Leicester City football star Jamie Vardy’s un-following of Wayne Rooney’s Instagram account and the entry of “Wagileaks” into our collective vocabulary are just some of the twists in a drawn-out and high-profile social media spat that kicked off when Rooney’s wife – Coleen – announced “It’s …… Rebekah Vardy’s account” that had been leaking stories from her Instagram account to the media.
While Rebekah Vardy denies the accusation and has reportedly hired experts to help clear her name, the story seems destined to be played out in the full glare of the public eye for some time. Yet perhaps even more interesting than the human drama is the fact that the case highlights the broader role that social media is playing in investigations and legal proceedings – ranging from big business, workplace disputes, criminal cases, and everything in between.
In this Q&A, we’ve asked Brandy Wityak and Amy Francis, London-based investigations and incident response professionals from Aon’s Cyber Solutions, about how you might attempt to prove ‘who’ was responsible for activity on a social media account, and ‘how’ mobile devices and social media accounts might be important in an investigation. (Note: Neither Ms. Wityak nor Ms. Francis is associated with or engaged on this matter.)
Q: How often is social media involved in investigations?
Brandy Wityak: As investigators our day-to-day work involves interrogating data to uncover facts critical to a case. In our work on legal matters and internal investigations we are seeing a definite rise in the number of times that social media accounts, and the devices that people use to access them, are brought into play. Why? Because the use of social media is flourishing, but also because there seems to be a growing crossover between business and personal data – for example, with workplace ‘bring your own device’ (BYOD) policies where people are using their own devices and using apps for both work and personal purposes.
As social media becomes more influential, businesses seem to be increasingly expecting employees to engage in these communications channels to promote their business. Not only does this blur the line between work and personal, it can create complications when social media feeds turn out to be useful evidence to help build a picture of what has happened in a matter which turns into an investigation.
Amy Francis: There are also so many different social channels that people use to directly communicate with each other including private messaging tools such as Facebook Messenger, Snapchat, LinkedIn, and Instagram. This means that there are more communications channels to analyze but also more data sources to build up a fuller picture of what happened. It is relatively simple technically to capture, preserve and analyze these forms of communication for use in an investigation.
Many people think that chat apps such as WhatsApp are more secure and that these forms of communication cannot be accessed in an investigation because they are encrypted – this is not necessarily true; they can often be decrypted, and messages can often be recovered even if the user attempts to delete the chats.
BW: There’s also no doubt that social media can be hugely informative in a case. For example, data from social media apps such as Facebook has been used in cases to help prove that a person was in a particular location at a particular time. In cases involving collusion or corruption, we’ve been able to draw on publicly-available information from social media platforms to define or open up lines of inquiry. There is now wider recognition of the rich pickings available from social media when looking for evidence.
Q: People use social media on a number of devices, how easy is it to tie activity to a specific device?
AF: While it’s easy to tie activity down to a specific account, it can be difficult to narrow social media activity down to the most likely device used because there are so many different ways people can access their accounts – from using applications on our phones and iPads whilst on the move, to checking Instagram on a corporate computer during lunch. However, there are many digital forensic methods that can pull together information regarding location, time zones, and many other artefacts to work out the most likely device or rule out a device.
Q: Is it possible to prove who was responsible for activity on a social media account?
AF: There are two questions here: firstly, has there been any unauthorized access to the account on another device (hacked)? This requires looking at all the devices and geographic locations that have had access to the device to see if any of these seem malicious in any way. For example, if we have a user from the US and we see access from Russia, it could indicate it’s malicious. By analyzing forensic evidence relating to the way the account was accessed, we can get insight into whether the account may have been hacked.
BW: Have their credentials been stolen and made available to attackers on a “data dump” site? Have they used passwords that might be guessed by people who know them or follow their social media feeds? There are numerous instances where people in high-profile positions are victims and personal information was leaked when personal details were exploited by attackers to “phish” them (for example, the 2014 scheme that targeted Jennifer Lawrence and other celebrities).
