Identifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other Internet Bread Crumbs

Interesting story of how the police can identify someone by following the evidence chain from website to website.

According to filings in Blumenthal's case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30.

It showed the woman, in flame-retardant gloves, grabbing a burning piece of a police barricade that had already been used to set one squad car on fire and tossing it into the police SUV parked nearby. Within seconds, that car was also engulfed in flames.

Investigators discovered other images depicting the same scene on Instagram and the video sharing website Vimeo. Those allowed agents to zoom in and identify a stylized tattoo of a peace sign on the woman's right forearm.

Scouring other images ­-- including a cache of roughly 500 photos of the Philly protest shared by an amateur photographer ­-- agents found shots of a woman with the same tattoo that gave a clear depiction of the slogan on her T-shirt.

[...]

That shirt, agents said, was found to have been sold only in one location: a shop on Etsy, the online marketplace for crafters, purveyors of custom-made clothing and jewelry, and other collectibles....

The top review on her page, dated just six days before the protest, was from a user identifying herself as "Xx Mv," who listed her location as Philadelphia and her username as "alleycatlore."

A Google search of that handle led agents to an account on Poshmark, the mobile fashion marketplace, with a user handle "lore-elisabeth." And subsequent searches for that name turned up Blumenthal's LinkedIn profile, where she identifies herself as a graduate of William Penn Charter School and several yoga and massage therapy training centers.

From there, they located Blumenthal's Jenkintown massage studio and its website, which featured videos demonstrating her at work. On her forearm, agents discovered, was the same distinctive tattoo that investigators first identified on the arsonist in the original TV video.

The obvious moral isn't a new one: don't have a distinctive tattoo. But more interesting is how different pieces of evidence can be strung together in order to identify someone. This particular chain was put together manually, but expect machine learning techniques to be able to do this sort of thing automatically -- and for organizations like the NSA to implement them on a broad scale.

Another article did a more detailed analysis, and concludes that the Etsy review was the linchpin.

Note to commenters: political commentary on the protesters or protests will be deleted. There are many other forums on the Internet to discuss that.

Posted on June 22, 2020 at 7:35 AM • 40 Comments

Comments

AnonJune 22, 2020 8:07 AM

Well, you can also take this the offensive way: DO wear fake distinctive tatoos, to throw off searches.

QJune 22, 2020 8:09 AM

I don't think the Etsy review was needed. Just subpoena Etsy for a list of all the people that purchased that T-shirt in that colour, and Blumenthal's name will be one of them.

AlphagerJune 22, 2020 8:41 AM

The obvious question for me: is this the real way they identified the person, or is this just the parallel construction?

PatrickJune 22, 2020 8:44 AM

Basic investigative work. People are creatures of habit. They use the same screen names and / or derivatives of the same ID so they can remember it. Same with passwords. In many cases, they have been using the same screen names for years or they bring back a screen name they used years ago. In many cases bringing back an old screen name is fruitful because the old profile may still be out there and is a treasure trove of information.

People are also conditioned to use social media. And, as we know, social media has a long tail. So unless you have made an effort to not post things or done a spectacular job erasing your past posts, it is quite easy to pick up someone's trail online. Throw in something distinctive physically, and it becomes relative child's play. I've found that Pinterest is often the key because people will tie Pinterest to Facebook.

Keep in mind that social media, by nature, expects you to make certain things public. If you do post things publicly, it is fair game in any investigation.

MMJune 22, 2020 9:31 AM

nothing new here for Intel community analysts, Open source has been used for decades, social media and scouring online accounts is just the latest. People are fools if they think they can post their lives online and then not get caught when they have live video of them committing crimes.

Law Enforcement apparently needs to catch up

3948ee09a83c23e10677June 22, 2020 9:35 AM

Almost feel bad for people who think they have privacy while in public. People here know that cities have been adding RF trackers to their streets to go along with the gun shot triangulation microphones and red-light cameras.

