Locating Missing People: A Crowdsourced and Global Use of OSINT

#OSINTForGood

At the beginning of February, Neotas Analysts took part in a global competition in which they contributed to active global missing persons investigations. They joined a community of 140 teams of OSINT practitioners from around the world, ranging from law enforcement officers to threat intelligence analysts and information security bounty hunters, in a Capture-the-Flag event organised by TraceLabs.

Because the competition was hosted in Canada, snacks and energy drinks were at the ready for a 6-hour nocturnal challenge as the team set out to gather intelligence on 7 live missing persons cases from Canada, the USA and Australia. Points were scored for any information which could lead to the location of the missing person, including social media profiles, IP addresses, activity on the dark web, recent friends and associates, unique identifiers, and geolocation of activity.

The event was a fantastic way of harnessing both the skills and curiosity of experts in the field in a concerted effort to support law enforcement teams often lacking in resources. Over 6 hours, hundreds of participants submitted pieces of intelligence which could be collated and passed on to law enforcement to aid in their investigations.

We finished in 12th place out of 140. We are thrilled to have contributed to the collection of valuable intelligence, and finishing so high up on a leaderboard full of OSINT specialists from around the world was an added bonus. Our team made over 120 of the event's 5000+ submissions, a record total for such an event and a significant achievement for a volunteer-run challenge.

We are proud to see yet another application of #OSINTForGood and its community growing so quickly. Thank you to TraceLabs for putting on a very worthwhile and successful event; we will see you at the next one!

Social media screening in the spotlight after government controversy

Social media background screening is again in the spotlight after the latest controversy involving a UK government official. The UK Government is once again under scrutiny for its hiring and vetting process, following the “reprehensible” and “racist” comments online of Downing Street adviser Andrew Sabisky.

Online reputation screening and social media background checks remain absent from the official public sector hiring guidelines. As a result, high-profile, avoidable controversies such as this continue to crop up. Since there are likely still unsavoury comments out there in the public domain, waiting to be found, surely it’s time for governments to introduce social media screening to their background check policies?

Mr. Sabisky, who has since resigned as the PM’s top aide, recently prompted fury with his views on eugenics, race and women. In 2014, he wrote that to stop unplanned pregnancies from creating a “permanent underclass”, there should be legal enforcement of contraception. His comments online also suggested that black Americans had lower IQs than white Americans.

Ian Lavery, the chairman of the Labour Party, wrote in a letter to the PM, “there are unanswered questions about how someone with such abhorrent views was ever considered for employment in the first place.” The spotlight is now focused on the Government, with its recruitment and vetting processes very much in question. Business minister Kwasi Kwarteng has also stated that the Government’s hiring process should be “looked at”.

It is no surprise that when unsavoury comments are discovered online, the reputational damage and public outcry can be huge. As we’ve stated before, a proactive attitude towards online reputation screening could have mitigated risk from the outset and informed the hiring process.

Our message to any employer would be that if it’s out there for all to see, wouldn’t you want to see it first? We just hope the Government seriously considers online reputation screening, following in the footsteps of the Federal Government in the US.

Online Reputation Screening should be provided by independently accredited providers, such as those accredited by the Association For Online Due Diligence (AFODD), to ensure it is conducted in a legal and compliant manner. Only employment-related business risks should be flagged, such as terrorism, violent content, and hate and discriminatory behaviour. Online reputation screening helps firms to recruit with confidence and gives employers the opportunity to open up a healthy dialogue about their behaviour online.

If you would like to know more about social media screening, please feel free to schedule a call with our team here. Alternatively, you can build a no-obligation quote using our pricing tool here.

Guide for SRA-regulated firms: Offensive Communications Online

As our online and offline personas increasingly converge, the spotlight is being shone on law firms and the online behaviour of their members. The SRA has recently updated its guidance, warning “the same ethical obligations of professional conduct apply in an online environment”. We take a look at what this means in practice and how law firms can ensure compliance today.

What online behaviour is offensive?

The SRA has experienced a significant increase in the number of complaints concerning inappropriate communications, including the use of social media inside and outside of practice. The regulator expects professionals to “behave in a way that demonstrates integrity and maintains the trust the public places in you and in the provision of legal services”. Examples of the type of behaviour they have investigated (and referred to the SDT) include hate and discriminatory behaviour, the use of derogatory language, sexually explicit comments and abusive comments directed towards other firms or clients. The list goes on.

Who is at risk?

Managers of firms hold the responsibility to ensure that their members do not cross these lines. SRA-regulated firms “must take all reasonable steps to ensure that the firm complies with [our] regulatory arrangements”, including “identifying, monitoring and managing all material risks to the business”.

If a member of your firm sends or posts an inappropriate or offensive communication, it not only puts you at risk under the SRA Principles, but it also has the potential to cause significant reputational and financial damage, for example if clients react by withdrawing their business or are deterred from instructing your firm. In some circumstances, you could also be liable for your employee’s actions if the communication amounts to victimising or harassing a third party.

How can you ensure compliance and mitigate risk now?

1. Put a social media policy in place

There is no one-size-fits-all approach here. You should ensure you have a policy that feels in line with company culture as well as ensuring compliance and best practice. Also, consider the nature and size of your firm to determine whether you need to put further systems or controls in place.

2. Only identify business-related risks

Only posts that fall within agreed risk categories should be captured and reported on, which would typically include issues such as racism, sexism, illegal activity, or anything that could bring the firm into disrepute. With a robust approach to checks, it becomes easy to ensure that new hires, promotions and scheduled reviews are all screened quickly and that any risks are highlighted without the process becoming intrusive.

3. Make use of technology and trusted third parties

Here technology can help. Don’t spend significant time internally trying to monitor, as you will not be efficient or compliant and will undoubtedly review content that you don’t want or need to see. A trusted third party will save you time, ensure you only see business-relevant information and deliver an auditable, robust process that will meet the Regulator’s expectations.

4. Beware of online pseudonyms

As the SRA points out, “anonymity is not guaranteed; material which you post under a pseudonym may still be traced back to you”. The technology goes far beyond a simple name check, and we routinely identify multiple online aliases tied to one individual. Having a very corporate account on Twitter, for example, and a second “angry” account under a different username does not mean that the rules won’t apply.

As the regulator and the press are increasingly picking up on conduct issues, social media best practice and online reputation screening become critical in mitigating the risk for firms.

If you’d like to know more about how to quickly implement a compliant and cost-effective approach to help protect your firm and its members, please give us a call on 0208 090 2622.