Adam's book notes

We Are Bellingcat: An Intelligence Agency for the People

Book cover

Author: Eliot Higgins

Book details

Table of contents


Bellingcat is an online collective who investigate war crimes and fight disinformation based primarily on clues gathered on the openly available internet such as social media posts, leaked databases, online satellite maps and other such sources to do this.

Since the spread of smartphones and social media, people, innocent and guilty alike, have been providing unprecedently revealing accounts of themselves.

Paradoxically, in this age of online disinformation, facts are easier to come by than ever.

This type of work is commonly known as open-source intelligence, or OSINT.

Most of what we each believe is just based on what someone else told us. Experts are necessary but not sufficient. Today we have a lot of social mistrust, with citizens doubting experts, elites and each other. It is a disaster when truth becomes a matter of group loyalty. The Bellingcat approach is to transparently share the evidence they find so you can check their conclusions.

Chapter 1 - Revolution on a Laptop: The discovery of online investigation

The most important question about news in the digital age is how to know what is true? How can we verify that we are looking at what we think we're looking at?

Traditional journalists aim to safeguard exclusives from their competitors, but the online ethos among OSINT mindset people is to post everything of interest, share insights and make sense of it together.

The author started by watching Youtube videos from protests such as the Arab Spring and wars, drawing out the street map that they imply and using Google Maps satellite view to figure out the actual location of the clips. This is "geolocation".

This style of war reporting is especially suited to the most dangerous conflicts where to report in-person from would likely result in injury. However the material that online investigators trawl through, e.g. violent video content, can still be harmful to the mind of the researcher.

What people mean to show is not all they are revealing.

Nearly all industrial munitions are catalogued online. The author matched weapons he saw in videos to entries in Wikipedia, munitions based message boards, specialist sites like Jane's or websites about unexploded ordnance such as Uxoinfo.

If you can tell what munitions were used then that often points to who fired them.

Online hobbyists are useful. Bellingcat has used plane-spotter and license plate websites for instance.

Back in 2012 it was assumed that publishers could take what they want, sometimes unattributed, from the internet. Online content was deemed less worthy, but yet was an increasing source of public knowledge, underestimated by existing institutions.

The Information Wars started. Repressive states bypassed the critiques of traditional journalists and pumped their propaganda directly into other countries. Disinformation became important to foreign policy. It also provided material for conspiracy theorists' content.

Photos in an image provide insight as to the angle things are at. By combining the shadows left by a rocket with the Wikimapia website the author could determine who had fired missiles in Syria.

When geolocating, it's important to not get lost in detail. Pick a standout element to match against, then move onto a second and so on.

WikiLeaks are not open-source investigators. Wikileaks reveals classified information. OSI uses public information.

"Digilantism" is a reckless form of OSI, pretending to do real detective work. This happened with the Boston Bombers on Reddit.

Bellingcat's motto became ‘Identify, Verify, Amplify’:

• Identify issues overlooked and discoverable online. • Verify all evidence, never indulge in speculation. • Amplify what we learn, while amplifying the field as a whole.

OSI practitioners tend to be detail-oriented, obsessive, fascinated by computers and the internet. Their morals preclude them from other forms of impactful online behaviour such as trolling or hacking.

Chapter 2 - Becoming Bellingcat

Google Earth is one of the most useful tools. It combines satellite images and aerial photos to model the globe. You can:

Bellingcat was founded 3 days before the downing of flight MH17. The goal was to study cases where an atrocity had occurred but no-one took responsibility.

The leading Russian search engine is Yandex.

The SunCalc app, designed for photographers, lets you measure shadows in pictures in order to estimate the time of day they must have been taken.

Google Translate can help translate foreign languages, but is imperfect.

In the past citizens could do nothing when their governments lied to them. Now the online investigative community can discover the truth.

Contradictory statements from the authorities are useful as something concrete to verify or debunk.

LiveJournal is a popular Russian blogging site.

You can watch images from some traffic cameras on public websites.

The Kremlin employs a 4D approach to disinformation:

The Internet Research Agency is a troll factory based in St Petersburg where workers are paid to release huge amounts of disinformation online.

