The use of an unmanned aircraft (UAV) or drone to conduct surveillance is contentious public issue when government does it. When the private sector does it, it is particularly contentious.
As a speaker at a training event in Toronto, Ontario, I was asked about using UAVs for surveillance. This surprised me, as these were experienced private investigators. What follows was my answer to these questions.
If a private investigator intrudes into an area where the subject has a reasonable expectation of privacy and takes pictures and video, then that material is likely to be excluded by any court in Canada. The investigator must respect the Criminal Code as well as all municipal, provincial, and territorial laws regarding trespassing and privacy. The investigator may also face criminal charges or civil suit. A civil suit will name everybody even remotely associated with the sordid affair. These consequences pale in the face of what will happen next.
When a UAV is used for work done for hire and reward, as in a private investigation, a Special Operation Flight Certificate (SFOC) from Transport Canada is required. Aeronautics Act defines hire and reward as “any payment, consideration, gratuity or benefit, directly or indirectly charged, demanded, received or collected by any person for the use of an aircraft.”
The Canadian Air Regulations (CAR) Section 602.41 states that no person shall operate an unmanned air vehicle in flight except in accordance with a Special Flight Operation Certificate. Any violation of the CAR may result in substantial penalties: up to $5000 for an individual and $25,000 for a corporation. The UAV operator bears civil liability if property damage or injury occurs. If the video or image evidence was gathered in contravention of CAR do you think any court would allow the material in evidence? If the court did allow it, would the rest of your evidence be credible?
It takes 20 days to get a SFOC for each flight. Do you think the Transport Canada would even consider giving a private investigator such a permit? Can you plan your surveillance 20 days in advance?
In the U.S.A., commercial operation of a UAV it is still illegal. The Federal Aviation Administration (FAA) is considering allowing commercial UAV use in 2015.
The mobile phone adaptor USB cable is a combination power-and-data connection that can expose your device to manipulation by some very unsavory characters. This practice is called Juicejacking and I have written about it before.
If you must recharge your mobile devices at a public recharging station then you need to practice safe recharging just like your high school health class recommended.
The USB Condom protects personal and private data stored on your mobile device while recharging. The USB Condoms only transfer power, not your data as it cuts off the data pins in a standard USB cable, preventing any data from transferring in either direction. It sells for $9.99. This is very hygienic.
However, you can abstain entirely and achieve the same results by using a power-only USB cable.
I was working on a small surveillance crew recently and we needed to change our appearances on the fly. Changing clothing is an old ploy but it wasn’t enough for this group of very alert subjects.
We bought used clothing in bigger sizes than we normally wear. I tested this clothing around people who haven’t seen me in a while. They all commented on how much weight I had lost. Some asked if I had been sick. I didn’t change, but the clothes made me look like I had lost 30 pounds. Adding a little makeup under my eyes made some people think I had a terminal illness.
Perception goes a long way. People quickly jump to conclusions–my disguise made sure it was the conclusion I wanted them to make.
So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?
The best way to avoid this threat is as follows:
- Go to chrome://settings/content
- Scroll down to Media
- Select “Do not allow any sites to access my camera and microphone.
This will disable Google’s Conversational Search, etc. but security will be increased.
I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.
I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.
I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.
I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.
At another table, I notice something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.
Do you know what the WiFi Pineapple can do?
Surveillance & the WiFi Pineapple
The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.
From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.
All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.
The simplest protection is the best. Shut-off the WiFi on your portable device. Use WiFi in secure environments only.
I previously wrote about Bluetooth and Surveillance Detection and how Bluetooth could be used to determine if you were being followed.
Prior to a recent surveillance assignment, I scanned for nearby devices and was able to identify each of the other investigators’ mobile phones. This was not a good start. I required all the team members to demonstrate that they had shut off both Bluetooth and WiFi or at least set the Bluetooth signal to be hidden except to authorized devices and shut-off the WiFi.
