Misinformation can spread at a feverish pace and in this guide we will address the essential verification questions of where, what, why and who as well as introduce a number of tools and techniques to assist investigators with verifying data that they find online.
The focus of this chapter starts from the Syrian conflict. The conflict is the most documented war in history with a range of documentation efforts under way: from tracking the extent of damage to Syrian archaeological sites to listing abuses against women and missing persons. Each of these efforts draws information from a range of media sources such as text documents, photographs and videos.
This is not just documentation that shapes public opinion about Syria and makes the truth of the Syrian reality accessible; it is equally important documentation for the future. When the Syria regime is held accountable for their crimes, a lot of this documentation has the potential to serve as evidence and be presented in an international court of law. However, for this information to be used in courts of law or for a source to be trusted, the content must be verified.
In media coverage of emergencies, information often spreads quickly and without others checking its veracity before sharing. The prevalence of User Generated Content (UGC), content that is generated from tweets, digital images, blogs, chats, forum discussions and so on, also means that more and more people are documenting human rights violations and images of war and disaster. Newsrooms often have tight deadlines and can prioritise speed over accuracy, leading to the spread of images and videos that have been taken out of context or digitally enhanced and text documents that contain misinformation.
Journalists from Syria and other countries have been putting lots of effort to verify digital content related to the conflict as there has been many proven incidents of fabricated content. An example of this can be seen from Abdulaziz Alotaibi posting an image on Instagram of a child sleeping between his parents' graves as a depiction of a Syrian child who just lost his family. It went viral on social media with people including politicians discussing it and even some news agencies used it to write breaking news stories.
Image taken by Abdulaziz Alotaibi
No effort was made to verify this image and no-one asked questions like:
Where was the photo taken?
What date was it taken?
Why was it taken? What is the story behind it?
When Alotaibi saw that the image had been used in a wrong context, he released another photo to show that this was actually an art project. The photo was not taken in a grave yard and the child was his nephew.
Image taken by Abdulaziz Alotaibi
Misinformation can spread at a feverish pace and in this chapter we will address the essential verification questions of where, what, why and who as well as introduce a number of tools and techniques to assist investigators with verifying data that they find online.
Before this chapter begins, we would like to highlight two important factors: there is no single, magic tool that can be used for verification purposes, and how using online tools could compromise you if you do not take specific precautions.
One Tool to Rule Them All
Later in the chapter we will introduce various tools that could assist you in working out the veracity of online content. However, these tools are often useful only in combination with other tools and in many cases it is helpful to speak to sources on the ground. But make sure you communicate with them securely so you don't put them or yourself at risk, especially if you are investigating sensitive issues.
One Tool to Find Them
Many tools and services featured below belong to private companies and are closed source. This means that when uploading content to these services you will not be able to control how these companies use it nor who they share it with.
Some of these services do not facilitate a secure connection to the internet, which might put you at risk if you are on a public Wi-Fi network. Also, your location will be accessible to these sites if you do not take measures to obscure it. At the end of this chapter we will delve deeper into using open source tools for verification and how you can protect yourself while carrying out an online investigation.
In 2014 a video was published on YouTube that featured a child being shot by the Syrian regime. It was watched over eight million times. The video was then cross-posted on BBC Trending alongside an article saying that the video was most probably not a fake.
A few days later a Norwegian film director stated that he was the one who staged the video showing a “Syrian hero boy” under gunfire. It was shot in Malta in May 2014, not Syria. The video was picked up by news agencies and social media activists to spread information about the suffering of children in war. Unfortunately, this had a negative political impact overall. Releasing this fake video and spreading it on social media made it easier for war criminals to dismiss credible images of abuse by saying most videos online are fake.
In both incidents above it was difficult to find the original source of the content. It becomes even harder when content is downloaded from social media websites such as Facebook, YouTube, Instagram and Twitter and uploaded again on the same platform from different users accounts and channels or uploaded onto different platforms.
News aggregators like ShaamNetwork S.N.N 'scrape' content from original uploaders onto their own YouTube channel, making it harder to find the source that created or first shared the content. The photo below shows how they scraped content from a media centre in Daraya (Damascus Suburbs) showing a helicopter dropping bombs.
