With stay at home orders causing an upsurge in social media usage, the ability to navigate the variety of online platforms and identify, detect, and assess risk has never been more important for professional investigators.

However, in an online world where people can operate anonymously under any name they choose, how do you stay ahead of those who use social media to abuse, threaten, or defraud?

There are now a range of sophisticated social media search tools at an investigator's disposal, but while they certainly play a part, the answer often lies as much in psychology as technology. This involves looking for certain patterns of behavior that people exhibit when they use social media.

Like the little “tells” poker players look out for in their rivals' body language, social media users can unknowingly give away details about identity, location, and contacts, even when trying their utmost to evade detection.

“Pierre Delecto” and Familial Tracking

A recent example of this was demonstrated on the international stage. Last year, U.S. Senator Mitt Romney revealed in a magazine interview that he had a secret account he used for “lurking” on Twitter. It was a throwaway remark and he provided few details about the account, certainly not enough to pick it out from all the other anonymous accounts on the site. However, within hours, a journalist had identified the profile.

How did the journalist find Romney's online alias? It came down to one key identifier—familial tracking. 

This involves uncovering a person's true identity by examining patterns within an individual's inner circle. In this case, the journalist looked at the social media accounts of Romney's family members—and, more importantly, the other accounts following them. Unlike the former presidential candidate, some of his family only had a handful of followers on Twitter. Among them, the same mysterious profile under the name “Pierre Delecto” kept appearing.

Once they had identified this account it proved relatively easy to show the similarities between Pierre Delecto and the lurking profile Romney had described. 

Romney's own decisions and human nature ultimately resulted in Pierre Delecto's downfall. Despite trying to remain anonymous, it seems he could not resist following his friends and family. This demonstrates a key factor investigators typically uncover: Ultimately people still gravitate to personal interests and familiarity, even when trying to be anonymous.

Of course, in Romney's case he was not doing anything illegal, and admitted to his secret identity, but investigators look for similar patterns when trying to uncover who may be behind nefarious behavior.

These familial patterns can also apply to the corporate world.

In one case, investigators at K2 Intelligence FIN (K2-FIN) were able to identify a clandestine business partnership between a company the team was investigating and another firm, simply by looking at how key executives in specific divisions of both firms had suddenly started following each other on Twitter and “liking” each other's Tweets.

However, while this familial tracking can be incredibly useful, it often forms just one part of the identification process, as was highlighted in another recent case.

Harassment Case Study

Engaged by a high-profile individual to investigate an Internet troll who was bombarding them with abusive social media messages, including threats towards them and their family, K2-FIN was challenged with taking a deep dive to figure out the identity of this individual.

The perpetrator used multiple anonymous accounts, creating new profiles whenever they were deleted or blocked and posting hundreds of comments. The K2-FIN team started out by going through each one in detail looking for identifiers, and leveraged several tactics to uncover the nefarious actor's identity, including the following:

  • Analysis of language: The content of the troll's posts contained deliberate misinformation about their identity and whereabouts, but certain colloquialisms and references to product names allowed investigators to pinpoint their country of origin, while the tone of their messages allowed the team to correctly identify that they were the same gender as the client.
  • Familial tracking: In this case, it was not friends, family, or colleagues, but particular niche interests and small online communities that the troll had previously belonged to and still gravitated toward. For example: they directed abusive messages at one specific group of the client's supporters, in a manner that strongly suggested a prior relationship with some of these people.
  • Sticky usernames: The troll had previously used variations on the same distinctive username across multiple online profiles dating back more than a decade. It may seem counterintuitive that someone trying so hard to mask their identity would leave such an obvious clue, but it is something that repeatedly appears in online investigations: People grow attached to their usernames, either due to sentimentality or convenience. Even when creating a new account, they revert to something familiar when prompted to enter a username. In this case, the troll's username turned out to be their childhood nickname combined with other personally identifiable information. 
  • Abandoned profiles: It was evident that the perpetrator had forgotten about some of their older, more candid, social media profiles or believed they had done enough to wipe their activity on them. However, the internet never forgets. Leveraging search tools to access databases that collect information scraped from social media in real time, the team uncovered a rich archive of information available long after it had been deleted.
  • Conversation pieces: On social media, not everything necessarily disappears when an account is disabled—some advanced functions allow users to view comments directed at a profile by other users, even when deleted, set to private, or wiped. Though this is only one side of the conversation, this can still be revelatory—whether it is another user confirming their delivery address, or simply wishing a “friend” a “Happy Birthday.” Key biographical details can be gleaned from these interactions.
  • Jigsaw identification: Although no single profile used by the troll contained enough information to identify them on its own, by combining all the little details left scattered across their social media over years, and subsequently using it to direct searches, the team was able to gradually build a picture of who this person was. 

This is frequently a painstaking process that can involve a degree of trial and error and even intuition, but eventually enough information was gathered to carry out a public records search. It yielded just one match—providing the troll's full name, date of birth, and home address. In other words, the code of this person's identity was cracked.

Social Media in Investigations 

It was clear from the start that the harassment investigation would be heavily focused on social media, but these platforms play an increasingly valuable role in a variety of different cases.

For example, in due diligence exercises, social media can reveal whether a prospective employee or business partner has engaged in any online activity that could later result in reputational harm. Social media can also provide useful information for locating people in asset tracing investigations or establishing jurisdiction for legal proceedings. In litigation support, social media can be used to investigate and gather evidence, even when there have been attempts made to delete the content.

Finally, there are growing instances where the client asks for a reverse investigation into their own social media to identify risks. People have legitimate concerns when it comes to how much identifiable information about them can be discovered online. As with the case of the internet troll trying to remain anonymous, even the most privacy conscious person's attempts to safeguard their details can be undone by the smallest leak, or by errors that they are probably not even aware of.

Ultimately, the number of cases where social media can be a factor is endless, and as these platforms continue to grow in dominance and diversify, so too will their role in professional investigations.

The challenge for investigators will be to stay alert to the ever-changing ways these platforms can be abused and continue to identify the people responsible and protect those at risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.