Research Hacking – Searching for Sensitive Documents on FTP; Captchas and the Google Governor

If you want to find *sensitive documents using Google search (*documents with impacting information which someone does not want revealed, more or less), I’ve found that in addition to targeting queries to search for specific domains and file types, an alternative and potent approach is to restrict your results to files residing on an ftp server. 

The rationale is that, while many FTP servers allow anonymous log-in and even more are indexed by Google, they are used more for uploading, downloading, and storing files than for viewing pages, and typically house more office-type documents (as well as software). Because limiting your searches to FTP servers also significantly restricts the overall number of results returned, choice keywords combined with a query that tells Google to bring back files that have “ftp://” but NOT “http://” or “https://” in the URL yield a high density of relevant results. This search type is easily executed:

Screenshot - 12032013 - 08:10:35 AM

A caveat one encounters before long using this method is that eventually Google will present you with a “captcha.” Many, many websites use captchas and pretty much everyone who uses the internet has encountered one. The basic idea behind a captcha is to prevent people from using programs to send automated requests to a webserver. Captchas are a main tool in fighting spam: they thwart bots that mine the internet for email addresses and other data, and that register for online accounts and other services en masse. The captcha presents the user with a natural language problem which they must provide an answer to.

Google is also continuously updating its code to make it difficult to exploit Google “dorks,” queries using advanced operators similar to the one used above (but usually more technical and specific). Dorks are mostly geared toward penetration testers looking for web application and other vulnerabilities, but the cracker’s tools can easily be adapted for open source research.

Screenshot - 12032013 - 08:13:41 AM

Unless you are in fact a machine (sometimes you’re a machine, in which case there are solutions), this should be easily solved; however lately, instead of returning me to my search after answering the captcha, Google has been sending me back to the first search page of my query (forcing me to somewhat start the browsing process again and to encounter another captcha). I’m calling it a Google Governor, as it seems to throttle searchers’ ability to employ high-powered queries.

The good news is that the workaround is really just smart searching. One thing you’ll notice upon browsing your results is that dozens of files from the same, irrelevant site will be presented. Eliminate these by adding -inurl:"websitenameistupid.com" (which tells Google to exclude results with exactly “websitenameistupid.com” in the URL). Further restrict your results by omitting sites in foreign domains (especially useful with acronym-based keyword searches): -site:cz -site:nk.

When you find an FTP site which looks interesting, copy and paste the URL into a client like FileZilla for easier browsing.

To give you an idea of the sensitivity of documents that can be found: One folder was titled “[Name] PW and Signature,” which contained dozens of files with passwords as well as .crt, .pem, and .key files; another titled “admin10” contained the file “passwords.xls.” This was the site of a Department of Defense and Department of Homeland Security contractor – the document contains the log-in credentials for bank accounts, utilities, and government portals. This particular document is of more interest to the penetration tester; for our purposes it serves as a meter for the sensitivity of the gigabytes of files that accompanied it on the server. The recklessness of the uploader exposed internal details of dozens of corporations and their business with government agencies.

The hopefully sufficiently blurred “passwords.xls”

*As of this writing, the FTP mentioned above is no longer accessible
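
Seen from the server owner's side, the files described above are the ones to find before a search engine does. As an added example (not part of the original post), this Python audit walks a local FTP root and flags the file kinds named above: credential-named office documents and .crt, .pem and .key material, reading the first bytes of each file to tell a private key from a public certificate. The name patterns, extension sets and severity labels are assumptions to adapt.

```python
"""Audit a local FTP root for files that should not sit on an indexed server."""
import os
import re
import stat
from typing import NamedTuple

# Assumed patterns, modelled on the folder and file names mentioned in the post.
CREDENTIAL_NAME = re.compile(r"passw(or)?d|\bpw\b|credential|login", re.I)
OFFICE_EXT = {".xls", ".xlsx", ".doc", ".docx", ".csv", ".txt"}
KEYSTORE_EXT = {".key", ".pfx", ".p12"}
CERT_EXT = {".pem", ".crt"}
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")


class Finding(NamedTuple):
    path: str             # path relative to the audited root
    severity: str         # "high" or "medium"
    reason: str
    world_readable: bool  # True if the "other" read bit is set


def holds_private_key(full_path, limit=65536):
    """Look for a PEM private-key header in the first bytes of a file."""
    try:
        with open(full_path, "rb") as fh:
            return bool(PRIVATE_KEY_HEADER.search(fh.read(limit)))
    except OSError:
        return False


def classify(rel_path, full_path):
    """Return (severity, reason) for one file, or None if nothing stands out."""
    ext = os.path.splitext(rel_path)[1].lower()
    named_like_credentials = bool(CREDENTIAL_NAME.search(rel_path))
    # Content beats extension: a .pem or .txt may hold a private key.
    if holds_private_key(full_path):
        return "high", "PEM private key material"
    if ext in KEYSTORE_EXT:
        return "high", "key or key-store file extension"
    if named_like_credentials and ext in OFFICE_EXT:
        return "high", "office document with a credential-like name or folder"
    if ext in CERT_EXT:
        return "medium", "certificate file (public, but reveals internal naming)"
    if named_like_credentials:
        return "medium", "credential-like name in path"
    return None


def audit_ftp_root(root):
    """Walk the tree under root and return findings, most severe first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            verdict = classify(rel, full)
            if verdict is None:
                continue
            mode = os.stat(full).st_mode
            findings.append(
                Finding(rel, verdict[0], verdict[1], bool(mode & stat.S_IROTH)))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


if __name__ == "__main__":
    import sys
    for f in audit_ftp_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        access = "world-readable" if f.world_readable else "restricted"
        print(f"[{f.severity}] {f.path} ({f.reason}; {access})")
```

Run it against the directory the FTP daemon serves; anything reported as high and world-readable is what an anonymous session, and therefore a crawler, could fetch.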

Blackwater GSA Schedule 84 Security Services Pricing Catalog

Screenshot - 12072013 - 07:37:51 AM

Found included in documents I’ve been posting here and those published on the Declaration, a nice reference: the Blackwater GSA Price List (General Services Administration Schedule, GS-07F-0149K) 30 August 2006. You’ll remember Blackwater or can use your Googler.

It’s an interesting read – Tier 1 a nice place to be, at over $1,000 a day.

 

Screenshot - 12072013 - 07:36:11 AM

Read here

First Release: Internal Documents, DHS Federal Protective Service Officers and Megacenters

Monday I published an article to the Declaration which introduced documents detailing the operations and contracting history for the Department of Homeland Security’s Federal Protective Service Philadelphia Megacenter. The following is a brief description of the DHS Megacenters, a listing of internal documents obtained via confidential source, and a first posting of what will eventually include many hundreds of records which relate to the same agencies and contractors. I am currently reviewing thousands for release; the source is currently active and still protected by the Declaration for ongoing investigations.

fps_map

Federal Protective Service (FPS) Headquarters is located in Washington, D.C. Regional offices are geographically located in New York, Boston, Philadelphia, Atlanta, Denver, Chicago, San Francisco, Seattle, Fort Worth, Kansas City, and Washington, D.C. Other sites include the Far East and the Caribbean.

“The Federal Protective Service (FPS) MegaCenter monitors multiple types of alarm systems, surveillance cameras and wireless dispatch communications within federal facilities throughout the nation. Always in operation, the Center is equipped with state-of-the-art communication systems to make it a unique and vital communications link between FPS law enforcement personnel on the street and contract security guards located at various FPS-protected facilities.”

Screenshot - 12042013 - 05:38:58 AM

Primary: Covenant Security Solutions (CSS), a division of Covenant Worldwide, a Chicago IL company in the news since 2003, most recently in 2010, after scandals including tipping off employees of Covenant Aviation Security, its airport security division, working as TSA screeners at San Francisco International and Los Angeles International airports, about undercover inspections by the TSA, were reported in the San Francisco Chronicle, LA Times, and elsewhere.

CSS successfully bid on a comprehensive contract for all 4 Megacenters – Denver, CO; Battle Creek, MI; Suitland, MD. The first center built was the Suitland facility, responsible exclusively for the many Federal properties in the Washington, DC facility. The following three were completed shortly after.

Companies involved: Honeywell, Covenant, Gonzales, Excalibur, Computer Sciences Corporation, Centurion

FPS/Megacenter Documents:

These are the documents I’ve vetted for personally identifiable information, metadata, and compromising data regarding a source. This list will likely need updating as I continue to parse the documents corpus – further links will be posted here or in future publications.

A first document is embedded as an overview sample

Department of Homeland Security solicitation 

Overhead for Protective Service Officers (PSO) Philadelphia 

Gonzales Consulting Services Megacenter/PSO 

DHS-FPS-PSO Philadelphia

Comprehensive Technical Proposal, Covenant, Philadelphia Federal Protective Service

Covenant Basis of Estimation 

Subcontracting by PSO site 

DHS Request for Information

All Positions, subcontracting 

DHS FPS Megacenter FTE 

Initial Response from FEMA Regarding FOIA Request

On November 1st I submitted a Freedom of Information Act request to the Federal Emergency Management Agency for all of its records related to the Delaware Valley Intelligence Center. This morning that request was responded to by the agency – FEMA acknowledged the request and cited the present large number of FOIA requests currently in processing by all Federal agencies in alerting me to the possibility of a delayed full response. The agency also conditionally granted my request for a fee waiver as a member of the media acting in the interest of public information. The response can be viewed below.

download1

 

download2

 

The Department of Defense Information Operations Condition (INFOCON) Decision Matrix

Screenshot - 11212013 - 03:36:23 PM

Employing meta-search methods for online research about which I have been tweeting and writing, I found myself in possession of a copy of the Department of Defense Information Operations Condition, or INFOCON, Decision Matrix. “INFOCON” is a threat condition like DEFCON, with numbered tiers, based on an intelligence assessment of active malware and its likelihood of disrupting connectivity/functionality.

There is much more where this came from. – K

Forensic Indexing, Metadata, and the DVIC Privacy Policy

When doing research on a subject that has some measure of obscurity by design, such as the fusion center in Philadelphia, the Delaware Valley Intelligence Center (DVIC), I often find the only way to fill in the gaps is to “data-mine” for documents. I use quotes, because data-mining strictly involves aggregating and analyzing more fragmented bits of *data, I deal more in *information, and data-mining usually applies to a much more intensive level of computation applied to a much larger corpus to be processed than I will discuss here.

You can get hands on with data mining. This is Tree-Map, I use a program called BaseX. They’re similar, great for browsing structured data like xml.

A more appropriate term would be “forensic indexing,” in that I am applying basic methods of digital forensics like metadata extraction to a general knowledge management system for a large collection of documents, too large realistically to open one by one. And I’ve just made it sound more organized than it usually is.

In the case of the DVIC what this meant was using an application which automates queries to metasearch engines as well as enumerating a specified domain to find relationships and other information. I used FOCA. I saved the documents that were the result of this search in separate folders according to which domain I had chosen for the search. I collected around 1800 documents.

I then ran a simple command line program called pdfgrep. I used the command pdfgrep -n -i "dvic" *.pdf to bring me a list displaying every line in every PDF file in the same directory containing the phrase “dvic,” tagged with file name and page number of the line, and ignoring case. One such query returned:

[filename]pg#: “text”

As you might imagine if you have followed the Declaration’s coverage, I was a bit confused. I went to the corresponding folder on my desktop and opened the file in my reader:

Screenshot - 11062013 - 05:33:45 PM

This document is titled “Nebraska Information Analysis Center,” another fusion center which it just so happens is missing a document from the fusion center association website. Where metadata comes into play, and why I had missed this by manually “googling” until now, is in how FOCA searches for documents: by file name, which is in the metadata of the document that gives its file path on the machine that stores it (its URI). This is something you can sometimes do by typing inurl:[term] into Google, but then you would have to know the exact name of the file to get relevant results. The name of this file is “Delaware-Valley-Intelligence-Center-Privacy-PolicyMar-2013.” It would have been very difficult to come up with this by educated accident.

Screenshot - 11062013 - 05:11:50 PM

So while there are still serious questions about the date gap between beginning a “cell” and submitting a policy, and concerns about a lack of full time privacy officer among others, it seems that everyone that was sure that a policy was completed and was approved by the DHS was quite correct, and I’d like to thank them for adding accurate memory to their graciously-given time to discuss the subject. It seems that a March draft was labeled somewhere in its life as the Nebraska Information Analysis Center’s policy perhaps at the National Fusion Center Associate website, where the “comprehensive” list is found, by whomever didn’t link it to the analysis center website.

This is only one elucidation among many from recent developments, the fruits of fresh approaches, and as mentioned, more documents to parse. Read the Declaration
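
The metadata side of this, as an added example that is not part of the original post and is neither the author's nor FOCA's code: a standard-library Python reader for the Info dictionary of an unencrypted PDF, which lists the fields to review before publishing a file and flags a title that disagrees with the file name, as with the privacy policy above. It assumes the title is stored in the Info dictionary as an uncompressed object; the sample bytes, the author value and the `read_info` and `vet` names are constructed for illustration.

```python
"""Read PDF Info metadata with the standard library and list review items."""
import re

FIELDS = ("Title", "Author", "Creator", "Producer")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

# Constructed sample: the embedded title names a different organisation
# than the file name does. The author value is made up.
SAMPLE_NAME = "Delaware-Valley-Intelligence-Center-Privacy-PolicyMar-2013.pdf"
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Title (Nebraska Information Analysis Center)\n"
    b"/Author (J\\. Doe \\(intern\\)) /Creator <FEFF0057006F00720064> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
)


def _decode(raw):
    # UTF-16BE when a byte-order mark is present; otherwise Latin-1, a close
    # approximation of PDFDocEncoding.
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def _read_string(buf, pos):
    """Parse a PDF hex "<...>" or literal "(...)" string starting at buf[pos]."""
    if buf[pos:pos + 1] == b"<":
        digits = re.sub(rb"\s", b"", buf[pos + 1:buf.index(b">", pos)]).decode("ascii")
        return _decode(bytes.fromhex(digits + "0" * (len(digits) % 2)))
    out, depth, i = bytearray(), 1, pos + 1
    while i < len(buf) and depth:
        ch = buf[i:i + 1]
        if ch == b"\\":                      # escape: octal code or single char
            octal = re.match(rb"[0-7]{1,3}", buf[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
            else:
                nxt = buf[i + 1:i + 2]
                out += ESCAPES.get(nxt, nxt)
                i += 2
            continue
        if ch == b"(":
            depth += 1
        elif ch == b")":
            depth -= 1
            if depth == 0:
                break
        out += ch
        i += 1
    return _decode(bytes(out))


def read_info(pdf_bytes):
    """Return the Info fields of a PDF, or {} if they cannot be read this way."""
    refs = re.findall(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf_bytes)
    if not refs:
        return {}
    num, gen = refs[-1]                      # last trailer wins after incremental saves
    objs = re.findall(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                      pdf_bytes, re.S)
    if not objs:
        return {}                            # e.g. Info sits in a compressed object stream
    body, info = objs[-1], {}
    for field in FIELDS:
        m = re.search(rb"/" + field.encode() + rb"\s*([(<])", body)
        if m and body[m.start(1):m.start(1) + 2] != b"<<":
            try:
                info[field] = _read_string(body, m.start(1))
            except ValueError:               # malformed string; skip the field
                pass
    return info


def _words(text):
    return set(re.findall(r"[a-z]{4,}", text.lower()))


def vet(filename, pdf_bytes, watch_terms=()):
    """List what a reviewer should look at before this file is published."""
    info, notes = read_info(pdf_bytes), []
    if not info:
        notes.append("no readable Info dictionary; inspect with a full PDF tool")
    for field in ("Author", "Creator", "Producer"):
        if field in info:
            notes.append(f"{field} = {info[field]!r}: identifies a person or software")
    title_words = _words(info.get("Title", ""))
    shared = title_words & _words(filename)
    if title_words and len(shared) * 2 < len(title_words):
        notes.append(f"Title {info['Title']!r} disagrees with the file name")
    for term in watch_terms:
        for field, value in info.items():
            if term.lower() in value.lower():
                notes.append(f"watch term {term!r} appears in {field}")
    return notes


if __name__ == "__main__":
    for note in vet(SAMPLE_NAME, SAMPLE_PDF, watch_terms=("nebraska",)):
        print(note)
```

Files saved with compressed object streams return an empty result here and need a full PDF library or a tool such as exiftool.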

Perl Crawler Script “fb-crawl” Lets You Automate and Organize Your Facebook Stalking

While browsing for scripts that might make my often very high-volume webmining for research less time-consuming/more automated, I came upon the following on Google Code 

fb-crawl.pl is a script that crawls/scrapes Facebook friends and adds their information to a database.
It can be used for social graph analysis and refined Facebook searching.

FEATURES

– Multithreaded
– Aggregates information from multiple accounts


This is very useful for social engineering and market research, and could also very easily find fans among the more unsavory Wall creepers. They don’t even have to be programming-competent, so most neck-bearded shiftless layabouts and of course Anons can do it. You only have to plug in your FB email address and  a MySQL password (you can download and click-to-install MySQL with simple prompts if you don’t have it).

EXAMPLES

Crawl your friends’ Facebook information, wall, and friends:
$ ./fb-crawl.pl -u email@address.com -i -w -f

Crawl John Smith’s Facebook information, wall, and friends:
$ ./fb-crawl.pl -u email@address.com -i -w -f -name 'John Smith'

Crawl Facebook information for friends of friends:
$ ./fb-crawl.pl -u email@address.com -depth 1 -i

Crawl Facebook information of John Smith’s friends of friends:
$ ./fb-crawl.pl -u email@address.com -depth 1 -i -name 'John Smith'

Extreme: Crawl friends of friends of friends of friends with 200 threads:
$ ./fb-crawl.pl -u email@address -depth 4 -t 200 -i -w -f

Users of the script can also aggregate information about relationship status by location or by school, essentially allowing stalkers to create automated queries for lists of potential victims.

MYSQL EXAMPLES

Find local singles:
SELECT `user_name`, `profile` FROM `info` WHERE `current_city` = 'My Current City, State' AND `sex` = 'Female' AND `relationship` = 'Single'

Find some Harvard singles:
SELECT `user_name`, `profile` FROM `info` WHERE `college` = 'Harvard University' AND `sex` = 'Female' AND `relationship` = 'Single'

And if a stalker wants to make an even handier database of GPS located targets, there are plug-ins:

To load a plug-in use the -plugins option:
$ ./fb-crawl.pl -u email@address -i -plugins location2latlon.pl
location2latlon.pl:
This plug-in adds the user’s coordinates to the database using the Google Geocoding API.

And as no stalker wants to terrorize someone age-inappropriate, they can sort by DoB as well:

birthday2date.pl:
This plug-in converts the user’s birthday to MySQL date (YYYY-MM-DD) format.

FOIA Request to FEMA concerning the Delaware Valley Intelligence Center

In furtherance of ongoing investigative coverage of the Delaware Valley Intelligence Center (DVIC), a fusion center in South Philadelphia, I filed last night a Freedom of Information Act request for documents related to the facility possessed by the Federal Emergency Management Agency, the primary source of funding for the DVIC under the Homeland Security Grant Program. It is reproduced below for public review. Continued opacity concerning elements of the facility’s activities has prompted expanded efforts through alternate means to secure information in the public interest.

The Delaware Valley Intelligence Center is an “all hazards” model fusion center located in South Philadelphia. Photo DVIC Brochure

To FEMA:

Dear FOIA Officer:
Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of records relating to FEMA management, funding, and oversight of the Delaware Valley Intelligence Center concerning the planning, development, construction, and operation of the facility for the time period of January 2007 through the date of this request, November 1st 2013. In order to expedite your search, examples of such records might include “Programmatic Monitoring Reports” for the Homeland Security Grant Program/ Urban Areas Security Initiative for the years 2007 through the present date.
A reference to these reports can be found in the October 3 2012 Senate Subcommittee release (FEDERAL SUPPORT FOR AND INVOLVEMENT IN STATE AND LOCAL FUSION CENTERS, MAJORITY AND MINORITY STAFF REPORT, PERMANENT SUBCOMMITTEE, ON INVESTIGATIONS, UNITED STATES SENATE) http://www.homelandsecurityus.com/PDF/HSGAC20121003.pdf
 e.g., “Philadelphia Urban Area FY 2009 Monitoring Report” (9/17/2009), FEMA; “Programmatic Monitoring Report, Pennsylvania – Philadelphia Area, HSGP/UASI,” (10/18/2011), FEMA, DHS-HSGAC-FC-059194. “Philadelphia Urban Area FY2009 Monitoring Report”
These examples are not meant to be exclusive of FEMA records relating to the Delaware Valley Intelligence Center which are otherwise responsive.
I would like to receive the information in electronic format where it is so available.
As a representative of the news media I am only required to pay for the direct cost of duplication after the first 100 pages. This information is being sought on behalf of for dissemination to the general public. I have been researching extensively as an independent journalist and have been covering the Delaware Valley Intelligence Center since January of 2013 as co-editor of The Declaration, Philadelphia, PA. The Declaration has a large readership in the local civil rights community as well as a law enforcement interest, and is a primary source for expository public information about the facility.
Please waive any applicable fees. Release of the information is in the public interest because it will contribute significantly to public understanding of government operations and activities. The requested documents will be made available to the general public free of charge, for which I will receive no compensation. This request is made in the process of news gathering for public understanding and not for commercial usage.
This request is not meant to be exclusive of any other records which, though not specifically requested, would have a reasonable relationship to the subject matter of this request.
If my request is denied in whole or part, I ask that you justify all deletions by reference to specific exemptions of the act. I will also expect to be provided with all segregable portions of otherwise exempt material. Please separately state your reasons for not invoking your discretionary powers to release the requested documents in the public interest. Such statements will be helpful in deciding whether to appeal an adverse determination, and in formulating arguments in case an appeal is taken and written justification may help avoid unnecessary litigation. I, of course, reserve the right to appeal your decision to withhold any information or to deny a waiver of fees.
As I am making this request as a journalist and this information is of timely value, I would appreciate your communicating with me by telephone, rather than by mail, if you have questions regarding this request.
I look forward to your reply within 20 business days, as the statute requires.
In the event that responsive records comprehensive of the request have already been provided by FEMA and available, and can be referred to their location, I will withdraw this request in the interest of minimizing use of tax-payer resources.
Thank you for your assistance.
Sincerely,
Kenneth Lipp
Independent Journalist
Editor, The Declaration

Top Cop: There’s a ‘Huge Social Media Component’ to Policing These Days – South Deering – DNAinfo.com Chicago

I was interested to see that Erica Demarest of DNAinfo Chicago was able to obtain comment from Police Superintendent McCarthy regarding my report from IACP:

 

 

Photo credit: DNAinfo/Erica Demarest

After a panel in Philadelphia last week, reports circulated that a “senior representative” from the Chicago Police Department claimed the city’s cops were working with Facebook to permanently block users who post what’s deemed criminal content.

During the panel — which was hosted by the International Association of Chiefs of Police — a panelist claimed Facebook could identify and permanently block a person’s phone or computer from using the site.

McCarthy wouldn’t address the claims, but did say Chicago cops use social media to aid in their investigations.

“Obviously, there’s a huge social media component to law enforcement these days,” the superintendent said Monday in the South Chicago Police District station, 2255 E. 103rd St.

But “I don’t want to speak about investigative prowess … because it can compromise some of the advantages that we’re finding.”

The top cop said the police department plans to expand its use of social media in coming years.

via Top Cop: There’s a ‘Huge Social Media Component’ to Policing These Days – South Deering – DNAinfo.com Chicago.

How Police Use Social Media To Monitor, Respond to, and Prevent Mass Gatherings

I have posted several reports from a recent police chiefs conference in Philadelphia, at which revelations were made that have been reported elsewhere in the press which cite this blog. An official from the Chicago Police, whose name I omitted because I have not deciphered it from my recording, announced work between his department and Facebook to disable certain users from posting to the website by a device ID. These comments were part of a short session that followed the main discussion, which was titled “Helping Law Enforcement Respond to Mass Gatherings Spurred by Social Media.”

A Facebook spokesperson contacted me via email last night and said that the company has “no special relationship” with Chicago Police to block users and responds to all reports of violating content equally. Facebook has updated its “fact check” page with the following item:

Fact Check

Facebook’s Law Enforcement Guidelines

October 27, 2013 11:00 a.m. PT

Content reported by law enforcement is subject to the same review applied to reports from anyone using Facebook. There is no special partnership. We evaluate these reports based on our community standards, and as always, may remove information that violates our policies.

Read more here.

The following report is posted in order to clarify stories which describe a plan to “make protesting impossible” that do not represent the context of the officer’s statement, and to provide a sober look at what we do know about how law enforcement is using Twitter, Facebook, Youtube, dating sites, forums, and the rest of the social web, from the mouths of the police who do the most with it.

After attending this panel and from my own experience covering law enforcement interaction with 1st Amendment protected demonstrations as well as more “direct action” geared assembly, I cannot imagine something law enforcement would want to do less than shut down Facebook or twitter during a protest. With notable exceptions, monitoring and influencing a group of people who self-identify for ready-made aggregation by #hashtagging their activity is a favorable arrangement for police.

Police departments have recognized how integral social media platforms like Facebook and Twitter have become in mainstream communications, and dependence on the Internet by the public to access private and government resources and information has expanded to the degree that even the smallest township department is expected to have a presence on the world wide web.

Thetford Township, Michigan, population 8,277

It is now familiar for a police twitter account to be a celebrity of itself, and vital public relations bulletins are now tweeted contemporaneously or prior to the issuance of traditional press advisories, as seen after the Boston Marathon bombings, when erroneous reports of an arrest on CNN’s twitter feed were corrected by the BPD’s account. As smartphones proliferate in crowds, the police have in turn taken to having officers on site to film the entirety of gatherings (TARU, the Technical Assistance and Response Unit, does this for the NYPD).

Screenshot from 2013-10-26 14:38:39

Law enforcement has taken to heart the real-time interaction and mobile capabilities of new technology, especially the ubiquity of smartphones and the ability for not only media organizations but participants in events to provide live video coverage of their activities to an international audience, and incorporated it into their operations to enhance more traditional practices of “spin control” and public relations, as well as finding wide application for the information resources of the web in their investigations and the crafting of policy.

Departments have used social media as a key source for strategic and tactical intelligence, and as a medium for conducting counter-intelligence operations. Chicago, Toronto, Oakland, Indianapolis, and Milwaukee are all among departments that report success in using social media in operations to surveil and even deter mass gatherings. Under certain conditions of perceived risk, special units or officers frequently undertake targeted monitoring and  “digital stakeouts,”  which can be done from anywhere with precious few necessary resources. Chief William Blair of the Toronto Department said, for example, that for every big event in his city he had 8 officers assigned to the Major Incident Unit whose sole job is to conduct social media operations.

State Police in Chicago lock batons during a confrontation at the NATO protests May 2012. Photo by Kenneth Lipp.

The close attention paid is a rational response to the feedback loop created by the real-time interaction of participants in mass gatherings with those observing the scene remotely – the potential for “flash mobs” of thousands to gather as a result of  tweets and Facebook posts is not a theoretical one, and events already drawing large crowds such as sporting events and scheduled protests can be augmented and influenced heavily by images, video, and messages posted online.

Photo by Kenneth Lipp
Denver Police flank an un-permitted march through the 16th Street Mall downtown. Photo by Kenneth Lipp
Police in Denver outside the Education Building where they interdicted a protest. Photo by Kenneth Lipp

Philadelphia Police officer Corporal Frank Domizio presented a case study in February on how his department used practices of manipulating traditional media in concert with internet social network monitoring to successfully uproot the Occupy Philadelphia encampment at Dilworth Plaza in November of 2011. Corporal Domizio writes for the IACP:

[Captain Ray Evers, formerly commander of the PPD’s Office of Media Relations and Public Affairs] says social media was integral to the last push to clear the city’s Dilworth Plaza of Occupy Wall Street protesters so that planned construction could begin on the plaza. “We embedded a reporter with Commissioner Ramsey, which gave our efforts lots of credibility because the reports were coming from a neutral source,” Evers explains.

It was another example of combining traditional with new media, as the reporter lent an “old school” source of information while Evers and the rest of his team used social media for tactical, step-by-step information transmission. “We actually compete with news media because we’re going directly to consumers, without need for the media middleman,” Evers says. And yet, as the Dilworth operation showed, traditional media are still necessary.

The result: no incidents of police brutality were reported or recorded, as had been the case in other cities. “These days everyone has a camera, and if something had happened, it would’ve come out,” says Domizio.

There were 52 arrests at the Dilworth eviction, and while the Philadelphia media on the large part did accept that the police were comparatively gentle, the protesters themselves have indeed used words like “brutality” and “rancor and violence,” and Will Bunch of Philly Daily News noted that the press had abandoned the Occupiers.

A history of the potential for embedded reporters to be directed from unfavorable observations is available for the reader to independently research and assess.

Occupy Philadelphia eviction. Photo by Dustin Slaughter

Chiefs are working with Federal law enforcement agencies and the private sector to develop technology and best practices for local police (these partnerships are termed community-policing initiatives as part of the Department of Justice COPS office, Community Oriented Policing Services, and are often supported by the DoJ Bureau of Justice Assistance) on how to maximize social media tools to engage the public and for investigation, interdiction, and prosecution. The International Association of Chiefs of Police, which met 13,000-officers-strong in Philadelphia last weekend for networking and discussions that largely featured these policy and industry developments, operates a Center for Social Media that pools resources developed to assist law enforcement agencies who wish to implement social media into their own operations.

When Mayor Quan was spotted leaving the Capitol Hilton by protesters demonstrating outside the US Conference of Mayors in January ’11, the news was tweeted and her car was stopped in the middle of K Street for a full 5 minutes
Protester outside the Capitol Hilton
Occupy DC at McPherson Park protesters bang drums and chant for Mayor Quan of Oakland to leave the US Conference of Mayors at the Capitol Hilton, Washington, DC

I’ve reported in several posts about a Chicago Police/Facebook collaboration to block criminal posting from the site by user and device. This collaboration was described by a Chicago PD official at the above-mentioned IACP conference, 2013 Conference Flyer (pdf) at the panel “Helping Law Enforcement Respond to Mass Gatherings Spurred by Social Media,” held Monday, October 21. The official, not on the schedule for the panel, spoke during the Q & A session at the behest of Chuck Wexler, the Executive Director of the Police Executive Research Forum, who led the workshop along with Chief William Blair of the Toronto Police and Assistant Chief Liebold of Milwaukee PD.


Facebook’s Chief Security Officer Joe Sullivan was originally scheduled, according to the flyer, but a Facebook spokesperson tells me that while they “haven’t yet figured out what caused” the Facebook Chief of Security to appear in the schedule, they can confirm that he was never supposed to speak at the event.

In the panel, one of dozens at the conference that highlighted the importance of social networking, cybercrime, and their intersection in “intelligence-led policing” (a close analog of “community-oriented policing”), the speakers provided an overall scope of how law enforcement uses the internet, and what about these practices is novel.

The panel description reads:

Protests and mass gatherings aren’t what they used to be. This discussion will focus on the new methods organizers and protestors are using to get the word out, and how law enforcement can sharpen their skills to ensure an even playing field.

After an introduction from Ms. Katherine McQuay, Assistant Director, Office of Community Oriented Policing Services, U.S. Department of Justice, a former journalist, the panel began with Mr. Wexler, who first made clear that he was not an expert by any means in social media, and that he would largely defer to Assistant Chief Liebold and to Chief Blair, whose department’s policies were frequently lauded in more than one panel as a gold standard in the field.

Tactics used in Philadelphia have been reported as an adaptation to unfavorable media coverage of brutality in California and by the NYPD and resulting litigation, and it is at panels such as those held at IACP in Philadelphia where that experience is shared. Wexler’s organization PERF provides another, more elite, venue for such industry audits. Their work consulting with chiefs of police from departments whose cities held Occupy Wall Street movement encampments earned them some attention in the media in November 2012. Commissioner Ramsey of Philadelphia was among the law enforcement executives facing occupations who attended and advised in these sessions, and whose cities within a month conducted evictions of those encampments. The communications were revealed in the press, and Wexler’s organization suffered from the ire of activists as well as the wrath of Anonymous, which he recalls as an introduction to the panel. There is no evidence that PERF advised any specific tactics, and in their response to the allegation they issued a statement directing “everyone who wishes to obtain an accurate view of PERF’s work to read a report that we released in July 2011 called ‘Managing Major Events: Best Practices from the Field.’”

Before Wexler launches into his “observations” he takes a moment to direct the audience to the IACP’s social media resource page, which contains the NYPD’s social media policies which Wexler and others would note repeatedly as a model implementation.

“I wanna make about 8 kinda observations about this notion of social media, I think it’s really changing everything we think about our lives and our work… and there is a real intersection between social media and cybercrime. It’s actually hard to know where one starts and one begins…”

Wexler sees social media and cybercrime intersecting in “strange ways,” which include PERF’s being targeted by Anonymous for what was interpreted by many as a coordination of the multi-city evictions which occurred across the US of Occupy camps, including New York City and Philadelphia.

Wexler says that “you will, if you haven’t already…if you haven’t been targeted by Anonymous for something that you did that’s related to your work, it’s really an interesting experience.” Wexler denies the characterization of the meeting as a “crackdown,” describing Anonymous as “twelve or thirteen year old kids living at home in their basement that now have this enormous power,” and says the FBI notified him at 5 one day that the cyber collective was planning to access PERF’s website and attempt to download the organization’s internal emails, a prospect which Mr. Wexler fends off with a shudder.

He discusses the risks the online environment poses to officers, especially the vulnerability to being identified and targeted for “d0x”ing (mass dissemination of personal information), fraudulent credit transactions, and other attacks (“paper terrorism”), and the need to mitigate those risks. Another officer in the Q and A session echoed this concern with more emphasis, adding that his department was working on alternate ways to protect officer identity from “these hacker whiz kids,” who had taken officer badge numbers from media and used them to expose officers and their families.

Wexler also notes that internet and social media have claimed victims in the form of cyber bullying and child exploitation, making it this “thing that terrifies” young people, before summoning Chief Blair to the microphone.

“Where [social media] has really emerged as an effective and important law enforcement tool is in helping us manage large scale, mass public events, demonstrations, or sporting events, where we have large crowds to deal with, sometimes certain behaviors to control.”

Both Blair and Assistant Chief Liebold outline a social media strategy in lockstep with the overall trend in law enforcement toward Intelligence-led policing.

Intelligence-led policing as a generic practice is not new; however, it took on new life post-9/11. The term is always introduced in the context of the World Trade Center attacks and how those attacks punctuated shortcomings in US intelligence practices. An output of the audit of the 9/11 commission was the finding that local police and federal agencies ought to increase and improve their sharing of information, and that the former were recognized as a vital source of anti-terrorism intelligence.

According to the Bureau of Justice Assistance:

“..effective intelligence operations can be applied equally well to terrorist threats and crimes in the community, homeland security and local crime prevention are not mutually exclusive. Officers “on the beat” are an excellent resource for gathering information on all kinds of potential threats and vulnerabilities. However, the intelligence operations of state and local law enforcement agencies often are plagued by a lack of policies, procedures, and training for gathering and assessing essential information.”

Chief Liebold describes the role of the police officer on social media under this philosophy as moving “more from collecting evidence to collecting information,” toward intelligence and operations that frequently do not involve the formal invocation of the law.

What both Blair and Liebold make clear is that they always make sure they are as fully engaged as possible with the sentiment on social media concerning large gatherings of people.

Chief Blair describes a November 2012 demonstration by Palestinians set to coincide with a parade celebrating the city’s CFL victory. He reports that his team monitored social media and determined through a practice called “geofencing” that the demonstration, which they had expected to draw 40 people, had attracted hundreds. Geofencing is a general term meaning to establish, via GPS data sensors and remote communications, a virtual perimeter or “fence” for a real world geographic area. It’s a basic element of the science of telematics, and can be thought of in some ways like a virtual electric fence that notifies the owner instead of shocking the pet. In this case it allowed Toronto police to assess sentiment associated with a certain topic by concentration in a specified location, the area of the expected demonstration.

A commercial application for geofencing is transportation logistics

Geofencing is also useful in allowing police to add a form of automation to their Internet intelligence. Software is available and used along with direct observation by analysts to extract information from large amounts of unstructured data, such as the hundreds of thousands of tweets per minute that can accompany events of wide public interest. Blair was able to focus his resources on a “parade” of the kind which often ends in flipping and burning cars while a relatively small number of officers successfully presaged a secondary incident.

Riots in Oakland after a light sentence was given to a police officer in the killing of Oscar Grant. Ray Brooks of the Northern California Regional Intelligence Center told another panel that his fusion center monitored social media for threats with technology including geofencing after the verdict was delivered, in anticipation of unrest.

Blair also says that the organizer of the event was very effectively using Twitter and Facebook to promote it and direct congregants. He says this person was their “best intelligence officer,” as he was not only posting video and images from on scene with descriptions, but had left on his GPS and was allowing them to closely track his real time location. Toronto PD’s intelligence on the Palestinian demonstration was enhanced by the media the organizer posted, allowing them to survey the setting and identify people from images and video. The Star has reported that Toronto Police used the Canadian Banking Association’s facial recognition software in attempting to identify suspects involved in actions at the 2010 G20 Summit. (An intense set of photos can be found here of the property damage and clashes between protesters, called “thugs” by the mayor, and police).

The Chief says that Toronto was able to both monitor and influence the organizer such that whatever potential the demonstration had for creating conflict was defused.

Milwaukee has been able to positively identify protesters allegedly in the act of committing crimes, Assistant Chief Liebold reported to the panel, and in one case actually deferred immediate arrest in favor of crowd control and avoiding an appearance on the news in violent confrontation with demonstrators, making the arrest after the “Black Bloc” action subsided (Milwaukee experienced “Black Bloc” tactics along with other cities during Occupy protests). Liebold says that after assessing the situation via social media intelligence he gave the order not to arrest the subject in the act of destroying Milwaukee police property. He said that though it was contrary to his instinct, he knew it was better “not to appear on television fighting with protesters.”

Liebold said Milwaukee PD used social media to deter potentially violent assembly at the Wisconsin State Fair. In 2011 his force was “caught with their pants down” in what Eugene Kane of the Milwaukee Journal Sentinel told NPR was

“an incident with young African-American kids who had attended either the fair or the midway, which is the entertainment section. And fights broke out on the fairgrounds, and the fights were between the kids themselves. But at some point, the fighting spread outside of the grounds of the fair – and at that point became a racial incident with black kids basically targeting and attacking and in some cases, robbing predominantly white fairgoers.”

After an investigation of social media after the fact, Liebold says that they were able to determine that the attacks were not entirely spontaneous but in fact organized through social media and facilitated by real-time posts by alleged participants. At the 2012 and 2013 Fairs, the police were able to use information from profiles built on predicted offenders in combination with traditional law enforcement crowd control tactics, like “cutting off the head, divide and conquer,” and a “14 person rule,” which Liebold says they developed from the experience that 14 was a kind of “magic number” that could serve as a threshold to deter incitement. Milwaukee had officers on site with printed pictures of suspected participants, and made contact when they were sighted to alert them that they were being surveilled.

Liebold reports that Milwaukee has “interdicted 32 incidents” as a result of their social media strategies.

When dealing with populations that are highly responsive to social media, police departments have everything to gain from platforms like Facebook, YouTube, and Twitter. As Blair notes, their subjects “post everything about themselves,” and he admonishes his colleagues that, despite the potential of social media to get officers and agencies in trouble and perhaps result in unfavorable legislation, it is too powerful a tool as an unregulated medium to glean information and develop complex profiles for law enforcement purposes. Activists and others post everything from photos to their *political preferences all in a forum available to “open source.”

The quality of this information is not always reliable, as a report from the Philadelphia Declaration reveals.

Vulnerable populations like First Nations protesters in Canada and elsewhere who lack the access and leverage to draw mainstream media to their causes are sadly more subject to law enforcement overreach and brutality in a blackout imposed by apathy or obliviousness.

Dell Cameron reported in the Daily Dot: “What started as a peaceful protest by the Mi’kmaq First Nation in Elsipogtog, New Brunswick against a shale gas project has now spun violently out of control. After the Royal Canadian Mounted Police (RCMP) advanced on the anti-fracking protest, demonstrators clashed with police, chemical agents were deployed and at least half a dozen police vehicles were destroyed by Molotov cocktails.”

*The relaxation of restrictions imposed in the Handschu agreement, in 2002 on national security grounds, now allows the NYPD to freely conduct politically-focused intelligence-gathering from “open sources.”

Chicago PD on Stopping Incidents Organized Through Social Media Before They Start

In the same panel where a Chicago police official shared his department’s collaboration with Facebook to block criminal posting from the social media site, that officer claimed that the Chicago police have in fact already had success “getting in front” of activity that their surveillance of the internet predicted would be a public safety threat.

Here the officer recounts occasions where the Chicago PD has had success “in various areas of the city getting in front of” events, he says, “everything from the cyber banging all the way to the flash-mob type incidents.” The officer does not reveal the specific method or application used in these operations.

He also cites other occasions where the social media surveillance “enhanced prosecution,” and says that in these cases a warrant was obtained.

Chicago Police Department’s Facebook Graph Search To Stop “Cyber-Banging”

While it does not mention any direct work with Facebook, ReadWriteWeb’s Oct. 10 feature gave an overview of social media surveillance and response techniques and technology the Chicago Police say are helping them stop gang violence.

“The police department worked with a local sociologist to develop the social mapping strategy, that documents and predicts behaviors similar to how platforms like Facebook and Twitter track our relationships and conversations. The network analysis is like a real-life version of Facebook’s Graph Search, the social search tool that analyzes likes, connections and conversations to produce user-specific search results”

Chicago Police Use A Real-Life Graph Search To Stop Crime – ReadWrite.

Yesterday I reported that Chicago PD were working with Facebook to block users who post criminal content from the social networking site by device ID, and I posted a clip from a video I recorded at a panel of police chiefs discussing social media surveillance.

The clip posted was preceded by a depiction of Chicago’s gang culture presence on social media, which led to the officer’s introduction of the department’s work with Facebook to curb “incitement” online.

More Information on Facebook’s Ability to “Lock” Devices Permanently from Their Site, at IACP 2013

Earlier today I posted a report on discussion at a panel at the recent police chiefs conference that wrapped up in Philadelphia yesterday. In the panel a senior representative from the Chicago Police Department discussed his work with Facebook Chief Security Officer Joe Sullivan to permanently block users from the social media platform by account, Internet location, and device. I also reported that the technological means of identifying the device was not stated; however, upon reviewing my record of the discussion I noted two methods mentioned: by Voice Internet Phone Network (VIPN) number, and phone PIN, Personal Identification Number.

“….So at the very least they’re probably going to have to get a new computer or a new phone, because as we all know all that information can be culled from either a VIPN number or a PIN number from a phone. It’s all documented, they can actually lock it if they want to.”

The next voice you hear is that of Chuck Wexler, the Executive Director of the Police Executive Research Forum (PERF).