Social Media Primer for Investigators


Authors' Note: Headlines repeatedly cite the dangers of victims posting sensitive information online, and the amount of information posted daily which criminals can misuse is nothing short of staggering. It is imperative for investigators to understand the information being routinely posted, the technology involved and common posting practices. Understanding the social media websites used in popular culture may enable law enforcement to use these same websites as investigative tools.

This article examines the methods and technology typically used by the public that are readily available to law enforcement if they make Internet based research a standard part of their investigations.

Investigators are in the people business. They always have been. A pen and notebook are considered to be essential to any investigator who gathers information. With the advancements in personal computing, the Internet, social media and smart phones, these items are now just as critical as a pen and notebook when it comes to documenting personal information about suspects, witnesses, family or friends.

Computers are now utilized in conjunction with every imaginable crime and will become even more entwined in the future due to the wide spread use of cyber technology in modern life.  As part of this phenomenon, law enforcement investigators should be familiar with the popularity of social networking, its uses and abuses and understand that the actual user figures are unprecedented.

Starting with targeted age groups, most police arrests occur within the 18-29 year old age group. According to 2009 statistics from the FBI Uniform Crime Report, young adults ages 18-29 comprised 44% of all arrests, whereas adults ages 30 and older comprised 42% of all arrests (Federal Bureau of Investigation, 2010).

Combined with this information, investigators should note as of 2009, 72% of young adults ages 18-29 have at least one social networking profile, and 47% have a public profile available for viewing by anyone on the Internet (Cox Communications, 2009).   The study published by Cox Communications noted users willingly provided personal information including their real age, photos of the user, current city, videos and pictures of the user and friends, cell phone numbers and email addresses. For older Americans, 47% of online adults ages 30 and older have an account on at least one social networking site (Lenhart, Purcell, Smith, & Zickuhr, 2010), and 52% of these adults have two or more different profiles.

While these two age groups possess nearly equal arrest rates, young adults are much more active in social networking than older adults and are more likely to have elaborate online contacts and viewable personal information.

Research Options
Cyber based inquiries have the ability to gather and display extensive personal information in seconds instead of days or weeks of record searches. Google searches were originally seen to be a vast improvement upon Internet searches of individuals who may have been cited on the web. Building upon the Google concept, searches via the Internet have been upgraded and expanded by Internet search sites like, which are known as social network aggregators. These aggregators scour data from many online as well as offline sources and report it back to the user. This type of service digs much deeper into information that isn't always viewable via a standard search.

Some of the information is free, but they also offer affordable subscription rates like $14.85 for a three month subscription, which provides the subscriber with the ability to research names, phone numbers, email addresses, usernames and associated friends. Entering a name into the search engine can result in routine reporting on the name, age, address, email addresses, gender, photos, videos, hobbies, economic health, estimated wealth, review of 86 social media sites, blog posts, family household make up, property details, maps, estimated value of property, politics, religion, education and occupation, family tree and neighborhood information. All of the information is publicly available, but the aggregator pulls from sources not routinely viewed or thought of when research is conducted on potential suspects.

In addition to Internet based search engines, the emerging platforms of choice for researchers are social networking websites, where users create a profile and upload content ranging from pictures, video, maps, and live check-ins. Some of the most popular social networking websites include Facebook, Twitter, Foursquare and Hi5.  Often, these sites encourage constant interaction, so other people can update and comment on a person’s profile, in near real time. This information can range from posting a link to an interesting article, music, photographs, videos and comments on the most important or banal moments of a person’s day-to-day life. The ease with which people can expose their private lives often results in over-sharing of private information, leaving users vulnerable to exploitation or attack.

“Profile” Of a Typical Cyberstalking Victim and Facebook
With such huge amounts of personal information being posted, it is a boon to cyberstalkers who want to gather intimate information with minimal risk while remaining anonymous.

Cyberstalking victims are similar to what we know as “normal” stalking victims; 83% of cyberstalking victims are women (Bocij, 2004). Most cyberstalking victims know their stalkers in real life. Relationships between the stalker and victim can include a current or former romantic partner, a suitor whose advances were rejected, and fans of a celebrity or well-known persons. Online dating and online flirting can also serve as catalysts to cyberstalking when the relationship does not progress as the stalker hopes.

