An Example of Cell Phone Metadata Forensic Surveillance

In this long article on the 2005 assassination of Rafik Hariri in Beirut, there's a detailed section on what the investigators were able to learn from the cell phone metadata:

At Eid's request, a judge ordered Lebanon's two cellphone companies, Alfa and MTC Touch, to produce records of calls and text messages in Lebanon in the four months before the bombing. Eid then studied the records in secret for months. He focused on the phone records of Hariri and his entourage, looking at whom they called, where they went, whom they met and when. He also followed where Adass, the supposed suicide bomber, spent time before he disappeared. He looked at all the calls that took place along the route taken by Hariri's entourage on the day of the assassination. Always he looked for cause and effect. How did one call lead to the next? "He was brilliant, just brilliant," the senior U.N. investigator told me. "He himself, on his own, developed a simple but amazingly efficient program to set about mining this massive bank of data."

The simple algorithm quickly revealed a peculiar pattern. In October 2004, just after Hariri resigned, a certain cluster of cellphones began following him and his now-reduced motorcade wherever they went. These phones stayed close day and night, until the day of the bombing -­ when nearly all 63 phones in the group immediately went dark and never worked again.


The investigators now turned their full attention to the cellphone records. Building on Eid's work, they determined that the assassins worked in groups, each with a leader and each adhering to specific procedures. Everyone in the group called the leader, and he called everyone in the group, but the lower-level operatives never called one another.

The investigators gave each group a color. The green group consisted of 18 Alfa phones, purchased with fake identification from two shops in South Beirut in July and August 2004. The purpose of the fake IDs was not to defraud Alfa out of payment; every month from September 2004 to May 2005, someone went to an Alfa office and paid all 18 bills in cash, without leaving any clue to his identity. The total phone bill for the green network, including activation fees, was $7,375 ­-- a prodigious amount, considering that 15 of the green group's 18 phones went almost entirely unused.

The first spike in call activity occurred in September 2004, immediately after Hariri announced his resignation. The investigators contend that the green group was at the center of the conspiracy. The phone number 3140023 belonged to the top leader, and the numbers 3159300 and 3150071 belonged to his two deputies. (He called them and they called him, but with those phones, they never called each other.) The two deputies carried phones belonging to other groups, through which they passed on instructions to the other participants in the operation. When a member of one group would call a group leader, the group leader would often follow up by switching to a green phone and calling the supreme leader, who was nearly always in South Beirut, where Hezbollah keeps its headquarters.

On Oct. 20, 2004, the day Hariri left office and his security detail was significantly reduced, the blue group went into operation. It originally worked according to the same rules as the green group, but its active membership increased from three phones to 15, with seven connected to Alfa and eight to MTC Touch. All of the blue phones were prepaid. Some were acquired as early as 2003 and had seen little or no use. The people who bought them also gave false identification, and again money seemed to be in plentiful supply. The minutes that expired each month went largely unused, but the phones were loaded again and again. When the blue group went dark, the phones still had unused minutes worth $4,287.

The prosecutors say the blue group followed Hariri's movements. On the morning of Oct. 20, its members were already deployed around Quraitem Palace. At 10:30 a.m., Hariri set out toward Parliament and then to the presidential palace, where Lahoud was waiting to receive his resignation. The cell towers picked up the blue group's members moving with him and calling their chief. From then on, the blue phones trailed Hariri nearly everywhere --­ to Parliament, to meetings with political leaders, to long lunches at the Saint-Georges Yacht Club & Marina. When Hariri was at his home, so were they. When he flew abroad, they moved with him to the airport and then stopped operating until he returned, when they would pick up the trail again.

Eventually, the yellow group was added....

There's a lot more. It's section 6 of the article.

See also this example.

Posted on May 6, 2015 at 7:09 AM • 29 Comments


MikeMay 6, 2015 7:50 AM

What does the story tell us? That data retention and metadata records are a good thing?

