Social Media Analytics for Public Safety Enforcement and Intelligence

How public safety agencies can apply analytics to capture online information and turn it into intelligence for crime investigation and prevention

By Grant Woodward, SAS Canada Public Safety and Defence Specialist CPA, CA, CFE

The public safety issues that concern Canadians and the agencies that protect them are constantly evolving. In addition to dealing with current threats, these agencies must identify emerging threats, adapt to the landscape of changing legislation (see addendum) and develop human resources, skills and tools so that they are prepared to meet these ever-evolving threats.

All the while, social media has become central to the way people and groups communicate and interact. In the process, it has become a fertile source of potential intelligence. However, the sheer volume of data, the speed of events, and the relative anonymity available to those active in social media all present challenges for public safety agencies. That is why many are turning to data analytics to give them an advantage in protecting the general public.

The need for this advantage has become more urgent because of the emergence of several trends and issues:

  • The emergence of the Islamic State (IS) and the extent to which they have extended their reach to radicalize individuals in the western world to take action in their home countries.
  • The fact that social media leads by a huge margin as the vehicle by which IS and local threat actors communicate and propagate their messages.
  • The Edward Snowden incident has increased public concern about privacy and possible overstepping of individual rights by data collection and analysis. It has also spawned a movement towards a more generalized use of encryption technology.
  • Increased powers to deal with the morphing terrorist threat have been accorded to public safety agencies in several countries. Canadian Bill C-51, the “Terrorism Act 2015”, is the latest in an unprecedented series of new laws introduced and passed in the last two years. These laws enable increased access to information to allow for a more proactive approach to intelligence and enforcement to disrupt national security threats before they happen.

These issues coalesce in an interesting fashion for public safety agencies, particularly where social media is concerned. On one hand, agencies are actively engaged in countering the IS narrative using social media in an attempt to prevent domestic radicalization. On the other hand, they rely on social media to monitor known threat actors, to detect new actors, to intercept Canadians who may be attempting to travel to conflict zones, and to find and remove terrorist propaganda or those counselling others to commit acts of terrorism. All this must be done in a controlled manner that balances the preservation of individual privacy and public confidence in the ability of individual agencies and the government to protect Canadians. Not an easy mandate.

A Big Data Problem:

Public safety agencies have been using social media and open source intelligence for years when it comes to investigation of known priority targets. In these situations where in-depth tactical internet investigation is required, the investigative resources have the bandwidth and expertise to accomplish their goals. However, this is not the case in a changing environment where the number of identified potential threats is large and growing, or where there is a need to monitor issue-based social media traffic across the universe of social media users.

One example of a situation in which a large number of named individuals must be vetted is government personnel security screening, where names are searched against law enforcement and intelligence databases as well as against social media and open source information. There may also be a need to monitor or repeat these checks on a periodic basis, adding to the workload.

Even more difficult is the issue-based monitoring of social media, which includes a wide spectrum of activities and potential threats against prominent individuals, infrastructure, commercial interests, and more.

Screening-style vetting and issue-based monitoring are pushing firmly into “big data” territory, where the volume, variety and velocity of data outstrip the ability of unaided human analysts to deal with it.


Social media volumes are swamping manpower resources to create a big data problem for screening and issue-based social media monitoring for public safety.

Fortunately, the era that has created big data problems has also created the analytical computing power to tackle the challenges. In fact, it is the same technology that simultaneously makes screening and issue-based monitoring of social media manageable. The primary analytical capability is the use of a taxonomy to filter and categorize unstructured text found in social media.

As a basic definition, taxonomy refers to the branch of science concerned with classification. The goal in applying a taxonomy to unstructured data from social media is to have a computer select and classify information into categories like a human being would. Just as a human would sift through tweets and blog posts to group items by topic and sentiment (supportive, unsupportive, threatening, sarcastic etc.), a taxonomy does the same, only at a much greater rate of speed.

Taxonomies are developed to be topic-specific, hierarchical and customizable. They are based upon rules created by human analysts, but also employ statistical modelling to contribute to the development and accuracy in operation.

The basic building blocks of a taxonomy are:

  • A “product” which is the primary topic of the taxonomy, and “features” which are sub-categories under that topic. For example, “recruitment” could be a feature under the product of “terrorism”.
  • General entity definitions that are not specific to the topic of the taxonomy. “Canada” is an example of a general entity.
  • Definitions of entities that are specific to the taxonomy topic. Islamic State (IS, ISIS, ISIL) is an example of a “Terrorism” topic-specific entity.
  • Definitions of entities whose primary function is to identify sentiment. For example, “make them pay” illustrates a negative, aggressive sentiment.
  • Definitions of entities whose primary function is to identify syntactic structure.

In operation, the taxonomy categorizes social media data according to the entity definitions, syntactic structure and sentiment definitions, and calculates a likelihood score that each document is relevant to a specific topic and feature.
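The scoring step described above can be sketched in a few lines. This is an added example, not SAS code or code from the original article: the rule terms, weights, bias and logistic scoring are assumptions, the sample documents are constructed, and the syntactic-structure block is left out. It also shows why short aliases such as “IS” need case-sensitive, whole-word matching to avoid false positives on ordinary text.

```python
import math
import re

# Hypothetical taxonomy built from the article's own examples.
# Rule terms and weights are assumptions chosen for illustration.
TAXONOMY = {
    "product": "terrorism",
    "features": {"recruitment": ["recruit", "recruiting", "join the fight"]},
    "topic_entities": {"Islamic State": ["Islamic State", "ISIS", "ISIL", "IS"]},
    "general_entities": {"Canada": ["Canada", "Canadian"]},
    "sentiment": {"negative_aggressive": ["make them pay"]},
}
WEIGHTS = {"features": 2.0, "topic_entities": 1.5,
           "sentiment": 1.0, "general_entities": 0.25}
BIAS = -3.0  # keeps documents with few or no hits close to zero


def _pattern(alias):
    # All-caps aliases such as "IS" are matched case-sensitively on word
    # boundaries; otherwise every English "is" would count as an entity hit.
    flags = 0 if alias.isupper() else re.IGNORECASE
    return re.compile(r"\b" + re.escape(alias) + r"\b", flags)


def match(text):
    """Return {block: set of matched definition names} for one document."""
    hits = {}
    for block, definitions in TAXONOMY.items():
        if block == "product":
            continue
        for name, aliases in definitions.items():
            if any(_pattern(a).search(text) for a in aliases):
                hits.setdefault(block, set()).add(name)
    return hits


def score(text):
    """Logistic likelihood that the document is relevant to the product."""
    hits = match(text)
    z = BIAS + sum(WEIGHTS[b] * len(names) for b, names in hits.items())
    return 1 / (1 + math.exp(-z)), hits


# Constructed sample documents, not real posts.
DOCS = [
    "This is a photo from my trip across Canada.",
    "ISIL is recruiting online; they say they will make them pay.",
]
```

A general entity on its own barely moves the score; it is the combination of feature, topic-specific entity and sentiment hits that pushes a document towards an analyst's attention.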

In the case of a personnel screening analyst, searches can be conducted to determine whether an identified person’s social media activity scores high or low against specific taxonomies. Relevant taxonomies could include:

  • Terrorism
  • Espionage
  • Organized crime or criminal gangs

These scores can be evaluated by analysts along with information from internal and partner agency data holdings. This allows analysts to spend more time evaluating results and determining an appropriate course of action, and less time performing searches. It also enables a consistent process because an entire list of names can be scored at once using taxonomies that represent a best-practice definition of the various threats.

In the case of strategic analysts who are monitoring specific issues, the taxonomy provides a filtered dataset that can be analysed based on topics, subcategories, entities (persons, places, infrastructure, weapons, etc.), sentiment, geographic location, author, etc. The data can also be accumulated over time to allow for temporal analyses to detect changing patterns, trends and more advanced analyses to find correlations and enhance predictive analyses. Also, analysts can drill into trend lines to identify authors, photos, email addresses, social networks, etc., to make valuable connections between strategic understanding of issues and tactical operations.

Another advantage of having taxonomies at the centre of solutions serving multiple purposes is that IT architecture and costs are not duplicated. In fact, there are significant opportunities for the establishment of multi-agency environments to combine know-how in the form of common taxonomies, and to share costs.


Efficiencies gained with a common approach facilitating different analytical needs.

Final thoughts:

As the threat landscape continues to evolve, social media will undoubtedly play a critical role in public safety agencies’ ability to detect and respond to threats. Just as terrorist and criminal entities are increasingly using social media to their advantage, so too must the agencies that work to defeat their threats. While there are undoubtedly many hurdles to navigate, there is little dispute that the enormous amounts of social media data can be collected and analyzed to turn tweets and posts into useful information to protect the general public. As the volume of this data grows daily, with no sign of slowing down, new methods, ideas and models will continue to evolve to analyze it. I’ll discuss some of these in future articles, including topics such as intelligence fusion, operational security and privacy.

As a Public Safety and Defence Specialist for SAS Canada’s Public Safety and Defense team, Grant works with customers to help inform, investigate and mitigate risk with analytical strategies. Grant tweets @GrantRSWoodward and can be reached directly at



Legislative changes in Canada within the last two years:

April 2013 (Royal Assent), Bill S-7 “Combating Terrorism Act”

Following the terror plot to attack a Via Rail passenger train, this bill revived provisions from the Anti-terrorism Act that was passed immediately after the September 11, 2001 attacks in the U.S. Investigative hearings and preventive detentions were restored. In addition, the law made it a crime to leave the country or attempt to leave the country to engage in terrorist activities. It also contains penalties for harbouring a person involved in terrorism.

Charges under these new provisions have been laid against several individuals in 2015.


June 2013 (Royal Assent), Bill S-9 “Nuclear Terrorism Act”

This law introduced offences for possession, use or disposal of nuclear or radioactive material, and the possession of nuclear or radioactive devices with the intent to cause death, serious bodily harm or substantial damage to property or the environment. It also makes it illegal to commit an act against a nuclear facility with the intent to influence the actions of persons, governments or international organizations.


June 2014 (Royal Assent), Bill C-24 Reforms to “Canadian Citizenship Act”

These reforms give the government additional powers to revoke Canadian citizenship from dual citizens convicted of terrorism, treason or spying offences. The changes also allow the government to revoke Canadian citizenship from dual citizens for membership in an armed force or organized armed group engaged in armed conflict with Canada.


December 2014 (Royal Assent) – Bill C-13 “Protecting Canadians from Online Crime Act”

Although known as the “Cyberbullying Bill”, the law goes beyond cyberbullying to revisit general provisions for the search and seizure of Internet data, referred to as “lawful access” legislation.

The law creates new types of production orders that permit police to access “transmission data” that can possibly be used to discern a person’s identity, interests and habits. Tracking data that allows for geo-locating of entities is also received.


April 23, 2015 (Royal Assent), Bill C-44 “Protection of Canada from Terrorists Act”

Again, in the wake of an attack, this bill expanded the powers of the Canadian Security Intelligence Service. The bill, which had been drafted before the attack, was tabled in Parliament just days after a gunman shot an Ottawa soldier and entered Parliament’s Centre Block before being killed. The bill contains the first legal changes to the Canadian Security Intelligence Service (CSIS) Act since the service was created in 1984. Changes are designed to better safeguard the identities of intelligence informants in Canada and increase the capability of CSIS to collect intelligence in foreign locations.


June 4, 2015 (Third Reading - Senate) - Bill C-51 “Anti-terrorism Act, 2015”

This bill was introduced personally by the Prime Minister, who stated, “The proposed legislation would provide our security and law enforcement agencies with the required tools and flexibility they need to effectively detect and disrupt national security threats before they happen, keeping Canadians safe.”

While the bill contains a host of measures, the most noteworthy is the fundamental shift in the role of CSIS. In an effort to stop acts of terrorism before they occur, CSIS has been mandated to intervene to disrupt threats. These disruptive activities were completely outside of the CSIS mandate, which until now has been to collect, analyze and advise the government.

Other key elements of the bill are:

  • Enabling the effective and responsible sharing of relevant national security information across federal departments and agencies to better identify and address threats.
  • Amending Canada’s Passenger Protect Program as a response to concerns about individuals leaving Canada to engage in terrorism and related activities abroad. The threshold is lowered for adding individuals to the no-fly list.
  • Banning the promotion of terrorism or advocacy of non-specific attacks. This adds to the original anti-terrorism act which made it illegal to counsel or actively encourage someone to commit a specific terrorism offence.
  • Giving courts the authority to order the removal of terrorist material online.
  • Allowing law enforcement agencies to detain suspected terrorists before an attack and toughening penalties for violating court-ordered conditions on terrorist suspects.
  • Allowing for court proceedings to be sealed in specific circumstances to protect the identity of human sources.