I don’t like doing surveillance work. It’s hectic and often unproductive, but somebody has to do it.
I have always preferred using a real camera whenever possible — the real SLR type with a long lenses. Knowing this, a colleague asked me to help out as the second man.
This white-collar type went from one office complex to another and coffee shop to coffee shop all morning. He met people and I got good pictures of the people he met. He went for lunch in a shopping mall food court. This was rather strange as he was wearing a $2000 suit. From the mezzanie I watched. He opened his briefcase and I took pictures of its contents.
The briefcase contained three intersting items, all were books. The titles were:
- How To Survive Prison For The First Time Inmate: Take a look at a dangerous society within our society
- Prison Guide: Prison Survival Secrets Revealed
- The Suburban Inmate: A Man’s Guide To Surviving Prison
Now this shone an entirely different light upon what we were doing. You guessed it, he was settling his affairs before the sentencing.
Security professionals undertake planning in relation to threat spirals. As a threat escalates, it inspires new defensive countermeasures. The security professional endeavors to get inside an opponent’s threat spiral. This means anticipating the next escalation and instituting countermeasures that insulate his principal from the future threat. Getting inside an opponent’s threat spiral requires tools, technology, and manpower.
Some form of surveillance usually precedes attacks against people and facilities. This hostile effort will include research using open sources, social engineering, and both technical and physical surveillance.
One powerful tool to get inside the threat spiral is surveillance detection. Hostile surveillance is a precursor to attack – recognising the surveillance activity gets you inside the opponent’s threat spiral.
The surveillance conscious subject is more common today than forty years ago when I started in the business. Lawyers coach claimants on how to deal with surveillance. Criminals teach each other on how to recognise surveillance. Unfortunately, PI’s do not receive much training on how to avoid detection of their surveillance efforts.
Clumsy choice or use of the initial vantage point may doom the entire surveillance effort. If the subject sees someone repeatedly over Time, in different Environments and over some Distance, and if the surveillant displays poor Demeanor, then he will know that he is under surveillance. This means that initial vantage point, and the PI’s presence there, must not be remarkable in any way.
Don’t chose the initial vantage point without first evaluating the location. Understand the appearance and behaviour of the people likely to be at the vantage point. Don’t be like the inept guy in the old detective movie — you know the one — the guy leaning against a lamp pole reading a newspaper in the middle of the night.
Observe the vantage point from a position that the subject cannot see — you have questions that need answering. What type of person is at or near the vantage point? How long can you remain at the vantage point without arousing suspicion? What appearance, behaviour or persona will allow you to remain in place without arousing suspicion? Can you follow the subject in your adopted persona or must another team member do that?
I was reviewing a stalled investigation into an apparent corporate fraud when I noticed something interesting. A surveillance photograph was in the paper file — you don’t see many real surveilance photographs any more, just muddy images taken from video.
This particular photo was so clear and detailed that I had to talk to the investigator who took it. It was taken with a long lens mounted on a camera with a 22 mp full-frame CMOS sensor. The investigator directed me to the server and directory that contained over one hundred images along with video taken using the same camera. All of this data was summarised in two paragraphs in the investigation report. This proved unfortunate, as this fine work happened early in the investigation. The investigator wrote a detailed report that someone summarised without including a proper citation. The person who did this failed to recognise that the problem had been solved. Over one year later I was hired to solve this difficult and persistent problem.
The surveillance picture clearly showed an employee pass card. The pass card clearly showed the name of the security system vendor, employee name, employee picture, and worst of all, the employee number. The employee number was the defacto authentication required for gaining information the crooks needed. During social engineering the crooks were challenged and asked for their employee number. When they provided the number the information flood gates opened.
Further investigation revealed that a fake employee pass card was made and used to gain access to the facility. The card didn’t have any electronic component, but the crook was wearing a authentic-looking employee card just like everybody else, and that was enough for him to repeatedly gain the access he needed. He just walked throughout he front door at the right time of day and followed the real employees to the department where he committed his crime, over and over again.