Having a time machine where forensic analysis can travel back in time to reconstruct the events might make things easier for investigators, but are the risks of suspicionless data retention worth it?

SnoMay 6, 2015 8:20 AM

Didn't they do something similar at some point in "The Wire"? Identify the leaders of a group by analyzing the "hub-spoke" pattern of who's calling who, I mean?

Clive RobinsonMay 6, 2015 8:36 AM

The description is of a well resoursed state level operation, thus the paterns seen are what you would expect to see.

The question now is not wether the meta data worked, but how much longer it will work.

Organised groups knowing such measures are in place will simply change the way they maintain communications.

However they will lose the advantages mobile phones gave them in terms of the fact carrying and using a phone is not suspicious to observers and "stop and search" street cops and has the fast response times.

TimHMay 6, 2015 9:43 AM

Add noise. Each person has 6 phones not one, and each day each rolls a die to select the phone for that day, including the same one again. Add a second roll for when to reselect the phone, so the changeover event is time-noisy too. If team members swap phones between themselves, perhaps by having the extra phones in a large stash, then linking the phones becomes even tougher.

Bob S.May 6, 2015 10:34 AM

Rummaging through meta data, old camera videos, the hard drive AFTER some heinous crime occurs tells you having that stuff did no good in PREVENTING the crime. Depending on the circumstances the data might help locate the bad guy, or not if he/they were careful.

Meta data in itself is a vast sea of white noise. Recording all the white noise in the world is very expensive.

If the citizenry were truly allowed to know or have input on the degree of mass surveillance, I think they would be shocked at the scale and cost. That in return might cause reasonable persons to reduce or eliminate it.

That's a big if, and as it stands now, impossible.

ScottMay 6, 2015 10:44 AM

Hmm, seems like a CB radio, or other point to point radio, transmitting encrypted digital voice, bypassing the infrastructure completely, seems a viable option to NSA snooping. Used to be not long ago nobody had a cell phone. I remember as a kid getting a CB radio and talking to my friends much like everyone does today with their cell phone.

UhuMay 6, 2015 11:08 AM

@Bob S.: After reading the article, I think this is not only about understanding the past. Once you understand how such an operation works, it might give you the possibility to detect similar communications pattern in the future. In fact, it appears to me that some of the revealed methods of NSA might be based on information gathered here (maybe they were developed in parallel).

@TimH: This was my first thought, too, but I think it would not work. There were probably more than 30 persons involved, and probably around 5 leaders. Only the leaders would have advanced training, the others might just have been foot soldiers, like kids you pick up on the street, give them a cell phone and some money, and make them observe something. Likely the foot soldiers did not only not communicate directly, they might never have known each other. Then how do you coordinate which phone is to be used by whom at what time? Even the leaders were not always successful in managing their various phones.

After reading the article, I started thinking about rules to detect such an obvious pattern of communication. It then occurred to me that my private phone number would probably trigger such an automatic surveillance (phone always on, always traveling with second phone, rarely used for communication, only very limited number (~5) of contacts called and called from). Maybe I wasn't imagining being followed... :-)

David LeppikMay 6, 2015 11:57 AM

One way to use this sort of metadata would be to find groups that are tracking VIPs. For example, if the President visits a sparsely populated part of Wyoming, look at all the phones in that area. See if those phones are part of a similar hub-and-spoke cell, and then see if those cells track the President when he goes other places.

albertMay 6, 2015 2:01 PM

@Bob S,
Prevention is a different issue, yes. Post-event forensics might help to catch perps, but it would be surprising to me that pattern recognition would help to catch them before the crime is committed. It's a little simpler if you have a small list of VIPs to protect, but random attacks don't need a lot of planning. Punishment is no deterrent to suicide bombers.
The advantage of cell phones is that you're a small fish in a big ocean. Radio (walkie-talkie, CB, etc) might work, but it's trackable, and Allah help you if you're caught with a set. There are RF systems that are very difficult to track, but they're not sufficiently portable at this time.
It's a very expensive cat-and-mouse game that will continue to be played out unless we root out the causes of terrorism. And that won't happen by killing all the terrorists; the system doesn't work that way.

