Identifying suspects expeditiously in the early stages of criminal investigations is vitally important, but it’s only the start of the battle. To build and pursue cases, investigators need more information about these individuals’ activities – information such as where they go, what patterns their movements take and with what sorts of potential confederates they’re interacting.
Digital data often reveals extensive detail about such individuals’ lives, and advanced tools today can provide unprecedented advantages in unearthing and connecting it. SS8 Networks’ new Discovery platform – a secure, cloud-based software-as-a-service (SaaS) solution designed to help investigators from agencies of any size combine, fuse, analyze and monitor digital evidence and data from dozens of valuable sources – can not only allow authorities to identify possible culprits and others of interest, it can also help locate them and track their movements.
“When you look at our industry, most of our competitors either focus on lawful reception or location,” said Cemal Dikmen, Ph.D., SS8’s chief technology and security officer. (Lawful reception or interception means the acquisition of digital data via methods that comply with legal requirements like warrants, subpoenas, etc.) “We can do both at the same time. We have capabilities in both areas and therefore offer a more complete solution. Our data fusion capabilities can provide a comprehensive analysis of subjects’ communications and patterns of life.”
The specific module within Discovery (and Intellego XT, the company’s signature platform that served as its foundation) that powers the location tracking is Globe. It’s a location analytics and intelligence module that helps discover and link the who (phone/smart device subscriber information), where (latitude/longitude) and when (event timestamps) of complex investigations.
Where have you been?
Globe draws location data from sources in two ways, via file ingestion or RESTful APIs. Location file ingestion basically entails continuous file updates that contain location events from various sources. It’s useful when agencies or data providers lack live network access but can exchange regular batch files — common in lawful intercept or data-request workflows. RESTful APIs are web-based interfaces that facilitate regular data exchanges using HTTP requests between programs. These automate workflows and let systems pull data easily from each other. Globe does this in near-real time – useful for purposes like live tracking and geofence alerts – without any file handling by humans.
Practically what this means is pulling raw location records from sources like cell tower hits, GPS points, Wi-Fi connections and device pings from external systems, normalizing them and ingesting them for advanced analysis.
“From the mobile device we can track the location of a suspect in real time as well as capture their historical location information over time,” said Dikmen. “We can figure out where that person was last week, was yesterday and is right now. We also have the ability, based on a warrant, to look into their communications – starting with the metadata, who’s talking to who, and then, if the warrant allows, listen to the conversations as well. And this includes communications like SMS, Rich Communication Services and messaging services.”
Discovery puts that all together in an advanced platform, designed around law enforcement workflows, that can identify relevant data, trace suspects’ movements and present it all to investigators in a convenient, digestible package.
Closer to the target
As location tracking technologies advance, the precision of monitoring subjects’ locations continues to increase.
“In the past, location information was only available at the cell ID level,” explained Dikmen. “With 2G and 3G technologies, the size of a cell was measured in kilometers or miles – in city areas maybe a quarter of a mile, but still very large.
“Since then, two things have happened. One is, as the technology evolved and bandwidth requirements increased as we went to 4G and 5G, cell sizes shrank. Now if you go into a city area and look at a 5G cell site, it’ll have a radius of maybe 100 meters. And then we’ve also developed new technologies that can look at signal strength and timing information between the handset and the cell site, and collecting this information from multiple cell sites allows us to locate that phone much more accurately. With 2G or 3G and a cell size in the kilometer or mile range, we could locate down to 50- or 100-meter accuracy. With 5G we can get close to GPS levels of accuracy, like 10 meters.”
Cell sites are just one method of determining location. Discovery can leverage others as well, including the marketing identifiers attached to smartphones by their operating systems. These are unique character strings used by apps and advertisers to track user behavior without directly revealing personal identities.
When users grant location permission, some apps associate coordinates with the device’s marketing ID, enabling ad networks to build movement profiles. Recent privacy regulations have made accessing this data harder, but where lawfully accessible under a court order, it can be extremely valuable.
“If you are using marketing IDs, while the identity is anonymous, the level of accuracy is similar to GPS,” said Dikmen. “Call detail records are generally cell ID-based, because you don’t invoke GPS when you make or receive a phone call. But marketing IDs make use of the GPS technology, and that’s one of the most accurate location methodologies.”
GPS remains the gold standard of location tracking. Smartphones’ GPS chips typically communicate with at least four satellites to triangulate precise locations and often use cell towers and Wi-Fi networks to narrow and expedite that process. Outdoor location accuracy can be as precise as five meters under clear sky. GPS coordinates commonly appear in photo metadata and some app telemetry.
Live location tracking via GPS/cell data and retrieval of historical location data both generally require warrants, but both can be done without possession of the phone.
“When it comes to helping with criminal investigations, we have different types of technologies that can do both real-time as well as historical location tracking,” said Dikmen. “We can collect and store location over long periods of time, and we can also query the system to see where someone is right at this point within a few seconds of delay.”
To this Discovery can add notifications like geofence triggering, meeting and travel detection, and alerts when certain conditions are met.
‘We can probably figure out it was you’
As these capabilities have advanced, common criminal tactics like SIM swaps and the use of burner phones have become more discernible. Discovery can help identify SIM swaps, for instance, by using a few unique identifiers, including MSISDN (phone number), IMSI (subscriber identity), IMEI (device identifier) and associated metadata like activation events.
Indicators of a SIM swap may include a device that suddenly becomes associated with a different subscriber identity; a subscriber identity that suddenly becomes associated with a different device; frequent identity changes on the same device; location anomalies (e.g., unusual roaming, devices appearing in distant locations within a short period); and activation or identity change events around the same time as account takeovers, credential thefts or account locking or resets. Discovery users can set up rules and analytics to monitor such identifiers and alert when relationships change in unexpected ways.
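The first three indicators above can be expressed as a rule over a stream of identifier sightings. The following is an added example, not SS8 or Discovery code; the record layout, the alert names, the churn threshold and window, and all identifier values are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sightings: (timestamp, IMSI, IMEI). All values are made up.
EVENTS = [
    ("2024-05-01T08:00:00", "imsi-A", "imei-1"),
    ("2024-05-02T09:00:00", "imsi-A", "imei-1"),
    ("2024-05-03T10:00:00", "imsi-B", "imei-1"),  # device shows a new subscriber identity
    ("2024-05-03T18:00:00", "imsi-C", "imei-1"),
    ("2024-05-04T07:00:00", "imsi-D", "imei-1"),  # third change on the same device
    ("2024-05-04T12:00:00", "imsi-A", "imei-2"),  # subscriber shows up on a new device
]

def detect_identity_changes(events, churn_threshold=3, churn_window=timedelta(days=7)):
    """Return alerts as (timestamp, kind, key, old_value, new_value)."""
    last_imsi_for_imei = {}               # IMEI -> most recent IMSI seen on it
    last_imei_for_imsi = {}               # IMSI -> most recent IMEI it was seen in
    changes_by_imei = defaultdict(list)   # IMEI -> times its IMSI changed
    alerts = []
    for ts_raw, imsi, imei in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        # Indicator 1: a device becomes associated with a different subscriber.
        prev_imsi = last_imsi_for_imei.get(imei)
        if prev_imsi is not None and prev_imsi != imsi:
            alerts.append((ts_raw, "device_new_subscriber", imei, prev_imsi, imsi))
            # Indicator 3: frequent identity changes on the same device.
            recent = [t for t in changes_by_imei[imei] if ts - t <= churn_window]
            recent.append(ts)
            changes_by_imei[imei] = recent
            if len(recent) >= churn_threshold:
                alerts.append((ts_raw, "frequent_identity_changes", imei, None, len(recent)))
        # Indicator 2: a subscriber identity becomes associated with a different device.
        prev_imei = last_imei_for_imsi.get(imsi)
        if prev_imei is not None and prev_imei != imei:
            alerts.append((ts_raw, "subscriber_new_device", imsi, prev_imei, imei))
        last_imsi_for_imei[imei] = imsi
        last_imei_for_imsi[imsi] = imei
    return alerts

if __name__ == "__main__":
    for alert in detect_identity_changes(EVENTS):
        print(alert)
```

A single binding change is also what a legitimate handset upgrade or SIM replacement looks like, so in practice such alerts are correlated with the account-takeover, reset and location signals the paragraph lists before anyone acts on them.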
Burner phones can be more challenging, but those key identifiers can also permit detection of indicators that suggest burner or anonymous phones – for instance, devices that are used for a short time, then discarded; that have minimal metadata; or IMSIs and IMEIs with no prior history.
“If I buy a $50 phone with a new number, make five calls and throw it out, it can be very difficult to determine who bought that phone and made those calls,” said Dikmen. “But say you’re calling someone multiple times a day. Then suddenly someone receives five calls from a number that’s previously not known. Now we know the person with that phone knows the caller too. At that point we may not know it’s you, but it’s one of that person’s associates, and maybe that’s 100 people to look into instead of 10,000. Then, with location information and everything else, we can probably figure out it was you.”
Other key attributes include meeting and travel detection. Meeting detection provides alerts based on two or more individuals being in close proximity for a certain duration. Travel detection identifies subjects traveling together for a certain period of time.
Create actionable intelligence
Globe has a full-featured user interface that’s quick, easy to use and compatible with a wide range of web-based and self-hosted maps providing both street-level mapping and satellite imagery. Visual trails highlight the travel and speed of subjects of interest.
The Discovery platform is scalable and affordable, via subscription-based pricing, for organizations of all sizes. “Being offered in the cloud helps keep it accessible for state and local-level law enforcement organizations,” noted DeAnn Baker, SS8’s vice president of marketing.
Active in 25 countries, SS8 has over 25 years’ experience in lawful intelligence interception for law enforcement, intelligence community, communication service providers and mobile network operators.
“We have a very comprehensive suite of capabilities that will take data from different sources and provide a single-pane-of-glass view for law enforcement to analyze it and create actionable intelligence so they can go and chase these criminals,” said Dikmen. “It’s a powerful tool to fight against serious and organized crime.”
For more information, visit SS8.