How do cyberstalkers get the information? A study by Nicholas Kendrick and Shana Rakowsky at Georgetown University in 2009 examined how readily users would expose their profiles to unknown people. The researchers created two Facebook profiles in the Georgetown network with generic names and profile pictures that did not show faces. The two profiles sent out random friend requests, and 34% of users accepted this unknown request (Rakowsky & Kendrick, 2009). One hundred percent of these new “friend” profiles included identifying information such as photos, birthdate and current city. This data shows students, and young adults in general, will likely accept unknown requests and inadvertently provide information that makes them susceptible to cyberstalking.

Facebook is generally viewed as more “trustworthy” than other social networking sites, and this is because in the beginning it was more secure.  When the site launched in 2004, only students with .edu email addresses from certain schools could join, creating a small community.  Facebook gradually accepted all .edu addresses, then high school students, and now all people worldwide who claim to be at least 13.  As of May 2011, Facebook lists over 500 million users with their site. With this expansion, Facebook has become a ready source of information posted by users who feel protected, and who believe their use of Facebook is trustworthy. This false sense of security acts as a ready channel for online victimization and creates an atmosphere in which users do not feel obligated to keep their information private. News stories involving online stalking continue to cite Facebook as one of the frequent avenues of gathering data on a victim.

Cybercasing is the process of finding Global Positioning System (GPS) type geotagged or location based information about a subject from their online posts. It is possible with very little software or experience to track a subject’s location or past locations and activities (Friedland & Somner, 2010). Cybercasing is a growing trend which has been facilitated by using websites such as Twitter and Foursquare, which focus on posting a user’s location, and Picasa and Flickr, image-hosting websites which organize pictures by location. Investigators attempting to track a subject’s communication or travel patterns can employ cybercasing to find detailed information subjects have knowingly or unknowingly posted to the World Wide Web.

Geotagging, the hallmark of cybercasing, is the routine process of embedding digital photos with time and location information. A simple digital photo taken from various sources such as cell phone cameras with geotagging enabled can contain the time and GPS location where the photo was taken. Geotags are automatically embedded with most smartphone pictures from phones including iPhone, Android and Blackberry. From the factory, these camera phones have geotagging enabled by default, so if a user is aware of this function, they must navigate through several layers of menus to manually disable this function in order to prevent geotagging future pictures.

Just as humans have DNA that serves as a unique code, digital pictures have EXIF data.  EXIF, or Exchangeable Image File Format, is the metadata located inside the properties of a picture. EXIF files contain four main types of data: General, EXIF, GPS and TIFF.

General and EXIF data include color or gray scale ratings, pixel size, camera properties, focal length and shutter speed. If geotagging is enabled, the GPS data will list the latitude and longitude of where the photo was taken, accurate to within approximately 15 feet. TIFF data shows the exact date and time of when the picture was taken, as well as the make and model of the camera. This type of information can obviously help verify where a person was at the time a picture was taken or by the subject matter perhaps where they live, work or were they were at a certain time. TIFF data can also help investigations in obtaining warrants, since the make and model of the camera used to take the picture in question is listed with the file.

EXIF data can be viewed through free EXIF viewer plug-ins or applications on various Internet browsers. These viewers include “Exif Viewer” for Google Chrome, “FxIF” for Firefox, and “Opanda iExif” for Internet Explorer. Installed within minutes, users can simply right click on an image, select “View EXIF data,” and see any EXIF data included on the photo such as the latitude and longitude of where the photo was taken. Additional clicks can instantly bring up additional online resources like Google Maps, and graphically show the location in a variety of ways, including 360-degree panoramic street views taken from ground level in that area.

An Example
The picture provided was posted online by a celebrity who was apparently unaware of the risk posed by the amount of data embedded in the EXIF photo that traveled with the picture when it was posted to Twitter. A number of news stories documented this photo and explained how viewers could quickly establish the exact location of where the celebrity lived and extrapolate additional data about the celebrity’s life (Murphy, 2010).

Since these websites are openly accessible via the Internet, with little or no expectation of privacy, investigators or anyone else with Internet access can easily view the displayed data. Some sites require the viewer to have an account or profile before allowing access, however, users or investigators can create sham profiles to gain access to a subject’s profile.