Andrew WallaceMay 6, 2015 2:19 PM

YOUR data is collected in mass in the same way sand is collected to sieve out gold fragments in gold mines.

Because technology has become cheaper to mass store and data compress large chunks of user data, that is why the Government has started mass surveillance.

Purely to do with economics.

Sure, the Government may be pushing new legislation but that's just to cover the data storage concerns that citizens have voiced.

If you are up to know good I hope you are one of the gold fragments caught by mass surveillance.


Bob S,May 6, 2015 2:45 PM


Re: "...detect similar communications pattern in the future..."

Absolutely. That's the theory. It's the same one that causes our federal government to declare persons who buy batteries, flashlights or pay for stuff in cash might be terrorists!

See: Cash is trash: Big American Brother gives hints on how to spot citizen terrorists

TSA thinks people who wear shoes might be a terrorist (because the shoe bomber did). Fingernail clippers. Water bottle. Yup, all those meta data patterns might reveal a terrorist, or millions of people just trying to negotiate the mass surveillance gauntlet.


Right. Two guys say (in private non-electonically), "Hey, let's do something bad". That's a plan, and if they figure they are going to die trying, why would they care about a trail of meta data crumbs that will reveal their identity?

Clive RobinsonMay 6, 2015 3:49 PM

@ Albert, Scott,

There are RF systems that are very difficult to track, but they're not sufficiently portable at this time.

The simple way is low power and very high frequency.

There is a fairly simple radio chip you can get which is designed for digital audio transmission which can be made Bluetooth compatible or some other variation you want for childrens toys etc.

It works in the ISM band IF you use the correct XTAL however it will actually work just as well with other XTALs that would put it above or below the ISM band.

Because it's designed for full duplex head sets or toys it needs little power to work line of sight, and only moderatly more for a couple of hundred meters and with some going around corners. Thus making a repeater and putting it on a hobbyist drone would give the authorities quite a head ache tracking etc without showing their hand.

I've built very light weight Xband repeaters for video transmission from RC aircraft to base that work well over five miles in all "flyable weather". Making the antenna higher gain and stearable using GPS coordinates is a half semester undergraduate project. +24GHz equipment is now becoming fairly easily available as are higher frequencies, converting the output of a digital audio chip to work with such microwave head ends is relativly simple and there is plenty of amateur radio articles giving just about all the details for the less technically educated.

If I was a legislator I would be becoming quite paranoid about the technical capabilities now available for just a few thousand dollars.

Of course Google are not "helping" their idea about delivering books etc by drone means that it will not be long before long range drones capable of carrying a couple of Kgs of load will be readily available. Oh and a 1Kg shaped charge can do one heck of a lot of damage if landed in the right place, have a look at photos of RPG damage to see this....

UhuMay 7, 2015 4:17 AM

@Bob S: Thanks for the link (what about people who cannot get credit? :-)). Just for the record, in case this was not clear, while I see how one can get excited about metadata filters to find potentially dangerous patterns, I am very well aware of the false positives. In particular, I have more and more the impression that I must have triggered quite a few rules :-)

rgaffMay 7, 2015 5:54 AM

Well, you're here. You visited a "security" blog... that's already a strike against you! Only criminals would do such a thing, right?

OMG you even commented... that's strike two...

...aaaand some government pencil pusher doesn't like what you said, strrrrrike three! Prison for you... if you're lucky.

NikMay 7, 2015 7:42 AM


Re: Drones with payload

I was just telling a dear friend that Drones with a payload are a great tool for "operations". You can detonate the in the air as well for a decent scatter radius and I'm not sure what the defense for something like that would be at a large event. I do wonder if purchases of "large drones" such as for photography that can carry kgs and can take pictures / video for mountain climbers are monitored..