The same thing happened when the U.S. Senate Intelligence Committee released a playlist of 13 videos that had originally appeared on YouTube which they had used to look for evidence related to the 2013 chemical weapons attack on Damascus Suburbs in Syria.
A number of these videos were taken from the YouTube channel of a well-known Syrian media aggregator, ShaamNetwork S.N.N, which regularly republishes videos from other people’s channels. Félim McMahon of Storyful was able to discover the original versions of these videos by using a range of different verification techniques including checking the original upload date of the videos and examining their profiles to assess whether they looked real or fake. This is a very good example of how verified videos can be used to strengthen the investigation of an incident.
One of the key issues in verification is confirming the Who and the What:
Source: Who uploaded the content?
Provenance: Is this the original piece of content?
Date: When was this content captured?
Location: Where was this content captured?
Identifying the original source is essential when verifying digital content. It is essential that human rights investigators confirm the authenticity of any information or content they get online via social media websites and other platforms as it can be easily fabricated. For example, it is very easy to fake a tweet using this website, which can then be shared as a picture.
The image above can then be shared on twitter, creating the appearance of it being an authentic tweet. Another approach to spread misleading information is to retweet fake information such as: (Good news! RT@PresidentSY I'm announcing my retirement from politics).
In this section we will introduce a number of tools and techniques to verify that the person or organisation that you believe has uploaded or shared the content you want to verify is in fact the individual or group you believe they are.
First, a few questions to think about when checking an account to confirm it as the original source:
Has the account holder been reliable in the past?
Where is the uploader based?
Are the descriptions of videos and photos consistent and mostly from a specific location?
Is their logo consistent across the videos?
Does the uploader 'scrape' videos/photos, or do they upload only user-generated content?
How long have these accounts been active? How active are they?
What information do affiliated accounts contain that indicates the recent location, activity, reliability and bias or agenda of the account holder?
Once you have some answers to the questions above like the name of the uploader from his or her YouTube channel or websites linked to the uploader's social media accounts you can use tools to get more information about the source.
Facebook, Twitter and YouTube have a way of verifying personal profiles or pages through blue ticks added to personal profiles or social media pages. Hover over the blue tick and you will see the text “verified account” pop up. If it’s not there, then it is not a verified account. Since, those who spread misleading information can also add a blue verification check mark to the cover photo of the faked accounts, here are a few steps to check the authenticity of the content:
Twitter verified account
Facebook verified account
YouTube verified account
However we can't depend on these official verification programmes as it is not available for all users. As a result we end up most of the time checking profiles or pages that do not include any blue tick on them at all.
Check out details available on the profile to confirm that it's original and not fake by checking the following pieces of content:
Are there any websites linked to this profile?
View the previous pictures and videos.
If they share content, where do they usually post about/from?
How many followers, friends or subscribers they have?
Who are they following?
For example, let’s say that someone shared a YouTube video on a specific platform about a human rights violation incident. The first thing we need to do is to go to the user's YouTube profile. In the case below, you will see that his name is Yasser Al-Doumani. He has been uploading daily videos about human rights violations in Syria which are all located in the Damascus suburbs. We understand from this that he is a Syrian journalist, most probably based in the suburbs of Damascus.
When we check out the 'about' page on his YouTube profile we can see a number of important pieces of information:
Website links: There are two linked URLs to the Facebook pages of a coordination group in the Damascus suburbs which usually do media work. The description says that this YouTube channel is dedicated to Douma Coordination group.
Number of subscribers: He has 590 subscribers.
Joining date: He joined in 1 January 2014.
Profile views: His profile has 281,169 views.
All this information provides more clarity as to whether this account is fake or not. In this case, the account is authentic. Indicators of possibly fake accounts include a recent joining date, few profile views, a low number of subscribers and whether other websites are linked to in the 'about' section.
You can check the original person who uploaded a video on YouTube. If you come across a specific video and you want to get to the original uploader of this video, you need to use the filter to sort by upload date as shown below. In this case, we got a video from social media showing alleged chemical attacks in Idlib province in Syria. By typing the title of the video in the search and sorting by 'Upload date' we get to the account of the original uploader, which is 'Sarmeen Coordination Group'.
