Updated: Jun 8, 2020
Before discussing how to create a covert account for Internet Investigations we must first discuss when an account can be used. Within a law enforcement environment, adequately trained internet investigators and researchers are allowed to create ‘false persona’ or covert accounts to allow covert investigations to be conducted. A covert account ensures reduced risk of detection or compromise of an ongoing investigation and should be used whenever any evidence collection is being done through the internet to support action against a bad actor. A false persona account is one which is created under a false name, to hide the identity of the individual conducting open-source activity. It's worth noting that a covert account may breach the terms and conditions of some sites, particularly social networks.
Law Enforcement Principles
Within the UK, the creation of a false persona for the purposes of online research and investigation does not, in itself, require authorisation under the Regulation of Investigatory Powers Act 2000 (RIPA). The Regulation of Investigatory Powers Act 2000 governs internet investigations in the UK, ensuring that the privacy of individuals is protected. Whilst many parts of RIPA have been updated within the Investigatory Powers Act 2016, RIPA still governs internet investigations today.
Under RIPA, a covert account can be used without authorisation for an online deployment as long as there is no repeated or continuous monitoring of a subject's account. During a deployment, an individual is authorised to visit the social media site of a subject more than once, as long as each visit is justified as part of intelligence gathering. However, I would advise that a deployment should generally not exceed three days before it is considered 'monitoring'.
It is crucial that an internet investigator keeps records of the details associated with their covert accounts. Any information used to establish a background for a persona for covert accounts and any passwords must be recorded. Recorded details will provide useful if any social media site restricts access to an account and asks the owner to prove they are the account holder by asking questions based on the information provided. However, more importantly, it's crucial that in the case that evidence is taken to court an investigator can provide the information used for their false persona.
Any account that has been used to gather intelligence that has been presented in court should be considered 'burned'. This account can be linked back to you and your organisation and as such is no longer covert. Therefore, it should not be used again.
Standard advice has always been to use a brand new covert account for each deployment. That way each account is tied to one investigation only. However, social media sites are making it increasingly difficult to establish a covert account. Accounts established for investigations are commonly and increasingly being shut down through social media sites that detect "unusual activity". Therefore, there is an argument for supporting the re-use of covert accounts that have not been compromised through evidential disclosure.
The creation and use of a false persona must only be completed by an individual with training to conduct Level 2 or above Open-Source activity, under the NPCC's current guidance. Under no circumstances should an individual with only Level 1 training or no OSINT training be conducting any activity on behalf of an LEA or organisation through a social media account that uses a false persona or an account that in any way attempts to mask their identity. Further, individuals should never use their own private social media accounts for investigative purposes.
Training ensures that investigators know not just the optimal techniques for navigating sites to collect intelligence but also that investigators understand the framework that an internet investigator must work to.
To create a covert account, also known as a sock-puppet account, I would advise the below steps:
Buy a brand new sim card using cash. In the UK, you can purchase a Pay-As-You-Go sim with a small amount of credit from a number of providers. In the US, I believe that buying a sim card in cash is more difficult. Therefore, an alternative is to use a 'burner' credit card. An anonymous card can be set up through Privacy. This card can then be used to buy a sim card through providers like Mint. Amazon is a fantastic place to order SIM cards, as it allows you to send them to Amazon lockers, rather than an address linked to you. Just remember to use a covert amazon account, rather than your own.
Place the new sim into a non-attributable phone. Any smartphone will do here, so feel free to buy the cheapest handset available. Use cash or an anonymous card when you purchase the phone, to ensure that the handset isn't linked to you. If cash is limited, a factory reset phone will work, however, a new phone is advised.
Generate a false persona using a fake name generator. It's important not to create a persona yourself, as you may inadvertently reveal information that links back to you. Make sure that you record the details of the persona for any questions to restore your deactivated account and for evidential purposes.