Most websites require a valid email address to register; however, free unverified email accounts can be set up in minutes on Yahoo, Gmail or Hotmail using nebulous identifying information for this purpose. Once the investigator creates an account, he or she can enter whatever information they want in their profile and attempt to interact with other users of social media. For users who do have privacy blocks in place, they may still accept “friend” requests from complete strangers to build their social status. Once a “friend” is accepted, that person can view all of the content on the target’s media site. Looking at the results of Rakowsky’s study, where over one third of users accepted a random friend request, investigators could create an attractive profile and directly attempt to add a subject as a friend in order to gain access to information not shared with the entire Internet audience. Once allowed as a “trusted” or “accepted” friend, the investigator can see all of the user’s profile data, photos and connections to other listed friends.

Another technique can be utilized to avoid directly approaching a subject.  Indirect approaches starting with linking to friends of the target first can establish the new user as “trustworthy” and they may be shown as having friends in common and thus considered safer to interact with.

Privacy Settings: A Protection Measure Rarely Taken Seriously
Geotagging creates two main threats to user privacy. The first, and most important, is many users are simply unaware they are exposing their information. Users frequently do not know about the EXIF data in their cameras, or if they do know about it, do not bother to disable the feature before posting online.  Most smartphones from the factory enable geotagging by default. Users must manually disable location tracking in their phone to prevent their camera from embedding GPS data in the photos they take and upload.

On popular social networking websites, the default privacy settings may also leave users viewable and vulnerable. Facebook’s default privacy settings leave every aspect of a user’s profile except photos and wall posts as publicly viewable information. Twitter accounts are public by default. With both of these sites, the user must manually adjust the privacy settings in order to change their profile from public to more restrictive privacy. These are actions that few younger subscribers seem to understand or implement.

The second threat is the sheer amount of data available to stalkers online. The SANS institute conducted a study with the Internet Storm Center blog analyzing pictures from TwitPic, a website allowing users to post pictures to Twitter. The study analyzed 15,291 images at random from TwitPic. From these, over 10,000 images contained EXIF tags, 5,297 contained camera information, and 389 had GPS tags. Although the 2.5% of the sample seems like a small percentage, the amount of photos uploaded online each day is staggering and provides more than a sufficient amount of data for both stalking and other privacy attacks (Friedland & Somner, 2010).

Given the high volume of data available online, users are routinely reporting who they are, where they go and who else may have been involved all in a matter of hours.  Resources range from Foursquare, where users post where they are in real time, to Google Maps, which can corroborate potential addresses identified during the cybercasing process. Due to the rise of these location-based websites, cybercasing has evolved into a nearly effortless act.

Vulnerabilities in Popular Social Networking Sites
Facebook, one of the most popular social networking websites, and as cited above, has over 500 million active users (Facebook, 2011). The average user has 130 friends and posts 90 pieces of content (status updates, photos, videos, etc.) per month, with over 30 billion pieces of content shared site-wide each month. Users accessing Facebook on their mobile device are twice as active on Facebook as other Facebook users.

When setting up a new account, users are asked to fill in sensitive contact information for their profile, including physical addresses, birthdays, email accounts and phone numbers. Under the default privacy settings, this information is publicly displayed; around half of young adults will not change the privacy settings when creating their profile and entering contact information (Cox Communications, 2009).

Facebook Places is new online check-in system. The Places application registers where users are physically located.  Most locations, landmarks and businesses have public web based pages and users post that they are at a location by “checking in.”  In order to check in, Facebook determines the user’s location either by the IP address of their desktop computer or the GPS location being broadcast from their smartphone.  Once checked in, Facebook posts the user’s location on their wall (personal site) along with a link to the location’s public page.

The public page includes the address of the location, a map, directions of how to get to the location and when other associated friends checked into the location. This “check-in” is also posted on the News Feeds of all of the user’s friends ‘pages. Again, under the default privacy settings, a user’s wall is public, so anyone can see a user’s Places updates unless privacy settings are manually configured. In addition to announcing the subject’s location, it also automatically displays maps and turn-by-turn directions to the location.

Why would anyone use this application to track his or her own location? The answer may lie within popular psychology related to status and self importance, but there is another motivator. Money. Facebook Places allow business to provide financial incentives for users to check in. Checking in at a business through Facebook Places can result in the user receiving instant discounts at stores, or rewards for repeated check-ins. This incentive encourages users to check in at their favorite businesses as frequently as possible. The unintended consequences, of course, are documented patterns of behavior and times and typical routes taken, which are captured and displayed.

