In the wake of the Capitol invasion and riot, a Twitter-based, crowd-sourced effort to uncover the perpetrators’ identities swung into action. Dylan Reeve explains how Open Source Intelligence (OSINT) works, and who it’s helped bring to justice so far.
The recent events in Washington DC were significant for many reasons, but one was how well documented they were and what that has enabled. Hundreds of self-styled online detectives – including myself – have devoted hours to scouring footage and photographs from the US Capitol to identify those who participated in the almost-coup.
This is a process I’m not entirely unfamiliar with. During the production of Tickled, the documentary film I co-directed with David Farrier, we used many online resources and images to identify various people and places of interest. And, more recently, I used publicly available online information to identify the person behind harmful rumours about a Covid-19 cluster in Auckland. But it’s definitely not an exact science, and is something that has the potential to cause harm if used irresponsibly.
But these sorts of identification efforts don’t always turn out well. The poster child for online identification efforts gone wrong is Reddit’s collective effort to identify the people behind the Boston Marathon bombing in 2013. A forum on the site was created in the immediate aftermath of the event to collectively crowdsource information about possible suspects. It was, to put it mildly, not a success.
Reddit users quickly focused on a young man reported missing in the area a few weeks earlier, and soon his family were receiving phone calls and threats. Their false identification was picked up by mainstream media and amplified significantly on other social media networks. Ultimately the man they identified, who was entirely uninvolved in the bombing, was found dead a week later, having taken his own life. His death wasn’t likely a result of the misidentification, but the harassment and attention his family received certainly inflamed their suffering.
This is a tale that has been repeated many times over subsequent years when identified individuals are the subject of speculation online. Internet sleuths have successfully and unsuccessfully identified (and misidentified) viral video racists, violent protesters, abusive cops and criminal suspects.
How has it been going?
Are recent efforts around the Capitol invasion going any better, and how are they being carried out?
While identification efforts are taking place in many places online, most activity is happening on Twitter where one user in particular has led the charge – John Scott-Railton of University of Toronto’s Citizen Lab. Calling upon the collective skills of thousands of Twitter users, Scott-Railton has successfully identified a number of key figures from the attempted insurrection.
Scott-Railton has taken his role seriously and taken a measured approach to his identification efforts – collecting information from many tipsters, collating the things that seem relevant then updating followers with next steps and progress, only publicly identifying once he has 100% confidence and authorities have been informed. But not all his followers are as restrained.
Many replies in his threads searching for the identities of two men photographed in combat dress and carrying zip-tie handcuffs were quick to throw out potential false suspects – tweets which were then amplified by others.
— John Scott-Railton (@jsrailton) January 7, 2021
Both people identified by Scott-Railton’s effort on this case – Eric Munchel and Retired Lt. Col. Larry Brock – have been arrested by the FBI and are facing multiple charges. The latter, as a result of Scott-Railton’s investigatory efforts, also found himself the subject of a New Yorker article by Ronan Farrow.
So far there doesn’t seem to have been any high profile false identifications, but many people are willing to spread unconfirmed information.
How is it being done?
There are no specific road maps for identifying people online, but there are many techniques. I’ll summarise the process that unmasked Eric Munchel and highlight a few points about some of the steps.
Early in the process a number of identifying features of Munchel’s appearance were identified. These included symbols on his hat, badges on his body armour, and the clothing itself.
Markings he is wearing: a Tennessee thin blue line PVC patch, an “AR Flag” trucker cap, Punisher Flag PVC patch… pic.twitter.com/hyvUlSHHs5
— John Scott-Railton (@jsrailton) January 7, 2021
With the aid of many in the replies some of those items were narrowed down even more, to the point of being able to pick out exactly what clothing items he was wearing. From there he was identified in other images and videos that had been shared from the event. Eventually locating an image where he was photographed with a woman whose face was not hidden.
Soon he was identified in a hotel foyer live-stream after the event based on his clothing and being in the company of the woman he’d been photographed with earlier.
NEW: Moderate-high confidence match for Male #1 gives interview in lobby of Grand Hyatt. Note mention of his taser and possible contact with police.
Please help with DM'd identification. pic.twitter.com/cNRBDKlopR
— John Scott-Railton (@jsrailton) January 9, 2021
Working on the fact he’d been seen wearing a Tennessee-shaped badge on his vest, some researchers started scouring public photos of Tennessee militia members and soon found images of him attending protests in the same outfit leading to Facebook friends, and ultimately his own Facebook page. Further confirmation was found there in the form of photographs with the same woman from DC – his mother.
Insurrectionists take note: your friends may be unknowingly snitching
At multiple points in the investigation to identify Munchel he was exposed by people he assumed to be friends or on his side. Initially he was unmasked by being featured in a live-stream video by a fellow alt-right believer. Later, his identity was exposed in photos taken and shared by others he’d protested with in the past.
Breadcrumbs and points of confirmation
The key to this sort of work is often finding small jumping off points. In Munchel’s case that included the state-shaped badge, quite unique clothing and equipment. From there those items could be used to identify him in other imagery. In other cases this could be a username or part of a phone number, for example.
Where this often goes wrong is that inexperienced researchers will immediately publish their first potential match based, at times, on little more than a superficial similarity in photographs.
Once a potential match is found, it’s important to look for further points of confirmation. Can you find examples of your suspect with the same items? Or with the same people? The more points the better.
And a final question is: do you need to identify them publicly, or is there a better option? Once a public accusation is made the genie is out of the bottle.
Becoming a skilled investigator
Because every online investigation is different there is no simple recipe, but there are many techniques and tools that can be deployed. Some of the best learning resources are provided by Bellingcat, an online collective of investigators and journalists who have become world leaders in using OSINT – Open Source Intelligence – to find people and solve mysteries.
Their guides can be found here.
Enjoy exploring, but always try to second guess yourself before pointing any fingers.
You can find ongoing investigations of the Capitol invaders among the Twitter feeds of:
Subscribe to The Bulletin to get all the day’s key news stories in five minutes – delivered every weekday at 7.30am.