
Identifying Criminals in the Faceless World of Social Media


The massive, ever-growing role of social networks in human communication comes with a unique set of hazards. In particular, the layer of concealment provided by online contact can easily be abused by bad actors who either choose to remain unidentified entirely or who intentionally misrepresent themselves to others. Anonymity is too often used by criminals for anything from hate speech and harassment to drug dealing or planned violence. Using a false identity may be a precursor to exploiting people, especially children and the elderly.

Unmasking hidden digital identities is a common requirement for law enforcement agencies (LEAs), even as developments in 5G networks and pervasive encryption continue to make that task harder. As a result, the clues to a suspect’s identity may be small and scattered, elevating the roles of location and metadata in lawful intelligence.

Human and Technology Factors in Identity Deception

Fundamentally, bad actors can obscure their identities by hiding their tracks using technology and dishonesty. Technology-enabled approaches that make use of privacy and security technologies can vary dramatically in their effectiveness. For example, users can hide their IP addresses using different browsers, proxy servers, or even public Wi-Fi. Any of these approaches may be effective, although all are subject to limitations that range from improper setup to compromise by eavesdropping.

With VPNs widely available, sophisticated parties may simply use a VPN tunnel across international boundaries to make posts appear to have been made from abroad. The need to involve foreign governments with differing privacy and lawful intercept statutes can make it difficult or even impossible for an LEA to identify the source’s IP address. That complexity increases further if there are multiple international hops or if one or more of the governments involved is hostile or uncooperative. At the same time, the relative complexity of using technology measures such as these to obscure one’s identity helps limit the extent of their use and effectiveness.

While some countries mandate social media profiles be tagged to national IDs, in most parts of the world, it is far more common for threat actors to simply create social media profiles that don’t include their true identities. In these cases, the person creating the profile commonly overestimates the level of anonymity they have achieved. They may believe that they are hidden from view even as they post from their phones or home IP addresses, providing clear connections for law enforcement between their online interactions and real-world identities. Pictures and videos posted to social media also tend to reveal more information than account users recognize, such as revealing physical locations with attached metadata and visual cues or identifying individuals using facial recognition.

Correlating Multimodal Data to Identify Commonalities and Patterns

Basing an investigation on metadata and other bits of digital evidence creates the interrelated challenges of gathering all relevant data and effectively analyzing that data to draw meaning from it. SS8’s Intellego XT lawful intelligence platform enables LEAs to correlate multiple data sources across wireline, wireless, and broadband IP networks. That data fusion and analysis function enables investigators to find patterns, trends, and connections that tie various parts of an individual’s digital footprint together.

The sheer scale of open-source intelligence (OSINT) provides endless potential for raw data to fuel such investigations, harnessed and made useful by Intellego XT. Sources as diverse as public social media content and surveillance video may help establish an individual of interest’s digital identity. Intellego XT applies semantic logic to correlate these sources and identify relevant data using keys based on text, images, or other factors, incorporating it into the broader analysis. The platform algorithms incorporate both OSINT and lawful intercept data handed over by SS8’s Xcipio mediation platform.

While individuals of interest may presume that their physical locations are hidden in social media interactions, it is often possible to link location information with other aspects of their digital footprint. Location may be interpreted from OSINT, including highly visible evidence such as posted incriminating video or even publicly livestreamed crimes in progress. It may also be obtained by lawful intercept, such as in the form of GPS, mobile cell, or Wi-Fi information. Once investigators obtain geolocation data for an individual of interest, MetaHub can help them find the relevant CCTV videos (one of the common types of unstructured data that MetaHub supports) for the given time and location.

Correlating data from all these sources reveals patterns and relationships that form a composite whole, ultimately placing enough context around an anonymous social media profile to reveal the owner’s identity and hold them responsible for illegal online activity.

Applying Timing Analysis to Patterns

A common approach to identifying an individual of interest is by finding factors in common among multiple data sets. For instance, if we know that a number of interest fits the criteria of being a positive integer less than 10, an even number, and a multiple of three, the number must be six. All three of the criteria must be known to identify the number of interest, and the answer is certain. Similarly, combining fragments of information about a social media profile can logically establish the owner’s identity or at least a valid hypothesis.

More tangibly, consider a simple case of timing analysis, where a profile of interest posts information to social media at a particular time on a given day. An LEA could hypothetically examine network activity to identify the list of IP addresses that connected to the relevant social media platform at that time. Repeating the same approach for additional posts would yield additional lists, and a single unique IP address that appears on all of the lists would reveal a definite correlation between it and the profile of interest.

All analyses have limitations; this one is limited both because the IP address may be hidden as discussed above and because a single profile may post from a variety of IP addresses. To counter the limitations of any single analysis, SS8 continues to innovate with its platforms to combine many approaches using robust interception, mediation, data fusion, and intelligence to trace and reveal the connections between online identities and the people responsible for them.
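The timing analysis described above, as an added example that is not SS8's code or part of the original post: it builds one candidate list per post from constructed connection records, intersects the lists, and, going beyond the text, ranks addresses by the share of posts they match so that a profile posting from more than one address does not empty the result. The record layout, the two-minute window, and the 0.6 threshold are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def at(day, hh, mm, ss=0):
    return datetime(2024, 3, day, hh, mm, ss)

# Constructed sample data: times at which the profile of interest posted.
POSTS = [at(1, 21, 14), at(3, 7, 2), at(6, 23, 40), at(8, 12, 30)]

# Constructed connection records (time, source IP) to the platform.
# Addresses come from the reserved documentation ranges.
CONNECTIONS = [
    (at(1, 21, 13, 30), "198.51.100.7"), (at(1, 21, 14, 45), "192.0.2.10"),
    (at(1, 21, 14, 10), "203.0.113.9"),
    (at(3, 7, 1, 0), "198.51.100.7"), (at(3, 7, 2, 20), "192.0.2.10"),
    (at(3, 7, 7, 0), "203.0.113.9"),  # five minutes late: outside the window
    (at(6, 23, 40, 15), "198.51.100.7"), (at(6, 23, 39, 20), "192.0.2.77"),
    (at(8, 12, 29, 40), "203.0.113.50"), (at(8, 12, 30, 30), "192.0.2.77"),
]

def candidates_per_post(posts, connections, window=timedelta(minutes=2)):
    """One set per post: every IP seen connecting within +/- window of it."""
    return [{ip for ts, ip in connections if abs(ts - p) <= window}
            for p in posts]

def strict_intersection(lists):
    """The text's method: addresses that appear on every list."""
    return set.intersection(*lists) if lists else set()

def rank_candidates(lists, min_fraction=0.6):
    """Tolerant variant: addresses matching at least min_fraction of posts."""
    counts = Counter(ip for s in lists for ip in s)
    n = len(lists)
    ranked = [(ip, c / n) for ip, c in counts.items() if c / n >= min_fraction]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    lists = candidates_per_post(POSTS, CONNECTIONS)
    print("first three posts:", strict_intersection(lists[:3]))
    print("all four posts:   ", strict_intersection(lists))
    print("ranked:           ", rank_candidates(lists))
```

The fourth constructed post is made from a different address, so the strict intersection comes back empty while the ranked variant still surfaces the address seen at three of the four posts.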


Even as encryption standards have never been more stringent, forward-thinking LEAs are leveraging intelligence platforms to uncover valuable data and patterns with which to identify persons of interest.

Learn more about providing your law enforcement agency with actionable intelligence into subjects of interest, by visiting the SS8 website.

About Dr. Cemal Dikmen


As SS8’s CTO, Cemal plays an integral role in the company’s strategic direction, development, and future growth. A renowned expert and thought leader in the legal compliance and communications analysis domain, he has been a frequent speaker at various industry conferences over the past 10 years. Cemal holds BS, MS, and PhD degrees in Electrical Engineering. You can learn more about Cemal on his LinkedIn profile by clicking here.


About SS8 Networks

SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies. Xcipio® is already proven to meet the very high demands of 5G and provides the ability to transcode (convert) between lawful intercept handover versions and standard families. Intellego® XT is a monitoring center that includes MetaHub, a best-in-class data analytics tool for intercepted, 3rd party and location data. Both product portfolios are used worldwide for the capture, analysis, and delivery of data for the purposes of criminal investigations.