Police have been using tattoos to track suspects 70+ yrs. That isn't new. "Any distinguishing marks?" Approximate height, weight, skin color, hair style or anything else you can recall about the suspect?

We know Google with a time/location fence warrant could have been used to get a smaller list of suspects. Leave the smart phone off and back at home or in the car on protest day. Don't turn it on until you are far away. A Faraday pouch couldn't hurt. Amazon sells those. "A friend" has one and it does prevent BT, wifi, GPS and cell voice+data from getting to a phone.

Wearing fairly unique clothing is not good for protestors. May want to look at how Hong Kong people all wore the same color clothing to blend together for the next time?

Destruction of property is not ok.

Bruce SchneierJune 22, 2020 9:40 AM

@Alphager:

"The obvious question for me: is this the real way they identified the person, or is this just the parallel construction?"

That is a good question. I had not thought of that.

Bruce SchneierJune 22, 2020 9:41 AM

@MM:

"Law Enforcement apparently needs to catch up"

That's definitely true. And I am okay with them having these sorts of forensic tools. It'll make them a lot less reliant on back doors.

wiredogJune 22, 2020 9:55 AM

"don't have a distinctive tattoo."
That was a requirement for going to Special Forces school when I was in the Army in the 80's. Various agencies at various levels of government have that requirement for people who may have to be covert for various reasons, too.

SwashbucklingCowboyJune 22, 2020 10:03 AM

A chain of vulnerabilities that resulted in an exploit, the kill chain would have been the tattoo or the Etsy review.

AlanSJune 22, 2020 10:18 AM

@Anon

"DO wear fake distinctive tatoos, to throw off searches."

Poison the data well.

I just read an interesting post that argued that the real damage to the Tulsa event on Saturday created by the TikTok false registration drive is not so much the empty seats (I guess a sort of denial of service attack), which seemed to be the intended effect, but that if there really were a million people asking for tickets the resulting database of ticket requestors, the fuel for an election campaign, is full of junk. How do they distinguish the real registrants from the fake registrants? Do they have to spend endless resources chasing 'bread crumbs' to distinguish the real from the fake? Or do they just have to toss the data from the event?

Clive RobinsonJune 22, 2020 10:39 AM

@ Bruce,

On another security asspect, from the article,

    "It showed the woman, in flame-retardant gloves, grabbing a burning piece of a police barricade that had already been used to set one squad car on fire and tossing it into the police SUV parked nearby. Within seconds, that car was also engulfed in flames."

How did an SUV go from parked to "engulfed in flames" in seconds?

As far as I was aware most modern vehicles which would include SUV's should be made of at the very least "fire retardant" materials.

Thus either US SUV safety specs are way way below what others consider minimally safe, or something in that SUV acted as an accelerant in a significant amount.

If it's the safety specs in the US that are significantly deficient maybe people should think about the likes of Ford Pinto's and other "tommy cooker" vehicle defects, and either buy or demand better.

AlanSJune 22, 2020 10:52 AM

What's good for the goose is good for the gander in Hong Kong: In Hong Kong Protests, Faces Become Weapons.

“The original intention is just to identify who are the policemen,” Mr. Tsui, 21, said. “If they hide their numbers and don’t show their identity, this is the only way to know.” Hong Kong police representatives have said personal information about officers and their friends and relatives had been posted online in an act known as doxxing....The police may have been motivated by the facial-recognition tool, which Mr. Cheung said he had showed off in a Facebook video he posted last month. Making use of Google technology, Mr. Cheung, a college dropout who studied computer science, built an algorithm to identify police officers based on a small collection of photos that had been posted online.

chrisJune 22, 2020 1:28 PM

@Clive Robinson

I'll be answering the FBI's questions later tonight, but here's one of the first links that comes up when you Google "how to set a car on fire":

https://jalopnik.com/i-set-two-cars-on-fire-last-night-heres-what-i-learne-1540984020

Admittedly, these guys stuffed the engine compartment with hay but the materials in the passenger compartments seem to have been left alone and one "became unsurvivable within seconds" once the fire reached it. I haven't watched the video, but I assume that the suspect threw burning materials through a window into the passenger compartment.

