Unmasking Secrets: The Rise of Open-Source Intelligence

Dive into the world of open-source intelligence (OSINT) in this episode, where we uncover how ordinary citizens use publicly available data to unravel some of the most complex global mysteries. From tracking conflicts in real-time to exposing the truth behind high-profile incidents like the downing of Malaysia Airlines flight MH17, discover how OSINT is revolutionizing the field of investigative journalism and transforming how we perceive and verify information.

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 16 million downloads as of Nov 2023.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Reach out to me via ran@ranlevi.com.

Special Guest

Eliot Higgins

Founder and Creative Director of Bellingcat

Eliot Higgins is the founder of Bellingcat and the Brown Moses Blog. Eliot focuses on the weapons used in the conflict in Syria, and open source investigation tools and techniques.

Unmasking Secrets: The Rise of Open-Source Intelligence

In 2011, Eliot Higgins was doing admin and finance work for a company that housed refugees in the UK. Unfortunately, his company lost its government contract that year and had to shut down: Higgins found himself sitting alone in an empty office, with quite a lot of free time on his hands. 

Incidentally, 2011 was also when the first Libyan civil war broke out between forces loyal to Libya’s dictator Muammar Gaddafi, and rebels inspired by the success of other uprisings and armed rebellions in neighboring Arab nations such as Egypt and Tunisia. Drawn to news reports covering the unfolding Arab Spring, Higgins spent his days watching YouTube videos taken in Libya and arguing with other Internet sleuths about their contents – like, for example, the location of a town that the rebels claimed to have captured. 

“[Eliot] And in the video there was a mosque with a dome and a minaret. It was next to a road that was quite wide. It had two lanes of traffic separated. So I went to Google Earth: I could see the town, I could see that road running through it and when I zoomed in you could see it was very clearly wide enough, based on, for example, the width of the cars on the road. I could use that as a kind of rough measurement. And then I followed the road down and I saw a mosque with a dome and a minaret, and then I started looking at the smaller details in the original video, which were things like utility poles for example, or the way in which the pavement curved around a certain section of the mosque and all these little details which are also visible on the satellite imagery. You kind of start with a big clue and then you start narrowing it down down to the smaller and smaller details that you’ve got until you’ve got a perfect match.”

By crossing the information found in videos and photos published on Social Media and news outlets with Google Earth’s satellite imagery, Higgins was able to closely follow the fighting in Libya and deduce the location of the frontlines on a day-by-day basis. 

“[Eliot] I just found it really interesting – but no one else was doing it because it was like hey, there’s all this free information out there. There’s a way to verify it – why aren’t more people doing this?”

A year later, in 2012, Higgins started a blog named Brown Moses – after a Frank Zappa song – in which he used his internet-detective skills to report about the Syrian conflict, exposing the use of cluster bombs and chemical weapons by the Syrian government. His work gained considerable attention, and in 2014 Higgins founded Bellingcat, an investigative journalism group comprised of himself and eight other volunteers, focusing on what’s known as ‘Open Source Intelligence’ (OSINT, for short): collecting data from various public sources – from broadcast TV and radio to Social Media and blogs – and analyzing it to gain insights of the sort we would usually expect to get from professional journalists. 

Why would anyone invest hours upon hours pouring over blurry video frames and scouring endless satellite images in their free time? The answer is probably obvious to anyone who’s used to playing video games.

“[Eliot] Someone once told me I found the best computer game in the world to play. It always has new content and it’s very complex and very involving.”

Compared to computer games, however, OSINT also has the added advantage of having a real impact on the world – as Bellingcat itself was about to prove. 

MH17

On July 17, 2014 – the same month Bellingcat was founded – Malaysia Airlines Flight MH17 was en route from Amsterdam to Kuala Lumpur. Among the 283 passengers were six delegates to the 20th International AIDS conference in Melbourne, Dutch Senator Willem Witteveen, and actress Shuba Jay, a prominent Malaysian entrepreneur and stage performer. 