Despite the vulnerabilities cited above, Facebook’s default privacy settings have more privacy protection in place for uploaded photos than most social networks. Facebook does capture or upload EXIF data from photos being posted on the site. During the upload process, Facebook strips all EXIF data, so it is impossible to obtain any geo-tagged information from the pictures.

During the beginning of Twitter’s rise in popularity in 2008, it had nearly 2 million accounts. As of October 2010, Twitter had over 160 million accounts, with almost 500,000 new accounts created daily (Miller & Vega, 2010). The main purpose of Twitter is to post updates, or “tweets”, of up to 140 characters via either a user’s computer or mobile device. Twitter profiles are completely public by default, so anyone can see a user’s tweets even if they do not have a Twitter account. The user can, however, manually change their privacy settings to private so only those who send a request and are accepted can see the user’s tweets.

Unless disabled, Twitter uses either a computer’s IP address or a smartphone’s GPS to determine what neighborhood the user is tweeting from. This location information, while vague compared to the coordinates found in geotagged photos, is included in the tweet along with a map of the area.

The most alarming Twitter vulnerability, as mentioned above, lies with pictures.  Users can tweet pictures by uploading them to external sites such as and, which create the URL to their picture that can be included in the tweet. With these pictures, EXIF data is not stripped. Consequently, an EXIF viewer plug-in application will determine what EXIF data, if any, is included in the photo. Many tweets relate what a user is doing throughout the day, and digital pictures are often taken from various places a user visits on a regular basis. This can expose commuting patterns and the locations of homes and workplaces along with dates and times they frequent that location.

The number of photos containing GPS tags ranges from 1.3% to 2.5% of pictures posted at any given time (Friedland & Somner, 2010). While this is a small percentage, it is important to keep in mind Twitter has over 160 million accounts as of October 2010 and a half million new accounts being opened each day. This small percentage yields a high number of geotagged photos and the explosion of smartphone sales will also increase the amount of geotagged photos being posted by uninformed users in the future.

Foursquare, which boasts over 6 million users, is a rapidly expanding website which grew 3,400 percent in 2010 alone (Foursquare, 2011). The website shares the same function as Facebook Places, in which users “check in” to businesses and other locations through their smartphones. Unlike Facebook’s elaborate multimedia displays, Foursquare’s sole function is to allow users to check in. Foursquare encourages users to check in by allowing companies to provide financial incentives and reward loyal customers. The user who checks in the most over a 60-day period is titled the “Mayor” of the location. Companies such as Starbucks offer discounts to the “Mayor” of the particular location. This practice promotes constant check-ins, which creates detailed timelines of where a user is and what places the user typically frequents

Viewers do not need to have Foursquare accounts in order to track a person’s whereabouts. Combining technology, Foursquare users can link their Foursquare account to their Twitter, which could be publicly viewable. Thus, if a user checks in via Foursquare, which is linked to their Twitter account, Foursquare automatically sends out a tweet through the user’s Twitter account which identifies the user’s location, the address of the location and the link to the original Foursquare post. If a user’s Twitter profile is public, a viewer will be able to see where the Foursquare account holder checks in, regardless of the user’s privacy settings on Foursquare. This weakness exists across all major social networking sites, which allow users to “link” their profiles together, such as posting Tweets on a user’s Facebook wall. Imagine the treasure trove of information an investigator could gain from suspects who willingly post to these accounts and record their movements and life history during the time frame they were committing crimes. Then imagine this same information in the hands of those seeking to do harm to others.

Relevance for Investigators
How valuable would it be for a criminal to provide police with a timeline of their activities on a given day along with maps of where they traveled, shared their thoughts and feelings about the day’s events, provided names and photos of co-subjects they associated with and included GPS maps − all without an interrogation, surveillance or search warrants?

Social networking sites such as Facebook and Twitter have rapidly evolved into tools that are a transparent window to view user’s personal data and photos.  Along with global access, these public websites are freely and willingly updated and displayed by the users to include GPS data. Close monitoring of these websites becomes a method to learn whom a subject interacts with, the frequency of the interaction, and their habits, hobbies and routine patterns. Most importantly, there is no expectation of privacy with publicly posted information on these websites, and it is easily accessible even if the post is sent from abroad.