Bellingcat considers that: online claim is nothing more than a hypothesis, one validated only with backing evidence that others should be able to corroborate themselves.

People often share dashcam videos online.

The Pixifly app lets you search Instagram by location and time.

Bellingcat uses open source info as much as possible, but collaboration with other methods (e.g. more traditional investigative journalism) is fundamental to the process too

Panoramio is a tool that allows you to see photos that users have posted that are geotagged.

The timestamps on social media posts can be useful, although there are some idiosyncrasies. For example the default setting of Twitter at one point was to post in the time zone of its headquarters in San Fransisco.

Weather websites give information on historical wind or weather which can help determine e.g. which direction smoke is travelling.

The chat app Zello is popular for sharing audio clips in some areas.

Even if no definitive proof can be found, when several pieces of evidence point at the same answer then that hypothesis looks increasingly likely.

Commercial producers of satellite images such as Digital Globe may have more images available than free sources.

VKontakte aka VK is a Russian version of Facebook. On it you can search for people based on where they live, whether they served in the military, and if so then their unit and years of service.

Odnoklassniki is a social network designed to connect former classmates and friends.

Don't just search for hashtags on social media posts. In a crisis people forget to use them. Think about words people might type in haste.

Searching social media is part of online investigating. The challenge is how to sift through the vast amounts of material available.

Users of Facebook who click "love" rather than "like" on a post tend to have more open personalities and are less likely to have locked down their privacy settings. You might find out where they live, what their job is and who their friends are.

Metadata is valuable. For instance when a phone camera takes a picture it usually adds datapoints such as the time and location where it was taken.

The crowd-verification app Checkdesk lets people sign up to join an investigative project.

Reverse image search features (from companies like Google) let you check if an image was taken earlier or in a different place than it was claimed. You upload an image to the site and it tells you where else it has appeared. It's worth checking photos of suspicious social-media accounts as they often steal images from somewhere to fake an identity.

It used to be that spying from the air was a technical feat available only to flying expensive planes or satellites over a target. Now we can just browse a website.

Suddenly, any citizen could view what had previously been available only to wealthy militaries and intelligence agencies

Bellingcat thought about whether it's sufficient just to publish the reports of their findings when it's possible the information would not be acted upon. They realised that after publication the guilty parties would often delete their online activity, potentially jeopardizing the chances of bringing them to justice. They decided their first responsibility was to the victims and hence they liaise with authorities when it seems right to do so. They try to protect anyone who features in the evidence but isn't responsible for what is going on. They ask decision makers to act on what's online.

Bellingcat run workshops on how they investigate. They're involved in the "Digital Forensic Research Lab" which is an incubator of open-source innovation which has an annual summit which brings online investigators together.

Chapter 3 - Firewall of Facts: The fightback against digital dystopia

According to an indictment, Wikileaks received stolen emails from Hilary Clinton from a Russian hacker group which worked with the Russian government in order to ensure they had the maximum impact on American voters.

The Kremlin tries to hack Bellingcat behind the scenes whilst disparaging them in public.

Spear-phishing attacks are where scammers impersonate real online requests such as asking you to change your password in order to steal it. With your credentials they can leak your emails, plant evidence, publish your photos, etc.

An leaderless disinformation campaign has emerged. They ensure claims circulate between conspiracy theorists, state propagandists and alternative media outliers. The author calls that ecosystem the "Counterfactual Community".

Similar to the Bellingcat community, the Counterfactual Community includes news junkies who want to seek truth online, worry that journalistic institutions miss important stories, and want to use technological tools to hold ignorant politicians to account.

But they differ in their actions:

Investigating what conspiracy theorists say to see if there's evidence for it is a good introduction to open source investigations.

The Counterfactual Community is actually useful insomuch as they demand that investigators justify every piece of evidence, sharpening their skills.

"False triangulation" occurs when people see the same claim in several different sources and infer from this that it must be true even though in reality the sources are reporting the same original claim.

The same content is packaged up differently to appeal to different audiences.