And cars are built from all manner of combustible materials. Police cars contain electronics, probably not a small amount of ammunition and, given the situation, "chemical agents" like tear gas (the canisters are said to be explosive) and traffic flares which may or may not be magnesium (there's a passage on that material in the link). In short, a burning vehicle is a serious threat to the safety of everyone nearby which explains why the police were so eager to find this person.

AlanJune 22, 2020 1:30 PM

Well you know Palantir and others who "DESIGN TECHNOLOGY TO HELP INSTITUTIONS PROTECT LIBERTY"...

myliitJune 22, 2020 3:23 PM

@Clive Robinson, chris

From the OP Ars Technica link above:

“Within minutes [ not seconds like the Philadelphia Inquirer link says, iirc ] of that, the SUV was then completely engulfed in flames ...”

I don’t know which, or if either, link is accurate.

Wilhelm TellJune 22, 2020 3:28 PM

These fantastic tale-stories (of intelligent policemen) are published only to cover that the evidence was in the first place collected by illegal means.

vas pupJune 22, 2020 5:15 PM

@Alphager and @Bruce:
As more of police intelligence are disclosed, the only option left is old CI work to get name and then do parallel construction based on already known technical tools for general public.

Both option could work as @Alphager point out.

The only question we discussed on this respected blog is admissibility of obtained evidence in the court, so if you disclose CI identity, bad option for future work.

By the way, do you know that most spy cases are not so often get to the court for the same reason because defense could require disclose in the court how evidence were obtained. So conclusion is it always trade work, and for future parallel construction is not going to die regardless who is in White House in November.

Methods to stop preparation of the crime or crime in progress (FBI other LEAs) and bring culprit to justice (Federal Prosecutors) do not have one-to-one relationships, i.e. not coincide 100%.

AJune 22, 2020 6:03 PM

> The obvious question for me: is this the real way they identified the person, or is this just the parallel construction?

If that was the case, why not make up an easier claim that nobody can realistically cross-check like "an anonymous tipster recognized her" rather than a convoluted chain through Etsy where everyone can actually see the evidence chain?

humdeeJune 22, 2020 7:38 PM

She was wearing flame retardant gloves the article says. If that is true she is in big trouble.

In the US legal system arson is a "mens rea" crime which means that the prosecution has to prove deliberate intent. This makes sense because you don't want to charge someone with arson for an accidental fire. She is going to have a difficult time arguing that it was an accident or an act of impulse. Flame retardant gloves is a big clue her act was premeditated.

You would think if she had planned enough to bring the proper equipment she would have planned to hide her identity better.

Clive RobinsonJune 22, 2020 8:41 PM

@ myliit,

With regards the time factor to go from burning item chucked in a vehicle to it turning into worse than an inferno from hell, have a look at the article @Chris linked too. The guy righting it is a fireman and he was observing "training fires" using a couple of old "last century rust buckets". In his article you will read,

    "That allowed flames from the engine bay to grab the headliner; the interior was unsurvivable within seconds."

That tells you that there was no accelerant other than the "headliner" which I will assume dropped globs of burning plastic cloth and foam onto plastic seats and nylon type floor carpets.

Thus "going up in seconds" is possible with last century vehicles[1].

But a third of a century later modern materials that are either "fire proof" or "fire resistant" abound in the likes of home furnishings often by law. But some materials are actually "self extinguishing" as well. Thus you would think that fairly modern vehicle passanger cabins would be made from such materials by default.

Which made me wonder why safer materials were not used, or if they were was there some kind of accelerant in the vehicle and importantly if so what and why.

Whilst I don't doubt police do carry quite a few inflamable or incendiary things, I would expect them to be in metal boxes or in the boot/trunk of the vehicle. As @chris notes,

In short, a burning vehicle is a serious threat to the safety of everyone nearby...

Which is why I would be very surprised if anything that could be an accelerant was effectively just chucked in with the driver and passengers. As that would be a real recipe for disaster every day all day.