Cruising at an altitude of 33,000 feet, MH17 flew over Donbas in Eastern Ukraine. At that time, Donbas was the epicenter of an armed conflict between the Ukrainian government and Russian-backed separatists. Following reports that the rebels had surface-to-air missiles in their possession, some airlines decided to avoid the separatist-controlled area – but many others, including Malaysia Airlines, continued flying over it: in fact, some 900 flights crossed the region in the seven days prior. 

At 4 p.m local time, MH17’s pilots requested permission from Ukrainian Air Control to deviate some 20 miles north from their planned route, due to weather conditions. The request was approved. Nineteen minutes later, Ukrainian Air Control reached out to MH17 to facilitate the handover of control of the flight to Russian authorities – but the aircraft did not respond to radio calls. It also disappeared from the radar. A short time later, grim reports started flowing in: eyewitnesses told of an airplane breaking up in mid-air over Donbas, with the wreckage spread over a 19 square mile area in Eastern Ukraine. 

Investigators who examined the aircraft’s remains and flight data recorder pieced together MH17’s last moments. The fuselage was riddled with hundreds of small holes, indicative of high-velocity shrapnel: such shrapnel could, in theory, be the result of an engine explosion – but the penetration angle and the blistering of the paint around many of the holes told a different story. A ground-to-air missile detonated just above and to the left of the aircraft’s cockpit, instantly killing its three occupants. The impact caused an explosive decompression of the cabin, tearing the front section of the aircraft and likely incapacitating most if not all of the passengers. MH17 continued to disintegrate as it fell from the sky. All 298 passengers and crew perished in what is the deadliest airline shoot-down incident to date. 

Shortly after the crash, Ukrainian authorities pointed a finger at the separatists, claiming that the Russia-backed rebels shot down the aircraft using a Russian-made SA-11 ‘Buk’ anti-aircraft defense system, and even published a video filmed in the rebel-controlled city of Luhansk which showed such a Buk system carrying three missiles – instead of the usual four. Many analysts agreed with this claim, as the SA-11 was the only air defense system in the area at the time, which was capable of hitting targets at such a high altitude. Furthermore, shortly after the crash a Russian news website reported that the pro-Russian separatists shot down a Ukrainian air force transport plane with a missile – but after the airplane’s true identity became evident, the separatists quickly withdrew their claims and even denied having any anti-aircraft missiles capable of reaching the cruising altitude of commercial air traffic. 

Russia itself vehemently denied any involvement in the attack. Four days after the crash, the Russian Minister of Defense gave an hour-long press conference, in which he accused the Ukranians of trying to frame Russia: he presented radar data and satellite imagery that supposedly showed that MH17 was downed by a Ukrainian Su-25 fighter jet, or by a Buk system deployed by the Ukrainian armed forces.  

With accusations and counter-accusations being flung around by both sides, Eliot Higgins realized that this was a golden opportunity for his fledgling open-source intelligence organization to make its mark. 

History of OSINT

 The roots of Open Source Intelligence go back as far as the American Civil War. Confederate General Edward Porter Alexander described in his memoir, for example, how most of the information he received about the strength and organization of the Union army wasn’t from his spies in Washington, but from reading Northern newspapers reports. 

“From them we learned not only of all [troop] arrivals, but also of assignments to brigades and divisions, and, by tabulating these, we always knew quite accurately the strength of the enemy’s army.”

During WWII and the Cold War, both the British and US governments used publicly available sources to gather intelligence about Nazi Germany and the Soviet Union. But as former Senior Intelligence analyst Richard Baffa acknowledged in an article published on Babel Street, OSINT wasn’t taken seriously at the time.

“I spent 34 years in the US intelligence community as an analyst, during which time OSINT was largely an afterthought. […] My colleagues and I always recognized the importance of information from academia, think tanks and select media. But OSINT, which delivers insights based on the publicly available information and commercially available information sources, seemed at the time like background noise, not actionable intelligence.”

By 2022, however, open-source intelligence was becoming a major source of information for Intelligence Agencies. As a senior defense official told reporters, open source intelligence has played “an outsized” and “critical” role in helping the Pentagon keep track of Russia’s movements in Ukraine.

“When we get a requirement, in this case, monitoring the Russian military and their aggression, the general public around the world is our source. […] There’s a lot more data outside in the world than there is that the Intelligence community collected, and so we’re getting better organized to use it, and it’s paying great dividends to understand what’s happening.”