"Alternative media" sites tend to be anti-globalist in ethos rather than divided up into the political left vs right. Some might be run by trolls and manipulative governments, but many people in the Counterfactual Community are entirely sincere.

The Counterfactual Community is frustrated that people don't take them seriously. Like Bellingcat they use videos to make points and cite social media posts. But they're often laughed at. They assume that because Bellingcat is trusted by various mainstream organisations then they must be accomplices in a conspiracy with the establishment.

Bellingcat tries to get its income from a wide range of sources so it's not dependent on anyone.

Typical journalism cultivates anonymous sources that require the journalist to ask their readers to trust them. But this risks confirmation bias, manipulation and misunderstandings. The Bellingcat method is transparent, stating where they found their evidence, what it was and making no claims over other parts of the story.

Bellingcat's focus on the Putin government and Assad regimes is not the result of a political agenda but rather that they're amongst the most violent governments of recent times that have also left a lot of open-source evidence available on the internet.

Social media giants such as Facebook and Google asked Bellingcat and others for help moderating content (oftentimes for free), but Bellingcat doesn't have enough resources to do so effectively.

If they really want to fight fake news then these services need to change their recommendation algorithms and employ a huge number of moderators.

They may well not want to spread fake news. But their profit model requires creating "engagement" which results in pushing content that is optimised towards being emotionally stirring rather than true.

There's a potential tension between social media and open-source investigators, exemplified by the time that Youtube algorithmically removed many Syrian videos for being too violent. This means they were no longer available for investigators to useas evidence.

When citizens can see evidence for themselves, lying becomes a fool’s mission

Initiatives from Facebook to conduct fact checking via partner organisations have never worked well. It can take days of research for a fact to be thoroughly checked. Organisations might manage 200 a year at most. Organisations like Snopes ended up abandoning the work.

In a system called the "Syrian Sentry", volunteers used a smartphone app to record military airfield takeoffs and flight direction which enabled them to warn rebel-held areas.

The Counterfactual Community has learned the wrong lesson from the manipulated intelligence used to justify the US-led attack on Iraq in 2003. It's not that all WMD accusations are a hoax. It's that providing evidence should be mandatory.

Online, polarisation in the US means that mainstream media voices like Fox News often ignore facts in favour of spin that backs up their preferred false narrative.

Bellingcat prioritises saving user-generated content which can disappear overnight. The major news networks archive their own footage.

The internet helped spread extremism, but was also the tool to expose it

Irony and nihilism is dominant on internet message-boards like 4chan. Unlike people who defend Assad or Putin, they don't think they're doing good for the world. Their ethos is that life is pointless and if you take anything seriously then you become the joke.

The vast majority of these forum users are men. Often they're adolescents who have very little power over their offline everyday lives. When united on the internet they got a sense of power that they could impact the world.

One survey of fascists reported that over half of them reported that they'd been red-pilled online. Discord chat logs that were leaked by Unicorn Riot allowed an analysis as to how it happened.

8chan et al have gamified mass violence.

The huge majority of video game players don't want to harm anyone else, but part of gaming culture has been incorporated into violent terror attacks.

You can't "fix" the internet any more than you can fix the rest of the world. But we shouldn't be pessimistic - the internet has also given us new powers to use for good.

Europol's initiative "Trace an Object" asks public for help identifying locations of photos of child abuse, with the victims cropped out.

"Check", the successor to Checkdesk, is a collaborative verification app.

Sweden teaches children about fake news, online propaganda and faked images whilst having a government agency to help psychologically defend their country. Finland offers public courses. Denmark created a "Trolls in your feed" publication for high school students.

Students who participated in a pilot program on media literacy were much more alert to hate speech and better at detecting fake news.

We must be alert to the techniques used against us. "Digital natives" are not exempt - a Stanford study in 2016 suggested that 82% of middle-school students couldn't differentiate a news story from an advertisement.

Fact checking projects have become common. There are at least around 300 of them in mid-2020. But they're always tiny in comparison to the reach of disinformation.

All future disaster reponsse operations should include efforts to counter misinformation.

Bellingcat has a podcast: Bellingchat.