As we mentioned earlier, you also need to check for websites linked to their channel and the number of subscribers and viewers to make sure that this is not a fake channel.
When checked, Sarmeen Coordination Group had 2,074 subscribers, over a million views and around 3,000 followers on Twitter. They also have been sharing visual evidence from the location for the last four years. Taken together we can confidently verify that the source Sarmeen Coordination Group was the original source of the video.
On Twitter there are many fake accounts called ‘bots’ created to spread information, or sometimes to spy on people by following them. Most bots, and other unreliable sources, will use stolen photographs of other people as their avatars. For example, the Twitter bot @LusDgrm166 seen highlighted in red in the image below:
A quick investigation of the account's avatar reveals that the Twitter account is not likely to be operated by a human. Indeed, all the accounts on the screenshot above are likely not operated by a human. They are tweeting about Syria with the hashtag #NaturalHealing and the content of their tweets is taken from Wikipedia and other pages.
After copying the URL of the avatar of @LusDgrm166 or downloading the avatar image, paste the link/photo into a Google reverse image search to find similar pictures elsewhere online. As you can see in the image of the search results below, the image has been used by many twitter users as their profile picture.
If you have the name or username of the person who uploaded the content to YouTube, Facebook, Twitter, etc., you can run their name through a service called Webmii to find more information about them from websites, news outlets and social media accounts.
Most importantly, contact the source directly to get information verified when possible. Make sure to ask how they know the specific information. They might be able to send you additional photos and videos to help you verify specific incidents. Always connect to sources securely so that you don't put them at risk.
For example, you have found visual evidence on YouTube, but you don't know the uploader. You don't know if he's the original source, and you don't know if he's located in the area where the footage was taken.
You can get more information about this source by running his name on Webmii as below.
You will find most of the photos or videos that he has uploaded online.
You will also find other digital content from different social media accounts that he shared online, or that others shared with him.
This will give you a better understanding if this source reliable or not, especially if you find information that answers the questions we have mentioned above to verify the source.
In our example, the person works in a local media centre in a city called Al-Safira. He has been doing this for years from the same location which gives him more credibility.
You can use a different technique to check the source in cases where you don't find the name of the person who uploaded the content online through social media platforms. The technique is often used when you are looking at verifying information that has been uploaded onto a website rather than social media.
If you are looking at a website that contains information that you would like to verify but the website doesn't include the name of person who runs it, or if you want to find more information about the person who runs the website such as their location or phone number, then you can use a number of online services that provide this information.
When you register a domain name with a domain provider they will usually ask you for a number of identifying details including:
Name of the person registering the websites
Email (The email below was obfuscated, but usually you can find clear email as firstname.lastname@example.org )
Many websites offer a service to see all this registered data, such as: https://who.is/. Most of domain registration websites offers this service as well.
Below are the results of running whois on a website such as www.example.org.
Note: Some domain providers offer services to keep this information from being public, in other instances individuals purposely obscure personally identifying information for privacy reasons.
In this section we will look at three different verification approaches that can help you to determine 'the What'. These are the provenance (whether this piece of content is the original or whether it is a duplication of a previously posted piece of content), the date the content captured and the location of the captured content. Finding the answers to these questions will help you to identify the veracity of the content.
If you are looking into visual evidence such as photo or video, you need to investigate whether this is the original content, how it is used and if modified copies exist.
Use reverse image search tools such as TinEye or Google Reverse Image Search to find out if the image you are looking at has been posted online previously.
Note: Make sure to read the Protecting Data chapter on how to securely carry out online investigations before using this tool.
How TinEye works:
Go to TinEye's website.
Upload the image you want to search for. We will use the photo taken by the Norwegian film director from the earlier example.
We sort the filter by the “oldest” which will lead us to the people who used this image first, or to the originator of the image. You can also sort by “Biggest Image” because sometimes the originator will be the one uploading a high quality version of the image. In the case below, we see that this image was first used by a Norwegian online news website.