That shift, says Eliot Higgins, came about when smartphones and social media platforms took over the world in the late 2000s and early 2010s. 

“[Eliot] It was the launch of the iPhone in 2007 and really the popularization of smartphone technology and the development of apps – particularly social media sharing apps – that started creating a massive amount of data and connected lots of people together.”

While the events surrounding the Arab Spring in the Middle East catalyzed the many hobbyists who joined the Open Source Intelligence community – it was the latest conflict in Ukraine that served to boost its popularity, with online OSINT communities such as Project Owl more than doubling the number of their members within a few weeks of the Russian invasion. 

“[Eliot] I think Ukraine is a really great example of where it was very useful indeed. So there were, you know, in February 2022 doubts coming from various sources about wherever or not Russia would really invade Ukraine. Even Zelensky himself was trying to calm people down and say this won’t happen. What we could see through social media posts from Russia were troop movements and we could gelocate those videos and see where different units were going and in the days prior to the invasion you saw a fresh kind of wave of troop movements as troops moved from positions that were camps that were supposedly for training exercises – and starts moving closer to the border.”

The information collected by OSINT enthusiasts not only assisted Ukraine’s military efforts but also helped swing the West’s public opinion in favor of Ukraine. One notable example was when, a few weeks into the war, horrific videos showing the aftermath of a mass murder of hundreds of Ukrainian citizens in the town of Bucha started circulating the web. The Russians claimed that the Ukrainian military staged the massacre – but the OSINT community unearthed satellite imagery showing bodies lying in the city’s streets weeks before Ukraine reclaimed it. Some investigators even used facial recognition apps to identify Russian soldiers who took part in the killings, using photos and videos they posted on Russian social media platforms.  

Bellingcat’s Investigation

 In the weeks and months following the shootdown of flight MH17, Russia stepped up its efforts to discredit the claims that its separatist allies in Ukraine were the ones responsible for the attack. RT, the Russian-funded TV network, claimed that the Ukrainians shot down the aircraft in a failed attempt to assassinate President Putin. The Russians also launched what an investigative committee of the Australian parliament called ‘a cold-war style disinformation campaign’ which included attempts at editing MH17’s Wikipedia entry to remove any mention of Russian culpability, and a massive ‘astroturfing’ operation that included no less than 57,000 tweets a day that swamped social media feeds with fake news and outrageous conspiracy theories. 

Bellingcat’s volunteers, says Eliot Higgins, had little trouble dealing with such attempts at misdirection. By comparing and crossing many different pictures, videos, and satellite images, and corroborating them with eyewitness accounts, they were able to obtain a clear and cut picture of what happened in the days prior to and after the incident. 

“[Eliot] And there you had people on the ground who were taking photographs of the missile launched as it was traveling through separatist held territory. And for example, in one video we had a missile launch shot on the back of a low-loaded truck. It was just a photograph. First we geolocated it using a variety of sources. We then were able to find the time of day it was taken, because there were shadows visible in the photograph – and once you have the camera position, you can use the shadows as a sundial, effectively. […]  We also eventually even found a satellite image that showed the missile launcher on a truck as it was traveling down that same route.”

Four months after the crash, In November 2014, Bellingcat published their investigation report. In it, they were able to map the route of the Buk missile launcher as it left a Russian anti-aircraft military base near the city of Kursk, and traveled through the separatist-controlled territory in eastern Ukraine on the morning of the attack. The Buk was transported on a truck, and by using a phone number visible on the side of the truck in photographs taken by people driving on the same highway and later posted to social media, the investigators were able to confirm that the vehicle was stolen by the separatists. They were then able to pinpoint the exact location where the system was deployed and the anti-aircraft missile was fired from – and to top it off, linked the Buk system to a specific unit in the Russian military: the 53rd Anti-Aircraft Missile Brigade. 

Half a year later, Bellingcat published another report, this time debunking the satellite images presented by the Russian Ministry of Defense, which supposedly showed 4 Buk systems deployed by the Ukrainians in Donbas shortly before the attack. Using various analysis methods, the researchers came to the conclusion that the images were faked: they were in fact historical Google Earth images taken before the shoot down and digitally manipulated using Photoshop. 