Chapter 4 - Mice Catch Cat

In 2018, Russian intelligence offers allegedly carried out a poison attack on Sergei Skripal's house in Salisbury, UK.

Phone number sharing apps such as TrueCaller are popular in some communities. They amalgamate the contact lists of their users to make a crowd-sourced caller ID. Importantly, the names appear as what they have been saved as in people's contacts, not necessarily what the person concerned would want to be called.

People working with Bellingcat have phoned people under false pretenses on occasion in order to get audio samples of their voices. This allows forensic scientists to compare the samples with other snippets of audio in order to produce an estimate of how likely they are to have come from the same person.

Bellingcat sometimes faces ethical dilemmas. They prefer to use open sources but have turned to leaked sources or bribery at times. For example they used leaked databases of Russian flight manifests when investigating the Skripal cases, which included people's birth dates and passport numbers. They also used the services of someone they found boasting online that they could get hold of government dossiers for a 100 Euros.

Leaked databases of customers from ecommerce sites and open source phone databases can be helpful.

The same torrent sites that carry pirated movies often have leaked databases. Bellingcat found passport, address and car ownership data for Russian citizens. Usually they were out of date or incomplete, but they help to build a picture. Some databases might have originally been sold for legal means (e.g. background checks), others might have been procured by criminals.

Many messenger apps lets you see if a given phone number is currently online.

After asking former officers where future GRU might have been trained, Bellingcat found an academy that had a good reputation for training spies. Their social media site included yearbook photos and reunion galleries.

Reverse searches of vehicles databases can tell you the details of who has ever registered cars to a given address. If it's a large number of people it may be a place of work.

Experts in simulated age progression can compare photos that were taken many years apart to see if they're likely of the same person.

Employees of mobile phone operators have access to metadata that shows where the phone was at any point in time.

As Bellingcat continued to expose the brutality of others it was asked whether they themselves are in danger. The author's view is that the biggest danger comes from individuals who have become deeply enmeshed in the lies of the Counterfactual Community rather than state actors.

People and agencies have tried to hack them in the past.

Open-source investigators are risking psychological damage. The occasional exposure to traumatic imagery might be tolerable, but digging through hours of violent imagery whilst investigating can be very harmful. One associate developed panic attacks, nightmares and intrusive imagery, and was eventually diagnosed with PTSD.

Whilst viewers consciously understand that the disturbing events happened elsewhere it still triggers our nervous system as though we ourselves are in danger. Psychologists have identified a form of PTSD called "vicarious" or "secondary" trauma.

If you feel personally connected to the traumatic event - e.g. the victim looks like someone you know or you know the location well - then you may be more vulnerable.

Citizen investigators should investigate themselves now and then.

We should check in with ourselves to see if our behaviour is changing, e.g. around sleep, appetite, social contact, drinking or drugs.

Taking breaks from viewing the material and talking to others who are seeing similar things may help prevent harm. And consider whether you really need to look through everything.

...we must ask ourselves: do we need to see everything that is out there? The internet makes it so easy. That does not mean we should click.

Chapter 5 - Next steps

The Werfalli case showed that Bellingcat was now involved in discovering, archiving and providing legal evidence. This increased the responsibility they felt to preserve material that might one day by useful for prosecuting criminals. We can't rely on YouTube clips to still be around when we need them.

A paradox about the internet is that the online world seems...both enduring and ephemeral. You see a tweet, forget it almost immediately, but assume it will be there later. Not necessarily.

Technological advances continue to shape international criminal law. Bellingcat advises the International Criminal Court how to apply open-source investigation to their cases.

Sometimes it's not possible to get to the scene of a war crime. But social media evidence is available from anywhere. Digital evidence can affirm the testimony of survivors, debunk claims, and add context to other forms of evidence. Social network graphs can show how suspects relate to each other.

The Human Rights Center at the University of California has become involved after realising that ICC cases kept falling apart in their early stages. Judges felt cases relied too much on testimony rather than other evidence. Because it took so long for trials to come to court witnesses were often reluctant to show up. They've now produced a protocol for open source investigations.

