Turning social into intelligence

by Mark Rowe

In the February 2018 print issue of Professional Security magazine we feature OSINT – Open Source INTelligence. Here Albert James Galloni takes up the topic.

Social media has been under almost constant scrutiny in recent times. From its role in the dissemination of so-called ‘Fake News’ to allegations of manipulation by external threat actors, much has been said and written about it, to varying degrees of accuracy. What is still little understood, and often used in a patchy fashion in the commercial world, is the discipline of using Social Media for Intelligence purposes: SOCMINT.

From a technical perspective, SOCial Media INTelligence (SOCMINT) is a niche subset of OSINT, the ubiquitous intelligence discipline driven by ‘Open Source’, unrestricted-access information. It is also a relatively new discipline. Facebook itself didn’t exist until 2004 and didn’t quite achieve global status until circa 2006-7, remaining focused on a comparatively narrow local and small network output for some time after that. Although the Internet arguably became a household essential in the early 2000s, so-called Web 2.0 (a catch-all term describing user-generated content, from blogs to the proliferation of user-created YouTube videos, to use only two examples) only recently achieved the level of penetration we are accustomed to.

Yet SOCMINT, with its applications for Security but also Investigations, Due Diligence and Threat Assessment, is still a largely untapped source of actionable knowledge. These are the optics this article will use to briefly present the benefits of carefully analysed and curated SOCMINT.

Security and threat assessment

From July 27 to 29, 2017, flashpoint riots broke out in Dalston, east London. The riots were significantly smaller in scale than the 2011 riots, yet disruptive enough to effectively close off a not insignificant area in the capital, close to the City and packed with an early Nighttime Economy crowd; they received very little immediate attention in the mainstream media. Yet, within moments of an initial flashpoint, two media in particular (Twitter and Snapchat) were alive with user-generated content from the area, in keeping with a flurry of similar activity from the previous days.

The content (video, still imagery and written content) was sufficient, even in its scarcity, to identify (broadly) the number of active participants, the type of weaponry used and the likely movements, given the simultaneous visibility of the police presence and their tactics. What is of particular interest is how subsequent feeds and interactions between users also indicated another valuable piece of intelligence: demonstrators widely disagreed with each other on the merits but also the tactics of the protest.

Another particularly pertinent example, illustrating the value of SOCMINT but also its inherent risks and why analyst-driven SOCMINT is a necessity, took place at rush hour on October 7 at Euston railway station, again in London.

A minor incident – an electric appliance catching fire in a rucksack on a platform – caused momentary panic and a sudden rush away from the platforms. Social Media was almost immediately alive with ‘reports’ of a rapidly increasing emergency services presence (accurate – and standard protocol given the initial reports and the heightened threat level) amplified by ostensibly ‘news’ accounts rapidly sharing and giving traction to more lurid – and unconfirmed – reports of gunfire and explosions.

By the time the official communication channels used by the Metropolitan Police had confirmed that the ‘incident’ was stood down and no terrorist element played any part in it, the ‘noise’ presented to the casual observer indicated the exact opposite.

Which is why it’s essential for analysts with the ability to cut through the noise to be handling SOCMINT. It is also essential to prepare a strategy which identifies the amplifiers of inaccuracies and mitigates their effect. All this whilst being cognisant of the fact that sometimes the very idea that someone may be manipulating reality – when in fact they are not, or their reach is significantly smaller – is the most powerful effect in the hands of a weak adversary determined to create an impression of relevance that just isn’t there in real life.

The concept of manufacturing a ‘Strategy of Tension’ which encourages reaction and polarisation is nothing new. And the new social environment based on the instantaneous sharing of information prior to validation and the instantaneous effect on emotions is a particularly insidious feature.

Investigations

One of the most widespread criticisms of the use of SOCMINT is that user-generated content is intrinsically liable to inaccuracies and also liable to be ‘filtered’ through the user’s own objectives. This is undoubtedly true, but consider this: which ‘side of the story’ is most likely to assist an investigator in identifying, for instance, a criminal looking to evade asset tracing and recovery? A statement of assets and liabilities provided by the subject of the investigation purporting zero assets, or SOCMINT-harvested evidence of the same individual controlling valuable assets?

Equally, the likelihood of two individuals claiming to be unknown to each other being linked on one or more social media platforms is suitably small. Not to mention the same email used for setting up and managing multiple accounts or interactions with extremist content. Or, especially in the context of a discovery exercise focused on the long term, multiple platforms accessed through the same username.

There is also the – not insignificant – benefit brought about by the ability to identify networks and movement through social ‘shares’ and interactions. This, in turn, enables analysts to develop a wider knowledge base and intelligence database that can be exploited in future.

Next?

Although – under pressure from governments – social media giants are now ostensibly taking steps to curate the content presented through their platforms more critically, it is mostly fair to say that the impact of Social Media on the way we all interact is likely to have an on-going if not permanent effect. From an Intelligence perspective, this opens up a whole new world of readily-available, often emotion-driven information, frequently disseminated by individuals with scant regard for their personal security and privacy. The challenge for the Analyst is to cut through the noise, identify the accurate and present it so that it can be acted upon. But also potentially to exploit this environment to solicit further information and penetrate networks, from intelligence gathering to ‘Hashtag Poisoning’. As well as singling out the inaccurate and potentially running a tactical exercise in the containment of inaccuracies and counter-attack.

Much has been said in the military world about ‘multi-domain’ fields of operation fully including the virtual / cyber space. It is time for the commercial world to understand this applies to them. Before a co-ordinated event damages a reputation or a physical incident that could’ve been foreseen impacts them.

About the author

Albert James Galloni is an Analyst (operating in OSINT, SOCMINT and FININT) and Director of Interoperable Services Limited, a British Private Intelligence Company specialising in the provision of holistic intelligence-driven effects which include uses for Security and Defence. More at www.interoperableservices.co.uk.

Photo by Mark Rowe; front of Euston station.