[1] Such fast infernos are worrying... I don't know how many people who read this blog have been involved with head on crashes that might cause an engine compartment fire. But I do know from experience that the impact of such an accident can leave you dazed for quite some time. Back when I used to wear the green in the 1980's I was in a minibus with eight other squadies when turning off at a very fast and busy motorway roundabout in Kent (UK thus L/H drive). When another vehicle ploughed into the blind left side sliding door where I was sitting. As luck had it I'd caught sight of the vehicle just before it hit, and my feet were not in the footwell otherwise they would have been crushed. The minibus careered across the road as Steve who was driving fought to keep it upright from both the initial impact and mounting the curb at an angle that buckled the front left wheel and dug it's self into the grass verge. Before the minibus had stopped I'd wrenched the sliding door off it's track and jumped out, turned and ran back to the car that had hit us and was there in just seconds. The family inside were in total shock and I had to shout at the driver to turn the wheel as I started pushing the car off of what was a very very busy junction. They were still dazed and out of it as were some of the other squadies in the minibus, by the time we'd got the car up the verge and into safety, where I wrenched the drivers door open. I then ran back to the minibus where I had to actually bodily drag a couple of people out as they did not respond to being shouted at to get out. This was atleast a minuite or two after the minibus had come to a stop. Thankfully there was no fire in either vehicle nor much in the way of physical injuries though both vehicles were now basically piles of spare parts loosely bolted together. I think I was possibly the worst injured with a small cut on my left thigh where the door post colapsed into it, which became a massive bruise that lasted for days and went stiff on me. But the family in the car were still well out of it ten minutes later as you could see in their eyes and aimless movements. If there had been a fire I doubt that they would have been able to get themselves out in time, even if the doors had not been stuck. The drivers I had to wrench the open by what was effectively a "half dead lift" using the power of my leg with my foot up by the door handle and in the process ripped the window frame off the door. Something I did not think you could do but I was running on adrenaline. Whilst a couple other squaddies got the others family member out, I ran back to the minibus to get everyone else out. The upshot is I still very much doubt the family would have been able to push the doors open to get out, or even climb out through the windows, if a fire had started. It's one of those things that haunt you at night on the odd occasion, and yet another reason why I don't like being in cars and do not drive...

BenjaminJune 22, 2020 9:31 PM

There's another example from Seattle, with a similar chain based on a bunch of photos from a variety of social media sites. The details can be found in the complaint (https://www.justice.gov/usao-wdwa/press-release/file/1284716/download) which lays a very thorough chain to conclude the person in the photos is the person they arrested.

Clive RobinsonJune 22, 2020 9:59 PM

@ humdee,

She was wearing flame retardant gloves the article says.

That's something else I was wondering about.

Have a look at the photo's I don't think they are "flame retardant" gloves.

Note firstly how thin and stretchy the materials the gloves are made of are, and secondly and more importantly how they fit tightly above the wrist.

The thing about flame retardant gloves is that they are designed to stop you getting injured. As flame retardant gloves are ment for "Hot Work" they are generaly made of multiple layers of organic materials that scorch but don't burn and more importantly insulate quite well (on photo apprars to show "open weave). But even more importantly as they can get oil or other fuels on them, thus could burn due to the wicking effect, they are also made to be easy to get off, thus in all the cases I've seen, they do not get made of elasticated or similar materials that would close at or above the wrist.

Thus I suspect that those gloves are probably not fire retardant, but just light weight work or garden gloves.

Not that it effects the "mens rea" argument, very much the gloves not being ordinary apparal gloves you might carry in your pocket are an indication of intent, what in the UK was called "Going equipped".

However I suspect her lawyer could reasonably argue that as many nations and the WHO had recommended not just masks and gloves and the then US official advice was still the compleatly barmy no PPE for civilians...