JaysonMay 7, 2015 9:07 AM


If I was a legislator I would be becoming quite paranoid about the technical capabilities now available for just a few thousand dollars.

Never fear, there are plenty of legislators who are eager to regulate every aspect of life.


I do wonder if purchases of "large drones" such as for photography that can carry kgs and can take pictures / video for mountain climbers are monitored..

Probably to the same extent that cars/trucks are monitored for their capability to carry far larger payloads.

Generally, I highly doubt if we'll ever see the age of the driverless car or drone pizza delivery due to the pervasive fear of technology.

Nick PMay 7, 2015 11:38 AM

@ Clive, Jayson

"If I was a legislator I would be becoming quite paranoid about the technical capabilities now available for just a few thousand dollars."

Every time a terrorist attack happens, the executive branch and legislators both push more regulation and expand budgets. The legislators themselves, often investing in defense contractors, made large sums of money on the U.S. government's post-9/11 activities. So, they're more than happy to see new threats make the news so long as they don't get hit personally.

JonMay 7, 2015 5:42 PM

What they're not telling you is that they tracked 630,000 phones, and of those, 63 tended to be near the suspect.

Good luck if you happened to be an innocent victim of statistics.


MrTroyMay 7, 2015 11:30 PM


It's kind of in the included exerpt, if you read carefully:

"He focused on the phone records of Hariri and his entourage, looking at whom they called, where they went, whom they met and when. He also followed where Adass, the supposed suicide bomber, spent time before he disappeared. He looked at all the calls that took place along the route taken by Hariri's entourage on the day of the assassination."

Specifically, the part about "calls that took place along the route taken by" the entourage includes everyone that happened to be nearby. Which means that Eid probably had the whole data dump from the phone companies.

I agree with albert though. It's one thing to look backwards through some data sets, starting with the knowledge that there is probably something to be found, and having some seed data about locations and times. It's a completely different thing to look at data in real-time, trying to find possible patterns that might lead to something happening at some location and time. The false-positive rate would have to be nearly zero or you'd keep a small country in work sifting through each alarm, and I'm not sure what that says about the false-negative and true-positive rates...

I wonder how different a drug distribution network would look compared with Avon (or any other legitimate non-direct product distribution network)

rgaffMay 8, 2015 12:22 AM

Yeah, look out, maybe I didn't make enough random phone calls today, or some criminal walked down my street (or used my lawyer or doctor etc), and now I'll be fingered for all his crimes...

albertMay 8, 2015 1:38 PM

@Clive Robinson, Scott, Nick P, etc.
I was reading about crazy low frequency (CLF:) RF a while back (you know about the submarine communications). Amateurs are communicating thousands of km using frequencies in the 20-40 Hz range, and also the 70Hz and up ranges (avoiding those 60/50Hz power line frequencies). Thousand-watt audio amps are available and relatively cheap. The trick is in the antenna design. A PC sound card makes a great receiver(with a preamp and filters). I'll try to find some links. There are also high-power amps for applications like 'shaker tables' (1Hz is possible) and of course frequencies up to 100KHz are practical as well. A good sound card can do 20kHz, and 'down converters' can be used as well for higher frequencies. CLF would be difficult to monitor from mobile units, if anyone even thought to do it.
Data rates are extremely low. I suppose you could use a combination of keying the carrier, and amplitude shifts (like WWV). 'Go' signals are possible, and 'directional' codes (go 'here', see this) would work to supply more information through more established systems.