Every image has metadata attached to it (read more in the chapter on Metadata), which can include details about the type of device the image was taken on, camera settings, date and location information. There are various free tools that will analyse a photograph’s metadata and compression information, allowing further verification of an image’s veracity. There's also a possibility to verify the dates and location of images if it's included in the metadata of the image.
FotoForensics is a toolbox that provides a suite of photo analysis tools. The public site permits viewing metadata, visualizing the JPEG error level potential and identifying the last-saved JPEG quality. FotoForensics does not draw any conclusions. Nothing says "it's photoshopped" or "it's real". The website highlights artifacts that may not be otherwise visible in the picture.
You can upload the image you want to analyse for metadata. This works best if you get a raw photo from the source. You won't get the same results when analysing images taken from social media networks such as Facebook, Twitter and Instagram because they strip most metadata when the images are uploaded to their platforms.
You can upload the image on the FotoForensics website or enter the URL of where the image is stored online and then click on 'Metadata' to see the information below the image. In this case, the image uploaded was taken from MMC marramedia center in Syria which is run by activists in that area. The photo shows remains of the weapons used recently in Idlib.
The results are not always clear, however, and depend on the copy of the file uploaded.
For example, a JPEG that has been resized, recompressed or changed from the original file will have much less reliable data than the original full-resolution image recorded by a camera.
However, if an image was edited in Photoshop by the originator, it doesn't necessarily mean that it was manipulated. Izitru is a tool that can help you figure out if the image is modified or not.
You can upload an image on Izitru to check whether it has been manipulated or edited, which will help you confirm if it is a raw image or if it has been edited.
In this image below, Izitru indicates that it is not the original image and that the image has been edited.
There's a different technique to analyse an image which is called error level analysis (ELA.) It's a forensic method to identify portions of an image with a different level of compression. You can do this through fotoforensics.com as well.
There are applications that can be useful to automatically capture the date of a video or photo as well as capturing other important details such as GPS data. One such application is Camera V which we introduced in the Metadata chapter of this guide.
There are no services available for reverse video searches such as we saw with Google image reverse or TinEye so it's not as easy to verify the provenance and original source of videos. However, there are ways to carry out a reverse-verification of a video to see if the video has been used and shared in the past or not. This requires you to capture a screenshot of the video at an important moment to get the best results (the most opportune moment to capture the screenshot is when an incident happens). Alternately, you can capture a screenshot of the video thumbnail as it could have been used previously on YouTube or other video hosting services. Then run the captured screenshot through TinEye or Google image reverse as we did earlier in this chapter.
Amnesty International created a tool that will help you implement this technique which you can find here.
Enter the YouTube URL that you are interested in, as seen in the example below, then select ‘Go to get Thumbnails’ which you can then run a reverse image search on.
In this case, this video was uploaded by 'Abu Shadi AlSafrany', who works in a local media centre in a city called Al-Safira. They haven't been shared online before which means that the videos haven't been used in different countries or contexts. Once you verify that a video is unique, it will be important to then verify the location and the date of the incident to make sure that the video is not fabricated. Reverse image searches do not always reveal any duplications of videos or photos so there's a need to carry out other forms of verification as well.
Verifying the date is one of the most important elements of verification. The key questions to consider when finding visual evidence online are:
When was the content created?
When did the incident happen?
This is made easier when people in the video mention the date of when the event happened or show newspapers or write the date on a piece of paper and show it to the camera such as in the example below.
In the Syrian context, most of the time the original uploaders of the videos on YouTube will write the exact date of the incident with the video title. In most cases this is the correct date, especially if you are looking to a video from a vetted, verified source.
This does not often happen in other contexts, however, and even in Syria it was a challenge to verify the date of some events without adding other ways to confirm it such as looking at the weather during the event or connecting with the person who took the original footage and obtaining raw photo/video with metadata attached that verified the date of the event.
Hundreds of videos were uploaded on YouTube by media activists in Syria during the chemical attack that happened in Damascus on 21 August 2013. The uploaded videos were accused of being fabricated because the YouTube videos uploaded by activists were dated as 20/08/2013, while activists were saying that the attack happened in 21/08/2013. This happened because YouTube time and date stamps videos according to Pacific Standard Time (PST) rather than Eastern European Time (EET), as in this case, something it's important to be aware of.
