Give me your username. I’ll tell you who you are!
OSINT tools for online social media research in Germany — an essay
Humans are herd animals and creatures of habit. This makes us leave traces on the web. Even sometimes, whether we want to or not. Sure. The one person may be more careful than the next. Those with a password manager, maybe with a burner email address, disposable cell phone numbers or a username that comes from a generator — Great job to you!
But nonetheless, the majority of people are careless social media users. In data-private nations like Germany it seems social media sleuthing is increasingly a potent source for personal data investigations. Sure. It is valid to say that citizens of European countries put a lot of emphasis on data privacy. Especially Germans seem to advocate a lot for data security.
There are strong EU frameworks that rule for instance no profit should be made from someone’s personal data who did not give their consent. Further, health data is sacred. etc. etc. Sure. These rules present a stumbling block for investigators. But I’d argue, to find out more about a person on the web, it often does not even require those sensible data stacks. In short: that social media, in many ways trump all this hot talk on data privacy, especially in Germany.
More on this argument. In most of us, and it doesn’t matter where we come from, there is a deep desire to be a part of the new digital society. Somehow, somewhere we feel the urge to take part in online conversations. This is just growing and growing. Where is that easier these days to observe than in the social corner of the Internet? This is where Germany is now discovering itself.
Curiosity drives people — including perpetrators, criminals, bullies, smugglers and tax evaders — to expose themselves on the Net. What remains is certainly a nightmare for data security, But it is increasingly becoming a blessing for online research. The terrorist-hunting BND has understood the power of open source intelligence. More and more journalists from major German media companies, as well as investigators from law enforcement agencies, buying into this trend.
At the entrance of the social web, you now pay with your personal data
The sharing of data and personal information is often no longer unavoidable. If you want to be part of it, you have to pay. And not with money, but with personal data. Personal information is becoming the social currency that enables participation in social networking.
The example of online dating is perhaps extreme, but not out of place. To participate on Tinder, a minimum amount of personal information is required. To “match,” one is politely asked to reveal preferences (more on research tools here). If you don’t have a picture of yourself and don’t want to offer a believable bio, you don’t even need to show up on Tinder. It’s the same professional networking platform Linkedin. Even on anonymous portals like Glassdoor, people are urged to “take off” their clothes and expose themselves. If not, you might not get that job you applied for.
But now also much more primitively. Without an email address, username or a mobile number, you’re not even let into the online dating club on Tinder.
Some providers don’t even accept a throwaway address anymore. Especially on professional social media sites, it can occur that a Gmail address is no longer good enough and outright refused. Only serious domains are accepted, like an email address from a company domain or a university, for example. The problem for data protection, and the opportunity for Internet search here: the name of the person is often already to be found in the address, so a valid clue to confirm an identity.
If you already know where a person works, the email address of the person (according to the scheme of email addresses of other people in the company) can be confirmed.
Increasingly, platforms also require 2-factor authentication, which is often positive for security. Unfortunately, however, not with SMS 2-factor verification. Experts advise against it. On some platforms its possible that a cell phone number can be used against users, for instance in the form that it allows someone to search and find profiles with it. Facebook has once offered it too, but has closed this loophole a while ago. Other platforms have not. So some possibilities to do research with cell phone numbers remain.
Often it doenst event take that much to find someones cell phone number If you got a name, some people are careless enough to leave it laying around on by Google publicly-indexed websites. Sometimes for years. On eBay or WG-suche.de or other sites, users can leave data like a contact number. If these can be dug up— often deleted but perhaps still present in the Google cache or on an entry in the WayBack Machine — these data can possibly be assigned to its owner. Ex-UK Prime Minister Boris Johnson left his personal phone number publicly available on the internet not less than 15 years. For security experts, it raised concerns that his phone had become vulnerable to hacking by foreign agents.
Sometimes phone numbers can also tell their own story. The format, there is a structure to the madness of German mobile numbers for instance, can be analysed. It can reveal how “private” or covert a user behaves. Similar to VPN IP addresses, finding nothing can also be a clue in a search. Namely, that someone wants to protect themselves here and may have something to hide. The Synapsint tool allows you to enter a phone number and guess the service provider, the “carrier”.