This second report, however, came under attack from German image forensics expert Jens Kriese. In an interview with Spiegel magazine, Jens criticized Bellingcat’s analysis methods, describing them as ‘amateurish.’ 

“That’s an erroneous interpretation. They claim that the metadata shows that the images were processed using Photoshop. […] The truth is that the indication of Photoshop in the metadata doesn’t prove anything. Of course the Russians had to use some sort of program in order to process the satellite image for the presentation. They added frames and text blocks in order to explain it to the public. The artifacts which have been identified could be a product of that — or also a product of saving multiple times in JPG format. […] What Bellingcat is doing is nothing more than reading tea leaves. […] There is no way of knowing if the images show what Moscow is claiming. What one can say, however, is that this “analysis” has achieved nothing besides raising awareness of Bellingcat.”

Without delving into the gritty details of Jens’ analysis, it’s hard to discard the core truth in his scathing criticism: open source intelligence work is often done by amateur volunteers who lack formal training and expertise on the topics they investigate. Would any of us agree to replace our professionally-trained doctor with a well-meaning teenager who’s just very good at googling stuff?… 

Another weakness of open source intelligence lies in its crowd-sourced nature. While Bellingcat’s team is relatively small and cohesive, many OSINT investigations are the result of the combined efforts of many individuals who share the information they unearth with each other in tweets, forums and the like. This group effort is a big part of what gives open source intelligence its strength: for example, it allows the information to be discovered in a timely manner, closely following the events as they happen in the real world. 

But as any sociologist will tell you, people behave differently when they are part of a big group. As French sociologist Gustave Le Bon wrote in his 1895 seminal book The Crowd: 

“The most striking peculiarity presented by a psychological crowd is the following: Whoever be the individuals that compose it, however like or unlike be their mode of life, their occupations, their character, or their intelligence, the fact that they have been transformed into a crowd puts them in possession of a sort of collective mind which makes them feel, think, and act in a manner quite different from that in which each individual of them would feel, think, and act were he in a state of isolation.”

A good demonstration of this effect  came in 2013, when two homemade bombs detonated near the finish line of the Boston Marathon race. Following the attack, thousands of Reddit and 4Chan users combed the internet looking for clues that would help authorities nab the perpetrators. One commentator on r/findbostonbombers, a subreddit dedicated to the hunt, pointed at a potential suspect whose face bared some similarity with one seen in a photograph of the suspects released by the FBI: a 22-year-old Brown University undergraduate student named Sunil Tripathi, who had gone missing a month earlier. Within hours, Sunil’s family home was flooded with calls from people who harassed and threatened them: they received hundreds of angry emails with death threats and racist attacks, calling Sunil a terrorist and describing the horrible punishments he deserved. Sunil’s parents and siblings pleaded with the public to stop, describing Sunil as a “kind, gentle and shy young man”, an accomplished saxophone player who suffered from bouts of depression. But the harassment persisted, only subsiding when the true terrorists – brothers Dzhokhar and Tamerlan Tsarnaev, who were radicalized and inspired by Al-Qaeda – were caught following a bloody shootout with the Boston police. A few days later, Sunil’s body was found floating in a local river. 

Eliot Higgins acknowledges this problematic characteristic of open-source intelligence. 

“[Eliot] So the posted marathon bombing investigation on Reddit was a good example of how involving a large number of people can go wrong, and I’ve kind of broken this down, really in a simple way to understand it. If you have a very complicated investigation and you have a lot of people involved, what happened with the boston marathon bombing is that you have [is basically] groupthink. The loudest voices, the people who are online the most and have the strongest opinions, dominate the conversation and shift the investigation in a direction which may be wrong – whilst the kind of less frequent quieter voices who may actually be making good points get drowned out.”

When it comes to OSINT, he says, not all investigations should be treated equally. 

