size of those sources, and from the computing power brought to bear on finding the links. That is, the success of this automated OSINT analysis, as opposed to the human kind conducted by Bellingcat, is largely a function of cheap storage and processing: the cost of ingesting and cross-referencing unprecedented amounts of data has fallen to the point where doing so routinely produces useful information.
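The kind of link analysis the paragraph above describes, and the SocialNet blurb’s “maps against their aliases”, reduced to its essentials as an added example (this is not ShadowDragon’s, Kaseware’s or The Intercept’s code): records from several sources are joined wherever they share a normalized identifier, then the graph is walked to list a subject’s aliases and to show the chain of records connecting two handles. Every source, handle, address, URL and number below is constructed for the demo. The last step shows the classic failure mode: treat a non-identifying attribute (here a password hash that thousands of accounts share) as a join key and an unrelated person gets pulled into the cluster.

```python
import re
from collections import deque

# Constructed sample records (made-up handles, addresses, numbers and URLs),
# one list per fictional source. A real tool would pull these from
# social-network APIs, scrapes, RSS feeds and data dumps.
SOURCES = {
    "forum_dump": [
        {"handle": "nightowl_77", "email": "NightOwl77@example.net"},
        {"handle": "gr4yhat", "email": "gray@example.org"},
    ],
    "microblog": [
        {"handle": "nightowl_77", "bio_link": "https://blog.example.net/~owl/"},
        {"handle": "owl_watch", "bio_link": "https://blog.example.net/~owl"},
    ],
    "paste_site": [
        {"email": "nightowl77@example.net", "phone": "+44 20 7946 0000"},
    ],
    "breach_dump": [
        # The hash is the unsalted MD5 of "password", shared by countless accounts.
        {"email": "gray@example.org", "phone": "+44 20 79460000",
         "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
        {"email": "bystander@example.com",
         "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
    ],
    "unrelated_blog": [
        {"handle": "bystander", "email": "bystander@example.com"},
    ],
}

# Attribute types allowed to join records. Anything else (password hashes,
# free text) stays on the record but never becomes an edge.
LINK_KEYS = frozenset({"handle", "email", "phone", "bio_link"})


def normalize(key, value):
    """Canonicalise a value so the same identifier written differently matches."""
    value = value.strip()
    if key == "phone":
        return re.sub(r"\D", "", value)      # digits only
    if key == "bio_link":
        return value.lower().rstrip("/")     # ignore trailing slash
    return value.lower()                      # handles, e-mail: case-fold


def build_graph(sources, link_keys=LINK_KEYS):
    """Bipartite graph of record nodes and identifier nodes.

    Two records become connected when they share a normalised identifier.
    Returns an adjacency dict {node: set(neighbours)}.
    """
    adj = {}

    def add_edge(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for src, records in sources.items():
        for i, rec in enumerate(records):
            rec_node = f"record:{src}#{i}"
            adj.setdefault(rec_node, set())
            for key, value in rec.items():
                if key in link_keys:
                    add_edge(rec_node, f"{key}:{normalize(key, value)}")
    return adj


def component(adj, seed):
    """All nodes reachable from seed (breadth-first)."""
    seen, queue = {seed}, deque([seed])
    while queue:
        for nb in adj.get(queue.popleft(), ()):
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen


def shortest_path(adj, start, goal):
    """Chain of records and identifiers joining two nodes, or None."""
    if start not in adj or goal not in adj:
        return None
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in sorted(adj[node]):
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    return None


def aliases(adj, seed):
    """Every handle in the seed's cluster: the identities it resolves to."""
    return sorted(n.split(":", 1)[1] for n in component(adj, seed)
                  if n.startswith("handle:"))


def sources_seen(adj, seed):
    """Which sources contributed a record to the seed's cluster."""
    return sorted({n.split(":", 1)[1].split("#")[0]
                   for n in component(adj, seed) if n.startswith("record:")})


if __name__ == "__main__":
    g = build_graph(SOURCES)
    print("aliases:", aliases(g, "handle:nightowl_77"))
    print("sources:", sources_seen(g, "handle:nightowl_77"))
    print("chain:", " -> ".join(shortest_path(g, "handle:nightowl_77", "handle:gr4yhat")))
    # Over-eager linking: a shared password hash drags in an unrelated account.
    loose = build_graph(SOURCES, LINK_KEYS | {"password_hash"})
    print("with hash linking:", aliases(loose, "handle:nightowl_77"))
```

Run as a script it prints the three resolved handles, the four sources they came from, and the record-by-record chain from nightowl_77 to gr4yhat (forum e-mail, paste with a phone number, breach record with the same number, second forum account). Normalization is where most of the real work lives: case differences in e-mail addresses, spacing in phone numbers and a trailing slash in a URL would otherwise each hide a link. The choice of LINK_KEYS is the other decision that matters, since any attribute that many unrelated people share turns the walk into a false-positive generator.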

It’s not a new idea. It’s precisely what Edward Snowden’s documents revealed the NSA and its UK equivalent, GCHQ, had been doing for years: traffic crossing international fibre-optic cables was intercepted in bulk, stored and then analyzed. There are even older precedents for this approach to surveillance. In 2002 the US Information Awareness Office, a DARPA unit, began work on a program called “Total Information Awareness”. It was designed to correlate information from many databases in order to spot and prevent terrorist incidents before they happened. Congress defunded it in late 2003, because of fears that it would be used to carry out large-scale surveillance of US citizens.

Since the tools are relatively straightforward conceptually, it seems likely that foreign governments have created similar systems, kept secret for obvious reasons. But these are not the only threat to privacy today. The new commercial versions like SocialNet mean that anyone anywhere who uses the Internet can be investigated by trawling through the even larger quantities of OSINT that are available today. Compared to the older systems, or those created by foreign governments, the costs are relatively moderate, and no special equipment is needed. The real problem is not that these services exist, but that we all leave such revealing data trails as we use the Internet. Avoiding that would require a massive re-design of the online world, something that seems an unlikely prospect. Until then, the best we can do is to be more circumspect in our use of the services that provide such rich raw material for OSINT analysis. Since the linking works by matching the same details across sources, that means in practice not reusing one handle or e-mail address across unrelated accounts, and stripping geotags and other metadata from photos before posting them.

Featured image by pxhere.