Often, even the location or a region of a mobile user can be narrowed down simply by looking at the mobile or broadband number. All this helps to draw parallels from the Internet to the real person behind the digital sphere.
We are hungry to share our lives
On social channels, we post details about our daily lives. We take snapshots of ourselves and our loved ones, post panoramic shots of our living spaces — pictures of our living rooms overlooking downtown, and think little of it.
If you’re not careful and set your profile to private, you may make yourself vulnerable, we are being warned. But in the end, who bothers. Those restrictions work against our intentions to be social online.
This is how pictures of interiors can be matched with old entries in property and real estate trading portals. The Immobilienscout24 platform thus became a useful source of data for researchers and journalists. Investigators can not only draw conclusions about a person’s ex-residence. Rent or sale price also possibly allow analysis on a person’s status, assets or outgoing payments (which can possibly be compared to crypto transactions). Alternatively, this work can help to reach out to sources.
Social media analysis practices can really help the police in Germany (OSINT for police incident command). For example, in the minutes before a judicial search, an OSINT investigator can look for clues that the person may be armed when the officers arrive.
But investigative journalists like my humble self and colleagues, also benefit a great deal from these techniques. In the case of Instagram-tagged faces of a post by a person: These can link to another profile which then can lead to other important sources.
Locations often play a role. For example, netizens often reveal which new restaurants and cafes they hang out at. Be it on Facebook or Russian VK. There, users explicitly mark these places as “checked in” — thus, allowing investigators to benefit and incorporate these findings in their research.
Why do netizens share so much of their personal stuff with the rest of the world?
Part is addiction to be recognised, to be affirmed, I’d day. On the one hand, it generates attention, which we all kind of like and need. On the other hand, there is social pressure demanding input for the people we meet or pass online. In this context, those who share excessively often want to be understood, appreciated etc.
Our engagement is the glue that made social media popular in the first place. Most of us want to appear authentic. Even with the most fake profiles, there is usually a shred of truth in bio data, I often found. In other words, there is usually a spark of a truth that concerns the person behind the mask.
Now you just have to know what to look for. Is it perhaps an avatar of the profile picture, the language of the posts, any spelling mistakes that reappear in other public posts or emails of a person, or other details that are compatible with the environment of this real person. In the end, it is a combination of details that can be checked and possibly cited as a clue.
Offline ID
Anonymous or not, with our posts and profile data, many of us are telling a authentic story. Who we are, what motivates us and with whom we are in contact (or would like to be). In short: what makes us tick.
For online investigators, there is usually a lot in the legends of social media accounts to verify an offline identity. For example, the history of changes to a Twitter profile can be read on Spoonbill.io.
Offline identities can also be confirmed on the rest of the Internet. A surname, possibly with a date of birth, can be matched with an online entry in a list of participants in a marathon (Berlin Marathon).
In other cases, it is a local court entry of a manager (as on handelsregister.de) that leads to the goal of verification. Alternatively, online death notices/obituaries can be used for research. For example, to verify family affiliations, online obituaries are often useful. If a member of a family dies, spouses, children, nieces, nephews, grandchildren and so on, often all neatly appear each with their full name. These Google-indexed pages, often in PDF form, can be found (useful sources are https://aspetos.com/ or https://www.trauer.de/traueranzeigen). Sites like Ancentry or Myheritage might also help here.
Sure. Much content, on forums and social media profiles, can either be irrelevant to the researcher or untrue. At worst, it’s both. But I’d argue that the majority of profiles contain “true elements”, even if the accounts are otherwise fictitious or anonymous.
Take this example: psychological preferences of how dog owners name their pets. A master gives some name to his dog. The character of the animal reminds him of an old human acquaintance. Cognitively speaking: Maybe it is not a pure coincidence after all that the dog received the name it got. Now I am not saying that this might be useful for investigators. It is the principle that counts here. It simply mean: we make intentional decisions, whether we like it or not. As investigators, we just need to find those links and verify them.