Oh she was not the only one wearing gloves and face mask. Have a look at the aerial video footage in this page,

https://www.fox29.com/news/philadelphia-woman-accused-of-torching-police-cruisers-during-riots-held-without-bail

Also have you noticed how what the cort papers say does not appear to line up with the photo. That is the photo does not show her throwing the piece of burning barricade into an SUV...

It would be interesting to see video footage of her doing this but a quick DuckDuck only gave up "News Channels" and they don't have video of her currently alledged act of arson.

Oh and look at the photo's of the tattoo the one of the woman at the protest appears quite different to the one of the employee engaged in massage. I do not know how far apart in time they are but even the shape of the arms looks different, that is heavier set in the one from the protest.

lurkerJune 23, 2020 12:17 AM

@Clive

Which made me wonder why safer materials were not used,

Govt. purchase contract: down to a price, not up to a spec.

AndersJune 23, 2020 2:01 AM

Little bit about russian face searching algorithms.
Some examples when you still can get the result.

habr.com/ru/post/440402/

myliitJune 23, 2020 6:01 AM

@Clive Robinsom

“With regards the time factor to go from burning item chucked in a vehicle to it turning into worse than an inferno from hell, have a look at the article @Chris linked too. ...” From that article:

“Sh!t Whips Open For Like, No Reason

Well not no reason, I just love that headline. But doors, hoods, and hatches can blast open on a burning car with a lot of force and no warning. Other than the fact that the car's ablaze. Dampeners that hold hoods and rear tailgates up explode when heated, which is terrifying and actually a significant event in the fire.

The hood supports in the Suzuki went boom just a few minutes after the fire was lit, slamming the hood against the windshield so hard it broke the glass. That allowed flames from the engine bay to grab the headliner; the interior was unsurvivable within seconds [seconds].

Inflated Tires Explode

And do they ever. With a flare of white and a sound like a gunshot, our Suzuki's front tires succumbed to heat after the engine had been burning for three minutes at most. Hot, gooey, rubber was launched in all directions and parts that weren't vaporized made it as far as twenty feet from the car. ...”

OT, but all this is starting to remind me of the saying, something like:

“He was in a bad car accident and his face got smashed in.”


UhuJune 23, 2020 8:44 AM

Maybe they base parallel construction on search results from Clearview.ai.

myliitJune 23, 2020 10:22 AM

@Uhu, Dave Q, Anders, etc.

“ Maybe they base parallel construction on search results from Clearview.ai [ facial recognition technology vendor ].”

From Wikipedia[1]: “Far-right links[edit]

Going back to at least 2015, Huffington Post has linked Ton-That [ clearview.ai co-founder ] with the "far right clique" of Mike Cernovich, Andrew 'weev' Auernheimer, and Pax Dickinson, as well as close associates of Peter Thiel, Chuck Johnson and Jeff Giesea. Ton-That and associates worked on projects to advance the far- and alt-right political views ...”

For an entertaining take on the, perhaps deadly, topic of facial recognition technology, there is John Oliver:

https://www.schneier.com/blog/archives/2020/06/friday_squid_bl_733.html#c6812435

[1]
https://en.wikipedia.org/wiki/Hoan_Ton-That
https://en.wikipedia.org/wiki/Clearview_AI

MarkHJune 23, 2020 1:16 PM

@Clive:

re "flame retardant gloves"

I have an old pair of racing gloves labeled with some sort of F.I.A. compliance certification. Like many kinds of auto racing gear, they're made from nomex.

In a typical atmosphere, nomex doesn't ignite easily and quickly self-extinguishes. It's also a good insulator.

In the most dramatic cases (I seem to have seen a testing video once), the outer surface can be ablaze -- it's a loose-weave fabric, and of course can carry liquid fuel -- while protecting the person inside.

Auto racing gear is usually made with 3 layers of nomex. If I recall correctly, it can protect skin for about a dozen seconds when exposed to or engulfed in a fuel fire, which is long enough to get out of a race car if you're not dazed (as you mentioned in your harrowing account), or almost long enough for rescuers to get you out at a top-level professional event where they have excellent rescue resources.