The Internet has rapidly evolved beyond anything Science Fiction could have conceived only a few short years ago. Social media has emerged as a new preferred method to “keep in touch” with other people. Nearly three quarters of young adults have profiles on social networking websites. Along with this high prevalence, teens and young adults also use these websites with a new and growing purpose. Posting on someone’s Facebook wall or sending them a tweet on Twitter holds just as much weight as communicating the same information in person. Texting became a huge part of young adults communicate on their cell phones, in recent years replacing phone calls. Social media continues this trend to make limited but frequent contact with peer or friend groups with little personal effort. This generation of computer and cell phone users has demonstrated they are extremely comfortable with cyber-based postings and the continued use is not only guaranteed, but ever expanding. It is imperative investigators look at social media and online posts as investigative tools. If they do not, they risk missing a substantial percentage of the widely accepted basic communication of people in the 18-29 year old age group.

This type of communication is incredibly socially acceptable; perpetrators freely post incriminating pictures, videos and personal information without seemingly realizing the implications. Searching for personal information on these websites is becoming a common business practice, with corporations reviewing profiles of potential applicants to find evidence of their character.

Who could have anticipated one day criminals would be sharing their innermost thoughts, beliefs, habits, friends’ names, photos and travel patterns with GPS maps and date and time stamps included on publicly viewable sites? The potential sources of criminal intelligence may be limited only by an investigator’s imagination and a suspect’s desire to be online “friends.”
Bocij, P. (2004). Cyberstalking: Harassment in the Internet Age and How to Protect Your Family. Santa Barbara, CA: Praeger.

Cox Communications. (2009). Teen Online & Wireless Safety Survey: Cyberbullying, Sexting and Parental Controls. Cox Communications Teen Online and Wireless Safety Survey in Partnership with the National Center for Missing and Exploited Children. Cox Communications.

Facebook. (2011). Statistics. Retrieved from Facebook:

Federal Bureau of Investigation. (2010). Crime in the United States 2009. Washington, DC.

Foursquare. (2011, January 24). So we grew 3400% last year... Retrieved from Foursquare:

Friedland, G., & Somner, R. (2010). Cybercasing the Joint: On the Privacy Implications of Geo-Tagging. Berkeley University, International Computer Science Institute. Berkeley University.

Lenhart, A., Purcell, K., Smith, A., & Zickuhr, K. (2010). Social Media & Mobile Internet Use Among Teens and Young Adults. Pew Research Center, Pew Internet & American Life Project. Washington, DC: Pew Research Center.

Miller, C. C., & Vega, T. (2010, October 10). After Building an Audience, Twitter Turns to Ads. Retrieved from New York Times:

Murphy, K. (2010, August 11). Web Photos That Reveal Secrets, Like Where You Live. Retrieved from New York Times:

Rakowsky, S., & Kendrick, N. (2009). Cyberstalking: The susceptibility of college students due to participating in social-networking sites. Unpublished manuscript, Georgetown University, Department of Psychology, Washington, DC.

TeleGeography. (2010). Global Internet Geography Executive Summary. Washington, DC: PriMetrica, Inc.


Using Emojis as Evidence

Recent cases involving the text characters and pictures have been used to convict

CASE STUDY: 4 Departments Evaluate Mobile Data Computers Over 10 Years

In this photo taken Thursday, March 12, 2015, Seattle police officer Debra Pelich, right, wears a video camera on her eyeglasses as she talks with Alex Legesse before a small community gathering in Seattle. The camera is attached to a battery pack and controls on the officer's uniform. As police departments struggle with police body camera videos, the Seattle police, under the direction of new Chief Kathleen O'Toole, are voluntarily putting blurry, silent versions of the videos on YouTube, giving the curious a chance to see what they entail while also protecting the privacy of those depicted. (AP Photo/Elaine Thompson)

States Place Limits on Body Camera Videos

Legislators introduce bills limiting what can be recorded and what can be released.

On the Water

Cincinnati PD uses HD cameras to improve public safety along the Ohio River

Secret Service Tests Drone Flights, Disruptions

Agency faces a new challenge in protecting the President and White House.

Predictive Policing Software

Helping agencies tackle crime trouble spots & trends