Similarly: The date of birth of his sweetheart, used as a password for a lock. Also surely no coincidence. Also here: Whoever finds this valid connection can start on social media where we present our loved ones. This is of course of form of hacking, which I, as a journalist do not embrace. But the principle stand: social online presentation can lead to great outcome for investigations of people and what makes them tick.
For the protection of personal data, this freedom of movement on social media services is often disadvantageous. It is true that German citizens are known to be more careful with their personal data than peers in other countries — such as Americans, Brits or Chinese, for example, according to research published by Harvard Business Review.
Yet more than half of respondents, some 58% (in another study by EOS in 2020) say they “frequently or occasionally” share personal data with companies, social media services or apps. This can be of great use for online research by journalists and investigators. If you believe this study, you stand a better chance of digging into a profile and finding what you’re looking for than turning up with nothing.
Using the user name for identity
On Internet forums, we describe our problems, often anonymously, with fictitious usernames. Without a profile and a username, nothing works on the net today. Sometimes the user simply uses his or her real name plus last name. This may not be wise, but it happens more often than you might think.
If you don’t have the time or the inclination to create a new noble username, you simply recycle an existing one (for example, John Dow on Facebook becomes @John_Dow199 on Twitter). If this already exists on another platform, combination skills are required. Use search operators.
This search process for profiles can also be automated to a certain extent (see Maltego). Especially when you consider the statistics of the average Western citizen — according to the market research company Brandwatch, people operate an average of 7.6 social media accounts — you understand how potentially powerful the combination of different open social media sources can be.
In practice, it might look like this: On an eBay or Etsy profile, the target person buys or sells something. This may allow conclusions to be drawn about the income work activity. On a dating platform, such as Tinder, personal-interpersonal preferences can be gathered. On LinkedIn or Xing, the resume can be traced and cross-checked. On Facebook, connections can be drawn with the rest of the family. People rant about politics on Twitter or especially Telegram. Anyone who likes the profile there could possibly be in a personal exchange. Those who have the time and passion to compile and evaluate all of this in a dossier may have a clear advantage.
This is where the real work of the online investigators starts. Does what the person says match what his profile says? Does it match other data sources off and online? If not, where is the snag?
Let’s take the example of the right-wing extremist Martin Sellner, leader of the Identitarian movement, a right wing network, which is also active in Germany and Bavaria. If you search for “Martin Sellner” on https://whatsmyname.app/, you will find a number of social media platforms. On many, the real Sellner, still continuing to hustle. Here it is not only about his terrible right-wing ideologies but also about the organization of supporters, and the dissemination of videos and images, often archived material (search engines to usernames such as NameCheckup or Sherlock perform similar here). In no time, a valid overview can be created of how and where this person may still be leaving traces on the net. The dossier work begins.
We are creatures of habit
Humans are creatures of habit. We can’t remember a hundred thousand user names, let alone keep pulling new names out of our noses. This makes it easier to search for profile connections, and in the end, personal information.
Sure, there are so-called false positives. That is, matches of user names that turn out not to be the same person. The only way to be sure is to invest the necessary verification work. So details one checks what connects the person, a place of residence for example.
My experience is that many people who are active online are often simply lazy and unbothered. This is a stereotype that has been vehemently proven again and again. Interesting personal experience here: people who manage a smaller number of online profiles have a tendency to use similar usernames (and passwords) — than people with a lot of them, who may do it professionally (like I do).
People with a lot of accounts often work with lists that contain login data, like a Google Sheets. So nothing needs to be memorized. Some choose usernames based on generators and choose stronger passwords and may work with a password manager. Professional OSINT investigators often use generators as stated here by OSINT colleague @OSINTtechniques — also to create so-called SockPuppets.
Conversely, this means that users who are less active on the social networking sites, may often be the more vulnerable — due to the lack of imagination, they usernames can be matched across sites. Their lives, in this way, can be decoded and their snippets of Information on various platforms can be combined.
They may use the same (or a slight variation of) a username on Twitter as they do on Instagram. If anonymous, they recycle the same avatar image or use the same email address to register on other platforms. Knowing this can help investigators. You just need to know how to decode it.
How journalists use these techniques, find out by following @Techjournalisto on Twitter
