In the fields of intelligence and military investigation, the use of the O.S.INT discipline for open source analysis has grown steadily over the years. Inside this framework, cyber intelligence has seen the development of a new area, the SOC.M.INT.
SOCial Media INTelligence is about socially produced content, and the tools that allow the creation and publishing of that data.
While already present for quite some time, it is used progressively more in a number of different crime-fighting and crime prevention scenarios. This investigative approach is based on the gathering of information useful for the intelligence cycle through monitoring and analysis of social media content.
Too much data from too many sources could generate misleading results: analytic and investigative skills are essential and effective to produce results when and how we need. Technology is a powerful tool, but it is always a tool.
An important, preliminary distinction to make is the one between social network and social media. The two phrases should not be confused, since social network are just a fraction of the larger world of social media, made also by blogs, forums, social websites, audio/video content, chats, livecasting, virtual words, etc. All those applications share the goal to facilitate the creation and development of social relations and conversations. That is why social networks are the primary, but not exclusive, source of SOC.M.INT. There is a social media channel tailor-made for any need: Twitter for short, rapid exchanges; Facebook to share emotions and thoughts; Foursquare to show locations; Instagram for pictures; Youtube for videos; LinkedIn for the professional life; Last Fm for audios; Badoo and Meetic for personal relationships, and many more (Pinterest, Google Plus, etc).
The social nature of Facebook, Twitter and other platforms make the sharing of psychological states, political opinions, religious beliefs, social circles, tastes, economic conditions easier and more effective. Exploiting this information allows detectives to find data not available on institutional databases or through usual activities.
The use of social media is so widespread that everybody leaves a detectable “web fingertip”, which increases the likelihood of finding some evidence. It is essential to dig through several channels, not just one social network: collecting sources, crossing data and taking specific information from each social network is the core of SOC.M.INT. The features of social media to remember are: property (high level of pertinence), immediacy, accessibility (easy and basic usage), volatility (hard to recover deleted posts). They also promote dialogue, interaction and transparency, amplify voices and actions and provide a very immersive environment. A capable detective keeps all these in mind to limit the investigative object, creating a priority list for the purpose and adjusting the tools for different nations, age, culture and interests of the person, group or company. Then results from different SOC.M.INT. channels should be crossed, and finally this refined report should be put together with the output from other institutional investigative tools, in order to get as wide an assessment as possible.
A key element of social media is the presence of news regarding the composition and behaviour of some subjects or groups, making possible to analyse the “social web” from a dynamic and historic perspective. Usually the results of SOC.M.INT. are accompanied by the SNA (Social Network Analysis), which focuses on the crucial nodes in the social web. The technique analyses the structures, functions and content of social webs, and has seen its usage increased in dealing with investigations into organised crime. The predictive power and capability to prevent crime depends on the centrality of the subject in the net, which translates in the ability to connect otherwise separated people.
Regarding some of the cyber attacks on government agencies or banks or institutions, we have seen how social media has been used to promote such tragic initiatives and spread messages. It would be important to identify the leader of those nets, the key nodes and their overall structure. Even authors of traditional crimes are attracted by the opportunity to get a wide communication of their success. The rapid evolution of communication techniques by criminals requires the intelligence and police forces to have tools and competences up to the challenge. Of course if we think about financial crimes or the risk for patents and copyrights, companies too should be organised to prevent and protect their assets.
The importance of recognising patterns, looking at both private and public communications, is magnified in this context. A crucial aspect of the intelligence for safety is being able to collect information on social platforms, utilising it with the appropriate criteria and parameters and setting up a process it with the help of additional data, coming from both online and offline.
- The process
The main steps of the SOC.M.INT. technique for investigations are:
- Examining all the openly available data (for example, that which does not require any restriction on the privacy settings of the users), without focusing at any individual in particular, but rather looking at the general pattern of the phenomenon studied.
- Focusing on data concerning single individuals, in order to get a wider range of information on them.
- If deemed necessary, wiretapping private communications.
Acquiring a work method in the process means looking for information with purpose. Gathering material through social media needs to have solid methodological basis: given the huge amount of data available, the selection of the sample to analyse is a key factor. It is important to be educated in the field, being objective rather than using fallacious inferences and going through the raw data with a reliable scientific approach.
Often this step is demanded only to those people with particular competences in informatics based systems of data filtering, appearing more focused on generic gathering and less on how representative the elements are; it is mandatory to build a team with diversified skills, especially due to the increased usage of social media in inquiries. The true value lies in being capable of identifying the right data, more than the amount of data itself, which may or may not have information relevant to the intelligence cycle.
An example of the general tendency to underestimate the actual significance of the sample in analysis (Twitter content for instance), can be found in the identification of hashtags as barriers, embedded in the platform itself, to the information concerning a specific theme. Recent research has showed that only a small fraction of communications referring to a certain topic is labelled with a hashtag, while most of them stay out of such logic.
It is appropriate to have a deep knowledge of techniques and strategies to collect data, with a transversal and sharp vision; it is a sensitive activity one that cannot be improvised. Choosing which data means also finding video, pictures, locations, not just textual data. It is essential to know how to isolate various types of data, so as to analyse them one at the time before connecting them in a general inquiry framework, keeping in mind that the virtual space and its lexicon are different from those in the real world. The interpretation of the intention, the motivation, social significance and eventual denotative and connotative aspects of the phrases used must be considered if the analysis wants to find more than the tip of the iceberg. The news must be evaluated with attention, because often, those who are monitored show a tendency to change their behavior when they realise they are watched, even releasing fake or ambiguous information on purpose.
Once we have established the presence of such phenomena, the information is now filtered and isolated, and acquires additional confidence levels thanks to further checks through the connection with other structured and unstructured sources. The final output should be a report, where informative data is correctly collected, refined and analyzed, becoming a reliable and tangible support to the investigation – contributing, even crucially, to its resolution.
The figure shows the hidden connections between two subject of investigative interest: shared friends and social circles are highlighted through icons, links and pictures extracted from albums thanks to tags and geo-localization. The diagram is derived by a research study on Facebook performed with the app FaceLink, by Sistemi & Automazione, a technology partner of SBS. If we extend the methodology to different sources (using similar tools and applications – Tetras, Analyst and so on) and we do analyze the relationships diagram, we’ll find how data will provide us with information: a phone call or a post in a blog is a data. To whom, how often, when, from and where – the answers to all of these questions comprise valuable information that is a tremendous support to prevention.
The role of social media in investigations becomes larger day by day: SOC.M.INT. does not mean searching the web randomly, but acquiring the necessary know-how to study different kinds of websites (a dating site will operate differently from a job search sot, what is popular in Russia is not what is popular in Argentina, the way a social network is used by a teenager is not the way it’s used by an entrepreneur, etc). Basic knowledge is necessary before starting with the process, and the technique should be applied with order, method, procedures, in order to provide added value to investigations, improving the quality of the decision-making process thanks to a more detailed informative background.
Social media analysis represents a method of risks assessment, allowing to collect data that may add information on several kinds of threats, from announced suicide intentions to the public claim of a hacker, from political propaganda to the social circle of a boss: all matters to keep under control for the public security and safety. Risk assessment is key to having an effective prevention policy.
The use of this innovative technique in inquiries has produced excellent results, and one of the reasons is that is becoming more and more reliable and systematic: a lot of different evidence can be gathered, not just through facial recognition or monitoring, but also with direct interaction with the criminal through dedicated profiles. The next step should be supporting and regulating it: technological, analytical and regulatory changes are necessary before it can be fully considered a new powerful tool of intelligence, especially since the balance between security, freedom and privacy on social media is a hot topic that must be addressed.