Checking the weather (if possible) from a photo/video is another helpful way to confirm the date of the event.
Below is a video posted on Al-Aan TV claiming that clashes had been stopped in few areas in Syria because of the snow.
To verify this, enter the same date posted on YouTube to the website WolframAlpha, as shown below, to see if the weather was indeed snowy or not.
As you can see above, you can verify that the date posted on YouTube is likely to be correct based on the similar weather conditions.
The process of geolocating visual evidence is essential to verifying whether or not the evidence you find is in the location it claims to be. Mapping platforms such as Open Street Map, Google Earth, Google Maps, Wikimapia and Paronamio will help you to locate those materials when possible. The key issue for geolocation is to collect as many images as possible and use them all to verify as it will be harder to verify an incident from only one piece of footage.
Some details to consider for confirming the location:
License/number plates on vehicles
Landmarks such as schools, hospitals, religious places, towers, etc.
Type of clothing
Identifiable shops or buildings in the photo
The type of the terrain/environment in the shot
In this case, we wanted to identify the location of a suspected ISIS member. For many years she posted many pictures from Guyana, South America on a social media account. To confirm that she was actually in Guyana, we looked at images where vehicle numbers are clearly visible. The white car in this picture holds the number BMM-5356.
When searching this number through Wikipedia, we found the page below that confirmed to us that those particular plate numbers match vehicle registration plates in Guyana.
Looking at landmarks such as schools, hospitals, towers and religious buildings is very helpful when you are trying to geolocate visual evidence. Mapping platforms such as Wikimapia, Google Earth, Panoramio and Google Maps are tagged with thousands of photos that can be used to geolocate your evidence.
A search for 'schools' on Wikimapia, returns all schools in the area as shown below.
Panoramio works in a different way; it shows you all photos in a specific area that are tagged to Google Maps.
With both services you can find photos that will help you geolocate your evidence as demonstrated below. You can see a screenshot from Panoramio of a photo of a shop found through the site. The photo includes the phone number of the shop and a small board with the full address on it.
Once you find the suspected location of your evidence, Google Earth can be very helpful to confirm if this is indeed the actual location.
Use Google Earth to:
Look at structures
Look at terrain
View Google satellite image history
Below is an image of a mosque which was captured by an activist who claims that this mosque is located in Jisr al-Shughur, Idlib. We located the mosque on Google Earth and compared the structure in the satellite image to the image provided by the activist to make sure that it is actually located in the claimed location. In this case we looked at the building's black windows and its structure. For more information about this technique, see the work of Eliot Higgins and Bellingcat, who have a series of detailed case studies and tutorials on this technique.
Verify location by checking out the terrain of the claimed location in satellite imagery.
Below is one of thousands of photos leaked depicting violations of human rights in Syrian prisons. The leaked photo was geolocated by looking at the satellite image below; note the terrain which shows the hill that with communication towers.
Below are images of Aleppo in 2010 and in 2013. You can see clearly the damaged areas. This can help you geolocate streets in this area even an attack as you can see the images before the damage/attack.
As you can see from the above examples, technology has changed how we find and deal with sources and information as witnesses and activists share events in text, photos and videos on social media and blogs in real time. This can help human rights investigators verify events that are happening through visual evidence by using different techniques and tools. Remember to read our chapter on how to use verification tools as securely as possible before using any of them.
Using online search tools and investigation techniques can be very helpful to verify user generated digital content such as photos and videos as we saw earlier in this chapter. But there are security issues related to this that you need to consider before carrying out your online investigation.
Some important questions are:
These are some of the questions that you need to think about when using online tools and cloud-based services to conduct an investigation. Below we will go through basic steps on how you carry out an online investigation as securely as possible. We will also go through the open source tools that you can use for investigation instead of commercial software. By open source, we mean tools that let you review how they are built so you, or a technical expert that you know, can understand if violates your security and privacy at any point. Commercial software doesn't let you do this so you won't be able to understand if it's respecting your privacy or if it is secure to use it.
