The video shows a faint glow in the distance, zig-zagging like a piece of paper caught in an underdraft, slowly meandering towards the horizon. Then there’s a bright flash and the trees in the foreground are thrown into shadow as Ukraine International Airlines flight PS752 hits the ground early on the morning of January 8, killing all 176 people on board.
At first, it seemed like an accident – engine failure was fingered as the cause – until the first video showing the plane seemingly on fire as it weaved to the ground surfaced. United States officials started to investigate, and a more complicated picture emerged. It appeared that the plane had been hit by a missile, corroborated by a second video that appears to show the moment the missile ploughs into the Boeing 737-800. While military and intelligence officials at governments around the world were conducting their inquiries in secret, a team of investigators were using open-source intelligence (OSINT) techniques to piece together the puzzle of flight PS752.
It’s not unusual nowadays for OSINT to lead the way in decoding key news events. When Sergei Skripal was poisoned, Bellingcat, an open-source intelligence website, tracked and identified his killers as they traipsed across London and Salisbury. They delved into military records to blow the cover of agents sent to kill. And in the days after the Ukraine Airlines plane crashed into the ground outside Tehran, Bellingcat and The New York Times have blown a hole in the supposition that the downing of the aircraft was an engine failure. The pressure – and the weight of public evidence – compelled Iranian officials to admit overnight on January 10 that the country had shot down the plane “in error”.
So how do they do it? “You can think of OSINT as a puzzle. To get the complete picture, you need to find the missing pieces and put everything together,” says Loránd Bodó, an OSINT analyst at Tech versus Terrorism, a campaign group. The team at Bellingcat and other open-source investigators pore over publicly available material. Thanks to our propensity to reach for our cameraphones at the sight of any newsworthy incident, video and photos are often available, posted to social media in the immediate aftermath of events. (The person who shot and uploaded the second video in this incident, of the missile appearing to hit the Boeing plane, was a perfect example: they grabbed their phone after they heard “some sort of shot fired”.) “Open source investigations essentially involve the collection, preservation, verification, and analysis of evidence that is available in the public domain to build a picture of what happened,” says Yvonne McDermott Rees, a lecturer at Swansea University.
Some of the clips in this incident surfaced on Telegram, the encrypted messaging app popular in the Middle East, while others were sent directly to Bellingcat. “Because Bellingcat is known for our open source work on MH17, people immediately thought of us. People started sending us links they'd found,” says Eliot Higgins of Bellingcat. “It was involuntary crowdsourcing.”
OSINT investigators then utilise metadata, including EXIF data – which is automatically inserted into videos and photos, showing everything from the type of camera used to take the images to the precise latitude and longitude of where the taker was standing – to verify that the footage is legitimate. They’ll also try and identify who took the footage, and whether it’s practical for them to have been where they claim to have been at the time. However, in this instance, they couldn’t use EXIF data. “People would share photos and videos on Telegram which strip the metadata, and then someone else would find that and share it on Twitter,” says Higgins. “We were really getting a second-hand or third-hand version of these images. All we have to go on is what’s visible in the photograph.” So instead they moved on to the next step.
They then look at the footage itself, often trying to geolocate precisely where the video or images were taken, in what direction the taker was facing, and what happened. It involves carefully examining every building, street sign and road seen in the footage and trying to map it onto satellite imagery. In the case of the second video of the Iran incident, the footage showed several buildings that Bellingcat and news organisation Newsy were able to identify as a residential area in Parand, a city near Tehran’s airport. By mapping the location of the images, they’re able to use tools such as Google Street View to match up the buildings and landmarks they see in the video frame to what’s in front of them. A construction site, apartment blocks and street lights helped in this instance – allowing them to establish that the taker was facing northeastwards.
The investigators then looked at what they could hear, as well as see, in the video. Identifying when the bang of the explosion was heard, combined with some maths (Pythagoras’s theorem) and the known flight path of the downed airliner from open source flight trackers such as FlightRadar24, allowed them to confirm that the aircraft in the video was PS752. When more than one video is available, the investigators will try and cross-check them against each other, syncing up a key moment in a video to corroborate that both support each other’s claims.
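The distance cross-check described above, as an added example that is not from the original article or from the investigators: it assumes the delay between the visible flash and the bang gives the slant distance at the speed of sound, and compares that with each point of a flight track. The camera position, track points, speed-of-sound constant, tolerance and function names are all constructed assumptions.

```python
import math

SPEED_OF_SOUND_M_S = 343.0   # assumption: air at about 20 °C; colder air is slower
EARTH_RADIUS_M = 6371000.0

def ground_distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def slant_from_geometry_m(camera, point):
    """Pythagoras: slant range from ground distance and height above the camera."""
    ground = ground_distance_m(camera[0], camera[1], point["lat"], point["lon"])
    return math.hypot(ground, point["height_m"])

def ground_range_from_delay_m(delay_s, height_m):
    """Invert the triangle: ground distance implied by a delay and a known height."""
    slant = SPEED_OF_SOUND_M_S * delay_s
    if slant < height_m:
        raise ValueError("delay too short for a source at that height")
    return math.sqrt(slant ** 2 - height_m ** 2)

def consistent_points(camera, track, delay_s, tolerance_m=150.0):
    """Track points whose slant range matches the flash-to-bang delay."""
    expected = SPEED_OF_SOUND_M_S * delay_s
    return [p for p in track
            if abs(slant_from_geometry_m(camera, p) - expected) <= tolerance_m]

# Constructed sample data (not real coordinates or a real flight track).
CAMERA = (10.0, 20.0)
TRACK = [
    {"t": "00:00:10", "lat": 10.01, "lon": 20.0, "height_m": 800.0},
    {"t": "00:00:40", "lat": 10.03, "lon": 20.0, "height_m": 1000.0},
    {"t": "00:01:10", "lat": 10.06, "lon": 20.0, "height_m": 1200.0},
]

if __name__ == "__main__":
    for p in consistent_points(CAMERA, TRACK, delay_s=10.0):
        print(p["t"], round(slant_from_geometry_m(CAMERA, p)), "m")
```

If no track point falls within the tolerance, either the geolocated camera position or the identification of the aircraft needs revisiting.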
From there, investigators move to other available imagery, this time of the aftermath of the crash. The crash site has reportedly been hastily bulldozed by Iranian authorities, reducing the likelihood that an official investigation will find any smoking gun for attribution. (Higgins says he has proof of that but from a confidential source, which means he can’t publish the photograph showing it.)
But two images have surfaced on social media of part of a Tor M-1 missile, which some people have claimed were taken at the crash site. However, the provenance of the images has yet to be proven, with Bellingcat mentioning the photos in its summary of the incident, but not saying they are true. It also proved difficult to pinpoint where they were taken because they were shot close up and top-down. Instead, the Bellingcat team looked at what was around them: the fragments were placed in a gulley surrounded by concrete slabs. The Bellingcat team looked at other images around the area they thought was the site of the incident to support the notion that these were legitimate.
They also pored over a 40-page technical document on the specific missile to find out how it fragments when hitting a target, to see if they could map the shrapnel holes seen in some photographs of the wreckage.
In an era of radical transparency and competing claims of fake news, where we see contemporaneous footage of incidents appear on social media, the old way of investigating incidents – where state intelligence agencies would carry out their investigations in secret and only release high-level summaries – simply wouldn't be seen as credible. OSINT throws light on the process in an attempt to reassure sceptics that the conclusions reached are grounded in fact.
And as our world becomes more complicated, with competing claims and counterclaims trying to muddy the waters around contentious incidents, OSINT and its practices will become more important. It has done so here, too: while Iran may have been able to shrug off the protestations of politicians without any proof that they were involved, the catalogue of videos and photographs, coupled with obsessive investigation, means that it has been forced to admit that it had a hand in the terrible accident.
“I think in this case in particular, and with MH17, you get statements made by various governments and bodies,” says Higgins, who spoke before Iran had admitted complicity. “We have Iran saying this wasn’t a missile, the US and others say it was a missile. Now open source information can be used to say which is most likely. And generally you find very quickly, if there’s two contradictory claims on that, it comes down to one side or the other when you look at the open-source intelligence.”
This article was originally published by WIRED UK