Social media’s value and danger to law enforcement investigations

Social media is increasingly useful to law enforcement investigations. But it, along with other OSINT sources, comes with inherent risks to access.

Despite the dangers, the web is playing an increasingly important role in conducting thorough and efficient law enforcement investigations, and nowhere is that more true than on social media.

Social media has become one of the most robust sources of information for law enforcement investigators to quickly gain insight on persons of interest and their affiliates. Reports estimate that the total number of social media users is over 4 billion — that’s equal to more than half the global population.

Social media profiles and activity can reveal a pattern of life that often provides a rich context of behaviors and contacts. It can reveal phone numbers, hangout locations, habits and possessions (e.g., cars, phones or clothes). With geolocation, it can even help you identify a subject’s location at a specific time.

But searching social media to support law enforcement investigations carries an elevated risk — on top of the standard risks of accessing the web for OSINT collection and other research.

Web-based risks to law enforcement investigations

The “standard” risk of using the web is cyber risk. Anyone clicking a link or navigating to a site could encounter malware that downloads to their device and potentially spreads in their network.

Malware comes in all shapes and sizes, from ransomware that’s increasingly targeting police departments to keyloggers that can track everything you type.

This is why browser isolation is important — particularly in investigations that will likely encounter bad actors or risky content, as in law enforcement investigations — to keep absolute separation between the browsing environment and the device.

Isolated, cloud-based browsers mean web code (and the threats that lie within it) execute in the cloud and not the local device, while the user interacts with a benign video display that looks and behaves just like the normal browsing experience.

But there’s another risk particular to investigators: tipping off investigative targets simply because of how (most) browsers work.

Tracking mechanisms can spoil law enforcement investigations

Traditional browsers like Chrome, Firefox or Safari track users during — and even between — browsing sessions and obtain an array of information about their device, browsing activity and more.

Tracking exists to tailor browsing experiences based on your location, device settings, browsing history, browsing behavior and details of the browser itself. These details are not just collected by the browser, they’re conveyed to the websites you visit; specifically, they include:

• Internet address and connection: registered owner, subscriber information
• Browser and device type: OS, software/plugins installed, time zone, audio/video devices, cookies, HTML5 local storage, HMTL5 canvas fingerprinting, audio rendering
• Unique online behavior: social media connections, shopping interests, websites visited, account activity

And this is where it becomes a problem for investigators.

Separately, these components may be insignificant, but all together they can help websites — and their webmasters — track and identify who you are, who you’re working for and why you’re snooping around.

Your “digital fingerprint” is highly unique. If it sticks out like a sore thumb on the site you’re investigating, the webmaster may perform counter-intelligence, feed you disinformation or retaliate. They could also use it to uncover your true identity and come after you or your organization.

If your investigative target knows who you are, best case scenario: that investigation is compromised. Worst case scenario: it could get personal.

Learn more: What’s in your digital fingerprint and how to control it >

Social media is tracking on steroids

So your standard web browser is built to track you (note: this is still happening even if you’re in private browsing mode). But social media takes tracking to a whole new level. Here’s an example:

Facebook receives “off-Facebook” activity; even while you’re not on Facebook, it can collect information about apps you’re using and sites you’re visiting. That means it’s possible for Facebook to see you have an interest in aviation, you read Denver news, you’ve shopped at Galls.com (a law enforcement supplier), that you have an AT&T FirstNet account, you’re interested in firearms, real estate investing and have been looking at events in the Washington D.C. area.

​​Take a break and disconnect your off-Facebook activity now >

So even if your profile doesn’t say you work for law enforcement, the details provided to Facebook could make it easy to guess that you do. This can be a problem when it comes to the friend recommendation feature.

Hazards of the friend recommendation

When a social media platform suggests a new friend, they look at your location, your mutual friends and searches you've completed. But if you're using your own profile while performing your investigation, the platform may suggest friends based on the person you’ve searched.

And if it’s happening to you, you can bet it's happening to your subject — they see you pop up as a friend recommendation.

You may also be appearing as a friend recommendation to confidential sources, putting them in jeopardy.

Your profile can turn you into the target

Who you are offline is very similar to who you are online — and criminals know this. If the details of your digital fingerprint, including social media activity, point to law enforcement, your investigation could be compromised and you could potentially be at personal risk.