3 core values:

The Yemen conflict boosted Bellingcat's relevance, rigour and standards. It was almost impossible to conduct traditional news reporting due their government refusing entry to most journalists and ensuring any that did get through were stuck with minders.

Bellingcat investigators would look at each alleged airstrike on a civilian area in Yemen and ask 6 questions: where, when, what, how, who, why. Each piece of evidence was graded as confirmed, likely, weak, unsubstantiated or unknown. The intent was to meet the standards needed for the evidence to be used by journalists, academics and lawyers.

"Hunchly" software was used to track what each investigator clicked on and viewed so the whole process can be verified by third parties later.

Bellingcat's techniques work in many sphere. These could include investigations into environmental damage, political extremism, police brutality and more. The wide scope and limited number of Bellingcat staff makes their training courses particularly important to spread the word.

Whilst doctored images have been used throughout history, media manipulations can now be done and distributed easily on a phone.

When deepfakes emerged there was concern that they'd undermine the techniques Bellingcat use to verify evidence. But whilst they're a threat, we can defend against them by understanding what is possible, informing ourselves, preparing for and responding to them.

Media literacy training can help but is hard to keep up to date.

OpenAI created an algorithm that writes coherent text independently. The research was not released at the time for fear of misuse by automated trolls who could use it to engage people in arguments, push conspiracy theories and pollute meaningful discussion.

Audio deepfakes are already in use by scammers, e.g. replicating the voice of a manager to ask an employee to send money.

AI can create photos of people who never existed. The Which Face Is Real website illustrates this.

Companies that create software which can be used to manipulate media must consider their ethical responsibilities. They should build tools to detect as well as to deceive. Perhaps metadata should be uploaded each time a photo is taken that could be checked by forensic specialists.

Already you can remove a person or object from a photo, change the weather, swap faces, edit body movements, change what people appear to say or do.

Possible consequences of this "synthetic media" include:

Deepfakes are improving all the time. As soon as a flaw is spotted it is generally fixed quickly. The models are becoming easier and cheaper to run.

They spread through the same disinformation routes as other types of media do.

A single photo or video must be considered in the context of what else exists.

If people become sceptical (rather than cynical) about what they see online, that is a public good.

AI may also have positive uses for Bellingcat's work. Machine learning provides a way to process the vast amount of information that exists online. For instance, an AI could tag all examples of cluster-munitions usage found within millions of videos for human review. It could trawl through thousands of social media posts highlight suspicious entries to investigators.

It can also help know what questions to ask. The Pandora system monitors emergency dispatch calls, extracting datapoints, cross-references against other databases, and provides real time advice on what the dispatch operator should ask the caller.

A reverse-search for videos would be invaluable to investigators.

There's a tension though in that any tool that's of use to Bellingcat investigators might be useful to intelligence agencies elsewhere. How much should they be publicised?

Virtual reality software can combine several images of a location into a photorealistic 3D model - a "digital memory". With VR, investigators could examine scenes in 3D.

Providers of disinformation now have a vast array of tools and access to huge audiences. To combat that we must act cooperatively, not with the traditional secrecy and jealousy seen in journalism.

...societies are only becoming more connected. Humans share more of their experiences online for the world to see. The blank zones are shrinking.

Bellingcat has a free Online Investigation Toolkit that includes links to many sources of evidence.

Undergoing some basic training on how to verify information should be a basic requirement for modern life.

The field of open-source investigation lacks diversity. Few women are involved. Part of this may be because the attacks by the Counterfactual community on women are particularly aggressive.

Citizens' projects might be less glamourous than war coverage but can still have international impact or inspire others elsewhere.

Amnesty International has a Digital Verification Corps for university students, and a Decoders platform where members of the public can help.

Bellingcat's "Identify, Verify, Amplify" principles have now expanded to include an ethic, social mission and a drive for accountability. They see themselves as a kind of combination of journalists, human-rights activists, computer scientists, archivists, academic researchers and criminal investigators.


Bellingcat's Github repos have some open-source home-grown tools that are useful for investigators.

The Bellingcat method has endless applications. What unifies our work is a drive for accountability. We take scattered facts online and try to turn them into justice.

Recent posts