“[Eliot] So when you’re kind of designing an investigation that involves, you know, different numbers of people if it’s something very complicated – you generally want a small number of people working closely together on it, who have a good sense of the challenges that really like experienced investigations like our kind of core team at Bellingcat. On the other end of that scale if you have a simple question like “what is this object”, you want lots of people involved. It’s a simple, you know, a very simple question. You can share it with a large number of people. You aren’t asking them to do an in-depth investigation. So that you kind of have this line: if you want a complex investigation you have a few people, if you want a simple investigation you have lots of people.”

Strava

And it’s not only totalitarian governments such as Russia’s who should be worried by the growing impact of open source intelligence. The US military already had a glimpse of this dystopian future in 2007, when a new fleet of four Apache attack helicopters landed at an Iraqi base. A soldier took a few pictures of the helicopters, uploaded them to the Internet – and a short time later, an insurgent mortar attack destroyed them. 

Another example is that of Strava, a fitness app that’s also a “social network for athletes”: Users can share their workouts and progress with their friends, join online challenges, and praise each others’ achievements. In 2015 Strava released a new feature on its website: a global ‘heatmap’ showing GPS tracking data of every single activity ever uploaded to Strava by its users. The heatmap received a major update in 2017, with more than 3 trillion individual GPS data points – more than six times the original data from 2015. 

A few months later, an Australian OSINT aficionado noticed a running route in an unexpected location: a remote, out of the way area deep in the Syrian desert. He wondered who were the people who went jogging in what is practically the middle of nowhere, and then it hit him: the only people using fitness apps in such locations would be military personnel – and in places like Syria, mainly foreign military personnel. 

After he published his finding on Twitter, numerous investigators started to scrutinize Strava’s heatmap, looking at similar remote locations and coming up with interesting finds: a suspected CIA base in Somalia, a Patriot missile defense system in Yemen, a US special-ops base in Sudan, and many other secret facilities who weren’t visible on Google’s or Apple’s map services. By analyzing the times in which the workouts took place, one could even figure out the timetables for various activities on the bases such as security patrols, and even identify specific individuals through links to their social media accounts – an obvious treasure trove of information for anyone doing reconnaissance on US military installations abroad. 

Despite the headaches it must cause for many governments, most experts agree that open source intelligence’s potential to disrupt governments’ age-old reliance on secrecy and deception is only set to get worse. Gavin Sheridan, who in 2013 was Director of Innovation at Storyful, a news and intelligence agency, shared in a Twitter thread how he and his colleagues managed to automate their OSINT collection process. 

“Back in early 2013 we built a tool to do simultaneous queries on multiple social platforms against very large geobounded areas. Essentially I could draw a circle around *a country* and wait for *any* geotagged data to appear. The difference between this technique and Strava was you could usually quickly deduce first name and last name if you wanted, and infer other social profiles eg LinkedIn -> FB -> FB friends -> work colleagues. [For example], doing a geobounded search around Langley/Pentagon -> save all geotagged content -> create script to detect usernames from social platforms -> infer other platforms / names -> poll FB graph API -> collect list of family members. The name I coined for the tool was The God Machine, because it felt like you were watching the world from overhead and could deduce all sorts of behaviors by those lowly humans with their devices down on planet Earth.”

There’s little doubt that with modern AI technology, Gavin’s God Machine could be made much, much more powerful.

Epilogue

Since more than two-thirds of the passengers aboard flight MH17 were Dutch, the Dutch government initiated two independent investigations: one conducted by the Dutch Safety Board, and the other – the Joint Investigative Team (JIT) – was led by the Dutch police and assisted by Australia and Malaysia. The JIT’s investigators had access not only to the same open source materials that Bellingcat’s people had access to – but also to confidential information supplied by various Western Intelligence agencies. 

When the JIT report was released in September 2016, it fully validated Bellingcat’s claims, including the involvement of the Russian 53rd Anti-Aircraft Missile Brigade. Based on that report, the governments of the Netherlands and Australia issued a joint statement in which they announced that they hold Russia responsible for the deployment of the Buk anti-aircraft system and the subsequent shootdown of MH17, and would pursue legal remedies. In November 2022, a Dutch court handed down life sentences, in absentia, to three individuals, pro-Russian separatists, for the murder of the 298 passengers and crew of MH17.