I remember an incident from the noughties in which a famous U.S. driver had a roaring post-crash fire -- very rare in modern times, because the fuel systems are so resilient -- and was too dazed by the impact to get out on his own. He was racing again within a few days, but found it a struggle to sit in the car, because a "tender region" had gotten scorched ...

myliitJune 23, 2020 2:51 PM

re: LEOs’ leaks

https://arstechnica.com/tech-policy/2020/06/blueleaks-airs-private-data-from-more-than-200-us-police-agencies/

“Millions of documents from >200 US police agencies published in “BlueLeaks” trove

Document dump comes almost 4 weeks after murder by police of George Floyd.

Millions of law enforcement documents—some showing pictures of suspects, bank account numbers, and other sensitive information—have been published on a website that holds itself out as an alternative to WikiLeaks, according to security news website KrebsOnSecurity.

DDOSecrets, short for Distributed Denial of Secrets, published what it said were millions of documents stolen from more than 200 law enforcement groups around the country. Reporter Brian Krebs, citing the organization National Fusion Center Association (NFCA), confirmed the validity of the leaked data. DDOSecrets said the documents spanned at least a decade, although some of the dates in documents suggested a timespan twice as long.

Dates on the most recent documents were from earlier this month, suggesting the hack that first exposed the documents happened in the last three weeks. The documents, which were titled “BlueLeaks,” were published on Friday, the date of this year’s Juneteenth holiday celebrating the emancipation of enslaved African Americans in the Confederacy. BlueLeaks had special significance in the aftermath of a Minneapolis police officer suffocating a handcuffed Black man to death when the officer placed his knee on the man's neck for 8 minutes and 45 seconds. ...”

Clive RobinsonJune 23, 2020 5:18 PM

@ SpaceLifeForm,

It's tricky. Think hinky.

It is, and it's also a game both sides can play...

In this case the author does not consider that there are two types of supplier of information service,

1, Publishers.
2, Common Service Carriers.

He argues that MasterCard etc act as censors and suggests a remidial step that would be ineffective.

Whilst Publishers have liability and thus discretion for what information they provide, Common Service carriers have neither.

It would be better for the likes of MasterCard to be forced into a form of no liability no discretion model as the are a de facto monopoly like many Telco's etc are. That is outside of actual known criminality which they would be forced to report, they are forced to supply any and all with payment transaction services.

Unfortunatly politicians will not do that as it gives them significant power to not do so. Especially our current crop who appear to be at war on what most would consider Common Service Carriers/Providers.

FelixJune 24, 2020 5:53 AM

"The obvious moral isn't a new one: don't have a distinctive tattoo"

or have as distinctive a tattoo as you like but don't go around burning police cars.

ThunderbirdJune 24, 2020 10:16 AM

Which made me wonder why safer materials were not used, or if they were was there some kind of accelerant in the vehicle and importantly if so what and why.

An item that has been in my car for the last three months is a four fluid ounce clear plastic bottle of 70% alcohol. I imagine it will spray all around if I get in an accident. Not quite a can of gasoline but maybe the next best thing...

Clive RobinsonJune 24, 2020 10:58 AM

@ Thunderbird,

An item that has been in my car for the last three months is a four fluid ounce clear plastic bottle of 70% alcohol.

Ahh, a sanitary way to wash your hands of a problem.

The thing is alcohol even that we might call "wood alcohol" or "meths" is not that easy to get to explode, and believe me when I was younger a friend and myself tried when trying to make rocket fuel.

The most fun we had with it was pouring it on our hands seting fire to it and chasing others around with our burning hands.

MartinJune 25, 2020 11:30 AM

I do hope this doesn't lead to protesters attacking photographers. From my experience of protesters over 20 years ago, police use of press photographers' work to identify "ringleaders" and culprits resulted in some protesters targeting press togs.

Nowadays, just about everyone carries a camera all the time. And in the piece it specifically says the police used amateur photographers' work to identify the woman. But some protesters might still choose to target the most obvious photographers - the press togs.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.