Nick PMay 8, 2015 1:52 PM

@ albert

I'm not sure you can do a mobile, low-frequency system. I checked out ELF and VLF a while back. The antennas are ridiculously large. The systems are so impractical that even the military minimizes their use. For spies on the go, burst communications is the definitive method. I'll leave the frequencies, antenna, power settings, and other factors for more knowledgeable people to decide.

albertMay 8, 2015 5:19 PM

@Nick P
It depends on the distances involved. A 'base station' could easily cover a city. Receiving antennas can be as small as 4 feet in diameter. The big problem is grounding your mobile receiver. A hydraulic stake is impractical, but it would be cool:). RF engineers are quite clever these days, and I'll bet they could come up with solutions if there were sufficient motivation. Radio amateurs do this stuff because they can, and it's fun.
The problem with these solutions is that they make you different, when you want to blend in with the crowd.

Clive RobinsonMay 9, 2015 5:50 AM

@ Albert, Nick P,

VLF systems are as you note fairly easy to build using off the shelf audio amplifiers, the problem is they are not very efficient.

What is even less efficient is conventional antenna systems, especially as the wavelengths get comparable to the earths radius.

However as cave divers know you can have man portable two way radio systems that work through quite a bit of rock and allow voice bandwidth communications.

However the amature radio buffs tend to do things the easy way for them which is slow keyed morse (stays in their licence restrictions) which as it's also a CW system means they can make more efficient transmitters...

An audio amplifier is generaly a class A or class AB amplifier which is inefficient. There are class D and class H systems out there but they have other issues that make them more complex and quite a bit larger. Also there is the question of if the THD of the audio amp is going to meet the -80dBc requirements. Which is why quite a few amatures use class F systems using scarily large inductors.

The way to make an electricaly short antenna work is usually to accept that it's input impedence is going to be high... however if your antenna impedence is up around 10K a quick Pwr =V^2/R for 1KW gives some scarily high peak voltages +- 4.5KV meaning you need 10KV insulation as a minimum which is kind of thick...

So you go the other way and use loop antennas which can be made fairly easily with a few reels of 16/0.2 hook up wire and garden sized diameter frames.

There is however another way which is illegal in most places but works ;-) which is to "gama match" into railway lines that are either not being used or are disused but not yet torn up for scrap. I suspect using over head power pylons would work in a similar way if certain precautions were not in place.

As for VLF transmitters, as I said above Class D amplifiers have issues in that they generate square waves which have high harmonic power. Class F avoids this issue by a trick of reflecting odd harmonic power back to the switching device, thus only the fundemental has any power. There is however another series of tricks you can do by using Walsh systems... Which as I designed a Walsh based "pure sinewave UPS" back in the 1980's is still very much my preffered way of building the few very high power VLF amps I've had to build.

Very simply you take three Walsh squarewave sequencies generated by very efficient switched bridge circuits -normally used for driving big stepper motors etc-- and add them in a transformer the result is a nice clean and efficiently generated sinewave and 10KW of power can be done in quite a small unit about the size of a small kitchen cooker, and due to it's efficiency will run off of a "kitchen cooker" mains power outlet. As it's all "digital" frequency control is easy, and unlike a Class F system --which needs constant manual adjustment-- it can do a couple of octives in frequency without requiring any re-tuning.

If slow morse etc is your desired modulation then you are home and dry, but it's actually not a good way to go. Phase Reverse Keying can get data rates upto 0.7f and more complicated PAM systems can do high data rates in low bandwidth.

Whilst phase modulation at VLF can be done with an 8bit microcontroler that generates the Walsh sequences amplitude modulation can be a lot harder if you don't think about it the right way...

The initial solution I used during testing was to use transformers to add the output of two or more out phased Walsh generators together, it works fine at low power but has issues at higher powers due to core issues.

One traditional way to do efficient AM with Class C high power is by a cophase Doherty Amplifier by a process now called "load pull", however it has issues with tuned elements in the output stage, which is undesirable for anything other than fixed frequency systems, which is fine if you are using Class F amps but not otherwise.

The solution I went for, for simple digital PAM at low power was to drive the switching bridges from a Class H power supply.

