Magic APIs, Exploits, and other fairytales of social media

Social Media Monitoring (SMM) practitioners routinely bear the brunt of command-level frustration over what can and cannot be found online. After years in the discipline it is easy to see where the frustrations come from. Much of the conflict is rooted in misconceptions about SMM technologies. Some of them are actually humorous, whereas others are downright aggravating. Below are some of the most commonly encountered:

1. Vaporware: (n) a program that, despite what your friend told you, does not exist. I have lost count of how many times a discussion has started with, “I want a program that…” and ended with a modern iteration of “SKYNET.” The fact that such a program does not exist has caused many a police executive and security professional to hesitate before buying a product. It seems they are holding out for that one perfect, all-knowing, all-doing, super crime-solving software. This is commonly referred to as a “Unicorn” among practitioners. The solution? Go with a program that provides what you reasonably need.

2. “Why can’t you find it?”: This is one of the single most aggravating questions any SM practitioner can hear. The easy answer is, “There are approximately 1.2 million terabytes of data available on the commercial web and you want me to find one missing tweet? From six days ago?” Of course this answer will not win friends or convert non-believers to the fold. The truth is that finding information like tweets and status updates can be extremely difficult. As a rule you need at least two of the four dimensions (User, Content, Location, Time) to vector in on a specific item.

3. Secret APIs: Let’s be clear, even SMM platforms have to abide by rules. As practitioners we know one of the risks in this discipline is the loss of an API. Savvy practitioners will know enough about the various social media sites to “mainline” searches if needed. Ethical practitioners stay away from SMM platforms that claim to have “secret access” to otherwise unavailable APIs. Rumors constantly swirl of platforms negotiating back-room deals with social media sites. In the end, if the data is acquired through suspicious means, it is no good for law enforcement and may even lead to litigation.

4. Exploit-O-Rama: This is specific to SMM practitioners who gather information for prosecution. As of right now, information obtained via a script or exploit, which would normally not be accessible without a court order, is poisoned fruit. Many a speaker will stand in front of a room and deliver amazing speeches on the power of hidden exploits, but at some point even they must admit their methods will not stand up in court. The best advice: “when in doubt, get a court order.”

5. Free is Key: There are plenty of free SMM platforms out there. Some of them, like Tweetdeck and Topsy, are actually really good. However, at the end of the day nothing beats a paid platform. Competition in this space has benefited practitioners more than many can imagine. Whereas a few years ago a platform would refresh information once every 10 minutes, today’s platforms can monitor in real time, build heat maps, conduct link analysis, and so much more. The old adage truly holds up: “you get what you paid for.”

The OSINT Scammers

The police commander looked at the woman introducing me as though she were explaining advanced physics. When she completed her introduction and a brief explanation of open source monitoring, he simply replied, “okay.” It was less an affirmative response than an indication he was still not sure what type of voodoo I practiced. As we walked away she said to me, “Well, he’s the incident commander and you will be spending a lot of time together…so good luck.”

The commander’s response was common ground for a law enforcement open source practitioner. To me it was neither good nor bad, but an indication of where we stand in the broader LE community. “OSINTers”, as we are called, occupy the land between true computer forensics and black magic. To some we are digital ninjas who can glide along the keyboard and produce volumes of information in less time than it takes to empty a K-cup. To others however we represent the best scam going. Unfortunately we’ve done this to ourselves, and if we keep it up, we will go the way of 3 ½ inch floppies.

If you walk into any law enforcement conference in the US and throw a rock, you will likely hit seven open source subject matter experts. They openly describe their art as OSINT, or open source intelligence. Their self-ascribed accolades are almost as dubious as the job they perform. Many will tell you how awesome they are, how smart they are, and how much you really need them. Some of them are products of one or two open source gathering platforms on the market. When you ask them what they do, the truth usually comes out after a few minutes of self-aggrandizement: they surf the Internet…period. Most OSINT “SMEs” use such a broad-based approach to OSINT that they end up producing volumes of useless information. In some of the worst cases, they creep through Facebook, Instagram, and others looking for photographs of marijuana, guns, and “gang indicia.” These folks will demand a high-priced OSINT gathering platform and three or four screens at their desk, and will end up costing departments thousands in overtime while producing nothing but strands of useless information. On their best days they might snag a photograph of a teenager smoking a blunt, and if the OSINT god smiles upon them they will hit the jackpot with a photograph of weed lying next to a gun in a nondescript hotel room. Huzzah!

The law enforcement community is saturated with these people, and they are killing the discipline one deployment at a time. The problem with their approach is that they see OSINT as a way to impress others with tech savvy and screenshots of drugs, all while solidifying a position for themselves in the future. They rarely produce anything with evidentiary value, and if they do, courts have a field day stripping their methods and reducing them to something akin to a modern-day peeping tom. At large events, they basically troll the Internet looking for that one terrorist who decides to tweet his attack minutes before he executes it. In short, they are more like street cops roaming the city waiting to get lucky.

In the meantime, a small cadre of well-trained law enforcement intelligence professionals is working silently in the OSINT realm. These people are the true future of LE-OSINT. They don’t need a high-priced platform, but if they have one it will be one tool in their box. OSINTers of this genre may be involved in evidence gathering, but they approach it with subpoenas and court orders. Most of them, however, see OSINT as an intelligence art like HUMINT and SIGINT, whose proper gathering and analysis techniques take time to learn. OSINTers of this level use targeted gathering approaches so as not to waste time rifling through hundreds of spring break photos. They spend hours preparing for large events, establishing a baseline of behavior and seeking out grassroots trends. Finally, these OSINTers respect the privacy of other users and keep an eye towards civil liberties protections.

Back to the commander and me. We spent three hours together in the command center, me working my “Matrix”-style voodoo and he watching over my shoulder between trips to the meatball tray. It wasn’t until I was able to provide a SITREP of the entire venue footprint that he finally sat back and shot me a look of approval. I don’t know what it was he wanted to see, but it was clear I’d earned my spot in the command center for several games to come. Hopefully, as we progress, we will show how this new method of public safety is worthy of the time and money that will be spent. It is my hope that in 10 years, LE-OSINT will take its place beside special investigations and computer forensics as a respected and reputable discipline.