What Technology Can (and Can’t) Do for Hostile Surveillance
By TorchStone VP, Scott Stewart
During my December 8 presentation at the International Protective Security Board’s Close Protection Conference, I had the opportunity to discuss the threats to high-profile individuals and their executive protection teams posed by a variety of hostile actors.
I noted that one of the commonalities of all the hostile actors posing physical threats to protectees is that they are all bound by the constraints of the attack cycle, and are thus vulnerable to detection as they progress through their various attack cycles.
Indeed, this fact is one of the foundational principles of protective intelligence and is one of the reasons protective intelligence programs are so effective in allowing security teams to become proactive rather than reactive.
During my presentation, I noted that technology can aid physical surveillance but can’t replace it.
I’d now like to expand on that point by examining some of the benefits and limitations of technologies that can be used to supplement surveillance.
Technological Surveillance Tools
Criminals have always been early adopters of technologies that can help them in the execution of their crimes.
For example, Depression-era gangsters were greatly aided by technologies such as the Ford V8 engine and the Thompson submachine gun, which allowed them to outrun and outgun the police.
In recent decades, the emergence of information technology and the internet has created a wide array of new crimes, and the internet has also proved to be a useful tool for anyone wishing to conduct surveillance.
The proliferation of information aggregators has made it easy for criminals to use these services to purchase a profile on their target that includes their date of birth, addresses, phone numbers, email addresses, social media accounts, employment information, relatives, neighbors, vehicles, etc.
Once you have identified the target’s address, work address, and vehicle, it is not difficult to begin physical surveillance.
Information aggregators are thus real threats to protective teams and save hostile actors a lot of footwork.
Other online information sources that are useful in identifying address information include property tax records (which in many jurisdictions include maps), voter registration information, Federal Election Commission political donation records, and court records, among others.
Google Earth and other mapping tools can provide satellite photos of a property and even street-level photos that can be used to identify a residence; in many cases, they may even show some of the security measures in place such as fences, gates, and cameras.
Google Earth street-level photos can also in many cases help confirm vehicle information by showing the vehicle parked at the residence.
Simple internet searches can also produce information that can be mined from news media stories, interviews, blogs, workplace biographies, and other websites that provide information pertaining to the target.
Gossip and fan sites and chatrooms can also provide sensitive information pertaining to the location, habits, and associates of high-profile people.
But perhaps the most illuminating (or harmful) source of information on a target for a surveillant is social media.
People often post more potentially damaging information on social media than they realize.
Such information can include where they live and work, as well as their habits, hobbies, and schedules.
In some cases, even when a potential target has been careful not to post sensitive information on social media, family members or friends may not be as cautious.
Rapper Pop Smoke was killed in a home invasion robbery after a criminal gang noticed the address of the LA home he was staying at was listed on the gift tag of a bag shown in a social media post made by one of his associates.
His associate also posted photos of the money and expensive jewelry at that residence—making it a tempting target for the robbers.
Even without explicitly posting the address of a particular location (or leaving sensitive metadata embedded in photographic files), an address can often be determined by the geolocation of posted photos.
Posting photos taken at a residence or workplace must thus be done with care.
Social media posts can also provide information about the security measures in place at a residence such as locks, alarms, camera systems, gates, fences, etc., allowing criminals a chance to devise ways to overcome those measures.
Internet of Spy Devices
Beyond the large amount of information that can be harvested from the internet, the advent of the internet of things—or as I call it, the internet of spy devices—has also opened up a number of vulnerabilities that can be exploited by stalkers and other hostile actors.
Televisions, security cameras, smart speakers, baby monitors, and a number of other internet-enabled devices can be vulnerable to those wishing to conduct surveillance, especially if the factory default passwords have not been changed.
Smartphones and computers are also vulnerable to being infected with remote access trojans and other types of “stalkerware” that allow them to be transformed into spy devices; dual-factor authentication, frequent changing of passwords, and the like must be employed to ensure the devices remain uncorrupted.
While many people pay close attention to cyber security, they often fail to focus on the threat posed by plain old bugs.
Clandestine audio and video devices, and car trackers including devices like Apple AirTags, are now cheaper and more widely available than ever, and are designed to be quickly and easily placed.
These listening devices and hidden cameras are not just a threat indoors.
Clandestine cameras can also be hidden in trees and shrubs either on or adjacent to a property to allow a hostile actor to remotely view a residence and track patterns of their target including departures and arrivals.
In the aftermath of the March 2016 Zaventem airport bombing in Brussels, investigators learned that the cell responsible for that attack (who were also behind the Nov. 2015 Paris attacks) had used a concealed camera placed in a bush to surveil the home of a senior Belgian nuclear official.
Drones also present an emerging threat to security operations, in that they allow a hostile actor to view security measures and personnel remotely and from above.
For many years now, groups like the Ruckus Society have been training activists to use technological tools such as radio frequency counters and programmable scanners to identify the radio channels used by security teams as they conduct preoperational surveillance, a process they refer to as “scouting.” This allows the activists to monitor security radio traffic during the execution of their direct-action operation.
Surveillance Tool Technological Limits
While the internet is indeed a valuable source of information, it is also a source of a great deal of disinformation and bad information.
Quite simply, anything found on the internet cannot be trusted unless it has been verified.
So, by using an information aggregator, a criminal may be able to obtain an address for their target, and maybe a description of the target’s vehicle, but they can’t plan an attack until the information they’ve collected has been verified.
The data must be verified in person; in other words, they must conduct surveillance.
The data one can obtain on a specific target via the internet is also in most cases incomplete, or at least not complete enough to actually plan an attack.
It may contain some indications of the security measures in place, but not all of them, or enough of them, to plan a successful operation.
From my personal background as a federal agent who planned and executed search and arrest warrants against armed criminals, there is no way I would want to execute a warrant on a residence based solely on what I could obtain via the internet.
I needed to know and verify critical facts, including obvious ones such as whether the target still lives at this address. But beyond that, eyes on the target are also a must to obtain the minutiae needed to ensure a successful raid, such as how many doors there are, which way they open, what the doors are constructed of, what kinds of locks they have, etc.
Other important information needed to plan a criminal attack that can’t be found through internet searches includes details of security operations.
Does the target use the security measures in place? Is there a security team and, if so, how do they function? A criminal must conduct surveillance to learn how security around the target operates.
Placing a concealed camera is often more discreet and efficient than assigning a person to sit on the street to conduct surveillance.
However, before a camera can be placed, surveillance must still be conducted to identify a location, and then a person must physically visit that spot to set up the camera.
Furthermore, if the security team discovers a concealed camera, they will automatically realize they are under hostile surveillance and will likely implement security measures to counter the possible threat.
The same is true with drones—if a drone is spotted surveilling a residence or a security motorcade, it will alert security that they are under hostile surveillance.
Likewise for things like bugs, car trackers, and stalkerware.
While such tools are helpful, they can also tip the target that a crime is being planned.
In the end, there is currently no technology that can totally remove the need for criminals to conduct physical surveillance as they progress through their attack cycle.
There are things that can aid surveillance and help limit the amount necessary, but surveillance remains a key vulnerability in the criminal attack cycle and a constraint that security teams can use to their advantage.