Once captured, this crook freely admitted that he got everything he needed from the passcards that employees wore prominently around their necks. He copied it from pictures he took, just like the first investigator did.
A colleague with offices in South Korea and Singapore was casting about trying to think of an article to write for his blog, The Erudite Risk Blog, which covers issues related to risk management in Asia.
I was pleased to help out, especially since his blog usually contains longer, more detailed articles than I usually have here. My article, Surveillance Detection, deals with creating a holistic approach to Surveillance Detection (SD). I explain how to evaluate the risk associated with hostile surveillance and the methods employed by the surveillance operative. The basics of a SD operation and organisation are explained along with risks and difficulty of conducting Counter Surveillance.
In conjunction with my SD article, I recommend reading Rodney Johnson’s Social Engineering and Information Theft and Ice to an Eskimo. Social Engineering (SE) is surveillance’s evil cousin. Physical surveillance, technical surveillance, and SE are all part of the same risk — the loss of critical information.
Most Private Investigators learn that carrying a clipboard will grant access to most places, even those with confidential data to protect. Well there is a more powerful access tool than a clipboard and his name is Dickie.
Dickie doesn’t work alone, he has friends — 2-way radio, tool belt, Maglight, hard hat, and well-worn safety boots.
Nobody ever challenges Dickie. If a particularly diligent person does question Dickie, he says, “fine with me, but it will be at least four weeks until I can get back here. We’re really backed up.” Thusly, Dickie intimidates the most diligent, pretentious, and over-dressed staff member.
Dickie has an entire wardrobe to cover all occasions. Telephone technician days he is blue as Bell detested Gray. On computer service days, he is in tan slacks with a white polo shirt. When he is fixing the troublesome copier, he is either blue or grey. On clean-up days, he helps the janitor in grey. On hot or cold days, he fixes the HVAC system in this blue-green ensemble. Sometimes he delivers parcels in his fetching brown outfit.
Dickie is a master of surveillance and disguise.
I came across a book written during the Great War that has some good tips for the surveillance operator. It introduces the essentials of spycraft of a bygone era, but it remains particularly relevant to the Investigator who conducts surveillance operations.
The attitude that espionage is a sport in which the players appreciate and honor each other is truly misplaced, but the author’s observations about how to look like you belong in a place and about the key elements of disguise are timeless. The author’s description of how he gained access to critical installations to make observations are as relevant today as the Balkans in the 1890′s.
My Adventures as a Spy, By Lt. Gen. Sir Robert Baden-Powell, is an excellent short read.
I found an excellent article on using disguise to gather information. This is the type of thing really good surveillance guys become adept at this.
I don’t do much surveillance work anymore, but recently I was pressed into service to assist a friend who was injured on the job. I took a file from his caseload at random and this led to a couple of interesting days.
This subject was very ‘surveillance-aware’. He must have been coached or read a book or two. He did all the right things, but in a very obvious and clumsy manner. This was obviously his first rodeo.
On several occasions, I observed him look at his phone then at the surrounding people. I realised that he was doing this with a purpose; I just couldn’t put it into context. It was like his practice of looking at the people in the area when he left a building and then watching the people exiting the door he used to leave the building. Then I realised my problem was that I am a mobile telephone Luddite and I needed to talk to the younger folks — you know the type, the ones always fiddling with their gadget phone thingy.
My conclusion was that the subject was using his mobile phone to scan the area for Bluetooth devices. To do this, he selected relatively confined areas, or choke-points, where he could see people in the area that he might have seen before. If he saw the same Bluetooth device at more than one of these choke-points, he knew he was being followed, and that he stood a good chance of identifying the person following him.
This was a clever use of Bluetooth technology, but it was wasted on me. I don’t carry a Bluetooth-enabled mobile.