However there are other forms of modulation FSK being one and conveniently it's easy to do with a Walsh generator of any power but Class F can not do it at VLF. One interesting form of FSK is "Six Tone Piccolo" developed by the Diplomatic Wireless Service (DWS) of the UK Foreign and Commonwealth Office (F&CO) back in the post WWII years. For what appears to be a complex system to generate at the time, it offered what was amazing performance compared to other modulation systems and was capable of maintaining a 50baud teleprinter circuit over HF in conditions where even the best of morse operators could not even tune into a morse signal let alone convert it to text.

The DWS also developed a twelve tone system with either an improved performance or four times the data rate. The Russians later developed their own nine tone system which gave twice the data rate but at a much much lower performance due to various production / opperator issues.

A modifed version of Piccolo worked remarkably well in a cave radio system I helped design but sadly although considerably better in performance than existing voice systems it was not considered practical in the pre SMS "texting" ages...

The design of cave radio antennas is of interest, in that although running at considerably higher frequencies they are quite simple to make. Technically they are a multi-turn screened loop, and in practice they are one or more lengths of wide ribbon cable inside a steel wire mesh with a tough plastic outer covering, and make a convenient "over the sholder" strap looking like a thick strap you would find on a large sports bag.

There is no reason why a similar design antenna but of longer loop length could not be made to work at VLF for transmission whilst using a multiple ferrite rod antenna for reception. Which can be made by taking standard 100mm long 8mm diameter ferrite rods and tightly binding seven at a time in a bundle and pour in ferrite loaded epoxy to make a solid bar then carefully aligning the rods glue three bundles end to end then wind around it about 1500 turns of litz wire befor embedding in a plastic water pipe for extra strength. Designs for similar ferrite antennas can be found on the internet.

The receiver needs a preselector filter with several adjustable notches even with 24bit AD converters. The hard part is if you go down the traditional LC route so it can be "DC coupled" you end up with physically very large inductors and capacitors and lots of screening issues (copper / brass / tin plate won't do it). To see how to do it have a look at "siesmic amplifier" design used by geologists.

In the past I've used "switched capacitor" filter chips from Linear Technology Corp (LTC) as easily adjustable fifth order low pass and adjustable bandwidth and frequency -60dB band reject / notch filters, driven by the output of eight bit microcontrolers. Even with 24bit DC coupled sound cards (see mods for SDR projects) a roofing or bandpass filter with notches for mains frequencies and their harmonics is a must along with a "soft clipper" or AGC system.

A look back in history suggests a way around the DC coupling and large inductor / capacitor issue and it works rather well and also enables you to put the signal into an unmodifide 24bit sound cards "sweet spot". It's a double balanced chopper amplifier using instrumentation amplifiers (opamps on steroids) and high quality matched quad fet switches. If you leave out the second down converting chopper you can view it as a very high dynamic range high linearality up converter to 10KHz. In the past parametric amplifiers have done a similar job but modern fets and instrument amps should give a similar if not slightly improved performance at considerably less cost and complexity. Either way you are looking to get the equivalent of over 170dB dynamic range out of your front end which is why having band reject / notch filters with -40dB or better performance at mains and other frequencies is a must, which is also a reason to consider making the receive antenna HiQ tunable as well.

Nick PMay 9, 2015 12:15 PM

@ Clive

I appreciate the thorough response. I've archived it for when I have an electrical engineer on hand that can turn it into working prototypes. :)

albertMay 9, 2015 12:54 PM

You have considerable experience on this subject. Like all unique solutions, one tends to stick out in the crowd. Cellular metadata is here to stay. Burners seem to be the best and cheapest way to go right now.
Personal security is the main task of the LE/IC right now, and that is as it should be. Peoples lives should have top priority. Thing is, people are not the easiest targets any more, if you catch by drift.
ELF would be a good way to handle world-wide, send only, communication. You don't need the power of a MIL installation, as your receivers aren't under water, and you don't need to send a lot of data. Just enough to say: look (here) for further information.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.