Create a password using a random word generator and a random number generator. Again, It's important not to create a password yourself, as you may inadvertently reveal information that links back to you. Cybersecurity advice about not using words and numbers for passwords is not as relevant here, as no information about yourself is at risk. You can use the same password for different social media accounts for the same false persona, however, ensure that you never use the same password for different persona's. Data breaches happen and passwords can be searched just as easily as email addresses. Identical or similar passwords could be used by other individuals to link your covert accounts, which could compromise on-going investigations and put you in danger. Make sure you've recorded the password that you use for each covert account.
Set up a brand new email address using a less common domain. I currently rely on Protonmail and have had great success in long-lasting covert accounts. However, older services like GMX are also great.
Set up accounts on social media sites using the new email address and when prompted, the covert phone number. A phone number makes a covert account look more realistic, so use it when possible, however, it's largely impossible to create accounts without a phone number these days.
Standard advice for Internet Investigations is to have a VPN on at all times. A VPN should be used when any covert account is being used. However, it's important not to have a VPN turned on when setting up a new Facebook account. A VPN is an indicator to Facebook that your account is 'suspicious', making it more likely that your account will be flagged and deactivated.
Use a photo of an object or animal for your profile photo. There are some sites offering great AI-generated photos like thispersondoesnotexist.com. However, sites like Facebook can easily detect these due to commonalities and flaws in the photos.
Set up 2-factor authentication (2FA) with Authy. This not only ensures that only you can log in but helps to establish the account as looking like one belonging to a 'real' user.
Sign in to other websites using your covert account when possible, as another way to establish your account as 'real'. A great time to do this is setting up a Strava account.
Further Advice and Comments
You may find it beneficial to create a number of covert accounts at once and deactivate all but one account. Deactivated accounts are less likely to be shut down and its good to have a reserve account, for if your main one gets shut down mid investigation. However, Facebook accounts only get access to Marketplace after a set period of time, which is generally a considerable number of months. It's likely that deactivated accounts won't be accruing any time to support access to Marketplace, so don't do this is you will need to investigate items for sale.
A password manager can be of great assistance in recording passwords. As you create more and more covert accounts, you will likely be tempted to resort to reusing passwords. However, there is no need to resort to bad practice, or flicking through a paper notebook looking for the right account. A password manager can remember every account that you have associated with each account. Simply select or enter the correct email address and the password will automatically be entered. Password managers will also auto-generate passwords using random strings of characters and symbols. This will mean that you can do away with using word and number generators to manually create passwords.
The supporting action of adding “friends” or “followers” to your social media accounts, which are also created false personas, is something that is not necessarily prohibited. Individual Law Enforcement Agencies may prohibit this activity, however, it is at the discretion of agencies and organisations rather than being enforced through legislation. Friends and followers make an account appear more legitimate and this can, therefore, assist in “legend building” for your account. Some organisations may permit the owners of covert accounts to accept friend requests to assist in legend building, however, at no point should a friend request ever be sent to a private individual without authorisation under RIPA.
Social Media accounts of subjects can be monitored for future posts in some circumstances without it being considered "monitoring" and requiring authorisation under RIPA. Any manual monitoring of accounts would need RIPA authorisation, however, automated tools can be used to monitor accounts for any posts containing an established list of keywords without authorisation. The software must, however, be set to report notifications to the investigators only when a specified keyword is used, rather than just any future posts.
Level 5 activity under the current NPCC guidance is Undercover activity, which involves direct interaction with the subject of an investigation. To conduct this activity in Law Enforcement the individual needs both Undercover Training and Advanced OSINT training, however, private companies may work to a lower standard. For any account created where this level of activity is required, there should be attempts made to support the building of a legend. You no longer just need an account that doesn't get deactivated but will need one that looks like it belongs to a real person under close scrutiny. An account with a strong legend will be at least 6 months old, will have a profile picture and will contain details such as hometown filled out. Active accounts generally post, so yours should too. You should also have as many “friends” or “followers” from acceptable accounts as possible. However, remember that you can't just ask everyone to be your friends, you must only accept friend requests or add other covert accounts to support legend building, as long as this activity is authorised by your organisation.