Law enforcement professionals and organizations have valuable data the bad guys can use or sell; as such, they often become targets of cyberattacks.

• The 2020 CIO Survey found cyberattacks are increasing on state and local governments, with spear-phishing and malware being the most common threat vectors.
• In July 2020, The Intercept reported on the BlueLeaks archive that exposed the personal information of 700,000 cops. The theft included 16 million rows of data, including emails, descriptions of alleged crimes, and detailed personal information.
• In July 2019, the LAPD was involved in a data breach releasing thousands of current aspiring police officers' personal records. They didn't realize the breach happened until the hacker told them.

Also, if you're conducting an investigation, your intelligence and evidence could be the target of attacks or leaks, compromising your case.

Before you create that fake persona ...

Because social media is, well, social, it’s easy to get caught up in the idea of creating false personas (i.e., creating a fake name, fake email address, etc.) in order to search the platform and interact with subjects relevant to your investigation.

That isn’t a best practice, and platforms are cracking down to eliminate such accounts. Instead, there are many tools provided by the social media sites or third-parties in line with platforms’ policies. Explore these options thoroughly before you take any risks that would run you afoul of platform terms and conditions, policies within your organization or the law.

Learn more: 13 tools to improve online law enforcement investigations >

Control your digital fingerprint

Other OSINT sources — on the surface and dark web — aside from social media also play an important role in law enforcement investigations.

To protect the integrity of your investigation, ensure your personal safety and that of your agency, you need to control the details conveyed about you to websites you research.

This may start with location spoofing. If you think this is as simple as using a VPN, think again.

With a VPN, it’s important to remember:

1. You’re still using your native browser that is leaking all kinds of information about your location, as well as your browsing habits, your device, etc.
2. You will need to purchase VPN access in the various regions where you want to appear local
3. It’s known that you’re using a VPN (the IP address will be associated with the VPN provider) which could block you from accessing the site
4. You’re not protected against malware infection

Other purpose-built solutions offer networks of internet egress nodes across the U.S. and around the globe that can give investigators the desired in-region access without appearing to originate from a VPN-associated IP address.

But it takes more than an internet egress location to thoroughly cloak your identity. In fact, if other details of your “location narrative” don’t match with where you appear to be accessing from, it may raise a red flag to your investigative subject.

To complete the narrative, you need to match numerous other details to your assumed identity. Consider the following:

• What language, keyboard and timezone settings are appropriate for this egress location?
• What browser and OS (and what version) are common to users in this region? (StatCounter is a great resource to find out market share of this and other info)
• What do other device and browser details say about me (audio/video devices; installed software, plugins, fonts; battery status)?
• How could cookies and other unique identifiers (e.g., session IDs and employee number) reveal my identity or intent?
• What could adversaries or investigative targets learn from conveyed details of my local storage or cached data?

Browse with a clean slate

If you’re running multiple digital fingerprints for researching different sites, you’ll need to ensure your browsing sessions are isolated from one another.

Using an isolated, cloud-based browser can give you a fresh browsing experience in every session, eliminating persistent tracking mechanisms that follow you as you search — even after you close and relaunch the browser. Some such browsers will also allow you to run multiple isolated browsing sessions at the same time, so that you can conduct multiple investigations but not cross-contaminate.

Each time you launch a remote, isolated browser, you start with a clean slate. This means the search terms used, websites visited, browsing patterns, time of use, shopping preferences, etc. won’t contaminate the digital fingerprint you assume to research a particular site or case.

Law enforcement investigators leveraging web research are at a heightened risk because of who they are and who they’re going after. Knowing those risks and how to counteract them is of the utmost importance to ensure a successful investigation and protect those conducting it.

Read more posts for law enforcement

• 13 tools to improve online law enforcement investigations: Use data aggregators to pull together info from courthouses across the country, add extensions to better utilize video and images and safely search social media.

• Leveraging the dark web in online investigations: Why you should utilize the dark web in your investigation, where to begin and how to protect yourself (and your company) along the way.

• Managed attribution FAQs: Authentic8 answers FAQs about managed attribution and misattribution from online investigators who need to cloak or be anonymous for research. 

To learn more about Authentic8’s solution for online law enforcement investigation, Silo for Research, request a demo here.