AF: Secondly, who else could have accessed the account on an authorized device? The obvious answer would be the owner, but what about trusted friends who know their password? Did the owner leave their phone unlocked and unaccompanied? Did they log into someone else’s computer with their credentials and perhaps accidentally save their password on that computer?
If access has been made from an authorized device, proving who handled the device becomes more reliant on physical evidence such as fingerprints and CCTV which is obviously harder to find.
Q: Can you create a timeline of a person’s activity to tell where they were and which devices they could have been using?
AF: If we determine the activity was from a particular device, how do we put a person’s hands actually on the keyboard? Can we prove they were using a device at a specific time? It is complicated but there are lots of data sources and information that we can use to try and put this together. Numerous applications on devices store location data to tell us whether an individual was having a coffee and surfing the net in the local coffee shop, on a plane, or in a meeting at work. There is a lot of forensic evidence that can help draw inferences, if not proof. However, these can still be useful in providing a basis for questioning a witness or obtaining access to additional data, for example.
Q: How easy is it to obtain access to mobile devices in an investigation?
BW: If an employer is doing the asking, and the physical hardware is the property of the company, it is relatively common for our clients to have analysis done on the company device as part of an internal inquiry, legal proceedings, or a data subject access request (“DSAR”). Companies that issue work devices to employees often have a policy to include provisions that could potentially open up anything the employee does on the corporate device to the company, though policies and rules vary in different jurisdictions. When engaged by lawyers advising a company, we may be asked to analyse work email accounts, messaging apps or social media apps present on the phone.
With solely personal devices, it’s a different story. As third party investigators, we usually will carry out this type of work only where the client has consulted with legal counsel, and counsel often is the one instructing us. We are not attorneys and can’t advise on when personal devices should come into play and what the permissible scope of inquiry should be. In our experience in such situations, we often perform analysis of personal mobile devices or social media accounts under a court order, or where an agreement has been reached with the person to whom the device belongs – it all depends on the case. Using a third party consultant such as Amy’s and my team is common, because we can review the data independently and only report back on what is within the permitted scope.
When a company uses BYOD policies, it can create a grey area around getting access to investigate the contents of the device. A business will have to balance its employees’ privacy considerations against the needs of the business to access the data. As with personal devices, we typically see clients consulting with counsel on the proper parameters.
Q: What should businesses be doing to protect themselves further?
BW: For businesses, it’s important that they have a good look at their policies around the use of devices and social media – both for company-owned devices and for situations where employees are using personal devices for business – and be explicit as to what is considered as acceptable use, and the implications on data privacy.
Also, they should keep sight of the fact that the open web and social media can reveal a lot about an individual – much of which they don’t share themselves or know exists or is available about them. For businesses, there is usually sufficient personal information to impersonate executives for financial fraud, phishing schemes, or ransomware attacks on the company. We have worked on many such cases; huge sums of company funds were diverted to attackers, and executives were targets of extortion, because the attacker was able to convincingly “phish” or impersonate them.
Proactively, businesses can carry out periodic assessments of their key staff for social media vulnerability, can monitor threat intelligence posted about the company in open sources and the dark web, and pre-emptively “take down” information that shouldn’t be exposed. In one case, we showed our client a list of their employees whose credentials were for sale on the dark web, and one of the executives in the room confessed that his leaked password matched the one he was using for the company network that day, because he tended to re-use passwords.
Q: What about individuals?
AF: For individuals using their own devices, it is critical to think about who has access to your devices and how you sign into social media accounts like Facebook and Instagram. Many of us can be too blasé when it comes to ensuring others can’t access our accounts and the consequences of this poor security are starting to come to light. Simple things like using strong passwords for your accounts, not reusing passwords, and not sharing passwords with others can go a long way to protect your accounts from being accessed without your permission.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.