Make sure that you are browsing sites securely, ones you are investigating and those you are just reviewing. You can do this by encrypting your communication with these sites when possible through SSL (Secure Socket Layer).
Note: Some sites don't support secure communication so people can see the websites you visit, and the information you send (log-in info, text, photos, video etc.). This can be very risky if you are working in a public space using Wi-Fi network.
You leave behind many traces while you look at websites, social media sites and use online verification tools to carry out your investigation. Most of the websites that you visit collect information about you such as your location through your IP address, your browser fingerprint, the device you are using to access the internet (mobile, tablet or computer), the unique number for your device called the MAC address, the websites you visited online, how long you stayed on a specific page and more. The Me and My Shadow project has more details about these traces.
All this collected information can create a profile of you which makes you identifiable. It's important to make sure that you are browsing the internet securely and anonymously if you don't want:
hackers connected to the same Wi-Fi network as you to see what you are doing,
the websites you are visiting to collect information about you, or
your internet service provider to see what you are doing online.
You can do this by installing and using the Tor browser bundle when doing an online investigation. Learn how to install and use this tool here. You can also use Tails which is an operating system that allows you to remain anonymous on the internet by default.
Once you install this tool you can use services such as Pipl or Webmii to verify sources, who.is to help you verify the source if it's mentioned on the website registration page and FotoForensics without divulging your identity or your investigation.
Below is a list of open source tools that can be used for safer online investigation as alternatives to their closed sourced cousins.
Confirming sources of information
You can use Maltego instead of cloud based services like Pipl and Webmii to get more information such as accounts on social media, related websites, phone numbers and email addresses of a specific source so to verify who she/he really is. Maltego is a program available for Windows, Mac and Linux that can be used to collect and visually aggregate information posted on the internet which can be helpful for an online investigation. Once mastered, this tool is extremely useful but it is fairly complicated for a first time user, so be prepared to invest some time into it.
Consider ExifTool as an alternative to FotoForensics which was presented earlier as a tool to review the exif data on a photo. With it you will be able to extract metadata from photos such as the device used to take the photo, date, location and last programme used to edit the photo (if it has been edited). By using ExifTool you won't need to upload your photo to a cloud based service that you don't trust with your data. Everything is done locally on your computer with ExifTool with no 3rd party involved. However, there are downsides to using ExifTool as well. First, it doesn't support error level analysis analysis and second, ExifTool is a command-line application so it doesn't have graphical interface. The command-line is easy to use and install.
Google Maps and Google Earth are among the most used tools to verify locations and geolocate incidents. Everything you do on Google Earth and Google Maps is connected to your Gmail once you sign-in, which means that it is possible to know that you are looking at specific locations to verify. Use a separate Gmail account from your personal one if you want to use Google Earth and Google Maps for your investigation without exposing your real email. This will make it harder to identify you as a person working on a specific investigation.
Reverse image search
Unfortunately there are no open source tools currently available that rival the functionality that TinEye or Google reverse image search offer. However the following tools are a good place to start when looking at open source reverse image tools:
It's very easy to put yourself and your sources of information at risk while communicating with them about your online investigation, especially if you are investigating a sensitive event. Make sure that you communicate with them securely and make sure that you share data securely too. There are easy-to use-tools that you can install such as Signal for safer communication and miniLock for secure file sharing. Read more about secure communication here.
Make sure to back up relevant content you find, sites you visit, social media accounts and conversations you have with sources of information. Visual evidence such as photos and videos that you find online can disappear from the internet for many reasons. Back up everything you find online so you can access it later for verification and analysis even if it's no longer online.
You can use cloud based services to backup websites and social media accounts such as:
The archives will provide you with an ID for every page you submit. Copy the codes to a file on your local computer so you can get back to pages you want to analyse later on. You can encrypt this file on your computer with a tool called VeraCrypt so no one other than you will be able to open it. You can find more info about how to install and use VeraCrypt here.
Note: Make sure that you use the above online archives over the Tor browser to hide your location.
Image created by John Bumstead