Criminal Network Investigation - Rasmus Rosenqvist Petersen
Criminal Network Investigation:
Processes, Tools, and Techniques
Ph.D. dissertation (revised version)

Author: Rasmus Rosenqvist Petersen
The Maersk Mc-Kinney Moller Institute, University of Southern Denmark
Campusvej 55, Odense, Denmark
rrp@mmmi.sdu.dk

Supervisor: Uffe Kock Wiil
The Maersk Mc-Kinney Moller Institute, University of Southern Denmark
Campusvej 55, Odense, Denmark
ukwiil@mmmi.sdu.dk

May 13, 2013

Committee members:
Kasper Hallenborg, The Maersk Mc-Kinney Moller Institute, University of Southern Denmark
Patricia L. Brantingham, School of Criminology, Simon Fraser University
Kaj Grønbæk, Department of Computer Science, Aarhus University
Abstract

Criminal network investigations such as police investigations, intelligence analysis, and investigative journalism involve a range of complex knowledge management processes and tasks. Criminal network investigators collect, process, and analyze information related to a specific target to create intelligence products that can be disseminated to their customers. Investigators deal with an increasing amount of information from a variety of sources, especially the Internet, all of which are important to their analysis and decision-making process. But information abundance is far from the only or most important challenge for criminal network investigation, despite the massive attention it receives from research and media. The investigation process, the context of the investigation, human factors such as thinking and creativity, and political decisions and laws are all challenges that could mean the success or failure of criminal network investigations.

Information, process, and human factors are challenges we find to be addressable by software system support. Based on those three challenges we formulated our hypothesis for tool support and analyzed problems related to each individual challenge. Our response to these problems is a list of research focus requirements to guide our development of new processes, tools, and techniques that ultimately would reduce the impact of the challenges and support the hypothesis. We propose hypertext as the key technology to bridge human and tool related requirements and provide integrated support for both, resulting in increased capabilities that ultimately will create a synergy effect useful for criminal network investigation.

We create a target-centric process model (acquisition, synthesis, sense-making, dissemination, cooperation) encouraging and supporting an iterative and incremental evolution of the criminal network across all five investigation processes. The first priority of the process model is to address the problems of linear process models, which introduce compartmentalization that reduces the sense of responsibility and causes information to deteriorate as it passes through compartments. We have developed a list of criminal network investigation tasks encapsulating the work within each process, selected based on their contributions to the success of investigations.

Basic criminal network investigation concepts have been developed and tested using proof-of-concept prototyping, resulting in generic software components for tool support of criminal network investigation. We have used these components to build CrimeFighter Investigator, iteration by iteration, embracing the concepts embedded in the components. We analyze, design, and demonstrate support of individual criminal network investigation tasks for each of the five processes, and we also describe the deployment of CrimeFighter Investigator in scenarios that span multiple processes and tasks. We have used three methods to evaluate CrimeFighter Investigator: capability comparisons, end user interviews, and measures of performance. We have found that our evaluation methods provide good coverage of the research focus requirements. When summarizing the evaluation of the requirements, we found strong support of most and medium or weak support of few. In general, our evaluation showed that we had focused on the right challenges, and the interdependency of the requirements made it clear that a narrower focus, leaving out one of the challenges, would have provided much less support.

We can conclude that all indicators point toward support of the hypothesis: addressing the challenges of information, process, and human factors by providing tool support based on advanced software technologies is a useful tool for investigators, as it increases the capabilities of both human and tool, thereby reducing the impact of the challenges. Rather than focusing on the inner workings of network analysis techniques, we have worked toward supporting end user interactions with techniques, to achieve better investigation results. We consider our results to represent guidelines for how to conduct research of tool support for criminal network investigation.
To my father
for his insistent fight to live

To my mother
for fighting alongside her husband, my father
Preface to revised version

This dissertation is the result of three years of Ph.D. studies. The work was carried out from September 1st, 2009 to September 30th, 2012. The initial version was submitted October 1st.

This revised version is based on feedback from my Ph.D. committee members Patricia L. Brantingham, Kaj Grønbæk, and Kasper Hallenborg. Furthermore, working in the network visualization and analysis industry changed my views on the importance and power of visualization. But the foundation of my research is still the same: structure domains, agile processes, and human cognition. Finally, ideas have kept emerging and evolving after the initial version was submitted.

Happy investigation . . .

The Maersk Mc-Kinney Moller Institute
University of Southern Denmark, Odense
Rasmus Rosenqvist Petersen
May 13, 2013
Acknowledgments

First of all, thanks to everybody at the Maersk Mc-Kinney Moller Institute (University of Southern Denmark): professors and lecturers, for their academic advice and encouragement to continue my research; secretaries, for helping me out on numerous occasions and without whom no one at the institute would get anything done. To my fellow Ph.D. students, with whom I have spent countless hours at the foosball table or discussing foreign politics and cultural differences and similarities over a cup of chai, coffee, or beer: shukria, dhanyavaad, gracias, tak, . . . thank you!

A special thanks goes to my supervisor, Professor Uffe Kock Wiil, who has guided and supported the basic ideas of my research over the past five years. He has always taken the time to provide constructive feedback whenever I was doubtful about which direction to take, even after becoming project manager for the largest grant in the history of our university. Thank you Uffe, for always supporting my ideas and guiding me if I was about to get lost in some case, theory, or book - I have learned a lot from your approach to research, and I hope to one day achieve your sense of information and structure.

I have been fortunate to make two 1-month visits to international research institutions: at Imperial College in London, I worked closely with Dr. Christopher J. Rhodes, developing CrimeFighter Investigator support for inference-based prediction. Thank you Chris, and everybody else at Imperial College, for showing me around, introducing me to Indian pale ale, and always being willing to help. Also thank you to the Research Councils United Kingdom, Institute for Security Science and Technology (Imperial College) and the United Kingdom Ministry of Defense for supporting the work and publication of a paper on node removal. At University of Hof in Bavaria, I worked closely with Dr. Claus Atzenbeck, director of Institute for Information Systems (iisys), primarily focusing on domain analysis and discussions of how to design usability experiments. Thank you Claus, and everybody else at iisys, for welcoming me and showing me various aspects of Bavarian life. Also thank you to Claus for writing several knowledgeable papers related to criminal network investigation.

The places that I have worked on my dissertation around the world, and the friends living in those places, deserve a special thanks; it has been incredibly motivating and inspiring for me. Unfortunately, the list is too long to mention everybody and everywhere here. To everyone not mentioned: thank you!

My Ph.D. dissertation builds upon previous publications in hypertext and security informatics conference proceedings, one accepted security informatics journal paper, and one accepted computational approaches to counterterrorism handbook chapter. I am thankful to the numerous reviewers who have helped me improve my work by giving useful and insightful comments on submitted manuscripts.
Resumé

Investigations of criminal networks carried out by police, intelligence analysts, and investigative journalists involve a range of complex processes and tasks related to the handling of knowledge. Criminal network investigators collect, process, and analyze information related to a specific intelligence requirement in order to create intelligence products that can be reported to the customer who formulated the requirement. Investigators must handle an increasing amount of information from many different sources, especially the Internet, all of which can be important to the investigators' analysis and decision-making process. But an abundance of information is far from the only or the most important challenge in connection with criminal network investigation, despite the massive attention that "the large amounts of information" receive in the research community, in the media, and elsewhere. Challenges such as the intelligence cycle (the process), the context of an investigation, human factors such as problem solving and creativity, and political decisions and the resulting legislation are all challenges that can mean success or failure for an investigation.

Information, process, and human factors are investigation-related challenges that can be addressed by means of software systems. Based on these three challenges we formulated our hypothesis for tool support and analyzed specific problems related to each individual challenge. Our response to these problems is a list of research requirements that can guide our development of new processes, tools, and techniques that ultimately will reduce the impact of the challenges and support the hypothesis. We propose hypertext as the core technology that can bridge the human- and tool-related requirements we have for our research, in order to offer integrated support for both, resulting in increased capabilities that will create a synergy effect in connection with criminal network investigation.

We create a requirement-centric process model that involves collection and processing, synthesis and understanding (together, analysis), reporting, and cooperation. It is a process model that encourages and supports an iterative and incremental evolution of the criminal network across all five investigation processes. The first priority of the process model is to address the problems that linear process models introduce into investigative work, primarily separations in the process, which reduce the investigators' sense of responsibility for the investigation and degrade information as it passes through the process separations (a separation can be between two departments in an organization or, for example, between two intelligence services). We have developed a list of investigation tasks that encapsulate the work within each individual process. The tasks are selected based on their potential contribution to a well-executed investigation.

Basic concepts for criminal network investigation have been developed and tested using so-called proof-of-concept prototypes, which has resulted in generic software components for tool support of investigation. We have used these components to build CrimeFighter Investigator, iteration by iteration, thereby embracing the concepts embedded in the components. We analyze, design, and demonstrate support of individual investigation tasks for each of the five processes mentioned, and we also describe the use of CrimeFighter Investigator in scenarios that involve multiple processes and tasks. We have used three methods to evaluate CrimeFighter Investigator: comparison of task and model support, end user interviews, and various metrics that can measure the effectiveness of algorithm-based analysis techniques in several areas. Using diagrams, we have summarized the relations between investigation tasks and the research requirements we set up; we found that the three evaluation methods provided good coverage of these requirements. When we summarize our evaluation of the research requirements, we find that many are well supported, while few are moderately or weakly supported. In general, our evaluation shows that we have focused on the right challenges, and that the interdependency between the research requirements made it clear that, had we chosen a narrower focus, for example by leaving out one of the challenges, it would have resulted in poorer support of the remaining requirements.

We can conclude that all indicators point toward support of the hypothesis we have posed: if the challenges of information, process, and human factors are addressed by tool support based on advanced software technologies, the result will be a useful tool for investigators, as it increases the capabilities of both humans and tool, and thereby reduces the influence the challenges would otherwise have. Instead of focusing on specific algorithm-based techniques for network analysis, we have worked toward supporting the end user's (the investigator's) interaction with and control of such analysis techniques, with the aim of achieving better investigation results. We consider our results to be guidelines for research into software tools that support criminal network investigation.
Contents

Preface
Acknowledgements
Resumé

I Introduction and method

1 Introduction
1.1 Myths and disclaimers
1.2 Challenges
1.2.1 Selecting challenges
1.2.2 Research focus
1.3 Theory and technology
1.4 CrimeFighter toolbox
1.4.1 CrimeFighter Investigator within this framework
1.5 Dissertation structure
1.5.1 Reading directions

2 Method
2.1 General Ph.D. approach
2.2 Software development methodology
2.2.1 Prototyping reviewed
2.2.2 Proof-of-concept prototyping
2.2.3 Software baseline and evolution
2.3 Empirical evidence
2.3.1 Case study research
2.4 Ph.D. study program
II The domain

3 Criminal network investigation
3.1 Criminal network?
3.1.1 Criminal networks and other networks
3.1.2 The emergence and evolution of criminal networks
3.1.3 The strengths and weaknesses of criminal networks
3.1.4 Pre- and post-crime criminal networks
3.1.5 Ethical aspects
3.2 Structures
3.2.1 Basic entities
3.2.2 Organizational (meta) structures
3.2.3 Smaller (sub) structures
3.3 Linear
3.3.1 Intelligence failures
3.4 Target-centric
3.5 Cases
3.5.1 The Daniel Pearl investigation
3.5.2 The hunt for Khalid Sheikh Mohammed
3.5.3 Homicide investigations
3.5.4 Organized drug crime investigation
3.6 Summary
3.6.1 Policing
3.6.2 Counterterrorism
3.6.3 Investigative journalism

4 Related work
4.1 Commercial tools
4.1.1 Analyst's Notebook 8.5
4.1.2 Palantir Government 3.0
4.1.3 Xanalys Link Explorer 6.0
4.1.4 COPLINK
4.2 Research prototypes
4.2.1 The Sandbox
4.2.2 POLESTAR
4.2.3 Aruvi
4.2.4 Dynalink
4.3 Investigative journalism tools
4.3.1 Namebase.org
4.3.2 Mindmeister
4.3.3 Simple tools
4.4 Summary

5 Theory and technology
5.1 Hypertext
5.1.1 Associative structures
5.1.2 Spatial structures
5.1.3 Taxonomic structures
5.1.4 Issue-based structures
5.1.5 Annotation and meta data structures
5.1.6 Structural computing
5.2 Semantic web
5.3 Information science
5.4 Human cognition
5.4.1 Two types of creativity
5.4.2 Case: Besheer and Pellegrino
5.4.3 Representational structures for human cognition
5.5 The creative process
5.5.1 History of creative process models
5.5.2 Are more heads better than one?
5.5.3 The life cycle of creative endeavors
5.5.4 Summary
5.6 Simple tools
5.6.1 Agile modeling
5.7 Case-studies of individuals
5.7.1 Omar Saeed Sheikh
5.7.2 David Coleman Headley
5.7.3 Summary
5.8 Intelligence
5.8.1 Intelligence and information
5.8.2 Open source intelligence and secret intelligence
5.9 Mathematical models
5.9.1 Social network analysis
5.9.2 Prediction
5.9.3 Other mathematical models
5.10 Ethics
5.10.1 Ethical impact
5.10.2 Denmark and terrorism
5.11 Trust and user acceptance
5.12 Interaction and visualization
5.12.1 Interaction
5.12.2 Visualization
5.13 Summary

6 Problem definition
6.1 Information
6.1.1 Research focus (requirements)
6.2 Process
6.2.1 Research focus (requirements)
6.3 Human factors
6.3.1 Research focus (requirements)
6.4 Summary

III The tool

7 Process model and tasks
7.1 Process model
7.2 Tasks
7.2.1 Acquisition
7.2.2 Synthesis
7.2.3 Sense-making
7.2.4 Dissemination
7.2.5 Cooperation
7.3 Summary

8 Software components
8.1 Conceptual model
8.1.1 Entity layers
8.1.2 Information element designs
8.1.3 Relation designs
8.1.4 Composite designs
8.2 Computational model
8.2.1 Entity association design
8.3 Concepts and components
8.4 Component requirements
8.4.1 Entity requirements
8.4.2 History requirements
8.4.3 Algorithm requirements
8.4.4 Datafile requirements
8.5 Component design
8.5.1 Entity
8.5.2 History
8.5.3 Algorithm
8.6 Summary

9 Acquisition
9.1 Analysis
9.1.1 CONCEPT: Storage
9.1.2 TASK: Acquisition methods
9.1.3 TASK: Dynamic attributes
9.1.4 TASK: Attribute mapping
9.2 Designs
9.2.1 TASK: Acquisition methods
9.2.2 TASK: Dynamic attributes
9.2.3 TASK: Attribute mapping
9.3 CrimeFighter Investigator
9.3.1 TASK: Acquisition methods
9.3.2 TASK: Dynamic attributes
9.3.3 TASK: Attribute mapping

10 Synthesis
10.1 Analysis
10.1.1 CONCEPT: View
10.1.2 CONCEPT: History
10.1.3 TASK: Create, delete, and edit entities
10.1.4 TASK: Create, delete, and edit associations
10.1.5 TASK: Restructuring
10.1.6 TASK: Grouping
10.1.7 TASK: Collapsing and expanding
10.1.8 TASK: Information types
10.2 Designs
10.2.1 CONCEPT: View
10.2.2 CONCEPT: History
10.2.3 TASK: Create, delete, and edit entities
10.3 CrimeFighter Investigator
10.3.1 CONCEPT: View
10.3.2 CONCEPT: History
10.3.3 TASK: Create, delete, and edit entities
10.3.4 TASK: Restructuring
10.3.5 TASK: Grouping

11 Sense-making
11.1 Analysis
11.1.1 CONCEPT: Algorithm
11.1.2 CONCEPT: Structural parser
11.1.3 CONCEPT: History
11.1.4 TASK: Retracing the steps
11.1.5 TASK: Creating hypotheses
11.1.6 TASK: Adaptive modeling
11.1.7 TASK: Prediction
11.1.8 TASK: Alias detection
11.1.9 TASK: Exploring perspectives
11.1.10 TASK: Decision-making
11.1.11 TASK: Social network analysis
11.1.12 TASK: Terrorist network analysis
11.2 Designs
11.2.1 CONCEPT: Algorithm (sense-making work flows) . . . . . . . . . . . . . . 181<br />
11.2.2 TASK: Creating hypotheses . . . . . . . . . . . . . . . . . . . . . . . . . . . 183<br />
11.2.3 TASK: Adaptive modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184<br />
11.2.4 TASK: Alias detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186<br />
11.2.5 TASK: Exploring perspectives . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
11.2.6 TASK: Social network analysis . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
11.3 CrimeFighter Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
11.3.1 CONCEPT: Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188<br />
11.3.2 CONCEPT: Structural parser . . . . . . . . . . . . . . . . . . . . . . . . . . 189<br />
11.3.3 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194<br />
11.3.4 TASK: Retracing the steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 195<br />
11.3.5 TASK: Creating hypotheses . . . . . . . . . . . . . . . . . . . . . . . . . . . 195<br />
11.3.6 TASK: Adaptive modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196<br />
11.3.7 TASK: Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196<br />
11.3.8 TASK: Decision-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199<br />
11.3.9 TASK: Social network analysis . . . . . . . . . . . . . . . . . . . . . . . . . 199<br />
12 Dissemination<br />
12.1 Analysis<br />
12.1.1 Storytelling<br />
12.1.2 Report generation<br />
12.2 Designs<br />
12.2.1 Storytelling<br />
12.2.2 Report generation<br />
12.3 CrimeFighter Investigator<br />
12.3.1 Storytelling<br />
12.3.2 Report generation<br />
13 Cooperation<br />
13.1 Analysis<br />
13.2 CrimeFighter Investigator<br />
14 Work flow support<br />
14.1 Adaptive modeling<br />
14.1.1 Modeling jihadist terrorist cells in the UK and Europe<br />
14.1.2 CrimeFighter Investigator model and rules<br />
14.1.3 Demonstrating the need for rule-based model adaption<br />
14.1.4 Discussion<br />
14.1.5 Conclusions and future work<br />
14.2 Node removal<br />
14.2.1 Conclusions and future work<br />
14.3 Investigating linkage<br />
14.3.1 The work flow scenario<br />
14.3.2 Summary
14.3.3 Conclusions and future work<br />
14.4 Summary of deployments<br />
IV Evaluation and conclusion<br />
15 Evaluation<br />
15.1 Post-crime data and information<br />
15.1.1 Comparing post-crime and real-time data<br />
15.2 End-user interviews<br />
15.2.1 Alex Strick van Linschoten (Trafalgar Square, London)<br />
15.2.2 British home office<br />
15.2.3 Summary<br />
15.3 Capability comparisons<br />
15.3.1 Criminal network investigation task support<br />
15.3.2 Capability comparison of the computational model supported<br />
15.4 Measures of performance<br />
15.4.1 Extended centrality<br />
15.4.2 Predict missing links algorithm<br />
15.5 Summary<br />
15.6 Discussion<br />
15.6.1 Visualization or visual filtering<br />
15.6.2 End user involvement<br />
15.6.3 Discussing end user interviews<br />
15.6.4 Discussing capability comparisons<br />
15.6.5 Discussing measures of performance<br />
16 Conclusion<br />
16.1 Summary<br />
16.2 Requirements, challenges, and hypothesis<br />
16.2.1 Requirements<br />
16.2.2 Challenges<br />
16.2.3 Hypothesis<br />
16.3 Contributions<br />
16.4 Future work<br />
16.4.1 Literature reviews<br />
16.4.2 Future software development<br />
16.4.3 Future evaluation<br />
A Publications and other work<br />
A.1 Published papers<br />
A.2 Unpublished papers and manuscripts<br />
A.3 Presentations<br />
A.4 Previously published
B DDIS web documents<br />
B.1 Efterretningskredsløb<br />
B.2 FE foretager omprioriteringer
Part I<br />
Introduction and method<br />
CHAPTER 1<br />
Introduction<br />
First, the taking in of scattered particulars under one Idea so that<br />
everyone understands what is being talked about . . . Second, the<br />
separation of the Idea into parts, by dividing it at the joints, as<br />
nature directs, not breaking any limb in half as a bad carver might.<br />
Plato, Phaedrus, 265D, as quoted in [8].<br />
A criminal network investigation is an investigation of a criminal network. Pardon the tautology,<br />
but this repetition is important, as it can be tempting to reduce criminal network investigation<br />
to simply networked information; but investigation is a process, and a criminal network is information<br />
from a particular network domain. A criminal network is a special kind of network,<br />
often emphasizing both secrecy and efficiency, depending on the purpose of the network; it is<br />
a complex system of entities that are associated directly (e.g., using links) or semantically (e.g.,<br />
using visual symbols or co-location). Basically, a criminal network is information entities and their<br />
associations from a specific network domain, forming information structures.<br />
Criminal network investigations such as police investigations, intelligence analysis, and investigative<br />
journalism involve a range of complex knowledge management processes and tasks. Criminal<br />
network investigators collect, process, and analyze information related to a specific target to create<br />
products that can be disseminated to their customers. Investigators deal with an increasing<br />
amount of information from a variety of sources, especially the Internet, all of which are important<br />
to their analysis and decision making process. But information abundance is far from the only<br />
or most important challenge for criminal network investigation, notwithstanding the attention it<br />
receives in research and media. Challenges such as the investigation process, the context of the<br />
investigation, human factors such as thinking and creativity, and politics etc. can all decide the<br />
success or failure of criminal network investigations.<br />
Knowledge about the structure and organization of criminal networks is important for both investigation<br />
and the development of effective strategies to prevent terrorist attacks and organized<br />
crime. Theory from the knowledge management field plays an important role in dealing with<br />
criminal network information. Knowledge management processes, tools and techniques can help<br />
criminal network investigators in various ways, when trying to make sense of the vast amount of<br />
data being collected. The CrimeFighter toolbox is an initiative at The Maersk Mc-Kinney Moller<br />
Institute started in 2009. CrimeFighter provides advanced software tools and mathematical models<br />
to assist criminal network investigators in harvesting, filtering, storing, managing, analyzing,<br />
structuring, mining, interpreting, and visualizing terrorist information.<br />
Criminal network investigators merge and organize pieces of information from different sources<br />
in order to reason about them and support their decision making process. The structure of<br />
the relationships between these pieces of information is fragile by nature, since new information<br />
may change it substantially. Besides supporting the emergent nature of incoming information,<br />
such structures should also be an appropriate medium for communicating with others. This<br />
includes keeping track of previous discussions, representing their evolution, and permitting various<br />
parallel versions that occur by following different directions of thought. Finally, their presentation<br />
should foster awareness and permit notification services that inform the analyst about potential<br />
unseen and non-obvious connections beyond the borders of individual information sources [20].<br />
When investigators work with this type of information, following a target-centric and iterative<br />
process would encourage and support the continuous restructuring of the information and the<br />
communication with other investigators by making everybody stakeholders of the investigation,<br />
building a network of information around their target, in a shared information space. Despite<br />
the many iterations over the information and structure, interpretations and decisions must be<br />
maintained. To solve the type of complex problem that a criminal network investigation can be,<br />
the investigator must cooperate with their tools during investigations. The investigator must be the<br />
decision maker (especially in low probability situations), while algorithms should be responsible for<br />
routine calculations. The investigator will fill in the gaps, either in the final intelligence product<br />
or in the tool, when the tool has a technique or work flow that is applicable in a particular<br />
circumstance [130].<br />
This dissertation is the result of three years of Ph.D. studies (with 18 months allocated to research),<br />
toward the analysis, design and implementation of CrimeFighter Investigator, a criminal<br />
network investigation tool addressing information, process, and human factors challenges in criminal<br />
network investigation. The remainder of this chapter is organized as follows: we start out by<br />
debunking a number of myths about work focused on tool support for criminal network analysis;<br />
myths that we have encountered during our research. We would like to present our view on these<br />
myths to the reader, to sort out any confusion from the start (Section 1.1). Having introduced<br />
the domain criminal network investigation above, we move on to defining the challenges for this<br />
domain, and based on an analysis, we select those challenges that a software systems engineer can<br />
address, and we discuss why these challenges will benefit from software system support (Section<br />
1.2). We move on to present the theory and technology that has underpinned our work (Section<br />
1.3). We describe the CrimeFighter toolbox, and how CrimeFighter Investigator fits into that<br />
framework (Section 1.4) and provide our readers with an overview of the dissertation structure (Section<br />
1.5). Finally, we provide reading directions based on the expected areas of interest in Section<br />
1.5.1.<br />
1.1 Myths and disclaimers<br />
We find it necessary to start by debunking a couple of myths, in order to explain what this<br />
work is not about 1 . After 9/11 (2001), having recognized that some important leads had been<br />
missed prior to the attacks, it was decided that all information was now important and had to<br />
be investigated [146]. In that situation, it was not only the Internet that caused the information<br />
overload, especially since a lot of the information was not open source intelligence, but secret<br />
intelligence, human intelligence, tips from citizens and interrogations of suspects, etc. The goal<br />
was to find out where the next attack would be, which was why the Central Intelligence Agency<br />
(CIA) was put in charge of the terrorism related affairs. But this decision did not help the<br />
investigation to find those involved in the 9/11 (2001) attacks.<br />
This desire not to miss any (potential) lead created a demand for tools that could take all the<br />
(often unprocessed) information and tell the user who the key players are. For 11 years researchers<br />
have been trying to provide such a tool without success 2 . But why has this effort failed? Mainly<br />
because of a desire to simplify the world too much and in the wrong way, in order to create a single<br />
red emergency button for providing simple answers to complicated questions, such as “who did<br />
it?” or “who are going to do it?”. That is simply a wrong approach undermining the very nature<br />
of criminal network investigation. That is the first myth we would like to debunk, formulated as<br />
a question to us (and other researchers in the field):<br />
Myth #1 Isn’t your ultimate goal to create big red “who did it?” or “who are going to do it?”<br />
buttons, for world leaders and decision makers, to weed out the criminals?<br />
No, this has never been the objective of our work. We believe this myth is the result of one of<br />
two visions for artificial intelligence: the compelling vision that “human intelligence can be<br />
so precisely described, that it can be matched by a machine” [202]; a machine that thinks and<br />
creates new abstractions and concepts, just like living organisms [202]. But this vision has not<br />
yet been realized; the computer cannot detect complex patterns it has never seen [131]. The<br />
other vision for artificial intelligence focuses on the synergies between man and machine [131].<br />
It has been called human-computer symbiosis, and was initially described by Licklider in<br />
1960 [130], and summarized in a 2012 TED talk: “Licklider wanted humans and machines to<br />
cooperate. The idea is that humans are great at certain things, like creativity and intuition.<br />
Computers are great at calculation, scale, and volume. The idea is [. . . ] to take a human and<br />
make [him or] her more capable” [131]. The hypertext research community has developed<br />
many technologies for the “augmentation of human intellect” [62]. We propose hypertext<br />
technology as a bridge between humans and computers to leverage the above mentioned<br />
synergies to solve the complex problems associated with criminal network investigation.<br />
Myth #2 Shouldn’t you consider the ethics of what you are doing before applying social network<br />
analysis algorithms to decide who are criminals and who aren’t?<br />
Well, it has never been our goal to perform rode black box calculations on data sets, and<br />
then think that any criminal network investigator would use that information as his sole<br />
evidence of charging someone with something. As described above, we aim for cooperation<br />
between humans and computers (with the human as the controlling entity), bridging human<br />
intellect and computational power using hypertext technologies to benefit from the resulting<br />
synergies.<br />
Myth #3 Information overload is the key challenge for criminal network investigation?<br />
Sure, information overload (or abundance) is one of several problems for the challenge that<br />
information poses to criminal network investigation. But there are many important challenges<br />
(and related problems) for criminal network investigation to consider. Whether or<br />
not information overload is a problem depends on the nature of the information: How is it<br />
stored, does it contain many different entity types, etc.<br />
All of the above are myths and assumptions. It has always been our intention to understand the<br />
processes involved in the work of criminal network investigators, the structures of the criminal<br />
network information that investigators collect, process and analyze, and the human factors that<br />
decide the successes and failures of criminal network investigations. Our work has always been<br />
about that, and this dissertation is about that. Before continuing, we encourage our readers to<br />
study the following disclaimers as well:<br />
Disclaimer #1 While we have studied visualizations and layouts to some extent, this work does<br />
not focus on visualization. This causes some problems, as one reviewer has pointed out to<br />
us, “it is unfair to compare the strengths of one tool with the weaknesses of another tool” -<br />
a situation that occurs in Chapter 15, when we present a capability comparison of various<br />
representative tools. We do, however, discuss visualization (also in Chapter 15).<br />
Disclaimer #2 This is not a big data analytics project. While the aim might be the same, the<br />
means are not. In a recent talk, Chen (2012) stated a research aim of “leveraging big<br />
data analytics [for] delivery of a patient-centric decision support and patient empowerment<br />
solution” 3 . The general approach of the research was first to understand the information<br />
structures in a certain domain (e.g., health or security informatics), then create database<br />
tables to match these information structures before applying big data analytical methods.<br />
The understanding of information structures had taken two years for the health informatics<br />
domain. When asked after his talk, Chen admitted that this was indeed a somewhat static<br />
approach, in that if changes were made to the structures, all the data would have to be<br />
aggregated again before analytics could continue. Actually, Chen was facing a concrete<br />
challenge of transitioning from version 9 to version 10 of the international classification of<br />
diseases (ICD).<br />
Disclaimer #3 I am first and foremost knowledgeable in the domain of software systems engineering<br />
with a strong foundation in hypertext technologies. However, as it will be clear later<br />
on, a prerequisite to successful software development is understanding the domain. Taking<br />
a course on media and terrorism in the Middle East and participating in and giving a talk<br />
at an interdisciplinary conference on terrorism and new media has made it clear that I am<br />
not an expert in global jihad or radicalization processes. But it has made it possible for<br />
me to talk to people who are. Nor has reading books about organized crime or watching TV<br />
shows about criminals selling drugs made me an expert in these matters. But participation<br />
in the annual European international security informatics conference (EISIC) 2011 and 2012<br />
has provided me with new ideas and a network of people who work within that domain.<br />
And studying research areas such as human cognition, creativity, information science, social<br />
science, and so on, has not made me an expert in these areas either. But it has to some extent<br />
made me knowledgeable about the different areas of research and made it possible for me to<br />
talk with the real experts about it.<br />
1.2 Criminal network investigation challenges<br />
Criminal network investigations fail. The reasons for failure can be found in one or several challenges<br />
complicating criminal network investigation. Some sciences have been developing solutions<br />
for dealing with the root causes of crime, others have been developing tools and techniques to assist<br />
criminal network investigators. Computer science offers many techniques and software systems engineering<br />
has been building tools that assist investigators in applying those techniques to ongoing<br />
criminal network investigations. However, many challenges are also associated with developing<br />
support for a computer science technique and then having a criminal network investigator use it<br />
(e.g., an agency intelligence agent, a homicide detective, or a reporter), often resulting in tools<br />
and techniques that look good on paper but are actually not used during investigations:<br />
I typically use Analyst’s Notebook to generate a report for the state attorney handling<br />
the case in court. I do not use Analyst’s Notebook before I am done with my<br />
analysis. Statement (translated from Danish) by an intelligence analyst from the<br />
Danish security and intelligence service, who we met at an Analyst’s Notebook user<br />
conference 4 .<br />
Analyst’s Notebook is good for making visualizations but it has a very static feeling<br />
to it. Statement from Alexander Strick van Linschoten, a historian, investigative journalist,<br />
and an author of several books (e.g., [134]) at a meeting on Trafalgar Square,<br />
London.<br />
Based on cases and observations of criminal network investigation, contact with experienced end-users<br />
from various communities (see Section 15.2), examination of existing process models (see<br />
Sections 3.3 and 3.4) and existing tools for criminal network investigation (see Chapter 4) we<br />
maintain a list of criminal network investigation challenges. The list of challenges can be seen as a<br />
list of potential pitfalls that can cause criminal network investigation failure, either on their own,<br />
or in combination with other challenges; the list serves as the basis for our problem definition and<br />
research focus. The list is not exhaustive; we expect to uncover additional challenges over time.<br />
We divide criminal network investigation challenges into the following groups: information, process,<br />
context, human factors, tacit knowledge, management, and finally problems related to politics<br />
and legal framework. Some of these challenges are more relevant than others in terms of developing<br />
software tools supporting criminal network investigation. We therefore review them all here, but<br />
do not make a detailed review of political and legal framework challenges - we merely recognize<br />
that they are there.<br />
Information. Criminal network investigation challenges related to information are many, e.g.,<br />
the structure of the information is often emerging and evolving, i.e., no pre-defined structure<br />
can be applied to guide the analysis work. Information abundance and scarcity are other central<br />
problems. Finally, the information might be inconsistent and incomplete, showing variation in types<br />
of metadata or missing entities. The following quotes emphasize these problems:<br />
“No, there was no shortage of information. There was too much – a blizzard of it,<br />
a whiteout so complete investigators routinely lost their way in it.” - in the months<br />
after 9/11 FBI and CIA analysts received an “overpowering” amount of unprocessed<br />
intelligence, and the fear of the next attack made them “chase tens-of-thousands dead<br />
end leads” [146].<br />
We typically have much less data, or not so many attributes, as it was the case in<br />
the November 17 case you used - comment from intelligence analyst after presenting<br />
work on inference-based prediction at the British Home Office [167].<br />
Process. It has certain consequences whether the criminal network investigation follows a linear<br />
process model or a target-centric process model. Research on the linear intelligence cycle has shown<br />
it to define an “antisocial series of steps that constrains the flow of information [. . . ] and too often<br />
results in throwing information over the wall” [40], causing compartmentalization 5 [40, 113, 146].<br />
For security reasons, compartmentalization can seem compelling, since it provides organizations<br />
and departments complete control over the information they receive, and the information which<br />
they disseminate to the next link(s) in the chain. But the approach has received bad reviews in<br />
prominent commission reports [45, 110, 152, 153], which should weigh heavier than the desire for<br />
complete control.<br />
“With a better working methodology and a wider focus the Norwegian police security<br />
service (PST) could have tracked down the offender prior to July 22. However, the<br />
commission does not have the basis for arguing that PST thereby could have preempted<br />
the attacks.” - One of six main conclusions in the July 22 Commission’s report [153]. 6<br />
“The police has for 10 years isolated themselves and rejected all criticism. Norwegian<br />
police has been very closed and unwilling to change. The commission repeats<br />
criticism that has been raised many times before, but this time they can not reject it.”<br />
- translated comment by Professor Petter Gottschalk when interviewed about the 22<br />
July Commission’s report [78]. 7<br />
Context. The location of a criminal network investigation (e.g., country or neighborhood) can<br />
influence what technologies and tools are available for an investigation. If the country of the investigation<br />
has a high level of corruption, it can be hard to trust the information given by government<br />
officials, because their affiliations are not known. The organization leading an investigation can<br />
have a different approach to investigation, deeply rooted in their culture, making cooperation with<br />
others complicated. Two competing intelligence agencies could also inhibit investigative progress<br />
for one another. Simple things, like the control of surveillance cameras or the interception of cell<br />
phone calls, could mean an important difference in available intelligence. If the investigators and<br />
the criminals are at the same level in terms of technology and tools, the investigators are not likely<br />
to gain an advantage based on that.<br />
“Societies where there are strong professional law enforcement and intelligence<br />
forces are very different in their susceptibility to terrorist attack from societies where<br />
the police and security services are weak, corrupt or compromised.” - Woo (2009)<br />
comments on the difference in environments (or contexts) that criminal network investigations<br />
might have to navigate [252].<br />
“Here on the ground in Karachi [. . . ] the people conducting the raids and brushing<br />
off death threats do not have the most rudimentary printer, let alone computers, access<br />
to databases, cell phones. They don’t even have decent cars.” - Mariane Pearl on<br />
the technology available in Karachi, Pakistan, for the team investigating her husband’s<br />
kidnapping [162].<br />
Human factors. Knowledge about how human cognition and creativity help investigators solve<br />
problems is important for a better understanding of the human factors involved in criminal<br />
network investigation. There are also a number of important aspects when investigators solve<br />
crimes together: Because of the different professions, traditional ways of doing things, and<br />
personal knowledge (see below) of the members of the investigative team, it can be challenging to<br />
work with a shared target model, in a so-called common information space. When investigators<br />
use tools for criminal network investigation, the factors that make them trust the information that<br />
these tools provide are of course of high value (just as the factors that have the opposite effect).<br />
“The human mind does not work that way. It operates by association. With one<br />
item in its grasp, it snaps instantly to the next that is suggested by the association<br />
of thoughts, in accordance with some intricate web of trails carried by the cells of<br />
the brain.” - Bush (1945) denouncing that humans find information by traversing a<br />
complex hierarchical structure of classes [33].<br />
“One [type of creativity] is to be flexible and freely associating - the traditional understanding<br />
of creativity, and what might be called the artistic approach. The other type<br />
of creativity is to be persistent and focused – a more rational and conscious creativity,<br />
which we maybe could call the engineering approach” - interview with leading cognition<br />
researchers Carsten De Dreu and Bernard Nijstad about a model of two types of<br />
creativity [210].<br />
“Many researchers have attempted to explain the mass of evidence contradicting<br />
[the] claim that real group creativity is more effective than nominal group creativity.<br />
The three major explanations that have been explored thoroughly by the creativity community<br />
are the social influences of production blocking, evaluation apprehension and<br />
free riding.” - Warr and O’Neill (2005) commenting on the well documented fact that<br />
real groups (individuals working face-to-face) are actually less creative than nominal<br />
groups (individuals working independently) [239].<br />
Tacit knowledge. The kind of knowledge that investigators apply during investigations and<br />
which is learned through experience. It might be possible to document this knowledge, but during<br />
investigations it is often applied in an ad-hoc manner and cannot be quantified and then be disseminated<br />
to other investigators (and tool support is therefore also not possible). Interrogation is a<br />
prominent example of such tacit knowledge: asking the right questions, tricking the suspect or<br />
potential suspect by setting up traps that make them give up their secrets.<br />
“This, too, is role playing, and it requires a seasoned actor. If a witness or suspect<br />
is belligerent, you wear him down with greater belligerence. If the man shows fear, you<br />
offer calm and comfort. When he looks weak, you appear strong. When he wants a<br />
friend, you crack a joke and offer to buy him a soda. If he’s confident, you are more<br />
so, assuring him that you are certain of his guilt and are curious only about a few select<br />
details of the crime.” Simon (1991) on interrogation [204].<br />
Management. The capabilities of the individual investigator will have different impact on the<br />
decisions made by, e.g., the shift manager. The approach of the team manager can affect the<br />
outcomes of investigations: If the leader is playing the statistics game and adhering to what<br />
his superiors say, then maybe only certain types of cases are being solved. And if higher level<br />
management does not provide the investigative teams with the warrants, technology, tools, and<br />
general resources they need, it is certain to have an effect on the outcome of criminal network<br />
investigations.<br />
Politics and legal framework. What kind of resources do politicians make available for the<br />
criminal network investigation units? What legal framework do the investigators have to follow<br />
- is there even a framework of laws? Police and counterterrorism organizations are institutions of<br />
power, existing in a forced and ever-changing relationship with the media, the world of the investigative<br />
journalist and proliferation of terrorism, where the publication of a new lead as provided<br />
by an anonymous source can send ripples through those organizations, relocating resources and<br />
changing the focus from open investigations to current issues in order to protect the power of the<br />
leadership.<br />
1.2.1 Selecting challenges<br />
In order to select the challenges to work on we have positioned them in the matrix of criminal<br />
network investigation challenges as shown in Figure 1.1. The challenges are positioned on the<br />
y-axis based on their coupling with criminal network investigation compared to an institution or<br />
an environment. The challenges are positioned on the x-axis, based on an estimate of whether or<br />
not the challenge is quantitative and can be modeled, or if it is more internal and qualitative, not<br />
suitable for modeling.<br />
Of the seven listed challenges we choose the three in the upper left quadrant (information, process<br />
and human factors), as these are the challenge characteristics we find suitable for software<br />
system support. And more importantly, they are the challenges we believe that a software system<br />
would have the biggest impact on, in terms of criminal network investigation success. Proper<br />
management of investigators could be an important way to successful investigations, and even<br />
though it could be argued that resource management could be added to a software system, we<br />
find management to be too tightly coupled with the organization (e.g., intelligence service). And<br />
while the context of a criminal network investigation (as mentioned above) may be the reason for<br />
an unsuccessful investigation, and it could be argued that for example the level of corruption in a<br />
country where a crime is being investigated could be measured, we find context so tightly coupled<br />
with environments and so difficult to manage that the effect of software system support would not<br />
be beneficial or useful.<br />
We state the following general hypothesis based on the three selected criminal network investigation<br />
challenges:<br />
A software system addressing information, process, and human<br />
factors challenges would be a useful tool for assisting criminal<br />
network investigators in their work.<br />
1.2.2 Research focus<br />
We define a research focus for each of the problem areas we have decided to focus on, namely<br />
information, process, and human factors, to guide our work:<br />
1. Information: A basic understanding of criminal networks (types, cases, etc.) and criminal<br />
network information (complexities, structures, etc.) is required to define an appropriate<br />
conceptual model thereof. Related to that is a study of analytical techniques, to find those<br />
techniques suitable for criminal network complexities and structures.<br />
Figure 1.1: Matrix of criminal network investigation challenges. Along the y-axis is the degree of<br />
coupling to criminal network investigations vs. institutions or environments, and along the x-axis<br />
is an estimate of whether or not the challenge is quantitative and can be modeled, or if it is more<br />
internal and qualitative in nature, hence not suitable for modeling.<br />
2. Process: A criminal network investigation process must support the mechanisms required<br />
for successful investigation of criminal networks. The investigative process should not introduce<br />
compartmentalization and bureaucracy to please management or organizations, thereby<br />
inhibiting the natural flow and ultimately the success of the investigation.<br />
3. Human factors: Knowledge about the human factors involved in criminal network investigation<br />
is key to the development of a software system that truly supports criminal network<br />
investigation processes. Both in terms of how investigators solve problems cognitively and<br />
general consideration of interactions with information and algorithms required for criminal<br />
network investigation.<br />
In Sections 6.1.1, 6.2.1, and 6.3.1 our research focus is outlined based on the challenges presented<br />
here.<br />
1.3 Theory and technology<br />
At a 2010 conference on advances in social network analysis and mining<sup>8</sup>, a trend was observed:<br />
Network science is a multidisciplinary field of research at the intersection of computing, statistics,<br />
and the social and behavioral sciences. Keynote speaker of the conference, Stanley Wasserman,<br />
co-author of the often referred to book on social network analysis [240], based his talk on<br />
the following statement: The invasion of network science by computer scientists has produced<br />
much interesting, both good and bad research. Another keynote speaker, Chris Pallaris, director<br />
and principal consultant of i-intelligence, had the conference participants come full circle stating<br />
that the intelligence discipline is increasingly divided between analysts and technologists: the former<br />
struggle to grasp technology’s potential while the latter often fail to appreciate the human<br />
challenges associated with intelligence collection and analysis.<br />
Having established that network theory for criminal network investigation purposes is an interdisciplinary<br />
field of research, we began to think about how to bridge the gap between social and<br />
behavioral sciences, and computer science. We have divided software system support of criminal<br />
network investigation into a number of pillars, each representing a high-level functional or nonfunctional<br />
(sometimes it is a mix) software system requirement. The building blocks of the pillars<br />
are theories or technologies from various research areas. We introduce those pillars of theory<br />
and technology here (see Figure 1.2), and elaborate on them and present detailed reviews of each<br />
building block in Chapter 5.<br />
Figure 1.2: Criminal network investigation pillars of theory and technology. Each pillar represents<br />
important aspects of engineering software tool support for criminal network investigation.<br />
As indicated in Figure 1.2 the list of pillars is not exhaustive and the theories and technologies<br />
are not limited to the ones shown inside each pillar; we expect to uncover additional theories and<br />
technologies for all five pillars (and potentially new pillars) over time.<br />
1.4 CrimeFighter toolbox<br />
Several knowledge management processes are involved in the attempt to provide a toolbox that<br />
can support intelligence analysts in their work with terrorist information as shown in Figure<br />
1.3 [247]. As mentioned earlier, we focus on supporting the management of knowledge (last<br />
column), primarily the analyzing knowledge management phase focused on support of the work<br />
with emergent and evolving structure of terrorist networks to uncover new relationships between<br />
people, places, events, etc. However, the interpreting and visualizing knowledge management<br />
phases will also play a role.<br />
Figure 1.3: Knowledge management processes for counterterrorism<br />
To support the knowledge management processes described, CrimeFighter provides a number of<br />
tools (Figure 1.4). The CrimeFighter toolbox philosophy is that the humans (criminal network<br />
investigators) are in charge of the knowledge management processes and the tools are there to<br />
assist the analysts. “The toolbox contains the following semi-automatic tools [. . . ] that need to<br />
be configured by the intelligence analysts to perform the dedicated task. After configuration, the<br />
tool will automatically perform the dedicated task” [247]:<br />
Web harvesting tools make use of data acquisition agents (spiders) to harvest data from the<br />
Web. The spiders are controlled by the data conversion tools.<br />
Data conversion tools are responsible for both collecting (through spiders) and transforming<br />
data.<br />
Data mining tools provide selected data mining algorithms to discover new knowledge in<br />
data based on defined patterns.<br />
Social network analysis tools perform analysis to uncover new patterns and to gain deeper<br />
knowledge about the structure of terrorist networks.<br />
Visualization tools use graph layout algorithms to visualize discovered knowledge regarding<br />
terrorist networks. It can also be used as a graphics engine to support some of the tasks<br />
performed by the other tools in the toolbox.<br />
“The toolbox also contains the following [human-centric] tools”, supporting “the intelligence analysts<br />
in performing specific tasks by providing dedicated features that enhance the work efficiency<br />
when performing manual intelligence analysis work” [247]:<br />
Knowledge base tools help maintain the knowledge base by allowing intelligence analysts<br />
to explore and revise the knowledge base content as well as to work with meta data.<br />
Structure analysis tools focus on supporting the manual work with emergent and evolving<br />
structure of terrorist networks to uncover new relationships between people, places,<br />
events, etc.<br />
Figure 1.4: Tools supporting the knowledge management processes<br />
CrimeFighter Investigator is part of the CrimeFighter toolbox. The CrimeFighter toolbox for<br />
counterterrorism is a novel approach to terrorism network analysis [245]. The goal is to provide<br />
a number of desktop tools that are grouped into three overall software packages each containing<br />
knowledge management tools and services relevant to counterterrorism [247]. These tools and<br />
services are designed and implemented to enable them to interoperate and exchange information.<br />
The CrimeFighter toolbox is depicted in Figure 1.5.<br />
The Explorer and Investigator packages each support different knowledge management processes<br />
that result in generation of terrorist networks consisting of nodes and links. These terrorist<br />
networks are stored in the knowledge base. The Assistant package provides various features to<br />
analyze and visualize networks - as generated by the Explorer and Investigator packages.<br />
The research on CrimeFighter can be divided into four overall areas:<br />
1. CrimeFighter Explorer is a software package with various services aimed at acquiring<br />
data from open sources and extracting valuable information from the data by processing it<br />
in various ways (filtering, mining, etc.).<br />
2. CrimeFighter Investigator is a software package that provides various services that enable<br />
an intelligence analyst to work with emergent and evolving structure of terrorist networks<br />
to uncover new relationships between people, places, events, etc.<br />
Figure 1.5: The CrimeFighter toolbox for counterterrorism.<br />
3. CrimeFighter Assistant is a software package with various services that support analysis<br />
and visualization of terrorist networks. Terrorist network analysis is aimed at finding<br />
new patterns and gaining a deeper knowledge and understanding about terrorist networks.<br />
Terrorist network visualization deals with the complex task of visualizing the structure of<br />
terrorist networks.<br />
4. CrimeFighter toolbox architecture. In order for the developed tools and services to<br />
be able to interoperate and exchange information, the overall software architecture of the<br />
toolbox must enable a service in one package to use a service in another package. For<br />
instance, the structure generated by the services of the Investigator package must be able to<br />
use the analysis and visualization services available in the Assistant package.<br />
1.4.1 CrimeFighter Investigator within this framework<br />
The CrimeFighter toolbox describes a knowledge management angle for counterterrorism investigation<br />
tools, from the automatic harvesting of different data sources, over the processing and<br />
mining of the information, to counterterrorism knowledge building. Within this framework, CrimeFighter<br />
Investigator covers the human-centric knowledge base and structure analysis tools. For<br />
CrimeFighter Investigator seen in isolation, we have taken a hypertext approach to understanding<br />
these knowledge management problems. This means that we use hypertext technology to support<br />
knowledge base, structure analysis, and other tasks, and we therefore do not consider the other aspects<br />
of the broader knowledge management perspective, nor do we review knowledge management<br />
theory elsewhere in this dissertation.<br />
We have extended the focus initially outlined for the CrimeFighter toolbox to cover criminal<br />
network investigations in general, not only counterterrorism investigations. That means that we<br />
cover a wider range of crime types (Figure 1.6) and investigation domains (Figure 1.7). When<br />
studying crime literature, we came across different crime types and matching investigation domains<br />
with the same underlying characteristics in terms of ill-structured problems, investigative approach,<br />
and generation of new leads based on analysis.<br />
1.5 Dissertation structure<br />
We outline the dissertation structure in this section and provide a few suggested reading directions<br />
according to the expected primary interests of the reader (see Section 1.5.1). The dissertation’s<br />
overall structure and individual chapters are shown in Figure 1.8.<br />
The dissertation is divided into four parts. Part I introduces the dissertation and describes the<br />
method we have used to develop a tool for criminal network investigation:<br />
Figure 1.6: A selection of different types of crime we have come across when analyzing<br />
criminal network investigation.<br />
Figure 1.7: We have extended our focus from counterterrorism to three specific investigation<br />
domains with similar characteristics: policing, intelligence analysis, and investigative journalism.<br />
Figure 1.8: Ph.D. dissertation structure.<br />
Chapter 1 (Introduction) starts out by debunking some myths about our work which people<br />
have confronted us with during the last three years, either when presenting at conferences,<br />
having lunch with colleagues or discussions about work with family and friends. We also<br />
present a number of disclaimers to provide an understanding of the boundaries for our<br />
research in criminal network investigation, a subfield of security informatics<sup>9,10</sup>. Normally<br />
it is discouraged to define something by what it is not, but we feel it is necessary here to<br />
provide the reader with an opportunity to get an initial idea of what this Ph.D. dissertation<br />
is about.<br />
We outline a list of criminal network investigation challenges in Chapter 1 (Section 1.2), and<br />
argue our choice to focus on three of them (information, process, and human factors) for<br />
software system support (Section 1.2.1). To guide our research we analyze problems related<br />
to each of the challenges and formulate research focus requirements as a response to these<br />
problems. Our research has been based on extensive literature reviews of related research<br />
areas (theory) and studies of relevant technologies (see Section 1.3); together they constitute<br />
our state-of-the-art on criminal network investigation<sup>11</sup>. Section 1.4 describes the role of<br />
CrimeFighter Investigator and the other tools in the CrimeFighter toolbox. The section also<br />
discusses how we expanded our focus from counterterrorism to criminal network investigation.<br />
The introduction is concluded with this section on the structure of our dissertation<br />
and provides reading directions for different categories of readers (see below).<br />
Chapter 2 (Method) deals with the general method applied throughout the entirety of<br />
the Ph.D. project described in this dissertation, in terms of literature studies, software<br />
development, how paper writing has been planned and done, conference participations etc.<br />
This work was guided by Bardram’s (2007) so-called fish model (see Section 2.1).<br />
Our software development methodology has been an iterative approach to incrementally<br />
implementing tool support for criminal network investigation tasks based on the research<br />
focus requirements. Software increments have been proof-of-concept prototypes supporting a<br />
specific criminal network investigation task or work flow and we therefore have both a general<br />
review of prototyping and the (our) more specialized proof-of-concept prototyping in Section<br />
2.2. Section 2.3 covers our approach to acquiring empirical evaluation of our developed<br />
concepts, which has been a mix of the prototyping already described, case-studies, end-user<br />
(usability) feedback and measures of performance. Finally, we describe the framework<br />
provided to us by our employer, University of Southern Denmark (Technical Faculty), within<br />
which we had to conduct our research (Section 2.4).<br />
Part II describes various aspects of our domain, criminal network investigation. First, we take a<br />
closer look at criminal networks and investigation thereof: what is a network, what is a criminal<br />
network, and how do investigators investigate networks? Then we study what existing knowledge<br />
(theory) and technology is useful, in terms of understanding and supporting criminal network<br />
investigation. What are the existing tools and what can they do? In the final chapter of this part<br />
of the dissertation we define the problem by describing a number of specific problems and give<br />
detailed descriptions of research focus requirements as a response to these requirements.<br />
Chapter 3 (Criminal network investigation) is a difficult research area to frame. The network<br />
part indicates links to the field of network science comprising complex systems research.<br />
Criminal tells about the nature of the information in the network. But unlike other domains,<br />
deciding what is and what isn’t criminal network information is something rooted in our laws,<br />
unlike the biologist’s classification of let’s say butterflies (see Section 3.1). Criminal network<br />
investigations such as police investigations, intelligence analysis, and investigative journalism<br />
share many characteristics, and we use examples from each of these to define the type of<br />
criminal network investigation we want to support (Section 3.6). Knowledge about the structures<br />
that criminal networks have formed in the past, is an important tool for investigators,<br />
and we review both meta structures and sub structures in Section 3.2.<br />
Investigation is a process with the aim of producing an intelligence product for the customer<br />
(decision maker). Like any other process with a specific end goal, several types of processes<br />
have been developed. We review the traditional linear investigation process (Section 3.3)<br />
as well as a new target-centric approach (Section 3.4). Finally, we present four criminal<br />
network investigation cases in Section 3.5, describing the aspects of each investigation, that<br />
we find to be particularly interesting.<br />
Chapter 4 (Related work) focuses on reviewing commercial tools (Section 4.1), research prototypes<br />
(Section 4.2), and investigative journalism tools (Section 4.3). We try to emphasize<br />
the areas where the tools are strong, i.e., their support of criminal network investigation<br />
tasks that could help reduce the impact of criminal network investigation challenges. At<br />
the same time we also highlight support of investigation tasks that would inhibit criminal<br />
network investigation.<br />
Chapter 5 (Theory and technology) is dedicated to presenting the theories and technologies<br />
that are part of our state-of-the-art for criminal network investigation. Some theory and<br />
technology is core to criminal network investigation, like: hypertext, semantic web, human<br />
cognition, the creative process, intelligence, and mathematical models, and they receive more<br />
attention in Chapter 5 because of that. But theory from information science and social<br />
science, knowledge about simple tools for idea generation, case studies of sub groups and<br />
individuals, ethics, trust and user acceptance, and interaction and visualization are also<br />
important, and therefore introduced.<br />
Chapter 6 (Problem definition and research focus) is a crucial chapter, as it binds our dissertation<br />
together. The chapter takes the three challenges selected in Chapter 1, and based<br />
on the domain knowledge acquired in Chapters 3, 4, and 5, problems associated with the<br />
three challenges are analyzed, and four research focus requirements to guide the tool development<br />
are formulated for each challenge. The research focus requirements are used<br />
throughout the dissertation. The introduction to Part II (the domain) contains a map of<br />
the interrelationships of chapters with Chapter 6 at the center.<br />
Part III presents our model for criminal network investigation and outlines the boundaries for tool<br />
support. Analysis, design and implementation are described for each of five investigation processes.<br />
Chapter 7 (Process model and tasks) This chapter presents a target-centric and iterative<br />
model for criminal network investigation, addressing the problems of linear process models.<br />
The model has five main processes (acquisition, synthesis, sense-making, dissemination, and<br />
cooperation), and the role of each process is described. A list of criminal network investigation<br />
tasks for each of the five processes is also described. Further analysis, design, and<br />
implementation of each individual task is presented in Chapter 9 to Chapter 13.<br />
Chapter 8 (Concepts, models, and components for CrimeFighter Investigator) starts out<br />
by presenting the foundation for our tool support: a conceptual model with first class entities<br />
is presented in Section 8.1. We separate mathematical and structural models, to provide<br />
a computational model that can apply algorithms to the emerging and evolving structures<br />
synthesized by investigators (see Section 8.2). Knowledge management and hypertext concepts<br />
are introduced together with a list of software components (Section 8.3), requirements<br />
for key components are presented in Section 8.4, and designs for three of these components<br />
are presented in Section 8.5.<br />
Chapter 9 (Acquisition) is a process assisting investigators in dealing with information arriving<br />
from various sources. As will be mentioned later, the acquisition and dissemination<br />
processes have received less attention compared to synthesis and sense-making. The chapter<br />
presents analysis, design, and implementation of selected acquisition tasks for criminal<br />
network investigation.<br />
Chapter 10 (Synthesis) tasks assist investigators in enhancing the target model. The chapter<br />
presents analysis, design, and implementation of selected synthesis tasks for criminal network<br />
investigation.<br />
Chapter 11 (Sense-making) tasks assist investigators in extracting useful information from<br />
the synthesized target model. The chapter presents analysis, design, and implementation of<br />
selected sense-making tasks for criminal network investigation.<br />
Chapter 12 (Dissemination) tasks help the investigative team to formulate their accumulated<br />
knowledge for the customer. The chapter presents analysis, design, and implementation of<br />
selected dissemination tasks for criminal network investigation.<br />
Chapter 13 (Cooperation) Cooperation has received little attention in our research, and this<br />
chapter therefore contains a brief introduction to thoughts and analysis of support for the<br />
cooperation tasks defined in Chapter 7, together with a short description of implemented<br />
support for one cooperative task, sharing the common information space.<br />
Part IV describes our evaluation approach and discusses the results, presents our final conclusions<br />
and outlines future work.<br />
Chapter 15 (Evaluation and discussion) evaluates our tool support for criminal network investigation<br />
using three methods: end user interviews (Section 15.2), capability comparisons<br />
(Section 15.3), and measures of performance (Section 15.4). The evaluations are summarized<br />
and discussed. The chapter also discusses the issues of visualization and end user<br />
involvement in tool development and evaluation.<br />
Chapter 16 (Conclusion and future work) concludes the Ph.D. dissertation by summarizing<br />
our research. We make our conclusions about support for research focus requirements,<br />
criminal network investigation challenges, and the hypothesis in Section 16.2. Our contributions<br />
are presented in Section 16.3 and future work in terms of literature studies, software<br />
development, and software evaluations in Section 16.4.<br />
1.5.1 Reading directions<br />
All readers should start with the introduction in Chapter 1, and our debunking of myths, and<br />
project disclaimers, and then continue to the category below most suitable for them (we apologize<br />
if any readers feel left out):<br />
Academics in security informatics. We would of course like to say that the dissertation as<br />
a whole is relevant for readers in this category. However, it might be relevant first to<br />
skim through the myths and disclaimers in Chapter 1 and then, if it still sounds relevant<br />
and interesting, turn to Chapter 3 to see if our focus areas within the domain of criminal<br />
network investigation match the reader’s expectations. After that, we suggest the reader<br />
proceeds freely, to his or her liking.<br />
Decision-makers (government and private). Readers in this category might have a primary<br />
interest in the operational application of the concepts we have developed for criminal network<br />
investigation and the evaluation and discussion thereof. For these readers we recommend<br />
studying Chapter 3 on criminal network investigation first, and then quickly turning the<br />
focus toward Chapter 9 to Chapter 13 to read about our implemented support for individual<br />
criminal network investigations, or go straight to Chapter 14 for a description of criminal<br />
network investigation work flows and our support thereof.<br />
The media might find it interesting to start by reading the dissertation abstract, and then turn<br />
to the final chapter of the dissertation, Chapter 16, for our general conclusions and lists of<br />
contributions. If more information is required about a certain contribution, the reader may<br />
return to this section (or the list of contents), to locate the chapter(s) with more information<br />
related to the particular contribution.<br />
CHAPTER 2<br />
Method<br />
Today functional problems are becoming less simple all the time. But<br />
designers rarely confess their inability to solve them. Instead, when a<br />
designer does not understand a problem clearly enough to find the<br />
order it really calls for, he falls back on some arbitrary chosen formal<br />
order. The problem, because of its complexity, remains unsolved.<br />
Christopher Alexander (1964), in notes on the synthesis of form [8]<br />
Iteration is a significant component of design activity that occurs<br />
frequently throughout the design process; and measures of iterative<br />
activity were significant indicators of design success . . . and greater<br />
engineering experience.<br />
Adams (2002), on constitution of designs [132].<br />
This chapter presents our method. The development of suitable software system support for<br />
criminal network investigation is by no means a simple problem. We have approached this<br />
problem iteratively, to get an incremental understanding of the challenges involved, in the hope<br />
that we would not “fall back on some arbitrary chosen formal order” [8], as Alexander (1964)<br />
warns solution designers in general. We hope that our method will help others to understand and<br />
create their own support for criminal network investigation as well. We find our method to be a<br />
general method for solving ill-structured problems.<br />
We have followed Bardram’s (2007) fish model during the three years of research (see Figure 2.1):<br />
first, an open-minded approach to the problem during the first year (the fish head), then a year<br />
and a half in which the focus is continuously narrowed (the fish body), and then a short six-month<br />
period of writing the dissertation (the fish tail). This overall process is outlined in Section<br />
2.1. Our software development methodology has been iterative and incremental, each increment<br />
a proof-of-concept prototype, a manifestation of a design idea that concretizes and externalizes a<br />
conceptual idea [132] (see Section 2.2). Our method for empirical evaluation is tightly coupled<br />
with our prototyping approach, but also has other aspects, such as the use of case studies, which<br />
are described in Section 2.3. Finally, we take time to describe the study program we have followed<br />
in Section 2.4, since the Danish model only leaves room for 18 months of actual research during<br />
three years of Ph.D. studies. We feel it is necessary that our work is evaluated accordingly, but<br />
more importantly it is the framework within which we had to conduct our research, and hence<br />
relevant for our method.<br />
2.1 General Ph.D. approach<br />
Bardram’s (2007) fish model [22] shown in Figure 2.1 has provided the process framework for our<br />
Ph.D. project and research.<br />
Figure 2.1: Bardram’s (2007) fish model [22] describes a useful framework for a 3-year Ph.D.<br />
project: the open-minded phase (12 months), followed by an increasingly focused phase (18<br />
months), and finally the writing-up phase (6 months).<br />
In the first year our overall goals were (1) to conduct literature studies of the application domain<br />
and the relevant supporting research fields, and (2) to develop a first set of design concepts for the<br />
software tool and to evaluate the concepts based on a first prototype. This was achieved using an<br />
open-minded approach as described in Figure 2.1. The first year of our Ph.D. project included<br />
activities such as attending courses & conferences, conducting literature studies (reading related<br />
work etc.), prototype development (which includes making experiments) and participating in and<br />
organizing various conferences and symposiums, such as the international workshop on counterterrorism<br />
and open source intelligence (2009), the international conference on advances in social<br />
networks analysis and mining (2010), the international symposium on open source intelligence &<br />
web mining (2010) and finally giving an invited presentation at the interdisciplinary terrorism and<br />
new media conference (2009) 12.<br />
The work in year one made it possible for us at the beginning of the second year to start writing and<br />
publishing papers. The first one was for Hypertext 2011 13 describing a model of criminal network<br />
investigation we had developed 14 , indicating the responsibilities of tools for criminal network<br />
investigation and humans (investigators) [174]. The year continued with further implementation<br />
of the system requirements outlined in that paper. Halfway through my second year I spent<br />
a month in London at Imperial College, Institute for Security and Science Technology, where I<br />
studied inference prediction methods under the supervision of Dr. Christopher J. Rhodes. At the<br />
end of the year I went to Germany and visited University of Hof, Institute of Information Systems,<br />
where I studied spatial hypertext and started the analysis and design of usability experiments<br />
under the supervision of institute director Dr. Claus Atzenbeck.<br />
The third year focused on continued increments of CrimeFighter Investigator, authoring of conference<br />
papers, a journal paper for the Springer security informatics journal (special issue on criminal<br />
network investigation) [176], and a book chapter for the Springer handbook on computational approaches<br />
to counterterrorism [175]. The final months were focused on writing up the dissertation,<br />
aggregating all published and unpublished work into one cohesive whole.<br />
2.2 Software development methodology<br />
During periods of software development, we have applied our own knowledge about best agile<br />
practices [170–172] and concepts from agile development literature (e.g., [11, 43, 44, 125]). The<br />
cycle shown in Figure 2.2 is representative of both the overall release as well as the intermediate<br />
iterations 15. The client testing upon delivery of a release is of course the intended end user (i.e.,<br />
an intelligence analyst), while the client testing the software after delivery of an iteration is most<br />
likely to be the supervisor, co-supervisor or other lab members. In the beginning, feedback would<br />
primarily be the result of discussions at supervisor meetings, and as the prototype grows it would<br />
become more and more about specific requirements for the prototype.<br />
Figure 2.2: A typical agile development loop of feedback, coding, delivery, and client testing. The<br />
cycle can be a month, a week, or even a day on an agile project, whereas the traditional alternative,<br />
sequential waterfall methods, typically has cycles of several months to years, providing the<br />
development team with less feedback to learn from and adapt to [43].<br />
Prototyping will be based on relevant scenarios related to the criminal network investigation<br />
domain. Selected scenarios are described in Section 3.5 and provide requirements and design<br />
concepts for initial prototypes.<br />
2.2.1 Prototyping reviewed<br />
This is primarily a review of Floyd (1984) [70], which we find relevant because prototypes have<br />
formed the increments of our work. In this review, we focus on the term prototype in relation<br />
to software development, the different steps that characterize prototyping, and the different approaches<br />
to prototyping. We have included reviews of specific parts of the article relevant for our<br />
work.<br />
A software development prototype: process not product<br />
A “prototype” literally means “first of type”, a notion which makes sense in those<br />
branches of engineering where the manufacturer’s aim is to mass-produce goods of the<br />
same type.<br />
Software development prototyping, however, takes place in the context of an overall system development<br />
process. When we use the term “prototyping” in connection with software development it<br />
indicates that we are primarily interested in the process rather than the “prototype” as a product.<br />
Based on their working experience, many software developers are motivated to employ an<br />
approach that involves an early practical demonstration of relevant parts of the desired software<br />
on a computer.<br />
According to the iterative and incremental cycle of agile software development described above,<br />
prototyping helps introduce the element of communication and feedback. The degree of this<br />
depends on the chosen approach to prototyping.<br />
The four steps of prototyping<br />
Prototyping can be seen as consisting of four steps: functional selection, construction, evaluation,<br />
and further use:<br />
1. Functional selection refers to the choice of functions which the prototype should exhibit.<br />
The interesting part of this is that the selection should be based on work tasks relevant for<br />
a later demonstration. The prototype is usually differentiated from the final product by<br />
selecting a few functions that are completely implemented (“vertical prototyping”, see Figure<br />
2.3) or a larger set of functions not implemented in detail (“horizontal prototyping”, see<br />
Figure 2.3). The two directions are often both used in a single prototype.<br />
Figure 2.3: If you have a set of system requirements (functions) to prototype, then horizontal<br />
prototyping means implementing a few of those functions completely and vertical prototyping<br />
means implementing some part of many functions.<br />
2. Construction refers to the effort required to make the prototype. When constructing the<br />
prototype, focus should be kept on the selected functions that are expected to be working at<br />
the intended evaluation. This also means that “certain quality requirements pertaining to<br />
the final product, such as reliability, data security or efficiency” [70] can be omitted, unless<br />
these requirements are supposed to be part of the demonstration. Moral: You should only<br />
do what is necessary in order to get the prototype ready for demonstration.<br />
3. Evaluation is the step where it is decided how to proceed with the further development of<br />
the prototype. Hence it is important that all necessary resources are made available during<br />
the evaluation. The communication channels should be considered at the level at which the<br />
evaluation takes place, e.g. problems arising from man-machine or man-man interactions<br />
should be considered.<br />
4. Further use of prototype. The prototype can be used “as a learning vehicle and be<br />
thrown away afterwards, or it may be used fully or partially as a component of the target<br />
system” [70]. Creating the learning process involves the following aspects:<br />
Early availability (e.g. rapid prototyping),<br />
Demonstration, Evaluation and Modification (e.g. user feedback at evaluation<br />
of demo results in a modification of the prototype),<br />
Teaching and Training (preparing users for their work with the target system),<br />
Commitment (users also become stakeholders for design and functionality demonstrated<br />
by the prototype)<br />
It must be kept in mind that if a prototype is demonstrated and there is a<br />
discussion with the prospective users about its evaluation, the commitment to<br />
the target system is very strong. Should essential changes of some features of<br />
the prototype be made during implementation of the final product without the<br />
explicit content of the user, serious problems regarding its acceptance must be<br />
expected.<br />
We find the most important points for our work to be those related to commitment (which is<br />
why we quoted that passage in full).<br />
Three approaches to prototyping<br />
The purposes for creating a prototype can be many, and Floyd (1984) [70] distinguishes between<br />
the following three broad classes of prototyping:<br />
1. Exploratory prototyping. The emphasis is on clarifying requirements and desirable<br />
features of the target system and where alternative possibilities for solutions are discussed.<br />
2. Experimental prototyping. The emphasis is on determining the adequacy of a proposed<br />
solution before investing in [a] large-scale implementation of the target system.<br />
3. Evolutionary prototyping. The emphasis is on adapting the system gradually to changing<br />
requirements, which cannot reliably be determined in one early phase.<br />
Summary<br />
Since the initial prototypes of this Ph.D. project were based on architecture, design concepts and<br />
specific components from previous research within the same field, as well as development of new<br />
concepts and components, all three approaches to prototyping will come into play. We specialize<br />
our approach to prototyping below.<br />
2.2.2 Proof-of-concept prototyping<br />
The above review of prototyping by Floyd (1984) represents the “current approaches in software<br />
[systems] engineering contexts where engineers use prototypes to identify and satisfy requirements”<br />
[132]. A more recent view is that “designers communicate the rationales of their design decisions<br />
through prototypes. Prototypes stimulate reflections, and designers use them to frame, refine, and<br />
discover possibilities in a design space” [132]. Lichter et al. (1993) also mention communication:<br />
“prototyping provides a communication basis for discussions among all groups involved in the<br />
development process” [129]. Prototypes help traverse design space by their incompleteness. “This<br />
characteristic of a prototype - being an incomplete portrayal of a design idea - is the reason behind<br />
[the] metaphorical description of prototypes as filters. [. . . ] When incomplete, a prototype reveals<br />
certain aspects of a design idea - that is, it filters certain qualities” [132].<br />
We have adopted aspects of the traditional requirements approach, of the communication<br />
of design rationale, and of the prototype functioning as a filter for a design space, to create our own<br />
proof-of-concept prototyping approach:<br />
Requirements: We adopt the horizontal prototyping, realizing that our prototypes may span<br />
multiple requirements (criminal network investigation tasks). We adopt a mix of Floyd’s<br />
(1984) three approaches to prototyping: exploratory prototyping; experimental prototyping;<br />
evolutionary prototyping.<br />
Communication and filter: We use proof-of-concept prototypes for communication with our supervisor,<br />
fellow lab colleagues, readers of scientific papers and of course potential end users.<br />
We use proof-of-concept prototypes for filtering the design space, focusing on particular<br />
characteristics of prototypes (see Section 2.2.2).<br />
Following Lichter et al. (1993) and the four kinds of prototypes presented there [129], we typically<br />
develop presentation prototypes to present functionality to either our Ph.D. supervisor, other lab<br />
members, potential end users (i.e., intelligence analysts at the British Home Office [167]), or to<br />
explain functionality to the readers of our scientific papers. The presentation prototype then<br />
becomes part of our pilot system (CrimeFighter Investigator), either after some refactorings or<br />
directly, if the architecture is already suitable for the implemented extension. Figure 2.4 (below)<br />
describes our prototyping approach (process in lower left corner), as well as how it relates to the<br />
incremental growth of our pilot system, CrimeFighter Investigator.<br />
Finally, starting with a proof-of-concept approach has been noted as a common characteristic of<br />
successfully funded and high impact intelligence and security informatics projects [37].<br />
How we have designed the prototypes<br />
We have in general focused on interactive visual functionalities when designing and implementing<br />
our proof-of-concept prototypes (testing human-computer interaction). That means that graphics<br />
(visualizations) such as information about what is happening on the screen, or which algorithm<br />
is currently running, have not been implemented: “the designer screens out unnecessary aspects of<br />
the design that a particular prototype does not need to explore” [132].<br />
2.2.3 Software baseline and CrimeFighter Investigator - evolution from<br />
prototype to tool<br />
The software baseline for this Ph.D. project was the output of our master thesis, the ASAP<br />
tool [170, 171]. The transition from the agile software planning domain to the criminal network<br />
investigation domain is briefly described in [172], and to some extent in Chapter 8 which describes<br />
our analysis of general software components for tool support of criminal network investigation.<br />
ASAP was based on relevant parts of the Construct Spatial Service [246] (Construct from now<br />
on), as illustrated in Figure 2.4. Construct is “a component-based open hypermedia environment<br />
for supporting scholarly work processes such as associative storage and retrieval, information<br />
analysis, and classification in digital libraries” [246]. The concept of digital libraries is highly<br />
related to hypermedia structuring mechanisms. Many investigations within this area focus on<br />
linking structures only, where the Construct environment also “provides support for [. . . ] work<br />
settings such as spatial and taxonomic” [246].<br />
The basic idea of Construct is to assist the user in gaining a clear overview and a fundamental<br />
understanding of a problem domain. Organizing knowledge entities (e.g., research papers, web<br />
pages, brainstorming ideas, scientific quotes, etc.) will reveal relationships between the entities<br />
and their associated topics [246]. This basic idea made Construct very interesting and usable with<br />
regard to ASAP. The following features of Construct were adopted (and refactored to a varying<br />
extent) by ASAP: a square 2D movable entity with changeable fields, various mouse events for<br />
registering clicks, dragging etc. and the hierarchy feature. Construct had a feature for linking<br />
entities, but it was not utilized in ASAP, and therefore had to be re-introduced when starting the<br />
work on CrimeFighter Investigator. We refer to Chapter 8 for further details on the features and<br />
concepts adopted from ASAP when starting the work on CrimeFighter Investigator.<br />
Figure 2.4: The software baseline for this Ph.D. project was the output of our master thesis, the<br />
ASAP tool. The ASAP tool has been refactored to support various versions of the CrimeFighter<br />
Investigator, before the final version presented in this thesis.<br />
To illustrate the changes (or increments) made between the different tools, we list basic software<br />
metrics for each of the tools in Table 2.1 16. CrimeFighter Investigator 1 (September 2010), 2<br />
(September 2011), and 3 (September 2012) are the major releases of CrimeFighter Investigator,<br />
but metrics are only shown for the third and final release in the table.<br />
Metric | Construct | ASAP | CFI 1 | CFI 2 | CFI 3 (Final)<br />
Packages | 2 | 8 | 11 | 28 | 45<br />
Classes | 22 | 69 | 38 | 167 | 245<br />
Methods | 77 | 689 | 400 | 2385 | 3863<br />
MLOC | 731 | 4572 | 2133 | 14767 | 22342<br />
LOC | 1211 | 7398 | 3742 | 24129 | 37250<br />
Table 2.1: Selected software metrics for Construct, ASAP, and CrimeFighter Investigator after<br />
year 3 (CFI: CrimeFighter Investigator, MLOC: method lines of code, LOC: total lines of code).<br />
2.3 Empirical evidence<br />
When visiting the institute for information systems (iisys) at University of Hof, we talked with<br />
Dr. Atzenbeck about the importance of empirical 17 quantitative evidence in software systems<br />
engineering research:<br />
“Many Ph.D. students do cool projects, but to have statistical evidence for the effect<br />
of your implemented software features, you need to design and report usability<br />
experiments.” - Dr. Claus Atzenbeck, Director for Institute of Information Systems,<br />
University of Hof.<br />
However, as Dr. Atzenbeck also pointed out, designing and reporting usability experiments is a long<br />
process not suitable for an 18-month research project. We started designing usability experiments<br />
for CrimeFighter Investigator features under Dr. Atzenbeck’s supervision and following his own for<br />
the WildDocs spatial hypertext system [18], guided by Field and Hole (2003) [69]. We hope to<br />
complete this work in the future.<br />
We decided to gather empirical, quantitative and qualitative, evidence using other methods. Because<br />
of the wide range of criminal network investigation processes and tasks we cover, several<br />
methods have been necessary to evaluate all aspects of our developed software system support:<br />
post-crime data sets and investigations 18 , end-user interviews, capability comparisons, and measures<br />
of performance. These methods are described in detail and discussed in Chapter 15.<br />
Before continuing to Section 2.3.1 on case study research, it is important to note that we have been<br />
doing case study research in the context of software systems engineering, not case study research<br />
of the effect of applied software systems engineering or criminal network investigation concepts.<br />
2.3.1 Case study research<br />
Prior to establishing whether or not we have been doing case study research, we need a definition<br />
of what a case study is. According to Thomas (2011), “case studies are analyses of persons, events,<br />
decisions, periods, projects, policies, institutions, or other systems that are studied holistically by<br />
one or more methods. The case that is the subject of the inquiry will be an instance of a class<br />
of phenomena that provides an analytical frame - an object - within which the study is conducted<br />
and which the case illuminates and explicates” [224]. Let us consider this definition of the case<br />
study in the context of the criminal network investigation of the individuals who kidnapped and<br />
murdered Daniel Pearl, a case we use throughout this dissertation and which we have studied<br />
extensively (see Section 3.5.1):<br />
Subject: The kidnapping and murder of Daniel Pearl.<br />
Object: There have been several objects of study, in relation to the subject, namely our three<br />
challenges:<br />
1. Information What information structures are created in this investigation (complex<br />
system, project)? How does the information evolve? What information configurations<br />
cause what decisions? What events trigger information (i.e., about persons) being<br />
recorded?<br />
2. Process What are the policies for adding information? What persons are involved in<br />
the investigation process? Recording a chronology of events (periods).<br />
3. Human factors How do investigators (persons) interact with information? What<br />
types of persons are involved in investigations or in the kidnapping and murder? What<br />
is the policy of the investigation team?<br />
But can we generalize our findings in case studies and use them as arguments for the software<br />
requirements we generate? The strengths and weaknesses of case studies as compared to, for<br />
example, formal experiments (e.g., usability experiments) are summarized in the following quote:<br />
“Although [case studies] cannot achieve the scientific rigor of formal experiments,<br />
[they] can provide sufficient information to help you judge if specific technologies will<br />
benefit your own organization or project. Even when you cannot do a case study of<br />
your own, the principles of good case-study analysis will help you determine if the<br />
case-study results you read about are applicable to your situation” [118].<br />
Flyvbjerg (2006) further advocates the use of case studies and their scientific value by explaining<br />
and correcting five common misunderstandings about case studies: “(a) theoretical knowledge is<br />
more valuable than practical knowledge; (b) one cannot generalize from a single case, therefore,<br />
the single-case study cannot contribute to scientific development; (c) the case study is most useful<br />
for generating hypotheses, whereas other methods are more suitable for hypotheses testing and<br />
theory building; (d) the case study contains a bias toward verification; and (e) it is often difficult<br />
to summarize specific case studies.” [71] (misunderstandings are also discussed in Flyvbjerg (2011)<br />
[72]). An interesting conclusion on the strengths of case studies from the business management<br />
domain comes from Gill (1995): “theory developed from case study research is likely to have<br />
important strengths such as novelty, testability and empirical validity, which arise from its close<br />
linkage with empirical linkage” [76].<br />
2.4 Ph.D. study program<br />
The Ph.D. project described in this dissertation has been conducted according to the requirements<br />
of the Ph.D. school’s research training program Software Engineering 1 at the Technical Faculty,<br />
University of Southern Denmark. The program is three years (six semesters) in length, and<br />
includes the following compulsory activities: 30 ECTS (1 semester) of Ph.D. courses, one semester<br />
(1 semester) of work for the institute, environmental change (1/2 semester), 300 hours of knowledge<br />
elicitation (1/2 semester), ideally leaving room for 18 months of research.<br />
1 The research training program was previously known as Information and Communication Technology.<br />
Part II<br />
The domain<br />
The chapters in Part II introduce the domain of tool support for criminal network<br />
investigation, and then further sharpen our initial problem definition and hypothesis<br />
from Chapter 1. Chapter 3 describes criminal network investigation. Chapter<br />
4 describes existing tool support for criminal network investigation and explains<br />
strengths and weaknesses of these state-of-the-art tools. Chapter 5 summarizes a<br />
range of theories and technologies required for tool support for criminal network<br />
investigation. These three chapters represent our domain knowledge. Chapter 6<br />
expands our initial description of the three challenges information, process, and<br />
human factors, which we chose to focus on in Chapter 1, and which formed the<br />
foundation of our research hypothesis. For each challenge, a set of specific problems<br />
is listed, based on our domain knowledge. We also define our research focus for<br />
each of the three challenges, framed by a set of requirements. Each requirement<br />
is viewed as a software feature, which, if supported in a suitable fashion, would<br />
strengthen a software tool’s support of the related challenge.<br />
Figure 2.5 provides an overview of the central role that Chapter 6 plays in terms<br />
of previous and future chapters. Figure 2.5 shows that the research focus requirements<br />
relate to the criminal network investigation process model and tasks, and<br />
subsequently how the processes relate to Chapters 9 to 13, each of these chapters<br />
describing analysis, design, and CrimeFighter Investigator support for tasks associated<br />
with a process. Chapter 8 is also part of the foundation for Chapters 9 to<br />
13, and the concepts and components analyzed and designed in that chapter have<br />
been developed to support the research focus requirements in Chapter 6. Chapters<br />
9 to 13 lead to Chapter 14, describing criminal network investigation work flows<br />
involving multiple criminal network investigation processes and tasks. Chapter 15<br />
and Chapter 16 evaluate and conclude our dissertation.<br />
Figure 2.5: How Part II links to Part I, III, and IV of this dissertation.<br />
CHAPTER 3<br />
Criminal network investigation<br />
If we are to think seriously about the world, and act effectively in it,<br />
some sort of simplified map of reality . . . is necessary.<br />
Samuel P. Huntington (1996), in the clash of civilizations and the remaking of world order [102].<br />
Network-based techniques are widely used in criminal investigations because patterns of association<br />
are actionable and understandable, but a criminal network is a special kind of network and a<br />
focused review of this domain is necessary. We start this chapter with our understanding of<br />
what a criminal network is and is not (Section 3.1). This includes a comparison of criminal<br />
networks with other networks such as social networks, biology networks, physics networks, and<br />
other complex systems. Investigating how criminal networks evolve over time is important to<br />
understand the need for information structure support; a criminal network is not a static entity.<br />
Equally important is an understanding of how criminal networks form (emerge) and what ties a<br />
network together to sustain the required level of secrecy and efficiency necessary for the network’s<br />
survival, as mentioned above. We discuss the differences between pre- and post-crime criminal<br />
networks, and again, how one becomes the other, e.g., through a radicalization process. Finally,<br />
we discuss the implication that individuals and other entities (organizations, locations, etc.) in<br />
criminal networks are criminals or part of criminal activity. Part of the explanation is given below,<br />
that criminal networks are investigated for potential criminals or criminal activity in situations<br />
where decision makers want to take proactive measures. But again, we need to be aware of the<br />
difference between legal and illegal activity [87].<br />
We start the chapter with an introduction to what a criminal network is (Section 3.1), followed by a<br />
review of criminal network structures. An investigator in any domain would benefit from a general<br />
knowledge about the known basic information structures within that domain [8, 9, 90]. In Section<br />
3.2, we present the building blocks of such structures. We divide the structures created with<br />
those entities into two categories, organizational (meta) structures and smaller (sub) structures, and<br />
discuss the structures in each category that often appear in criminal networks.<br />
After this review of various structures, we review two different types of processes for criminal<br />
network investigation: the linear approach and the target-centric approach. The analysis of these<br />
two different approaches will also serve as input for our problem definition in Chapter 6. The<br />
classic linear approach to investigation (see Section 3.3) is the “faulty” investigative process,<br />
because it introduces compartmentalization which has a negative impact on information sharing<br />
and shared responsibility, ultimately causing intelligence failure. The target-centric approach, on<br />
the contrary, has all stakeholders (collectors and processors, analysts, and customers) working<br />
on the same shared target model, removing compartmentalization from the equation and instead<br />
helping introduce concepts such as ownership and transparency. Read about our preferred<br />
investigative process in Section 3.4.<br />
We present four case studies of criminal network investigations in Section 3.5. We discuss and<br />
reference those cases throughout the dissertation. The cases are: the Daniel Pearl investigation, the<br />
hunt for Khalid Sheikh Mohammed, the Latonya Wallace and John Scott homicide investigations,<br />
and finally the Barksdale drug organization in Baltimore. For each of these case studies, we set the<br />
scene for investigation, we describe the investigative team and the individuals that constitute it,<br />
we discuss the investigative approach of the team, and the criminal network under investigation.<br />
We conclude this chapter with a summary based on three distinct criminal network investigation<br />
types (Section 3.6). We give a short introduction to the general characteristics of the criminal network<br />
investigations we focus on, and then we present the three specific investigation domains of our<br />
particular interest, namely policing, counterterrorism, and investigative journalism. We discuss<br />
each investigation domain in terms of the three challenges information, process, and human factors<br />
and present case-studies from each investigation domain.<br />
3.1 What is a criminal network?<br />
A criminal network is a special kind of social network with emphasis on both secrecy and efficiency<br />
19 [244]. <strong>Network</strong>-based techniques are widely used in crime investigations, because patterns<br />
of association are actionable and understandable. We later define the building blocks of criminal<br />
networks as well as observed structures (i.e., their organizational and smaller sub structures) to<br />
be three basic entity types (nodes, links, and groups) which are associated to form the network.<br />
Following this definition, a criminal network could be something as different as the Enron email<br />
dataset 20 where the nodes could be Enron individuals, the links emails sent between<br />
individuals, and the groups the positions of individuals in the Enron company hierarchy. A<br />
criminal network could also be physical evidence (hair, bullets, knife, etc.), suspects and witnesses<br />
associated with a homicide crime scene.<br />
To get an initial understanding of what a criminal network more specifically is we discuss how they<br />
are different from more well known networks such as social networks or real world networks from<br />
e.g., biology like predator-prey networks (see Section 3.1.1). Since criminal networks emerge from<br />
entities already in the real world, we review why (root causes) they emerge (ideology, financial gain,<br />
radicalization, etc.) and how they then evolve (further radicalization) as described in Section 3.1.2.<br />
The strengths and weaknesses of criminal networks provide us with further understanding, and<br />
explain the proliferation of criminal networks as well as their demise (see Section 3.1.3). <strong>Criminal</strong><br />
networks of associations between entities prior to crime or criminal activity are very different from<br />
criminal networks depicting the associations between entities after a crime or criminal activity<br />
as we show in Section 3.1.4. This brings forth another dimension of criminal networks, when<br />
compared to networks in other domains. There is an ethical aspect to criminal networks, since<br />
individuals are made suspects of having associations with some criminal activity or crime before<br />
it happens, at least when taking proactive measures. This issue is discussed in Section 3.1.5.<br />
3.1.1 <strong>Criminal</strong> networks and other networks<br />
“Many objects of interest in the physical, biological, and social sciences can be thought of as<br />
networks” [155]. <strong>Criminal</strong> networks differ from other networks in a number of ways. Given<br />
the popularity of social networks research, the differences between criminal and social networks<br />
are often in focus. Morselli (2009) discusses the criminal network perspective and his first task is<br />
therefore, according to him, “to establish why criminal networks are different from non-criminal<br />
social networks. Crime, after all, is a social phenomenon, but criminal networks and general criminal<br />
behavior do have distinctive features from noncriminal counterparts” [150]. As we mentioned<br />
in the introduction to this chapter, a criminal network is a special kind of social network with<br />
emphasis on both secrecy and efficiency [244], but as we will see criminal networks also have other<br />
distinctive features.<br />
While the emphasis is different in terrorist networks and social networks, the entities are often the<br />
same, namely humans. In other network domains theory from physics is used to localize the source<br />
of diffusion in complex networks (e.g., “the source of a contaminant or virus”) [177], where the<br />
nodes might be houses or cities and links represent means of transportation between them, and<br />
so on (see Section 5.9 for examples). In all these networks the entities are of the same type within<br />
each individual network. But in criminal networks, as we will see in the investigations described in<br />
Section 3.5.1 to 3.5.4, it will be clear that many different types of entities can be expected to occur<br />
in the networks. And furthermore, the relations between entities are not of one type, but multiple<br />
types. In general, we think of criminal networks as semantic webs (see Section 5.2 for detailed<br />
review) of information entities. It is important to understand both the differences in emphasis<br />
and entity types, when analyzing criminal networks. Consequently, this is also important when<br />
developing tool support for criminal network investigation.<br />
3.1.2 The emergence and evolution of criminal networks<br />
<strong>Criminal</strong> networks often emerge as a consequence of radicalization, either of individuals or groups.<br />
The violent Islamist radicalization of individuals toward forming or joining terrorist networks<br />
is described in various studies of radicalization aspects such as radicalization phases [203], root<br />
causes [234], and violent online radicalization [29, 48, 49, 236, 241].<br />
What complicates the analysis of criminal networks of a certain complexity, is that the picture<br />
constantly changes. “With every interaction, people change, group dynamics change, and social<br />
dynamics change” [28]. Morselli (2009) comments on this flexible order, as he calls it: “These<br />
ongoing interactions in criminal networks combine to create a context of flexible order. The idea<br />
of flexible order begins with the assumption that there is common ground to be found in the<br />
interaction between individual and collective interests. A second claim emphasizes the bottom-up<br />
organizational force of individual interactions and that a central governing authority is not a<br />
necessary condition for reaching social order. In brief, the network is a self-organizing structure<br />
that is essentially driven by the emergent behavior of its parts” [150]. To summarize, associations<br />
are created between network entities from these interactions, and the addition of new associations<br />
evolves the criminal network and the structures within it.<br />
3.1.3 The strengths and weaknesses of criminal networks<br />
The emerging nature and strength of a criminal network can be the result of several aspects, such<br />
as ideology, cultural or family bonds, or the very structure and powerful entities of the milieu<br />
where people live. The success or failure of a criminal network has recently been found not to<br />
be because of top-down leadership: “In Krebs’ (2002) analysis of the hijacker operation behind<br />
the September 2001 attack [122], it is the dense under-layer of prior trusted relationships that is<br />
found to be at the base of the network’s stealth and resilience and not the commanding control of<br />
a single or select few leader(s)” [150]. In urban organized crime, it is the different institutions of<br />
the city that impact or control the criminal networks and criminal (police) investigations: “it is<br />
the different institutions in the city that are the real powerful entities” [34, 127].<br />
Node removal is a well known technique for destabilization of criminal networks [35,36]. Deciding<br />
which node or group of nodes to remove, i.e., finding the weak “spots” in the network, is dependent<br />
on available intelligence and the topology of the criminal network (hierarchical, cellular, etc.), complicating<br />
the prediction of secondary effects following a node removal. Inference-based prediction<br />
and social network analysis provide different perspectives on criminal networks, thereby assisting<br />
investigators in their decision making by answering the ’what if’ questions they inherently would<br />
like to ask [169].<br />
3.1.4 Pre- and post-crime criminal networks<br />
The criminal networks we see are normally organized in a classic nodes-and-links way before presentation.<br />
The typical organizational structures in these networks include hierarchical structures,<br />
cellular structures comprised of subgroups connected by bridges, and flat (or fluid) structures<br />
where individual entities are distributed in some (more or less) random manner, maybe based on<br />
subgroups or their relationship with nearby nodes. The entities are simply organized in a certain<br />
way, because it creates an easier to comprehend visualization of the criminal network. These<br />
networks are organized after the crime and the investigation thereof has been concluded, and we<br />
therefore refer to these networks as post-crime criminal networks.<br />
But as described in the previous sections, criminal network structures are emergent and evolving<br />
and the networks go through many iterations after a target is selected until the structure types<br />
mentioned above emerge. When investigations start, criminal network entities are often associated<br />
in other ways than through well established relationships to other entities. First, the entities are<br />
randomly positioned in an information space and maybe only a few are directly linked (e.g.,<br />
the known accomplices of the target). Later, more entities are linked, groups are created, and<br />
structures emerge. During the first iterations, spatial associations like entity co-location play an<br />
important role. A spatial association with a specific semantic meaning could be entities placed<br />
in close proximity of each other to indicate a subgroup in the network or snippets of information<br />
about a certain individual. Or entities might be placed above and below each other to indicate<br />
hierarchical importance [168]. In other words, “semantics happen” [197]. We refer to this type of<br />
networks as pre-crime criminal networks.<br />
The network visualizations we see in magazines, newspapers and scientific journals and proceedings<br />
(post-crime) are often created specifically for presentation purposes. But they tell very little<br />
about the investigative efforts required to synthesize and make sense of the respective networks.<br />
The networks therefore convey limited information to the reader about what processes, tasks and<br />
techniques a tool for criminal network investigation, working with pre-crime networks, should<br />
support.<br />
3.1.5 Ethical aspects<br />
Studying criminal networks from the time the initial relations are forged (and the increasing radicalization of<br />
each individual in the network) reveals that the individuals in the network are often not criminals,<br />
before a certain level of radicalization and extremism is reached. And this is certainly the case<br />
from a criminal network investigation perspective (see Section 3.6), in which a lot of individuals<br />
and other entities will be part of an investigation and then later excluded from that investigation,<br />
when it is realized that they are not criminals (part of the criminal network). [87]<br />
3.2 <strong>Criminal</strong> network structures<br />
Knowledge about the structures that criminal networks have formed in the past, is an important<br />
tool for investigators, as highlighted by the following comment from Alexander (1964): “Today<br />
functional problems are becoming less simple all the time. But designers rarely confess their<br />
inability to solve them. Instead, when a designer does not understand a problem clearly enough<br />
to find the order it really calls for, he falls back on some arbitrarily chosen formal order. The<br />
problem, because of its complexity, remains unsolved.” [8]. If required to choose a structure<br />
beforehand, then you would at least have to choose one that fits the nature of the criminal<br />
network that you are trying to model. But preferably, one should let the structure (evolve) and<br />
emerge as discussed in hypertext research [197,198], the right approach being to “seek, rather than<br />
anticipate, structure” [150]. In Section 5.1 we review hypertext structure domains that support<br />
emerging and evolving structures assisting analysts searching for structure.<br />
Figure 3.1: The three first class entities of criminal networks are information elements (nodes, left),<br />
relations (links, middle), and composites (groups, right). The circles indicate connection points<br />
for directly associating the entities, while the small light gray squares are for resizing entities.<br />
Based on literature studies of a mathematical perspective (e.g., [195, 240]) and the investigation<br />
perspective (e.g., [188]), interviews and presentations (e.g., [166, 167]), and informal talks with<br />
criminal network investigators together with our own ideas, we present an outline of general<br />
organizational (meta) structures and smaller (sub) structures. The organizational structures are<br />
often used to describe the network as a whole 21 . However, large networks may exhibit the outlines<br />
of many such meta structures. The sub-structures are smaller structural components above the<br />
abstraction level of the basic network building blocks, the first class entities node, link, and group.<br />
3.2.1 Nodes, links, and groups: the basic entities of criminal network<br />
structures<br />
The building blocks of criminal networks are information entities. Our network model (Figure 3.1)<br />
defines three such entities, namely information elements (nodes), relations (links), and composites<br />
(groups). Nodes hold information about real-world objects. Investigators basically think in terms<br />
of people, places, things, and their relationships. We use rectangles as visual abstractions here<br />
for simplicity, but any symbol (circles, triangles, etc.) could have been used to illustrate different<br />
types of real-world objects. Links of different types and weights can associate information entities<br />
directly. Links have two endpoints, they can be both directed and undirected, and they have<br />
different visual abstractions (see Figure 3.1, middle). Composites are used to associate entities<br />
in sub groups. We work with three types of composites [174]: Reference composites are used to<br />
group entities in the common information space. Inclusion composites can collapse and expand<br />
information to let investigators work with subspaces. Relation composites can collapse and expand<br />
multiple relations between two information elements. The circles in Figure 3.1 indicate connection<br />
points for direct association of entities. The smaller light gray squares are for resizing entities.<br />
Later, we will abstract the concepts of the circles and light gray squares to a single concept.<br />
We formalize our criminal network model mathematically by stating that a criminal network (CN)<br />
is a list of entities (E) and entities are lists of nodes (N), links (L), and groups (G). Beyond this,<br />
the organizational structures and smaller sub structures described below have not been formalized<br />
mathematically. We leave this perspective for others and instead take a structural perspective,<br />
allowing for some investigative flexibility, that strict mathematical formalization might inhibit.<br />
3.2.2 Organizational (meta) structures<br />
As mentioned above, we will take a structural and investigative (i.e., operational) perspective<br />
on the presented structures. By an investigative perspective, we mean what information and<br />
knowledge does the structure reveal to the investigators, e.g., about the functional or operational<br />
nature of the criminal network. A mathematical description (or formalization) of a criminal<br />
network structure will rarely, if ever, be utilized during criminal network investigation, and it<br />
therefore makes more sense to focus on the investigative implications that the structure can have<br />
on immediate operational decision-making.<br />
We consider the structures to be independent of the information entities they structure. That<br />
is, the links could represent flow of information between people nodes, or money flow between<br />
geographic position nodes. Typical criminal network information entity structures that form<br />
during investigation include hierarchical structures (Figure 3.2, left), cellular structures comprised<br />
of cohesive subgroups (cliques) connected by bridges (Figure 3.2, middle), and flat (or fluid)<br />
structures where individual entities are distributed in some (more or less) random manner (Figure<br />
3.2, right), maybe based on factions or their relationship with nearby nodes, or simply because of<br />
a more desirable visual layout.<br />
It is important for us to point out here, that the structure examples from investigations that we<br />
present below are often the results of laborious research and then incremental synthesis of a network<br />
(see examples in Figure 3.2). Hence, it is not representative of the structures encountered during<br />
the early phases of investigations (see Figure 3.3). However, the more structures an investigator<br />
knows prior to investigation, the more likely it is that he/she will move toward the true nature<br />
of a criminal network and not a biased choice of structure due to the limited knowledge of the<br />
investigator.<br />
Figure 3.2: An example of a hierarchical (left), a cellular (middle), and a flat structure (right).<br />
Figure 3.3: Emerging structures in the early phases of criminal network investigations.<br />
HIERARCHICAL<br />
As previously mentioned, criminal network structures are emergent and evolving and the criminal<br />
network is modeled incrementally, from the selection of a target until some meaningful<br />
structure emerges that can provide insight and new potential leads for the investigators.<br />
Sageman (2004) states that “terrorist networks are not static; they evolve over time” [188]. A<br />
large organization like al-Qaeda has developed many “levels and concepts of organization” [155]<br />
from its establishment to now. Sageman depicts al-Qaeda as four clusters with one leadership<br />
cluster, the central staff. “After 1996, the central staff was no longer directly involved in terrorist<br />
operations, but the other three major clusters were connected to their central staff contacts by<br />
their lieutenants in the field” [188] (see Figure 3.5). Two of the al-Qaeda clusters are comprised<br />
of several cohesive subgroups, while the southeast Asian cluster is more hierarchically structured,<br />
with a leader and a consultative council at the top. When the cluster was created it was divided<br />
into four geographical regions, and each region had several branches:<br />
Building Jemaah Islamiyah was a remarkable achievement accomplished in very little<br />
time. Hambali and his Chinese wife moved into a tiny wooden shack in a small<br />
village [. . . ] south of Kuala Lumpur. [. . . ] Five years later he commanded a network.<br />
[. . . ] Hambali sat in his tiny Malaysian village and meticulously planned, then<br />
patiently built, Jemaah Islamiyah into an extraordinarily disciplined network. It had<br />
more structure than anything bin Laden ever attempted, with strict geographic sectors<br />
that covered all of Southeast Asia, an organizational chart in each of the sectors, and<br />
command tables delineating clear lines of authority and responsibility up and down.<br />
All the network information was gathered from public domain sources: “documents and transcripts<br />
of legal proceedings [. . . ], government documents, press and scholarly articles, and Internet<br />
articles” [188]. Based on this information, an elaborate list of person attributes was synthesized.<br />
Hierarchical criminal networks can emerge in both top-down (i.e., recruitment [188]) and bottom-up<br />
(i.e., linkage [236]) ways.<br />
Figure 3.4: Sageman’s (2004) ‘global salafi network’, as depicted in [188]. At first, the network<br />
may seem rather cellular, but when considering that one of the four clusters is central<br />
staff, links from there to other clusters create a hierarchy. There are, however, also links between<br />
the clusters, flattening the structure.<br />
Figure 3.5: (mock-up) “After 1996, the central staff was no longer directly involved in terrorist<br />
operations, but the other three major clusters were connected to their central staff contacts<br />
by their lieutenants in the field. [. . . ] Each of these field lieutenant hubs was then connected<br />
to the operational field commanders in charge of specific operations” [188].<br />
CELLULAR<br />
After 10 years of investigative journalism the Pearl Project published a report on the kidnapping<br />
and murder of Daniel Pearl depicting five cells responsible for various tasks, with all cells connecting<br />
to the mastermind behind the kidnapping [227] (see Figure 3.6). However, from the account of the<br />
official investigation we know how fragmented and inconsistent information about the kidnappers<br />
initially was [162], and from another account we get a vivid description of how investigations<br />
faced “the eternal problem of any investigation into Islamist groups or Al-Qaeda in particular: the<br />
extreme difficulty of identifying, just identifying, these masters of disguise, one of whose techniques<br />
is to multiply names, false identities, and faces” [128].<br />
FLAT<br />
Krebs’s almost iconic network of 9/11 hijackers has been referenced widely [122] (see Figure 3.7).<br />
It was aggregated based on open sources, but it is not possible to see the intermediate states of the<br />
network prior to the published version, which would have been interesting from an investigation<br />
point of view. Also, it is not clear what exact evidence formed the individual links between<br />
the hijackers. But the final relatively flat structure of the network is informative for investigators,<br />
since it can be observed that each individual and cells on each of the flights have low connectivity.<br />
Figure 3.6: The network of individuals involved in the kidnapping and murder of Daniel Pearl [227].<br />
Figure 3.7: Krebs’ (2002) network of 9/11 hijackers (rotated 90° counterclockwise) [122].<br />
SEMI-LATTICE<br />
From an investigative point of view, it can be argued that the semi-lattice is a better structure<br />
for modeling, for example, organized crime networks (like the drug selling organization described<br />
in Section 3.5.4). And from a mathematical point of view we expect that the semi-lattice could<br />
more precisely be used to model overlapping network entities, whatever they might be. Alexander<br />
(1965) defines a semi-lattice based on sets: “A collection of sets forms a semi-lattice if and only if,<br />
when two overlapping sets belong to the collection, then the sets of elements common to both also<br />
belongs to the collection” [9] (see Figure 3.8). A semi-lattice can be used to represent overlaps<br />
between different (groups of) entities. This is a very interesting feature, since an overlap indicates<br />
some sort of association between entities, and that association can be key to solving the case. As<br />
commented by Hirtle (1995), “a tree structure is one realization for a hierarchical structure for<br />
the representation of space. It is easily constructed and understood, but it is also a rigid structure<br />
that does not allow for overlap. Ordered trees provide an extension that allows for some degree<br />
of overlap, whereas a semi-lattice is an even richer structure that appears to be consistent with<br />
many aspects of cognitive space [9]” [89]. In some literature, the organized crime networks are<br />
defined as hybrids [228]. We have observed that a hybrid of a flat tree (hierarchy) and the clique,<br />
shaped by the environment in which it resides, is an often occurring structure.<br />
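The following added example (not code from the dissertation) applies Alexander's set-based definition quoted above to a collection of investigation groups, reporting the overlaps that are not yet recorded as entities of their own. The tree test uses Alexander's companion definition from the same essay (any two sets are either nested or disjoint), which is not quoted on this page; the group names, entity ids and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: three groups of entity ids built up during an investigation.
CONSTRUCTED_GROUPS = {
    "corner_crew": {"P1", "P2", "P3"},
    "wiretap_subjects": {"P3", "P4", "P5"},
    "property_owners": {"P5", "P6"},
}


def partial_overlaps(collection):
    """Yield the shared members of every pair of sets that overlap
    without one set containing the other."""
    for a, b in combinations(collection, 2):
        common = a & b
        if common and common != a and common != b:
            yield common


def classify(groups):
    """Return (kind, missing) for a collection of groups.

    kind is 'tree' when every pair of sets is nested or disjoint,
    'semi-lattice' when sets overlap and every overlap is itself a member
    of the collection, and 'neither' otherwise. missing holds the overlaps
    that would have to be added as groups to satisfy the definition.
    """
    collection = {frozenset(g) for g in groups}
    overlaps = set(partial_overlaps(collection))
    if not overlaps:
        return "tree", set()
    missing = overlaps - collection
    return ("semi-lattice" if not missing else "neither"), missing


def close_under_overlap(groups):
    """Add overlaps as new groups until the collection is a semi-lattice.

    Newly added overlaps can themselves overlap other groups, so the
    check is repeated until nothing is missing. The loop terminates
    because only subsets of the existing groups are ever added.
    """
    collection = {frozenset(g) for g in groups}
    while True:
        missing = set(partial_overlaps(collection)) - collection
        if not missing:
            return collection
        collection |= missing


if __name__ == "__main__":
    kind, missing = classify(CONSTRUCTED_GROUPS.values())
    print("as recorded:", kind)
    for overlap in sorted(missing, key=sorted):
        print("  overlap not yet a group:", sorted(overlap))
    closed = close_under_overlap(CONSTRUCTED_GROUPS.values())
    print("after adding overlaps:", classify(closed)[0], "with", len(closed), "groups")
```

Each reported overlap is a set of entities that belongs to two groups at once, which is the kind of association the paragraph above describes as a possible key to a case.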
The Wire is a television show about organized crime, based on yearlong embedded field work by<br />
the authors, that has inspired our work in this domain. It has been argued that The Wire is<br />
actually a show about the city [10, 34, 163] and not the individual characters (e.g., criminals and<br />
police officers). It is the different institutions in the city that are the real powerful entities (quote<br />
from [127] as quoted in [34]):<br />
The narrative first emerges out of the police investigation of the drug trade, as law<br />
enforcement tries to capture Avon Barksdale by proving that he is the hub of a network<br />
of linked corners and dealers. In order to succeed, the law enforcement side must<br />
gain access to the dealers’ principles of interconnectedness, and they do so through the<br />
wiretap, which itself both emerges from and exposes new links: it first brings together<br />
the Baltimore police, the FBI, the District Attorney, and the courts, and it then allows<br />
them to piece together the structure of the Barksdale drug dealing hierarchy, which<br />
then links up to local politics and the real estate market; later, when the wire takes in<br />
the evidence of dockworkers, it also reveals global economic trading patterns that link<br />
urban poverty to unions and local politics to transnational criminal traffic. Thus the<br />
networking technology of the wiretap is itself a point of contact among other networks.<br />
The whole social world then emerges, in The Wire, not as a set of discrete hierarchies<br />
and institutions, but as the sum of the sites where they intersect.<br />
And it is exactly such intersections that the semi-lattice could be used to model. Taniguchi et al.<br />
(2011) present a study of open air drug markets and the gangs selling drugs there. These drug<br />
markets are the street corners vividly described by Simon and Burns [204,205] and brought to life<br />
in The Wire. Taniguchi et al. provide the following definition of a gang: “a group of five or more<br />
people with (1) some type of structure, (2) a common identifier, (3) a goal or philosophy that binds<br />
them and (4) whose members are individually or collectively involved in criminal activity” [221].<br />
To model street corners and associate gangs with those individual corners, Thiessen polygons are<br />
used to describe the corners, and census geography polygons are used to indicate individuals on<br />
each of those corners (see Figure 3.9).<br />
We find that specific structures often underpin or shape criminal networks. Krebs’ (2002) analysis<br />
of the hijacker operation behind the September 2001 attack found that “it is the dense under-layer<br />
of prior trusted relationships that is found to be at the base of the network’s stealth and<br />
resilience and not the commanding control of a single or select few leader(s)” [122]. For urban<br />
organized crime “groups organize around criminal values and activities just as other groups would<br />
converge around noncriminal activities” [150]. The city has a great influence on organized crime<br />
networks: “[a network] can be, but does not have to be, a product of urban design and economic<br />
conditions” [150]. If the city shapes urban organized crime, then it could be interesting to know<br />
what the structure of a city is. Alexander (1965) argues that “a city is not a tree” but a semi-lattice:<br />
“I believe that a natural city has the organization of a semi-lattice; but that when we<br />
organize a city artificially, we organize it as a tree. [. . . ] Both the tree and the semi-lattice are<br />
ways of thinking about how a large collection of many small systems goes to make up a large and<br />
complex system.” [9].<br />
Figure 3.8: The structure illustrated in a and<br />
b is a semi-lattice, since “wherever two units<br />
overlap, the area of overlap is itself a recognizable<br />
entity and hence a unit also” [9].<br />
Figure 3.9: The solid line polygons are Thiessen<br />
polygons, forming unique spatial regions, systematically<br />
allocating crimes to the physically<br />
closest street corner. While the Thiessen polygons<br />
do not overlap or have gaps between them,<br />
other polygons could be added in a different<br />
layer to represent overlaps with the Thiessen<br />
polygons (in this case census geography for each<br />
of the polygons) [221].<br />
<strong>Criminal</strong> networks of a certain complexity will typically have the features of more than one organizational<br />
meta structure. And the criminal networks we have studied have featured more than<br />
one of the smaller sub structures described below.<br />
3.2.3 Smaller (sub) structures<br />
As mentioned above, organizational meta structures will contain multiple smaller sub structures.<br />
Most prominent examples include cliques, bridges, hubs, singletons, dyads, and triads. Only<br />
the clique can be considered a criminal network within the larger network; a sub network. We<br />
characterize the other sub structures, as structural features of either the clique or the larger<br />
network.<br />
The sub structures described below can have a certain behavior associated with them, which<br />
could be formalized mathematically and used for pattern analysis together with the structural<br />
characteristics. But as we have mentioned earlier, we do not take the mathematical perspective<br />
here. We give examples of, for instance, cliques (cohesive subgroups) where possible and also discuss<br />
attempts at profiling different types of subgroups. The three main sub structures (clique, bridge,<br />
and hub) are presented in Figure 3.10.<br />
(a) Clique (b) Bridge (c) Hub<br />
Figure 3.10: Examples of sub structures include cliques (left), bridges (middle), and hubs (right).<br />
CLIQUE<br />
A clique is a network structure where “every node is connected to every other node” [188], as<br />
shown in Figure 3.10a. Wasserman and Faust (1994) classify the clique as a cohesive subgroup<br />
and give the following definition of the clique: “a clique in a [network] is a maximal complete<br />
sub[network] of three or more nodes. It consists of a subset of nodes, all of which are adjacent to<br />
each other, and there are no other nodes that are also adjacent to all the members of the clique.<br />
The restriction that the clique contain at least three nodes is included so that mutual dyads are not<br />
considered to be cliques.” [240]. Scott (2000) suggests a distinction between strong cliques (cliques<br />
in directed networks) and weak cliques (when the direction of links is disregarded). For criminal<br />
network investigation (and perhaps sense-making algorithms in particular), the n-clique [195,240]<br />
is very interesting:<br />
“In this concept n is the maximum path length at which members of the clique<br />
will be regarded as connected. Thus, a 1-clique is the maximal complete sub-[network]<br />
itself, the set in which all pairs of [nodes] are directly connected at distance 1. A<br />
2-clique, on the other hand, is one in which the members are connected directly (at<br />
distance 1) or indirectly through a common neighbor (distance 2)” [195].<br />
In our deployment of a custom-made node removal algorithm (outlined in Section 14.2) we set up<br />
rules to detect a change in distance between nodes, changing from distance 2 prior to the node<br />
removal to distance 1 after the node removal (followed by an inference-based prediction of missing<br />
links in the network). In the deployment scenario, the investigators argue that links matching these<br />
rules might be an indication of tasks being shifted from the removed node to the new destination<br />
nodes of distance 1 from the source nodes. It could also be interesting to investigate a change in<br />
n-cliques after a node removal.<br />
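The distance rule and the n-clique comparison described above can be sketched as follows. This is an added example, not code from the dissertation or its tool: the network, the node names and the predicted link A-D are constructed, and the flag telling whether the removed node was the former common neighbor is an assumption of this sketch.<br />

```python
from collections import deque
from itertools import combinations

# Constructed sample: cell {A, B, C}, cell {D, E}, and X linking A to D and E.
BEFORE = [("A", "B"), ("A", "C"), ("B", "C"),
          ("A", "X"), ("X", "D"), ("X", "E"), ("D", "E")]
REMOVED = "X"
# Network after X is removed, including one predicted (inferred) link A-D.
AFTER = [("A", "B"), ("A", "C"), ("B", "C"), ("D", "E"), ("A", "D")]


def build(edges):
    """Undirected adjacency map from a list of (a, b) links."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def distances(adj, src):
    """Breadth-first path lengths from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def n_cliques(adj, n):
    """Maximal groups of >= 3 nodes whose members are pairwise within path length n.

    Path length is measured in the whole network, so the connecting path may
    run through a node outside the group (the standard n-clique reading).
    """
    near = {u: {v for v, d in distances(adj, u).items() if 0 < d <= n} for u in adj}
    found = []

    def expand(r, p, x):
        # Bron-Kerbosch with pivoting, run on the "within distance n" relation.
        if not p and not x:
            if len(r) >= 3:
                found.append(tuple(sorted(r)))
            return
        pivot = max(p | x, key=lambda u: len(near[u] & p))
        for v in sorted(p - near[pivot]):
            expand(r | {v}, p & near[v], x & near[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(adj), set())
    return sorted(found)


def shifted_links(before_edges, after_edges, removed):
    """Pairs at distance 2 before the removal that are directly linked afterwards.

    The third field says whether the removed node was a common neighbor of the
    pair before the removal (an assumption added for this sketch).
    """
    before, after = build(before_edges), build(after_edges)
    hits = []
    for a, b in combinations(sorted(after), 2):
        if b not in after[a] or a not in before:
            continue
        if distances(before, a).get(b) == 2:
            hits.append((a, b, removed in before[a] & before[b]))
    return hits


if __name__ == "__main__":
    print("shifted links:", shifted_links(BEFORE, AFTER, REMOVED))
    print("2-cliques before:", n_cliques(build(BEFORE), 2))
    print("2-cliques after: ", n_cliques(build(AFTER), 2))
```

In the constructed data, D takes the place of X in the 2-clique around the A cell, which is the kind of change in n-cliques the paragraph suggests looking for.<br />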
“A clique is a very strict definition of cohesive subgroup. [. . . ] The absence of a single line, [. . . ]<br />
will prevent a subgraph from being a clique” [240]. To present examples of cliques in criminal<br />
networks, we have to take the mathematical (and textual) definition loosely, and think more of it as<br />
a tight-knit group 22 . A good example is provided by Sageman (2004) who references his discovery<br />
that “people joined the jihad in small groups” (he later refers to them as bunches-of-guys), and<br />
then states that:<br />
“When one of the friends was able to find a bridge to the jihad, they often went<br />
as a group to train in Afghanistan. Examples abound in [Sageman’s] sample: the<br />
Montreal group, the Hamburg group, the Khamis Mushayt group, the Lackawanna<br />
group. These are dense, small networks of friends who can vouch for each other. In<br />
network terminology, they form cliques.” [188].<br />
Omar Saeed Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl<br />
(see Section 3.5.1), purposefully made an effort to keep his operational cells separate, as described<br />
below. “Amjad Hussain Farooqi, Asim Ghafoor, and Asif Ramzi were all allegedly implicated in<br />
helping Omar Sheikh plot Daniel Pearl’s kidnapping” [227]. Amjad Farooqi was a friend from<br />
militant circles. Asim Ghafoor came with Omar to Karachi, a 28 year old deputy in a militant<br />
group, “which would be instrumental in doing Sheik’s dirty work on the streets of Karachi” [227].<br />
Salman Saqib met Omar and Asim at the airport to pick them up, but Omar kept introductions<br />
short, and Saqib therefore only knew Asim Ghafoor as “the fat guy”. Upon arrival in Karachi,<br />
Sheikh had only two days to set up his operation [227], another factor that surely helped keep the<br />
operational cells secret.<br />
BRIDGE<br />
“A bridge is a line that is critical to the connectedness of the graph. A bridge is a line such that<br />
the graph containing the line has fewer components than the subgraph that is obtained after the<br />
line is removed” [240]. Applying this to criminal networks, we define a bridge to be an entity<br />
or structure (several associated entities) that connects distinct parts of the network. In more<br />
structural terms, Scott (2000) references work on cycle analysis which “goes on to define a bridge<br />
as a line that does not itself lie on a cycle but that may connect two or more cycles” [195]. This<br />
is illustrated in Figure 3.11, where the link between nodes B and E bridges the two cycles ABDC and<br />
EFIH. In peak analysis a node is a peak if it is more central than any other point to which it is<br />
connected and a bridge is then a central node that connects two or more peaks [195]. An example<br />
of a bridge between peaks is shown in Figure 3.12 and the bridge was found to be an important<br />
feature of the al-Qaeda network that Sageman (2004) investigated:<br />
“In the case of global Salafi mujahedin [. . . ] there is one common element that is<br />
specific to them and to no one else, and that is the fact that they made a link to the<br />
jihad. These links are key to the dynamics of terror networks. How does one go about<br />
joining the global Salafi jihad?” [188].<br />
Questions similar to the one asked in the quote above are equally important for other types of criminal<br />
networks, such as “how does one go about joining organized crime groups?”, for example a<br />
group of criminals selling drugs (see Section 3.5.4).<br />
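As an added illustration (not part of the dissertation), the following finds bridges both directly from the Wasserman and Faust definition and with a single depth-first search, on a network constructed from the caption of Figure 3.11 alone. Reporting cut nodes as the bridging entities is an assumption made here to match the entity-based definition above.<br />

```python
# Constructed from the caption of Figure 3.11 only: the cycles ABDC and EFIH
# joined by the link B-E. Any other nodes in the original figure are unknown.
FIGURE_3_11 = [("A", "B"), ("B", "D"), ("D", "C"), ("C", "A"),
               ("E", "F"), ("F", "I"), ("I", "H"), ("H", "E"),
               ("B", "E")]


def adjacency(edges):
    nodes = {n for edge in edges for n in edge}
    return {n: {b if a == n else a for a, b in edges if n in (a, b)} for n in nodes}


def count_components(adj, skip=None):
    """Number of connected components, optionally ignoring one line."""
    seen, total = set(), 0
    for start in adj:
        if start in seen:
            continue
        total += 1
        seen.add(start)
        stack = [start]
        while stack:
            u = stack.pop()
            for v in adj[u]:
                if v in seen or skip in ((u, v), (v, u)):
                    continue
                seen.add(v)
                stack.append(v)
    return total


def bridges_by_definition(edges):
    """A line is a bridge if removing it increases the number of components."""
    adj = adjacency(edges)
    base = count_components(adj)
    return sorted(tuple(sorted(e)) for e in edges
                  if count_components(adj, skip=e) > base)


def bridges_and_cut_nodes(edges):
    """One depth-first pass (Tarjan low-link values) for bridges and cut nodes.

    low[u] is the earliest-visited node reachable from u's subtree using at
    most one back edge; a tree line (u, v) with low[v] > order[u] lies on no
    cycle, which is the cycle-analysis reading of a bridge.
    """
    adj = adjacency(edges)
    order, low = {}, {}
    bridges, cut_nodes = set(), set()

    def visit(u, parent):
        order[u] = low[u] = len(order)
        children = 0
        for v in sorted(adj[u]):
            if v == parent:
                continue
            if v in order:                      # back edge: u is on a cycle via v
                low[u] = min(low[u], order[v])
                continue
            children += 1
            visit(v, u)
            low[u] = min(low[u], low[v])
            if low[v] > order[u]:               # nothing below v reaches u or above
                bridges.add(tuple(sorted((u, v))))
            if parent is not None and low[v] >= order[u]:
                cut_nodes.add(u)                # removing u disconnects v's subtree
        if parent is None and children > 1:
            cut_nodes.add(u)

    for start in sorted(adj):
        if start not in order:
            visit(start, None)
    return sorted(bridges), sorted(cut_nodes)


if __name__ == "__main__":
    print(bridges_by_definition(FIGURE_3_11))
    print(bridges_and_cut_nodes(FIGURE_3_11))
    # A second, constructed link between the cycles puts B-E on a cycle.
    print(bridges_and_cut_nodes(FIGURE_3_11 + [("D", "F")]))
```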
HUB<br />
“A major topic of research in recent years has been the investigation of hubs on the performance<br />
and behavior of network[s]. Results indicate that hubs can have a quite disproportionate effect,<br />
playing a central role particularly in network transport phenomena and resilience, despite being<br />
few in number” [155].<br />
A hub in a criminal network is a well-connected (high degree) node [155], e.g. the entrepreneur of<br />
a terrorist cell [154] (i.e., clique), receiving information from the outside and communicating it to<br />
the other members of the cell.<br />
Figure 3.11: An example of a bridge in cycle<br />
analysis: the link between node B and E<br />
bridges the two cycles ABDC and EFIH (figure<br />
adopted from [195]).<br />
Figure 3.12: An example of a bridge in peak<br />
analysis: a node is a peak if it is more central<br />
than any other point to which it is connected<br />
and a bridge is then a central node that connects<br />
two or more peaks [195] (figure adopted<br />
from [195]).<br />
Figure 3.13: The three isomorphism classes of dyads: null dyads (left), asymmetric dyads (middle),<br />
and mutual dyads (right). (figure adopted from [240])<br />
DYAD<br />
Knowledge about triads, dyads, and singletons in criminal networks can be useful for pattern<br />
searching (see sections and example below), and it is also primarily with this in mind that we<br />
review these three structures.<br />
“A dyad is an unordered pair of actors and the arcs that exist between the two actors in the<br />
pair” [240]. There are three possible states or isomorphism classes for dyads as shown in Figure<br />
3.13: null dyads (left), asymmetric dyads (middle two), and mutual dyads (right).<br />
TRIAD<br />
Three nodes (information elements) without the links that may exist between them are called a<br />
triple; when we also consider the links between these nodes we have a triad [155, 240]. Following<br />
our claim, that an understanding of basic network structures is advantageous when analyzing<br />
complex criminal networks, Scott (2000) refers to sociology researchers who argue that “complex<br />
social structures can be seen as built from simple structures” [195] and say specifically about<br />
the triad: “simple triadic structures are the building blocks of larger social structures, and the<br />
properties of complex networks of social relations can, they argue, be derived from an analysis of<br />
these building blocks” [195].<br />
For directed networks, “a triple of actors gives rise to sixty-four possible configurations of choices<br />
and non-choices” [240]. Figure 3.14 shows the 16 triad isomorphism 23 classes (types) encapsulating<br />
these sixty-four configurations (adopted from [240]). The triad types in Figure 3.14 are organized<br />
in seven columns, and within each column the types have the same number of links present, where<br />
a mutually directed link counts as two links (i.e., mutual dyad), from 0 in the first column to 6 in<br />
the last column. Each triad class is labeled using standard MAN labeling 24 , which consists of three<br />
to four characters. The first character indicates the number of mutual dyads, the second character the number of<br />
asymmetric dyads, and the third character the number of null dyads. Finally, the fourth character, if<br />
present, is D for down, U for up, T for transitive, or C for cyclic [240].<br />
Figure 3.14: A triple of nodes gives rise to sixty-four possible triad configurations, 16 isomorphism<br />
classes of which are shown here with standard MAN labeling (see text). The classes are organized<br />
in columns, according to number of links present. (figure adopted from [240])<br />
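The MAN labeling can be made concrete by enumerating all sixty-four configurations and grouping them into classes and columns. This is an added example, not taken from the dissertation or from [240]: the fourth-character rules are the commonly used Holland-Leinhardt convention, stated here as an assumption since the text does not spell them out, and the four-node network is constructed.<br />

```python
from collections import Counter
from itertools import combinations, product


def triad_label(arcs, a, b, c):
    """MAN label of the triad on nodes a, b, c; arcs is a set of (sender, receiver)."""
    nodes = (a, b, c)
    mutual, asym, null = [], [], []
    for u, v in combinations(nodes, 2):
        uv, vu = (u, v) in arcs, (v, u) in arcs
        if uv and vu:
            mutual.append((u, v))
        elif uv or vu:
            asym.append((u, v) if uv else (v, u))   # kept as (sender, receiver)
        else:
            null.append((u, v))
    code = f"{len(mutual)}{len(asym)}{len(null)}"
    # Out-degree of each node counting asymmetric arcs only.
    out = {x: sum(1 for sender, _ in asym if sender == x) for x in nodes}

    if code in ("021", "111"):
        # Pivot: the one node that is not part of the null dyad.
        pivot = next(x for x in nodes if x not in null[0])
        if code == "021":
            # D: pivot sends both arcs, U: pivot receives both, C: a chain.
            return code + {2: "D", 0: "U", 1: "C"}[out[pivot]]
        # Assumed convention: 111U when the asymmetric arc leaves the node
        # holding the mutual tie (A<->B->C), 111D when it enters it (A<->B<-C).
        return code + ("U" if out[pivot] == 1 else "D")
    if code == "030":
        # T: some node sends two arcs (transitive), C: a directed 3-cycle.
        return code + ("T" if 2 in out.values() else "C")
    if code == "120":
        # Pivot: the node outside the mutual dyad.
        pivot = next(x for x in nodes if x not in mutual[0])
        return code + {2: "D", 0: "U", 1: "C"}[out[pivot]]
    return code


def all_configurations():
    """Label each of the 2**6 = 64 arc configurations on three labeled nodes."""
    nodes = ("a", "b", "c")
    possible = [(u, v) for u in nodes for v in nodes if u != v]
    table = Counter()
    for mask in product((0, 1), repeat=len(possible)):
        arcs = {arc for arc, bit in zip(possible, mask) if bit}
        table[triad_label(arcs, *nodes)] += 1
    return table


def columns_by_arc_count(table):
    """Group classes by number of arcs present (a mutual dyad counts as two)."""
    cols = {}
    for label in table:
        cols.setdefault(2 * int(label[0]) + int(label[1]), []).append(label)
    return {k: sorted(v) for k, v in sorted(cols.items())}


def triad_census(nodes, arcs):
    """Count the MAN class of every triple in a directed network."""
    return Counter(triad_label(arcs, *t) for t in combinations(sorted(nodes), 3))


# Constructed sample: who contacts whom among four placeholder persons.
SAMPLE_NODES = ["P1", "P2", "P3", "P4"]
SAMPLE_ARCS = {("P1", "P2"), ("P2", "P1"), ("P1", "P3"), ("P2", "P3"), ("P4", "P1")}

if __name__ == "__main__":
    table = all_configurations()
    print(len(table), "classes covering", sum(table.values()), "configurations")
    for arcs_present, labels in columns_by_arc_count(table).items():
        print(arcs_present, labels)
    print(dict(triad_census(SAMPLE_NODES, SAMPLE_ARCS)))
```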
SINGLETON<br />
We define a criminal network singleton as a structure consisting of one node that has zero to<br />
unlimited links or associations to other entities in the criminal network. In online social networks,<br />
a singleton is described as the type of user that does not connect with any other users [124]. This is<br />
an interesting structural concept for criminal network investigation, e.g., when investigating lone<br />
wolf terrorism [153]. Maybe the singleton does not have any relations to other users in the online<br />
social network, but could have relations to entities in the real world, like persons, activities etc. A<br />
challenge here will of course be the mapping of the online social network avatar of the individual<br />
and the person’s identity in the real world [29]. In Sections 14.1 and 14.3, we discuss analysis of<br />
criminal networks where single entities (individuals) played key roles.<br />
As with triads and dyads discussed above, the singleton is useful for building patterns, based on the<br />
experience of investigators (their heuristics), which can be used for searching and (visual) filtering<br />
purposes. We illustrate this with a short discussion of a technique using importance flooding to<br />
identify networks of criminal activity [139]. The technique uses three kinds of importance rules<br />
(activity-based group rules, multi-group membership rules, and path rules), as shown in Figure<br />
3.15. “Weights are assigned to rules, nodes are evaluated for group membership based on the rule,<br />
and nodes are assigned initial importances scores equal to the sum of the weights of groups to<br />
which they belong” [139].<br />
Figure 3.15: Three types of initial importance rules. Examples of how singletons, dyads and triads<br />
can form the foundations of rules and search patterns [139].<br />
3.3 Linear process models<br />
Intelligence has traditionally been described as following a series of steps called the intelligence<br />
cycle. “The cycle defines an antisocial series of steps that constrains the flow of information. It<br />
separates collectors from processors from analysts and too often results in throwing information<br />
over the wall 25 to become the next person’s responsibility” [40], which makes it difficult to pinpoint<br />
responsibility for intelligence failures. Bruce and George (2008) follow up by stating in their<br />
work that “this definition of analysis conveys a mechanistic and also somewhat linear process.<br />
The production-line metaphor conjures up an image of analysts writing, reviewing, editing, and<br />
publishing an assessment, and then moving on to the next question or task” [32]. Figures 3.16 and<br />
3.17 show examples of linear processes. The flaw of this linear problem-solving approach is that<br />
it obscures the real, underlying cognitive process: The mind does not work linearly - it jumps<br />
around to different parts of the problem in the process of reaching a solution [40, 239].<br />
Figure 3.16: The intelligence cycle: “adapted<br />
from factbook on intelligence, office of public<br />
affairs, central intelligence agency (October<br />
1983), p. 14” [113].<br />
Figure 3.17: The intelligence cycle as “adapted<br />
from a briefing, the intelligence community,<br />
available at the director of national intelligence<br />
website (www.dni.gov)” [32].<br />
While the intelligence cycles presented in Figures 3.16 and 3.17 are linear and mechanistic in<br />
their approach, the cycle or circular visualization actually illustrates an important point, which<br />
should be included in future designs of intelligence analysis processes. Bruce and George (2008)<br />
say about their process model: “despite its simplification of what is a very complex process, this<br />
conceptualization does underline the analyst’s pivotal role in transforming information provided<br />
by various collection systems into judgment and insight for the policy customer” [32]. Clark’s<br />
linear intelligence process model (shown in Figure 3.18) captures the two linear models discussed<br />
above, as well as others.<br />
Figure 3.18: The linear intelligence process.<br />
“The dotted line represents the transition from<br />
one cycle to the next, during which the customer<br />
reviews the analysis product and formulates<br />
new requirements and needs” [40].<br />
Figure 3.19: The intelligence cycle of the<br />
Danish Defense Intelligence Service (DDIS) as<br />
adopted from a textual description on their web<br />
site [52] (see original text in Appendix B.2).<br />
The dotted line represents a feedback loop, in<br />
case new questions need to be asked, or a new<br />
intelligence need in general arises.<br />
The intelligence cycle of the Danish Defense Intelligence Service is described on their website [52] (in<br />
Danish, see Appendix B.2 for original text). We have adopted the visual model shown in Figure<br />
3.19 from the text version. The process is straightforward and individual steps resemble those<br />
of the other linear processes discussed in this section: (1) the starting point is a prioritization,<br />
considering the service’s tasks and resources, and the customer’s input; (2) next, it is outlined what<br />
the service already knows, and what it wants to know, resulting in a formulation of the intelligence<br />
need; (3) then follows intelligence gathering from open and closed sources; (4) intelligence gathering<br />
is followed by analysis, and the hypothesis is tested with available information. If the information<br />
doesn’t match the expectations, there might be a need to go back to (2), asking new questions<br />
and formulating a new intelligence need; (5) finally a report is generated, preferably as precise as<br />
possible, in which a special focus is put on the distinction between what is information and what<br />
is an assessment made by analysts.<br />
We make three interesting observations about the DDIS intelligence cycle: Although there is a<br />
feedback loop from analysis to intelligence need, it is stated that it will only be needed if there are<br />
new questions to be asked. From Figure 3.19 we can also see how the customer is actually “cut<br />
out” of the loop: once the prioritization of the task is made, then DDIS takes over until analysis is<br />
complete and a report can be generated for the customer. We find it positive that analysis is recognized as<br />
something that one analyst cannot do alone; it is team work. However, stating that<br />
it cannot be done by one person does not recognize the negative impact that team work can<br />
also have (see Section 5.5 on the creative process which discusses this aspect).<br />
3.3.1 Intelligence failures<br />
Bruce and George (2008) warn against the listing of intelligence failures without analyzing how<br />
to improve on intelligence analysis, exemplified by the 9/11 Commission Report [152]: “The 9/11<br />
Commission Report provides a brilliant recounting of the hijackers’ plot and copious recommendations<br />
on how to improve intra governmental information sharing [. . . ]. However, there is scant<br />
attention at all devoted to understanding how analysis might have been better and to laying out<br />
any game plan for improving intelligence analysis on terrorism” [32]. The general problem seems to<br />
be a lack of focus on the analytical process itself, also in policing where “process models generally<br />
include some form of feedback or evaluation; however, there is a widespread paucity of evaluation<br />
of police tactics and the intelligence process” [180]. We have therefore decided not to list failed<br />
criminal network investigations and then try to sum up the failures of those investigations, knowing<br />
it very likely would be “a linear criminal network investigation process or mechanistic approach<br />
was the key reason for intelligence failure. Compartmentalization was introduced, inhibiting information<br />
sharing”. Instead we review the Curveball case, which is a very good example of how<br />
a transnational intelligence operation increases compartmentalization and can potentially lead to<br />
war. The case is reviewed below in Section 3.3.1.<br />
CURVEBALL<br />
In this section, we take the intelligence process perspective on the intelligence estimates of weapons<br />
of mass destruction (WMD) in Iraq: “In addition to faulting collection efforts, fragmented intelligence<br />
community operations, management, and other aspects of the intelligence system, the<br />
Silberman-Robb WMD Commission [45] was explicit in critiquing the analytic record as well as<br />
the analytic process” [32]. We discuss how intelligence traveled from the mouth of an Iraqi defector<br />
to the German intelligence services, crossing the Atlantic to CIA Director George Tenet,<br />
who briefed the president and U.S. secretary of state Colin Powell. On February 5 (2003) Colin<br />
Powell presented to the United Nations (UN) council the evidence against Saddam Hussein and his<br />
allegedly active WMD program. The intelligence was based on a single source, an Iraqi defector<br />
who manufactured a story based on open source UN reports and his work as a chemical engineer.<br />
CIA director George Tenet convinced Powell that the intelligence was solid and in March 2003 the<br />
U.S. and their allies invaded Iraq (without UN mandate).<br />
Every piece of available intelligence was used for the UN<br />
presentation. Analysts created colored 3D versions of<br />
Curveball’s sketches and descriptions of mobile chemical<br />
laboratories (Figure 3.20), recorded audio was transcribed<br />
onto slides and played simultaneously and various<br />
satellite photos of mentioned locations were annotated<br />
with indications of suspicious activity.<br />
Figure 3.20: 3D drawings used as evidence<br />
in UN presentation.<br />
The Curveball investigation mainly involved overall tasks<br />
concerned with translation, interpretation, and re-formulation of the contents of interrogation<br />
reports crossing the Atlantic. Preparation of the evidence for the UN presentation involved linking<br />
many different information types. Issues were information scarcity, versioning of information, and<br />
most importantly compartmentalization between and within agencies: “Clandestine operatives are<br />
trained to spread falsehoods. Intelligence agencies spin or hide the truth as a matter of policy and<br />
law. And spy services, even close allies, routinely conceal information from each other” [59].<br />
The channels through which the information traveled from Curveball to Colin Powell are depicted<br />
in Figure 3.21 using pictures and in a schematic form in Figure 3.22 26 . The Iraqi defector, ironically<br />
codenamed Curveball, was interrogated by the German foreign intelligence agency BND. The<br />
Germans normally interviewed Curveball in Arabic, using a translator, but the Iraqi spoke English<br />
sometimes (and even started to use a few words in German). The BND sent German summaries<br />
of their English and Arabic interview reports to the U.S. Defense Intelligence Agency (DIA) unit<br />
in Germany (Munich House) as well as the British intelligence service (not in Figure 3.21).<br />
The DIA team at Munich House translated the German back to English and prepared their own<br />
summaries. The summaries were sent to DIA’s directorate for human intelligence in a high-rise<br />
office building in Clarendon, Virginia. The directorate delivered 95 DIA reports to, among others,<br />
the new CIA unit named weapons intelligence nonproliferation and arms control, also known as<br />
WINPAC. WINPAC had been established to streamline CIA’s reporting and analysis of weapon<br />
related threats, and reported to CIA’s analysis department. 700 analysts worked in WINPAC,<br />
but only six analysts worked in the unit focused on biological warfare programs that handled the<br />
Curveball reports. The biological warfare unit sent the reports up the CIA hierarchical ladder. At<br />
some point they caught interest, and the CIA created new versions of the streamlined WINPAC<br />
reports to put in the president’s daily brief, which George Tenet brought to the White House [242].<br />
On February 5 (2003) Colin Powell presented to the United Nations (UN) council the evidence<br />
against Saddam Hussein and his allegedly active WMD program.<br />
Figure 3.21: Conceptual, structural, mathematical and computational models.<br />
We bring this lengthy account of the Curveball information’s journey, because it illustrates how<br />
many different compartments there were in the process, each compartment amending information<br />
with their own interpretations and translations, based on the text given to them from the previous<br />
compartment. The flow of intelligence reports and documents being sent between, assessed and<br />
reformulated by different compartments, is shown in great detail in Figure 3.22.<br />
3.4 Target-centric process models<br />
A target-centric approach is now being promoted in the intelligence analysis community [40], due to<br />
the failure of previous investigations. We listed (sequential) investigation failures in Section 3.3.1.<br />
An alternative to the traditional intelligence cycle is to make all stakeholders (including customers)<br />
part of the intelligence process. Stakeholders in the intelligence community include collectors,<br />
processors, analysts and the people who plan for and build systems to support them [40] 27 :<br />
“Here the goal is to construct a shared picture of the target, from which all participants<br />
can extract the elements they need to do their jobs and to which all participants can<br />
contribute from their resources or knowledge, so as to create a more accurate target<br />
picture. [. . . ] It is important to note that the collaborative process is not a substitute<br />
for competitive analysis - the process by which different analysts present alternative<br />
views of the target.”<br />
Figure 3.22: Overview of the complete intelligence process from the interviews with Curveball to the President’s Daily Brief and secretary of state<br />
Colin Powell’s presentation at the UN. The figure shows the many cycles of interpretation, summarization, rewriting and analysis it went through<br />
before reaching its destination [59].<br />
Figure 3.23: A target-centric view of the intelligence process [40].<br />
To create and evolve information technologies assisting criminal network investigators “requires<br />
a deep understanding of the analytical processes that intelligence analysts carry out” [39]. Investigative<br />
teams from the terrorism and police fields are facing complex threat environments. As an<br />
example, experts across academia, business, and government sectors have indicated that terrorism<br />
is becoming more amorphous, more complex, more sporadic, more amateurish, more difficult to<br />
predict, more difficult to trace, and more difficult to observe and analyze [109]. This issue was<br />
also outlined in the Home Office Strategic plan 2004-2008: “The growth of organized crime, fueled<br />
by the ease of communication and travel, as well as the changing terrorist threat, have demanded<br />
a significant shift in the way we operate”.<br />
Figure 3.24: Gill’s cybernetic model [77], as reproduced with permission in Ratcliffe (2008) [180].<br />
Within the investigative domain of policing, intelligence policing has produced many interesting<br />
inputs toward a target-centric approach to criminal network investigation. As mentioned in Section<br />
3.3, the intelligence cycle “emphasizes the intelligence in intelligence-led policing, but not<br />
necessarily the policing” [180]. Ratcliffe (2008) references Gill’s cybernetic model [77] (see Figure<br />
3.24) as a positive development in that direction, because Gill (2000) in his process model has<br />
embedded the assertion “that the reality of the intelligence cycle is that time and other constraints<br />
play a limiting role on the ability of this ideal-type process to function as a cycle and that the<br />
process in reality is more messy and complex, and that each stage is autonomous” [180]. Another<br />
interesting feature of Gill’s model is the concept of the filter (or power screen) to indicate that, in<br />
generic terms, some entity has influence on the process in question [77,180]. Similar model filters<br />
could also be used to indicate responsibilities during criminal network investigation.<br />
We believe that human factors are a significant part of these other constraints mentioned above.<br />
Our target-centric model for criminal network investigation (see Chapter 7) is inspired by Clark’s<br />
target-centric approach to intelligence analysis [40]. However, while Clark’s model puts focus on<br />
the shared target-model (common information space) between all stakeholders of the intelligence<br />
process, he does not describe the human factors involved, e.g. human cognition and creativity,<br />
when modeling emerging and evolving information structures. In a review of Clark’s book, Wirtz<br />
(2006) states that the human element of identifying appropriate analytic techniques “limits the<br />
effectiveness of the techniques identified by Clark: their success and failure rest on analysts’ initial<br />
definition of the problem they face. If this cognitive framework is incorrect or unsophisticated,<br />
then it is unlikely that even the most advanced analytical techniques will yield useful results”<br />
[251] and concludes: “after all, no one has yet linked failure of intelligence to the fact that the<br />
opponent had better equations” [251]. To summarize, while the target-centric approach creates<br />
the right foundation for criminal network investigation process, there is a need also to include an<br />
understanding of human factors and information structures, to improve further on this approach.<br />
An example of how to work successfully in a target-centric manner was Deuce Martinez, a CIA<br />
top analyst, who was assigned to temporary duty in Pakistan to help pinpoint the location of Abu<br />
Zubaydah 28 . Deuce Martinez “was regarded as one of the best targeters the agency had” [146].<br />
In the following quote Martinez has been flown into Pakistan and is briefed about the target<br />
and available (limited) intel (see Section 3.5.2 for more details on that investigation), quotation<br />
from [146]:<br />
Martinez went to work immediately. He put Zubaydah’s name in the center of an<br />
analytical report, and then added lines radiating outward, representing NSA 29 signals,<br />
ground intel, emails, and whatever else he could – phone numbers of people Zubaydah<br />
had called or who had called him, and a second layer of calls made by and to the people<br />
he had talked to. He used a link-analysis computer program to build images of networks<br />
from the raw data. He drew his own crude reconstruction of the analysis on a huge piece<br />
of butcher paper pinned to a wall inside the CIA’s rooms in the Islamabad embassy. In<br />
a few weeks, Martinez had narrowed the range to fourteen distinct addresses that stood<br />
out as the most likely sites. Ten of the sites were in Faisalabad, four in Lahore.<br />
That list was later shortened to two Faisalabad prospects, which were attacked simultaneously,<br />
and Zubaydah and two accomplices were shot, but Zubaydah survived long enough to be<br />
interrogated [146].<br />
The fact that Deuce Martinez did this targeting largely on his own (at least the analytical part,<br />
he was given access to intel already processed by others) leads to another important point of the<br />
target-centric approach: The target-centric approach does not advocate group work, albeit<br />
being a human-centered process. Years of research show that group work does not create more<br />
ideas or increase creativity [4]. We discuss human cognition and creativity in Sections 5.4 and 5.5.<br />
A target-centric approach is about having a common information space, the target model, as a<br />
frame of reference for investigators on a team to refer to, so that no information is hidden from<br />
other investigators at any time, as opposed to the traditional intelligence process reviewed in<br />
Section 3.3, which introduces compartmentalization into investigations.<br />
3.5 Criminal network investigation cases<br />
In this section, we review four criminal network investigation cases that have inspired our work: the<br />
kidnapping and murder of Daniel Pearl, the hunt for Khalid Sheikh Mohammed, two overlapping<br />
homicide investigations, and an investigation of organized drug crime in Baltimore constructed<br />
from year-long observations and experiences in the domain. For each review we set the scene<br />
for the investigation to get the reader situated, followed by a description of the criminal network<br />
investigation team and the investigative approach they take. Each review is concluded with a<br />
summary of pre- and post-crime network structures, focusing on organizational meta structures,<br />
building block sub structures, and complexities and emergent behaviors of the network information.<br />
We will provide an overview of other criminal network investigation cases elsewhere (e.g., Section<br />
5.7).<br />
3.5.1 The Daniel Pearl investigation<br />
On January 23, 2002 Daniel Pearl, a reporter for the Wall Street Journal (WSJ), was kidnapped in<br />
Karachi, Pakistan [128,162]. As a result, an elaborate investigation was started to figure out who<br />
the kidnappers were and where they were keeping Daniel Pearl against his will. Eight days later<br />
Daniel Pearl was beheaded. The execution was recorded on video and distributed world-wide.<br />
SETTING THE SCENE<br />
When The Wall Street Journal reporter Daniel Pearl was kidnapped on January 23 2002 in<br />
Karachi, Pakistan, an elaborate investigation was started to figure out who the kidnappers were<br />
and where they had taken Daniel Pearl. We have chosen this specific investigation for four main<br />
reasons: First of all because of its complexity. It has been stated that societies where the police and<br />
security services are weak, corrupt or compromised are more susceptible to terrorist attacks [252].<br />
The leader of one cell involved in the kidnapping of Daniel Pearl, and responsible for exterior relations,<br />
was in fact a policeman in an elite anti-terrorist unit, but also an Afghan war veteran<br />
linked to Jaish e-Mohammad 30 [128, 162]. Adding to the complexity of the investigation is<br />
the city of Karachi itself and its population, which no one seems to know how to count: “there are<br />
two million Afghans, Bengalis, Arabs, Sudanese, Somalis, Egyptians, Chechens, in short, foreigners<br />
without papers forming an army of natural candidates for al-Qaida recruiting agents” [128].<br />
Hence aliases play a key role because “you run up against the eternal problem of any investigation<br />
into Islamist groups or al-Qaida in particular: the extreme difficulty of identifying, just identifying,<br />
these masters of disguise, one of whose techniques is to multiply names 31 , false identities, and<br />
faces” [128].<br />
THE TEAM<br />
The investigative team (see Figure 3.25) consisted of Mariane Pearl (wife and French magazine<br />
journalist) and Asra Nomani (Indian-born Muslim and reporter for the WSJ). After the Pakistani<br />
authorities were involved, Captain (leader) and Dost (both representing a Pakistani counterterrorism<br />
unit) and Zahoor (also from Pakistan), joined the investigation. They are followed by four<br />
Americans: Randall Bennett (regional security officer at the U.S. consulate in Karachi), two FBI<br />
computer experts, and Maureen Platt. Finally, John Bussey (Daniel Pearl’s boss at the WSJ) and<br />
Steve LeVine (fellow foreign correspondent at the WSJ normally posted in Kazakhstan) join the<br />
team.<br />
THE INVESTIGATIVE APPROACH<br />
Mariane and Asra start a link chart (target model) on a white board when they realize Daniel is<br />
missing (Figure 3.26). They add information as they discover it going through Daniel’s calendar<br />
and computer. They work asynchronously, taking turns adding text (mainly person names) and<br />
directed links (relations) to the chart. As more and more information is added, the link chart<br />
becomes increasingly complex. Attributes like phone numbers and pictures are added to the<br />
existing text entities. As more relations between persons are discovered, their lines start crossing<br />
each other and symbols like colored shapes are used to highlight and differentiate information.<br />
Figure 3.25: The team investigating the kidnapping<br />
of Daniel Pearl.<br />
Figure 3.26: Link chart complexity has increased<br />
significantly.<br />
Figure 3.27: The network behind the kidnapping of Daniel Pearl as synthesized by The Pearl<br />
Project [227] using Palantir software [5], a tool reviewed in Section 4.1.<br />
When the team encounters a dead end, the link chart is used to go through missing information<br />
that would potentially reveal something important. Team members joining the investigation late<br />
(e.g., Steve LeVine) use the chart to get up to speed on things.<br />
The type of information related to the Daniel Pearl investigation and the environment in which<br />
it takes place are very complex. In Karachi there are two million foreigners without official papers<br />
forming an army of potential candidates for Al-Qaeda kidnapping operations. The Daniel Pearl<br />
investigation was “up against the eternal problem of any investigation into Islamist groups or<br />
Al-Qaeda in particular: the extreme difficulty of identifying, just identifying, these masters of<br />
disguise, one of whose techniques is to multiply names, false identities, and faces” [128].<br />
THE NETWORK<br />
The post-kidnapping network shows some well-defined structures that we review here. The pre-kidnapping<br />
network (i.e., the investigation) faced information complexities and dynamics, which<br />
we will also review here since they represent important knowledge about the early stages of criminal<br />
network investigations.<br />
The organizational meta structure of the Daniel Pearl kidnapping network was cellular with<br />
6 distinct cells as shown in Figure 3.27. The prominent and interesting sub structures of the<br />
network are the individual cells. Each cell in the kidnapping network was a tightly knit clique:<br />
Khalid Sheikh Mohammad allegedly brought his nephews for the killing of Daniel Pearl; Fahad<br />
Naseem and Salman Saqib, responsible for sending out ransom notes, were cousins. Omar Saeed<br />
Shaikh was the mastermind bridging them together and transmitting orders around the network.<br />
We find that several complexities and emergent behaviors were introduced into the Daniel<br />
Pearl investigation. Aliases, as mentioned above (multiple names, false identities, and faces), made<br />
the identification of individuals involved in the investigation very difficult. The social and political<br />
context in which the criminal network investigation team had to work and navigate was very complex<br />
and hence an obstacle to progress. Omar Saeed Shaikh recruited individuals for the different cells<br />
only a few days before the kidnapping, and this sudden emergence of the network helped keep<br />
it secret and hence protected from detection. The fact that Daniel Pearl was meeting Shaikh<br />
Gilani on the day of his kidnapping made him the obvious suspect in the team’s “who did it?”<br />
hypothesis. Unfortunately, the hypothesis was wrong.<br />
3.5.2 The hunt for Khalid Sheikh Mohammed<br />
“Throughout the modern age of terror, Khalid Sheikh Mohammad has had the eerie<br />
ability to be at its center yet glimpsed only in the margins. He’s been the ghost of our<br />
times.” [146]<br />
As we saw in the previous criminal network investigation case (and will see in later<br />
investigations as well), Khalid Sheikh Mohammad (KSM) plays an important role in many of them.<br />
In the investigation of Daniel Pearl’s kidnapping (Section 3.5.1), KSM was later revealed to have<br />
performed and video-recorded the murder of Daniel Pearl assisted by two of his nephews [146,227].<br />
McDermott and Meyer (2012) describe how KSM had safe houses throughout Afghanistan, and an<br />
elaborate logistics network, though his connections with high ranking Afghan Taliban individuals<br />
are unclear; we summarize an interview with van Linschoten about the Afghan Taliban network<br />
in Section 15.2.1 and have also studied his book on the subject [134]. KSM was a key figure in the<br />
al-Qaeda organization (al-Qaeda and affiliated movements (AQAM) is reviewed in Section 14.3).<br />
SETTING THE SCENE<br />
KSM is the uncle of the world’s most famous Islamist terrorist before 9/11, Ramzi Yousef: “Yousef<br />
had attempted to blow up the world trade center in 1993, killing six people, wounding scores of<br />
others, and causing hundreds of millions of dollars in damage” [146]. KSM played a minor role<br />
by wiring 660 dollars to an accomplice of Yousef (Basit), for the planning and execution of the<br />
attack. Basit ended up using 3000 dollars on building a bomb. KSM and Yousef then went to<br />
the Philippines planning to assassinate “the Roman Catholic pope and the American President<br />
Bill Clinton, and blow up a dozen American flagged jumbo jets in flight over the pacific” [146].<br />
“KSM was secretly indicted in the US in 1996, thanks to [Pellegrino and his team]. When the<br />
indictment was unsealed, no one noticed. If your target wasn’t al-Qaeda, it didn’t matter” [146].<br />
Shortly after 9/11 Abu Zubaydah informs FBI agents that KSM was the mastermind of 9/11 [146].<br />
The hunt for KSM continued until one year after 9/11.<br />
THE TEAM<br />
After 9/11 (2001) many agencies and even more agents were assigned to the KSM case, but we<br />
focus on the initial case officer Frank Pellegrino and his investigation partner, Michael Besheer.<br />
Pellegrino is the personification of the artistic creative type [210]: “Pellegrino was the real deal<br />
[. . . ]. Everybody wore by and large what might as well have been FBI issued dark suits. Their<br />
desks were perpetually clean. Pellegrino’s was a mess. By outward appearances so was he. His<br />
hair was long, at least by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ].<br />
He was always busy, always late, always in a hurry” [146]. “Free association analytical work”<br />
is Pellegrino’s basic approach. Michael Besheer, on the other hand, is the focused, rational, and<br />
conscious investigator. Besheer’s approach to collecting evidence was always the same, no matter<br />
the size of the task; in the following example, a plane: “Parts of the plane had to be disassembled,<br />
examined, tagged as evidence and shipped to New York to be used as exhibits in a trial. His<br />
attention to detail was perfectly suited for the task” [146]. See Section 5.4.2 for a more detailed<br />
review of Pellegrino and Besheer’s collaboration and cognitive approach to investigation.<br />
THE INVESTIGATIVE APPROACH<br />
The hunt for KSM has been called the most fragmented investigation in U.S. history [146], spanning<br />
multiple terrorist attacks prior to and after the 9/11 attacks (2001). As such, it is difficult to<br />
categorize the investigation to catch KSM as following either a linear process or a target-centric<br />
approach, since it actually comprises many investigations.<br />
To avoid the pitfall of setting intelligence failure equal to information sharing [32], we list the<br />
investigative efforts rooted in analytical process and tasks that inhibited the investigation’s progress:<br />
The first failure was excessive adherence to the complete analyst skill that says: “self-confidence to<br />
admit and learn from analytical errors” [32]. Before 9/11 important leads had been missed, and<br />
after 9/11 there was a “white-out” of information. The 9/11 attacks created so much information<br />
that no one could make sense of it all: “there was no shortage of information. There was too<br />
much – a blizzard of it, a white out so complete investigators routinely lost their way in it” [146].<br />
The second failure was that the two main agencies on the investigation (FBI and CIA) had very<br />
different approaches: “the FBI, given its criminal investigation into the 9/11 attacks, was primarily<br />
concerned with the past, with what had happened, with the crime that had been committed.<br />
The CIA was interested in the future, what might happen tomorrow, or even today. The FBI<br />
wanted evidence; the CIA needed intelligence” [146]. In our opinion, the third failure of the<br />
KSM investigation was the removal of the case officer Frank Pellegrino from the investigation; the<br />
investigator with the most subject matter knowledge.<br />
THE NETWORK<br />
The organizational meta structure of KSM’s criminal network is a flat structure. KSM was a<br />
freelancer and an entrepreneur who over the years created his own network of contacts, however<br />
tightly embedded it was (became) in the al-Qaeda organization and other (smaller) organizations<br />
with allegiance to al-Qaeda, like Hambali’s Jemaah Islameyah [146]. Based on these observations<br />
it would be fair to argue that KSM’s network resembled a social network of business<br />
contacts. He had relationships with individuals that had certain abilities that could help sort out<br />
different problems when needed, often logistical problems. Interesting sub structures in KSM’s<br />
criminal network are the network cells that he deploys throughout the world to carry out terrorist<br />
plans hatched somewhere else. An early example was his nephew Basit (also known as Ramzi<br />
Yousef) and the people he recruited for the World Trade Center bombing in 1993.<br />
The complexities and emergent behaviors in the KSM investigation are similar to those<br />
of other investigations into transnational terrorism or national security matters (e.g., see the<br />
Curveball case in Section 3.3.1). KSM used up two dozen aliases but curiously also sometimes<br />
traveled under his own name [146]. He was able to stay under the radar, not leaving any too<br />
obvious evidence around, or his worldwide network helped him, either by hiding him or warning<br />
him before raids. Agency bureaucracy and inter-agency communication problems also inhibited<br />
and stalled investigations and sharing of important information.<br />
3.5.3 The Latonya Wallace and John Scott homicide investigations<br />
A homicide investigation is a special kind of criminal network investigation. There are one or more<br />
victims, there is a network of potential suspects together with a web of interrelated physical evidence,<br />
such as statements from witnesses, and information in general linked to particular locations<br />
at the crime scene. This section is primarily based on the account by Simon (1991), who spent<br />
one year with the Baltimore Police Department’s homicide unit [204].<br />
SETTING THE SCENE<br />
The two homicide investigations that we use as an example here were investigated by detectives<br />
from the Baltimore Police Department’s homicide unit during 1988. In 1988, there were 234<br />
homicides in the city of Baltimore. “The vocabulary of the homicide unit recognizes two distinct<br />
categories of homicides: whodunits and dunkers. Whodunits are genuine mysteries; dunkers<br />
are cases accompanied by ample evidence and obvious suspect” [204]. Both the investigations<br />
described here were of the genuine mystery kind, which is why we found them relevant for analysis.<br />
The body of 11-year-old Latonya Wallace was found in the alley behind a residential block in the city’s<br />
midtown. She lived three and a half blocks away with her mother and stepfather. She went to the<br />
library on a Tuesday, and was seen leaving the library, disappearing “into the daytime bustle of a<br />
Baltimore street and vanished” [204] until her body was found the following Thursday<br />
morning. The John Scott homicide starts with John Scott stealing a car. A car chase begins,<br />
and when the police catch up with John Scott, he leaves the car and starts running. An officer<br />
starts pursuit on foot, but trips while releasing his gun from its holster and accidentally<br />
fires a round in the direction of John Scott. Moments later he is found dead by other police, face<br />
down and with a bullet in his back. It seems to be a dunker, but it turns out that the bullet in<br />
John Scott’s back was not from the police officer’s service weapon; a genuine mystery.<br />
THE TEAM<br />
Homicide detectives usually work in pairs, where one is the primary investigator. The primary<br />
investigator owns the crime scene, and to a lesser degree the investigation. There are two shifts, the night<br />
shift and the day shift. Simon (1991) follows the shift led by lieutenant Gary D’Addario. The shift<br />
has three squads of five detectives, each led by a squad supervisor (Detective Sergeant). When a<br />
little girl is shot or a police officer is involved in a shooting, the whole shift takes on the task of<br />
investigating those murders.<br />
THE INVESTIGATIVE APPROACH<br />
The investigator who answers the phone will become the primary investigator, and the secondary<br />
investigator will depend on whose turn is up, or simply who is nearby and free when the phone<br />
is answered: “by that argument, the repetitive violence of the city’s drug markets betrayed the<br />
weakness in the homicide unit, namely that investigations were individual, haphazard and reactive”<br />
[204]. Sometimes investigators participate in more long-term, surveillance based (intelligence-led)<br />
investigations: “Edgerton’s detachment from the rest of the unit was furthered by his partnership<br />
with Ed Burns, with whom he had been detailed to the Drug Enforcement Administration for an<br />
investigation that consumed two years. [. . . ] Unable to prove the murder, Burns and Edgerton<br />
instead spent months on electronic and telephone surveillance, then took the dealer down for drug<br />
distribution to the tune of thirty years, no parole.” [204].<br />
THE NETWORK<br />
The network structures of homicide investigations are not focused on social networks (i.e., mainly<br />
with person entities) as in the investigations described earlier in this chapter. And the complexities<br />
and dynamics are also somewhat different, as outlined below.<br />
There isn’t much organizational meta structure to a dunker homicide investigation. Typically<br />
there is the victim, the assailant still at the crime scene, admitting to committing the murder and<br />
holding the weapon that was used to do it. The whodunit investigations also have a victim, and<br />
then none, one, or multiple suspects. The meta structure of a whodunit investigation can be seen as<br />
a star network [240], with the victim at the center, and each surrounding node representing<br />
a suspect (an individual or a group of individuals), who has their own network of home addresses,<br />
friends, time lines, etc.<br />
Again, the sub structures of homicide investigations are not focused on social networks, like<br />
many of the other investigations discussed above, but focus on other aspects (evidence). A lot<br />
of reasoning structures exist in reactive policing. “A body in an alley leaves a detective with<br />
questions: What was the dead man doing in that alley? Where did he come from? Who was<br />
he with?” [204]. The time line mentioned below is also used for reasoning, e.g., in relation to<br />
time of death. If time of death was at this particular hour, we create these hypotheses, but if<br />
it was 10 hours later, then we can create these other hypotheses. Since it was suspected that a<br />
cop had shot John Scott, all the radio communication from that night was transcribed, in order<br />
to match it up with statements taken from police officers during interrogation. Time lines are<br />
used extensively in the Latonya Wallace case to match the alibis of suspects with a chronology<br />
of events as the investigators have them synthesized at the time of interview with the suspects.<br />
The crime scene presents a network of physical evidence related to the scene and the victim.<br />
Homicide detectives typically solve cases by the use of physical evidence, and not first establishing<br />
the motive, as it is often portrayed in movies, TV shows, etc. When detective Edgerton realizes<br />
that Latonya Wallace’s body may not have been carried into the alley from the ground, but could<br />
also have been carried down from the fire stairs, he draws a map. “Edgerton taped two sheets<br />
of letter paper together and divided the space into sixteen long rectangles, each representing one<br />
of the sixteen adjoining rowhouses on the north side of Newington Avenue. In the center of the<br />
diagram, behind the rectangle marked 718, Edgerton crudely drew a small stick man to mark<br />
the location of the body. Then he indicated the location of the fire stairs at 718, extending from<br />
the rear yard to a second-floor landing and then the roof, as well as other fire stairs and ladders<br />
on other properties” [204]. Edgerton uses the drawing to narrow down the houses with roof top<br />
access, which means a person could have carried the body down from the roof and put it in the alley.<br />
Complexities and emergent behaviors are introduced in several ways. The location of the<br />
crime scene can add many new complexities to an investigation. The crime scene could be on<br />
the street, in an alley, or in a row house, each place associated with different challenges [204]. A<br />
homicide detective has three open cases on his desk at all times. On top of that, the bosses may<br />
decide that the homicide unit needs to focus on a particular series of murders for political reasons.<br />
The shift commander assigns the investigations of detectives busy with other prominent cases to<br />
new detectives, ruining their previous leg work and trust built up with informants etc. But the<br />
shift commander is often under pressure to raise the clearance rate and may see no other way.<br />
Information may change for homicide investigations in many different ways, e.g., in the Latonya<br />
Wallace investigation the autopsy showed two meals in her stomach: One nearly digested meal of<br />
spaghetti and meatballs, and one only slightly digested meal of hot dogs with sauerkraut. This<br />
information is used to give an estimate of time of death. But deep into the investigation the<br />
criminal network investigation team learns that Latonya’s school did have those two<br />
meals on the menu on two consecutive days, but each was in fact a day earlier than<br />
the police were initially informed, changing an important parameter in the estimate of time of<br />
death, and hence also the basis of many hypotheses. Witness statements can change many times<br />
during an investigation. The general thought is that suspects lie, often for no reason, and the<br />
investigators use physical evidence from the crime scene to catch the witnesses lying and make<br />
them tell the truth. A typical example is mentioning something that was or wasn’t at the crime<br />
scene, formulating interrogation questions accordingly.<br />
3.5.4 Organized drug crime investigation<br />
The Wire is a TV series renowned for its authentic depiction of urban life on each side of the law 32 .<br />
In the first season we follow drug dealers on one side and law enforcement officers on the other [163].<br />
The Wire is interesting and relevant as a criminal network investigation case study for a number of<br />
reasons. First of all, the target-centric, board-based approach 33 chosen by the investigative team<br />
maps well onto our criminal network investigation model [174]. Secondly, Analyst’s Notebook [2],<br />
a commercial software tool for visualization and analysis of criminal networks, is used to narrow<br />
down a list of suspects, based on a large number of intercepted phone calls. Finally, the show’s<br />
ability to describe investigative context is exceptional. By context, we mean factors such as power,<br />
the pros and cons of law enforcement culture, distribution of resources, and the impact of politics<br />
that ultimately can decide the success or failure of investigations [34].<br />
SETTING THE SCENE<br />
The organized crime investigation begins with narcotics lieutenant Cedric Daniels being ordered<br />
“to organize a detail of narcotics and homicide cops to take down Avon Barksdale’s drug crew which<br />
runs the distribution of heroin in several of Baltimore’s projects. Realizing that low-level buy-and-busts<br />
are getting them nowhere 34 , the detail of cops [. . . ] add visual and audio surveillance<br />
to their law enforcement tools” [34]. The team is provided with office space in a basement, from<br />
where they can work the case and monitor the many wires they set up in an attempt to map out<br />
the network of individuals in the Barksdale organization.<br />
THE TEAM<br />
The criminal network investigation team has one narcotics lieutenant (Daniels) who is the team<br />
leader, four detectives, three police officers, and one informant. The lieutenant manages the team<br />
and is the final decision maker, the detectives take care of investigation and following leads, the<br />
police officers bring people in, take pictures, and so on. The informant provides the team with<br />
inside information from the streets, e.g., how to dress if a police detective is going undercover.<br />
THE INVESTIGATIVE APPROACH<br />
A senior police officer, recognizing that “all the pieces matter”, is put in charge of information<br />
collection and processing, and he starts adding snippets of information onto the investigation<br />
board shown in Figure 3.28a. The board functions as the team’s common information space.<br />
Figure 3.28b shows some of the information entities used on the investigation board. There are<br />
polaroid close-ups of individuals, and two types of text cards: one with meta information about<br />
entities and one functioning as headers. In the middle, there is a surveillance photo and at the<br />
bottom a newspaper clipping.<br />
(a) investigation board (b) information entities<br />
Figure 3.28: The Wire case - a shared information space, in this case a physical board (left), with<br />
different types of information entities (right).<br />
THE NETWORK<br />
The organizational meta structure of the Barksdale organization is a hierarchical and somewhat<br />
flat structure that maintains a top-down chain of command as shown in Figure 3.29 [10,206,249].<br />
The top consists of the leader Avon Barksdale, his second-in-command Stringer Bell who administers<br />
and manages the organization, and Avon’s sister Briana Barksdale, who is responsible<br />
for the financial side together with Stringer. Maurice Levy is the organization’s lawyer who offers<br />
legal advice and acts as defense lawyer for members of the organization. At the bottom of the<br />
organization are the drug selling crews: typically a crew is responsible for a high-rise building,<br />
an area in the low-rises, or a street corner (so-called open-air drug markets [221]). Each crew<br />
has a chief, one or more high ranking lieutenants who control a number of dealers and runners,<br />
responsible for arranging a buy, getting the money, retrieving the drugs from a nearby location<br />
and handing it over to the buyer. For communicating strategies and commands to the crews,<br />
the leadership (primarily Stringer) has lieutenants to enforce his commands (in season one Anton<br />
Artis and Roland Brice work as the lieutenants), and they in turn have their enforcers who they<br />
forward tasks to. But Stringer Bell also shows up in person to ask crew chiefs to solve specific<br />
tasks or follow a new strategy.<br />
Figure 3.29: The Barksdale organization in season<br />
one of The Wire, chart from [249].<br />
Figure 3.30: The Barksdale organization in season<br />
two of The Wire, chart from [249].<br />
Interesting network sub structures are the crews (or gangs), groups working their individual<br />
corners. The lieutenants function as bridges between the leadership/top and the crews,<br />
while enforcing orders from the leadership, in terms of destabilizing other organizations, etc.<br />
Complexities and emergent behaviors are (again) introduced in several ways. The complexities of<br />
a surveillance-based investigation like that of the Barksdale organization are a bit different from<br />
the complexities related to counterterrorism investigations. Examples include communication<br />
encryption used by the drug crews, e.g., applying a numerical encryption to phone numbers sent<br />
via pagers, or taking pictures to designate where to meet [10,206]. The legal framework is also<br />
responsible for some complexity. To arrest someone for dealing drugs (on a street corner) you<br />
typically have to catch the individual receiving money and then handing over the drugs. The<br />
crew running the street corner can circumvent this by having one person receive the money, a<br />
runner get the drugs from a stash, and a third deliver the drugs around a corner or at<br />
the purchaser’s car. The police often make an undercover cop buy the drugs to be able to arrest<br />
individuals on a street corner (buy and bust).<br />
Dynamics are introduced by emergent and evolving information and political and management<br />
decisions: When investigations start, criminal network entities are often associated in other ways<br />
than through well established relationships to other entities. First, the entities are randomly<br />
positioned in the information space and maybe only a few are directly linked (e.g., the known<br />
accomplices of the target). Later, more entities are linked, groups are created, and structures<br />
emerge. During the first iterations, spatial associations like entity co-location play an important<br />
role. A spatial association with certain semantics could be entities placed in close proximity of each<br />
other to indicate a subgroup in the network or snippets of information about a certain individual.<br />
Or entities might be placed above and below each other to indicate hierarchical importance. And<br />
it may take many iterations before it is clear what attributes (entity meta data) are relevant as<br />
input for analysis algorithms. In other words, “semantics happen” [197].<br />
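The spatial associations described above (proximity for subgroups, vertical order for hierarchy) can be read off a board mechanically, as in the following added example.<br />
It is not code from the dissertation or its tools; the entity labels, coordinates, thresholds, and function names are all constructed assumptions.<br />

```python
"""Added illustration: read candidate structure off entity positions on an
investigation board. All names, coordinates and thresholds are constructed."""
from dataclasses import dataclass
from itertools import combinations
from math import hypot


@dataclass(frozen=True)
class Entity:
    label: str
    x: float  # horizontal board position (constructed units)
    y: float  # vertical board position; smaller y means higher on the board


def colocated_groups(entities, max_gap):
    """Single-linkage grouping: two entities end up in the same group when a
    chain of neighbours, each at most max_gap apart, connects them."""
    parent = list(range(len(entities)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(entities)), 2):
        a, b = entities[i], entities[j]
        if hypot(a.x - b.x, a.y - b.y) <= max_gap:
            parent[find(i)] = find(j)

    buckets = {}
    for i, entity in enumerate(entities):
        buckets.setdefault(find(i), []).append(entity)
    # Inside a group: top to bottom, then left to right. Groups: left to right.
    groups = [sorted(g, key=lambda e: (e.y, e.x)) for g in buckets.values()]
    return sorted(groups, key=lambda g: min(e.x for e in g))


def implied_tiers(group, row_tolerance):
    """Split one group into tiers, top to bottom. Entities whose y lies within
    row_tolerance of the first entity of a tier share that tier."""
    tiers, tier_top = [], None
    for entity in sorted(group, key=lambda e: (e.y, e.x)):
        if tier_top is None or entity.y - tier_top > row_tolerance:
            tiers.append([])
            tier_top = entity.y
        tiers[-1].append(entity.label)
    return tiers


def unconfirmed_pairs(groups, explicit_links):
    """Pairs that the layout associates (same group) but that no explicit link
    records yet: the spatial hints an investigator still has to confirm."""
    linked = {frozenset(pair) for pair in explicit_links}
    pending = []
    for group in groups:
        for a, b in combinations(sorted(e.label for e in group), 2):
            if frozenset((a, b)) not in linked:
                pending.append((a, b))
    return pending


# Constructed board: a target with two cards below it, a second cluster, and
# one card parked far away from everything else.
BOARD = [
    Entity("Target", 10, 10), Entity("Assoc-1", 10, 14), Entity("Assoc-2", 13, 14),
    Entity("Crew-1", 40, 12), Entity("Crew-2", 42, 12), Entity("Crew-3", 41, 16),
    Entity("Unplaced", 80, 50),
]
LINKS = [("Target", "Assoc-1")]  # the only relation drawn explicitly so far

if __name__ == "__main__":
    groups = colocated_groups(BOARD, max_gap=5.0)
    for group in groups:
        print(implied_tiers(group, row_tolerance=1.0))
    print(unconfirmed_pairs(groups, LINKS))
```

The pairs returned by `unconfirmed_pairs` are layout hints only; they become network structure once an investigator confirms them as explicit links.<br />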
3.6 Summarizing criminal network investigation<br />
In this chapter we have discussed the characteristics of criminal networks compared to other complex<br />
networks. We have presented the building blocks of criminal networks and reviewed basic<br />
(abstracted) criminal network structures found to be re-occurring across investigation cases. Then<br />
we took a closer look at two very different processes for criminal network investigation, the linear<br />
and target-centric process models. We presented four criminal network investigations comprising<br />
three distinctive investigation domains (policing, intelligence analysis, and investigative journalism).<br />
We conclude this chapter by summarizing our findings for each of the three investigation<br />
domains. For each domain, we summarize work related to each of the three criminal network<br />
investigation challenges on which our main hypothesis is pinned (information, process, and human<br />
factors).<br />
Investigations such as police investigations, intelligence analysis, and investigative journalism involve<br />
a number of complex knowledge management tasks. Investigative teams collect, process,<br />
and analyze information related to a specific target, to create products that can be disseminated<br />
to their customers. We focus specifically on knowledge management situations where a lot of<br />
information must be interpreted rapidly or where a group shares and restructures information<br />
in order to coordinate or reach consensus [198] until now (see Figure 3.31). Collaboration and<br />
communication are important aspects of such group oriented situations, and connecting pieces of<br />
information that become known over time is a vital activity [20]. The described situations are<br />
very creative and social influences on creativity such as production blocking, evaluation apprehension<br />
and free riding have to be considered [239]. Different process models have been proposed to<br />
handle the complex tasks and issues involved in investigations (such as police investigations [53],<br />
intelligence analysis [40], and investigative journalism [136]). The three investigation types are<br />
briefly summarized below, in terms of process, information, and human factors.<br />
3.6.1 Policing<br />
Reactive policing is getting competition from intelligence-led policing, more information is being<br />
gathered and used, but evidence from interrogations and other street human intelligence weighs<br />
heavy; human factors play a large role for that aspect, less so for the analytical methods. We<br />
describe process models, information, and human factors related to policing below.<br />
Figure 3.31: A criminal network investigation example illustrating the preferred approach to<br />
analysis for policing, counterterrorism, and investigative journalism investigations. The screen<br />
shot is from the Daniel Pearl investigation, where two investigators are discussing the relevance of one<br />
individual’s connection to the terrorist organization Jaish e-Mohammad.<br />
Process (e.g., [7,53,83]). Many models have been developed over the years, ranging from reactive<br />
community and problem-oriented policing models to the more proactive intelligence-led and<br />
terror-oriented (i.e., political) policing models. These models run in parallel to the traditional<br />
law enforcement model characterized by its paramilitary and bureaucratic “command<br />
and control” structure, and focus on incident-driven response to calls for service. Police<br />
investigations include a variety of tasks like criminal profiling, crime scene analysis, data<br />
processing, and storing and sharing of information.<br />
Information (e.g., [10, 53, 204]) Most information produced by police officers is difficult to represent<br />
and thus to access and communicate due to its nature. Police knowledge tends to be<br />
implicit and experience-based. Human intelligence includes statements from witnesses and<br />
informants living on the street. A whodunit homicide crime scene produces a lot of physical<br />
evidence like crime scene photos, lifted fingerprints, hairs, etc., which gets examined and<br />
cataloged. Surveillance is used on bigger investigations producing signal intelligence such as<br />
audio (telephone calls), pager communication, and video.<br />
Human Factors (e.g., [204, 210, 239]) As mentioned, police knowledge tends to be implicit and<br />
experience-based, e.g., the questions an investigator asks himself or witnesses when confronted<br />
with a complicated investigation. Or what approach to use when you have a certain<br />
type of individual in the interrogation room. Other human factors relate to problem solving:<br />
detectives must have an ability to “think out of box” and associate different items, facts,<br />
and individuals from the crime scene and investigation to come up with new hypotheses<br />
that could potentially solve a standstill case. The capacity of a detective’s working memory<br />
decides how many entities he or she can juggle when processing information.<br />
3.6.2 Counterterrorism<br />
Counterterrorism investigations are by far the investigation domain with most focus on keeping information<br />
classified, information is often signal and imagery intelligence, and human factors relate<br />
more to creativity and cognition for analytical abilities. We describe process models, information,<br />
and human factors related to counterterrorism below.<br />
Process (e.g., [39,40,178]). Before 9/11 (2001), investigations were mainly handled by a nation’s<br />
security services, but are now moving toward joint operations with police in what is often<br />
referred to as the emerging policing-security nexus. Counterterrorism investigations are, like<br />
many of their targets, covert operations. The goal is to transform intelligence from different<br />
sources (humans, signals, images, open, etc.) into actionable intelligence products, typically<br />
for governments to take proactive measures in order to thwart high risk plots. Due to the<br />
complexity of terrorism and the people involved, some traditional crime-related investigative<br />
tasks like profiling have not yet been transferred to this domain.<br />
Information (e.g., [40, 146, 214]) Counterterrorism information mainly uses secret intelligence 35<br />
obtained from surveillance such as satellite imagery or phone calls. Open source intelligence<br />
is information readily available for everyone and has been found to actually represent 80% of the<br />
value, whereas secret intelligence has been found to represent only 20% of the value 36. Information<br />
can vary from knowing whether it will be full moon and the fields have just been harvested<br />
before inserting troops on the ground in a foreign country 37 to year long surveillance (video,<br />
audio, infiltration, etc.) following a group’s increasing radicalization and knowledge of bomb<br />
making right up to the point prior to a terrorist attack.<br />
Human factors (e.g., [146, 225]) Given the often proactive nature of counterterrorism efforts, a<br />
lot of “free association” and “out of the box” thinking is often required to generate hypotheses<br />
about potential outcomes.<br />
3.6.3 Investigative journalism<br />
We have chosen investigative journalism as a third domain of criminal network investigation,<br />
because of the many similarities it bears with counterterrorism and policing investigations, as<br />
the following quote illustrates: “we soon learned that tracking the story of a ghost is not much<br />
different than tracking the ghost itself” [146]. The Daniel Pearl investigation was an example<br />
of a criminal network investigation team with journalists, police officers, and counterterrorism<br />
experts working together to create a target-centric model with the goal of resolving a kidnapping<br />
situation [174]. But also because the tools and techniques that investigative journalists apply<br />
could benefit the domains of counterterrorism and policing. When Klerks (2001) joined a law<br />
enforcement intelligence department as an academic criminologist he gained the appreciation he<br />
had hoped for, “although it was gained mostly by displaying research skills [he] picked up in<br />
journalism instead of university” [120].<br />
Process (e.g., [101,128,136]). While police and counterterrorism units enforce the law, investigative<br />
journalism often results in the first rough draft of (new) legislation. It has helped bring<br />
down governments, imprison politicians, reveal miscarriages of justice, and shame corporations.<br />
Classical investigative journalism was primarily about digging. It was done on the<br />
street, talking to people, drinking in bars, while tracing down leads, all the time scribbling<br />
notes on scraps of paper and stashing them away in files and boxes. The human factor is<br />
still important (see below), but the availability of computer-assisted reporting tools to search<br />
public databases and the online open source information overload has changed the game for<br />
ever. Everything has become more complex, and the investigators are adapting to this new<br />
situation.<br />
Information (e.g., [120, 162, 204]). Investigative journalism is still to a certain degree based on<br />
human intelligence (interviews with anonymous sources), especially in areas where a lot of<br />
local information might not be available online. Other sources include open source intelligence for background<br />
checks or similar, database searches, and interviews with relatives, colleagues, etc., as well as pictures by<br />
photographers and the journalist’s own audio from interviews. Information could also be the investigative<br />
journalist’s own observations, e.g., spending a year in a Baltimore police department homicide<br />
unit. Maybe a journalist will gain access to otherwise classified information, government or<br />
commercial, again based on interviews with anonymous sources.<br />
Human factors (e.g., [128,146]). Experience and tacit knowledge (ability to ask the right questions,<br />
personal network, etc.) are key tools for a successful investigative journalist. Mind<br />
mapping abilities (linking together facts for correct understanding and coherent stories) are<br />
important, just as when a homicide detective is trying to understand a complicated crime<br />
scene. A journalist can sometimes have an advantage in gaining access to interviews and<br />
information, since the journalist is the protector of civil liberties and the voice of the people,<br />
while police officers and secret agents might have more trouble getting people to talk about<br />
an incident.<br />
CHAPTER 4<br />
Related work<br />
“We are good at modeling static networks,” he says, “but networks<br />
like these change over time. And we don’t yet have a dynamic graph<br />
theory.” When one terrorist is caught or killed, for example, “he is<br />
replaced by a cousin” with different social links. “Changing a single<br />
link can completely change the graph.”<br />
Interview with Marc Sageman (2009) [26].<br />
Existing work related to criminal network investigation falls into two categories. Related work<br />
from various research fields has provided much inspiration in the design and development of<br />
CrimeFighter Investigator. This type of related work is reviewed in Section 5.1. The other type of<br />
related work is centralized around tools that support criminal network investigation tasks. This<br />
chapter focuses on such tools. A comparison of our approach against existing work in that area is<br />
described in Chapter 15.<br />
A number of existing tools support criminal network investigation processes and tasks. The tools<br />
have been selected to cover prominent commercial tools (Section 4.1), tools actually used by<br />
investigators, as well as research prototypes (Section 4.2) and tools for investigative journalism<br />
(Section 4.3) to get a comprehensive overview of the state-of-the-art tool support for criminal<br />
network investigation tasks. We find the review of investigative journalism tasks relevant, due to<br />
the supported tasks.<br />
Our analysis of state-of-the-art tools is mainly based on open source material (tool websites,<br />
reviews and blogs, academic papers, etc.), but for a few of the commercial tools, statements<br />
from end users have also been included. Naturally, the commercial tools have lots of information<br />
about their products on their website, but while there are many colorful screen shots and videos,<br />
and statements generated by the marketing department, there isn’t much technical depth to that<br />
material (with Palantir Government providing most technical explanations through the videos on<br />
their site). The research prototypes on the other hand are described with a technical point of view<br />
in academic papers, but other than that, not much material can be found (except if papers mention<br />
research prototypes other than their own). Network analysis tools, frameworks, and libraries get<br />
perhaps the best open source coverage, since they are used by everyone when building their tools:<br />
the technologies are described in detail in academic papers, journal papers and books; their usage<br />
and examples thereof are provided by all the researchers, developers, and companies who utilize<br />
the technologies; even the software itself is often open source.<br />
For each of the reviewed tools, we focus on support of criminal network investigation tasks. Our<br />
related work review is applied later, in Chapter 15, where we compare the capabilities of these<br />
state-of-the-art tools from the policing, counterterrorism, and investigative journalism domains<br />
against each other and CrimeFighter Investigator (see Section 15.3). The analysis of conceptual,<br />
structural, and mathematical models is also used later for a capability comparison of the tools on<br />
those parameters.<br />
The remainder of this chapter is organized as follows: we start out with a review of commercial tools<br />
in Section 4.1 covering Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer<br />
6.0, and COPLINK. We indicate the tool versions to set the boundaries of our analysis. Next, we<br />
look at research prototypes in Section 4.2, covering The Sandbox for Analysis, POLESTAR, Aruvi,<br />
and a brief mention of a new research prototype, Dynalink. Tools for investigative journalism are<br />
reviewed in Section 4.3, covering Namebase.org, Mindmeister, and a range of simple tools.<br />
4.1 Commercial tools<br />
The following commercial tools for policing and counterterrorism have been selected as particularly<br />
related to our work: Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer 6.0,<br />
and COPLINK. Our reviews of these tools are presented below, except for COPLINK since it is a<br />
tool that takes a different approach compared with the other three. It is however included in our<br />
capability comparisons in Section 15.3, given its relevance for criminal network investigation in<br />
general.<br />
4.1.1 Analyst’s Notebook 8.5<br />
Analyst’s Notebook 8.5 (AN) is part of IBM i2’s analysis product line 38 and “aims at supporting<br />
a rich set of analysis and visualization capabilities to support analysts in quickly turning large<br />
sets of disparate information into high-quality and actionable intelligence to prevent crime and<br />
terrorism” [2]. In Section 15.3, where we compare the capabilities of all the related work it is<br />
pointed out that Analyst’s Notebook is not strong on sense-making, except for their support of<br />
visualization and various filtering views.<br />
AN aims at supporting a broad spectrum of customers including national security, defense, law<br />
enforcement, government and private sector organizations. The tool has diagrammatic visual<br />
representations and is mainly used for visualizing connections (e.g., transactions, phone calls, ‘is-related-to’<br />
relations, etc.) between various types of entities, social network analysis and different<br />
interactive views such as histograms and heat matrices [2, 107]. AN hides the full content and<br />
context of information (lack of transparency) and it seems better suited as a report tool than<br />
a thinking tool since it does not encourage various alternative thinking [254]. This claim was<br />
supported by end-users we met at an i2 user conference [106]: “I typically use Analyst’s Notebook to<br />
generate a report for the state attorney handling the case in court. I do not use AN before I am done<br />
with my analysis”. Furthermore, assumptions and evidence are not easily distinguishable [254],<br />
making it impossible to back-track how reasoning was done and on what grounds decisions were<br />
made.<br />
SPECIFIC FEATURES<br />
Analyst’s Notebook supports “flexible data acquisition via intuitive drag-and-drop, importing or<br />
multiple database access capabilities” [108]. Another interesting import feature is that “when<br />
importing data into Analyst’s Notebook 8, users now have the ability to export transformed data<br />
into a comma separated or tab separated file allowing them to save and reuse the transformed<br />
version of their original file” [104]. Analyst’s Notebook supports column actions 39 on import [107],<br />
such as Add Prefix (“Adds text or values immediately before the values imported from a data<br />
column”) and Extract Portion of Text (“Extracts a specific portion of text or data from a data<br />
column”).<br />
AN supports information elements and relations, and visualization of groups in a network (see<br />
Figure 4.1). A range of 3D icons are supported as visual abstractions for information elements,<br />
e.g., ‘male person’, ‘telephone’, and ‘refugee center’ in Figure 4.1. Information elements are created<br />
using drag and drop from a special pane, and attributes are added to information elements<br />
also using drag and drop from a similar pane [104]. As mentioned, relations between information<br />
elements are supported and Figure 4.1 (upper left corner) shows simple examples such as ‘associate’,<br />
‘address’, and ‘subscriber’. Three types of directed links are supported: multiple, directed,<br />
and single. If information elements are phones, then the type multiple can be used to indicate<br />
number of phone calls between the two phones at different times of day. The type directed can be<br />
used to indicate phone calls from phone a to phone b and vice versa, and the type single could<br />
have the total number of phone calls between the two phones. Group entities (composites) are not<br />
supported, only indirectly using visualizations (see Figure 4.1). That also means that information<br />
cannot be collapsed or expanded. All information found relevant for the investigation exists at the<br />
same level in the information space, and then parts of it can be highlighted or emphasized using<br />
various filters, histograms, etc. [2, 104, 107]. AN supports multiple information types, e.g., drag<br />
and drop of pictures onto information elements to add the picture as a visual abstraction.<br />
The focus of AN is on visual analysis. It has support for many perspectives on information such<br />
as visual symbols in the information space, chronologies of events, heat matrices (e.g., indicating<br />
during what time spans crimes occurred in the past), positioning of information entities onto maps<br />
to do geographic analysis, etc. AN has strong support of social network analysis and visualization<br />
thereof. Multiple centrality measures (eigenvector, betweenness, degree, and closeness) can be<br />
selected to run simultaneously, the results of which are visualized using color and entity size in<br />
the information space.<br />
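The three link types and the four centrality measures described above can be worked through on a small phone network. This is an added example, not code from Analyst’s Notebook or the dissertation; the call records, node names and function names are constructed, and the network is assumed to be connected and undirected for the centrality step.<br />

```python
from collections import defaultdict, deque

# Constructed call records (caller, callee, hour of day); not data from any case.
CALLS = [
    ("A", "B", 9), ("A", "B", 21), ("B", "A", 22), ("B", "C", 10),
    ("C", "D", 11), ("C", "D", 23), ("D", "E", 12), ("C", "E", 13),
]


def link_views(calls):
    """Aggregate raw calls into the multiple, directed and single link views."""
    multiple = defaultdict(list)  # one link per call, keeping the hour of day
    directed = defaultdict(int)   # call count per direction (a -> b)
    single = defaultdict(int)     # total calls between a pair, both directions
    for src, dst, hour in calls:
        pair = tuple(sorted((src, dst)))
        multiple[pair].append((src, dst, hour))
        directed[(src, dst)] += 1
        single[pair] += 1
    return dict(multiple), dict(directed), dict(single)


def adjacency(single):
    """Undirected neighbour lists derived from the 'single' link view."""
    adj = defaultdict(set)
    for a, b in single:
        adj[a].add(b)
        adj[b].add(a)
    return {node: sorted(neigh) for node, neigh in adj.items()}


def bfs(adj, source):
    """Hop distances, shortest-path counts, predecessors and visit order."""
    dist, sigma = {source: 0}, defaultdict(int)
    preds, order = defaultdict(list), []
    sigma[source] = 1
    queue = deque([source])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
            if dist[w] == dist[v] + 1:
                sigma[w] += sigma[v]
                preds[w].append(v)
    return dist, sigma, preds, order


def degree(adj):
    return {n: len(neigh) for n, neigh in adj.items()}


def closeness(adj):
    """(reachable nodes) / (sum of hop distances); assumes a connected network."""
    result = {}
    for s in adj:
        dist = bfs(adj, s)[0]
        total = sum(dist.values())
        result[s] = (len(dist) - 1) / total if total else 0.0
    return result


def betweenness(adj):
    """Brandes' algorithm: per node, the summed share of shortest paths through it."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        _, sigma, preds, order = bfs(adj, s)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {n: value / 2 for n, value in score.items()}  # each pair seen twice


def eigenvector(adj, iterations=200):
    """Power iteration on A + I: same eigenvectors as A, no bipartite oscillation."""
    x = dict.fromkeys(adj, 1.0)
    for _ in range(iterations):
        nxt = {n: x[n] + sum(x[w] for w in adj[n]) for n in adj}
        norm = sum(value * value for value in nxt.values()) ** 0.5
        x = {n: value / norm for n, value in nxt.items()}
    return x


def analyse(calls=CALLS):
    """Run all four measures in one pass over the same network."""
    adj = adjacency(link_views(calls)[2])
    return {"degree": degree(adj), "closeness": closeness(adj),
            "betweenness": betweenness(adj), "eigenvector": eigenvector(adj)}


if __name__ == "__main__":
    for measure, scores in analyse().items():
        print(measure, {n: round(v, 3) for n, v in sorted(scores.items())})
```

In this constructed network, phone C ranks first on all four measures, while B has a lower degree than C but still brokers every shortest path to A, which is the kind of difference the colour and size encoding is meant to surface.<br />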
Finally, AN supports the generation of a wide range of reports for dissemination of analysis results.<br />
Creating hypotheses in a collaborative manner is not supported, but in one product video [105]<br />
there is an example of analysts that are asked to assemble a single target profile. While they are<br />
working they can comment on and review each other’s work, and when finished they can assemble<br />
their work into “a multi-dimensional report”.<br />
4.1.2 Palantir Government 3.0<br />
In this section, we analyze the state-of-the-art tool with the most criminal network investigation<br />
capabilities (see capability comparison in Section 15.3). Palantir Government 3.0 is a<br />
platform for information analysis designed for environments where the fragments of data that an<br />
analyst combines to tell the larger story are spread across a vast set of starting material. Palantir<br />
is currently used in various domains such as intelligence, defense, and cyber security. According<br />
to the company website of Palantir Technology, Palantir Government is increasingly “seen as the<br />
platform of choice for the spectrum of hard problems that we face today. Palantir provides an<br />
out-of-the box foundation for information management - full source tracking, fine grained access<br />
control, flexible data modeling, structured and unstructured data ingest - with a powerful frontend<br />
to explore all of this richness” [5].<br />
A recent article in The Economist (2012) on big data analytics, stated that Palantir Technologies is<br />
the company “that has perhaps gone furthest in finding useful connections in disparate databases.<br />
[. . . ] Its specialty is building systems that pull together information from different places and try to<br />
find connections” [229]. The article also comments on Palantir’s initial customers, the spy agencies:<br />
“in America, the CIA and the FBI use it to connect individually innocuous activities such as taking<br />
flying lessons and receiving money from abroad to spot potential terrorists” [229]. Interestingly,<br />
Palantir Technology is the producer of the commercial tool partially supporting criminal network<br />
investigation that has put the most thought into civil liberties and other ethical issues. Privacy<br />
and civil liberties are “embedded in Palantir’s DNA” [223], exemplified by technologies like access<br />
control model, revisioning database and immutable audit logs. Palantir also used existing legislation<br />
as guidelines on how to address ethical issues in implementation [223], e.g., the 9/11 commission<br />
implementation act [152].<br />
Figure 4.1: Augmented screen shot of Analyst’s Notebook illustrating supported entities and concepts: information elements and relations, various<br />
visual symbols, a satellite view, tabbed panes with e.g., chart creation tasks and examples of visual filtering for different purposes. (source: [2])<br />
Our analysis of Palantir Government is based on open source material such as white-videos (e.g.,<br />
[191,194,237]), video demonstrations (e.g., [230]), white-papers (e.g., [222,223]), and academic and<br />
other papers and articles (e.g., [26, 161]). For the intelligence community Palantir have described<br />
an intelligence infrastructure, where visualization and link analysis is the “top of the iceberg”, in<br />
a layered architecture comprising the four layers data integration, search & discovery, knowledge<br />
management and collaboration [192], as shown in Figure 4.2.<br />
Figure 4.2: Visualization and Link Analysis is the “top of the iceberg”, in a layered architecture<br />
comprising the four layers Data Integration, Search & Discovery, Knowledge Management and<br />
Collaboration (source: [192]).<br />
SPECIFIC FEATURES<br />
Palantir Government has a data integration platform, which is a framework for data integration<br />
with “a powerful model that accommodates every kind of enterprise data source” [194], structured<br />
and unstructured, such as online sources, databases, text files and spread sheets [192, 194]. To<br />
get an understanding of what Palantir means by structured and unstructured data, we use an<br />
example from a counterterrorism demonstration video [230]. In this video, a text file (document)<br />
describes an investigation asset meeting three other individuals at a charity event. When the<br />
document is viewed in a so-called Browser, some entities, such as names and email addresses, are<br />
recognized and highlighted as if they were hyperlinks in a web browser. The entities were highlighted<br />
using one of several entity extraction methods (automated or manual). If using automated<br />
extraction, errors will occur and not all important entities are highlighted (e.g., the home address<br />
of an individual). The user now has the option to manually extract entities such as phone numbers<br />
and addresses, indicate their type and link them to the already recognized entities (individuals)<br />
in the document. Furthermore, entities can be merged (i.e., they represent the same entity) using<br />
drag and drop, and the data becomes increasingly structured [230].<br />
In general, Palantir data integration focuses on the importance of supporting open formats and<br />
application programming interfaces (APIs): “you need a platform that allows you to import information,<br />
interact with that information, and then get it out of the system” [194]. This is a short, but precise,<br />
description of the purpose of criminal network investigation tools. The object (entity) model of<br />
Palantir Government is very impressive. It has its own separate architecture layer between the<br />
data storage and the end user (analysts, developers, and administrators) as shown in Figure 4.3<br />
(left). This separate layer for the data model leverages “lossless data abstractions” [237], making<br />
it possible to “track every piece of information back to its source” [237] (see Figure 4.3, right).<br />
Figure 4.3: The object model has its own separate architecture layer between storage and end<br />
user (left). This approach secures lossless data abstractions, even with multiple sources forming<br />
the basis for object properties, e.g., name or email (right). (source: [237])<br />
Palantir Government supports nodes, links, and groups for synthesis and “users interact with<br />
their data as first order conceptual objects” [237]. It is our impression that objects only cover<br />
the nodes in criminal networks, not the relations between nodes nor the groupings of nodes, links,<br />
and groups, especially since we are to think about objects “as empty containers or shells, within<br />
which we fill attributes and other information about them. Examples of entities could be people,<br />
places, computers, phones, events like meetings or phone calls, or documents like email or message<br />
traffic” [237].<br />
Figure 4.4: Different kinds of relations are<br />
shown (round icons), with the same visual relation<br />
(blue line). (source: [230])<br />
Figure 4.5: Expanded group object and other<br />
objects (individuals) are shown on the left,<br />
and the result of collapsing the group object<br />
is shown on the right. (source: [230])<br />
“We haven’t encoded any semantics into the object model itself. The organization actually gets to<br />
define their semantics using a tool called Dynamic ontology” [237]. Palantir Government supports<br />
directed links, either representing single relationships or multiple as shown in Figure 4.4, where<br />
there are multiple relations for each link (each one represented by a circle with an icon). The<br />
technological support for relationships as a means of connecting objects is based on ontologies, as<br />
shown in Figure 4.6. There is one ontology for objects, one for relationships, and one for object<br />
properties (attributes).<br />
Palantir Government supports group objects to which other objects can then connect (see Figure<br />
4.5, left). While expanded we notice that the group icon remains in the space. When the group<br />
is collapsed all the connected objects are hidden (see Figure 4.5, right).<br />
Figure 4.6: Palantir Government supports an object model that is different from the ontology<br />
describing relationships, objects, and properties (left). On the right is an example of an object<br />
model with an ontology. (source: [237])<br />
Palantir Government also records a history of the user’s actions. This means that investigators<br />
can return to a point in an investigation, i.e., a point where a certain action was done by the<br />
investigator (e.g., a search). However, if the investigator makes a change now, a branch is created<br />
in the investigation, visualized with a new icon in the history bar, indicating the number of old<br />
slides (the old branch), as shown in Figure 4.7 [230]. This means that investigators can use<br />
branches to represent different hypotheses, or maybe they are just alternate interpretations of<br />
the same information: “Unlike a typical undo redo, Palantir maintains a fully branched history<br />
of everywhere an investigation has been. This allows an analyst to explore hypotheses or see<br />
where [some evidence] might lead an investigation, without fear of in anyway contaminating or<br />
corrupting that investigation” [230]. Finally the history adds a learning perspective to Palantir<br />
Government: “this investigation [history] provides an importing training aid, allowing analysts to<br />
show other analysts how they reached their conclusions, which paths they take, and what they do<br />
when they reach dead ends” [230].<br />
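A minimal model of the branched history described above, showing why returning to an earlier slide and changing something cannot contaminate the earlier line of reasoning. This is an added example, not Palantir code or code from the dissertation; the class and method names, the entity names and the recorded actions are hypothetical and constructed for illustration.<br />

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False, repr=False)
class Slide:
    """One recorded action and the immutable network state it produced."""
    slide_id: int
    action: str
    links: frozenset
    parent: Optional["Slide"] = None
    children: list = field(default_factory=list)


class InvestigationHistory:
    """Branched history: going back and changing something never overwrites."""

    def __init__(self):
        self._slides = []
        self.current = self._add("open investigation", frozenset(), None)

    def _add(self, action, links, parent):
        slide = Slide(len(self._slides), action, links, parent)
        self._slides.append(slide)
        if parent is not None:
            parent.children.append(slide)
        return slide

    def slide(self, slide_id):
        return self._slides[slide_id]

    def record(self, action, add=(), remove=()):
        """Record an action at the current slide; a slide that already has
        successors gains a new branch and the old successors are kept."""
        links = (self.current.links | frozenset(add)) - frozenset(remove)
        self.current = self._add(action, links, self.current)
        return self.current

    def go_to(self, slide_id):
        """Return to an earlier point without discarding anything after it."""
        self.current = self._slides[slide_id]
        return self.current

    def active_path(self):
        """Slides from the start of the investigation to the current slide."""
        path, node = [], self.current
        while node is not None:
            path.append(node)
            node = node.parent
        return path[::-1]

    def old_slides(self, slide_id):
        """Count slides on branches leaving this slide that are off the active
        path (the number shown on the branch marker in the history bar)."""
        on_path = {s.slide_id for s in self.active_path()}
        stack = [c for c in self._slides[slide_id].children
                 if c.slide_id not in on_path]
        count = 0
        while stack:
            node = stack.pop()
            count += 1
            stack.extend(node.children)
        return count

    def compare(self, id_a, id_b):
        """Links that two hypotheses share and the links unique to each."""
        a, b = self._slides[id_a].links, self._slides[id_b].links
        return {"shared": a & b, "only_a": a - b, "only_b": b - a}


def demo():
    """Constructed scenario: explore hypothesis A, go back, try hypothesis B."""
    h = InvestigationHistory()
    h.record("search: person_1", add=[("person_1", "phone_1")])            # slide 1
    h.record("A: phone_1 used by person_2", add=[("phone_1", "person_2")])  # slide 2
    h.record("person_2 attended event_1", add=[("person_2", "event_1")])    # slide 3
    h.record("event_1 held at address_1", add=[("event_1", "address_1")])   # slide 4
    h.go_to(1)
    h.record("B: phone_1 used by person_3", add=[("phone_1", "person_3")])  # slide 5
    return h


if __name__ == "__main__":
    history = demo()
    print([s.action for s in history.active_path()])
    print(history.old_slides(1), "old slides")
```

Because every slide holds a frozen snapshot and slides are only ever appended, hypothesis A remains available for comparison or training after hypothesis B has been started.<br />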
Figure 4.7: An example of Palantir history with a branch (the slide<br />
that says ‘3 old slides’). (source: [230])<br />
Figure 4.8: How to search<br />
for Mike Fikri in investigations<br />
created by other<br />
analysts. (source: [230])<br />
Palantir Government investigation summaries can be exported into Microsoft Powerpoint or HTML<br />
formats [230]. The user can select the individual history slides that are to be included in the summary<br />
using check boxes, additional information about each individual slide can be added, and the<br />
summary can be given a title.<br />
Real-time update of database indexes is supported, since Palantir Government found it was necessary<br />
“in order to truly enable enterprise-wide real-time collaboration” [230]. The collaboration<br />
focuses on sharing data as well as analyses, collaboration inside as well as across agencies, across<br />
compartments and across classification. The collaboration concepts are based on how engineers<br />
collaborate. Finally, Palantir Government is the “only system designed with civil liberties and<br />
privacy protections” [192]. An example of how an investigator can search for a specific object in<br />
other investigations is shown in Figure 4.8. In terms of human-computer interaction, the circular<br />
object action menu in Figure 4.8 is interesting and an intuitive method for doing so; the object is<br />
in the middle with available menus around, no matter where it is positioned in the investigation.<br />
4.1.3 Xanalys Link Explorer 6.0<br />
Xanalys Link Explorer 6.0 (previously Watson [7]) allows investigators to apply powerful query<br />
and analysis techniques to their data, presenting the answers in a range of visualizations such as<br />
link charts, time lines, maps, and reports [6].<br />
Xanalys Link Explorer information spaces are referred to as charts. In the hierarchy chart information<br />
elements can be organized, with pre-defined icons or the users own pictures as visual<br />
abstractions. Links can be placed between the information elements to model relationships [6].<br />
Link Explorer supports many different charts (perspectives) for information including “tabular,<br />
hierarchy, link, timelines, maps, clocks etc.” [6]. The user is free to move data entities between<br />
the charts.<br />
Two interesting features of Xanalys Link Explorer are the support of exporting a chart to a Microsoft<br />
Excel spreadsheet (Figure 4.9) and the ability to create search queries using drag and drop (Figure<br />
4.10). We have not come across these features in any of the other related work 40. In the drag and<br />
drop query example presented in Figure 4.10, a person, a vehicle, and a location are all linked to<br />
an incident report. We interpret this query as a desire to search for single individuals, who have<br />
been involved in an incident, where a car was also involved, and it happened at a specific location.<br />
Figure 4.9: Example of exporting a Link Explorer chart to Microsoft Excel spreadsheet. (source: [6])<br />
Figure 4.10: An example of how to create search queries in Link Explorer by the use of drag and drop. (source: [6])<br />
4.1.4 COPLINK<br />
COPLINK is designed for both general policing and specialist use for detectives/crime analysis<br />
[53]. The tool consists of three modules: “Connect” database, “Detect” criminal intelligence, and<br />
“Collaboration” [84]. With the merger between Knowledge Corporate Computing and i2 in 2009,<br />
COPLINK became a separate product line within i2 Limited. In 2011, i2 Limited was purchased<br />
by IBM. We do not present our analysis of the COPLINK tool here, as we have chosen to focus<br />
on the other three tools reviewed above (Analyst’s Notebook, Palantir Government, and Xanalys<br />
Link Explorer), since they target a more complete investigation cycle.<br />
4.2 Research prototypes<br />
We analyze three research prototypes in this section: The Sandbox for analysis focuses on easy<br />
drag-and-drop acquisition, expressive thinking, and implements interesting interaction gestures<br />
[254] (Section 4.2.1). POLESTAR is an integrated suite of knowledge management and collaboration<br />
tools for intelligence analysts [178] (Section 4.2.2), and Aruvi is the implementation of an<br />
information visualization framework that supports the analytical reasoning process [201] (Section<br />
4.2.3). Finally, we mention Dynalink, a recent prototype that demonstrates interesting features<br />
(Section 4.2.4).<br />
4.2.1 The Sandbox for Analysis<br />
Sandbox is a flexible and expressive thinking environment that supports both ad-hoc and formal<br />
analytical tasks [254]. Investigators can acquire “any relevant information, including documents,<br />
snippets, images, tables, etc. by dragging them into the Sandbox from TRIST 41 as well as MS<br />
Word, MS Explorer, IE and other systems” [254]. The Sandbox and TRIST are integrated in the<br />
same cognitive workspace (called nSpace), which means that information (e.g., text snippets or<br />
pictures) can be dragged directly to an investigation in the Sandbox, and entities in the Sandbox<br />
can be dragged to TRIST to function as a search query for additional information [254].<br />
“Analysts need to be able to quickly and easily place, arrange, re-arrange, group, emphasize,<br />
highlight and compare information” [254]. Information is arranged, linked and grouped according<br />
to topics and issues. Based on Figure 4.11, associations are either made using simple unweighted<br />
relations or visual associations by spatial arrangement of entities.<br />
As shown in Figure 4.11 (d, b, and c), the conceptual model of the Sandbox has support for card-like<br />
entities and groups (d), picture entities (b), and relations (c). The creation of hypotheses<br />
(argumentation for topics and issues) has clearly been a key requirement and has resulted in<br />
strong, intuitive support. Hypothesis questions can be stated using ‘pin’ labels, and can be<br />
branched out to several sub questions in the work space. In Figure 4.11, the question Who wants<br />
to [. . . ]? is followed by the questions Who attacked [. . . ] in the past? and Who would benefit<br />
from [. . . ] death? 42 . Assertion groups can be used to gather evidence proving a hypothesis true<br />
or false. The assertion group has “Support and Refute Gates” along the sides. See Figure 4.11<br />
(e) for an example of dragging evidence through the support gate to an assertion group.<br />
Figure 4.12 shows some of the interesting information interaction gestures that the Sandbox supports:<br />
grouping of entities can be performed with a loop gesture (Figure 4.12a), entities not aligned<br />
vertically or horizontally can be selected using a so-called lasso selection (Figure 4.12b), and entities<br />
are deleted with an x gesture (Figure 4.12c). Finally, the Sandbox supports direct manipulation,<br />
providing a sense of writing on physical objects (e.g., white boards or paper cards): “direct manipulation<br />
and annotation are used to build and express meaning.” [254].<br />
4.2.2 POLESTAR<br />
POLESTAR (POLicy Explanation using STories and ARguments) is an integrated suite of knowledge<br />
management and collaboration tools for intelligence analysts [178]. Pioch and Everett (2006)<br />
point out the reasons for intelligence failure relating to current information systems that “inhibit<br />
collaboration and stifle insight with antiquated processes that encode [. . . ] compartmentalization”<br />
[178]. POLESTAR supports the end-to-end intelligence analysis process, covering the processes<br />
search, read, collect, structure, write, review, and revise. The entities in POLESTAR are<br />
so-called Facts, which are basically text snippets collected from websites by first highlighting the<br />
text and then dragging it into a portfolio browser. The user can augment the fact with various<br />
meta data, such as the source of the information and their interpretation of it.<br />
Figure 4.11: An augmented screen shot from the Sandbox for analysis, illustrating basic entities and features. ‘Pin’ labels are used to ask questions<br />
and start hypotheses (a). The conceptual model supports card-like entities and groups (d), picture entities (b), and relations (c). An assertion<br />
group is used to gather evidence proving a statement true or false and the assertion group has “Support and Refute Gates” along the sides - (e) is an<br />
example of dragging evidence through the support gate to an assertion group. (source: [254])<br />
Figure 4.12: The Sandbox interaction gestures include (a) loop-to-group gestures, (b) lasso-selection<br />
gestures, and (c) x-to-delete gestures.<br />
The portfolio browser has tools for knowledge structuring such as the wall of facts (see Figure<br />
4.13) that includes a time line view (Figure 4.14). The wall of facts “is a blank workspace onto<br />
which the analyst can drag and drop snippets of information that they have collected” [178].<br />
Snippets placed at the edge of the wall of facts are shrunk, while snippets at the center are full<br />
size. Investigators can add claim text boxes around which snippet arguments can be positioned,<br />
or snippets can be grouped hierarchically using sub-workspaces. The wall of facts time line view<br />
shows the chronology of snippets according to the dates that investigators have added: “seeing this<br />
arrangement can clarify relationships that are hard to detect when looking at a series of textual<br />
dates” [178]. Interestingly, the time line view also supports sub-time lines.<br />
Figure 4.13: POLESTAR Wall of Facts.<br />
Figure 4.14: POLESTAR Timeline.<br />
POLESTAR has strong support for creating hypotheses (like the Sandbox, see Section 4.2.1), and<br />
mentions the importance of having an explicit structure to more easily locate weak arguments. As with<br />
any argumentative structure, the basis in POLESTAR is a hypothesis. The hypothesis can be<br />
supported or rebutted by claims (i.e., the claim box mentioned above) and assumptions. Claims<br />
and assumptions are typically based on interpretation of a fact, which the investigator has entered<br />
meta data about, such as info type, reliability, classification, and source. The fact originates from<br />
a source document.<br />
4.2.3 Aruvi<br />
Aruvi is the prototype implementation of an information visualization framework that supports<br />
the analytical reasoning process [200,201]. As mentioned, analysis is focused on what can be done<br />
using visualizations, but has some structure in terms of the argumentative reasoning support and<br />
the navigation history. Shrinivasan and Wijk (2008) formulate five requirements for the analytical<br />
reasoning process in information visualization [201], which are summarized as the challenge of<br />
providing the user with an overview of what has been done and found: “to keep track of the<br />
exploration process and insights, a history tracking mechanism and a knowledge externalization<br />
mechanism respectively are essential” [201]. Figures 4.15a, 4.15b, and 4.15c explain the Aruvi<br />
support of history tracking. Initially, Shrinivasan and Wijk (2008) . . .<br />
“. . . use a history tree representation to show the structure of the exploration process.<br />
A node represents a visualization state. An edge between the adjacent nodes is<br />
labeled with the user action (see Figure 4.15a). [. . . ] Figure 4.15a shows the structure<br />
of the navigation. A branch represents a revisit and reuse of an already existing visualization<br />
state. To understand the temporal context, it is important to see the sequence<br />
of visualization states along with the structure of the navigation. Figure 4.15b shows<br />
the structure of the navigation ordered by time in the horizontal direction. The user<br />
can toggle between the two representations during the analysis via the settings interface<br />
(see Figure 4.15c-1). The user can revisit the visualization states sequentially in the<br />
order of creation using the back and forward arrow keys. This action is similar to the<br />
undo-redo mechanism. Also, the user can hover over a node to get information about<br />
the visualization state (see Figure 4.15c-3) and jump to any visualization state in the<br />
navigation view. An overview window is used for panning over the history tree (see Figure<br />
4.15c-4). When a visualization state is linked to objects in the knowledge view, it is<br />
marked with a star in the navigation view (see Figure 4.15a, 4.15b and Figure 4.15c-2).<br />
The current visualization state in the navigation is highlighted in yellow.” [201]<br />
Figure 4.15: History trees and navigation view. (a) History tree showing navigation structure. (b) History tree with navigation structure ordered by time. (c) Aruvi navigation view implementation.<br />
Figure 4.16: Aruvi knowledge view.<br />
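
The history-tracking mechanism quoted above can be modelled with a small tree whose nodes are visualization states and whose edges carry the user action. The following Python sketch is an added illustration, not Aruvi's code and not code from this dissertation; the class names, method names, and the sample session are assumptions constructed for the example. It shows the distinction the quote draws: branches record the structure of the navigation, while back and forward step through states in order of creation.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)
class State:
    """One visualization state: a node in the history tree."""
    seq: int                                   # creation order (time axis)
    label: str
    parent: Optional["State"] = field(default=None, repr=False)
    action: str = ""                           # user action labelling the edge
    children: List["State"] = field(default_factory=list)
    starred: bool = False                      # linked to the knowledge view


class HistoryTree:
    """Hypothetical model of a navigation history (names are assumptions)."""

    def __init__(self, root_label):
        self.root = State(0, root_label)
        self.states = [self.root]              # list index == creation order
        self.current = self.root

    def apply(self, action, label):
        """A user action on the current state creates a new child state."""
        child = State(len(self.states), label, self.current, action)
        self.current.children.append(child)
        self.states.append(child)
        self.current = child
        return child

    def jump(self, seq):
        """Revisit an existing state; the next apply() branches from it."""
        self.current = self.states[seq]
        return self.current

    def back(self):
        """Step to the previously created state, which need not be the parent."""
        self.current = self.states[max(self.current.seq - 1, 0)]
        return self.current

    def forward(self):
        """Step to the next created state, stopping at the newest one."""
        last = len(self.states) - 1
        self.current = self.states[min(self.current.seq + 1, last)]
        return self.current

    def link_to_knowledge(self, seq):
        """Mark a state as linked to an object in the knowledge view."""
        self.states[seq].starred = True

    def path_to(self, seq):
        """Actions from the root to a state: how that view was derived."""
        node, actions = self.states[seq], []
        while node.parent is not None:
            actions.append(node.action)
            node = node.parent
        return actions[::-1]

    def structure_view(self):
        """Indented tree: the structure of the navigation."""
        lines = []

        def walk(node, depth):
            edge = f"--{node.action}--> " if node.parent else ""
            star = " *" if node.starred else ""
            here = " <current>" if node is self.current else ""
            lines.append("  " * depth + edge + node.label + star + here)
            for child in node.children:
                walk(child, depth + 1)

        walk(self.root, 0)
        return lines

    def time_view(self):
        """The same states ordered by creation: (seq, label, parent seq)."""
        return [(s.seq, s.label, s.parent.seq if s.parent else None)
                for s in self.states]


def build_demo():
    """Constructed sample session with one revisit that starts a branch."""
    tree = HistoryTree("all incidents")
    tree.apply("filter year=2011", "incidents 2011")          # state 1
    tree.apply("zoom region A", "region A, 2011")             # state 2
    tree.link_to_knowledge(2)                                 # starred state
    tree.jump(1)                                              # revisit state 1
    tree.apply("color by type", "incidents 2011 by type")     # state 3, branch
    return tree


if __name__ == "__main__":
    demo = build_demo()
    print("\n".join(demo.structure_view()))
    print(demo.time_view())
```
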
For knowledge externalization, Shrinivasan and Wijk (2008) decided to design a knowledge view<br />
as a basic graphics editor, because “it helps the users to construct diagrams to externalize their<br />
mental models and structure arguments” [201]. Figure 10.8 shows the Aruvi knowledge view,<br />
where:<br />
“A note is the basic entity to record findings. A note is either rectangular (see<br />
Figure 10.8a) or elliptical (see Figure 10.8b) in shape. Notes can be organized into a<br />
group with a title (see Figure 10.8c). The tool supports multiple group levels (see Figure<br />
10.8d). A connector line can be drawn between notes, groups, and a note and a group<br />
([with or without direction], see Figure 10.8e). When an entity in the knowledge view is<br />
linked to a visualization state it is marked with a star (see Figure 10.8f).” [201]<br />
4.2.4 Dynalink<br />
Dynalink is a framework for visualizing dynamic criminal networks. “The interactive and visual<br />
features of Dynalink can be useful in discovering and analyzing both relational patterns of criminal<br />
networks” [160]. A primary strength of Dynalink “is that it can process huge datasets” [160]; the<br />
system has been tested against a crime dataset consisting of 125.558 criminals.<br />
4.3 Investigative journalism tools<br />
Tools for investigative journalism are not nearly as elaborate as the above commercial tools for<br />
policing and counterterrorism. The market for policing and counterterrorism tools is much bigger<br />
than the market for watchdog journalism tools. Tools for computer-assisted reporting (CAR)<br />
span from simple tools to more advanced mapping, statistical, and social network analysis tools.<br />
Compared to normal journalism, CAR tools are highly relevant for the amount of digging that<br />
investigative journalism requires while other tools are used for thinking tasks. The following tools<br />
have been selected for the comparison:<br />
4.3.1 Namebase.org<br />
Namebase.org 43 is a database of books and clippings where users can search for names and<br />
individuals, groups, and corporations [136]. The search finds books and clippings that cite the<br />
name searched. It also has an option to draw a social network diagram (see Figure 4.17). Searching<br />
can be performed in the following ways: ‘name search’, ‘proximity search’, ‘country search’ and<br />
‘document scan’, but only in the existing databases; no ingestion of additional data is possible.<br />
The aforementioned social network diagram can be used to draw relations between the search<br />
results, providing an alternative perspective to listed results. The user can click entities in the<br />
social network diagram, to focus on that entity.<br />
Figure 4.17: Namebase.org social network diagram based on a database search.<br />
4.3.2 Mindmeister<br />
Mindmeister is a collaborative tool for online mind mapping [3] (see screen shot in Figure 4.18).<br />
Mindmeister supports the following formats for import of mind map data: original Mindmeister<br />
files, FreeMind™ 44, Mindjet MindManager™ 45, and finally text files where entities are simply<br />
separated using spaces or tabs and the first line is the title of the mind map.<br />
Figure 4.18: Augmented Mindmeister screen shot, highlighting various concepts that the tool<br />
supports: entity types, groups, visual symbols, multimedia, and hypotheses.<br />
Entities are for example topics and ideas, or relations as shown in Figure 4.18. All entities support<br />
grouping. If one entity is dropped on another entity, it becomes a sub-entity of the entity it is<br />
dropped on (a group is started or expanded). Sub-entities can be collapsed by clicking the circle<br />
with a minus (see Figure 4.18). The minus becomes a plus which could be used for expanding that<br />
information again. Mindmeister supports real-time brainstorming: “simultaneously work with<br />
colleagues on the same map and see changes as they happen” [3]. Finally, like any mind mapping<br />
tool, Mindmeister is strong on generation of hypotheses and alternate interpretations.<br />
4.3.3 Simple tools<br />
Simple tools include applications for database searching, Microsoft Word, Excel, and Powerpoint<br />
for information overview, physical tools like paper, maps, calendars, etc. As we assume our readers<br />
will have a basic understanding of what can be done with these tools we do not review them here.<br />
4.4 Summary of related work<br />
The commercial tools (Analyst’s Notebook, Palantir Government, and Xanalys Link Explorer)<br />
all had a strong focus on visualization, together with their own particular feature support: Analyst’s<br />
Notebook has strong support of perspectives such as the heat matrix, Palantir Government<br />
has strong synthesis support through their expandable and collapsible information features (i.e.,<br />
groups), and Xanalys Link Explorer supports drag and drop search queries.<br />
The research prototypes have a strong focus on the creation of hypotheses and argumentative<br />
structures in general. However, the Aruvi prototype is based on an extended understanding and<br />
analysis of reasoning theory: model construction, revision, and falsification. Furthermore, decisions<br />
made in the Aruvi knowledge view are also indicated in the workspace (using the same color).<br />
This sort of decision-making support was not found in the other research prototypes.<br />
Each individual simple tool for investigative journalism solves the task it is intended for, but if<br />
more than one simple tool is required to solve a task, it becomes a problem, since they do not exist<br />
in an integrated environment. And simple import and export tasks might be more complicated<br />
than for example solving (some of) the tasks by hand.<br />
In summary, the reviewed commercial tools and research prototypes supporting a cards-on-table<br />
metaphor have some basic features in common. They support information elements and relations,<br />
the basic building blocks for creating networks. The support of composites (groups) is<br />
more sporadic, with Palantir having better support. For further comparison of criminal network<br />
investigation task and model support we refer to Section 15.3.<br />
CHAPTER 5<br />
Theory and technology<br />
Stick with simple tools, like pencil, paper, and whiteboard.<br />
Communication is more important than whizzbang.<br />
Kent Beck and Martin Fowler, Agile modeling by Ambler (2002) [11].<br />
This chapter presents the state of the art on core theories and technologies relevant to the development<br />
of tool support for criminal network investigation, addressing the challenges associated therewith<br />
(see Section 1.2 and Chapter 6). We will elaborate our initial discussion of the theory and technology<br />
pillars introduced in Chapter 1. The pillars represent high level functional and non-functional<br />
aspects of developing criminal network investigation tools. Lower level (functional) software requirements<br />
are the research focus requirements presented in Chapter 6. The theories (sciences)<br />
and technologies listed for each pillar have provided us with the knowledge and understanding<br />
necessary to develop tool support of that particular aspect. The pillars are shown in Figure 5.1,<br />
and colors are used to indicate how well the different theories and technologies are covered in this<br />
chapter or in a fragmented manner throughout the dissertation (see the coverage legend at the<br />
bottom of Figure 5.1). The theories and technologies have been selected based on their relation<br />
to the overall hypothesis and the three criminal network investigation challenges: information,<br />
process, and human factors.<br />
We will present each theory and technology from the perspective of criminal network investigation.<br />
The pillars and their theory and technology building blocks are briefly described below, with<br />
references to the respective sections reviewing them in greater detail.<br />
Emerging and evolving pillar. A complex software systems engineering problem is the support<br />
of emergent and evolving information structures [172]. The complexity arises because<br />
the premise for such support is that you don’t know what structures will emerge as end<br />
users synthesize and organize their domain information: they might end up with spatial, hierarchical,<br />
or argumentation structures, and most often the result will be a mix of multiple<br />
structure types. In general terms, structure is an abstraction used to describe the form of<br />
some object, whether it is a house [8], a city [9], a software development plan [165, 170] or<br />
criminal network information entities pieced together, forming network structures [174]. We<br />
have presented basic sub structures and organizational meta structures of criminal networks<br />
in Section 3.2.<br />
Figure 5.1: Criminal network investigation pillars of theory and technology. The colors indicate<br />
how well each individual research area or technology has been covered, e.g., green building blocks<br />
are covered in great detail while red building blocks are not covered.<br />
Hypertext is a technology that provides methods for supporting various structure domains.<br />
Research of these structure domains is helpful in understanding how structures are formed<br />
and to learn general ways of implementing software support of similar structures, that can<br />
then be mapped to the other information domains (see Section 5.1). Semantic web is a<br />
technology aiming at adding semantics to web pages, to make them understandable by<br />
machines, through the description of knowledge domains using ontologies to describe the<br />
objects on web pages and their interrelationship. This has been extremely helpful in terms<br />
of supporting networks, where information elements can be of different types, where relations<br />
can be weighted and of different kinds (we cover basic semantic web technology relevant for<br />
our work in Section 5.2). Information science has helped find the appropriate trade-off<br />
between having a completely generic system that the end user can customize to suit any<br />
particular information domain and adding some domain knowledge into the system prior to<br />
providing the user with access (see Section 5.3).<br />
Problem solving pillar. This pillar deals with cognitive processes, creativity, and tools supporting<br />
a human-centered, target-centric team approach to criminal network investigation. We<br />
think of criminal network investigation as a process (or processes) for crime related problem<br />
solving. Section 5.4 deals with human cognition in terms of the mind’s approach to solving<br />
problems. More specifically, what are the strengths, weaknesses, and limitations of human<br />
cognition, so that we know how not to inhibit the strengths in any way and to decrease the<br />
impact of weaknesses and limitations. Software systems engineering has different processes<br />
describing approaches to software development, one of which, the agile approach, we find<br />
useful for our target-centric approach to criminal network investigation. Agile modeling is<br />
described in the section of software systems engineering and Section 5.6, covering a range of<br />
modeling techniques, very different from traditional approaches to problem solving. Many<br />
different tools - both physical and software - could be used for and are good for different<br />
kinds of problem solving. Such tools are described in Section 5.6. Finally, we have conducted<br />
a review of the creative process, which talks about creativity in general, and discusses the<br />
benefits of creativity in real versus nominal groups (Section 5.5).<br />
Suspects and criminals pillar. Domain knowledge has provided us with many functional and<br />
non-functional aspects of tool support for criminal network investigation. The functional<br />
aspects come from experiences and literature that tell us about the individuals that form<br />
the type of criminal networks we want to investigate, and how and why these individuals<br />
became part of those networks; for example radicalization tendencies and processes. It can<br />
be argued that such knowledge is more important than knowledge about individuals who<br />
have already committed a crime, in terms of the ability to take proactive (de-radicalizing)<br />
measures. But it is not the focus we have chosen in this Ph.D. dissertation, and would<br />
require very detailed modeling capabilities, but we hope our approach will evolve in that<br />
direction in the future. The field of Social Science is a large provider of such knowledge,<br />
and we have used it and described it in fragments throughout the dissertation. This also includes studies from<br />
social science about criminals, i.e., the profile characteristics of individuals (case studies of<br />
individuals are covered in Section 5.7). For similar studies of groups we refer to Section 3.5.<br />
Investigation pillar. We reviewed two different approaches to criminal network investigation<br />
(linear and target-centric) in Chapter 3 and we will cover our process model and tasks for<br />
criminal network investigation in Chapter 7. Here we will focus on studies of technologies that<br />
can help investigators make sense of criminal networks together with a review of intelligence<br />
and the ethical issues involved in dealing with and making decisions based on criminal<br />
network investigation.<br />
We review the concept of intelligence, by focusing on open source intelligence and what role<br />
it has played for our work in Section 5.8. Section 5.9 on mathematical models covers different<br />
types of computational network analysis (also referred to as techniques or algorithms), and<br />
how these mathematical models can be useful in terms of supporting various analysis needs<br />
when investigating criminal networks. Ethical issues such as privacy and civil liberties are<br />
discussed in Section 5.10, an aspect of security informatics often neglected by academic<br />
software system engineers.<br />
Tool usage pillar. In terms of tool usage aspects, this pillar focuses mainly on trust and user acceptance<br />
(see Section 5.11). Models for assessing the acceptance of new technology are many,<br />
e.g., the technology acceptance model (TAM) for information technology [51]. And technology<br />
assessment researchers have given their suggestions for the “fundamental determinants<br />
of user acceptance” [51], e.g. Davis (1989) suggests perceived usefulness and perceived ease<br />
of use. In the criminal network investigation domain we find trust to be the fundamental<br />
determinant for tool user acceptance. Because of the security nature of the information and<br />
the importance of decisions being made based on that information, it is highly relevant that<br />
investigators and decision-makers (intelligence customers) trust the information, knowledge,<br />
and ultimately intelligence products that tools for criminal network investigation produce.<br />
We have a brief introductory review of interaction and visualization in Section 5.12. Computer-supported<br />
collaborative work (CSCW) or simply groupware is not covered in this dissertation,<br />
but we have studied important work in the field (e.g., [60]), and a substantial part of the<br />
course advanced software technologies for knowledge management focused on groupware 46 .<br />
As indicated in Figure 5.1, software systems engineering is the foundation, on which all the theory<br />
and technology pillars stand. The color indicates that we do not have a separate section or<br />
chapter on the software system engineering concepts we have applied in this project; it is covered<br />
throughout the dissertation.<br />
5.1 Hypertext<br />
Organizing and making sense of information has been the main focus of hypertext research from<br />
its very beginning. Hypertext systems aim at augmenting human intellect, i.e. increasing the capability<br />
of man to approach a complex problem situation, to gain comprehension to suit particular<br />
needs, and to derive solutions to problems [62]. The most widely used structure abstractions in<br />
hypertext are nodes and links. Nodes are informational units that can be connected through links.<br />
Users can traverse links and thereby navigate through a hypertext (graph). Nodes and links, however,<br />
have been criticized for a lack of support for emergent and evolving structures [199]. Spatial<br />
hypertext was designed for dealing with these shifting structures, and is found to be well suited<br />
for the purpose, e.g., the ease of changing a visual property or moving an object [198].<br />
“Hypertext, in its most general sense, allows content to appear in different contexts” 47 [141].<br />
That is, a person who is about to encounter a diverse amount of knowledge (or data) can augment<br />
that knowledge with different hypertext structures, making it more intuitive and easier to<br />
comprehend. All the structuring domains reviewed below “contain basic notions, although each<br />
also has its own specialized and tailored abstractions” [159]. Over the years, various hypertext<br />
structuring mechanisms have been proposed to support different types of information structuring,<br />
organization, and sense-making tasks. Several of these structuring mechanisms (or structuring<br />
domains) play a vital role in the design and development of tool support for criminal network<br />
investigation.<br />
5.1.1 Associative structures<br />
Associative structures allow arbitrary pieces of information (nodes) to be associated (linked).<br />
Bush (1945) [33] reasoned that since people use associations to store and retrieve information in<br />
and from their own minds, a machine-supported mechanism that provided this ability would be<br />
useful for organizing information stored in external memory.<br />
Halasz (1988) [82] argued that the basic associative hypermedia model lacks a composition mechanism,<br />
i.e., a way of representing and dealing with groups of nodes and links as first class entities.<br />
The term composites was coined for this type of grouping mechanism. Composites group other<br />
first class entities (nodes, links, and composites) either by inclusion or by reference. The Device<br />
Hypermedia System (DHM) [115] is a prominent hypermedia system that provides a rich set of<br />
composite types.<br />
For criminal network investigation purposes, associative structures (including composites) are useful<br />
for synthesis tasks such as manipulating entities and relations, re-structuring, and grouping.<br />
Relations can be unidirectional or bidirectional and either weak (suspected but unconfirmed relationship)<br />
or strong (known close relationship such as family or friendship ties). Bush (1945)<br />
summarizes how information is usually found by traversing a complex hierarchical structure of<br />
classes and then claims that: “The human mind does not work that way. It operates by association.<br />
With one item in its grasp, it snaps instantly to the next that is suggested by the association<br />
of thoughts, in accordance with some intricate web of trails carried by the cells of the brain” [33].<br />
NoteCards is an example of a navigational hypertext system that allows the user to create such an<br />
“intricate web of trails” [73].<br />
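
The associative structures described in this section (nodes, links that are weak or strong and unidirectional or bidirectional, and composites formed by inclusion or by reference) can be made concrete in a few lines of Python. This is an added example, not code from the dissertation or from any of the cited systems; all names and the sample network are constructed, composites here group only nodes and other composites, and the rule that removing an inclusion composite also removes its members is an assumption made for the example.

```python
from collections import deque
from dataclasses import dataclass

STRONG, WEAK = "strong", "weak"


@dataclass(frozen=True)
class Link:
    source: str
    target: str
    strength: str = WEAK          # weak: suspected; strong: known close tie
    bidirectional: bool = True


@dataclass
class Composite:
    name: str
    members: set                  # node ids and/or names of other composites
    by_inclusion: bool = True     # False: members are only referenced


class Network:
    """Hypothetical associative structure (names are assumptions)."""

    def __init__(self):
        self.nodes = {}           # node id -> label
        self.links = []
        self.composites = {}      # composite name -> Composite

    def add_node(self, node_id, label):
        self.nodes[node_id] = label

    def associate(self, source, target, strength=WEAK, bidirectional=True):
        self.links.append(Link(source, target, strength, bidirectional))

    def group(self, name, members, by_inclusion=True):
        self.composites[name] = Composite(name, set(members), by_inclusion)

    def neighbours(self, node_id, strong_only=False):
        """Nodes one association away, respecting direction and strength."""
        found = []
        for link in self.links:
            if strong_only and link.strength != STRONG:
                continue
            if link.source == node_id:
                found.append(link.target)
            elif link.target == node_id and link.bidirectional:
                found.append(link.source)
        return found

    def trail(self, start, strong_only=False):
        """Breadth-first trail of associations starting from one item."""
        seen, queue = [start], deque([start])
        while queue:
            for nxt in self.neighbours(queue.popleft(), strong_only):
                if nxt not in seen:
                    seen.append(nxt)
                    queue.append(nxt)
        return seen

    def expand(self, name):
        """Flatten a composite, including nested composites, to node ids."""
        result = set()
        for member in self.composites[name].members:
            if member in self.composites:
                result |= self.expand(member)
            else:
                result.add(member)
        return result

    def remove_composite(self, name):
        """Assumed semantics: inclusion deletes members, reference does not."""
        comp = self.composites.pop(name)
        if not comp.by_inclusion:
            return
        for member in comp.members:
            if member in self.composites:
                self.remove_composite(member)
            else:
                self.nodes.pop(member, None)
        # Drop links and composite memberships that now dangle.
        self.links = [l for l in self.links
                      if l.source in self.nodes and l.target in self.nodes]
        valid = set(self.nodes) | set(self.composites)
        for other in self.composites.values():
            other.members &= valid


def build_network():
    """Constructed sample: five entities, four relations, two composites."""
    net = Network()
    for node_id in "ABCDE":
        net.add_node(node_id, f"Entity {node_id}")
    net.associate("A", "B", STRONG)                       # known tie, two-way
    net.associate("B", "C", WEAK, bidirectional=False)    # suspected, B -> C
    net.associate("C", "D", STRONG)
    net.associate("E", "A", STRONG, bidirectional=False)  # E -> A only
    net.group("group-1", {"C", "D"}, by_inclusion=True)
    net.group("case-file", {"A", "group-1"}, by_inclusion=False)
    return net


if __name__ == "__main__":
    net = build_network()
    print(net.trail("A"), net.trail("A", strong_only=True))
    print(sorted(net.expand("case-file")))
```
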
NoteCards<br />
We have selected NoteCards for analysis because the basic entities are cards: “The basic construct<br />
in NoteCards is a semantic network composed of note cards connected by typed links. NoteCards<br />
provides two specialized types of cards, Browsers and FileBoxes that help the user to manage<br />
networks of cards and links” [170]. Figure 5.2 illustrates some notecard examples, where “each<br />
notecard contains an editable [content] such as a piece of text, a structured drawing, or a bitmap<br />
image. Each card also has a title” [73]. Figure 5.3 illustrates examples of Browser cards and<br />
FileBox cards.<br />
Figure 5.2: Example Notecards with embedded link icons. [73]<br />
The purpose of the NoteCards environment is “to help people formulate, structure, compare, and<br />
manage ideas”. NoteCards intends to support the nature of idea processing, something that is very<br />
important to our work as described in Section 5.4. Halasz et al. (1987) considered idea processing<br />
to be “a convolution of several different activities that can be roughly divided into three phases:<br />
acquisition, analysis, and exposition” [73]. These phases are very similar to the three phases of<br />
the generic creative process model: problem preparation, idea generation and idea evaluation (see<br />
Section 5.5). Furthermore, the goal of idea processing is described as a way of moving “from<br />
a chaotic collection of unrelated ideas to an integrated, orderly interpretation of the ideas and<br />
their interconnections”. It comes as little surprise that the most common use of the NoteCards<br />
environment “is as database for storing personal information such as notes to oneself, clippings<br />
from electronic mail messages, quick ideas jotted down, sections of a paper in progress, etc”.<br />
Halasz et al. (1987) assess NoteCards according to the subjects information management and<br />
idea processing [73]. It is concluded that information management is appropriately supported,<br />
especially when it comes to organizing information “into arbitrary (e.g., non-hierarchical) network<br />
Figure 5.3: Example Browser Card (large) and FileBox Card (small). [73]<br />
structures tailored to their specific applications”. Idea processing was found to be “relatively<br />
difficult” by many users. This is mainly because “representing and manipulating ideas in NoteCards<br />
is a task that requires considerable strategic planning”. In other words, it is not intuitive<br />
for the users how to make a structure that can clarify their “unorganized and poorly understood<br />
collection[s] of ideas” [73]. 48<br />
5.1.2 Spatial structures<br />
Spatial structures were designed to deal with emergent and evolving structures of information<br />
which is a central task in information analysis. Marshall and Shipman [141] note that information<br />
analysts faced with the task of organizing and understanding large amounts of information develop<br />
structures over this information over time. As their understanding of the information space<br />
changes, the structures they use to characterize the space also change. Systems designed for such<br />
analysts are required to support emerging, dynamic structures that avoid the problems associated<br />
with premature organization and formalization, as discussed by Halasz [73, 82].<br />
In the context of criminal network investigation, spatial structures (including spatial parsing and<br />
navigable history) are useful in various analysis and dissemination tasks such as re-structuring,<br />
brainstorming, retracing the steps, creating alternative interpretations, and story-telling.<br />
According to [20], the relevance and importance of spatial structures for intelligence analysis is<br />
documented by the fact that CIA’s Office of Research and Development funded early development<br />
and associated studies related to the first spatial hypertext systems (Aquanet [140] and VIKI [142]),<br />
as well as one of their earlier relatives (NoteCards [82], described above).<br />
Systems<br />
A spatial hypertext system allows its users to represent information elements as visual “icons”.<br />
Analysts can represent relationships among objects implicitly by varying certain visual attributes<br />
(e.g., color, size, and shape) of the icons and by arranging the icons in arbitrary ways in a large 2D<br />
space (spatial proximity). Information elements can be grouped in collections. A spatial parser<br />
can then recognize the spatial patterns formed by these icons. First generation spatial hypertexts<br />
primarily focus on research-related information analysis [142] and general idea-processing. Second<br />
generation spatial hypertexts have been used in tasks such as “note taking, writing, project<br />
management, and conference organization” [198] and scholarly work processes [246]. But first and<br />
second generation spatial hypertexts are considered to be general-purpose as described in [199] due<br />
to their purely spatial hypertext concepts implementations [121] and non-formalized information<br />
elements. We do not consider them to be usage-oriented like the following tools (some of which<br />
have multiple usage-orientations). Over the years several strains of spatial hypertext systems<br />
have been developed and evolved, e.g. from NoteCards [73] over Aquanet [140] and VIKI [142]<br />
to VKB [198] and VITE [95] and from the Construct Space Tool [246] to ASAP [170–172]. A<br />
prominent example of a spatial hypertext system is the Visual Knowledge Builder (VKB) [198].<br />
Aquanet (1991) started the strain and facilitates spatial manipulations and visually indicated<br />
links, using a browser-based approach [121, 140, 141]. Experiences with use showed that users<br />
created linkless spaces of nodes arranged in regular graphical patterns that indicated relationships<br />
among nodes spatially and visually [199]. Figure 5.4 shows an excerpt of an analysis of machine<br />
translation systems and technologies. The distinct patterns of graphical objects indicate the<br />
composites built by the users to represent a single machine translation system or technology (i.e.,<br />
the red/pink, blue, green and white with gray border rectangles).<br />
Figure 5.4: Aquanet information element mock-ups. [140]<br />
VIKI (1994) was developed next to explore spatial hypertext as a geometric and visual structuring<br />
paradigm [142]. VIKI’s emphasis is on flexibility, informality and change. VIKI’s spatial<br />
hypertext model is based on information elements, visual symbols, collections and composites.<br />
The information elements in VIKI are semi-structured content-holding entities that may have no<br />
internal structure, or may have a number of fields added to them in order to create user-specified<br />
structure. Visual symbols are manipulable references to an information element. The symbol size<br />
can be used to limit the amount of content revealed. Users can also specify which field’s contents<br />
are shown and they can scroll through content to focus attention on a specific segment. VKB<br />
extends on VIKI in a number of ways, but the focus is primarily on more advanced visual cues<br />
and support of collaborative tasks [198]. VKB kept the notion of information elements, collections,<br />
and subspaces (see Figure 5.5). VITE is a system developed to explore the design and reuse of<br />
systems incorporating two-way mappings, again following the cards-on-table metaphor [95, 97].<br />
The attribute/value mapping pairs are the primary content rather than meta data attached to<br />
a larger plain text or image information element, which is likely to be the case in a structural<br />
computing environment (see Section 5.1.6).<br />
The Socs application “permits the intuitive connecting of information on a space. It supports<br />
emergent and dynamic knowledge structures, fosters communication, awareness, and notification<br />
services, enables multiple trails of thought in parallel (i.e., thought experiments), as well as versioning<br />
with easy access to previous states” [20]. The tool is targeted at criminal profiling or crime<br />
scene analysis supporting small teams of officers, following the cards on table metaphor. Atzenbeck<br />
(2008) presents the Socs social space on which information elements represent collaborators,<br />
using a graphical icon and a label as visual abstraction [19]. The space could be divided into<br />
separate areas, indicating the role of the persons in that specific setting.<br />
Figure 5.5: VKB information elements and menu options.<br />
The ASAP tool 49 uses spatial and taxonomic hypertext structuring mechanisms to provide support<br />
for project planning [170]. “Project planning in agile teams is a collaborative process relying<br />
on face-to-face communication and shared information to succeed” [171, 172]. The ASAP tool<br />
implements a bi-directional mapping between the interactive areas of the task card and the underlying<br />
data. Based on the tool’s usage-orientation, the separator was implemented as a novel<br />
structuring mechanism, allowing the user to create a temporal separation of grouped cards, enabling<br />
auto generation of views and reports. ASAP lets the user interact with an information<br />
element’s underlying content.<br />
To summarize, the majority of the reviewed tools implement a cards-on-table metaphor, and hence<br />
the geometric shapes representing pieces of information have not evolved considerably. The focus<br />
has been on developing powerful general purpose structuring mechanisms and support of long<br />
term collaboration, as the primary means for the users to reach their ends [198].<br />
5.1.3 Taxonomic structures<br />
Taxonomic structures can support various classification tasks. Parunak (1991) argued that<br />
taxonomic reasoning is a particular kind of reasoning task that deals with the comparison and<br />
classification of highly similar nodes, in which an analyst viewing one node thinks not in terms of<br />
linking it to another node, but of including it in or excluding it from a set of related nodes [232].<br />
Taxonomic structures are in essence hierarchical (tree) structures. Hierarchical structures are also<br />
known from other structuring domains (such as composites from the associative domain and collections<br />
from the spatial domain). In the context of criminal network investigation, taxonomic<br />
structures can provide a different visual (hierarchical) perspective of associative and spatial structures<br />
- hence supporting the exploring of perspectives on information.<br />
5.1.4 Issue-based structures<br />
Issue-based structures support argumentation and reasoning. McCall et al. (1992) describe<br />
community argumentation support systems in the context of capturing design rationale [145]. The<br />
focus is on a unified community understanding of an information space. Argumentation support<br />
systems designed to support participants in a joint decision process or an argument must support<br />
simultaneous structure and information creation operations. Argumentation spaces consist of<br />
typed entities that represent issues to be discussed, positions with respect to issues, and evidence<br />
that argues for or against a position. Conklin and Begeman (1988) have produced issue-based<br />
hypertext tools during the last two decades [47]. For investigative purposes, issue-based structures<br />
can be used to support the creation of hypotheses and decision-making.<br />
5.1.5 Annotation and meta data structures<br />
Annotation and meta data structures. Finally, two other types of hypertext structuring are<br />
relevant for investigation purposes. Annotation structures can be used to add arbitrary comments<br />
in relation to entities and structural elements in the shared information space (i.e., to make a note<br />
about having to find additional evidence that supports the existence of a weak relation between<br />
two entities). Meta data structures can be used to add meta data to entities and structural<br />
elements in the shared information space (i.e., details about a person such as address, work,<br />
education, terrorist training, etc. or details about a relation such as weight, type, time, place,<br />
etc.). Adding annotation and meta data structures enriches the shared information space, hence<br />
these structures are created as part of synthesis tasks. However, annotation and meta data<br />
structures exist for the purpose of analysis.<br />
5.1.6 Structural computing<br />
The term structural computing was coined to describe the unification of various hypertext structuring<br />
mechanisms [158]. Hence, structural computing is in its own right an approach to knowledge<br />
management, being a generalization of hypertext [157]. Structural computing focuses on separation<br />
of structure and data, making it suitable for construction and management of meta data,<br />
especially in situations where the user does not have write access to data [243]. “Part of this structural<br />
focus is the understanding that all abstractions (data or structure) may stand in relation to<br />
other abstractions” [157] and “different users can manage their own personal structure over the<br />
same set of data” [243].<br />
5.2 Semantic web<br />
The drastic increase of information on the world wide web has made it impossible for humans to<br />
manage. Semantic web technology is a vision about using the full potential of the world wide<br />
web with its many documents which refer to each other. The vision was originally formulated by<br />
the inventor of semantic web, Tim Berners-Lee, in 1994 50 : “The web is a set of nodes and links<br />
(Figure 5.6). To a computer, then, the web is a flat, boring world devoid of meaning (Figure 5.7).<br />
This is a pity, as in fact documents on the web describe real objects and imaginary concepts, and<br />
give particular relationships between them (Figure 5.8). Adding semantics to the web involves two<br />
things: allowing documents which have information in machine-readable forms, and allowing links<br />
to be created with relationship values (Figure 5.9)” [23]. A semantic web would make it possible<br />
to use computers’ processing power to take advantage of this information to a much larger<br />
degree than is possible through human reading and interpretation.<br />
It is widely recognized that automatic interpretation requires a prior systematic structuring of the<br />
information. Basically, a formulation of concepts, terms and relations within a limited knowledge<br />
area is required. This is typically done using an ontology, which describes information classifications,<br />
the properties of each classification, and statements about interrelationships, together with<br />
rules that define these properties and relations [75]. Let us, as an example, use an ontology describing<br />
families. A family consists of persons, men and women, who individually could be either<br />
parent or child, which makes it possible to represent hierarchies of families using this ontology. An<br />
Figure 5.6: The World Wide Web in 1994 as presented by Tim Berners-Lee [23].<br />
Figure 5.7: A flat world, devoid of meaning [23].<br />
Figure 5.8: “A document might describe a person, the title document to a house describes a house and also the ownership relation with a person”, etc. [23].<br />
Figure 5.9: Semantics have been added to web documents [23].<br />
example of a relation rule for a family could be that a hasMum property can only exist between<br />
two persons if the hasParent property exists.<br />
Figure 5.10 presents these concepts and the technology used to realize the semantic part of semantic<br />
web. Each individual layer in Figure 5.10 is dependent on technology in underlying layers. The<br />
red layers represent technology that functions as the basis for the semantic technology: a URI is<br />
a web identification that can point to a specific semantic web resource. XML is an element-based<br />
syntax making it possible to create documents with structured data. Semantic web provides these<br />
structured data with meaning.<br />
The blue layers represent standardized semantic web technology: RDF is a simple language<br />
for description of data models referring to resources (using URI web identifications) and their<br />
relations [75]. An RDF based model could for example be written using XML syntax and consist<br />
of so called triples using the following formatting < subject, property, object >. A simple example<br />
of a web page sentence is shown in Figure 5.11, where the RDF triples for that sentence are explained.<br />
Where RDF adds meta data to documents, RDFS and OWL are used to annotate RDF data<br />
with semantic meta data [75]. Semantic meta data could be object properties such as how objects<br />
are related to each other hierarchically (taxonomies) as shown in Figure 5.12 where t-shirt and<br />
pants are subclasses in relation to the classification clothesType. An ontology, which only contains<br />
subclass-relations is also called a taxonomy. Another type of semantic meta data is data type<br />
properties, e.g., which brand a single piece of clothes belongs to.<br />
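The triple format, the subclass taxonomy and the hasMum/hasParent rule described above, as an added Python example that is not part of the dissertation: it stores < subject, property, object > triples, infers types through rdfs:subClassOf and reports hasMum statements that break the rule. The ex: resource names, the Person class, the poloShirt subclass, the brand property name and all sample data are assumptions constructed for illustration.<br />

```python
"""Added example: RDF-style triples, a subclass taxonomy and an ontology rule."""

# Constructed sample data. hasMum, hasParent, t-shirt, pants and clothesType
# come from the text; every other ex: name is a placeholder.
TRIPLES = {
    ("ex:anna", "rdf:type", "ex:Person"),
    ("ex:bo", "rdf:type", "ex:Person"),
    ("ex:carl", "rdf:type", "ex:Person"),
    ("ex:bo", "ex:hasParent", "ex:anna"),
    ("ex:bo", "ex:hasMum", "ex:anna"),
    ("ex:carl", "ex:hasMum", "ex:anna"),   # breaks the rule: no hasParent
    ("ex:t-shirt", "rdfs:subClassOf", "ex:clothesType"),
    ("ex:pants", "rdfs:subClassOf", "ex:clothesType"),
    ("ex:poloShirt", "rdfs:subClassOf", "ex:t-shirt"),
    ("ex:item42", "rdf:type", "ex:poloShirt"),
    ("ex:item42", "ex:brand", "Acme Wear"),  # data type property (a literal)
}


def match(triples, s=None, p=None, o=None):
    """Return the triples matching a pattern; None acts as a wildcard."""
    return {t for t in triples
            if (s is None or t[0] == s)
            and (p is None or t[1] == p)
            and (o is None or t[2] == o)}


def superclasses(triples, cls):
    """All classes reachable from cls via rdfs:subClassOf (transitive)."""
    seen, stack = set(), [cls]
    while stack:
        current = stack.pop()
        for _, _, parent in match(triples, s=current, p="rdfs:subClassOf"):
            if parent not in seen:   # also stops on accidental subclass cycles
                seen.add(parent)
                stack.append(parent)
    return seen


def types_of(triples, resource):
    """Asserted rdf:type values plus every superclass the taxonomy implies."""
    direct = {o for _, _, o in match(triples, s=resource, p="rdf:type")}
    inferred = set(direct)
    for cls in direct:
        inferred |= superclasses(triples, cls)
    return inferred


def has_mum_violations(triples):
    """hasMum statements that break the rule from the text: both ends must be
    persons and the same pair must also be linked by hasParent."""
    bad = []
    for s, p, o in sorted(match(triples, p="ex:hasMum")):
        both_persons = all("ex:Person" in types_of(triples, r) for r in (s, o))
        if not both_persons or (s, "ex:hasParent", o) not in triples:
            bad.append((s, p, o))
    return bad


if __name__ == "__main__":
    print("item42 is a:", sorted(types_of(TRIPLES, "ex:item42")))
    print("rule violations:", has_mum_violations(TRIPLES))
```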
Even though semantic web projects have shown the advantages of using this technology within<br />
specific information domains, parts of the technology have not yet been realized and standardized.<br />
Figure 5.10: Semantic Web technology architecture - the blue layers are the semantics technology<br />
while the red layers are basic World Wide Web technology.<br />
Figure 5.11: RDF t-shirt example - graph visualization and matching RDF triples.<br />
Figure 5.12: A hierarchical taxonomy with classes and subclasses.<br />
A list of primary security-related layers is left out of Figure 5.10: a vertical encryption layer for<br />
securing and verifying the authenticity of data from the semantic web. This could be achieved by<br />
using suitable digital signatures for RDF statements. Related to this layer are layers for creating<br />
trust in semantic web information. The user interface is the final layer making it possible for<br />
humans to use semantic web applications. [75]<br />
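One way to make RDF statements verifiable as the passage above suggests, as an added Python example that is not part of the dissertation: each statement and the canonical, order-independent form of the whole graph receive an authentication tag, so altered, injected and dropped statements are all detected. HMAC-SHA256 from the standard library stands in for the digital signature (an asymmetric scheme would sign the same canonical bytes); the key, the ex: names and the sample statements are constructed.<br />

```python
"""Added example: authenticating RDF statements over a canonical encoding."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # constructed; a real key comes from a key store

# Constructed statements in < subject, property, object > form.
GRAPH = [
    ("ex:item42", "rdf:type", "ex:t-shirt"),
    ("ex:t-shirt", "rdfs:subClassOf", "ex:clothesType"),
    ("ex:item42", "ex:brand", "Acme Wear"),
]


def encode_statement(triple):
    """Unambiguous bytes for one statement. JSON escaping keeps a space or
    newline inside a term from blurring the boundary between terms."""
    return json.dumps(list(triple), ensure_ascii=True,
                      separators=(",", ":")).encode("ascii")


def canonical_bytes(triples):
    """Order- and duplicate-independent serialization of a set of statements.
    Assumes every resource is named (no blank nodes that need relabelling)."""
    return b"\n".join(sorted({encode_statement(t) for t in triples}))


def tag_statement(key, triple):
    """Tag for a single statement; the prefix separates it from graph tags."""
    msg = b"stmt\x00" + encode_statement(triple)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def tag_graph(key, triples):
    """Tag over the whole graph, which also covers the absence of statements."""
    msg = b"graph\x00" + canonical_bytes(triples)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unverified_statements(key, triples, tags):
    """Statements whose tag is missing or wrong (altered or injected)."""
    return [t for t in triples
            if not hmac.compare_digest(tag_statement(key, t), tags.get(t, ""))]


def verify_graph(key, triples, graph_tag):
    """True only if exactly the tagged set of statements is present."""
    return hmac.compare_digest(tag_graph(key, triples), graph_tag)


if __name__ == "__main__":
    tags = {t: tag_statement(KEY, t) for t in GRAPH}
    graph_tag = tag_graph(KEY, GRAPH)
    dropped = GRAPH[:2]   # the brand statement has been removed
    # Per-statement tags alone cannot see a deletion; the graph tag can.
    print("per-statement failures:", unverified_statements(KEY, dropped, tags))
    print("graph tag still valid:", verify_graph(KEY, dropped, graph_tag))
```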
5.3 Information science<br />
As a consequence of the central role that information has in criminal network investigation, information<br />
science has provided many important ideas and answers. Information science is considered<br />
an unclassified discipline, albeit a discipline with a central theme [187]: “It is evident, perhaps<br />
self-evident, to note that all of the variant definitions and explanations of the information science<br />
discipline have centered on the idea of information”. Hjørland and Albrechtsen (1995) talk about<br />
the importance of focusing on information objects: “the path to understanding how information<br />
should be organized is to analyze the nature of common information objects themselves” [91].<br />
Hjørland and Albrechtsen (1995) are particularly concerned with a theoretical background from<br />
which to make priorities between all possible information connections and relations [91]. The<br />
domain-approach to information science is argued to be able to provide such a theoretical framework.<br />
Putting this in a system context, “it is probably useful to specify some conceptual relationships<br />
to provide the system with at least a rudimentary domain knowledge facility prior to<br />
any interaction with users” [91]. Hjørland and Albrechtsen (1995) also present a user-centered<br />
paradigm in information science: “By a user-centered paradigm, we refer to information access<br />
driven not by the structure of the database in the system, but rather by views of the databases<br />
needed to satisfy an information need as perceived by the user. Thus, the user defines dynamically<br />
the type, amount, and structure of the data required to satisfy an information need. This implies<br />
not just the user definition of the view, but the user selection of the model in which the view is<br />
framed.” [91]<br />
Some positive synergies exist between the information science discipline and hypertext (described<br />
in Section 5.1). Hjørland and Albrechtsen (1995) argue that “hypertext is a fascinating research<br />
area and a promising technology. It is however only a technology, and as such cannot substitute<br />
for a theoretical approach such as domain analysis. But a theoretical approach can illuminate a<br />
technology and its possibilities” [91]. They follow up by stating that “hypertext is a technology,<br />
which is fertile soil for remedies to classical problems in information science” [91].<br />
5.4 Human cognition and problem solving<br />
We found in Chapter 3, that a linear problem-solving approach obscures the real, underlying<br />
cognitive process of criminal network investigation: the mind does not work linearly - it jumps<br />
around to different parts of the problem in the process of reaching a solution [40, 239] (Figure<br />
5.13 left). When a computer solves a problem it is typically done based on a series of pre-defined<br />
steps (Figure 5.13 right), taking a linear approach to problem solving [130]. But what if software<br />
systems supported criminal network investigation in a way consistent with the internal cognitive<br />
map of the investigators?: “The ability to present and interpret spatial data in a method that is<br />
consistent with the internal cognitive map of the user would lead to systems that are more flexible<br />
and will provide greater functionality in terms of cognitive spatial tasks” [89]. Bush (1945) [33]<br />
reasoned that since people use associations to store and retrieve information in and from their own<br />
minds, a machine-supported mechanism that provided this ability would be useful for organizing<br />
information stored in external memory. This amounts to augmenting human intellect, i.e. increasing the capability<br />
of man to approach a complex problem situation, to gain comprehension to suit particular needs,<br />
and to derive solutions to problems [62].<br />
Humans are in control of software tools and they are to be the ultimate decision-making body (and<br />
thereby be responsible for the majority of the ethical impact). Therefore, we review research on<br />
human cognition, with a particular focus on creativity, to understand its influence on the success<br />
and failure of criminal network investigation. We will attempt to learn what role creativity,<br />
and hence human cognition, plays for individual criminal network investigation processes (i.e.,<br />
information collection, processing, and analysis). “Creativity is a general capacity of our brain,<br />
which we all possess, and which we use every day” [210].<br />
The goal of this section is ultimately to find out whether or not we can define the cognitive<br />
“characteristics” of criminal network investigation tasks. A map of such characteristics would<br />
serve as important arguments for the challenges related to human factors during criminal network<br />
investigation. Human factors is one of three challenges we have chosen to focus our research on,<br />
as described in Section 1.2.<br />
5.4.1 Two types of creativity<br />
In an interview with leading cognition researchers, De Dreu and Nijstad, their hypothesis about<br />
two basic types of creativity is outlined (translated from Danish): “one is to be flexible and freely<br />
Figure 5.13: Human and computer approaches to problem solving.<br />
associating - the traditional understanding of creativity, and what might be called the artistic<br />
approach. The other type of creativity is to be persistent and focused – a more rational and<br />
conscious creativity, which we maybe could call the engineering approach” [210]. “The two ways of<br />
being creative do not exclude each other, Bernard Nijstad explains in the interview, and continues:<br />
the majority of us switch between the methods based on needs and switch back and forth several<br />
times during a task” [210]. We call the rational and conscious approach to creativity problem<br />
solving because it exists in a less free domain, where goals and means are defined beforehand [210].<br />
Human working memory and long term memory are described by De Dreu and Nijstad:<br />
The working memory was initially described as our ability to remember seven different<br />
things, such as names or numbers. Today, we have a more complex picture of<br />
working memory as a sort of central arena, where you put the things that are part of<br />
your conscious thinking - it still only has room for a rather limited number of elements,<br />
normally five to nine. But the elements should rather be seen as a sort of focus points<br />
into your collective pool of knowledge and associations. Think about a super advanced<br />
3D version of Wikipedia (see Figure 5.14), where all words and images have dozens of<br />
associations to other places. A memory element is a piece of this spider web, that you<br />
have lifted up to look at. [210]<br />
5.4.2 Besheer and Pellegrino - a case in point of rational and free association<br />
creativity<br />
FBI case officer Frank Pellegrino, hunting Khalid Sheikh Mohammed, and Matthew Besheer [146]<br />
serve as an example of the two types of creativity described above, taken from the domain of criminal network<br />
investigation. Their background is outlined in Section 3.5.2. Pellegrino is the personification<br />
of the artistic, creative, and free-association type described in [210]. Michel Besheer (see below)<br />
makes the following observations about him: “Pellegrino was the real deal [. . . ]. Everybody wore<br />
by and large what might as well have been FBI issued dark suits. Their desks were perpetually<br />
clean. Pellegrino’s was a mess. By outward appearances so was he. His hair was long, at least<br />
by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ]. He was always busy,<br />
always late, always in a hurry” [146]. When Pellegrino asks Besheer if he wants to join in the hunt<br />
for an international target to the Philippines and Malaysia, he offers the following arguments: “If<br />
this guy is going, [. . . ] I’ll be happy to go with him. Maybe even protect him; free him up to do<br />
his free-association analytical work” [146].<br />
Figure 5.14: When a person thinks about something the memory element (green cube) related to<br />
that is brought from the long term memory (left) into the working memory (right).<br />
Michael Besheer is the focused, rational, and conscious creative type. Detective Besheer had<br />
written a report about the security at the World Trade Center in 1992, stating that the Trade<br />
Center garage was vulnerable to truck bombs. Nobody listened to that report, but when the<br />
attack happened in 1993, his expertise was suddenly needed: “Even with high security clearance,<br />
he ended up digging through stacks of parking tickets, any record that somebody wanted chased.<br />
It was pure grunt work. He did it all tirelessly and without complaint”. His approach to collecting<br />
evidence was always the same, no matter the size of the task, in this case a crashed plane: “Parts<br />
of the plane had to be disassembled, examined, tagged as evidence and shipped to New York to<br />
be used as exhibits in a trial. His attention to detail was perfectly suited for the task” [146].<br />
5.4.3 Representational structures for human cognition<br />
Given our focus on hypertext structure domains, we are interested in learning what structures<br />
are better suited for representation of human cognition: “a tree structure is one realization for a<br />
hierarchical structure for the representation of space. It is easily constructed and understood, but<br />
it is also a rigid structure that does not allow for overlap. Ordered trees provide an extension that<br />
allows for some degree of overlap, whereas a semi-lattice is an even richer structure that appears<br />
to be consistent with many aspects of cognitive space [9]” [89]. We discussed the semi-lattice in<br />
Section 3.2.<br />
Hypertext research found that premature decisions about structure were inhibiting human information<br />
organization capabilities (see review of NoteCards [73], Section 5.1.1). New approaches that<br />
avoid this early commitment to structure were therefore researched, developed, and formalized.<br />
Researchers on creativity have written about how the personal need for structure can have both<br />
a negative and a positive impact on creativity depending on that person’s level of personal fear of<br />
invalidity [239].<br />
5.5 The creative process<br />
When researching the human factor aspects of agile software development planning in our master<br />
thesis [165], we reviewed the creative process. And given the relevance for criminal network<br />
investigation, we bring that review here, almost in its entirety. Warr and O’Neil (2005) and<br />
Gabora (2002) discuss what creativity is, how the mind actually conceives creative ideas, why<br />
real groups ought to produce more creative ideas than nominal groups and finally the articles<br />
review the phases of some existing creative process models [74, 239]. Moore (1997) presents nine<br />
possible phases in the life cycle of creative endeavors and uses the geometric shape of an irregular<br />
enneagram 51 surrounded by a circle to visualize this [149]. This model is appealing since it allows<br />
for relevant “jumps” between phases which shows support of iterative and incremental behavior.<br />
Another interesting fact is that the work is based on experiences from the computer software<br />
industry, e.g. participation in “countless innovative projects” [149].<br />
The discussion of what being creative really means is interesting, but we keep our focus on the<br />
phases that the creative process includes and how groups compared to individuals may affect<br />
the level of creativity (Figure 5.15). The ‘Product’ in Figure 5.15 is considered to be the ideas<br />
generated during the ‘Creative Process’ [239].<br />
Figure 5.15: The components of creativity [239] are an individual or a group going through a<br />
creative process to develop a product.<br />
At the end of this chapter we hope to have gained enough knowledge to conclude where creativity<br />
ends and planning starts, what skills (creative, systematic, analytic) are important when planning<br />
or managing and the phases included in these very different processes. We begin the review, by<br />
looking at relevant creative process models.<br />
5.5.1 History of creative process models<br />
We will present a number of creative process models that all apply to the generic stages in Figure<br />
5.16. It should be noted that the models presented are not step-wise linear models, “but rather<br />
models which show various phases of the intertwined and iterative nature of creativity” [239]<br />
(Figure 5.16).<br />
Figure 5.16: Generic creative process model [239].<br />
One of the first models was given by Wallas [74, 239] in 1926. Wallas describes creativity as<br />
involving four phases: preparation, incubation, illumination and verification. In the preparation<br />
phase “the creator becomes obsessed with the problem, collects relevant data and traditional<br />
approaches to it, and perhaps attempts, unsuccessfully, to solve it” [74]. During incubation the<br />
creator unconsciously continues to work on the problem without actively attempting to solve it. In<br />
the illumination phase “a possible [solution] surfaces to consciousness in a vague and unpolished<br />
form” [74], i.e. a creative insight has occurred. Finally verification of the idea is performed by<br />
proof and communication to others.<br />
Later models by Osborn (1963), Amabile (1983), and Shneiderman (2000) all “moved away from<br />
proposing unconscious stages of incubation and illumination, toward a more conscious process<br />
of deliberately coming up with ideas” [239]. Table 5.1 summarizes the phases included in their<br />
individual models.<br />
Table 5.1: Generic creative process model as described by Warr and O’Neil (2005) [239].<br />
Summary and discussion<br />
All the creative process models presented in Table 5.1 have an analytical phase of preparation,<br />
where relevant information is collected to understand the problem and its domain. Then there<br />
is “the more specifically creative phase” where ideas are generated based on the gathered and<br />
reviewed information. Finally all the models have an idea evaluation phase, where it is evaluated<br />
if the goal of producing truly creative ideas is achieved.<br />
We believe that the generic problem preparation phase (analysis of problem in Table 5.1) would<br />
be difficult to support by a computer system, since it is a head-on approach where traditional<br />
solutions are applied and not much time is spent on creative thinking. The idea generation phase<br />
however has a brainstorming feel to it which is very interesting because it seems to map into<br />
initial phases of a criminal network investigation process, just as it does the planning process.<br />
Idea evaluation using for example communication to or response from others would benefit from<br />
an electronic version of the generated ideas, because they could easily be altered, deleted and<br />
moved around. And it would be easy to distribute the ideas to people at other locations.<br />
5.5.2 Are more heads better than one?<br />
When going through the creative process, what is better: real or nominal groups? 52 The question is<br />
essential to our work because we believe that using a real group for criminal network investigation<br />
will increase that group’s effectiveness. Theoretical proof exists that a real group produces more<br />
creative ideas than a nominal group [239] and by intuition this should also be true in practical<br />
situations. However, research comparing the production of novel ideas in real groups with that in<br />
nominal groups shows that the real groups actually produce fewer ideas. According to [239] this is<br />
mainly due to a number of social influences on creativity:<br />
Production blocking. Production blocking has the highest negative effect when ideas are expressed<br />
verbally within a group. Only one person can speak at a time and hence communicate<br />
his/her ideas. People “may subsequently forget their ideas or suppress them because they<br />
may feel their ideas less relevant as time passes”. Or they rehearse their ideas internally not<br />
paying attention to other group members. Usually, however, ideas are not only communicated<br />
verbally but also jotted down on notepads, white boards or flip charts. A number of<br />
synchronous interaction techniques have been applied to solve the production blocking problem.<br />
Examples relevant to our work are: writing ideas down on cards and using electronic<br />
brainstorming systems. This also helps reduce the influence of evaluation apprehension discussed<br />
next, because such methods make ideas anonymous by allowing the group members to use<br />
writing as a communication channel.<br />
Evaluation apprehension. “Members of a group may [. . . ] fear criticism from other group<br />
members, preventing them from expressing ideas” [239] and thoughts which results in a<br />
reduced number of ideas produced by the group. This usually happens when someone<br />
believes that another group member has expert knowledge within the domain and then<br />
expects some sort of negative evaluation from that person (This is the primary reason for<br />
separating Idea Evaluation from Idea Generation in Table 5.1). To overcome the negative<br />
effects it has been suggested [239]:<br />
[. . . ] that anonymous means of expressing ideas remove an individual’s identification<br />
with an idea and therefore help encourage people to express their ideas as<br />
the fear of criticism is removed. This anonymous communication has been a key<br />
feature of electronic brainstorming systems.<br />
Free riding. “Free riding [. . . ] is the result of group members becoming lazy, relying on other<br />
members in the group and not contributing as many ideas as they could”. This usually<br />
happens when contributors to some work are evaluated as a group, compared to when their<br />
individual performance is evaluated.<br />
Two solutions that could reduce the effect of free riding are: highlighting identifiability in<br />
groups and increasing the accountability for individual performance. However, a balance has<br />
to be kept between evaluation apprehension and free riding, e.g. exposing everybody’s<br />
work in the weekly company newsletter to avoid free riding will most likely make people<br />
more apprehensive about evaluation.<br />
5.5.3 The life cycle of creative endeavors<br />
Figure 5.17 presents a simplified version of the life cycle of creative endeavors as it is depicted<br />
in [149]. We have removed the indication of the two mental forces reason and intuition, and their<br />
role (active, responsive or passive) in each phase. The arrows indicate subtle relationships between<br />
phases: Some arrows function as feedback paths, some skip one or more phases and some remind<br />
us to reflect on the purpose of a phase other than the one we are currently in 53 . In the following<br />
tour of the enneagram we are looking for phases that are part of the creative process, the planning<br />
process or phases that usually are related to management of information.<br />
9: Encountering events. The solid arrows indicate what typically happens when some sort of<br />
event is encountered: “notice is taken of the event (9), a competent response is chosen (3),<br />
and that response is carried out (6)”. An example could be that somebody realizes they need<br />
milk, they decide to go to the grocery store and then they go get the milk. But sometimes<br />
a response doesn’t emerge right away and instead the event sparks an idea 54 . And that is<br />
when the complete tour around the life cycle of creative endeavors begins. Analysis: This<br />
phase is obviously part of what we defined as the ‘Creative Process’ in the introduction. In<br />
terms of software development the initiating event could be the investigation leader passing<br />
a task to an investigator. At this point nothing tangible (to others) has been produced; only<br />
the urge of the creator to pursue the idea exists.<br />
1: Formulating a goal. Formulating a goal is about transforming an idea into a description<br />
of future reality, a description that is appropriately abstract. The arrow pointing to the<br />
problems associated with the idea reminds us we can think of those problems in order to<br />
refine the imagined scenario. Analysis: It can be hard to define how abstract appropriately<br />
abstract actually is, but we believe it means that no specific details should be added, because<br />
it might prevent certain ways of obtaining the goal at this point. This is a creative phase<br />
where you start jotting down problems and imagine a scenario that could fulfill your idea.<br />
The scenario spans a conceptual “space of potential future outcomes” in our mind.<br />
2: Exploring options. This phase deals with exploring the conceptual space defined by the<br />
formulated goal in search of the optimal objective. It is important that all of the space<br />
is visited in order to be sure that the most promising options are not missed. One way<br />
of boosting this exploration could be to “arrange for a group of people to join in a formal<br />
brainstorming process” [149]. Other suggested techniques are simulation and prototyping<br />
because they envision the future in a systematic way which can be illuminating. Analysis:<br />
We consider this phase both creative and analytical. Creative because we are requested<br />
to come up with ideas for unexplored conceptual space. And analytical when investigating<br />
those “discovered” conceptual spaces.<br />
3: Making a choice. At this point one of the objectives defined in earlier phases is selected or it<br />
is simply decided to do nothing and abort the endeavor. Analysis: This decision phase is not<br />
creative but a matter of making a systematic and analytic assessment of how to continue the<br />
endeavor, if any of the explored options seems promising enough. To make such a decision<br />
requires an overview of all possible objectives.<br />
4: Identifying the problems to be solved. Obstacles and problems are systematically visualized<br />
in this phase when imagining how the endeavor will unfold in the selected environment.<br />
It is important in this phase not to be tempted to start planning just yet. Premature planning<br />
might result in major problems being undiscovered. Related to this [149] suggests that<br />
all aspects of the creative endeavor (funding, staff, machinery etc.) should be considered<br />
in this phase. Analysis: We note that this is the first phase that suggests writing things<br />
on paper: “[...] list the classes of problems in a circle around the center. [...] list subproblems<br />
adjacent to each major category, and thus systematically generate a map of the<br />
difficulties” [149]. The identification of problems is a creative process, not an analytical one.<br />
The point that all aspects should be considered in this phase before continuing doesn’t seem<br />
very agile (target-centric) since too much thinking could actually delay or stop the endeavor.<br />
A solution to this could be setting a time limit for the phase, or using the arrow back to the<br />
exploring options phase creating an iterative cycle.<br />
5: Making a plan to deal with the problems. Now it is time to take all the identified problems<br />
and make a plan that will help achieve the objective. The purpose of the plan is to<br />
realize the formulated goal (the arrow); it is not enough just to create a plan that solves all<br />
goals. A way to achieve this is planning according to the customer needs by creating a feedback<br />
channel facilitating this. Strong analytical skills are needed to transform the thinking<br />
about a project (earlier phases) “into a plan of action to accomplish the objective”. If the<br />
plan is not complete, accurate and orderly it might result in “delays, confusion, extra costs,<br />
duplicate work and an unsatisfactory result” [149]. Analysis: The focus on the need of a<br />
perfect plan to avoid defects goes against our studies of agile literature, which highlights the<br />
need to acknowledge human error and change in our cognitive understanding of the problem<br />
domain and hence the appearance of new problems to be solved. The phase is obviously a<br />
planning phase and creativity has done its main part. Too much creativity when combining<br />
the defined units of work into releases and iterations would result in unrealistic plans.<br />
6: Doing the work. After the plan is finished it is time to do the work. All earlier phases have<br />
been aimed at setting things up so that work can proceed. Analysis: We consider this phase<br />
to be analysis and all the activities this includes.<br />
7: Reorienting one’s perspective / realizing the goal. The first product is finished, which is<br />
something that needs to be acknowledged and a response to this new situation is necessary.<br />
The arrow back to ‘Formulating a goal’ is a sort of reflection arrow: Did things turn out<br />
as expected? What can be said about the goal set up in the first place? Etc. Analysis:<br />
Creativity plays a part in this phase, when trying to imagine how to maximize the outcome<br />
of the newly released product. Reflecting on how the result compares to the initial<br />
formulation of the goal is considered to be an important learning process for future products.<br />
8: Using the result. Launching the product as imagined in phase 7 when the goal was realized.<br />
It “is the most spontaneous and unpredictable phase of the endeavor, and for the right<br />
people, the most exciting.” [149]. It is also the phase where it is possible to reflect on all<br />
the phases leading to the launched product, by looking at the plan as indicated by the<br />
arrow. After a while the new product is merged into the general understanding of status<br />
quo and new events are encountered because of this, i.e. the cycle is complete. Analysis:<br />
The reflective learning nature of this phase is interesting.<br />
Summary<br />
Figure 5.17: The life cycle of creative endeavors showing steps 9 to 8 [149].<br />
The phases of the lifecycle of creative endeavors are summarized in [149]:<br />
Out of routine life arises desire for change. A raw idea is refined into a goal, which<br />
is further refined into a concrete objective. A decision is then made, the consequent<br />
implementation problems identified, and a plan made which takes them into account.<br />
The work is then carried out, bringing the innovator (or team) to the realization of the<br />
goal. The result is then exploited, and eventually becomes part of the everyday routine.<br />
In Table 5.2 we consider if each phase applies to the creative process discussed in this section:<br />
(Y)es or (N)o. It is also indicated whether each phase is considered supportable by<br />
a software tool. The reasoning behind these indications is given in the analysis of each phase of<br />
the life cycle of creative endeavors above, and summarized in the table below.<br />
Phase | The Creative Process | Supportable<br />
9: Encountering events | Y | N<br />
1: Formulating a goal | Y | N<br />
2: Exploring options | Y | Y<br />
3: Making a choice | Y | N<br />
4: Identifying the problems to be solved | Y | Y<br />
5: Making a plan to deal with the problems | N | Y<br />
6: Doing the work | N | Y<br />
7: Reorienting one’s perspective / Realizing the goal | Y | N<br />
8: Using the result | N | N<br />
Table 5.2: Phases vs. the creative process<br />
We find that ‘encountering events’, ‘formulating a goal’, and ‘exploring options’ are part of the<br />
generic problem preparation phase in creative process models. ‘Identifying the problems to be<br />
solved’ is similar to the generic idea generation phase, and ‘making a choice’ and ‘reorienting one’s<br />
perspective’ are part of the generic idea evaluation phase.<br />
The suggested tools for ‘exploring options’, like a team brainstorming process, simulation and<br />
prototyping, indicate to us that the phase is supportable by a software tool. ‘Identifying the<br />
problems to be solved’ by listing them in classes around a circle and then putting subproblems<br />
adjacent to each problem is very well suited for computational support, just like the phase ‘making<br />
a plan to deal with the problems’. When ‘reorienting one’s perspective’ it would be convenient to<br />
have an electronic version of the old plan to alter according to the new perspective.<br />
5.5.4 Summary<br />
We have reviewed the creative process by analyzing relevant models (their nature and phases) and<br />
have gained important insight into this, to us, previously unknown domain. Furthermore, we have<br />
looked at some human factors that might influence the outcome of the creative process and finally<br />
we reviewed and analyzed the phases comprised in an entire creative endeavor.<br />
5.6 Simple tools for criminal network investigation<br />
We reviewed a range of tools supporting criminal network investigation processes in Chapter 4. And<br />
when studying criminal network investigation cases, we often found that simple tools, such as large<br />
pieces of paper on the wall (Daniel Pearl, Section 3.5.1) or a pin board, with wheels, in the team<br />
common room (organized drug organization, Section 3.5.3), are central to the kind of criminal<br />
network investigation approach we aim to support. This preferred way of working and the simple<br />
tools used are very similar to those promoted by agile software development methodologies.<br />
Criminal network investigation can benefit from agile modeling and we therefore bring excerpts of<br />
an agile modeling review as well as a look into the agile modeling toolbox, as described in our master<br />
thesis [165]. For our master thesis project, we developed tool support for a specific agile planning<br />
method (blitz planning), intended to run on a large interactive surface in a so-called creative room,<br />
much like the “war room” setups that criminal network investigation teams work in (see Figure<br />
5.18).<br />
5.6.1 Agile modeling and simple tools<br />
Ambler (2002) addresses the fundamental question of how to model in an effective and agile<br />
manner in his book on agile modeling (AM) [11]. Ambler (2002) suggests tailoring AM with a<br />
base process like eXtreme Programming [165] (often referred to as XP) or Crystal Clear [42],<br />
or “alternatively, you may decide to pick the best features from a collection of existing software<br />
processes, to form your own process” [11] (see Figure 5.19). This alternative matched well with<br />
our purpose of building a creativity enhancing tool that could form software processes as well as<br />
the many different approaches to criminal network investigation.<br />
Figure 5.18: A sketch of the creative room we designed for agile planning sessions during our<br />
master thesis. [165]<br />
Figure 5.19: AM enhances other software processes [11], and criminal network investigation processes<br />
could also benefit.<br />
AM is not prescriptive but a collection of practices, “guided by principles and values, for software<br />
professionals to apply on a day-to-day basis” [11]. The following points describing the scope of AM<br />
are important to us: “AM is not an attack on documentation”, “AM is not an attack on CASE 55<br />
tools” and “AM is a way to work together effectively to meet the needs of project stakeholders”<br />
(which is also what the collaborative Blitz Planning 56 session is all about).<br />
We were also interested in AM’s views on tools for modeling and agile work areas (e.g., criminal<br />
network investigation work areas, or war rooms, as they are often called). These views would<br />
support the decisions made when developing the Blitz Planning prototype and creating the vision<br />
for the Creative Room. These are reviewed next. One of AM’s core practices dictates using the<br />
simplest tools. AM distinguishes between two types of modeling tools; simple tools and CASE<br />
tools where simple tools are “manual items you use to model systems” [11]. These simple tools<br />
can however also be supported with different technology which will be explained later. CASE<br />
tools (defined as “software packages”) can also be applied since the AM core practice on tools is:<br />
“use the simplest tools” and not “use simple tools”.<br />
Agile modeling with simple tools<br />
Ambler (2002) lists a number of simple tool advantages [11]. We find that the following advantages<br />
are relevant to apply, and comment on the direct relation whenever it is found necessary. Simple<br />
tools are inclusive (we decided that our software version of Blitz Planning would have to be as<br />
similar as possible compared to the paper card version of Blitz Planning), provide tactile feedback,<br />
are flexible, are non-threatening to users, are quick to use, can be used in combination with complex<br />
ones and promote iterative and incremental development.<br />
As mentioned earlier, simple AM tools can be supported with technology. One important point<br />
here is that electronic white boards are mentioned. We limit ourselves to presenting some relevant<br />
examples here. The examples are mainly taken from [41] which presents “a survey of agile<br />
teams for tools they say help produce better software quicker”. The survey is conducted by Cockburn<br />
(2004), “an internationally respected expert on object-oriented design, software development<br />
methodologies, use cases, and project management” [41].<br />
Cockburn categorizes simple tools by purpose (hiring, collaboration, communication and management)<br />
and form (environmental, social, physical devices, process and thinking). We select tools<br />
that are relevant to our work and comment when necessary. In the next section we list simple,<br />
but computerized, tools such as WIKIs and Spreadsheets.<br />
Purpose: Communication. Active communication using shared workspace technology to look<br />
at the same screen. Passive communication using information radiators, e.g. a flat monitor<br />
hung over the cubicle wall, a real traffic light in the development area or the build status<br />
maintained on a Web page expressing minute-to-minute changes. Management. Cockburn<br />
notes that project management tools like VersionOne and XPlanner (see Cockburn (2004)<br />
[41]) don’t report status with respect to planning.<br />
Form: Environmental. Again lots of wall space for posting information radiators and convex<br />
or straight desks so people can cluster around the monitor. Social. Collocated teams for<br />
fast communication, personal interaction, retrospectives and reflection activities, pair programming<br />
and posting information radiators in unusual places to attract communication<br />
(e.g., in the bathroom). Physical. Index cards and Post-it notes, butcher lining walls and<br />
halls, white boards (standard or movable, printing, recording, or with a camera) and poster<br />
sheets (plain paper, 3M sticky, or plastic cling sheets e.g. LegaMaster Magic-Charts). We<br />
note the wall-to-wall writable and movable surface concept for expressing ideas. Process.<br />
Project planning jam session (XP’s planning game [125], Crystal Clear’s blitz planning [42],<br />
or Scrum’s sprint planning [125]), reflection or retrospective workshops, pair programming<br />
sessions, refactoring, growing the system functional bit by bit, time boxing, spike prototyping<br />
57 and frequent delivery.<br />
Agile modeling with simple, yet computerized, tools<br />
As agile development moved into distributed development, people started to find and invent online<br />
collaboration tools [41]: “WikiWiki and thread-based discussion group technologies, instant<br />
messaging technologies with group and recording variants, and distributed brainstorming technologies”,<br />
e.g. CardMeeting (see www.cardmeeting.com and [165]). The Wiki Web technology<br />
discussed next was created by Ward Cunningham, one of the XP founders [125].<br />
Our own experiences with project Wikis are few, but they have proved useful during previous<br />
master courses, where it was used for fast accumulation of knowledge on the project subject.<br />
Larman elaborates further on the concept in [125]: “Like blogs, Wiki Webs (or Wikis) allow people<br />
to edit Web pages using only their browser, but they go farther: they allow one to easily create<br />
new pages. and hyperlinks between Wiki pages, using only a browser and special WikiWords.<br />
Of course, these capabilities are available with myriad tools, but Wikis make the tasks especially<br />
simple and fast. Thus, Wikis are a popular tool on agile projects to capture project information,<br />
and as a simple knowledge management tool”.<br />
The need for, and how to make, agile planning software has been discussed by many [11, 44]. On<br />
his website www.xprogramming.com Ron Jeffries comments on planning software claiming that:<br />
“There’s something very right about a team working together with whiteboard[s], cards, things<br />
posted on the wall. Everyone can be engaged, involved, equal”. We note that the important<br />
point is not that physical items (or tools, as described in section 4.3.3) are at play, but more what<br />
these items make the users feel and do. This is highly related to the social approach to software<br />
development and management described in Peopleware [54] by DeMarco and Lister: “The major<br />
problems of our work are not so much technological as sociological in nature”.<br />
Ron Jeffries claims that making the switch to software results in “someone own[ing] the keyboard,<br />
and everyone else [being] an observer”. We interpret this as being a problem of cramping the<br />
whole team together in front of a single work station. A solution could be to move everybody in<br />
front of a larger medium with which everybody can interact. Cohn (2004) [44] discusses the main<br />
advantages of paper over software and lists: “Their low tech nature is a constant reminder that<br />
stories are imprecise”, “The typical note card can hold a limited amount of writing. This gives it<br />
a natural upper limit on the amount of text.” and “note cards [. . . ] are very easy to sort and can<br />
be sorted in a variety of ways. A collection of stories can be sorted into high, medium and low<br />
priority piles”. We consider all the findings in this section so far to be requirements for any agile<br />
piece of planning software.<br />
Agile work areas<br />
AM recognizes that “the physical environment in which you work has a significant impact on how<br />
effective you are as an agile modeler”. It states a number of factors that are considered critical<br />
when creating an effective work area, like the creative room scenario envisioned in our master<br />
thesis [165] (see Figure 5.18):<br />
Dedicated space is important if the project teams are to be most effective. The team should<br />
not have to “find an available meeting room to get some modeling done”. And the team<br />
should not have to worry about other people erasing the white board sketches and other<br />
notes.<br />
Significant white board space. The working area can never have too much white board space:<br />
“My preference is white boards floor to ceiling, wherever empty wall exists” [11].<br />
A computer in the modeling area can be an advantage, if the team wants to research something<br />
on the Internet or “access previous models that have been placed under version control”.<br />
This relates to the wanted prototype feature: project methodology history database. If a<br />
computer is placed in the modeling area, we have to make sure it is not counterproductive<br />
for the team as a whole, e.g. complicated software can introduce a barrier to communication.<br />
Wall space to attach paper. Space for attaching information on paper is also important: “It’s<br />
good to have some non-white board wall space” [11].<br />
To make the concept of a creative modeling area work, it is important that private areas are also<br />
provided to team members. Everybody needs private time during the day.<br />
5.7 Case-studies of individuals in criminal networks<br />
Case-studies of individuals in criminal networks are important for criminal network investigation,<br />
and therefore for the development of assisting software, for a number of reasons. First of<br />
all, we have observed that in many of the criminal network investigations we have reviewed and<br />
studied, a single individual has made plans and carried them out on his own, or an individual<br />
has been the main driver of a network subgroup toward a crime (i.e., the entrepreneur<br />
in Nesser’s (2006) model of jihadist terrorist cells in the UK and Europe [154]). Having<br />
established the relevance of studying a single individual in a criminal network (as well as the life of<br />
the person prior to joining that particular network), what should such a study focus on? We list<br />
our first priority choices here:<br />
“Open source world” associations: The individual’s links (associations) to the “open<br />
source world”, particularly prior to and during a crime. By “open source world” we mean<br />
associations that could have been picked up on through open source intelligence channels.<br />
Knowledge about these associations is required, in order to analyze how that particular<br />
individual could have been found prior to the crime. Again, such associations would have to<br />
be abstracted as much as possible, in order to be found applicable to future cases. Examples<br />
of a person’s associations with the “open source world” are very different in nature, but for<br />
the sake of argument we list a subset of those here: recurring locations, other individuals,<br />
money transfers, phone calls, emails, etc.<br />
Meta data: Case-studies of individuals will reveal patterns in the attributes (meta data) that<br />
are available about criminals, as well as differences in meta data. This is important in<br />
terms of establishing what attributes are typically static and which are typically dynamic.<br />
We divide attributes into biographical (year of birth, marital status, children, parents) and<br />
characteristics (employment, education, skills, etc.).<br />
The individuals we discuss below have already been subject to a lot of research, and we therefore<br />
discuss the potential of looking at these individuals once more, taking an even more structural (or<br />
network) approach. Khalid Sheikh Mohammed is mentioned throughout this dissertation, but is<br />
not covered in this section. Omar Saeed Sheikh, the mastermind of the Daniel Pearl kidnapping,<br />
is reviewed in Section 5.7.1. David Headley, who was in Copenhagen to scout the locations of<br />
future Mohammed caricature attacks, is reviewed in Section 5.7.2.<br />
5.7.1 Omar Saeed Sheikh<br />
Our knowledge about Omar Saeed Sheikh is mainly based on the case study of the kidnapping<br />
plot against Wall Street Journal reporter Daniel Pearl [128,162] (see Section 3.5.1). But Sageman<br />
(2008) [189] and Levy (2003) [128] also contain lengthier biographies (profiles) which have inspired<br />
this case study.<br />
Omar Saeed Sheikh was born in London on December 23, 1973. Omar, as he was called, grew<br />
up in an upper-middle-class environment and attended expensive elite private schools. He did well<br />
in school and gained acceptance at the London School of Economics and began his studies there<br />
in October 1992. Every version of Omar’s life agrees that his commitment to Islam deepened<br />
dramatically at the London School of Economics, where he immediately joined the school Islamic<br />
society. He became involved in the situation for Bosnian Muslims at the end of 1992 and his<br />
involvement became more and more serious during the following months. In April 1993 he accompanied<br />
a convoy taking relief material to Bosnia, which also provided clandestine support for<br />
Muslim fighters there. And it was on that trip he had first contact with the jihadist infrastructure,<br />
after which a number of trips to Pakistani and Afghan training camps ensued. In June 1994, some<br />
leaders of Harakut-ul Mujahedin 58 (HUM) had been captured in India and Omar was asked to<br />
help free them. He accepted the mission and arrived in New Delhi on July 26, 1994, where he<br />
gained his first experiences in kidnapping westerners. But the mission in New Delhi failed and<br />
Omar was taken prisoner. [189]<br />
What is interesting about Omar is not so much his life story as a whole (interesting as it may<br />
be), but his historical track record as a terrorist. Much like Khalid Sheikh Mohammed (see his<br />
case in Section 3.5.2), but at a much smaller scale and less successful, he was the entrepreneur<br />
and mastermind in the 1994 kidnappings of tourists in India and the 2002 kidnapping of Daniel<br />
Pearl. It would be interesting to look at the individuals involved in the failed 1994 kidnappings,<br />
the 1999 hijacking that set Omar free after the 1999 failure, the 2002 kidnapping of Daniel Pearl,<br />
and finally how it came to be that, when he was arrested, he had stayed with a retired ISI general<br />
for one week, living near a Pakistani military base. It would be relevant to search for links between<br />
the different attacks and kidnappings, and to ask whether it would be reasonable to say something about how,<br />
if possible, those links could have been discovered during the investigations of the events.<br />
5.7.2 David Coleman Headley<br />
Until his arrest on October 3rd 2009 at Chicago O’Hare International Airport, David Coleman Headley<br />
was the locus of activity in a terrorism plan named the ‘Mickey Mouse Project’ 59 (MMP) by himself<br />
and his alleged accomplices. Although the official US complaints do not contain any information<br />
about why that name was selected [56–58], it may have been meant as a direct reference to the<br />
Muhammad caricature cartoons 60.<br />
Nevertheless, the plans were obscured by cooperation of the FBI and the Danish secret intelligence<br />
service PET, and after 24 days of further investigations and interrogations, the news of the arrest<br />
and the alleged plans was announced to the Danish press by PET manager Jacob Scharf on<br />
October 27th 2009. Jacob Scharf elaborated that the initial target was the Danish newspaper<br />
JyllandsPosten as a whole, while later the target set was focused on cultural editor Flemming<br />
Rose and Prophet caricature cartoonist Kurt Westergaard, resembling assassination plans.<br />
On October 3rd 2009 David Coleman Headley entered Chicago O’Hare International Airport,<br />
unaware that his recent movements and communication had been under surveillance. “Before<br />
boarding a flight to Philadelphia, intending to travel to Pakistan” [181], he was arrested by the FBI<br />
Joint Terrorism Task Force (JTTF) [181]. In his bag they found a front page of JyllandsPosten, a<br />
map of Copenhagen, and a memory stick with video sequences from Kings Square in Copenhagen<br />
where JyllandsPosten’s offices and the main train station were located 61. Headley “was charged<br />
with one count of conspiracy to commit terrorist acts involving murder and maiming outside the<br />
United States and one count of conspiracy to provide material support to that overseas terrorism<br />
conspiracy” [181].<br />
Headley was apparently a functioning citizen back home in Chicago and not a bewildered young net<br />
surfer, complaining about lack of day centers or life content [103]. His neighbors and people from<br />
the Indian-Pakistani community in Chicago found him and his family to be somewhat introverted:<br />
“David Headley kept to himself. I have rarely seen him and his wife”, says an Islamic bookstore<br />
owner in the neighborhood [226]. Daood Saleem Gilani (who changed his name to David Coleman<br />
Headley in 2006 [57]) “was born in 1960 in Washington to a couple” of very different origins: “His<br />
mother, Serrill Headley, was a 19-year-old [. . . ] woman with a memorable laugh and a taste for<br />
adventure”. His father, Syed Saleem Gilani, “had a traditional Islamic view of a woman’s place<br />
in the home”. They both worked at the Pakistani Embassy, but left for Pakistan soon after the<br />
marriage. She left Pakistan in 1968 and returned to Philadelphia, where she attended bartending<br />
school and later bought a pub which she named Khyber Pass. In 1977 she persuaded Daood to<br />
leave his military school in Pakistan and he came to Philadelphia as a teenager. [220]<br />
The military school which Headley and Rana (see below) attended from age 14 (starting 1974) [123]<br />
is located in “the Pakistani town of Hasan Abdal” [181], named Cadet College Hasan Abdal and<br />
considered to be the oldest military boarding school in Pakistan [123]. The cadets are trained to<br />
become religious elite soldiers in the Pakistani army. The daily schedule consisted of prayer to<br />
Allah five times, Koran recitals and outdoor military skills [123].<br />
Online postings in the Yahoo group named “abdalians” 62 “reflect that both Rana and Headley<br />
have participated in the group and referred to their attendance at that school” [181]. On October<br />
29th 2008 Headley made a posting 63 central to the FBI complaints, where he among other things<br />
mentioned his anger toward the Danish caricatures of Muhammad [31, 57].<br />
Tahawwur Hussain Rana usually arranged Headley’s travels, taking the role as organizer and<br />
financier. Headley was an employee of Rana’s company, First World Immigration Services, and<br />
has claimed to travel as part of his employment, however never bringing much evidence in his<br />
luggage [57]. Both Headley and Rana traveled extensively between the United States, Asia and Europe:<br />
On two occasions (January and July 2009) prior to his arrest on October 3rd 2009 Headley was in<br />
Denmark, visiting JyllandsPosten in both Copenhagen and Aarhus. He also met with high-ranking<br />
representatives of fundamentalist Islamist organizations, including Lashkar-e-Taiba, Harkat-ul Jihad<br />
Islami and their leader and front figure Muhammad Ilyas Kashmiri, who supported Headley’s<br />
continued focus on Denmark, when asked by LeT to change their focus to target Indian interests.<br />
Kashmiri is a well-connected man in terms of terrorism contacts: He has worked with the Afghan<br />
Taleban leader Mullah Omar and is one of the leaders in Al-Qaeda’s Brigade 313. Furthermore he<br />
has experience with guerrilla warfare and terrorism from his participation in the Kashmir conflict.<br />
In summary, Headley’s role was primarily that of a minion and planner, traveling the world,<br />
meeting people and gathering information [220], which was then communicated to other parts of<br />
the MMP network.<br />
5.7.3 Summary<br />
While Omar Saeed Sheikh was an example of the entrepreneurial terrorist, the mastermind who<br />
plans and plays minor roles, David Coleman Headley and the Mickey Mouse project were an<br />
example of a new strategy implemented by Al-Qaeda. Terror cells now have their base in a different<br />
country, using their foreign passport, plus a business visa in Headley’s case which he used to avoid<br />
questioning from immigration authorities (e.g., India, Mumbai 2008). After the announcement on<br />
October 27th PET added this threat from “outside” to their threat level assessment [16], since the<br />
general opinion in Denmark previously was that the threat mainly was from persons already in<br />
the country. A new role of planner has also been added to the terrorism cell, separated from<br />
the person who actually carries out the attack. Before the attacks in India, Mumbai 2008, this was<br />
usually the same person.<br />
5.8 Intelligence<br />
The following anecdote from 2009 describes the author’s first encounter with intelligence (prior to<br />
that the focus had been on information):<br />
After a successful opening ceremony for the research lab at city hall only 1 month<br />
into my Ph.D. studies, another student and I were chatting with Jarret Brachman and<br />
Arno Reuser. Little did I know who I was talking to at the time. The opening ceremony<br />
had been attended by local police brass, the mayor, the United States and Pakistan ambassadors,<br />
and so on, and I had decided that paying attention to the titles of individuals<br />
was not important. At one point, Reuser shares some of his experience on open source<br />
intelligence: “Let us say that the Netherlands wanted to deploy ground troops in an<br />
African country. The most valuable actionable intelligence for securing the success of<br />
such an operation would be information about whether or not the crops in the area had<br />
recently been harvested and if it had, is it going to be a full moon on the night of the<br />
operation, and if so, will it be cloudy?”.<br />
The anecdote makes it clear that the nature of actionable intelligence can be many things, and<br />
that simple information such as the weather and local harvest season could be more important<br />
to success than, let’s say, information about the target of Arno Reuser’s operation scenario. Hitz<br />
(2009) presents a somewhat different perspective on intelligence and intelligence gathering today:<br />
When all is said and done, counter-terrorism and counter-proliferation intelligence<br />
gathering follows a new paradigm. It is less about classic espionage than persistent<br />
tracking of terrorists and their potential weapons by good detective work and perceptive<br />
mining of reams of open sources. This is no longer back-alley skulking in a trench coat.<br />
It is down-and-dirty police investigative work, tracing radicals and their bomb-making<br />
materials, and recruiting informants to watch mosques and radical meeting sites.<br />
Since we have discussed the intelligence process and its elements (activities) in Chapter 3 (more<br />
precisely Sections 3.3 and 3.4), we will focus here on intelligence in general, and two different types<br />
of intelligence, open source intelligence and secret intelligence. We will discuss the value of open<br />
source intelligence against secret intelligence, and outline their role in a bigger intelligence picture<br />
(see Section 5.8.2). But first we take a look at the differences and similarities between intelligence<br />
and information (Section 5.8.1).<br />
5.8.1 Intelligence and information<br />
What exactly are the differences between information, which we have primarily talked about until<br />
now, and intelligence, which we discuss in this chapter? Of course intelligence is ultimately information,<br />
and it is our understanding that the difference lies more in the purpose of the two: information<br />
is for synthesis and sense-making, whereas the thing you actually disseminate to your customer<br />
(intelligence customer) is information turned into intelligence. It is something concrete for the<br />
customer to make informed decisions upon, so-called actionable intelligence [40]. In general, intelligence<br />
has a more operational feel to it (as described in the introduction). It is either gathered<br />
in an operational setting, or it is a product of intelligence analysis, an aggregate of what is known,<br />
for decision makers to base operational decisions on: “intelligence is information that has been<br />
collected, processed, analyzed, and presented in order to support a decision that increases security<br />
or profit, or reduces risk or cost. Intelligence is decision-support” [215].<br />
5.8.2 Open source intelligence and secret intelligence<br />
Steele (2009b) defines open source intelligence (osint) as “unclassified information that has been<br />
deliberately discovered, discriminated, distilled and disseminated to a select audience in order to<br />
address a specific question” [215]. Secret intelligence is typically gathered from classified sources<br />
(i.e., satellites or spies), only available to intelligence staffs, whereas open source intelligence is<br />
available to everyone [113, 214]. As shown in Figure 8.1, open source intelligence is found to<br />
produce 80% of the valuable information at 5% of the cost, while secret intelligence only provides<br />
20% of value at 95% of the cost. Steele (2009) quotes the “hard-earned and practical observations”<br />
of General Tony Zinni as the basis for the 80-20 rule of thumb: “80% of what I needed to know as<br />
CINCENT 64 I got from open sources rather than classified reporting. And within the remaining<br />
20%, if I knew what to look for, I found another 16%. At the end of it all, classified intelligence<br />
provided me, at best, with 4% of my command knowledge.”<br />
5.9 Mathematical models (techniques)<br />
Researchers study complex systems within different disciplines such as physics, biology, sociology,<br />
etc., and develop mathematical models to analyze the networks within their particular domain.<br />
However, these models are often generic, and can be applied to analysis of criminal networks. This<br />
type of research is often referred to as computational, i.e., computational physics, computational<br />
biology, and computational social science. And it is also scientists from physics, biology, and social<br />
science that created the foundations for network science (see Newman (2010) for more details and<br />
references). Network-based techniques are widely used in crime investigations, because patterns<br />
of association are actionable and understandable. As mentioned above, this makes network-based<br />
mathematical models applicable to the criminal network domain, e.g. the recent publication of<br />
a technique for locating the source of an epidemic, using relatively little information. The same<br />
method has also been used to locate leaders in terrorist networks, by traversing a network of phone<br />
calls, locating sources [177] 65.<br />
Figure 5.20: Secret Intelligence Misses 80 percent of the Relevant Information [source: OSS.NET].<br />
Specific techniques for terrorist network analysis often take the mentioned centrality measures as<br />
input to their computations. Examples include measures of link importance based on secrecy<br />
and efficiency [245], the prediction of covert network structure [184], missing links [183], and<br />
missing key players [182], and custom-made techniques developed by investigators to target<br />
network-specific analysis tasks, such as the node removal technique described in [169]. In this<br />
section we discuss various mathematical models (techniques) relevant for criminal network investigation.<br />
We look at social network analysis for criminal network investigation in Section 5.9.1<br />
and prediction techniques in Section 11.1.7.<br />
5.9.1 Social network analysis<br />
Many of the well known techniques for criminal network analysis are adopted from sociology: “the<br />
field of sociology has perhaps the longest and best developed tradition of the empirical study of<br />
networks as they occur in the real world, and many of the mathematical and statistical tools that<br />
are used in the study of networks are borrowed, directly or indirectly, from sociologists” [155]. We<br />
review the centrality measures for networks of entities and the semantic web (see Section 5.2 for<br />
more on semantic web technology).<br />
Centrality measures for entities in criminal networks<br />
Techniques from social network analysis and graph theory can be used to identify key entities<br />
in criminal networks [240]. Information about key entities (individuals, places, things, etc.) is<br />
helpful for network destabilization purposes [35], or as input for other criminal network analysis<br />
algorithms. Relevant social network analysis measures include [111, 240]:<br />
Measures of centrality have been developed for different types of networks. Most prominent are<br />
social network analysis techniques (see [111,150,195]) that can measure the centrality of entities in<br />
criminal networks based on their direct and indirect associations to other entities in the network.<br />
But “although the premise that centrality is an indication of importance, influence, or control in a<br />
network may appear valid, it is also contestable, particular in criminal contexts. [. . . ] What does<br />
it mean to be central in a criminal network?” [150]. We argue that centrality is dependent on the<br />
specific criminal network being investigated. It depends on the associations between entities that<br />
investigators deem important, and it depends on the weights of those associations. Furthermore,<br />
the accuracy of centrality measures depends on the investigator’s ability to embed their tacit<br />
knowledge and novel associations into centrality algorithms. We review a selection of techniques<br />
below, which we find to be relevant for criminal network analysis on the above mentioned premises.<br />
Entity degree centrality. An entity is central when it has many links (associations) to<br />
other entities in the network. This kind of centrality is measured by the degree of the entity:<br />
the higher the degree, the more central the entity. Degree centrality can be divided into in-degree<br />
centrality and out-degree centrality, referring to the number of incoming and outgoing<br />
links an entity has. A social network with high degrees of both is a highly cohesive network.<br />
Entity closeness centrality. Closeness centrality indicates that an entity is central when<br />
it has easy access to other entities in the network. This means that the average distance<br />
(calculated as the shortest path) to other entities in the network is small.<br />
Entity betweenness centrality. Usually not all entities are connected to each other in<br />
a network. Therefore, a path from one entity to another may go through one or more<br />
intermediate entities. Betweenness centrality is measured as the frequency of occurrence<br />
of an entity on the geodesic connecting other pairs of entities. A high frequency indicates<br />
a central entity. These entities bridge networks, clusters, and subgroups: “betweenness<br />
centrality fleshes out the intermediaries or the brokers within a network” [150].<br />
Entity eigenvector centrality is like a recursive version of entity degree centrality. An<br />
entity is central to the extent that the entity is connected to other entities that are central. An<br />
entity that is high on eigenvector centrality is connected to many entities that are themselves<br />
connected to many entities.<br />
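The four measures defined above, computed on one small network, as an added example that is not code from the dissertation. The contact records and entity names are constructed for illustration; they are arranged so that the entity with the lowest degree and eigenvector centrality is the one with the highest betweenness and closeness, which is the broker case the quotation from [150] describes.

```python
from collections import deque

# Constructed sample data (not from the dissertation): directed contact records
# (initiator, receiver). Two tightly knit cells are joined only via "broker".
CONTACTS = [
    ("a1", "a2"), ("a1", "a3"), ("a1", "a4"), ("a2", "a3"), ("a2", "a4"), ("a3", "a4"),
    ("b1", "b2"), ("b1", "b3"), ("b1", "b4"), ("b2", "b3"), ("b2", "b4"), ("b3", "b4"),
    ("a1", "broker"), ("broker", "b1"),
]


def undirected(contacts):
    """Adjacency sets for the undirected view used by the path-based measures."""
    adj = {}
    for u, v in contacts:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def degree(contacts):
    """Return {entity: (in_degree, out_degree)} from the directed records."""
    deg = {}
    for src, dst in contacts:
        i, o = deg.get(src, (0, 0))
        deg[src] = (i, o + 1)
        i, o = deg.get(dst, (0, 0))
        deg[dst] = (i + 1, o)
    return deg


def bfs(adj, source):
    """Breadth-first search: distances, shortest-path counts, predecessors, visit order."""
    dist, sigma = {source: 0}, {source: 1}
    preds, order, queue = {source: []}, [], deque([source])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in adj[v]:
            if w not in dist:
                dist[w], sigma[w], preds[w] = dist[v] + 1, 0, []
                queue.append(w)
            if dist[w] == dist[v] + 1:      # v lies on a geodesic from source to w
                sigma[w] += sigma[v]
                preds[w].append(v)
    return dist, sigma, preds, order


def closeness(adj):
    """(n - 1) / sum of geodesic distances, scaled by reachability if disconnected."""
    n, result = len(adj), {}
    for v in adj:
        dist = bfs(adj, v)[0]
        total, reach = sum(dist.values()), len(dist) - 1
        result[v] = (reach / (n - 1)) * (reach / total) if total else 0.0
    return result


def betweenness(adj):
    """Brandes' algorithm: summed fraction of geodesics between other pairs through v."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        _, sigma, preds, order = bfs(adj, s)
        delta = dict.fromkeys(order, 0.0)
        for w in reversed(order):           # farthest entities first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: x / 2 for v, x in score.items()}   # each undirected pair was counted twice


def eigenvector(adj, tol=1e-12, max_iter=1000):
    """Power iteration on A + I (the shift avoids oscillation on bipartite graphs)."""
    x = dict.fromkeys(adj, 1.0)
    for _ in range(max_iter):
        nxt = {v: x[v] + sum(x[w] for w in adj[v]) for v in adj}
        norm = max(nxt.values())
        nxt = {v: val / norm for v, val in nxt.items()}   # highest score becomes 1.0
        if max(abs(nxt[v] - x[v]) for v in adj) < tol:
            return nxt
        x = nxt
    return x


def report(contacts=CONTACTS):
    adj = undirected(contacts)
    return {"degree": degree(contacts), "closeness": closeness(adj),
            "betweenness": betweenness(adj), "eigenvector": eigenvector(adj)}


if __name__ == "__main__":
    r = report()
    for name in sorted(r["degree"]):
        i, o = r["degree"][name]
        print(f"{name:7} in={i} out={o} close={r['closeness'][name]:.3f} "
              f"between={r['betweenness'][name]:5.1f} eigen={r['eigenvector'][name]:.3f}")
```

All links here carry equal weight; the weighting of associations by the investigator, which the text argues centrality depends on, is not modelled.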
Centrality measures for semantic web<br />
Semantic web concepts have many characteristics in common with our understanding of criminal<br />
network entities and their associations. Similar to centrality measures for criminal networks (see<br />
Section 5.9.1 above), semantic web concepts have been developed to measure the centrality of<br />
entities in online social networks. We are interested in analysis of complex systems in which nodes<br />
could be any object, relations (links) could be of any nature, and structures are generated by<br />
the users (investigators). Semantic web technology can explicitly model the interactions between<br />
individuals, places and things in complex systems of information entities, but classical social<br />
network analysis methods are typically applied to “these semantic representations without fully<br />
exploiting their rich expressiveness” [64]. A short summary of semantic web technology and a<br />
social network analysis example is given in [63]:<br />
Semantic web [technologies] provide a graph model, a query language and type and<br />
definition systems to represent and exchange knowledge online. These [technologies]<br />
provide a [. . . ] way of capturing social networks in much richer structures than raw<br />
graphs. Several ontologies can be used to represent social networks. The most popular<br />
is FOAF 1, used for describing people, their relationships and their activity. A<br />
large set of properties is dedicated to the definition of a user profile: “family name”,<br />
“nick”, “interest”, etc. The “knows” property is used to connect people and to build a<br />
social network. [. . . ] The properties in the RELATIONSHIP 2 ontology specialize the<br />
“knows” property of FOAF to type relationships in a social network more precisely (familial,<br />
friendship, or professional relationships). For instance the relation “livesWith”<br />
specializes the relation “knows”.<br />
1 http://www.foaf-project.org/<br />
Figure 5.21: “Queries that extract the degree centrality of [individuals] linked by the property<br />
foaf:knows and its specialization relationship:worksWith” [63].<br />
5.9.2 Prediction<br />
Prediction techniques include extrapolation, projection, and forecasting based on past and current<br />
states of a criminal network. These three predictive techniques follow the approach of assessing<br />
forces that act on an entity [40]. The value of prediction lies in the assessment of the forces that<br />
will shape future events and the state of the criminal network. An extrapolation assumes that<br />
those forces do not change between the present and future states; a projection assumes that they<br />
do change; and a forecast assumes that they change and that new forces are added.<br />
Bayesian inference is a (forecasting) prediction technique based on metadata about individuals<br />
in criminal networks. A statistical procedure that is based on Bayes’ theorem can be used to infer<br />
the presence of missing links in networks. The process of inferring is based on a comparison of<br />
the evidence gathered by investigators against a known sample of positive (and negative) links in<br />
the network, where positive links are those links that connect any two individuals in the network<br />
whereas negative links are simply the absence of a link. The objective is often to assess where<br />
links may be present that have not been captured in the collected and processed criminal network<br />
information.<br />
Prediction techniques<br />
Prediction of covert network structure [184] is useful when you have a list of individuals suspected<br />
to be part of your current criminal network investigation. The algorithm indicates probable covert<br />
members on the list and how they are linked to the existing structure. The predict missing links<br />
algorithm [183] starts prediction based on the current criminal network structure. The likelihood of<br />
a link being present between all node pairs in the network is calculated based on the attribute data<br />
of the remaining individuals. Links that have a missing likelihood higher than a pre-determined<br />
value (calculated from the product of individual attribute likelihoods) are predicted as new links<br />
in the network. Links are predicted in the same way by the covert network structure algorithm,<br />
using a Bayesian inference method.<br />
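A simplified sketch of the missing-link procedure described above, as an added example; it is not the algorithm of [183] or [184], only a naive-Bayes reading of this section's description. The individuals, attribute names, attribute values and thresholds are constructed, and the assumptions are that attributes are compared as match or mismatch and treated as independent.

```python
from itertools import combinations
from math import prod

# Constructed sample data (not from the dissertation or from [183]/[184]).
PEOPLE = {
    "p1": {"city": "north", "trade": "x"},
    "p2": {"city": "north", "trade": "x"},
    "p3": {"city": "north", "trade": "x"},
    "p4": {"city": "south", "trade": "y"},
    "p5": {"city": "south", "trade": "y"},
    "p6": {"city": "south", "trade": "x"},
}
# Links already captured in the investigation (the positive sample).
KNOWN_LINKS = {frozenset(p) for p in
               [("p1", "p2"), ("p1", "p3"), ("p4", "p5"), ("p5", "p6")]}


def evidence(people, a, b):
    """One boolean per attribute: do the two individuals share its value?"""
    return {attr: people[a][attr] == people[b][attr] for attr in people[a]}


def train(people, links):
    """Estimate P(match | link) and P(match | no link) per attribute.

    Every pair with a recorded link is a positive sample and every other pair
    a negative one. Laplace smoothing (+1 / +2) keeps estimates away from 0 and 1.
    """
    matches = {True: {}, False: {}}     # linked? -> attribute -> number of matches
    totals = {True: 0, False: 0}
    for a, b in combinations(sorted(people), 2):
        linked = frozenset((a, b)) in links
        totals[linked] += 1
        for attr, same in evidence(people, a, b).items():
            matches[linked][attr] = matches[linked].get(attr, 0) + same
    attrs = list(next(iter(people.values())))
    return {linked: {attr: (matches[linked].get(attr, 0) + 1) / (totals[linked] + 2)
                     for attr in attrs}
            for linked in (True, False)}


def likelihood_ratio(model, ev):
    """Product over attributes of P(evidence | link) / P(evidence | no link)."""
    def p(linked, attr, same):
        q = model[linked][attr]
        return q if same else 1 - q
    return prod(p(True, attr, same) / p(False, attr, same) for attr, same in ev.items())


def predict_missing_links(people, links, threshold):
    """Score every unlinked pair; return those above the threshold, best first."""
    model = train(people, links)
    scored = []
    for a, b in combinations(sorted(people), 2):
        if frozenset((a, b)) not in links:
            ratio = likelihood_ratio(model, evidence(people, a, b))
            if ratio > threshold:
                scored.append(((a, b), ratio))
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    for pair, ratio in predict_missing_links(PEOPLE, KNOWN_LINKS, threshold=1.0):
        print(pair, round(ratio, 3))
```

Because unrecorded links are counted as negative samples during training, a link that really exists but was never captured pulls the estimates against its own prediction, so the scores are leads to verify, not findings.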
5.9.3 Other mathematical models<br />
As mentioned, there are many mathematical models for criminal network analysis, such as terrorist<br />
network analysis models: Recent work has proposed link importance as a new metric for destabilizing<br />
terrorist networks. This novel method is inspired by research on transportation networks,<br />
and the fact that the links between nodes provide at least as much relevant information about the<br />
work as the nodes themselves. The measure of link importance offers new insights into terrorist<br />
networks by pointing out links that are important to the performance of the network. A terrorism<br />
domain model with both nodes and links as first class objects will allow additional features to be<br />
built into the terrorist network and visualization tools [80, 244].<br />
2 http://vocab.org/relationship/<br />
5.10 Ethical impact and issues<br />
Ethics are concerned in many ways with software systems that manage information about people,<br />
like tool support for criminal network investigation, involving multiple processes such as information<br />
collection, gathering, and dissemination. In this section we review how the magnitude of<br />
ethical impact and types of ethical issues are different from process to process. Criminal network<br />
investigations benefit from tool support to various degrees, depending on the processes covered<br />
and the tasks carried out. Assigning ethical responsibilities is therefore a prerequisite to assessing<br />
the ethical impact of criminal network investigation tools. But the typical black box approach does<br />
not separate end-user and tool responsibilities, nor does it consider the ethical impact of individual criminal<br />
network investigation processes and tasks. To address tool related ethical issues we propose<br />
ethical principles and values and demonstrate what main design concepts can be implemented in<br />
tools to support these principles and values.<br />
5.10.1 Ethical impact<br />
Criminal network investigations can benefit from varying degrees of tool support depending on<br />
the processes covered and the tasks carried out. The ethical impact of tools supporting criminal<br />
network investigation processes is difficult to assess, and the development of methodologies for such<br />
assessments is still in its infancy. Important reasons for this underdevelopment of a methodology<br />
for morally evaluating technology development are related to its complex, uncertain, dynamic,<br />
and large-scale character that seems to resist human control [253]. As an example, when a new<br />
criminal network investigation tool is explained in the media, there is a tendency to view the tool<br />
as a kind of black box. While this simplification is justified by the aforementioned complexity, it<br />
creates the misunderstanding that criminal network investigation tools take huge amounts of data<br />
as input and analyze it using complex mathematical models, only requiring a few mouse clicks<br />
from the user. When conducting an ethical impact assessment of a new technology, one should<br />
not treat the technology as a black box. Since technologies potentially shape human actions and<br />
interpretations on the basis of which moral decisions are made, we are obligated to try and give<br />
this influence a desirable and morally justifiable form. In this section we will try to open the black<br />
box that criminal network investigation tools often implement, to facilitate the development of<br />
ethical impact assessment of new technologies for our particular domain. We identify a number<br />
of problematic tasks followed by an assessment of the ethical responsibilities as shared by end<br />
users and tools. Based on these observations a list of ethical principles and associated values for<br />
criminal network investigation tool developers are suggested. A selection of design concepts using<br />
these ethical principles and values as guidelines has been developed.<br />
Assigning ethical responsibilities<br />
Criminal network investigation involves collection, processing and analysis of information related<br />
to a specific target, creating products that can be disseminated to customers. A number of complex<br />
tasks are associated with these processes [174]. When supported by tools these tasks have significant<br />
ethical impact because their usage is more or less controlled. One example is profiling, both<br />
personal and especially group profiling by means of data mining [50] or manually inferred rules<br />
based on observations of reoccurring relationships or characteristics of persons and groups [154].<br />
The transparency of social network analysis (SNA) measures like betweenness and closeness centrality<br />
[240] and prediction algorithms decreases when applied to an increasing number of nodes<br />
and links. Lack of evidence source linking might result in situations where it is unclear who created<br />
the link to the source, when the link was created, who collected and processed the information<br />
in the first place etc. [222]. Inferential judgments are based on pros and cons about positions<br />
and issues. But if the pros and cons are not saved these decisions cannot be audited by a third<br />
person [46].<br />
Figure 5.22: Determinism continuum, from open-ended to closed, indicating the degree to which<br />
technology predetermines usages [119].<br />
During analysis, especially when applying automated features such as social network analysis and<br />
prediction, the tool has more ethical impact and power of influence. The determinism continuum<br />
in Figure 5.22 illustrates this perfectly. The analyst cannot help having his or her actions and<br />
interpretations influenced by the output of a complex analysis. When information is disseminated<br />
to the customer, the customer has the power of influence to interpret and use the disseminated<br />
information as he or she finds convenient.<br />
Addressing ethical issues on the tool side<br />
To investigate the ethical issues on the tool side, we have studied existing literature on ethical issues<br />
(e.g., [143]) and methodologies for ethical impact assessment of new (information) technology<br />
(e.g., [233, 253]). However, identification of ethical issues and the development of methodologies<br />
for impact assessments are still in their infancy [179, 253]. Important reasons for this underdevelopment<br />
of a methodology for morally evaluating technology development are related to its complex,<br />
uncertain, dynamic, and large-scale character that seems to resist human control [253]. And while<br />
identified ethical issues like ‘dissemination and use of information’, ‘control, influence and power’<br />
and ‘impact on social contact patterns’ are relevant for criminal network investigation tools they<br />
are not process specific, making it difficult to assign ethical responsibilities.<br />
We believe that human control of criminal network investigation tools is possible [247]. If we<br />
combine this understanding with our findings that ethical impact at the task level is higher for<br />
criminal network investigation tasks that dictate predetermined usage (i.e. automated tasks),<br />
we have identified the core problem: The choices that analysts, collectors and customers prefer<br />
to make are never fully predictable and tool support should therefore be dynamic and open-ended<br />
[119] (Figure 5.22).<br />
This suggests a human-centered approach where the humans (end users) are in charge of the<br />
criminal network investigation processes and tasks and the tools are there to support them. If<br />
the end users lose control (i.e. the tool predetermines usage) the ethical impact of the criminal<br />
network investigation processes and tasks will increase. The challenge is to overcome the high<br />
level of controllability that is inherent in the security and risk burdened world of criminal network<br />
investigation.<br />
Ethical principles and values for criminal network investigation tools<br />
We now have an initial understanding of the ethical responsibilities of end users and tools, as well<br />
as the remedy for the ethical impact on the tool side: a human-centered approach. Based on these<br />
observations we have designed the following list of ethical principles and values. The values can<br />
apply to more than one principle in various ways as seen below. Not all combinations of principles<br />
and values have been described.<br />
Transparent. Tool transparency is a precondition to human trust. A lack of transparency<br />
undermines the use of tool supported tasks.<br />
(Customizable) Entities. Using an entity-based approach in which all entities are first class<br />
is a precondition for several ethical values e.g. dynamic structuring.<br />
(Dynamic) Reasoning. Being able to record and review reasoning sessions would clarify how<br />
inferential judgments are made.<br />
(Interactive) History. Creating, updating and deleting content related to entities should<br />
be recorded for later reference. Storytelling using history events adds transparency to the<br />
progress of an investigation.<br />
Related work<br />
Two approaches to addressing the ethical impact of criminal network investigation processes have<br />
been reviewed. The following commercial tool supporting criminal network investigation workflows<br />
represents the point of view that the protection of privacy and civil liberties should be<br />
embedded in tools 66. This is the approach we would like to adopt. Palantir Government 3.0 is a<br />
platform for information analysis designed for environments where the fragments of data that an<br />
analyst combines to tell the larger story are spread across a vast set of starting material [5]. Privacy<br />
and civil liberties are “embedded in Palantir’s DNA”, exemplified by technologies like Access<br />
Control Model, Revisioning Database and Immutable Audit Logs. Palantir used existing legislation<br />
as guidelines on how to address ethical issues in implementation, e.g. the 9/11 Commission<br />
Implementation Act [223]. More importantly, Palantir Government 3.0 has separated their entity<br />
model from the domain ontology, making the representation of entities and their relationships<br />
customizable. Furthermore, an interactive and navigable history of events is logged and finally<br />
various hypertext structures are, unintentionally, facilitated. This suggests an open-ended and<br />
dynamic approach to criminal network investigation tool support.<br />
Another approach is presented in [179]: “the solution lies in developing and integrating advanced<br />
information technologies for counterterrorism along with privacy-protection technologies to safeguard<br />
civil liberties. Coordinated policies can help bind the two to their intended use”. Examples<br />
of privacy-protection technologies are: privacy appliance involving the use of a separate tamper-resistant,<br />
cryptographically protected device on top of databases. Making information anonymous<br />
is a technique used within the privacy appliance: it generalizes or obfuscates data, providing the<br />
system with a guarantee that any personally identifiable information in the released data can’t be<br />
determined, yet the data still remains useful from an analytical viewpoint.<br />
5.10.2 Denmark and terrorism (The Muhammad caricatures, legislation<br />
and civil liberties)<br />
Denmark and Danish interests have been the target of terrorism plans and attacks on numerous<br />
occasions from 2005 to 2010. It seems Denmark is getting a lot of attention compared to the<br />
relatively small population and the fact that Denmark, before the engagement in Afghanistan<br />
in 2002 and the invasion of Iraq in March 2003, had our international focus on peacekeeping<br />
missions 67 . Especially the reprinting of the Danish caricatures in February 2008 in multiple<br />
newspapers has given Denmark a high ranking on terrorism target lists around the world. Despite<br />
this Denmark is a nation facing actual terrorism plans only intermittently, resulting in the media<br />
intensifying their coverage when such events occur.<br />
The fact that Danish politicians did not hesitate to announce they were ready to evaluate<br />
and tighten the Danish counter terrorism legislation enacted in 2002 and 2006 after the Mickey<br />
Mouse project (MMP) had been revealed, is another interesting aspect of the influence of media<br />
in “preparing” the public to support such statements. The controversy is that tightening the<br />
laws conflicts with citizen liberties. Also, if “terrorism is as much about the threat of violence as<br />
the violent act itself” [92], did David Headley (Mickey Mouse project surveillance, etc.), and his<br />
accomplices achieve their goal? Or is it acceptable to disregard the civil liberties of the public<br />
for increased safety through more and stricter legislation?<br />
Time line (Muhammad caricatures)<br />
The first serious response from within Denmark to the initial printing of the Muhammad caricatures on<br />
September 30th 2005 was the postulated plans and intent to murder caricature cartoonist<br />
Kurt Westergaard by the use of strangulation [15]. On February 12th 2008 three men were arrested<br />
facing these complaints, one Danish citizen was released while two Tunisians were administratively<br />
expelled [15] and controversially imprisoned without trial [151]. The final verdict in the Tunisian<br />
case is still not given, and on December 4th 2009 it was decided to try the case at the Danish<br />
Supreme Court [138].<br />
The more recent incidents have had some interesting characteristics in common with the Mickey<br />
Mouse project (see Section 5.7.2). First of all the cases described below all had links to the training<br />
camps in north Waziristan, more specifically the Federally Administered Tribal Areas (FATA) on<br />
the border to Afghanistan. This applies especially to the main person involved in the Glasvej case, who used<br />
some of the same codewords as in the Mickey Mouse project.<br />
On October 21st 2008 a unanimous jury declared Hammad Khürshid (Danish-Pakistani) and<br />
Abdoulghani Tohki (Afghan) guilty of planning terrorism intending to use bombs [85, 209]. The<br />
men had experimented with producing the very unstable explosive TATP 68 in their common<br />
apartment in Copenhagen [209]. The wire-puller Hammad Khürshid was sentenced to 12 years in jail<br />
at the court in Glostrup, while Abdoulghani Tohki was punished with a seven year sentence and<br />
expelled from Denmark for life because of his Afghan citizenship [209]. After the sentencing new<br />
information was revealed 69 , which showed that Hammad Khürshid had been recruited and trained<br />
by one of Osama bin Laden’s most important lieutenants, the Egyptian Abu Ubaidah al-Masri,<br />
in the northern Pakistani province Waziristan [213]. The first arrests associated with the Glasvej<br />
case were made in April 2007 [209].<br />
On June 2nd 2008 followed an incident not similar to the previous cases, primarily because it took<br />
place in Pakistan: “A car bomb exploded outside the Danish Embassy in an upscale area of the<br />
Pakistani capital” [164] Islamabad “killing eight persons and injuring up to 30” [185]. Al-Qaeda<br />
later claimed to be responsible for the attack, stating it was “revenge for the publishing of the<br />
Muhammad cartoons” [133]. The Mickey Mouse project followed this incident as the next case<br />
with links to Pakistan.<br />
On January 1st 2010, a 28-year-old Somali man attacked cartoonist Kurt Westergaard in his home,<br />
threatening him with a knife and an ax [186]. Westergaard successfully escaped to his custom made<br />
panic room, and later the Somali man was pacified by the police using gun shots [186]. According<br />
to PET the offender had close contact with the militant group al-Shabaab in Somalia [88].<br />
The political climate in Denmark in October 2009 and Danish counterterrorism legislation<br />
“During the last decade the Danish political system has undergone a polarization. Where the political<br />
scene earlier has been characterized by minority governments that have sought parliamentary<br />
support across the middle, Danish policy today is dominated by two political blocs, respectively,<br />
a center-left block and a right block” [90], a change that started with the election of a right wing<br />
government in 2001. On June 8th 2002 the first Danish counter terrorism law was enacted as a<br />
direct impact of 9/11 (2001) 70 . The extension of the law grants the Danish secret intelligence<br />
service PET a number of extended powers concerning surveillance of private individuals and the<br />
right to perform multiple searches with a single court order [14].<br />
Denmark has been involved in the international NATO mission in Afghanistan since 2002. On<br />
January 11th 2002 the Danish parliament unanimously decided that Danish military forces should<br />
be available for an international security force in Afghanistan [17]. A status report from October<br />
22nd 2009 shows that Denmark has 690 soldiers in Afghanistan, and that 28 soldiers have been<br />
killed. “Denmark is one of the countries that measured per citizen has most soldiers killed in the<br />
NATO led operation in Afghanistan, consisting of 43 countries” [98]. During March 2003 Denmark<br />
also decided to join the US and British led coalition forces, although there was disagreement in<br />
government. The majority of the population was against the decision since there was no mandate<br />
from the UN [156].<br />
On June 10th 2006 the second counter terrorism law was enacted 71 following the 7/7 bombings<br />
2005 in London 72 . The 2006 law raised concerns among civil libertarians, although strong support<br />
existed in the general public for the further tightening of the counter terrorism laws from 2002 [218]:<br />
“The mood has shifted in Europe more toward security than it was before the London bombings,”<br />
said Daniel Keohane, senior research fellow at the Center for European Reform in London. “The<br />
Europeans have always been very nervous about infringing on civil liberties. But when you<br />
experience terrorism, it changes your views.”<br />
However, arguments regarding whether or not these laws are too strict are beyond the scope of this<br />
Ph.D. dissertation. One comment, however, describes the media’s influence on Danish policy<br />
makers:<br />
In a 1987 speech at Hebrew University in Jerusalem, Associate U.S. Supreme Court<br />
Justice William J. Brennan Jr. reviewed what he called the “shabby treatment” that<br />
America’s vaunted freedoms have received in times of war and threats to national security<br />
[...] 73 . He attributed these lapses to the crisis mentality that Americans develop<br />
when faced with danger intermittently, rather than living with it constantly. America’s<br />
decision-makers have been inexperienced in assessing the severity of security threats<br />
and in devising measures to cope with them in ways that respect conflicting rights and<br />
liberties. [81]<br />
Given the relatively short list of terrorist events related to Denmark directly, the same can be said<br />
of the Danish government’s experience with enacting and enforcing such counter terrorism laws,<br />
and of the Danish population’s propensity to support them immediately after the revelation of plans<br />
to strike against Denmark and Danish interests.<br />
5.11 Trust and user acceptance<br />
In this section we review user acceptance of information technology for criminal network investigation,<br />
and we discuss how trust is a prerequisite to such acceptance, and tightly coupled with<br />
transparency and ownership [175].<br />
Taking a computational approach to criminal network sense-making, claiming that investigators<br />
will benefit from the information provided, raises concerns about user acceptance of this computed<br />
information 74 . Experienced investigators with the skills to manually derive the computed<br />
information (given more time) might question how exactly the information has been automatically<br />
computed and they might be inclined not to trust this computed information enough to base<br />
their decisions on it [193]. For computational sense-making to be effective, decision makers must<br />
consider the information provided by such systems to be trustworthy, reliable [144], and credible.<br />
See Chapter 11 for more on criminal network sense-making and Section 5.10 for a look at ethical<br />
issues and trust in terms of tool support for criminal network investigation.<br />
5.12 Interaction and visualization<br />
We give a brief introduction to interaction and visualization in this section.<br />
5.12.1 Interaction<br />
We mention and discuss interaction theory and concepts throughout this dissertation, including how we<br />
use interactive “proof-of-concept” prototypes [132] to develop tool support for criminal network<br />
investigation. What we would like to discuss in this section is human-tool synergies, which better<br />
describe our goals with the aforementioned tool support development. Investigators are the<br />
decision-makers in criminal network investigations (e.g. low probability situations [130]), while<br />
algorithms do routine calculations: “Men will fill in the gaps, either in the problem solution or<br />
in the computer program, when the computer has no mode or routine that is applicable in a<br />
particular circumstance” [130].<br />
5.12.2 Visualization<br />
Information visualization technologies have proved indispensable tools for making sense of complex<br />
data [86]. Visualization techniques use both retinal properties and spatial arrangement for the<br />
presentation of structured information, taking advantage of the human perceptual system. However,<br />
most visualization systems do not support the visual editing of structured information. The<br />
lack of direct manipulation of structured information in visualization systems means that there is<br />
no expression in such an environment, and expression is part of a real decision making process [97].<br />
Another problem is that “information visualization applications do not lend themselves to “one<br />
size fits all” solutions; while successful visualizations often reuse established techniques, they are<br />
also uniquely tailored to their application domain, requiring customization” [86].<br />
Although visualization libraries primarily offer advanced unidirectional mappings, a lot can be<br />
learned from them in terms of requirements for a graphical-oriented framework design. The<br />
prefuse toolkit [86] for interactive information visualization is presented as an interesting case.<br />
Our interest is mainly due to the set of finer-grained building blocks that prefuse provides for constructing<br />
tailored visualizations. The template-modeled design process of “representing abstract<br />
data, mapping data into an intermediate, visualizable form, and then using these visual analogues<br />
to provide interactive displays” is very interesting.<br />
5.13 Summary<br />
This chapter started with an introduction to five pillars of theory and technology, describing the<br />
relevance of each pillar for developing tool support for criminal network investigation, followed<br />
by a summary of the theory and technologies within each pillar. A color legend was used to<br />
indicate whether or not each theory or technology was covered in this chapter and to what degree,<br />
or if it was covered in a fragmented manner throughout the dissertation. Then followed reviews<br />
and summaries of individual theories and technologies, covered to a certain extent, matching<br />
their role for this Ph.D. project. Hypertext, semantic web, human cognition, the creative process,<br />
intelligence, and mathematical models therefore received the most attention. But theory from<br />
information science, knowledge about simple tools for idea generation, case studies of individuals,<br />
ethics, trust and user acceptance, and interaction and visualization have also played a role and<br />
will play a role for future developments in criminal network investigation. This chapter illustrates<br />
the many perspectives that a software systems engineer in criminal network investigation must<br />
have, when developing tool support for criminal network investigation.<br />
CHAPTER 6<br />
Problem definition and research focus<br />
In Chapter 1 we reviewed criminal network investigation challenges, and selected to focus on three<br />
of them (information, process, and human factors), arguing that investigator centric challenges<br />
of a quantitative nature (i.e., suitable for modeling) would be addressable by software system<br />
support. Based on the three selected challenges, we stated the following research hypothesis:<br />
A software system addressing information, process, and human<br />
factors challenges would be a useful tool for assisting criminal<br />
network investigators in their work.<br />
In this chapter we specialize our hypothesis and conduct a more detailed analysis of specific<br />
problems associated with each challenge. Based on these problems (and our own knowledge and<br />
ideas) we also formulate a research focus for each challenge, resulting in a list of requirements to<br />
guide and evaluate our work (see Section 6.4 for more details on how we propose to do this). The<br />
list of research focus requirements is considered software development requirements for developing<br />
software tool support for criminal network investigation, while the criminal network investigation<br />
tasks presented in Chapter 7 are considered criminal network investigation requirements, i.e.,<br />
a list of tasks that investigators perform (for the majority) whether or not they use dedicated<br />
tool support. Our review of criminal network investigation (criminal networks, structures,<br />
processes, cognitive bases, and cases 75 ), related work (commercial tools and research prototypes),<br />
and relevant theories and technologies for tool support of criminal network investigation revealed<br />
the following problems related to information (Section 6.1), process (Section 6.2), and human<br />
factors (Section 6.3).<br />
6.1 Information problems and research focus<br />
Based on criminal network investigation cases, analysis of criminal network structures, etc. (Chapter<br />
3), reviews of commercial tools and research prototypes (Chapter 4), literature studies (Chapter<br />
5), and other analysis work we state information amount, incompleteness, and general complexity<br />
as information problems for criminal network investigation.<br />
1. Information amount (e.g., [59,110,116]) includes information abundance and information<br />
scarcity problems. If information is abundant and resources required to process the information<br />
are limited, potential suspects might not be discovered. On the other hand, if information<br />
is scarce, decisions might be based on uncorroborated intelligence later proved to be false.<br />
Many techniques have been developed that can analyze large amounts of networked information<br />
and be applied during criminal network investigations. Most prominent is social network<br />
analysis, the study of human relationship networks, or the application of statistical techniques<br />
to the field of sociology (we review social network analysis in Section 5.9.1). Since<br />
its beginning, the field has become more mathematical and rigorous, and has widened in<br />
scope to encompass networks arising in other contexts. Today the field has become known<br />
as network science [68].<br />
The introduction of network science did not add to the network theory for detecting and<br />
exposing hidden terrorist networks. Time-consuming manual tasks for synthesis of criminal<br />
networks are still applied by law enforcement and intelligence services (e.g., [68, 139]). In<br />
one concrete case, it took an experienced crime analyst six weeks to manually extract a fraud<br />
link chart with 110 people, “even though most of the information in the chart came from<br />
computerized records. [. . . ] The base network extracted for the [fraud] evaluation (all links<br />
between all nodes connected within two associational hops of the targets) included 4,877<br />
nodes and 38,781 reported associations” [139]. This example also illustrates why it has been<br />
“estimated that police officers spend up to 40% of their time handling information, making<br />
it one of the most extensive police activities” [20].<br />
2. Information incompleteness (e.g., [39, 168, 183]) includes variation in available metadata<br />
(attributes) for entities or missing attribute values. Other incompleteness includes missing<br />
links and missing network structure (nodes and links). It can be difficult to automatically<br />
detect associations between entities when information is incomplete.<br />
Once a criminal network is synthesized, its characteristics can be studied using standard<br />
network measures such as centrality. However, the well-established techniques are not well<br />
suited for the fragmented networks that organized crime and terrorism networks often are.<br />
An intelligence analyst at the British Home Office pointed this out during a presentation<br />
and talk there [167]. Researchers have started developing techniques that take into account<br />
incomplete information (e.g., [177, 183]). We have developed measures of performance for<br />
transformative prediction algorithms, to see how they reacted when attributes were missing<br />
from the data or the accuracy of information was not complete [176].<br />
3. Information complexity (e.g., [20,116,128]) is typically caused by the emerging and evolving<br />
nature of information, especially within the counterterrorism domain. Information abundance<br />
or scarcity on its own does not necessarily make the relations between entities in the<br />
information more complex. The use of aliases, social complexity (e.g., culture and language)<br />
and the mix of different information types (e.g., audio, images, signals, video) are all factors<br />
that will increase the complexity of information.<br />
<strong>Criminal</strong>s prefer to remain covert, balancing secrecy and efficiency [244], e.g., by encrypting<br />
their communication or keeping individuals and groups isolated from each other and on a<br />
need-to-know basis in terms of communication. Or information is complex simply because<br />
it is fragmented, as mentioned above. The use of deliberate (semantic) aliases, i.e. using<br />
different names in different contexts, is a well known technique to remain covert. Omar Saeed<br />
Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl, was<br />
known to have used at least 17 aliases [128], and Khalid Sheikh Mohammad, who murdered<br />
Daniel Pearl, and was the mastermind behind i.a., 9/11 (2001), used two dozen aliases [146].<br />
Simon and Burns share their experiences from organized drug crime environments, where<br />
the drug dealers are out in the open, but use, for example, encryptions of phone numbers<br />
when paging each other to set up business, schedule meetings, etc. [10, 206].<br />
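The base-network extraction quoted in item 1 (all links between all nodes within two associational hops of the targets) and the fragmentation problem in item 2 can be seen together in a short added example, which is not code from the dissertation. The association pairs are constructed, and harmonic centrality is swapped in as one commonly used measure that tolerates disconnected graphs; it does not reproduce the techniques cited in [177, 183].

```python
from collections import defaultdict, deque

# Constructed association records (pairs of entity ids); not data from any case.
ASSOCIATIONS = [
    ("T1", "A"), ("T1", "B"), ("A", "C"), ("C", "D"), ("D", "E"),
    ("T2", "X"), ("X", "Y"), ("Y", "Z"),   # second cell, no recorded link to the first
    ("P", "Q"),                            # unrelated records in the same repository
]


def build_graph(pairs):
    """Undirected adjacency sets built from association pairs."""
    g = defaultdict(set)
    for a, b in pairs:
        g[a].add(b)
        g[b].add(a)
    return g


def hop_distances(g, sources, max_hops=None):
    """Breadth-first hop count from the nearest source, optionally cut off at max_hops."""
    dist = {s: 0 for s in sources if s in g}
    queue = deque(dist)
    while queue:
        u = queue.popleft()
        if max_hops is not None and dist[u] == max_hops:
            continue  # do not expand past the hop limit
        for v in g[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def base_network(g, targets, hops=2):
    """Nodes within `hops` of any target, plus every link between those nodes."""
    keep = set(hop_distances(g, targets, hops))
    return {n: g[n] & keep for n in keep}


def network_size(g):
    """(node count, link count) of an undirected adjacency mapping."""
    return len(g), sum(len(nbrs) for nbrs in g.values()) // 2


def closeness(g, node):
    """Classic closeness centrality; None when some node is unreachable from `node`."""
    dist = hop_distances(g, [node])
    if len(dist) < len(g):
        return None  # fragmented network: the measure is undefined
    return (len(g) - 1) / sum(dist.values())


def harmonic(g, node):
    """Harmonic centrality: unreachable nodes contribute 0 instead of breaking the sum."""
    if len(g) < 2:
        return 0.0
    dist = hop_distances(g, [node])
    return sum(1 / d for n, d in dist.items() if n != node) / (len(g) - 1)


if __name__ == "__main__":
    full = build_graph(ASSOCIATIONS)
    net = base_network(full, ["T1", "T2"], hops=2)
    print("repository:", network_size(full), "base network:", network_size(net))
    for n in sorted(net):
        print(n, "closeness:", closeness(net, n), "harmonic:", round(harmonic(net, n), 3))
```
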
6.1.1 Research focus (requirements)<br />
<strong>Criminal</strong> network investigators deal with information from a variety of sources, all of which are<br />
important to their decision making process. As pointed out by the 9/11 report [152], linking and<br />
communicating those pieces of information is a critically important issue. In order to deal with<br />
the increasing amount of information available, especially through the Internet, automatic tools<br />
are used to harvest relevant information [148] and compute relationships that implicitly exist in<br />
the acquired data [55]. The output is a pre-selection that helps analysts to focus on the most<br />
relevant parts. Those tools, however, focus on a predefined repository and are limited in their<br />
structural representation. Due to their focus on computation, most of them model relationships<br />
as graphs. Graphs have been well researched and thus permit the application and use of a variety<br />
of mathematical models and algorithms. Even though machines are necessary to deal with the<br />
vast amount of information, final decisions, however, are taken by humans. Analysts need support<br />
for their decision making process, in which criminal network analysis tools play an important role.<br />
Dedicated software tools targeted at supporting criminal network investigators in their knowledge<br />
management work should fulfill the following overall requirements related to information [20]:<br />
1. Supporting the emergent and fragile nature of the created structure and fostering its communication<br />
among investigators.<br />
2. Integrating with the information sources used by the investigators, permitting them to be<br />
represented and structured in a common information space.<br />
3. Supporting awareness of, and notification based on, linked information across information<br />
source boundaries.<br />
4. Permitting multiple directions of thought through versioning support. Supporting emergent<br />
structure as a means for knowledge representation, communication, integration, and<br />
awareness/notification has been and still is discussed in depth in hypertext research.<br />
6.2 Process problems and research focus<br />
Compartmentalization is the source of several process related problems, such as responsibility and<br />
(non optimal) information sharing. By compartmentalization, we mean the restrictions on the natural<br />
flow of information and problem solving, inhibiting criminal network investigations. Based<br />
on analysis of criminal network investigation cases and processes (see Chapter 3), literature studies<br />
(Chapter 5), and other analysis work we summarize incremental deterioration, responsibility,<br />
overlapping processes, and information sharing problems for criminal network investigation.<br />
1. Incremental deterioration (e.g., [5,52,59,242]) often happens when following a linear process,<br />
where investigators receive a mix of information (evidence) and interpretations of that<br />
information, in the form of reports. Especially, if the institution is collaborating with other<br />
institutions, information is exchanged in reports. Some law enforcement institutions and<br />
intelligence services make it part of their intelligence process to make clear the distinction<br />
between information and interpretation. But that doesn’t stop the intelligence customer from<br />
further interpretations of the analyst’s interpretations. And typically not all information is<br />
included in reports for the customer, or collaborators.<br />
The degree of incremental deterioration of information is different if the investigation is<br />
solely within a single organization compared to (transnational) collaboration between agencies,<br />
services, and law enforcement. However, while the problem is smaller, it is still there<br />
and important to address. The most significant example we have come across is Curveball, in<br />
which interrogation reports traveled from Germany through several compartments in agencies<br />
and national security organizations in different nations, being translated from Arabic,<br />
to German to English, before reaching CIA analysts and ultimately decision makers in the<br />
White House. Commercial tools for criminal network investigations recognize this problem<br />
and promote their support of loss-less data abstractions in commercial material [5].<br />
2. Responsibility (e.g., [40,54,59]) often depends on whether a person has something personal<br />
at risk, the esteem of colleagues or the consequences of bad or rushed decisions. When<br />
following a process with many compartments, it becomes easier to push the work requiring<br />
responsibility on to the people responsible in the next compartment. And the individuals in<br />
that department might be reluctant to “ask back” into the compartment from where they got<br />
the information, and instead forward it to someone else.<br />
An example of responsibility, again from the Curveball case, is Alex Steiner 76 , the United<br />
States Defense Intelligence Agency’s (DIA) liaison to the German federal intelligence service<br />
(BND), receiving the incoming intelligence reports from BND. The Germans refused Steiner<br />
or anyone else access to Curveball. Steiner didn’t mind; the case was very complex, and he<br />
was looking forward to retirement. The case was a “hot potato”, but he let other people<br />
care about the details; his role was “to oversee things” [59]. The 22/7 (2011) commission<br />
report points out that the Norwegian police security service (PST), had received information<br />
about individuals’ suspicious purchases of chemicals in Poland, from the customs directorate<br />
to which other authorities such as the national postal service had raised their concerns. PST<br />
received this information on 6/12 (2010), but the lead had not been followed up on when<br />
the attacks happened 22/7 (2011), because the different sections within the police security<br />
service had spent five months deciding whose domain it was, and later when the case was<br />
assigned to a section, the responsible case officer had to go on vacation for 10 weeks [153].<br />
3. Overlapping processes (e.g., [170, 175]) become a software development problem when<br />
choosing a target-centric approach. The target-centric alternative to a linear process means<br />
that criminal network investigation processes will be overlapping, i.e., the structuring of<br />
information and algorithm-based computations have to be performed on the same model. With<br />
a linear process, with process compartments, one compartment has one model to solve its<br />
task, and another compartment uses a different approach to solve theirs.<br />
Investigators move pieces of information around, they stop to look for patterns that can help<br />
them relate the information pieces, they add new pieces of information and iteration after<br />
iteration the information becomes increasingly structured and valuable. Synthesizing emerging<br />
and evolving information structures is a creative and cognitive process best performed<br />
by humans. Making sense of synthesized information structures (i.e., searching for patterns)<br />
is a more logic-based process where computers (tools) outperform humans as information<br />
volume and complexity increases [175].<br />
4. Information sharing (e.g., [40, 152, 242]) problems are often a consequence of the chosen<br />
intelligence process, the culture of intelligence agencies and the tradecraft of secret intelligence.<br />
Several reports have concluded that information sharing between intelligence agencies<br />
was the root cause of intelligence failure. The main objective of criminal network investigation<br />
research should be to understand the problems, processes, and tasks involved and then<br />
develop tools assisting the people working with these processes and tasks every day to help<br />
minimize the impact of the problems faced.<br />
The wall between FBI and CIA before and after the investigations into 9/11 was high and<br />
thick, and destructive for investigations: “The wall, as it was called, was often misunderstood<br />
and frequently interpreted too broadly. The agents assigned to collecting intelligence<br />
sometimes couldn’t, or wouldn’t, talk to their colleagues who were working the criminal side<br />
of the same cases. Big things – like leads and plots and potential sources – fell through<br />
the cracks” [146]. On Baltimore police department’s homicide shifts, the numbers game of<br />
open and closed investigations, readily available for everyone to see in the coffee room took<br />
a toll on the investigators’ willingness to talk and discuss cases with detectives from other<br />
shifts: “For the last several years, detectives from one shift had interacted with those from<br />
the other only at the half-hour shift changes or on rare occasions when a detective pulling<br />
overtime on a case needed an extra body from the working shift to witness an interrogation<br />
or help kick down a door” [204].<br />
6.2.1 Research focus (requirements)<br />
A target-centric and iterative approach to criminal network investigation is preferred to a linear<br />
approach, due to the failure of investigations following a linear process model that introduces compartmentalization.<br />
An alternative to the traditional intelligence cycle is to make all stakeholders<br />
(including customers) part of the intelligence process. Stakeholders in the intelligence community<br />
include collectors, processors, analysts and the people who plan for and build systems to support<br />
them: “Here the goal is to construct a shared picture of the target, from which all participants<br />
can extract the elements they need to do their jobs and to which all participants can contribute<br />
from their resources or knowledge, so as to create a more accurate target picture” [40]. To ensure<br />
shared responsibility throughout a criminal network investigation, and given the many iterations<br />
over the information and its structure, the source of network changes, interpretations, and decisions<br />
must be maintained, whether made by investigators or the tool (e.g., algorithms). Developing<br />
a common data model for both investigators restructuring and organizing information and tools<br />
analyzing the same information is necessary to support target-centric and iterative investigation.<br />
In summary, dedicated software tools targeted at supporting target-centric and iterative criminal<br />
network investigation should fulfill the following overall requirements:<br />
1. Permitting a target-centric and iterative approach to criminal network investigation is essential,<br />
thereby creating a shared information space for investigators, functioning as a common<br />
reference point.<br />
2. Supporting loss-less data abstractions, so that all investigators can see what has happened,<br />
if information has to be shared between compartments.<br />
3. Ensuring that all collectors, analysts, and customers become stakeholders in the success of<br />
the criminal network investigation, whether working alone or as a team.<br />
4. Integration of conceptual and computational models to support the target-centric, iterative<br />
approach with overlapping criminal network investigation processes.<br />
6.3 Human factors problems and research focus<br />
Human factors are inherently a challenge for criminal network investigations and often have great<br />
influence on the impact of the other problems discussed. Contextual pressures such as time<br />
constraints, dynamism, and changing goals are interrelated with required resources (see for example<br />
[110, 183, 252]). Existing evidence suggests that decision-making and information processing<br />
abilities are often not optimal because the informational complexity of the world overwhelms<br />
human cognitive abilities and creates bias:<br />
1. Human cognition and creativity (e.g., [9,89,165,201,239]) are complicated for a software system<br />
to support and leverage. The human mind solves problems in certain ways, and<br />
creating new ideas is essential for problem solving; this is not similar to how a computer solves<br />
problems. There are also different approaches to creativity, such as “free association” creativity<br />
and rational creativity produced by persistent, hard work. It is not enough to support<br />
collaboration and group work, since real groups do not necessarily create more ideas than<br />
nominal groups. Certain representational structures for cognitive space must be embedded in<br />
tools supporting criminal network investigation.<br />
Understanding the boundaries of human cognition is necessary for tool support of criminal<br />
network investigation: “it is difficult for the human working memory to keep track of all<br />
findings. Hence, synthesis of many different findings and relations between those findings<br />
increase the cognitive overload and thereby hinders the reasoning process” [201]. Because<br />
of this, humans often use simple physical tools when generating new ideas, but existing<br />
software tools used for criminal network investigation usually don’t have the necessary ease-of-use<br />
compared to scribbling ideas on a whiteboard or paper cards.<br />
2. Making humans more capable (e.g., [33,62,130]) is the intended purpose of most software<br />
systems, but when humans and tools have to cooperate, it becomes a difficult task. The<br />
problem is how to make a software system augment human intellect, instead of trying to<br />
mimic it, trying to make the computer think, which it cannot. It is necessary to understand<br />
what humans do well and what computers do well, to solve this problem.<br />
“The human eye is enormously gifted at picking out patterns, and visualizations allow us to<br />
put this gift to work on our network problems. On the other hand, direct visualization of<br />
networks is only really useful for networks up to a few hundreds or thousands of vertices<br />
[and] the number of edges is quite small” [155]. Visualizations on their own, whatever<br />
layouts are applied, are not enough for. Bush (1945) [33] reasoned that since people use<br />
associations to store and retrieve information in and from their own minds, a machine-supported<br />
mechanism that provided this ability would be useful for organizing information<br />
stored in external memory. Augmenting human intellect means increasing the capability of<br />
man to approach a complex problem situation, to gain comprehension to suit particular<br />
needs, and to derive solutions to problems [62].<br />
3. Habitual and biased thinking (e.g., [8, 116]). Contextual pressures such as time constraints,<br />
dynamism, and changing goals affect criminal network investigators. Existing<br />
evidence suggests that decision-making and information processing abilities are often not optimal<br />
because the informational complexity of the world overwhelms human cognitive abilities<br />
and creates bias. The result is that known solutions are chosen and the problems remain<br />
unsolved.<br />
“Today functional problems are becoming less simple all the time. But designers rarely<br />
confess their inability to solve them. Instead, when a designer does not understand a problem<br />
clearly enough to find the order it really calls for, he falls back on some arbitrarily chosen<br />
formal order. The problem, because of its complexity, remains unsolved” [8]. Humans have<br />
a tendency to rely on hierarchical tree structures, when faced with complex problems [9,89].<br />
Pressure could also make investigators fall back on often applied methods, e.g., homicide<br />
detectives who are assigned to new crime scenes, having three open cases on their desks, and<br />
continuously pressured to turn red cases into black by the public display of their stats in the<br />
office [204].<br />
4. Trust (e.g., [144, 175]) in information generated by software tools can be difficult to attain,<br />
if it is not clear how that information was derived. For computational sense-making to<br />
be effective, decision makers must consider the information provided by such systems to be<br />
trustworthy, reliable, and credible. Trust is important for the adoption of software tools for<br />
criminal network investigation.<br />
Simply by turning to the computer when confronted with a problem, we limit our ability<br />
to understand other solutions. The tendency to ignore such limitations undermines the<br />
ability of non-experts to trust computing techniques and applications [193] and experienced<br />
investigators would be reluctant to adopt them.<br />
6.3.1 Research focus (requirements)<br />
Investigators are the decision-makers in criminal network investigations (especially in low probability<br />
situations [130]), while algorithms do routine calculations: “men will fill in the gaps, either<br />
in the problem solution or in the computer program, when the computer has no mode or routine<br />
that is applicable in a particular circumstance” [130]. In software system development humans<br />
seem to work better with board-based approaches (e.g., paper cards on a board) compared to<br />
the traditional form-based approach, where structure is predetermined and the humans have to<br />
adapt [171, 172]. It is often a good approach to use well-known metaphors (e.g., desktop and file<br />
explorer in Windows) or the way that people interact with each other or physical tools like<br />
whiteboards, etc. [174]: “simple gestures help interactions with ideas” [254]. Humans can contribute<br />
with creativity, but while group work is often promoted as the way to more creativity, “the last 50<br />
years of empirical studies overwhelmingly suggest that real group creativity is not as effective as<br />
nominal group creativity” [239]. Dedicated software tools targeted at supporting human factors<br />
problems in criminal network investigation should fulfill the following overall requirements:<br />
1. Augmenting human intellect through knowledge about human cognition, creativity, and<br />
problem solving theory and practice is essential.<br />
2. Leveraging transparency and ownership through tailorable models to ensure the end user’s<br />
trust in calculated information is an important step toward tool usage and output used for<br />
decision-making.<br />
3. Software tools used for analysis of criminal network investigation entities must have an ease-of-use<br />
as close as possible to that of scribbling ideas on a whiteboard or paper cards.<br />
4. Bridging the gap between conceptual and computational models to support cooperation<br />
between man and software system tool, where humans think, make decisions, and fill the<br />
gaps, while tools do routine calculations.<br />
6.4 Summary<br />
We started this chapter by repeating our hypothesis as formulated in Chapter 1. It was based<br />
on the three criminal network investigation challenges, which we had chosen to focus on. In this<br />
chapter, we have provided a more detailed analysis of those challenges and presented specific<br />
problems related to each challenge. The problems have been used to create a set of research focus<br />
requirements to guide our development of software tool support for criminal network investigation,<br />
to address the problems and ultimately reduce the impact of the challenges significantly, supporting<br />
our hypothesis. We will base our evaluation of whether or not the challenges are met and the<br />
hypothesis supported, on the research focus requirements formulated for each challenge. In the<br />
next part of our dissertation (Part III) we use the research focus requirements during analysis<br />
and design, to ensure that our support of the criminal network investigation tasks will address the<br />
challenges of information, process, and human factors. In Chapter 15, we present a mapping between<br />
criminal network investigation tasks and research focus requirements.<br />
From now on we will refer to information research requirements as information #1 (emerging<br />
and fragile structure), information #2 (integrating information sources), information #3<br />
(awareness and notification), and information #4 (versioning support). We will refer to process<br />
research requirements as process #1 (target-centric and iterative), process #2 (loss-less data<br />
abstractions), process #3 (make everybody stakeholders), and process #4 (integrate conceptual<br />
and computational models). Finally, we will refer to human factors requirements as human<br />
factors #1 (augment human intellect), human factors #2 (transparency and ownership), human<br />
factors #3 (simple tools ease-of-use), and human factors #4 (human-tool synergy).<br />
Part III<br />
The tool<br />
CHAPTER 7<br />
Process model and tasks<br />
That’s the trouble with the red-ball treatment, Pellegrini tells himself,<br />
scanning one typewritten page after another. By virtue of their<br />
importance, red balls have the potential to become [. . . ] four-star<br />
departmental clusterfucks beyond the control of any single<br />
investigator.<br />
Homicide detective, in [204].<br />
Criminal network investigations such as police investigations, intelligence analysis, and investigative<br />
journalism involve a number of complex knowledge management tasks such as collection,<br />
processing, and analysis of information [173,174]. This chapter presents a human-centered, target-centric<br />
process model for criminal network investigations that divides the investigative tasks into<br />
five overall processes: acquisition, synthesis, sense-making, dissemination, and cooperation. Based<br />
on case studies and observations of criminal network investigation teams, contact with experienced<br />
investigators from various communities, examination of existing process models and existing tools<br />
for investigation, as well as our own ideas for investigative tool support, we have generated a list<br />
of tasks that a tool for criminal network investigation should support.<br />
The process model first of all addresses the process challenge that we described in Chapter 6.<br />
Specifically, the model fulfills process #1 (target-centric and iterative) and process #3 (make<br />
everybody stakeholders). We start out by presenting the process model in Section 7.1 and a list<br />
of criminal network investigation tasks for each of the five overall processes in Section 7.2. We<br />
conclude the chapter in Section 7.3 by summarizing the model and the tasks, explaining their role<br />
for the remainder of the dissertation, and explaining how we intend to evaluate the process model and<br />
the list of criminal network investigation tasks.<br />
7.1 Process model<br />
Criminal network investigation involves the collection, processing, and analysis of information related<br />
to a specific target to create products that can be disseminated to the customers. Different<br />
process models have been proposed to handle the complex tasks and issues involved in criminal<br />
network investigations (such as police investigations [53], intelligence analysis [40], and investigative<br />
journalism [136]). The three investigation types and related process models are described in<br />
Section 3.6.<br />
Figure 7.1: Human-centered, target-centric criminal network investigation.<br />
Criminal network investigation models include the following overall knowledge management processes<sup>77</sup>:<br />
acquiring the needed information (collection and processing), creating a model of the<br />
target (synthesis), extracting useful information from that model (sense-making), and finally creating<br />
a representation of the results (dissemination). Based on a specific target-centric model for<br />
intelligence analysis [40], we propose a generic model for target-centric criminal network investigation<br />
to embrace police investigations, intelligence analysis, and investigative journalism (Figure<br />
7.1).<br />
The customer requests information about a specific target. The investigators request information<br />
from the collectors (that may also be investigators). Information related to the target is acquired<br />
in disparate pieces over time. The investigators use the acquired information to build a model<br />
of the target (synthesis) and extract useful information from the model (sense-making). The<br />
extracted information results in changes to the model (synthesis). The sense-making - synthesis<br />
cycle is continued throughout the investigation as new information is acquired and extracted from<br />
the model. The investigators both work individually and cooperatively as a team. The results of<br />
the investigation are disseminated to the customer at the end of the investigation or at certain<br />
intervals (or deadlines).<br />
Investigation is a human-centered knowledge management process. Investigators (and collectors)<br />
rely heavily on their past experience (tacit knowledge) when conducting investigations. Hence,<br />
these processes cannot be fully automated and taken over by software tools. The philosophy is<br />
that the humans (in this case the investigators) are in charge of the criminal network investigation<br />
tasks and the software tools are there to support them [248]. The tools should be controlled by the<br />
investigators and should support the complex intellectual work (e.g., synthesis and sense-making)<br />
to allow the investigators to reach better results faster.<br />
CrimeFighter Investigator focuses on providing human-centered, target-centric support for criminal<br />
network investigation (acquisition, synthesis, sense-making, cooperation, and dissemination).<br />
Tool support for collection and processing is beyond the scope of this Ph.D. dissertation. The<br />
CrimeFighter Explorer tool focuses on this type of tool support (see Section 1.4). Tool support<br />
for advanced structural analysis and visualization of the generated target model is also beyond<br />
the scope of this Ph.D. dissertation. The CrimeFighter Assistant tool focuses on this type of tool<br />
support (see Section 1.4).<br />
7.2 Tasks<br />
Based on cases and observations of investigative teams, contact with experienced end-users (investigators)<br />
from various communities, examination of existing process models and existing tools supporting<br />
criminal network investigation tasks (e.g., [2,5,7,19–21,25,39,40,53,83,84,101,136,178,254]<br />
and [6,201,212,252]), and our own ideas for investigative tool support, we maintain a list of investigation<br />
tasks divided into five processes: acquisition, synthesis, sense-making, dissemination, and<br />
cooperation. The list of tasks can be seen as a wish list of requirements for what an investigative<br />
tool should support; the list serves as the basis for our tool development efforts. So far our requirement<br />
generation and development efforts have primarily focused on tasks related to acquisition,<br />
synthesis, sense-making, and dissemination, while cooperation will be addressed in more detail in<br />
future work. The list is not exhaustive; we expect to uncover additional requirements for all five<br />
processes over time.<br />
7.2.1 Acquisition<br />
Acquisition. Some information may be available at the beginning of an investigation, but new<br />
information tends to dribble in over time in disparate pieces. Information arrives from various<br />
sources and should be easy to insert (import, drag-and-drop, cut-and-paste, etc.) into the investigation<br />
tool in a manner that is transparent to the investigator in order to keep trust in the<br />
information.<br />
Acquisition methods. Information arrives from various sources and should be easy to<br />
insert into the investigation tool using methods such as import, drag-and-drop, and cut-and-paste.<br />
Dynamic attributes are required to support acquisition of various data sets formatted<br />
using graph markup language (GraphML) or comma separated values (CSV).<br />
Attribute mapping. To support dynamic attributes it is necessary to map attributes in<br />
the acquired information to the investigation data model, for example by mapping attributes<br />
to information element labels.<br />
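A sketch of the two acquisition tasks above for CSV input (GraphML is not covered), added here as an example and not taken from CrimeFighter Investigator: one column is mapped to the element label, every other column is kept as a dynamic attribute, and each element records its source row so the import stays transparent to the investigator.<br />
The names `AcquiredElement` and `acquire_csv`, the provenance fields, and the sample rows are assumptions made for this example.<br />

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample rows (not data from the dissertation).
SAMPLE_CSV = """person_name,alias,city,phone
Alice Example,Al,Odense,555-0101
Bob Sample,,Aarhus,555-0102
,Ghost,Odense,555-0103
"""


@dataclass
class AcquiredElement:
    """Hypothetical information element produced by an import."""
    label: str
    attributes: dict = field(default_factory=dict)   # dynamic, per data set
    provenance: dict = field(default_factory=dict)   # where the values came from


def acquire_csv(text, label_column, attribute_map=None, source="unnamed.csv"):
    """Turn CSV rows into elements.

    label_column  : CSV column mapped to the element label.
    attribute_map : optional {csv_column: model_attribute} renames; columns
                    that are not listed keep their own name.
    Returns (elements, rejected_rows); rows without a label are reported,
    not silently dropped.
    """
    attribute_map = attribute_map or {}
    reader = csv.DictReader(io.StringIO(text))
    columns = reader.fieldnames or []
    missing = [c for c in [label_column, *attribute_map] if c not in columns]
    if missing:
        raise ValueError(f"mapping refers to unknown column(s): {missing}")

    elements, rejected = [], []
    for row in reader:
        row_number = reader.line_num  # line in the source; the header is line 1
        label = (row.get(label_column) or "").strip()
        if not label:
            rejected.append(row_number)
            continue
        attributes = {}
        for column, value in row.items():
            if column == label_column or value in (None, ""):
                continue
            # Surplus cells beyond the header arrive under the key None.
            name = "_extra" if column is None else attribute_map.get(column, column)
            attributes[name] = value
        elements.append(AcquiredElement(
            label=label,
            attributes=attributes,
            provenance={"source": source, "row": row_number,
                        "label_column": label_column,
                        "renamed": dict(attribute_map)},
        ))
    return elements, rejected
```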
7.2.2 Synthesis<br />
Synthesis tasks assist investigators in enhancing the target model:<br />
Creating, editing, and deleting entities. Investigators basically think in terms of people,<br />
places, things, and their relationships.<br />
Creating, editing, and deleting associations. The impact of association analysis on investigative<br />
tasks is crucial to the creation of the target model. Descriptive associations between<br />
entities help discover similarities and ultimately solve investigation cases.<br />
Re-structuring. During an investigation, information structures are typically emerging<br />
and evolving, requiring continuous re-structuring of entities and their relations.<br />
Grouping. Investigators often group entities using symbols like color and co-location<br />
(weak), or they use labeled boxes (strong). Groupings can be used to highlight and emphasize<br />
particular entities and their relations.<br />
Collapsing and expanding information is essential since the space available for manipulating<br />
information is limited physically, perceptually, and cognitively. Zooming is a way to<br />
visually collapse or expand information in the space; however, depending on the zooming<br />
degree, it facilitates information overview at the expense of information clarity.<br />
Brainstorming is often used in the early phases of an investigation to get an initial overview<br />
of the target and the investigation at hand. Brainstorming is an example of a task that<br />
involves both synthesis and sense-making activities. Brainstorming is often supported by<br />
different types of mind mapping tools that allow the generated information elements to be<br />
organized in a hierarchical manner.<br />
Information types. Multimedia support is helpful when investigators want to add known<br />
positions of persons to a map or link persons to different segments within an audio file. This<br />
would support, for example, more intuitive storytelling.<br />
Emerging attributes are needed to support import of data sets and emerging attributes<br />
in investigations as well as imported algorithms.<br />
7.2.3 Sense-making<br />
Sense-making tasks assist investigators in extracting useful information from the synthesized<br />
target model:<br />
Retracing the steps. Criminal network investigators often retrace the steps of their investigation<br />
to see what might have been missed and where to direct resources in the continued<br />
investigation. Walking through an existing recorded investigation is used by new team members<br />
to understand the current status of the investigation and for training purposes.<br />
Creating hypotheses. Generating hypotheses and possibly competing hypotheses is a core<br />
task of investigation that involves making claims and finding supporting and opposing evidence.<br />
Investigators use both fact- and inference-based reasoning to rationalize about their<br />
beliefs either in a top-down or bottom-up manner. This results in different interpretations of<br />
the information at hand (sequences of information, thought experiments, alternative stories,<br />
etc.).<br />
Adaptive modeling. Representing the expected structure of networks for pattern and<br />
missing link detection is a proactive sense-making task. Adaptive modeling embeds the tacit<br />
knowledge of investigators in network models for prediction and analysis.<br />
Prediction. The ability to determine the presence or absence of relationships between and<br />
groupings of people, places, and other entity types is invaluable when investigating a case.<br />
Alias detection. Network structures may contain duplicate or nearly duplicate entities.<br />
Alias detection can be used to identify multiple overlapping representations of the same real<br />
world object.<br />
Exploring perspectives. To reduce the cognitive biases associated with a particular mind<br />
set, exploring different perspectives (views) of the information is a key investigative task.<br />
Decision-making. During an investigation, decisions have to be made such as selecting<br />
among competing hypotheses and selecting among alternative interpretations of the information.<br />
Social network analysis. Network centrality measures such as degree, betweenness, closeness,<br />
and eigenvector can provide important investigation insights.<br />
Terrorist network analysis. A terrorist network is a special kind of social network with<br />
emphasis on both secrecy and efficiency (especially covert terrorist networks). Operational<br />
focus is on destabilization, and techniques include inference-based prediction, measures of<br />
link efficiency and secrecy to determine link importance, and community and key players<br />
detection.<br />
7.2.4 Dissemination<br />
Dissemination tasks help the criminal network investigators to formulate their accumulated<br />
knowledge for the customer:<br />
Storytelling. Investigators ultimately “tell stories” in their presentations when disseminating<br />
their results. Organizing evidence by events and source documents are important tasks,<br />
so that the story behind the evidence can be represented.<br />
Report generation involves graphics, complete reports, subspaces, etc. Being able to<br />
produce reports fast is important in relation to time-critical environments and frequent<br />
briefing summaries.<br />
7.2.5 Cooperation<br />
Cooperation is a natural part of investigations. Cooperation leads to better synthesis and<br />
sense-making that is informed by more perspectives. In addition, more advanced communication,<br />
collaboration, and coordination support is necessary to support asynchronous and synchronous<br />
cooperation among team members, situations where investigators are distributed in time and<br />
space, as well as advanced investigation work flows.<br />
Shared information space. Sharing of the target model among team members is the<br />
starting point of cooperation.<br />
Discover emergent collaboration. The discovery of emergent collaboration would help<br />
the coordination of resources by putting investigators analyzing similar or the same entities<br />
in touch with each other.<br />
Shared work flows. Sharing work flows, like sense-making work flows and custom algorithms<br />
or mining work flow patterns from the previous use of intelligence information.<br />
7.3 Summary of process model and tasks<br />
We have developed and presented a target-centric process model for criminal network investigation.<br />
We have also defined a list of investigation tasks based on our aggregated domain knowledge,<br />
for each of five processes in the model (acquisition, synthesis, sense-making, dissemination, and<br />
cooperation). The process model was developed as a response to the challenge that process poses<br />
to criminal network investigation, but it will also be used as a framework for our development of<br />
software tool support for criminal network investigation. Each process has a dedicated chapter<br />
(Chapters 9 to 13) where tasks for that process are further analyzed, designs for the implementation<br />
of each task are presented, and finally CrimeFighter support of those tasks is reviewed.<br />
We have primarily focused on synthesis and sense-making processes as they were found to be most<br />
central to our hypothesis and research focus requirements. Less focus has been on acquisition and<br />
dissemination, while cooperation has received only limited attention, and will be part of our future<br />
work. We will evaluate the process model and tasks by comparing the implemented support<br />
in CrimeFighter Investigator against the capabilities of similar commercial tools and research<br />
prototypes (see Section 15.3).<br />
CHAPTER 8<br />
Concepts, models, and components for CrimeFighter Investigator<br />
That which is over designed, too highly specific, anticipates outcome;<br />
the anticipation of outcome guarantees, if not failure, the absence of<br />
grace.<br />
[William Gibson]<br />
Perfection is reached not when there is no longer anything to add, but<br />
when there is no longer anything to take away.<br />
[Saint-Exupéry]<br />
Initially, we wanted to present an elaborate analysis, design, and implementation of a domain-independent<br />
framework for knowledge management, based on our research of and experience with<br />
criminal network investigation and other ill-structured problems, such as software development<br />
planning. However, we realized that it would be of much more importance and relevance to present<br />
the basic concepts we developed for criminal network investigation and the software components<br />
we built to support them. As Sifakis (2011) mentions in his review of computer science: “we<br />
should study principles in building correct systems from components” [202].<br />
In this chapter, we describe our developed conceptual and computational models (see Figure 8.1).<br />
An overview of mathematical models (or techniques) was given in Section 5.9, and examples<br />
of computational models for some of these techniques that CrimeFighter Investigator supports<br />
are explained in Chapter 11 covering criminal network sense-making. We have separated structural<br />
concerns from the default mathematical models<sup>78</sup>, since the mathematical models should be<br />
able to process or adapt to any structural model they are faced with and not only the traditional<br />
navigational structures. Frequently used structural models are reviewed in Section 5.1, and CrimeFighter<br />
Investigator designs and support using these structural models are covered in Chapter 10<br />
on criminal network synthesis. In summary, we have, like others, weighed the trade-offs between<br />
“representations designed for human perception and use, and those designed for computer manipulation”<br />
[95], and the result was an improved understanding of separated structural, mathematical,<br />
and computational models that support both synthesis and sense-making, separately but more<br />
importantly combined for criminal network analysis (synthesis and sense-making), as shown in<br />
Figure 8.1.<br />
The remainder of this chapter is organized as follows: In Section 8.1 we describe our conceptual<br />
criminal network investigation model and how it was developed, followed by different aspects of our<br />
computational model in Section 8.2. Section 8.3 outlines basic concepts for information, process,<br />
Figure 8.1: Conceptual, structural, mathematical and computational models for support of individual<br />
synthesis and sense-making processes, but more importantly also for criminal network<br />
analysis (both synthesis and sense-making).<br />
and human factors research focus requirements, and relates these to specific software components.<br />
Requirements for a selection of these components are given in Section 8.4 and their designs are<br />
presented in Section 8.5. Finally, we give a short introduction to the basic concepts supported by<br />
CrimeFighter Investigator in Section 8.6.<br />
8.1 Conceptual model<br />
The building blocks of criminal networks are information entities. The CrimeFighter Investigator<br />
conceptual model (Figure 3.1) defines three such entities, namely information elements (nodes),<br />
relations (links), and composites (groups), as shown in Figure 8.2 (and Figure 8.1). Information<br />
elements hold information about real-world objects. Investigators basically think in terms of<br />
people, places, things, and their relationships. For visual abstractions of the information element<br />
we use rectangular visual symbols for simplicity, but they could have any form (circles, triangles,<br />
etc.) to illustrate different types of real-world objects. Relations represent links of different types<br />
and weights that can associate information entities directly. We refer to the connecting ends<br />
of relations as endpoints. Links have two endpoints, they can be both directed and undirected,<br />
and they have different visual abstractions (see Figure 8.2, middle). Composites are used to<br />
organize entities in sub groups. We work with three types of composites: reference composites<br />
are used to group entities in the common information space, inclusion composites can collapse<br />
and expand information to let investigators work with subspaces, and relation composites are<br />
technically inclusion composites for relations instead of information elements (see also Chapter<br />
10 for analysis, design, and support of composites). The circles in Figure 8.2 indicate connection<br />
endpoints for each entity type.<br />
Previous research on criminal networks has to a large degree focused on making sense of nodes.<br />
Links are seldom first class objects in the terrorism domain models with the same properties as<br />
nodes. This is in contrast to the fact that the links between the nodes provide at least as much<br />
relevant information about the network as the nodes themselves [79]. The nodes and links of<br />
criminal networks are often laid out at the same level in the information space. Composites are first<br />
Figure 8.2: Abstract conceptual model.<br />
Figure 8.3: CrimeFighter Investigator conceptual model - software components.<br />
class entities that add depth to the information space. Navigable structures and entities (including<br />
composites) are useful for investigative synthesis tasks such as manipulating, re-structuring, and<br />
grouping entities [174]. The way a criminal network breaks down into subgroups can reveal levels<br />
and concepts of organization and help us to understand how the network is structured [155].<br />
An information entity comprises several components. Each entity has a set of dynamic attribute(s)<br />
(meta data). Currently three types of attributes are supported: strings (single line of text), text<br />
areas (multiple lines of text), and enumerations (a defined set of allowed values). The visual<br />
abstraction of an entity is computed from its visual content and menu button(s). The visual<br />
content is used to create the default information elements available in CrimeFighter Investigator,<br />
which are all composed using geometric shapes (circles, lines, rectangles and polygons). A number<br />
of menu buttons can be added to entities to create a link to a specific functionality. The examples<br />
shown in Figure 8.3 are the delete button (X symbol) and the attributes button (A symbol).<br />
Below, we summarize information elements, relations, and composites we have come across in our<br />
studies of criminal networks, investigations thereof, and tool support therefor. See Chapter 3 on<br />
criminal network investigation, our review of theory and technology in Chapter 5, and related<br />
work on commercial tools and research prototypes for criminal network investigation in Chapter<br />
4. We focus on the functional and visual parts of entities that are consistently there, but might<br />
be positioned differently in relation to other elements/parts of the entities. Figure 8.5 shows some<br />
examples of the different kinds of entities we came across in our analysis, which will be used as the<br />
basis for our design below. But first a review of and our perspective on entity layers.<br />
8.1.1 Entity layers<br />
As previously mentioned, the basic entities of CrimeFighter Investigator are information elements,<br />
relations, and composites. These are placed in the information layer of the architecture for instantiations<br />
of the conceptual model, as shown in Figure 8.4. Instances of information elements,<br />
Figure 8.4: CrimeFighter Investigator conceptual model entity layers.<br />
relations, and composites can be created to serve the domain-specific information analysis tasks,<br />
e.g. for criminal network analysis a person would be an obvious and often used information<br />
element.<br />
Information elements and relations are both associated with a set of entity specific attributes and<br />
rules. Information elements are also associated with an adaptive graphical abstraction. In Figure<br />
8.4 it is a stick man figure, but we also imagine a more detailed abstraction showing physical<br />
characteristics of a group of people or maybe a photograph of the specific person. Relations are<br />
associated with less adaptive graphical abstractions, only visual symbols such as color and line<br />
thickness can be edited. Composites can be outlined, and either have a solid background of some<br />
color, be transparent, or empty. Examples of visual abstractions can be seen in Figure 8.5.<br />
The associative semantics of information elements, relations, and composites are embedded in<br />
the structure layer. The structure layer is divided into two sub layers, the spatial and network<br />
layers. The semantics of the spatial layer is based on the physical co-location of information<br />
elements in the information analysis space. The semantics of the network layer is based on the<br />
relations connecting information elements. The presentation layer facilitates visualization of and<br />
the user’s interactions with the underlying layers. Interactions based on drag and drop gestures<br />
and direct manipulation of information element and relation content are key to mimicking physical<br />
cards-on-table information analysis.<br />
8.1.2 Information element designs<br />
We use the information element examples in Figure 8.5 as a point of reference. We summarize<br />
the ideas presented below (as well as for relations and composites), when we define requirements<br />
for the entity component in Section 8.4.1. Information elements represent different types of information<br />
about investigation entities such as persons, locations, organizations, etc. and about<br />
Figure 8.5: Examples of entities that we have come across in our reviews and analyses.<br />
information entities such as emails, articles, notes, reports, etc. (see Figure 8.5). A number of<br />
information elements should be available by default (i.e., some degree of domain-orientation assists the<br />
user [91]). If a criminal network investigation team needs additional types of information elements<br />
to better depict their case, new information elements should be easy to create and add to the<br />
default list. Information elements must be component-based to make them dynamic and flexible.<br />
A separation of content and human-computer interaction areas is preferred, as they have different<br />
functional purposes. A content space contains the visual abstraction (i.e., a combination of graphics<br />
and interactive areas with or without text). The menu space holds a number of menu buttons<br />
that can access specific interactions (e.g., delete), or the content of the information element (e.g.,<br />
attributes used for meta data). If we base the graphical abstractions of information elements<br />
on geometric shapes such as circles, rectangles, and triangles, it will be possible to make human<br />
perception easier and faster, compared to more textual representations.<br />
8.1.3 Relation designs<br />
Again, we use the relation examples in Figure 8.5 as a point of reference. CrimeFighter Investigator<br />
relations must capture relationships between information elements [33]. A relation can hold textual<br />
information about the nature of the relation (e.g., “leader-of”, “lives-at”, etc.) as well as the<br />
direction of the relation (unidirectional or bidirectional), see Figure 8.5 for examples. Relations<br />
must be first class entities, just like information elements; this means that they will have attributes<br />
for holding meta data, investigators can interact with relations in the same manner as information<br />
elements, and finally, the visual semantics must be the same. If an information element linked with<br />
a relation is deleted, the relation itself cannot be deleted; the action performed on the information<br />
element was independent from the relation, and the relation should therefore not be affected,<br />
except for the fact that it can no longer be connected to that information element, obviously.<br />
If both endpoints are deleted, the relation should be movable in a fashion similar to that of<br />
information elements and composites. Functionality for reconnecting relations to other entities<br />
must be supported, preferably using drag and drop.<br />
8.1.4 Composite designs<br />
As above, we use the composite examples in Figure 8.5 as a point of reference. CrimeFighter<br />
Investigator support of composites would be useful in terms of grouping information elements and<br />
relations in the information space [82]. Composites must be first class entities, just like information<br />
elements and relations. As an example, if two persons are considered to belong to either of two<br />
groups, but it is unclear which one, overlapping composites could be used to indicate that they<br />
are in both composites. It would be a way of representing what is known at that time in the<br />
investigation, which is what criminal network investigators often ask themselves: what do we<br />
know? [52]. Relation composite is another type of composite that would allow investigators to<br />
group multiple relations between two entities (such as multiple emails or phone calls between two<br />
persons) into a single visible entity (composite). Relation composites group relations by inclusion.<br />
A third type of composite could be useful for support of collapsing and expanding information.<br />
This type of composite would group all information elements by inclusion. It must be considered<br />
whether relations that are internal to the composite (i.e., have both endpoints inside)<br />
should be included or not, and whether or not external relations (one endpoint outside) are<br />
referenced or included. This type of composite would support the concept of a subspace, allowing<br />
the investigators to work in detail with a portion of the overall network. Ideally, a subspace would<br />
provide the same functionality as the space.<br />
8.2 Computational model<br />
Associations between entities are the basic input for computations. Here, we further enhance the<br />
computational model for criminal networks proposed in [244] to assist criminal network investigators<br />
searching for specific patterns in their gathered information. We furthermore propose the<br />
need to describe the nature of links and nodes, and thereby extend the traditional social network<br />
analysis model: “without accounting for the content of communication, social network analysis<br />
runs into the pizza guy delivery problem: confusing regular contact with significant contact” [26].<br />
A person A can be related to a person B in a number of ways, and any subset of these relations<br />
can mean something within a certain context, and hence would be weighted differently according<br />
to their importance. The complete set of relations would constitute what is known about the<br />
relationship at that place in time.<br />
During target-centric criminal network investigations, the investigative team adds information<br />
pieces as they are discovered and step-by-step information structures emerge as entities are associated.<br />
We have observed that initially the information entities are placed randomly in an<br />
information space. If a new entity is somehow associated with an entity already in the shared<br />
information space, then it is positioned next to that entity (co-located). Later, some co-located entities<br />
are directly associated using link entities, because the investigators have learned the nature of<br />
the relationship between the entities. Depending on the level of time criticality (e.g., high security<br />
risk), a decision has to be made at some point. When the network is fragmented and incomplete<br />
such decision-making can be a challenging task due to the uncertainty. Sense-making algorithms<br />
are often applied to assist investigators in making these decisions and we discuss measures of<br />
centrality for individual network entities below.<br />
Information entity associations form information structures and centralities are computed based<br />
on these associations. Consequently, associations impact the measures of centrality we want to<br />
calculate. Criminal network investigation has to a large degree so far focused on the direct association<br />
of nodes. Links are seldom first class objects in the terrorism domain models with the same<br />
properties as nodes. This is in contrast to the fact that the links between the nodes provide at least<br />
as much relevant information about the network as the nodes themselves [79]. The nodes and links<br />
of criminal networks are often laid out at the same level in the information space when the network<br />
is visualized. Composites (groups) are first class entities that add depth to the information space.<br />
For investigative purposes navigable structures and entities (including composites) are useful for<br />
synthesis tasks such as manipulating, re-structuring, and grouping entities. Our understanding of<br />
information links (relations) and groups (composites) is based on hypertext research [174].<br />
CrimeFighter Investigator supports two structure algorithm types: measures (e.g., entity centrality)<br />
and transformative algorithms (e.g., prediction of entities). Combinations of these are referred<br />
to as custom algorithm types. Custom algorithms are templates of specific criminal network investigation<br />
work flows, e.g., understanding the secondary effects of entity removal or insertion.<br />
All algorithms implement the report interface, where an algorithm’s report elements and design are<br />
defined. Rules are used to describe entity-to-entity relations, attribute cross products etc. Each<br />
algorithm has a set of general settings and specific settings. Specific settings include algorithm<br />
hooks, i.e., the entity attributes that algorithms base their computations on, and customizable<br />
algorithm parameters.<br />
8.2.1 Entity association design<br />
Based on the concepts of centrality and association, we outline a topology of associations between<br />
criminal network entities which impact the centrality of individual entities to varying degrees.<br />
Our topology is divided into direct and semantic associations (see Figures 8.6 and 8.7). Direct<br />
associations are expressed using link entities. The link may be weak by weight (low value), by<br />
type (rumor, acquaintance, one-visit-to, etc.), or by evidence (uncorroborated, questionable<br />
newspaper, etc.), but it is nonetheless interpreted as a direct association by sense-making algorithms<br />
and in visualizations. Semantic associations between criminal network entities are built incrementally<br />
based on the tacit knowledge of investigators and the investigation domain their target<br />
operates within. Initially, investigators express information “via visual or textual means and later<br />
formalize that [information] in the form of attributes, values, types, and relations” [197].<br />
The visual symbol for direct associations is a thick solid line, and thin solid circles indicate entity<br />
connection points in Figures 8.6 and 8.7. The visual symbol for semantic associations is a dashed<br />
line and dashed circles indicate connection points. We realize that some of these associations<br />
are more relevant than others, and it is exactly this relevance of alternative associations that we<br />
are investigating in this section. In Figure 8.6a to 8.6c, we show three classic associations: the<br />
node-link-node association is the most frequently used (8.6a), together with the less frequently<br />
used node-link-group (8.6b) and group-link-group (8.6c) associations.<br />
(a) node-node (b) node-group (c) group-group<br />
(d) link-link (e) empty endpoint I (f) node-sub node (g) empty endpoint II<br />
Figure 8.6: Direct associations in our topology include classic associations (a-c) and novel associations<br />
in terms of centrality measures (d-g).<br />
(a) clique I (b) clique II (c) meta data (d) sequential<br />
(e) group-subgroup (f) node-subnode (g) node below<br />
Figure 8.7: Semantic associations in our topology include spatial associations (a-d) and hierarchical<br />
associations (e-g).<br />
Figures 8.6d to 8.6g show four examples of direct associations that occur in criminal network<br />
investigations, but are not included when entity centrality is computed. A link could be the<br />
target of an investigation, e.g., Daniel Pearl was investigating whether or not there was a link<br />
between Richard Reid (the shoe bomber) and the leader of a local radical Islamist group [162].<br />
Other examples include knowledge about the money transfer between two individuals or that<br />
one individual had seen them talk at the same location on numerous occasions (Figure 8.6d).<br />
The empty endpoint is another example of a direct association that occurs in criminal network<br />
investigations, but is not (directly) addressed by traditional centrality algorithms. The need to<br />
include empty endpoints in centrality is straightforward: if investigators know that someone is<br />
distributing drugs to three individuals, e.g., based on wire taps, but they don’t know who those<br />
individuals are, then an empty endpoint can be used until it is clear. This could be the case for<br />
both nodes and groups (see Figure 8.6e and 8.6g). Finally, direct associations between entities<br />
outside groups to entities inside groups are needed (both for reference and inclusion composites,<br />
see Figure 8.6f). When criminal network investigators start grouping entities, structures where<br />
entities outside the group are linked to entities inside the group might emerge. But the relation<br />
still has an association to that entity in the subgroup.<br />
The semantic co-location association should be used carefully by investigators. If the investigators<br />
position entities near each other spatially because they are assumed to be related somehow, then<br />
it will make sense to use spatially based associations. But if not, then it will simply clutter the<br />
network with non-relevant relations. If entities are placed near each other or as overlapping entities<br />
it could mean that they are forming a sort of clique (Figure 8.7a and 8.7b). Also, as is the case<br />
in the analyzed organized drug crime investigation board, positioning entities next to or around a<br />
(centered) entity could mean that the information entities are meta data about the centered entity<br />
(Figure 8.7c). Entities positioned next to each other horizontally or vertically, could mean that<br />
the entities represent a sequence (Figure 8.7d).<br />
Semantic hierarchical associations can occur either when composites are used or when information<br />
entities are positioned spatially in a manner that resembles that of a hierarchy. If a group contains<br />
single information entities and subgroups, the single entities must have some sort of relationship<br />
to the entities in the subgroups since their overall classification is the same (Figure 8.7e). Also<br />
it could be that a single entity is associated with a composite (group) and therefore might have<br />
some sort of relation with entities within that composite (Figure 8.7f). Finally, positioning entities<br />
in spatial hierarchies as shown in Figure 8.7g indicates that entities below other entities represent sub<br />
entities.<br />
The topology of associations can be seen as a wish list of requirements for what a computational<br />
model for criminal network investigation should support in this regard. The topology is not exhaustive;<br />
we expect to uncover additional associations over time, especially new semantic associations<br />
based on temporal distance (when individuals appear on an investigation time line together with<br />
other individuals and events etc.), distance between entities in the real world, distance in family<br />
ties, and so on.<br />
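The association topology above, together with the relation semantics of Section 8.1.3, as an added Python example that is not code from CrimeFighter Investigator: relations are first-class objects whose endpoints may be empty, deleting an entity detaches its relations instead of deleting them, and a weighted degree is computed with and without the associations that classic centrality ignores.<br />
The class and method names, the sample network, and the rule that a composite's degree counts links crossing its boundary are assumptions made for this illustration.<br />

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entity:
    """Information element (node) or composite (group)."""
    name: str
    members: set = field(default_factory=set)  # non-empty only for composites


@dataclass
class Relation:
    """First-class link: typed, weighted, with its own attributes.
    Either endpoint may be None, i.e. an empty endpoint."""
    kind: str
    a: Optional[str]
    b: Optional[str]
    weight: float = 1.0
    attributes: dict = field(default_factory=dict)


class Network:
    def __init__(self):
        self.entities = {}
        self.relations = []

    def add(self, name, members=()):
        self.entities[name] = Entity(name, set(members))

    def link(self, kind, a, b, weight=1.0, **attributes):
        rel = Relation(kind, a, b, weight, attributes)
        self.relations.append(rel)
        return rel

    def delete_entity(self, name):
        """Deleting an entity keeps its relations; the endpoint becomes empty."""
        del self.entities[name]
        for entity in self.entities.values():
            entity.members.discard(name)
        for rel in self.relations:
            if rel.a == name:
                rel.a = None
            if rel.b == name:
                rel.b = None

    def dangling(self):
        """Relations with at least one empty endpoint, awaiting reconnection."""
        return [r for r in self.relations if r.a is None or r.b is None]

    def classic_degree(self, name):
        """Weighted degree over node-link-node associations only."""
        return sum(r.weight for r in self.relations
                   if name in (r.a, r.b) and None not in (r.a, r.b))

    def extended_degree(self, name):
        """Weighted degree that also counts empty endpoints and, for a
        composite, links crossing its boundary to a member (assumption)."""
        members = self.entities[name].members
        total = 0.0
        for r in self.relations:
            if name in (r.a, r.b):
                total += r.weight
            elif (r.a in members) != (r.b in members):
                total += r.weight
        return total


def build_sample():
    """Constructed sample network, not data from the dissertation."""
    net = Network()
    for person in ("distributor", "courier", "driver", "pizza guy"):
        net.add(person)
    net.add("cell", members=("courier", "driver"))
    for _ in range(3):  # three buyers known only from wire taps
        net.link("supplies", "distributor", None, source="wire tap")
    net.link("meets", "distributor", "courier", weight=0.5)
    net.link("works-with", "courier", "driver")
    # Regular but insignificant contact gets a low weight.
    net.link("delivers-to", "pizza guy", "distributor", weight=0.125)
    return net


if __name__ == "__main__":
    net = build_sample()
    print("classic :", net.classic_degree("distributor"))
    print("extended:", net.extended_degree("distributor"))
    print("cell    :", net.extended_degree("cell"))
    net.delete_entity("courier")
    print("relations kept:", len(net.relations), "dangling:", len(net.dangling()))
```
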
8.3 Concepts and components<br />
Based on the research focus requirements we listed in Chapter 6 for each of three criminal network<br />
investigation challenges (information, process, and human factors), we propose a list of<br />
generic knowledge management system and hypertext concepts and explain how they can support<br />
these research focus requirements. Based on the generic knowledge management requirements,<br />
we decompose these knowledge management system and hypertext concepts into actual software<br />
components (see Figure 8.8). Some concepts are supported by multiple components, while others<br />
have been directly mapped to an equivalent component.<br />
Figure 8.8: Concepts and components from research focus requirements.<br />
Below is a selection of the concepts in Figure 8.8, and what we mean by each one, and what<br />
individual research focus requirements they relate to (refer to Figure 8.8 for the name of research<br />
focus requirements). The list contains concepts mentioned when presenting the CrimeFighter<br />
toolbox, when reviewing hypertext structures,<br />
1. Information. A tool for criminal network investigation must encapsulate (pieces of) information,<br />
making it available for interaction and manipulation. The information concept relates<br />
to information #1 (emergent and fragile structures) and information #2 (integrating<br />
information sources).<br />
2. Structure domains. To support different structuring domains and to be able to separate<br />
the structural models from the mathematical models, the structure domains have to be well<br />
defined. Hypertext provides us with such well defined structures. The structure domains<br />
concept relates to information #1 (emergent and fragile structures) and process #4<br />
(integrating conceptual and computational models).<br />
3. Versioning. Supporting different versions of a criminal network investigation is essential,<br />
and the concept of versioning offers different approaches to such support. The versioning<br />
concept relates to information #1, #2, and #4.<br />
4. Storage. The information and knowledge generated during investigations have to be saved<br />
for later retrieval and continued investigation. Storage is a different kind of versioning, not<br />
having the same conceptual meanings as the versioning concept above. With a knowledge<br />
base in place, storage becomes a matter of being able to externalize or share (parts of)<br />
a criminal network investigation. We do not consider storage to be related to any of the<br />
research focus requirements.<br />
5. Interpretation. The investigator’s interpretation of events, open questions, or other parts<br />
of an ongoing criminal network investigation. This concept relates particularly to human<br />
factors #1 and human factors #4.<br />
6. Analysis refers to either the investigator organizing the available evidence in ways to make<br />
associations between information pieces more clear, or the use of algorithm-based tools for<br />
semi-automated analysis. The concept of analysis primarily relates to the research focus<br />
requirements information #3 and human factors #1, #2, and #4.<br />
It is tempting to start drawing lines between concepts and components in Figure 8.8, but it defeats<br />
the purpose of focusing on individual components instead of a complete framework; as long as the<br />
component interface is clearly defined (i.e., abstracted to a suitable level), there should be so<br />
many possible combinations of these components, that drawing lines becomes pointless. Instead,<br />
we present each mentioned software component and the knowledge management and hypertext<br />
system concepts these components are intended to support in a software tool for criminal network<br />
investigation. The components are listed according to their importance and focus for our Ph.D.<br />
project (see the next section for component requirements).<br />
1. Entity is the basic information component, a prerequisite for support of all concepts.<br />
2. History is a component for support of versioning.<br />
3. The algorithm component will support analysis.<br />
4. Datafile is a component for storage of criminal network investigations.<br />
8.4 Component requirements<br />
For the software concepts presented in Section 8.3, we define a list of component requirements<br />
for each of the four components we chose to focus on in the previous section. First in<br />
Section 8.4.1, for the most basic concept Entity we list design requirements, followed by History<br />
(see Section 8.4.2), Algorithm (see Section 8.4.3) and Datafile (see Section 8.4.4).<br />
8.4.1 Entity requirements<br />
First, for the most basic concept, we have created information entity requirements based on analysis<br />
done in this Ph.D. dissertation together with our previous work [165,170]. These requirements<br />
are presented below and will primarily support the research focus requirements information #1<br />
(emerging and fragile structure), process #3 (simple tools ease-of-use), and process #4 (human-tool<br />
synergy), but in general the entity will be the basic supporting element of all research focus<br />
requirements.<br />
1. Graphical abstractions. 2D graphical composites constructed using geometric shapes<br />
should be supported. Each geometric shape must be placed relative to the information<br />
element’s (0,0) position, i.e. the position of the information element’s upper left corner on<br />
the space.<br />
Our motivation is to provide a proper but easily comprehensible visual abstraction for usage-oriented<br />
information elements. This would provide the spatial hypertext developer with an<br />
opportunity to set up some conceptual relationships, prior to the user getting system access.<br />
2. Interactive abstractions. All geometric shapes (e.g., circles and polygons) should be<br />
interactive in the sense that clicking them creates an event, on which the spatial hypertext<br />
can act. This also covers simple textual visualizations such as rectangular labels.<br />
This is partly due to our positive experience with a board-based approach using direct-manipulation<br />
techniques, as opposed to the more obstructive form-based approach where all<br />
available fields have to be edited through a pop-up dialog box. Also it supports the creation<br />
of yet-to-be imagined visual abstractions representing information elements.<br />
3. Editable abstractions. The visual abstractions of pre-defined usage-oriented information<br />
elements should not be locked. They should be editable through an embedded abstraction<br />
editor (see next requirement). They should also be stored in a format which would allow them to be<br />
edited in a third party structural drawing application or used by other spatial hypertexts.<br />
4. Typed abstractions. To support automated and meaningful (i.e., usage-related) view-generation,<br />
all visual abstractions must allow type assignment.<br />
5. Visual cues. Textual cues like text alignment, font, font size, number of lines of text, text<br />
width. Graphic cues like background image, background/border color, transparency.<br />
6. Bidirectional mappings. The framework should support a graphical approach to bidirectional<br />
(two-way) mappings between visual representations and their underlying data<br />
stores. We propose to embed an information element editor within spatial hypertexts, offering<br />
drag-and-drop ‘entity attribute to visual abstraction’ mapping options. We propose<br />
a drag and drop approach where a data field is grabbed and dropped onto one shape in the<br />
drawing area. The mapping between the data field and the geometric shape is automatically<br />
generated.<br />
8.4.2 History requirements<br />
The aim of the history component is to provide support beyond traditional undo-redo, and we will<br />
list requirements that reflect this. Undo-redo can be realized using a linear history which records<br />
criminal network investigation deltas, and we use this as a starting point, but the component should also support<br />
branched history, navigation of branched history, story telling etc. Our requirements are based<br />
on our own criminal network investigation domain knowledge and previous work on history and<br />
branched history [96,117,198]. A history component would support the requirements information<br />
#4 (versioning support) and to a certain degree process #2 (lossless data abstractions) and<br />
process #3 (make everybody stakeholders).<br />
1. Event. The basic entities of criminal network investigation history are events. Events must<br />
encapsulate the investigators’ interaction with information in the common information space,<br />
as well as the tool’s interactions with that information (see algorithm requirements in Section<br />
8.4.3). Examples of criminal network investigator interactions are creating, deleting,<br />
and updating entities, and moving entities. It would be relevant to record sense-making<br />
interactions as well: the investigator requested betweenness centrality measures, the user<br />
made the following updates in the time line view. Such information might be relevant for<br />
retracing the steps in the future. Examples of tool interactions with information include algorithms<br />
transforming the criminal network.<br />
2. Type of event. There are many types of basic history events, such as create, delete, move,<br />
update, etc. Sense-making event types might include applied measure algorithm or applied<br />
transformative algorithm. Such basic event types are required, to know what to do, when<br />
navigating the history event, whether it is navigation of a linear or branched history.<br />
3. Content of event. Some network content is associated with history events. If the type is<br />
create, then the content might be a single information element, relation, or composite. If<br />
the event is applied transformative algorithm, the content of the event might be a network<br />
structure of information elements, relations, and composites all together. Again, information<br />
about the content is required for navigating history.<br />
4. Visual symbols. The type of event and content of event would benefit from visual symbols,<br />
to be able to differentiate between them. Supporting user choice of symbol would be<br />
preferred.<br />
5. Editable. History must be editable. A fine grained history is often required to capture all<br />
events, but this is not suitable for dissemination to intelligence customers or fellow investigators.<br />
Grouping and annotation of events is therefore required.<br />
6. Parser. A parser is required that searches for patterns in history, e.g., these three events were created<br />
within seconds of each other, and we therefore assume they are part of the same synthesis<br />
action. The history parser should ask the user to approve history editing patterns before<br />
applying them automatically to series of history events.<br />
7. Structure. The history should support structure domains. We imagine that taxonomic<br />
structure will be necessary to support a branched history [96, 117]. Navigational structures<br />
would be necessary to present jumps between events in different branches of history. This<br />
could be used for story telling, i.e. comparison of decisions made in different branches of<br />
investigation history.<br />
One particular related parameter to consider is the amount of memory required to store the history<br />
supporting the requirements we have described above 79 , i.e., a fine grained, branched history,<br />
supporting the investigator’s interactions with information in a common information space.<br />
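The grouping behaviour asked for in requirements 5 and 6 is shown in code below. This is an added example, not code from CrimeFighter Investigator; the event fields, the five-second gap, the minimum run length of three, and the approve callback standing in for the user’s confirmation are assumptions made for illustration.<br />

```python
from dataclasses import dataclass
from typing import List


@dataclass
class HistoryEvent:
    timestamp: float  # seconds since the investigation was opened (assumed unit)
    type: str         # "create", "delete", "move", "update", ...
    content: str      # id of the entity the event touched


@dataclass
class EventGroup:
    events: List[HistoryEvent]
    annotation: str


def propose_groups(events, event_type="create", max_gap=5.0, min_size=3):
    """Find runs of consecutive events of one type, each within max_gap
    seconds of the previous one. Nothing is changed; these are proposals."""
    proposals, run = [], []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.type == event_type and run and ev.timestamp - run[-1].timestamp <= max_gap:
            run.append(ev)
            continue
        # The run is broken by a time gap or by an event of another type.
        if len(run) >= min_size:
            proposals.append(run)
        run = [ev] if ev.type == event_type else []
    if len(run) >= min_size:
        proposals.append(run)
    return proposals


def edit_history(events, approve, **pattern):
    """Replace each approved run with one annotated EventGroup. Rejected
    runs stay fine grained, so the investigator keeps control of the edit."""
    ordered = sorted(events, key=lambda e: e.timestamp)
    approved = [run for run in propose_groups(ordered, **pattern) if approve(run)]
    run_of = {id(ev): run for run in approved for ev in run}
    edited, emitted = [], set()
    for ev in ordered:
        run = run_of.get(id(ev))
        if run is None:
            edited.append(ev)
        elif id(run) not in emitted:
            emitted.add(id(run))
            note = f"synthesis action: {len(run)} x {ev.type}"
            edited.append(EventGroup(events=run, annotation=note))
    return edited


# Constructed sample history: three person elements created in quick
# succession, one move, two slower creates, then three relations in a burst.
SAMPLE_HISTORY = [
    HistoryEvent(0.0, "create", "p1"),
    HistoryEvent(1.2, "create", "p2"),
    HistoryEvent(2.9, "create", "p3"),
    HistoryEvent(40.0, "move", "p1"),
    HistoryEvent(100.0, "create", "p4"),
    HistoryEvent(101.0, "create", "p5"),
    HistoryEvent(300.0, "create", "r1"),
    HistoryEvent(302.0, "create", "r2"),
    HistoryEvent(303.5, "create", "r3"),
]

if __name__ == "__main__":
    # Stand-in for the approval dialog: accept only the run of person elements.
    result = edit_history(SAMPLE_HISTORY, approve=lambda run: run[0].content.startswith("p"))
    for item in result:
        print(item)
```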
8.4.3 Algorithm requirements<br />
To ensure that algorithms do not become black box components in tools supporting criminal<br />
network investigation, we suggest focusing on providing the users with options for interaction with<br />
algorithms. The algorithm component requirements will primarily support the research focus<br />
requirements human factors #1, #2, and #4, focusing on augmentation of human intellect,<br />
transparency and ownership, and leveraging human-tool synergies.<br />
1. Types of algorithms. During analysis we have found a need to support three basic algorithm<br />
types, namely measuring algorithms, transformative algorithms, and custom algorithms.<br />
The measuring algorithms simply provide different measures for (parts of) criminal<br />
network structures of entities. Transformative algorithms suggest an alteration of the network,<br />
either by adding or removing entities, changing attribute information, or visually<br />
updating (some selection of) entities somehow.<br />
2. Algorithm steps. Controlling the steps of an algorithm requires a separation of the algorithm<br />
into steps, where each step has inputs and outputs. The user should be guided through the steps once they<br />
have been tailored and the user has customized them.<br />
3. Input and output. Algorithms for criminal network investigation take criminal networks<br />
as input and output the same criminal network augmented with the results of the algorithm.<br />
Algorithms must in other words be able to parse the conceptual model (i.e., traverse hierarchies<br />
and follow associations) prior to or during computation.<br />
4. Customizable. Algorithms must have an interface for customization to the extent it is<br />
possible for individual algorithms. Typically customization would involve adjusting input<br />
and output variables, loading specific information for the algorithm etc. Visual customization<br />
is preferred to traditional graphical user interface input fields.<br />
5. Tailorable. Both individual algorithms and custom algorithms should be tailorable. Individual<br />
algorithms, in the sense that controlling the computational steps of the algorithm<br />
could become useful in some situations. An example could be letting the investigator sort<br />
shortest paths between all vertex pairs before running the remainder of the algorithm. For<br />
custom algorithms, comprising more than one algorithm, it must be possible to tailor in<br />
terms of the order of algorithms, as well as what to do with the output from one algorithm,<br />
before forwarding it to the next.<br />
8.4.4 Datafile requirements<br />
A datafile component will deal with mapping information to and from our conceptual model (information<br />
elements, relations, and composites). It needs to encapsulate both the proprietary saving<br />
and loading of criminal network investigation in CrimeFighter Investigator (serialized XML), as<br />
well as general data formats such as comma separated values (CSV), XML, and other formats<br />
used by other tools like social network analysis tools. The datafile component primarily supports<br />
the research focus requirements information #2 (integrating information sources) and to some<br />
extent information #4 (versioning support).<br />
1. Mapping to conceptual model. A datafile component must be able to map data to the<br />
conceptual model of a tool. In relation to criminal network investigation, this is entities<br />
(information elements, relations, composites).<br />
2. Import data formats. The datafile component must have an abstract interface for import<br />
of various data formats. This should ensure that the tool support remains open and<br />
extensible, in order to be able to accommodate new data formats.<br />
3. Export data types. The datafile component must also have an abstract interface for<br />
exporting to various data formats.<br />
8.5 Component design<br />
Here we present component designs of three of the four previously chosen components: entity,<br />
history and algorithm. The datafile component was found to be sufficiently described by the<br />
component requirements in the previous section.<br />
8.5.1 Entity<br />
The design of the entity component is essential as the success or failure of all other components<br />
and hence features relies on it. The design is presented in Figure 8.9.<br />
Figure 8.9: Entity component design includes the component’s relations to the common information<br />
space (left), the interrelationship of basic component elements (middle), and other elements<br />
related to the component, but not directly part of it (right).<br />
Figure 8.9 reflects how all entities should have a fixed absolute position in the common information<br />
space. An entity has a number of visual elements, all positioned relative to the absolute position.<br />
A visual abstraction is at the center. This is a symbol informing the user in an intuitive way what<br />
the contents of the entity are. Building the visual abstraction using geometric<br />
shapes such as rectangles, circles, and triangles will be encouraged, since that would make it possible to later associate<br />
specific semantics with individual areas of the visual abstraction. However, for criminal network<br />
investigations, it would also be useful to use a picture as visual abstraction. Our analysis showed<br />
that simple entity actions such as delete and edit should be visual elements positioned relative<br />
to the entity. These sorts of manipulations concern the entity as a whole.<br />
Direct manipulation of content (or meta data, described below) is essential to keep interaction<br />
simple. Important meta data that are often edited for a specific entity should be available for<br />
direct manipulation as a visual element. Finally, an element that will allow both the resizing<br />
of an entity and provide connection points between entities is necessary. For a relation, for<br />
example, this element would be at either end of the relation. It is initially empty, since the relation is<br />
not connected to any other entities, but grabbing and dragging the element (endpoint) would then<br />
change the length of the relation (just as if an information element was connected to that end of<br />
the relation).<br />
Furthermore, the entity component must as a minimum include the following non visual elements:<br />
Meta data are essential, and will be formatted according to a type (text, number), name (what<br />
is this meta data called) and finally the actual value of the meta data. Some meta data will<br />
be static for an entity and others will be dynamic. It should be possible to add new meta data<br />
throughout the lifetime of the entity. Included entities (or encapsulated entities) are required<br />
to represent hierarchical structures in investigations. These entities will be grouped or classified<br />
according to some parameters selected by the end user and they also have an entity to represent<br />
them at a higher level, the entity that encapsulates them. It will be necessary to denote the type<br />
of individual entities, in order to let the developers add functionality particularly developed for<br />
a specific type of entity, e.g., relation or composite. The set of entity types should of course be<br />
extensible.<br />
8.5.2 History<br />
Our history component is designed with the intent to support versioning, which in turn will<br />
provide support for important criminal network investigation tasks based on versioning. The<br />
history component design is shown in Figure 8.10.<br />
Figure 8.10: History component design includes the component’s relations to the common information<br />
space (left), the interrelationship of basic component elements (middle), and other elements<br />
related to the component, but not directly part of it (right).<br />
A criminal network investigation event is the basic element of the history component. The event<br />
is created by some action in the common information space, either by the user (synthesis actions)<br />
or by the tool (on behalf of the user, an algorithm based sense-making action). An event can<br />
be of a specific type (create, delete, move, transform, etc.) and will have some information<br />
content. Visual abstractions for event types and content must be supported, illustrated by the<br />
link to geometrical shapes in Figure 8.10. Finally, events are to be stored either following an<br />
associative structure, a hierarchical structure, or a combination of these. Provided that<br />
storage is implemented in a suitable way, an editor can interact with the stored history events, to<br />
group events, annotate events, or interact and present the events in ways required for the specific<br />
criminal network investigation, intelligence customers, etc.<br />
8.5.3 Algorithm<br />
Our algorithm component is designed with the intent to support analysis (synthesis, sense-making,<br />
and synthesis and sense-making), which in turn will provide support for important criminal network<br />
investigation tasks depending on analysis support. The algorithm component design is shown<br />
in Figure 8.11.<br />
An algorithm is the central algorithm component element. This might be confusing, and requires<br />
further explanation. The terminology is used to encapsulate our intended support for single, yet<br />
customizable and tailorable, criminal network investigation techniques (e.g., see mathematical<br />
models in Section 5.9) and custom algorithms which might refer to a combination of multiple<br />
techniques or one or more techniques together with one or more custom algorithms. We will<br />
also refer to the latter as sense-making work flows. As mentioned, an algorithm is the central<br />
element, receiving its input from the common information space (i.e., criminal network entities<br />
or structures), and returning output to the common information space as well. An algorithm,<br />
whether custom or a single technique, will have a number of computational steps that must be<br />
tailorable by humans (investigators). There will also be some general settings for all algorithms<br />
and some specific settings for the particular instantiation of the algorithm component, which<br />
must be customizable by investigators. Finally, all algorithms must implement a report interface<br />
to allow for the generation of reports based on the computational steps, customizations, inputs<br />
and outputs, etc., of algorithms. Letting the user tailor what to put in these reports using a<br />
report editor would be preferable.<br />
Figure 8.11: Algorithm component design includes the component’s relations to the common<br />
information space (left), the interrelationship of basic component elements (middle), and other<br />
elements related to the component, but not directly part of it (right).<br />
8.6 CrimeFighter Investigator concepts<br />
To summarize our work presented in this chapter, and as an introduction to Chapters 9 to 13,<br />
covering implemented support for criminal network investigation tasks based on the concepts and<br />
components discussed, we describe the basic concepts supported by CrimeFighter Investigator.<br />
CrimeFighter Investigator [169,173–176] is based on a number of concepts, adopted primarily from<br />
knowledge management and hypertext research and systems. Figure 8.12 shows an augmented<br />
screen shot of CrimeFighter Investigator, with the most basic and important concepts emphasized<br />
and labeled. At the center is a shared information space. Spatial hypertext research has inspired<br />
the features of the shared information space including the support of investigation history [174]<br />
(emphasized in the tool bar). The view concept provides investigators with different perspectives<br />
on the information in the space and provides alternative interaction options with information<br />
(hierarchical view to the left (top); satellite view to the left (bottom); spatial view at the center;<br />
algorithm output view to the right). Finally, a structural parser assists the investigators by relating<br />
otherwise unrelated information in different ways, either based on the entities themselves or by<br />
applying algorithms to analyze them (see the algorithm output view to the right).<br />
In the following chapters, central CrimeFighter Investigator concepts are designed and analyzed<br />
together with specific criminal network investigation tasks, before implementing support of these<br />
tasks based on the concepts.<br />
Figure 8.12: CrimeFighter Investigator screen shot with concept overlays.<br />
CHAPTER 9<br />
Acquisition<br />
Intelligence gathering in the twenty first century is now less about<br />
James Bond and George Smiley than it is a Frankenstein composite<br />
of law enforcement, spies, and forensics.<br />
Hitz (2009) concluding on how “counter-terrorism and counter-proliferation intelligence gathering is<br />
following a new paradigm” [113]<br />
Some information may be available at the beginning of a criminal network investigation, but new<br />
information tends to dribble in over time in disparate pieces. Information arrives from various<br />
sources and should be easy to insert into the investigation tool in a manner that is transparent<br />
to the investigator. The remainder of this chapter is organized as follows: in Section 9.1 we<br />
will analyze the acquisition tasks outlined in Section 7.2.1 and related CrimeFighter Investigator<br />
concepts. In Section 9.2 we present the designs we have created for those tasks and concepts.<br />
Finally, Section 9.3 describes implementations of tasks and concepts in CrimeFighter Investigator,<br />
using tool and feature screen shots. Not all designs are implemented, and in general it should<br />
be noted that acquisition has received less attention, compared to synthesis and sense-making.<br />
We started out focusing on synthesis and sense-making, and later, following an agile and iterative<br />
approach to software development, we found a need to also focus on acquisition, to be able to<br />
ingest information.<br />
9.1 Analysis<br />
Based on cases and observations of criminal network acquisition, contact with experienced end-users<br />
from various investigation communities, examination of existing tools that support acquisition<br />
of criminal network entities and structures (see Chapter 4), and our own ideas for acquisition<br />
support, we maintain a list of acquisition tasks. Acquisition tasks primarily support the research<br />
focus requirements information #1 (emerging and fragile structure) and information #2 (integrating<br />
information sources).<br />
9.1.1 CONCEPT: Storage<br />
In order for investigations to be saved, they need to be stored somehow, preferably in a<br />
database-like structure. Storage is also needed when acquiring information, either to append it to an existing criminal<br />
network investigation or to start a completely new investigation. See Chapter 8 for a requirements<br />
list (Section 8.4) for the datafile component.<br />
9.1.2 TASK: Acquisition methods<br />
Information arrives from various sources and should be easy to insert into the investigation tool<br />
using methods such as import, drag-and-drop, and copy-and-paste (see Figure 9.1).<br />
Figure 9.1: Methods for acquiring information include import (left), drag-and-drop (middle), and<br />
copy-and-paste (right).<br />
Direct integration with other tools, such as CrimeFighter Explorer or Assistant, would be<br />
a fast way to import already processed data and information into CrimeFighter Investigator [245].<br />
The research prototype POLESTAR supports direct import of text snippets using drag and drop<br />
from web sites into the application [178]. Methods such as drag-and-drop and copy-and-paste are<br />
especially relevant when working with open source intelligence (web sites, databases, online<br />
newspapers, etc.), especially considering that open source intelligence has been found to provide 80%<br />
of the value to criminal network investigations (see Section 5.8).<br />
9.1.3 TASK: Dynamic attributes<br />
Dynamic attributes are required to support acquisition of various data sets formatted using graph<br />
markup language (GraphML) or comma separated values (CSV) (see also mapping attributes<br />
below). The attributes are also relevant for synthesis, as new attributes will be added and the<br />
names of existing ones will be changed, as new information continues to dribble in over time (see<br />
Figure 9.2).<br />
Figure 9.2: Dynamic attributes.<br />
Having to match the newly acquired information (intelligence) into an existing data model (conceptual<br />
model) could potentially inhibit creativity and the desire to use software tools for criminal<br />
network investigation. Supporting dynamic attributes is one step on the way, but then intuitive<br />
interaction with attributes for easier restructuring is necessary. In the Daniel Pearl investigation<br />
we saw how there are initially only the names of individuals, but then gradually new meta data<br />
(attributes) are added, such as telephone numbers and pictures [162]. See Section 3.5.1 for a<br />
review of the Daniel Pearl kidnapping and murder.<br />
9.1.4 TASK: Attribute mapping<br />
To support dynamic attributes it is necessary to map attributes in the acquired information to<br />
the investigation data model. An example is mapping attributes to information element labels (see<br />
Figure 9.3).<br />
Figure 9.3: Attribute to data model mapping (left) and attribute to algorithm mapping (right).<br />
There are many examples where the attributes of imported entities do not match the entities in<br />
the investigation’s conceptual model. In Sageman’s 2003 al-Qaeda data set 80 , there are only<br />
shortName and fullName attributes (see the al-Qaeda related deployment of CrimeFighter Investigator<br />
in Section 14.3 and development of measures of performance in Section 15.4, for more information<br />
about the data set).<br />
9.2 Designs<br />
In this section we present designs for some of the acquisition tasks analyzed in the previous section.<br />
9.2.1 TASK: Acquisition methods<br />
As the purpose of this task is to ensure that tools for criminal network investigation have multiple<br />
methods for acquiring data and information, it is difficult to frame a design. What we can do is to<br />
present designs for what should happen once the data and information have re-entered the system,<br />
and needs to be mapped to the conceptual model, like support of dynamic attributes through<br />
mapping of attributes. The designs of these two acquisition tasks are described below.<br />
9.2.2 TASK: Dynamic attributes<br />
We design a drag-and-drop approach to editing the attributes of entities. Figure 9.4 shows our<br />
design for visual abstractions and attribute editor. The attribute related parts have options for<br />
adding new attributes and mapping available attributes to visual abstraction labels.<br />
Figure 9.4: Entity visual abstractions and attribute editor - Options for editing the visual graphics<br />
abstractions of entities, adding new attributes, mapping available attributes to visual abstraction<br />
labels and deciding the order and positioning of menu buttons.<br />
9.2.3 TASK: Attribute mapping<br />
Our design for attribute mapping is simply to arrange all the attributes for entities in the acquired<br />
information and then support the user’s mapping of these attributes to the current attributes of<br />
entities in CrimeFighter Investigator.<br />
9.3 CrimeFighter Investigator<br />
Support of acquisition tasks is limited. However, to enable our development of measures of performance<br />
we have implemented support of import of various file types. Also, the option of saving<br />
investigations in the CrimeFighter Investigator format permits sharing the common information<br />
space for collaborative purposes.<br />
9.3.1 TASK: Acquisition methods<br />
As mentioned above, we have implemented support for file import. CrimeFighter Investigator supports<br />
import of network information formatted as comma separated values (CSV files). Relations<br />
are imported as either an adjacency matrix or a list of information element pairs (large criminal<br />
networks).<br />
An import dialog (see Figure 9.5) is available from the Session menu. The import feature has<br />
options for importing either information element entities, or all three types of entities (information<br />
elements, relations, and composites). When importing all three types of entities from one file, the<br />
import dialog has the option of importing relations as an adjacency matrix or as a list of < id, id ><br />
pairs indicating the from and to ids of the entities that each relation connects. Using lists of from and to<br />
ids becomes the preferred solution when a data set has more relations than is the case for the<br />
samples shown in Figure 9.5 (right). When the data are imported, the user is prompted to map<br />
attributes of imported entities to the conceptual and computational models of the investigation<br />
(see below, Section 9.3.3).<br />
Figure 9.5: The CrimeFighter Investigator import dialog with options for importing just information<br />
elements, or information elements, relations and composites.<br />
9.3.2 TASK: Dynamic attributes<br />
The CrimeFighter Investigator information element editor has partial support of the design described<br />
in Section 9.2.2. A screen shot of the current implementation of the information element<br />
editor is shown in Figure 9.6: The drop down box at the top (A) lets the user select the entity<br />
for editing. Possible visible settings are selecting which visual abstraction is to be shown when<br />
creating new entities of the given type (B). Four categories have been created; maybe when there<br />
are not many entities in the space, it is nice to use a large visual abstraction, because it is<br />
more descriptive, and then when the number of entities increases it could be beneficial to sacrifice<br />
some description for a small visual abstraction. Two other visual abstraction types that<br />
can be useful depending on the investigation are the circle and label abstractions. Typically, if a<br />
single attribute has been selected to represent the entity, then these abstractions can be useful.<br />
Information about the currently selected visual abstraction is shown in the view to the left (C).<br />
It indicates how the entity will appear in the common information space, and the placement of<br />
different internal components. Refer to Section 8.4.1 and 8.5.1 for a more detailed description of<br />
the entity component. Support for editing the visual abstraction is not implemented (D), but a<br />
design of the intended feature is shown in Figure 9.2.2 (acquisition design, Section 9.2.2). At the<br />
bottom the entity’s current attributes are shown in a table (E) and the input fields for adding new<br />
attributes are just below the table (F). Attributes are deleted by deleting them from the table,<br />
which is of course a cumbersome way to do it, and also not according to the intended design.<br />
Figure 9.6: CrimeFighter Investigator information element editor - options for adding new attributes<br />
and deleting existing ones, as well as selecting between pre-defined visual abstractions for<br />
entities.<br />
9.3.3 TASK: Attribute mapping<br />
We have implemented support of the attribute mapping task for data file import and sense-making<br />
work flows (see Section 11.3). Here we focus on attribute mapping for import. When importing<br />
criminal network information into investigations, it is necessary to map all network dependent<br />
variables of the existing data model to attributes of the imported entities. Figure 9.7 shows the<br />
entity attributes for a data set containing person information elements. The visual abstraction of<br />
person information elements has a label that links to one specific attribute and is displayed below<br />
the graphical abstraction. When importing data, the user is requested to select the attribute to<br />
link to that label by dragging the desired attribute to the label reference area.<br />
Figure 9.7: (semi mock-up) Mapping information attribute to data person information element<br />
label.<br />
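The import and mapping steps of Sections 9.3.1 and 9.3.3 are shown in code below: relations are read either as an adjacency matrix or as a list of id pairs, and one imported attribute is then mapped to the element label. This is an added example, not CrimeFighter Investigator code; the CSV layouts, function names, sample rows, and the treatment of relations as undirected are assumptions.<br />

```python
import csv
import io

# Constructed sample data (not from any real data set).
ELEMENTS_CSV = """id,shortName,fullName
1,A. Alpha,Adam Alpha
2,B. Bravo,Bea Bravo
3,C. Charlie,Cy Charlie
"""
ADJACENCY_CSV = """,1,2,3
1,0,1,0
2,1,0,1
3,0,1,0
"""
PAIRS_CSV = """from,to
1,2
2,3
"""


def read_elements(text):
    """Import information elements; every non-id column becomes a dynamic attribute."""
    elements = {}
    for row in csv.DictReader(io.StringIO(text)):
        eid = row.pop("id").strip()
        if eid in elements:
            raise ValueError(f"duplicate element id {eid!r}")
        elements[eid] = {"attributes": dict(row), "label": None}
    return elements


def _relation(src, dst, known_ids):
    """Validate both endpoints and normalise to an undirected pair (assumption)."""
    for eid in (src, dst):
        if eid not in known_ids:
            raise ValueError(f"relation references unknown element id {eid!r}")
    return tuple(sorted((src, dst)))


def relations_from_matrix(text, known_ids):
    """Adjacency matrix: first row and first column carry element ids."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header = [c.strip() for c in rows[0][1:]]
    relations = set()
    for row in rows[1:]:
        if len(row) - 1 != len(header):
            raise ValueError(f"row {row[0]!r} does not match the header width")
        src = row[0].strip()
        for dst, cell in zip(header, row[1:]):
            if cell.strip() not in ("", "0") and src != dst:
                relations.add(_relation(src, dst, known_ids))
    return relations


def relations_from_pairs(text, known_ids):
    """List of from/to id pairs: one relation per line, suited to large networks."""
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the "from,to" header
    rows = [r for r in reader if r]
    return {_relation(a.strip(), b.strip(), known_ids) for a, b in rows}


def map_label(elements, attribute):
    """Link the visual abstraction's label to one imported attribute.
    Refuses the mapping if any element lacks a value for that attribute."""
    missing = [eid for eid, e in elements.items() if not e["attributes"].get(attribute)]
    if missing:
        raise ValueError(f"attribute {attribute!r} missing for elements {missing}")
    for e in elements.values():
        e["label"] = e["attributes"][attribute]
    return elements


if __name__ == "__main__":
    elems = read_elements(ELEMENTS_CSV)
    print(relations_from_matrix(ADJACENCY_CSV, elems))
    print(relations_from_pairs(PAIRS_CSV, elems))
    print(map_label(elems, "fullName"))
```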
CHAPTER 10<br />
Synthesis<br />
By gathering the myriad of information that is available I hoped to<br />
each a portrait of that which is unknown, the way negative space can<br />
define an object.<br />
Bernard-Henry Lévy in [128].<br />
Criminal network investigators move pieces of information around, they stop to look for patterns<br />
that can help them relate the information pieces, they add new pieces of information and iteration<br />
after iteration the information becomes increasingly structured and valuable. Synthesizing<br />
emerging and evolving information structures is a creative and cognitive process best performed<br />
by humans. The nature of modeling something as complex and diverse as crime is an ongoing and<br />
potentially open-ended process that demands an interactive modeling approach [30]. What<br />
complicates everything is that the picture constantly changes. With every interaction, people<br />
change, group dynamics change, and social dynamics change [28]. If we are to think seriously<br />
about this sort of complexity, and reason effectively about it, some sort of simplified map of<br />
reality, some theory, concept, model, paradigm, is necessary [102]. The CrimeFighter Investigator<br />
approach to synthesis is based on three first class entities, which, combined with hypertext<br />
structure domains (see Section 5.1) are used to support a set of synthesis tasks.<br />
Criminal network investigators working in teams merge and organize pieces of information from<br />
different sources in order to reason about them and support their decision making process. The<br />
structure of the relationships between these pieces of information is fragile by nature, since new<br />
information may change it substantially. Besides supporting the emergent nature of incoming<br />
information, such structures should also be an appropriate medium for communicating with others<br />
(see our introduction to dissemination in Chapter 12). Their presentation should foster awareness<br />
and permit notification services that inform the investigator about potential unseen and non<br />
obvious connections beyond the borders of individual information sources [20] (the synthesized<br />
information should support sense-making, see Chapter 11).<br />
The remainder of this chapter is organized as follows: analysis (Section 10.1) and design (Section<br />
10.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 10.3) are<br />
explained below.<br />
10.1 Analysis<br />
Based on cases and observations of criminal network synthesis, contact with experienced end-users<br />
from various investigation communities, examination of existing tools for synthesis of criminal networks,<br />
and our own ideas for synthesis support, we maintain a list of synthesis tasks. Synthesis<br />
tasks assist criminal network investigators in enhancing the target model. The concepts of perspectives<br />
and versioning, and their related components view and history, support synthesis tasks<br />
and are therefore analyzed first, followed by the synthesis tasks. Our analysis of synthesis tasks<br />
is primarily based on criminal network investigation cases where simple physical tools (human<br />
factors #3) are used such as the whiteboard in the Daniel Pearl investigations, and the boards<br />
used in many investigations with paper based evidence, such as paper clippings, Polaroids, and<br />
text cards etc. together with related work tools or prototypes that support the synthesis task in<br />
a manner addressing our research focus requirements.<br />
10.1.1 CONCEPT: View<br />
The view concept plays an important role for synthesis, in terms of providing more perspectives<br />
on the synthesized criminal network information. As long as the entities are laid out at the same<br />
level in the common information space (spatial view), then no other views are required. However,<br />
once groups are being added, entities associated to groups by inclusion, and the groups are then<br />
collapsed, it becomes important to have, for example, a hierarchical view (taxonomic view) of the<br />
information since it is now being organized into hierarchies.<br />
Taxonomic view<br />
A taxonomic view for criminal network investigation has two main objectives. First of all, the<br />
taxonomic view must visualize the created hierarchical structure as synthesized by the user using<br />
composites with reference relations to information elements, or traditional sub-spaces attached<br />
to single information elements accessed using expand and collapse functionality. Secondly, a<br />
taxonomic view must support manipulation of the existing hierarchical structure, allowing for the<br />
user to move information elements between composites, i.e. the spaces and sub-spaces that the<br />
composites represent.<br />
10.1.2 CONCEPT: History<br />
The recording of synthesis tasks is essential for later sense-making (see Chapter 11) and dissemination<br />
(see Chapter 12). Navigable history (inspired by the feature in VKB [96,117]), can provide<br />
a new time dimension for an investigation, that of its construction. Investigators can navigate<br />
through the history, perceiving the constructive events of the space, by moving between current<br />
and prior states. Navigable history supports learning and interpreting investigators work practices,<br />
recognizing patterns of activity in the space, and disambiguating specific actions and content. Furthermore,<br />
it allows the criminal network investigation team to review the path or progress of their<br />
investigation or to reclaim information that previously had been deemed irrelevant or deleted, but<br />
then found to have greater significance due to new incoming information.<br />
10.1.3 TASK: Create, delete, and edit entities<br />
Here we focus on the abstraction over these three entities, the entity. Investigators basically think<br />
in terms of people, places, things, and their relationships. All these different types of information<br />
can be encapsulated by criminal network investigation entities, which can be created in a number<br />
of different ways as shown in Figure 10.1.<br />
Figure 10.1: Creating entities can be done in multiple ways: information entities are created using<br />
dragging gestures in the tool, drag-and-drop from other applications, clicks, import (all left), links<br />
based on entity selection (middle), or grouping (right).<br />
Creating entities can be done in multiple ways: information entities are created using dragging<br />
gestures, drag-and-drop from other applications, clicks, or import of information from files. Linking<br />
entities could happen using a dragging gesture, or selecting the two entities that are going to be linked<br />
and then activating linking functionality. Creating groups can be done by collapsing information<br />
or using visual symbols (see Section 10.1.6 for analysis of grouping). Creating entities in the space<br />
using a drag gesture or a click requires the user to first select the entity to create (if not already<br />
selected), while drag and drop from another application would create the entity immediately, at<br />
least with some initial entity encapsulation.<br />
In the Daniel Pearl investigation new information pieces (entities) are added to a whiteboard by<br />
drawing on it (see Section 3.5.1), resembling a dragging gesture. Police detectives often use boards<br />
on which they pin evidence, typically written or printed on paper (see Section 3.5.4). In that case<br />
new information pieces are created away from the board, resembling a drag-and-drop gesture from<br />
somewhere else or a simple import of a few entities.<br />
Figure 10.2: Delete entities - .<br />
In the Daniel Pearl investigation, entities are deleted from the board by wiping (gesture) and in<br />
the board-based police investigations pieces of paper with evidence are simply removed from the<br />
board and thrown in the trash can (drag-and-drop).<br />
There are typically two ways of editing entities, either in terms of using a form-based approach<br />
such as an object inspector, listing the attributes and other adjustable meta data of the entity in<br />
a tabular way, or alternatively some meta data might be editable through direct manipulation in<br />
the common information space. On a white board, like in the Daniel Pearl investigation, person<br />
names are easily updated, a telephone number added, or a picture used as visual abstraction, in<br />
a direct manipulation fashion.<br />
10.1.4 TASK: Create, delete, and edit associations<br />
The impact of association analysis on investigative tasks is crucial to the creation of the target<br />
model. Descriptive relations between entities help discover similarities and ultimately solve investigation<br />
cases. Associations between entities can be created, deleted, and edited using for example<br />
the link entity, visual symbols, co-location or based on the value of specific attributes (see Figure<br />
10.3).<br />
Figure 10.3: Associations between entities can be created, deleted, and edited using links, visual<br />
symbols, co-location or attribute similarities.<br />
Using spatial hypertext technology for information analysis, one can define relationships between<br />
information elements, simply through the proximity and location of information elements. But<br />
since relations within terrorist networks are much more complex than the simple indication of<br />
belonging to a certain group, these relations must be weighted to match that complexity appropriately.<br />
We suggest providing a structured language to describe the inner complexity of these<br />
weights, a language that is interpretable by both humans and computer algorithms.<br />
There is a need to describe the nature of links and nodes, since “Without accounting for the<br />
content of communication, social network analysis runs into the “pizza guy delivery problem”:<br />
confusing regular contact with significant contact” [26]. A person A can be related to a person<br />
B in a number of ways, and any subset of these relations can mean something within a certain<br />
context, and hence would be weighted differently according to their importance. The complete set<br />
of relations would constitute what is known about the relationship at that place in time.<br />
10.1.5 TASK: Restructuring<br />
During an investigation, information structures are typically emerging and evolving, requiring<br />
continuous re-structuring of entities and their relations. Besides creating and deleting entities,<br />
restructuring involves tasks such as move entity, reconnect link, merge entities, and group entities,<br />
etc. (see Figure 10.4).<br />
Figure 10.4: Restructuring involves synthesis actions such as move entity, reconnect link, merge<br />
entities, and group entities.<br />
Restructuring of information structures happens during all criminal network investigations, except<br />
maybe for the simplest of cases (e.g., the homicide dunkers described by Simon (1991) [204]).<br />
10.1.6 TASK: Grouping<br />
Investigators often group entities using symbols like color and co-location (weak), or they use<br />
labeled boxes (strong). Groupings can be used to highlight and emphasize particular entities and<br />
their relations (see Figure 10.5 and also Section 10.1.4 that analyzes associations).<br />
Figure 10.5: Entities are often grouped either semantically by reference (left), or hierarchically by<br />
inclusion of either nodes (middle) or links (right).<br />
Often reference grouping is used, when the affiliation of entities with a certain group is not certain.<br />
Then later when (maybe) more evidence backs up the grouping, the entities (nodes and/or links)<br />
are grouped by inclusion.<br />
10.1.7 TASK: Collapsing and expanding<br />
Collapsing and expanding information is essential since the space available for manipulating information<br />
is limited physically, perceptually, and cognitively. Zooming is a way to visually collapse<br />
or expand information in the space; however, depending on the zooming degree, it facilitates<br />
information overview at the expense of information clarity.<br />
For collapsed information it is necessary to consider what the abstraction should be. Maybe it<br />
makes sense to represent it with a graphical abstraction indicating that the underlying entities are all related<br />
to a specific group, a company, or a meeting. Alternatively, it could just be a label or some of the other<br />
abstractions for information entities that we discussed in Chapter 8. Another requirement would<br />
be to support an intelligent expansion of collapsed information in the space. Other entities might<br />
have been added to the space that the collapsed information was located in before, and more<br />
entities have been added to the new sub space that the collapsed entities are synthesized within,<br />
meaning that they will take up more space once they are expanded.<br />
Typically collapsing information is used if a set of information entities becomes of second priority,<br />
because of new leads, or if the set of entities can be abstracted to a single entity, which makes<br />
more sense, but the investigators would still like to keep the information that the abstraction was<br />
based on in the investigation. On a white board it is impossible to collapse information without<br />
losing it; only the entity abstracted from the collapsed information remains. On a board that<br />
information is pinned to, multiple pieces of paper could be pinned together, only the piece of paper<br />
at the top being visible. The same would be the case with arranging documents on a table, where<br />
they can be stacked according to some classification (see Atzenbeck (2006) [18]).<br />
10.1.8 TASK: Information types<br />
Multimedia support is helpful when investigators want to add known positions of persons to a<br />
map or link persons to different segments within an audio file. This would support for example<br />
more intuitive storytelling. Information types include text, maps, images, audio, and video (see<br />
Figure 10.6).<br />
Figure 10.6: Information types include text, maps, images, audio, and video.<br />
When previous Secretary of State Colin Powell presented the United States case on Saddam<br />
Hussein’s alleged weapons of mass destruction to the United Nations in 2003 the evidence included<br />
intercepted phone calls, augmented satellite photos, 3D sketches, etc. Tools and research<br />
prototypes reviewed in Chapter 4 support many different kinds of information, e.g., Mindmeister,<br />
an investigative journalism tool that supports embedding pictures and video in mind maps (see<br />
Section 4.3.2).<br />
10.2 Designs<br />
We present our designs of key synthesis concepts and tasks. The designs for which support has not<br />
been implemented are considered important areas of future work.<br />
10.2.1 CONCEPT: View<br />
A tool for criminal network investigation requires two types of support for hierarchical structuring:<br />
creating groups in the same space and hierarchies using sub spaces. An example is given in Figure<br />
10.7. Sub spaces are expanded or collapsed into the shared information space.<br />
10.2.2 CONCEPT: History<br />
A design of history support is presented in Chapter 8 on concepts, models, and components for<br />
criminal network investigation.<br />
10.2.3 TASK: Create, delete, and edit entities<br />
We do not discuss the actual design of individual entities here; elaborate designs of the information<br />
element, relation and composite entities are given in Section 8.1. We focus on how those designs<br />
can be utilized to create, delete, and edit entities. Later we will demonstrate how these designs<br />
have been implemented in CrimeFighter investigator.<br />
In general, we want entities to be created using a drag gesture; this way the user can create an<br />
entity and position it in the space in the same way. The dragging gesture can then also be used<br />
to decide the size of the relation and composite entities. For editing, we want to support direct<br />
manipulation of often accessed meta data, alternatively editing using a form which is accessed by<br />
a menu icon attached to the entity positioned at its outline. Deletion should be possible using<br />
direct manipulation, i.e. direct interaction with areas designated for that purpose.<br />
Figure 10.7: Hierarchical structuring types.<br />
10.3 CrimeFighter Investigator<br />
In this section, we present our implemented tool support for criminal network investigation synthesis<br />
tasks, which we analyzed in Section 10.1 and created designs for in Section 10.2.<br />
10.3.1 CONCEPT: View<br />
View is a well-known concept for providing different perspectives on information.<br />
Taxonomic view<br />
The taxonomic view (left hand in Figure 8.12) provides a hierarchical overview of the organization<br />
of entities. The tree root reflects the name of the investigation, nodes in the tree are composites<br />
and leaves in the tree are information elements. The taxonomic view and the spatial view are<br />
synchronized in the sense that changes made in one view are instantly reflected in the other view.<br />
There are no limitations to the number of nested hierarchies. The two views are separated by<br />
a divider that can be moved left or right to expand/minimize the views depending on the users’<br />
preference. Icons reflecting their space equivalents are used to make it easier for the investigators<br />
to recognize the entities from the space in the taxonomic view. It is still the same information,<br />
although offering a different perspective. A spatial parser algorithm is used to parse the entities<br />
in the space and then create the structure shown in the taxonomic view.<br />
An example of reference composite support is shown in Figure 10.9. In Figure 10.9a, Mr. X is<br />
part of both Composite 1 (C1) and Composite 2 (C2). In Figure 10.9b, C2 is moved away and<br />
now Mr. X is no longer part of C2, and this change is reflected in the taxonomic view to the left.<br />
10.3.2 CONCEPT: History<br />
The user interface of the navigable history feature is embedded in the tool bar (see Figure 8.12).<br />
It records everything that happens in the space. It has back and forth buttons for navigating<br />
the recorded events, and the current event displayed in the space is visualized using a slider as<br />
well as a label showing both the current event and the total number of events (e.g., 48/48).<br />
Figure 10.8: Screen shot of taxonomic view from the Daniel Pearl investigation.<br />
(a) Reference composite example - non-overlapping reference composites.<br />
(b) Reference composite example - non-overlapping reference composites.<br />
Figure 10.9: History trees and navigation view.<br />
The history feature records all the interactions that investigators have with entities in the space as<br />
events, e.g., “create information element”, “resize composite”, “move information element”, and<br />
so on. Each event is given a time stamp and added to the sequential history. If the history bar is<br />
not positioned at the end of the history when an investigator causes an event, the investigator is<br />
prompted whether to delete all events after the current event or to cancel the action<br />
that caused the event to happen.<br />
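The recording, navigation and truncation behaviour described above, as an added Python sketch (not CrimeFighter Investigator's own code). The class and method names, the three event kinds and the sample entities are assumptions made for illustration.<br />

```python
"""Navigable history sketch: time-stamped events, a cursor, and truncation."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

Position = Tuple[int, int]
Space = Dict[str, Position]  # entity label -> position in the shared space


@dataclass(frozen=True)
class Event:
    kind: str                  # "create", "move" or "delete" (assumed kinds)
    entity: str
    position: Optional[Position]
    timestamp: datetime

    def apply(self, space: Space) -> None:
        if self.kind == "delete":
            space.pop(self.entity, None)
        else:                  # create and move both set the position
            space[self.entity] = self.position


class NavigableHistory:
    def __init__(self, confirm_truncate: Callable[[int], bool]):
        # confirm_truncate stands in for the prompt shown to the investigator;
        # it is given the number of later events that would be deleted.
        self._events: List[Event] = []
        self._cursor = 0       # how many events the space currently shows
        self._confirm = confirm_truncate

    def record(self, kind: str, entity: str,
               position: Optional[Position] = None) -> bool:
        """Add an event at the cursor; False means the action was cancelled."""
        later = len(self._events) - self._cursor
        if later and not self._confirm(later):
            return False
        del self._events[self._cursor:]
        now = datetime.now(timezone.utc)
        self._events.append(Event(kind, entity, position, now))
        self._cursor = len(self._events)
        return True

    def back(self) -> None:
        self._cursor = max(0, self._cursor - 1)

    def forward(self) -> None:
        self._cursor = min(len(self._events), self._cursor + 1)

    def label(self) -> str:
        return f"{self._cursor}/{len(self._events)}"

    def space(self) -> Space:
        """Rebuild the space as it looked at the cursor by replaying events."""
        state: Space = {}
        for event in self._events[:self._cursor]:
            event.apply(state)
        return state


def demo() -> dict:
    answers = iter([False, True])   # first prompt: cancel, second: delete
    history = NavigableHistory(lambda later: next(answers))
    # Constructed sample events, not taken from any investigation.
    history.record("create", "Person A", (10, 10))
    history.record("create", "Address B", (40, 10))
    history.record("move", "Person A", (20, 30))
    history.record("delete", "Address B")
    out = {"end": history.label()}
    history.back()                  # step to the state before the delete
    out["reclaimed"] = "Address B" in history.space()
    out["cancelled"] = not history.record("create", "Phone C", (5, 5))
    out["after_cancel"] = history.label()
    out["accepted"] = history.record("create", "Phone C", (5, 5))
    out["after_truncate"] = history.label()
    out["final_space"] = history.space()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Stepping back one event brings the deleted entity into view again, and accepting the prompt discards the later delete event so the entity stays in the space.<br />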
10.3.3 TASK: Create, delete, and edit entities<br />
Creating, editing and deleting entities is done using well-known interaction metaphors. Information<br />
elements are created using a simple mouse drag gesture within the investigation space.<br />
Once created, delete and edit functionalities are available from a menu attached to the information<br />
element as shown in Figure 8.12. Connected relations are created by selection of two information<br />
elements (using the ctrl-button). Subsequently, the direction and the label of the relation can<br />
be edited by clicking the relation label. Relations are, like information elements, deleted using<br />
a menu button positioned relatively to the relation label. Composites are created, edited and<br />
deleted in the same way as information elements. They have an interactive label and the color of<br />
the composite can be set before and after its creation (Figure 8.12, top).<br />
10.3.4 TASK: Restructuring<br />
Restructuring is supported by the concept that all entities are first class. When an information<br />
element with several relations is deleted, the relation endpoints are considered empty and can be<br />
moved freely in the space and the investigator can connect them to other entities if desired using a<br />
drag and drop gesture. The hierarchical view (Figure 8.12, left) is used for classification by moving<br />
information elements in the hierarchically displayed structure (see example in Figure 10.10).<br />
Figure 10.10: An example of supported restructuring where a relation is reconnected to a new<br />
information element, after the previous one was deleted.<br />
10.3.5 TASK: Grouping<br />
Different types of composites can be used to group information. The inclusion composite is one<br />
example, and CrimeFighter Investigator's support of another was discussed in an example using a<br />
reference composite (Section 10.3.1). The relation composite allows investigators to group multiple<br />
relations between two entities (such as multiple emails or phone calls between two persons) into a<br />
single visible entity (composite). Relation composites group relations by inclusion. Another type<br />
of composite supports collapsing and expanding.<br />
CHAPTER 11<br />
Sense-making<br />
Analysis is the key to successful use of information; it transforms<br />
raw data into intelligence. Without the ability to perform effective<br />
and useful analysis, the intelligence process is reduced to a simple<br />
storage and retrieval system for effectively unrelated data.<br />
Intelligence analysts training manual of the metropolitan police (Scotland Yard, London)<br />
After all, no one has yet linked failure of intelligence to the fact that<br />
the opponent had better equations.<br />
Wirtz (2006) in his review [251] of Robert M. Clark’s book intelligence analysis: a target-centric<br />
approach [40]<br />
Criminal network sense-making is tightly coupled with criminal network synthesis as described in<br />
the previous chapter; synthesis and sense-making are core analysis tasks. Synthesizing emerging<br />
and evolving information structures is a creative and cognitive process best performed by humans.<br />
Making sense of synthesized information structures (i.e., searching for patterns) is a more<br />
logic-based process where computers outperform humans as information volume and complexity<br />
increase. CrimeFighter Investigator supports sense-making tasks through the application of<br />
advanced software technologies such as hypertext, semantic web, well-known human-computer interaction<br />
metaphors, and a tailorable computational model rooted in a conceptual model defining<br />
first class entities that enable separation of structural and mathematical models (see Chapter 8).<br />
Therefore, our modeling approach must embrace frequent customization and extension through<br />
robustness and scalability of the underlying mathematical framework [30]. At the beginning of<br />
an investigation it is not clear what sense-making approach will be required to understand and<br />
reason about a certain criminal network. Sometimes more than one measure has to be calculated<br />
for the criminal network or maybe some measures are used as input for an algorithm providing yet<br />
another measure. It is impossible to know beforehand what information attributes (meta data)<br />
will be the deciding factors for a criminal network investigation. First of all, information attributes<br />
are emerging over time, just like the information entities. Second, investigators have to decide<br />
if they will try to predict missing information entities in the network based on for example an<br />
individual’s record of supplying weapons or a measure of each individual’s centrality in a criminal<br />
network.<br />
Taking a computational approach to criminal network sense-making, claiming that investigators<br />
will benefit from the information provided, raises concerns about user acceptance of this computed<br />
information. Experienced investigators with the skills to manually derive the computed<br />
information (given more time) might question how exactly the information has been automatically<br />
computed and they might be inclined not to trust this computed information enough to base<br />
their decisions on it [193]. For computational sense-making to be effective, decision makers must<br />
consider the information provided by such systems to be trustworthy, reliable [144], and credible.<br />
The calculations are not the hard part; the challenge is to find a good way to use the data and<br />
understand them. This is very well described by the following story by Stoll (1995) [217]:<br />
Computer security expert Clifford Stoll spent a year studying at a Chinese observatory<br />
with Professor Li Fang. Li studied star observations and used a Fourier transform, the<br />
standard tool of astronomers everywhere, to hunt for periodic motions. Li, however, did<br />
the Fourier transform completely by hand! Stoll decided to show Li how his new Hewlett<br />
Packard HP-85 could be used to calculate some 50 coefficients for the polar wandering<br />
in under a minute. The task had taken Professor Li 5 months. When presented with the<br />
computer’s results, Li smiled and said: “When I compare the computer’s results to my<br />
own, I see that an error has crept in. I suspect it is from the computer’s assumption<br />
that our data is perfectly sampled throughout history. Such is not the case and it may<br />
be that we need to analyze the data in a slightly different manner”. Stoll realized that Li<br />
had not spent 5 months doing rote mechanical calculations. Instead, he had developed a<br />
complex method for analyzing the data that took into account the accuracy of different<br />
observers and ambiguities in the historical record.<br />
Simply by turning to the computer when confronted with a problem, we limit our ability to<br />
understand other solutions. The tendency to ignore such limitations undermines the ability of<br />
non-experts to trust computing techniques and applications [193] and experienced investigators<br />
would be reluctant to adopt them.<br />
In this chapter, we focus on criminal network sense-making and how tailoring can leverage transparency<br />
and ownership, increasing trust in information provided by sense-making algorithms.<br />
CrimeFighter Investigator [169, 173, 174] is based on a number of sense-making related concepts<br />
(see Figure 11.1). At the center is a shared information space. Spatial hypertext research has<br />
inspired the features of the shared information space including the support of investigation history<br />
[174]. The view concept provides investigators with different perspectives on the information<br />
in the space and provides alternative interaction options with information (hierarchical view to<br />
the left (top); satellite view to the left (bottom); spatial view at the center; algorithm output view<br />
to the right). Finally, a structural parser assists the investigators by relating otherwise unrelated<br />
information in different ways, either based on the entities themselves or by applying algorithms to<br />
analyze them (see the algorithm output view to the right). In the following, central CrimeFighter<br />
Investigator sense-making concepts and tasks are presented.<br />
11.1 Analysis<br />
Based on cases and observations of criminal network sense-making, contact with experienced end-users<br />
from various investigation communities (intelligence, police, and journalism), examination<br />
of existing process models and existing tools for making sense of criminal networks (e.g., [7,20,21,<br />
25, 35, 40, 53, 59, 110, 116, 128, 152, 162, 212, 244]), and our own ideas for sense-making support, we<br />
maintain a list of sense-making tasks. The list of tasks can be seen as a wish list of requirements<br />
which the sense-making part of a tool for criminal network investigation should support; the list<br />
serves as the basis for our tool development efforts. The list is not exhaustive; we expect to uncover<br />
additional sense-making requirements over time. We provide examples for each sense-making task<br />
to emphasize the many different applications. Sense-making tasks assist investigators in extracting<br />
useful information from the synthesized target model [175].<br />
Figure 11.1: CrimeFighter Investigator screen shot with sense-making overlays.<br />
11.1.1 CONCEPT: Algorithm<br />
The algorithm plays an important role for criminal network sense-making. At the same time,<br />
supporting algorithms for sense-making is a great challenge, which our analysis in the beginning<br />
of this chapter emphasized: an algorithm's computational approach to analysis is a rather rigid<br />
contraption, taking an input and producing an output, representing a sort of black box magic<br />
to the inexperienced investigator. But criminal network investigation is an open ended creative<br />
process requiring different sense-making for different investigations. The tailoring of algorithms<br />
would be a way to bridge the rigidness and black box feeling of algorithms with the cognitive<br />
sense-making tasks that criminal network investigators perform. We define three distinct types<br />
of algorithms: structural measure algorithms, structural transformation algorithms, and custom-made<br />
algorithms (often a mix of the two other types, see Figure 11.2).<br />
Figure 11.2: Algorithm types for sense-making include measure algorithms providing metrics for<br />
entities such as links and nodes (left); transformation algorithms alter the structure of criminal<br />
networks by either adding or removing entities (middle); custom-made algorithms encapsulate<br />
multiple measure and transformation algorithms (right).<br />
Measure algorithms provide metrics for entities such as links and nodes, and examples include<br />
centrality measures from social network analysis [155,195,240] and link importance from terrorist<br />
network analysis [80, 245]. Transformation algorithms alter the structure of criminal networks by<br />
either adding or removing entities. Prediction techniques [183, 184] transform criminal networks<br />
by predicting missing links or covert structure (nodes and links). Finally, custom-made algorithms<br />
encapsulate multiple measure and transformation algorithms to represent tailored algorithms for<br />
more complex sense-making tasks, such as node removal in criminal networks [169] (see analysis<br />
of sense-making work flows below).<br />
Sense-making work flows<br />
We outline the typical work flow of applying algorithm-based sense-making to a criminal network<br />
as described below. The steps are at the same time the requirements for software support of such<br />
work flows:<br />
1. Work flow input. The input for a sense-making work flow is a criminal network of entities<br />
(information elements, relations, and composites) forming structures through associations.<br />
2. Need for sense-making. (e.g., [168,169,175]) The investigator wants to ask some question<br />
about the criminal network, such as ‘what if’ questions or questions related to a network<br />
measure, i.e. ‘measure’ questions. An example of a ‘what if’ question could be: What will<br />
happen if we remove these two nodes from the network? Follow-up questions could be: are any<br />
new relations between remaining nodes forming? or are other information elements going<br />
to take the place of the removed ones? Questions related to measures could be: who controls<br />
communication in this network? or what individuals in the network are connecting to the<br />
key individuals in the network? The purpose of such questions is typically to determine<br />
weak points in a network, where infiltration would be feasible.<br />
3. Tailoring desired sense-making work flow. Tailoring a desired work flow for a specific<br />
sense-making task has many steps: (a) Selecting what algorithms to run to match<br />
the desired questions. (b) When running multiple algorithms in a work flow it should be<br />
possible to decide the order they run in if sequential. If the algorithms on the other hand are<br />
set to run in parallel then order does not matter. (c) Customizing each individual algorithm<br />
according to visual symbols, associations, reports, etc. (d) Deciding the input and output<br />
of each individual algorithm. The output of the final algorithm will be the output of the<br />
sense-making work flow.<br />
4. Run the sense-making work flow. Starting the sense-making work flow must also be a<br />
user controlled process. If the work flow produces one or several network measures as output,<br />
the measure can be computed on every event that occurs in the common information space.<br />
But the system should also consider another type of algorithm, which changes the structure<br />
of entities (editing, adding, or removing).<br />
5. Results. Deciding what to do with the results: should they be discarded from or appended<br />
to the investigation? Typically a lot of sense-making synthesis is required to reach a certain<br />
point of clarity. The importance of keeping a record (history) of such discard and<br />
append actions (events) is illustrated by investigators often needing to retrace the steps of<br />
investigations to see if something was missed [128, 162, 204].<br />
6. Retrieve a report. If interesting results are yielded, the end user can decide to retrieve a<br />
report with the information, analysis, and results aggregated.<br />
7. Save sense-making work flow. Finally, the user could want to save a work flow, if it<br />
might be useful for future investigations, or if it is to be shared with other investigators.<br />
The application of standardized sense-making algorithms (such as measures of centrality) and<br />
custom-made algorithms (e.g., node removal), requires a great deal of abstraction and interpretation<br />
by the user. When an algorithm anticipates certain information element and relation types, it<br />
will be up to the user to map the results back into the domain of their criminal network. If, on the<br />
other hand, the user can tailor the algorithm to the available data and customize the generation of<br />
a specific output structure for results, then the user is controlling the algorithm, and the algorithm<br />
is merely assisting the investigator, functioning as a tool. The algorithm is not in control of the<br />
sense-making work flow, forcing the investigator to do additional conversions of the output to be<br />
useful for an intended analysis.<br />
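A work flow built from the three algorithm types and from steps 3 to 5 above, as an added Python sketch that is not CrimeFighter Investigator's code. Betweenness centrality stands in for the measure algorithm and node removal for the transformation; the WorkFlow class, the slot names and the sample network are assumptions.<br />

```python
"""Work flow sketch: measure -> transformation -> measure, run in a set order."""
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

Network = Dict[str, Set[str]]  # undirected adjacency: node -> neighbours


def build(links: List[Tuple[str, str]]) -> Network:
    net: Network = {}
    for a, b in links:
        net.setdefault(a, set()).add(b)
        net.setdefault(b, set()).add(a)
    return net


def betweenness(net: Network) -> Dict[str, float]:
    """Measure algorithm: betweenness centrality (Brandes, unweighted)."""
    score = {v: 0.0 for v in net}
    for s in net:
        order: List[str] = []
        preds: Dict[str, List[str]] = {v: [] for v in net}
        sigma = {v: 0 for v in net}    # number of shortest paths from s
        sigma[s] = 1
        dist = {s: 0}
        queue = deque([s])
        while queue:                   # breadth-first search from s
            v = queue.popleft()
            order.append(v)
            for w in net[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in net}
        for w in reversed(order):      # accumulate dependencies back to s
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: c / 2 for v, c in score.items()}  # undirected: pairs seen twice


def remove_nodes(removed: Set[str]) -> Callable[[Network], Network]:
    """Transformation algorithm, customized with the nodes to take out."""
    def transform(net: Network) -> Network:
        return {v: n - removed for v, n in net.items() if v not in removed}
    return transform


class WorkFlow:
    """Runs steps in the order they were added; each step names its input
    and output slot, and every executed step is logged as a history event."""

    def __init__(self, name: str):
        self.name = name
        self.steps: List[Tuple[str, Callable, str, str]] = []
        self.events: List[str] = []

    def add(self, label, algorithm, source, target) -> "WorkFlow":
        self.steps.append((label, algorithm, source, target))
        return self

    def run(self, network: Network) -> dict:
        slots = {"network": network}   # the synthesized network is not modified
        for label, algorithm, source, target in self.steps:
            slots[target] = algorithm(slots[source])
            self.events.append(label)
        return slots


def node_removal(removed: Set[str]) -> WorkFlow:
    """Custom-made algorithm: a saved combination of the algorithms above."""
    return (WorkFlow("node removal")
            .add("calculate betweenness", betweenness, "network", "before")
            .add("remove nodes", remove_nodes(removed), "network", "what_if")
            .add("calculate betweenness (what-if)", betweenness, "what_if", "after"))


# Constructed sample network: A-B and D-E, with B and D joined through C and F.
SAMPLE = build([("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"),
                ("B", "F"), ("F", "D")])


def top(scores: Dict[str, float]) -> List[str]:
    best = max(scores.values())
    return sorted(v for v, s in scores.items() if s == best)


if __name__ == "__main__":
    result = node_removal({"F"}).run(SAMPLE)
    print("highest betweenness before:", top(result["before"]))
    print("highest betweenness after :", top(result["after"]))
```

Because the what-if network is written to its own slot, the synthesized network stays intact and the result can be appended to or discarded from the investigation afterwards.<br />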
11.1.2 CONCEPT: Structural parser<br />
A separate tool is required to tailor and customize the three algorithm types (and their many<br />
instantiations) discussed above and control the creation and execution of sense-making work flows<br />
according to the investigator’s intended application. The structural parser is such a tool. The parser<br />
is a concept we have adopted from hypertext, generally used for particular structure domains, i.e.,<br />
spatial parser, taxonomic parser, etc. We have decided to use the more generic term structural,<br />
to decouple the structural parser from knowing what structure domain the algorithms it supports<br />
will require parsing of (see Figure 11.3).<br />
Figure 11.3: A structural parser must be able to: tailor algorithms of different types (e.g., the<br />
order of algorithms - see left); customize the settings and inputs for algorithms (middle); and<br />
create new algorithms by combining the existing ones (right).<br />
Examples of parsers responsible for specific tasks within a certain structure domain include<br />
the spatial parsers in VKB [198] and ASAP [170]. The social network analysis tabbed pane in<br />
Analyst’s Notebook [2] (see Section 4.1.1) has an ‘Options’ tab for customization, where the user<br />
can tick off the centrality measures they want to include, together with other options such as<br />
normalization of results and whether or not to use the directions of links [107].<br />
11.1.3 CONCEPT: History<br />
History is not just an important concept for synthesis; it is equally important, if not more, for<br />
sense-making tasks. Just like history must keep track of synthesis events, it should also keep a<br />
record of sense-making events, such as ‘calculate centrality measure’, ‘predicted 2 new entities’,<br />
etc. And the recorded history events themselves can be used for sense-making, e.g., retracing the<br />
steps (see Section 11.3.4 below).<br />
11.1.4 TASK: Retracing the steps<br />
<strong>Criminal</strong> network investigators often retrace the steps of their investigation to see what might<br />
have been missed and where to direct resources in the continued investigation. Walking through<br />
an existing recorded investigation is used by new team members to understand the current status<br />
of the investigation and for training purposes.<br />
Homicide detectives retrace through all the evidence on their unsolved genuine mystery investigations:<br />
“It is a bastard of a case, and again Landsman asks himself: what are we missing?<br />
Maneuvering through the evening traffic on Liberty Road, he runs two weeks of investigation<br />
through his mind” [204].<br />
Figure 11.4: To be able to utilize history for sense-making purposes, the history of user actions<br />
must be recorded (left), it should be possible to navigate the history (middle), and editing the<br />
history is essential (right).<br />
Figure 11.5: Retracing the steps of investigations is often used when an investigation has stalled<br />
(i.e., no new leads are generated) or for training or explanatory purposes (see Section 12.1.1 in<br />
the chapter on dissemination).<br />
11.1.5 TASK: Creating hypotheses<br />
Generating hypotheses and competing hypotheses is a core task of investigation that involves<br />
making claims and finding supporting and opposing evidence. Investigators often retrace the<br />
steps of their investigation to see what might have been missed to evolve an existing hypothesis<br />
or start a new one (see Figure 11.6).<br />
Figure 11.6: Creating new hypotheses using argumentation and alternatives, or retracing the steps<br />
of existing hypotheses.<br />
Journalist Daniel Pearl was kidnapped in Karachi in early 2002 and the criminal network investigators<br />
followed the hypothesis that the leader of a radical Islamist group, Shaikh Gilani,<br />
masterminded the kidnapping, since Pearl was scheduled to meet him on the day of his disappearance.<br />
One day the investigative team receives an email, profiling a shadowy character suspected<br />
of having bankrolled the 9/11 attacks, Omar Saeed Sheikh: “Omar has a particular specialty: he<br />
kidnaps Westerners”. But the team finds nothing linking Omar to Daniel’s disappearance (besides<br />
this specialty), and the current state of their hypothesis has a lot more supporting arguments<br />
pointing towards Gilani. [128, 162, 227]<br />
On February 5, 2003, Secretary of State Colin Powell presented to the United Nations council the<br />
US hypothesis on Saddam Hussein’s weapons of mass destruction program. The supporting arguments<br />
were primarily based on one human intelligence source, an Iraqi defector who manufactured<br />
a story based on open source United Nations reports and his work as a chemical engineer. [59,242]<br />
11.1.6 TASK: Adaptive modeling<br />
Representing the expected structure of networks for pattern and missing information entity detection<br />
is a proactive sense-making task. Adaptive modeling embeds the tacit knowledge of investigators<br />
in network models for prediction and analysis (see Figure 11.7).<br />
Figure 11.7: Extracting a model from a criminal network investigation, adapting the model to a<br />
new situation, and then applying the model to the same or another criminal network.<br />
Several studies have described the structural evolution of terrorist networks and cells that are related to<br />
al-Qaeda and affiliated movements (AQAM) and that plot to hit targets in Europe. This structural<br />
evolution has gone through four phases. Vidino (2011) outlines the evolution of these European<br />
networks during the first three phases, and provides a detailed description of the fourth phase,<br />
including characteristics in terrorism related to AQAM [236], that resembles a model. Sageman<br />
(2004) found in his work on structural patterns in “terror networks” [188] that people had joined<br />
the jihad in small groups (called cliques, where every node is connected to every other node).<br />
Several individuals lived together for a while and had intense discussions about the jihad. When<br />
one of the friends was able to find a bridge to the jihad, they often went as a group to train<br />
in Afghanistan. Nesser (2006) models the structures of jihadist terrorist cells in the UK and<br />
Europe [154]. Nesser identified a distinct set of profiles: a typical cell includes an entrepreneur,<br />
his protege, misfits and drifters, which also explains the Sageman (2004) concepts of cliques (network<br />
cells), bridges and hubs (the entrepreneur). The relations among cell profiles as well as meta data<br />
characteristics for each profile (e.g., education, marital status, children, age) are described.<br />
11.1.7 TASK: Prediction<br />
The ability to determine the presence or absence of relationships between and groupings of people,<br />
places, and other entity types is invaluable when investigating a case. Prediction based on different<br />
information entities, i.e., information elements, relations, composites, and their attributes is<br />
preferable (see Figure 11.8).<br />
“The value of a prediction lies in the assessment of the forces that will shape future events and the<br />
state of the target model” [40]. “Determining the pattern of links within a large social network<br />
is often problematic due to the labor-intensive nature of the data collection and analysis process”<br />
[183]. After Operation Crevice a list with 55 suspects linked to the case was created, but MI5<br />
did not have enough resources for surveillance of everybody on the list. They selected (predicted)<br />
the 15 individuals they thought were a threat to national security, missing key individuals behind<br />
the July 7th bombings [110]. The links between Operation Crevice and the July 7th bombings are<br />
still being investigated by the British Home Office [167].<br />
Figure 11.8: Predicting missing information entities: links, structures, key players, and subgroups.<br />
In a 2011 interview, Alex Strick van Linschoten [134] suggested prediction of missing links between<br />
Afghan Taliban members based on knowledge about their andiwali¹ system, “where groups tend<br />
to gather based on prior connections. Young men from the same village could group together in<br />
one cell; madrassas also allow young men to form ties. Some groups may have blood relations that<br />
bring them together in a group of andiwali” [137, 166].<br />
11.1.8 TASK: Alias detection<br />
<strong>Network</strong> structures may contain duplicate or nearly duplicate entities. Alias detection can be<br />
used to identify multiple overlapping representations of the same real world object. Semantic<br />
and orthographic aliases are two types of aliases that are relevant for criminal network investigation.<br />
Semantic aliases could be intentional (using different names in different contexts) or overlapping<br />
(two persons use the same alias in the same context). Orthographic aliases typically refer to<br />
different spellings of the same name because the language (writing system) is different, but it<br />
could also mean simple mis-spellings such as typos, etc. (see Figure 11.9).<br />
Figure 11.9: Detecting semantic and orthographic aliases to analyze if two entities are in fact the<br />
same, or if a single entity was in fact two different entities.<br />
An extreme example is the mastermind behind the kidnapping of journalist Daniel Pearl, Omar<br />
Saeed Sheikh, who used up to 17 aliases [128]: “You run up against the eternal problem of any<br />
investigation into Islamist groups or al-Qaeda in particular: the extreme difficulty of identifying,<br />
just identifying, these masters of disguise, one of whose techniques is to multiply names, false<br />
identities, and faces”. Khalid Sheikh Muhammad used more than two dozen aliases [146]. In<br />
the UK investigation of whether or not the July 7th bombings in London 2005 could have been<br />
prevented based on information from the prior Operation Crevice, MI5 had come across different<br />
variations of the name “S. KHAN” (the name of the plot ringleader, Mohammed Siddique Khan).<br />
They consequently believed the name could have been an alias “due to a combination of both the<br />
multiple spellings and lack of traces on databases” [110]. Aliases are inherently also a problem<br />
when analyzing online violent radical milieus: “the Internet allows for the virtual construction<br />
and projection of personalities that may or may not be accurate reflections of the physical lives<br />
controlling those avatars” [29].<br />
¹ “Andiwal” is the Pashto (Afghani language) word for “friend”.<br />
11.1.9 TASK: Exploring perspectives<br />
To reduce the cognitive biases associated with a particular mind set, the exploration of different<br />
perspectives (views) of the information is a key criminal network investigation task (see Figure<br />
11.10).<br />
Figure 11.10: Alternatives to the often used navigational (link) perspective are the spatial, taxonomic,<br />
time line, map, and audio perspectives.<br />
During the Daniel Pearl investigation a chronology of events (time line) is created simultaneously<br />
with the criminal network (link chart) of involved individuals who were potentially linked to the<br />
crime [162]. A time line perspective could also be used for temporal organization of previous<br />
investigations, e.g. terrorism plots in the European Union [236] (see also Figure 14.10).<br />
When Colin Powell presented the United States’ hypothesis on Saddam Hussein’s weapons of mass<br />
destruction program, he used both augmented satellite photos (images/maps) and recordings of<br />
intercepted phone calls (audio) with subtitles [238, 257].<br />
11.1.10 TASK: Decision-making<br />
During an investigation, decisions have to be made such as selecting among competing hypotheses.<br />
Auto-generated reports and storytelling can also be used for higher-level decision-making (see<br />
Figure 11.11).<br />
Figure 11.11: Decision-making is typically done by selecting arguments and alternatives, or it is<br />
based on reports and storytelling.<br />
As mentioned, a list with 55 individuals was created after Operation Crevice, and it had to be<br />
decided how to focus limited resources [110, 252]. In the case of the CIA’s investigation into possible<br />
weapons of mass destruction in Iraq, the CIA based their decision on uncorroborated evidence<br />
(arguments) [59, 242]. The team investigating the kidnapping of Daniel Pearl decides to focus<br />
resources on the alleged mastermind Sheikh Gilani, the man who Pearl was scheduled to interview<br />
on the day of his disappearance [128, 162, 227].<br />
11.1.11 TASK: Social network analysis<br />
Social network analysis measures such as degree, betweenness, closeness, and eigenvector can<br />
provide important criminal network insights (see Figure 11.12). These and similar measures are<br />
often used as input for other more advanced and specialized sense-making algorithms, either<br />
producing new measures or transforming the network.<br />
Figure 11.12: Degree, betweenness, closeness, and eigenvector measures of centrality.<br />
Slate reporter Chris Wilson has described how the US military used social network analysis to<br />
capture Saddam Hussein [250]: “In Tikrit, players were captured, killed, and replaced at a low<br />
enough rate that the network was able to cohere. The churn rate is likely much higher in an<br />
extremist group like al-Qaeda”. In one assessment of destabilization tactics for dynamic covert<br />
criminal networks, it is pointed out that in standard social network analysis node changes are the<br />
standard approach to network destabilization [35].<br />
“MI5 [. . . ] decided not to continue surveillance of Khan and Tanweer because the quantity of<br />
Khan and Tanweer’s links to the fertilizer bomb plotters targeted in Operation Crevice were less<br />
than 0.1 percent of the total links. Their argument failed to take into account the betweenness<br />
centrality of Khyam. Betweenness centrality refers to relationships where one individual provides<br />
the most direct connection between two or more groups. These individuals bridge networks, or<br />
subnetworks. In the case of Khan and Tanweer, Khyam was likely serving a liaison role rather<br />
than a broker role, meaning his betweenness was not likely critical to their plot but was indicative<br />
of Khan and Tanweer’s intelligence value” [111].<br />
11.1.12 TASK: Terrorist network analysis<br />
Sense-making measures specifically developed for terrorist networks such as level of secrecy (covertness)<br />
and efficiency can provide more focused insights due to their domain focus. Terrorist network<br />
measures are used to understand and subsequently destabilize networks (e.g., to reduce the flow<br />
of information through the network or to diminish the network’s ability to reach consensus as<br />
a decision-making body) or to search for specific entities or patterns in the network (e.g., key<br />
players). Examples are shown in Figure 11.13.<br />
Figure 11.13: Terrorist network measures include secrecy and efficiency for measuring link importance,<br />
and detection of key players and communities (subgroups). Terrorist network destabilization<br />
criteria are often used to determine the success or failure of such measures.<br />
The link importance measure has been shown to offer new insights into the 9/11 and Bali bombing<br />
terrorist networks by pointing out links that are important to the network [244]. Community<br />
(subgroup) detection has been applied to a network of 60 criminals dealing with drugs [255] and<br />
prediction of missing key players has been tested on the Greek terrorist network November 17 [182].<br />
11.2 Designs<br />
In this section, we present designs for criminal network sense-making tasks supported by CrimeFighter<br />
Investigator, but also ideas that remained ideas yet were found useful by the criminal network<br />
investigators we discussed them with, or in investigations of our own.<br />
11.2.1 CONCEPT: Algorithm (sense-making work flows)<br />
Custom-made algorithm design is exemplified by the design of our node removal algorithm below,<br />
followed by designs of our sense-making work flows. Please refer to Section 11.2.6 on social network<br />
analysis for designs of measure algorithms such as traditional and extended entity centralities.<br />
CUSTOM-MADE ALGORITHM (NODE REMOVAL)<br />
Based on literature reviews (e.g., [35,36,40,174,183]), feedback from intelligence analysts and our<br />
own ideas, we propose a node removal algorithm involving the following eight steps. The two<br />
perspectives (steps 5 and 6) are exchangeable and adaptive by adjustment of their settings:<br />
1. Define ‘what if’ question(s), thereby focusing on specific secondary effects of node removal.<br />
Investigators typically frame these ‘what if’ questions that they want to ask using natural<br />
language, for example: “what network paths with a change in distance from 2 to 1 will<br />
emerge when the node is removed”. This could point out individuals gaining direct access<br />
to key individuals after node removal, if the investigators have prior knowledge about who<br />
these key individuals are. The ‘what if’ questions are framed by the investigators.<br />
2. Select nodes of interest. All nodes are not necessarily relevant for the defined ‘what if’<br />
question(s). The investigators will decide which individuals it would make sense to include<br />
based on their tacit knowledge and other preconceived notions or experience.<br />
3. Select node to remove. Although the algorithm lets the investigator see the probable effect<br />
of removing any node from the criminal network, network information such as social network<br />
measures, predicted future states, and destabilization criteria are considered when selecting<br />
which node to remove.<br />
4. Remove selected node and all associated links. Removing a node with more than a few links<br />
can be a cumbersome synthesis task to perform manually, i.e., removing the links one by<br />
one without accidentally deleting other individuals’ links.<br />
5. Perspective 1: predict new links. Prediction of new probable links between the remaining<br />
individuals in the network based on for example open source information and the tacit<br />
knowledge of the investigators. The predicted links are input data for the processing of<br />
‘what if’ questions.<br />
6. Perspective 2: changing degree centrality. Displaying the changing degree centrality of each<br />
node will disclose changes in node importance to the investigator.<br />
7. Discard or append new links. The investigator might want to follow some leads based on<br />
the links predicted after the node removal. Or maybe some settings need to be adjusted,<br />
and the investigator will discard the results.<br />
8. Dissemination of secondary effects. Before the algorithm results are appended or discarded,<br />
a report which outlines the secondary effects of the node removal, listing the current setting<br />
and how the algorithm reached its conclusions would be helpful for (easy) dissemination to<br />
intelligence customers or other investigative team members who did not participate in the<br />
reasoning session.<br />
We present a node removal scenario in Section 14.2 describing how the CrimeFighter Investigator<br />
supports the above defined algorithm steps.<br />
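The eight steps above can be walked through on a small network. The following is an added example, not code from CrimeFighter Investigator: the six-node network, the `group` attribute and the same-group link prediction heuristic in step 5 are constructed assumptions, and degree is reported as an unnormalised link count.<br />

```python
from collections import deque
from itertools import combinations

# Constructed sample data (not case data): undirected links and a 'group'
# attribute that stands in for the investigators' tacit knowledge.
EDGES = [("N1", "N3"), ("N2", "N3"), ("N3", "N4"), ("N4", "N5"), ("N1", "N6")]
GROUPS = {"N1": "cell-1", "N2": "cell-1", "N6": "cell-1",
          "N4": "cell-2", "N5": "cell-2"}


def build(edges):
    """Adjacency sets for an undirected network."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def distance(adj, src, dst):
    """Hop distance by breadth-first search; None when unreachable."""
    if src not in adj or dst not in adj:
        return None
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt in adj[node] - seen:
            seen.add(nxt)
            queue.append((nxt, hops + 1))
    return None


def predict_links(adj, removed, groups):
    """Step 5 (assumed heuristic): former neighbours of the removed node are
    predicted to connect directly when they share the same group."""
    former = sorted(adj[removed])
    return [(u, v) for u, v in combinations(former, 2)
            if v not in adj[u] and groups.get(u) and groups.get(u) == groups.get(v)]


def node_removal(edges, groups, removed, interest):
    """Steps 3-6 for the 'what if' question: which pairs of interest go from
    distance 2 to distance 1 once `removed` is gone?"""
    before = build(edges)
    if removed not in before:
        raise ValueError(f"{removed} is not in the network")
    # Step 4: drop the node and every link attached to it in one operation.
    after = {n: nb - {removed} for n, nb in before.items() if n != removed}
    predicted = predict_links(before, removed, groups)
    for u, v in predicted:
        after[u].add(v)
        after[v].add(u)
    pairs = combinations(sorted(set(interest) - {removed}), 2)
    closer = [(u, v) for u, v in pairs
              if distance(before, u, v) == 2 and distance(after, u, v) == 1]
    # Step 6: unnormalised degree (link count) before and after, per node.
    degree = {n: (len(before[n]), len(after[n])) for n in sorted(after)}
    return {"removed": removed, "predicted": predicted,
            "closer": closer, "degree": degree}


def decide(edges, result, append, history):
    """Step 7: append or discard the predicted links; either way the decision
    is recorded as a history event."""
    history.append(("append" if append else "discard", result["removed"],
                    list(result["predicted"])))
    kept = [e for e in edges if result["removed"] not in e]
    return kept + result["predicted"] if append else list(edges)


def report(result):
    """Step 8: plain-text summary of the secondary effects."""
    lines = [f"Removed node: {result['removed']}"]
    lines += [f"Predicted link: {u} - {v}" for u, v in result["predicted"]]
    lines += [f"Distance 2 -> 1: {u} - {v}" for u, v in result["closer"]]
    lines += [f"Degree {n}: {b} -> {a}" for n, (b, a) in result["degree"].items()
              if a != b]
    return "\n".join(lines)


if __name__ == "__main__":
    history = []
    outcome = node_removal(EDGES, GROUPS, "N3", GROUPS)
    print(report(outcome))
    print(decide(EDGES, outcome, append=True, history=history), history)
```

In the constructed network, removing N3 cuts N4 and N5 off from the rest, so only the N1 and N2 pair moves from distance 2 to distance 1, and only N4 loses a link.<br />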
SENSE-MAKING WORK FLOW<br />
The list below outlines our design for how we believe criminal network investigators should be<br />
able to work with algorithms, to define so-called work flows. The design of the CrimeFighter<br />
Investigator Algorithm component is described in greater detail in Section 8.5.3. Here we describe<br />
the design for each of the steps for creating sense-making work flows, as outlined in Section 11.1.1<br />
(analysis):<br />
1. Work flow input. Input is either based on a series of synthesis and sense-making iterations<br />
or imported from a previous investigation. A design is therefore not created for this step.<br />
2. Need for sense-making. This is a decision made by the investigator based on the current<br />
state of the criminal network in the common information space. The need for sense-making<br />
cannot be decided by software.<br />
3. Run the sense-making work flow. There is a need to differentiate between transformative<br />
algorithms and measures. The created work flow(s) should be added to a list that is<br />
available from the common information space. That is, (parts of) the network must be visible,<br />
simultaneously with the list of created sense-making work flows. We suggest embedding<br />
a view for algorithms in the common information space.<br />
4. Results. As described in the analysis, there is only a need for deciding what to do with<br />
results produced by algorithms that transform the network. A pop-up should ask the user<br />
whether or not to deal with all results at once or each individual result (i.e., each predicted<br />
link or information element). If all results is selected, then all entities related to the transformation<br />
are highlighted, to inform the user what entities precisely the decision to discard<br />
or append those results concerns. If possible, display additional information about the results,<br />
e.g., number of information elements, relations, and composites, or perhaps the link<br />
importance measure for all relations should be displayed. Whether the results are appended<br />
or discarded, the action (event) should be appended to the criminal network investigation<br />
history.<br />
Alternatively, if individual results is selected, iterate through each result action and perform<br />
the following for each one: highlight the entity related to the transformation, to inform<br />
the user what precisely the decision to discard or append that entity concerns. If possible,<br />
display additional information about the entity, e.g., what caused the entity to be predicted,<br />
what is the centrality of the entity, or general meta data information about the entity such<br />
as attributes or the entity’s visual abstraction. This could be displayed in a so-called object<br />
inspector, or in the specialized sense-making view. Again, the append or discard action<br />
(event) should be appended to the criminal network investigation history.<br />
5. Retrieving a report. When a sense-making work flow has been executed, this should be<br />
indicated somehow in the specialized sense-making view. It should also be indicated whether<br />
or not the execution produced any results. If a sense-making work flow is marked as executed<br />
and the work flow produced results, then a selection of that button should make available a<br />
button that the user can push to extract the report (if multiple reports are available, then<br />
the user should be given the choice between these options). The analysis and design of the<br />
actual report generation process is described in Section 12.1.2 and Section 12.2.2.<br />
6. Save sense-making work flow. The option to save the sense-making work flow must be<br />
available through the specialized sense-making view. Another option could have been the<br />
spatial parser, but since it is unclear at the point of customization of the algorithm, this<br />
could potentially inhibit the creativity involved in tailoring an algorithm. The process of<br />
saving the work flow will be controlled by a dialog, asking for various information about the<br />
work flow. Minimally a name, but a description of the type of criminal network sense-making<br />
that the work flow is suitable for could also be relevant.<br />
11.2.2 TASK: Creating hypotheses<br />
We divide our design of the creating hypotheses task into reasoning using issue-based argumentation<br />
and reasoning by creation of alternative interpretations using structural capabilities to create,<br />
e.g., branched information structures (lines of reasoning or thinking).<br />
TASK: Issue-based argumentation<br />
Investigators use evidence (i.e., facts) or inferential judgments to reason about the issues they<br />
come across in their work. Inferential judgments typically require detailed reasoning involving<br />
several positions and even more “pro” and “con” arguments, while fact-based reasoning typically<br />
is done by creating relations to pieces of evidence in the space. Algorithms for machine inferential<br />
judgments exist; such functionality would be helpful for investigators.<br />
Besides creating the link chart and a chronology of events, the Daniel Pearl investigative team also<br />
continuously updates the thoughts and evidence about “Who kidnapped Daniel Pearl?” (i.e., who<br />
are the mastermind(s) behind the kidnapping). The most wicked problem of an investigation is<br />
always “Who did it?” or “Who is going to do it?” - and part of that problem is the acknowledgment<br />
of “Who didn’t do it.”, as a result of listing pros and cons regarding the suspects. A sketch<br />
of the intended issue-based argumentation interface is shown in Figure 11.14.<br />
Figure 11.14: A design sketch of our intended issue-based argumentation interface.<br />
11.2.3 TASK: Adaptive modeling<br />
The goal of adaptive modeling is to enhance criminal network synthesis tasks with the option to<br />
build adaptive rule-based models of re-occurring criminal network structures. We have reviewed<br />
literature on terrorist profiling that provides arguments for focusing on the modeling of relational<br />
and biographical profile characteristics. The entities of the models (information elements, relations,<br />
and composites) are related to each other based on their individual attributes. This allows the<br />
investigators to embed their skill, expertise and experience into the system, facilitating a team-oriented<br />
criminal network investigation. We propose the following design for adaptive modeling:<br />
1. Synthesis of models. It is necessary to build models of criminal network structures based<br />
on profiles of persons and other information entities, who are related to each other by specific<br />
attributes (e.g. age, home country, education, family ties, sub group, etc.).<br />
If rules can be created based on natural language instead of mathematical models (but<br />
still representing the same semantics), it will provide criminal network investigation teams<br />
with a more intuitive approach to describe the world in a more detailed way than simply<br />
using node and relation weights. Modeling profile characteristics (a): selecting profile<br />
characteristics suitable for rule-based modeling is a complex task, although the psychological<br />
parts of profiles are being disregarded. And not all biographical or relational characteristics<br />
are straightforward to model using language based rules. Rule format and parameters<br />
(b). It is important to keep the rule format simple in order to follow the natural language<br />
strategy. Relational and biographical characteristics (c) can be modeled using natural<br />
languages, and computational rules can be defined to encapsulate them.<br />
2. Adaptable models. These models of criminal network structures must be adaptable to<br />
changes in the associations between entities, or parts of existing models can be used to create<br />
new models.<br />
We believe that the following interaction requirements will provide investigators with a<br />
way to embed their personal knowledge and experience into adaptive rule-based models of<br />
criminal network structures. All stakeholders of the intelligence cycle followed by a criminal<br />
network investigation team should be able to use these tools. Each of the following design<br />
requirements is deduced from these paradigms, and desired functional requirements are<br />
listed to underpin each one.<br />
Team-orientation through adaptation is essential for criminal network investigation teams,<br />
i.e., adapting the data model of their investigation tool to match the team member’s view of<br />
the world. Attribute adaption (a) includes editing (renaming, adding, deleting etc.) the<br />
attributes of information elements such as persons, cities, organizations and their relations.<br />
Rule adaption (b) as the world changes or new information about profile characteristics<br />
emerges is essential. If a set of rules is locked and cannot be altered it would prevent the<br />
improvement and sophistication of models.<br />
Intuitive gesture-based interactions: this applies to information analysis but also the creation<br />
of rules between the individual attributes of information elements. Drag-and-drop features<br />
would facilitate a more visual approach to rule building and hence aid the user. Clear and<br />
simple graphical user interfaces combined with gesture guided interactions to access the<br />
information on which rules are based would also be a benefit in building rules.<br />
3. Models as input for sense-making. Profiles of individuals based only on relational and<br />
biographical data (that is disregarding the psychological part of their profile), can be connected<br />
together in networks representing expected cell structures (like Nesser did in [154]), and then<br />
re-used for sense-making in other criminal network investigations.<br />
Our design for support of computations over adaptive network structure is as follows: a<br />
parser must be implemented to handle the processing of rules, running against the complete<br />
network structure. The network structure analyzer and parser must be able to cooperate<br />
with a parser analyzing spatial structures in order to create a combined presentation and<br />
analysis within the criminal network investigation tool.<br />
Rule design<br />
Since rules are the conditional logic of adaptive models, we will focus the design in this section<br />
on those rules. It is important to distinguish semantically between information element, relation,<br />
and composite rules. Information element rules are used to describe attributes that apply to<br />
profiles of individual persons, locations or organizations etc. Relation rules associate information<br />
elements, forming the criminal network structure of the model. In this section, we will discuss<br />
some observed general characteristics of the intended CrimeFighter Investigator rules and then<br />
give examples of both information element and relation rules.<br />
The general rule format used for both information element and relation rules is given in Figure<br />
11.15. Attribute name indicates which information element or relation attribute (Figure 11.16)<br />
the rule is targeted at. Attribute type is information about the type of the attribute content,<br />
i.e., whether it is an integer number, a text string or an array of text strings. The rule operator’s function<br />
is to provide the conditional logic that decides whether a rule evaluates to true or false based on<br />
the rule attribute name and the provided rule parameters, if any. A criminal network investigator<br />
must offer a number of both boolean operators (SmallerThan, BiggerThan, EqualTo etc.) and text<br />
string operators (EqualsIgnoreCase, SubStringOf, MinimumOccurences(#) etc.). Rule parameters<br />
are an option to add additional parameters to be included in the rule evaluation. A parameter could<br />
be an integer number, a text string or an array of text strings. It could also be another attribute of<br />
the information element that this rule is attached to. And finally, it could be a classification<br />
(or taxonomy) on a certain topic as described by the criminal network investigation team or an<br />
individual team member. As an example, if the team builds a taxonomy of militant religious<br />
groups, it would be possible to use classes of that taxonomy as a parameter for rules.<br />
Figure 11.15: Design of general rule characteristics.<br />
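The rule format described above (attribute name, attribute type, operator, parameters) can be written as a small evaluator. This is an added example, not the CrimeFighter Investigator implementation: the semantics given to SubStringOf and MinimumOccurences, returning None for a missing or wrongly typed attribute, and the `region-x` taxonomy, person record and rules are all assumptions constructed for illustration.<br />

```python
from dataclasses import dataclass
from typing import Any, Optional

# Attribute types named in the rule format: integer, text string, array of text strings.
TYPES = {"int": int, "str": str, "str[]": list}

# Constructed taxonomy a team might maintain; class and member names are placeholders.
TAXONOMY = {"region-x": ["Country A", "Country B"]}


@dataclass(frozen=True)
class Attr:
    """Rule parameter that points at another attribute of the same element."""
    name: str


@dataclass(frozen=True)
class TaxonomyClass:
    """Rule parameter that points at a class of the team's taxonomy."""
    name: str


@dataclass(frozen=True)
class Rule:
    attribute: str         # attribute name the rule targets
    attr_type: str         # key of TYPES
    operator: str
    parameter: Any = None  # literal, Attr or TaxonomyClass
    count: int = 1         # the '#' of MinimumOccurences


# Assumed operator semantics; the operator names are the ones listed in the text.
COMPARE = {
    "SmallerThan": lambda value, param: value < param,
    "BiggerThan": lambda value, param: value > param,
    "EqualTo": lambda value, param: value == param,
    "EqualsIgnoreCase": lambda value, param: value.casefold() == param.casefold(),
    "SubStringOf": lambda value, param: value.casefold() in param.casefold(),
}


def resolve(parameter, element):
    """Turn a parameter reference into the concrete value to compare against."""
    if isinstance(parameter, Attr):
        return element.get(parameter.name)
    if isinstance(parameter, TaxonomyClass):
        return TAXONOMY.get(parameter.name)
    return parameter


def evaluate(rule: Rule, element: dict) -> Optional[bool]:
    """True/False when the rule can be decided; None when the attribute or
    parameter is missing or has the wrong type (assumed behaviour)."""
    value = element.get(rule.attribute)
    if not isinstance(value, TYPES[rule.attr_type]) or isinstance(value, bool):
        return None
    param = resolve(rule.parameter, element)
    if param is None:
        return None
    try:
        if rule.operator == "MinimumOccurences":
            # At least `count` of the attribute's values occur in the parameter list.
            values = value if isinstance(value, list) else [value]
            wanted = [param] if isinstance(param, str) else list(param)
            wanted = {w.casefold() for w in wanted}
            return sum(v.casefold() in wanted for v in values) >= rule.count
        return bool(COMPARE[rule.operator](value, param))
    except (TypeError, AttributeError):
        return None  # operator does not fit the operand types


def evaluate_profile(rules, element):
    """Evaluate every rule; the profile matches only if all rules are True."""
    results = {f"{r.attribute} {r.operator}": evaluate(r, element) for r in rules}
    return all(v is True for v in results.values()), results


# Constructed person element and rules (illustrative only).
PERSON = {"name": "Person 1", "age": 34, "home_country": "Country C",
          "visited": ["country b", "Country D"], "education": "engineering"}
RULES = [
    Rule("age", "int", "BiggerThan", 25),
    Rule("home_country", "str", "MinimumOccurences", TaxonomyClass("region-x")),
    Rule("visited", "str[]", "MinimumOccurences", TaxonomyClass("region-x")),
]
```

Keeping "undecidable" (None) separate from False lets an investigator tell a profile that does not match from one where the data is simply missing.<br />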
Before giving rule examples, we would like to discuss the attributes associated with person information<br />
elements and person-to-person relations by the Investigator tool (Figure 11.16). The<br />
list of attributes is partly based on (Gniadek 2010) [80] and partly our own experiences gained<br />
from studying Nesser’s 2006 model (see Section 14.1.1) together with our analysis of the criminal<br />
network involved in Daniel Pearl’s kidnapping (see Section 3.5.1 and Section 14.1). General<br />
attributes like ‘Source of information’, ‘Time of entering data’, ‘Source reliability’ and ‘Date of<br />
relation creation’ etc. have been disregarded for the sake of simplicity, but are of course important<br />
steps of the intelligence gathering process.<br />
As described in Section 14.1.1, it was part of the profile of jihadist terrorist cell leaders in the<br />
UK and Europe that they typically have participated in jihad in their original home country (or<br />
Afghanistan, Pakistan, Chechnya, Bosnia). A prerequisite of participating in jihad in a country<br />
must be to have visited that country, and it could also be useful information even though the ‘participation<br />
in jihad’ might not show any matches. Aiming at analyzing large amounts of data, we<br />
cannot know if a person’s home country is part of the list {Afghanistan, Pakistan, Chechnya, Bosnia}<br />
and we have to make two rules in order to be sure (shown below).<br />
1: <br />
2:
11.2. DESIGNS CHAPTER 11. SENSE-MAKING<br />
Figure 11.16: Information element and relation attributes.<br />
{Afghanistan, Pakistan, Chechnya, Bosnia}><br />
Figure 11.17 shows an example of a person-to-person relation rule, where the aim is to determine<br />
whether or not the person on the left is older than the person on the right. The direction of<br />
a relation plays a key role when defining relation rules, since it indicates how the comparison operator<br />
is applied. The algorithm parsing this rule simply takes the age of the person attached<br />
to the left side of the relation. If one end of the relation is not connected to an information<br />
element, (or if the information element does not have the requested attribute) that specific rule should<br />
be disregarded during analysis, but will be invoked immediately when relation endpoints become<br />
connected again. Please note that in the example given in Figure 11.17, the rule parameters are<br />
not used and therefore set to null.<br />
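The rule format and the relation rule described above can be sketched as follows. This is an added example, not CrimeFighter Investigator's own code: the attribute names (`homeCountry`, `visitedCountries`, `age`), the sample persons, the `AttributeRef` and `TaxonomyClass` parameter types and the exact operator semantics are assumptions. A rule evaluates to `None` when it has to be disregarded.

```python
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class AttributeRef:
    """Rule parameter that points at another attribute of the same element."""
    name: str


@dataclass(frozen=True)
class TaxonomyClass:
    """Rule parameter that points at a class of a team-defined taxonomy."""
    name: str


@dataclass(frozen=True)
class Rule:
    attribute_name: str      # attribute the rule is targeted at
    attribute_type: type     # int, str or list (array of text strings)
    operator: str            # key into OPERATORS
    parameters: Any = None   # literal, AttributeRef, TaxonomyClass or None (null)
    count: int = 1           # the "#" of MinimumOccurences(#)


def _occurrences(values, wanted):
    """Count how many attribute values appear in the parameter list (case-insensitive)."""
    values = [values] if isinstance(values, str) else values
    wanted = {w.lower() for w in wanted}
    return sum(1 for v in values if v.lower() in wanted)


# Operator names are taken from the text; the semantics are this example's assumptions.
OPERATORS = {
    "SmallerThan": lambda value, param, n: value < param,
    "BiggerThan": lambda value, param, n: value > param,
    "EqualTo": lambda value, param, n: value == param,
    "EqualsIgnoreCase": lambda value, param, n: value.lower() == param.lower(),
    "SubStringOf": lambda value, param, n: value.lower() in param.lower(),
    "MinimumOccurences": lambda value, param, n: _occurrences(value, param) >= n,
}


def _typed(element, rule):
    """Return the targeted attribute, or None if it is absent or has the wrong type."""
    value = (element or {}).get(rule.attribute_name)
    return value if isinstance(value, rule.attribute_type) else None


def evaluate_element_rule(rule, element, taxonomy=None):
    """Evaluate a rule attached to one information element: True, False or None."""
    element = element or {}
    param = rule.parameters
    if isinstance(param, AttributeRef):
        param = element.get(param.name)
    elif isinstance(param, TaxonomyClass):
        param = (taxonomy or {}).get(param.name)
    value = _typed(element, rule)
    if value is None or param is None:
        return None  # attribute or parameter unavailable: disregard the rule
    return OPERATORS[rule.operator](value, param, rule.count)


def evaluate_relation_rule(rule, relation):
    """Compare the left endpoint's attribute with the right endpoint's (direction matters)."""
    left = _typed(relation.get("left"), rule)
    right = _typed(relation.get("right"), rule)
    if left is None or right is None:
        return None  # empty endpoint or missing attribute: disregard until reconnected
    return OPERATORS[rule.operator](left, right, rule.count)


# Constructed sample data.
COUNTRIES = ["Afghanistan", "Pakistan", "Chechnya", "Bosnia"]
PERSON_A = {"name": "Person A", "age": 41, "homeCountry": "Pakistan",
            "visitedCountries": ["France", "Bosnia"]}
PERSON_B = {"name": "Person B", "age": 27, "homeCountry": "Denmark",
            "visitedCountries": ["Sweden"]}

HOME_RULE = Rule("homeCountry", str, "MinimumOccurences", COUNTRIES)
VISIT_RULE = Rule("visitedCountries", list, "MinimumOccurences", COUNTRIES)
OLDER_RULE = Rule("age", int, "BiggerThan")  # relation rule, parameters left null

if __name__ == "__main__":
    for person in (PERSON_A, PERSON_B):
        print(person["name"], evaluate_element_rule(HOME_RULE, person),
              evaluate_element_rule(VISIT_RULE, person))
    print(evaluate_relation_rule(OLDER_RULE, {"left": PERSON_A, "right": PERSON_B}))
    print(evaluate_relation_rule(OLDER_RULE, {"left": PERSON_A, "right": None}))
```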
Figure 11.17: Relation rule example.<br />
11.2.4 TASK: Alias detection<br />
If a person deliberately uses different names in different contexts it can be very confusing for criminal<br />
network investigators because it complicates the sense-making process. Algorithms that can<br />
detect the relations between aliases, and then indicate the probability that these two individuals<br />
are actually the same person could solve this problem (see example shown in Figure 11.19a). If,<br />
at the same time, the inferences made by such a detection technique are made available, it would<br />
be a helpful decision-making tool for criminal network investigators (see Figure 11.18). The investigator<br />
should be offered the option to merge the two entities representing the individuals, the<br />
result of which is shown in Figure 11.19b.<br />
Levy (2003) describes how confusing it can be if two persons use the same alias, using an example<br />
of individuals involved in Daniel Pearl’s kidnapping and murder (see Section 3.5.1 for more details):<br />
“Sometimes you think you’re dealing with two men when, in reality, there are two using one name.<br />
Asif Ramzi for example, is also the pseudonym of another terrorist, a resident of Muhammad Nagar<br />
in Karachi, who is also known as Hafiz or Chotto, Chotto being one of the pseudonyms of Mazhurul<br />
Islam as well, the latter also known as Dhobi.” (see Figure 11.20).<br />
Figure 11.18: Imagined visualization of detected aliases, either deliberate aliases (one person) or same alias (two persons). An indication of the probability that the two linked individuals are in fact the same person or two different persons is also shown.<br />
Figure 11.19: Example of how the detection of an alias can help reduce the complexity of criminal networks, by merging two entities. (a) An example where a person is using his real name in one context and an alias in another. (b) A person who appeared twice in a network has been merged to one entity.<br />
Figure 11.20: It can also complicate an investigation significantly, if two persons are using the<br />
same alias. In this case Muhammad Nagar and Mazhurul Islam both use the alias Chotto.<br />
11.2.5 TASK: Exploring perspectives<br />
The hierarchical (taxonomic) view is essential for both synthesis and sense-making, as some criminal<br />
network investigations might make more sense looking at the network ordered hierarchically<br />
(see design in the chapter on synthesis Section 10.2.1). Issue-based argumentation is designed to<br />
exist in a separate view (see Section 11.2.2).<br />
11.2.6 TASK: Social network analysis<br />
The classic centrality algorithms have been extended by adding some analysis prior to the existing<br />
steps, which alter the criminal network depending on entity associations added by the user.<br />
Our implemented betweenness algorithm (described in [169]) with the extra step for the selected<br />
centrality extension(s) works as follows:<br />
1. Pre-analysis; In this step the algorithm analyzes whether or not the included association<br />
types appear in the criminal network. If they do then changes are temporarily made to the<br />
network accordingly.<br />
2. List all entity pairs; This step creates a list of all entity pairs that exist in the network,<br />
again based on the included associations. This means that if the direct node-group association<br />
is included, then all entities that are directly or indirectly (by association through<br />
intermediary entities) associated to the group with links are added to the list of entity pairs.<br />
3. List all shortest path(s) for each entity pair; We calculate the shortest path(s) for all<br />
entity pairs without considering the cost-efficiency of our algorithm: we take a breadth first,<br />
brute-force approach [207], visiting all nodes at depth d before visiting nodes at depth d +<br />
1, removing all loops and all paths to the destination node longer than the shortest path(s)<br />
in the set, until only the shortest path(s) remain.<br />
4. Node occurrence; We calculate the ratio by which each node in the network appears in the<br />
accumulated set of shortest path(s).<br />
5. Bubble sort; The results are sorted according to the user’s choice, usually descending with<br />
the highest centrality first.<br />
6. Generate report; If the user requests it, a pdf report is generated for easy dissemination of<br />
the results of the centrality measure. The user can decide what report elements to include.<br />
Pre-analysis is the algorithm step of primary interest to the work presented here. For the direct<br />
empty endpoint association, pre-analysis involves adding temporary information elements as<br />
placeholders of empty endpoints. For the semantic co-location association, we create a temporary<br />
relation between two entities if they are not already related and they are within the user-defined<br />
boundaries of each other (see Figure 11.21).<br />
11.3 CrimeFighter Investigator<br />
In this section we present our implemented support of software tool concepts and criminal network<br />
investigation tasks, which we analyzed in Section 11.1 and created designs for in Section 11.2.<br />
11.3.1 CONCEPT: Algorithm<br />
CrimeFighter Investigator supports three structure algorithm types: measures (e.g., entity centrality),<br />
transformative algorithms (e.g., entity prediction), and combinations of these. Custom<br />
algorithms are templates of specific criminal network investigation work flow, e.g., understanding<br />
the secondary effects of entity removal or insertion. All algorithms implement the report interface,<br />
where an algorithm’s report elements and design are defined. Rules are used to describe entity-to-entity<br />
relations, attribute cross products, etc. Each algorithm has a set of general settings and<br />
specific settings. Specific settings include algorithm hooks, i.e., the entity attributes that algorithms<br />
base their computations on, and customizable algorithm parameters.<br />
We refer to Section 11.3.2 (structural parser) for the descriptions of how to use different algorithms,<br />
since it is the role of the structural parser to tailor, customize, and run sense-making algorithms.<br />
Furthermore, Chapter 14 describes three different deployments of CrimeFighter Investigator where<br />
a variety of the discussed algorithms are used.<br />
11.3.2 CONCEPT: Structural parser<br />
CrimeFighter Investigator algorithms are managed by a structural parser (Figure 11.22), where<br />
investigators can select different algorithms to run and control the order in which they are applied,<br />
for example either simultaneously or sequentially.<br />
Figure 11.22 (left, top-frame) shows tabs for different algorithm types. The SNA tab covers social<br />
network analysis measures such as degree, closeness, and betweenness [111, 240]. The terrorist<br />
network analysis measures on the TNA tab are part of our future work, supporting integration<br />
with the CrimeFighter Assistant [244, 245]. The default prediction algorithms include predict<br />
covert network structure and predict missing links [183, 184]. Figure 11.22 (left, bottom-frame)<br />
shows the algorithms selected by the investigators to run. The structural parser will indicate if<br />
there is a potential conflict between the selected algorithms. If a prediction algorithm is selected<br />
to run on every network event, it could create a loop (since it is transformative). Similarly, if<br />
algorithms are running sequentially the position of an entity centrality measure before or after a<br />
transformative algorithm is quite important.<br />
Algorithm settings, both general and specific, are accessed by clicking on the options button shown<br />
in Figure 11.22 (left, top-frame). The predict missing links customization window is also shown in<br />
Figure 11.22 (on the right). Algorithms can run on every system event or when the investigator<br />
requests it (Figure 11.22, top right).<br />
Tailoring prediction of missing links<br />
The user can customize when and how often a prediction algorithm should compute (Figure<br />
11.22a). One option is to automatically run the algorithm every time a change is made to the<br />
criminal network. But the predict missing links algorithm is a transformative algorithm, and<br />
would continue to predict missing links, since each transformation of the network would start the<br />
algorithm again. Therefore, an option to run algorithms when clicking a button has been added<br />
(see Figure 11.1, right side).<br />
(a) without (b) with (c) without (d) with<br />
Figure 11.21: The two implemented algorithm extensions, the empty endpoint association and<br />
the co-location association are explained. Without the empty endpoint association, the link from<br />
the empty endpoint to the connected entity is not included in measures of betweenness centrality<br />
and degree centrality is not calculated for the empty endpoint (a) and with that association the<br />
link is included (b). Without the co-location association entities positioned near each other in<br />
the information space are not included in measures of centrality (c), but if entities fall within the<br />
boundaries defined by the investigators and the association is included, then those entities are<br />
included in measures of centrality (d).<br />
Figure 11.22: The structural parser (left) and the predict missing links algorithm customization<br />
window (right).<br />
Next is the selection of algorithm hooks (Figure 11.22c). A special drag and drop view is used<br />
for this task (Figure 11.23). Both entity attributes and centrality measures can be selected as<br />
algorithm hooks.<br />
Numerical algorithm variables are customized using standard input fields such as text fields (any<br />
number or text), sliders (bounded numbers), and drop down boxes (enumerated values) as shown<br />
in Figure 11.22d. Network information (evidence) is what the prediction algorithms base their<br />
inferences on (Figure 11.22e). For predict missing links, it will be all entities currently in the<br />
network.<br />
The network layout drop down box (Figure 11.22f) can be used to select one of several default<br />
layout algorithms that will be applied after the prediction. Finally, the investigators can customize<br />
what visual symbols (color, thickness, etc.) to apply to the predicted links (Figure 11.22g).<br />
Tailoring measure of betweenness centrality<br />
The interface for customizing measures of centrality is structured in the same way as the interface<br />
for transformative algorithms described above (Figure 11.24). There are however a couple<br />
of important differences which we would like to emphasize, using betweenness centrality as an<br />
example:<br />
Entities? The investigator should decide which entities to include for the calculation of<br />
betweenness centrality, all or only selected entities (e.g., persons)? If not all entities are<br />
included, what should the algorithm do if it encounters a non-included entity when tracing<br />
shortest paths? Should it skip the entity and then continue on the other side if the path<br />
continues, or simply not count the path?<br />
Figure 11.23: Selecting algorithm hooks for the predict missing links algorithm.<br />
Associations? The investigator has to decide how to deal with for example empty relation<br />
endpoints in terms of calculating betweenness centrality. If a relation endpoint is expected<br />
to contain a person-entity, but it is not yet known who, then it might be relevant to include<br />
that empty endpoint in the measure of centrality anyway.<br />
Results? Often it is an advantage to normalize the measure of betweenness centrality for<br />
all entities for comparison purposes, but not always. Also, in some situations it might be<br />
relevant to only list the first 10 or 20 results and in other situations all measures are required<br />
for further sense-making. Finally, it could be useful to emphasize the entity (or entities) with<br />
the highest degree centrality, using color, relative size, or other forms of visual symbols in<br />
the information space.<br />
Figure 11.24 shows the interface for customizing SNA measures of centrality (left) and the subinterface<br />
for setting up visual symbols for visualization of results in the information space (right).<br />
Tailoring extended centrality work flows<br />
CrimeFighter Investigator algorithms are managed using a structural parser, where investigators<br />
can select different algorithms to run and control the order in which they are executed, for example<br />
either simultaneously or sequentially. Figure 11.25 (left) shows how individual centrality<br />
algorithms can be customized by the user. The user must decide how to run an algorithm (Figure<br />
11.25a) and what entities to include for the respective centrality algorithm (Figure 11.25b). This<br />
is done using drag and drop between two defined areas as shown in Figure 11.25 (right, top frame).<br />
For included entities the user can set a weight (maybe a location counts less than a person for a<br />
measure of betweenness centrality) and for excluded entities the user decides how the algorithm should<br />
deal with them, e.g., when tracing a shortest path. Should it not include the shortest path or simply<br />
ignore this entity and continue along the path? Direct and semantic associations are included<br />
or excluded using the same drag and drop approach as for entities (see Figure 11.25c and 11.25d).<br />
Again, weights can be set up for included associations and the algorithm’s action(s) for excluded<br />
associations. Finally, we imagine many settings for how to format and list results (Figure 11.25e).<br />
Typically, normalization is important for comparison of results. If an investigation has many of the<br />
included entities it can be useful only to display for example 10 results based on some parameter,<br />
e.g., highest centrality.<br />
Figure 11.24: The user can customize which entities and associations to include, how to display<br />
results, and the visual symbols for betweenness centrality.<br />
Figure 11.25: Setting up centrality algorithms using structural parser windows: the centrality<br />
algorithm settings window is shown on the left, and the window for inclusion and exclusion of<br />
entities together with specific settings for each of those entities is shown on the right.<br />
It is currently possible to set the visual symbols for the information space and the algorithm view<br />
(see Figure 11.25f). For the information space the user can decide whether or not to overlay<br />
entities with a geometric shape (circle, square, or rectangle) containing the calculated centrality<br />
(instead of just showing the results in the algorithm view). The color, size and outline of the shape<br />
can be decided together with the font and font size of the printed centrality. For the algorithm<br />
view it can be decided how to display the results textually in a list. Maybe a certain attribute<br />
should be printed (e.g., person ’name’ or email ’date’). And the font (type, size and color) can be<br />
set.<br />
Tailoring node removal work flows<br />
CrimeFighter Investigator supports a node removal approach with two perspectives: an inference-based<br />
prediction of new probable links and changes in standard social network degree centrality.<br />
In this section we demonstrate how to tailor node removal work flows. In Chapter 14 we go<br />
through such a node removal work flow and test the tailored algorithm on a criminal network<br />
aggregated from open source reports, creating hypotheses based on path distance and degree<br />
centrality changes. Figure 11.26 (right) shows the algorithms selected by the investigators to run,<br />
in this case ‘CustomNodeRemoval’ and ‘DegreeCentrality’. As mentioned above, the structural<br />
parser will indicate if there is a potential conflict between the selected algorithms. Algorithm<br />
settings, both general and specific, are accessed by clicking on the ‘options’ button shown in<br />
Figure 11.26 (left). Selected parts of the node removal window are shown in Figure 11.27. Specific<br />
visual symbols can be added and edited, in the case of node removal visual symbols are associated<br />
with the different ‘what if’ questions.<br />
Figure 11.26: Structural parser settings and information.<br />
Figure 11.27: Node removal algorithm settings.<br />
The ‘what if’ question editor is shown in Figure 14.7, with the settings for the following question:<br />
“what if individuals who didn’t interact directly before the node removal start to interact<br />
afterwards?”. In order to visualize the links that match the ‘what if’ question constraints, the<br />
question has been set up as follows: the question is focused on Relation entities (links), and will<br />
run computations between all combinations of connected nodes (individuals) in the given criminal<br />
network. The before constraint that has to be fulfilled, is that path distances between individuals<br />
should be of length greater than 1 and the post prediction constraint is that path-length should<br />
now be exactly 1. If these conditions are fulfilled, then those links will be colored red.<br />
11.3.3 CONCEPT: History<br />
The history editor provides the investigative team with an option to edit the history and basic<br />
space-level events, typically simplifying it or making it more intuitive/descriptive. The sequential<br />
list of history events is presented in a tree view, where nodes are events grouped by the investigator<br />
(explained below) and leaves are basic events raised by the user’s interactions with the common<br />
information space. The investigative team can use the history editor to group, annotate, delete,<br />
and move events up or down in the history. Storytelling is an example of how editing history<br />
events can be used for information sharing. Creating stories based on events is a matter of<br />
grouping the space-level events into the steps telling the story. This will allow the investigator to<br />
disseminate only the most important points to the customer (see Chapter 12 on dissemination).<br />
Simply replaying all the space-level events could be very confusing to the customer, if there are<br />
many.<br />
Figure 11.28: The ‘what if’ question editor.<br />
11.3.4 TASK: Retracing the steps<br />
Retracing the steps of criminal network investigations is facilitated by a history feature. Recording<br />
investigation history allows the investigative team to review the path or progress of their investigation<br />
or to reclaim information that previously had been deemed irrelevant or deleted, but<br />
then found to have greater significance due to new incoming information. The user interface of the<br />
navigable investigation history feature is embedded in the tool bar (see Figure 11.1, at the top).<br />
It has buttons for navigating the recorded events, and the current event displayed in the space is<br />
visualized using a slider as well as a label showing the total number of events (e.g., 59/59). The<br />
history feature records all the interactions that investigators have with entities in the space as<br />
events, e.g., “create information element”, “resize composite”, “move information element”, and<br />
so on. Each event is given a time stamp and added to the sequential history.<br />
11.3.5 TASK: Creating hypotheses<br />
CrimeFighter Investigator supports two types of hypotheses supported by issue-based argumentation<br />
technology and the option to create branched information structures.<br />
TASK: Issue-based argumentation<br />
Reasoning can be done using the issue-based argumentation feature of CrimeFighter Investigator.<br />
The example presented in Figure 11.29 is based on what is known 60 hours into the Daniel Pearl<br />
investigation, when the team receives an email from a colleague at the Wall Street Journal London<br />
bureau, which the bureau received from Andrea Gerlin of the Philadelphia Inquirer. Attached to<br />
the email is an article from the January 24 Independent, profiling a shadowy character suspected<br />
of having bankrolled the 9/11 attacks, Omar Saeed Sheikh. But what disturbs Andrea is that<br />
“Omar has a particular specialty: he kidnaps Westerners”. However, the team finds nothing<br />
linking Omar to Daniel’s disappearance (besides this specialty), and given the current state of the<br />
issue chart where a lot more ‘Pro’-arrows (i.e., supporting arguments) are pointing towards Gilani<br />
(the person that Daniel was supposed to meet on the evening of his kidnapping).<br />
Reasoning can be attached to any entity in the criminal network. A small hexagon icon with the<br />
text “IPA” is used to show that reasoning is attached, and clicking the icon opens the issue-based<br />
argumentation view. Reasoning can be used for several purposes: (1) to capture and visualize<br />
disagreement in an analysis situation, ensuring that all positions and arguments are heard; (2) to<br />
reason argumentatively during storytelling (e.g., a senior police officer is creating a briefing based<br />
on an investigation); and (3) to create and explore (competing) hypotheses. According to the IBIS<br />
model [47], we have adopted the following predefined relations: is-suggested-by (←), responds-to<br />
(→), supports (+), objects-to (−), questions (?), and generalizes or specializes (○). The relation<br />
direction can be both ways in all cases. These predefined relations aid the investigative team in<br />
controlling the mapping of their dialog about issues, positions, and arguments.<br />
Figure 11.29: CrimeFighter Investigator - Issue-based argumentation view from the Daniel Pearl<br />
investigation.<br />
11.3.6 TASK: Adaptive modeling<br />
The developed rule editor for adding, deleting and updating rules is shown in Figure 11.30. The<br />
editor is divided into three panels, from top to bottom they are: Information panel, rule editing<br />
panel and existing rules panel. The information panel shows information about the information<br />
element or one relation and two information elements depending on the type of rule being edited.<br />
The rule editing panel handles update and creation of individual rule parameters, and the existing<br />
rules panel provides an overview of the rules associated with the information element or relation.<br />
11.3.7 TASK: Prediction<br />
CrimeFighter Investigator has support implemented for two Bayesian inference algorithms. Prediction<br />
of covert network structure and prediction of missing links are both described below.<br />
Predict covert network structure<br />
The predict covert network structure algorithm works computationally like the predict missing<br />
links algorithm, the main difference being the inclusion of individuals in the (Bayesian) evidence,<br />
not already in the criminal network.<br />
Figure 11.30: CrimeFighter Investigator rule editor for creating and updating rules.<br />
Predict missing links<br />
In the following example, we describe CrimeFighter Investigator support of the Bayesian inference<br />
method described in [183]. As discussed in analysis, the network nodes and attributes used in<br />
this example are inspired by the Greek criminal network November 17 (see [183] for more details).<br />
The major steps involved in the calculation are shown in Algorithm 1 and the network we predict<br />
missing links for, is shown in Figure 11.31. The network has six nodes and seven (positive) links.<br />
Part of the customization of this algorithm (see Section 11.3.2) is to select the entity attributes<br />
(algorithm hooks) for the prediction algorithm. Only enumerated attributes are accepted as<br />
algorithm hooks, i.e., name is not eligible since it can have basically any value.<br />
The first step of the algorithm (line 1), is to calculate the contingency table for each of the selected<br />
algorithm hooks. We will explain how to calculate the contingency table for a role hook which<br />
can have one of two enumerated values: leader (L) or operational (O). The faction can have one<br />
of three enumerated values (G, S, or K), each named after an individual within that respective<br />
faction. The contingency table records the relation between positive and negative links in the gold<br />
standard (purple nodes in Figure 11.31).<br />
Figure 11.31: A predict missing links example.<br />
Algorithm 1: Predict missing links<br />
input : A criminal network investigation (gold standard)<br />
output: A list of missing links<br />
hookRules ← InitHookRules();<br />
hookProductRules ← InitHookProductRules();<br />
bayesianEvidence ← GetAlgorithmSettings().GetBayesianEvidence();<br />
1 foreach Hook h in Hooks do CalcContingencyTable(h);<br />
2 productRuleResults ← CalcHookProducts();<br />
3 predictedLinks ← PredictLinks(productRuleResults, bayesianEvidence);<br />
4 missingLinks ← GetMissingLinks();<br />
The second step is to calculate the products of different hook relations if more than one hook is<br />
added to the inference. Only the products above a cut-off value of 2,14 are included. The cut-off<br />
value is calculated as the total possible links in the gold standard divided by the existing links<br />
(see line 2):<br />
L − L × G − S = 3,00 × 1,14 = 3,42<br />
L − L × S − K = 3,00 × 3,43 = 10,29<br />
O − L × S − K = 0,75 × 3,43 = 2,57<br />
O − O × S − K = 0,75 × 3,43 = 2,57<br />
The third step is the actual prediction of missing links based on the likelihood products calculated<br />
above together with the likelihoods for individual algorithm hooks (line 3). The second input to<br />
the prediction of links is the evidence, that is the attributes and their values for all individuals<br />
in the network. If we chose to apply the predict covert network structure algorithm then the<br />
evidence could also be information about individuals not in the network. These individuals would<br />
be added if a link (relation) to them is predicted from within the gold standard network. From<br />
the likelihoods we see that L − L and S − K relations are above the cut-off value, together with<br />
the products mentioned under the second step above. We see that entities sharing both L − L and<br />
S − K relations are especially likely to be connected, hence the thicker red line between C and H<br />
in Figure 11.31.<br />
The fourth step is a simple clean-up function which will remove those links already in the network<br />
prior to the prediction, leaving only new (missing) links (line 4).<br />
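The four steps of Algorithm 1 can be followed on a small network in the added example below, which is not the CrimeFighter Investigator implementation. The six-node gold standard is constructed (it is not the network of Figure 11.31); only the cut-off formula is taken from the text. Computing a likelihood as the share of positive links showing a value pair divided by the share of negative links showing it, and combining hooks by multiplying their likelihoods, are assumptions of this example.

```python
import math
from itertools import combinations

# Constructed gold standard: role is L (leader) or O (operational),
# faction is G, S or K. Links are stored as sorted (a, b) tuples.
NODES = {
    "P1": {"role": "L", "faction": "S"},
    "P2": {"role": "L", "faction": "K"},
    "P3": {"role": "L", "faction": "S"},
    "P4": {"role": "L", "faction": "K"},
    "P5": {"role": "O", "faction": "G"},
    "P6": {"role": "O", "faction": "G"},
}
LINKS = {("P1", "P2"), ("P1", "P3"), ("P1", "P4"), ("P1", "P5"),
         ("P2", "P3"), ("P2", "P6"), ("P5", "P6")}


def value_pair(nodes, a, b, hook):
    """Unordered pair of hook values for two entities, e.g. ('K', 'S')."""
    return tuple(sorted((nodes[a][hook], nodes[b][hook])))


def contingency_table(nodes, links, hook):
    """Step 1: per value pair, count [positive links, negative links]."""
    table = {}
    for a, b in combinations(sorted(nodes), 2):
        counts = table.setdefault(value_pair(nodes, a, b, hook), [0, 0])
        counts[0 if (a, b) in links else 1] += 1
    return table


def likelihoods(table):
    """Likelihood per value pair: P(pair | link) / P(pair | no link)."""
    pos_total = sum(pos for pos, _ in table.values())
    neg_total = sum(neg for _, neg in table.values())
    if pos_total == 0:
        raise ValueError("the gold standard contains no links")
    ratios = {}
    for pair, (pos, neg) in table.items():
        if neg == 0:
            # Pair never seen among negative links: unbounded evidence for a link.
            ratios[pair] = math.inf if pos else 0.0
        else:
            ratios[pair] = (pos / pos_total) / (neg / neg_total)
    return ratios


def cutoff(nodes, links):
    """Cut-off as stated in the text: total possible links / existing links."""
    possible = len(nodes) * (len(nodes) - 1) // 2
    return possible / len(links)


def predict_missing_links(nodes, links, hooks):
    """Steps 2-4: multiply hook likelihoods, keep products above the cut-off,
    then drop links that already exist in the gold standard."""
    ratios = {h: likelihoods(contingency_table(nodes, links, h)) for h in hooks}
    limit = cutoff(nodes, links)
    missing = []
    for a, b in combinations(sorted(nodes), 2):
        factors = [ratios[h][value_pair(nodes, a, b, h)] for h in hooks]
        # A zero likelihood vetoes the pair (also avoids 0 * inf = nan).
        score = 0.0 if 0.0 in factors else math.prod(factors)
        if score > limit and (a, b) not in links:
            missing.append((a, b, score))
    return sorted(missing, key=lambda item: -item[2])


if __name__ == "__main__":
    print("cut-off: %.2f" % cutoff(NODES, LINKS))
    for hook in ("role", "faction"):
        print(hook, likelihoods(contingency_table(NODES, LINKS, hook)))
    for a, b, score in predict_missing_links(NODES, LINKS, ["role", "faction"]):
        print("missing link %s-%s, likelihood product %.2f" % (a, b, score))
```

With both hooks selected, only the unlinked leader pair with an S and a K faction exceeds the cut-off; with the role hook alone, every unlinked leader pair does.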
The result of a missing links prediction on a sampled version of 20 individuals from the al-Qaeda<br />
network is shown in Figure 11.32. The investigator can decide to append the predictions to the<br />
network or simply discard them.<br />
Figure 11.32: The result of a missing links prediction on a sampled version of 20 individuals from al-Qaeda central staff [188]. Blue solid lines are true positives while green dashed lines indicate false positives.<br />
Figure 11.33: Betweenness centrality for the individuals in Figure 11.32, with 4 added links (thick blue).<br />
11.3.8 TASK: Decision-making<br />
Decision-making is currently supported in the issue-based argumentation view (see Section 11.3.5).<br />
A decision is one position, the issue it responds to and associated arguments.<br />
11.3.9 TASK: Social network analysis<br />
CrimeFighter Investigator supports dangling endpoints during synthesis (empty relation endpoints),<br />
and the social network analysis algorithms are therefore extended to include this aspect<br />
in calculations if it is found necessary for the investigation. We focus on betweenness centrality<br />
and describe how this centrality measure is implemented (see Algorithm 2). How the algorithm is<br />
customized to suit different needs is also described.<br />
Algorithm 2: Betweenness centrality<br />
input : A criminal network investigation<br />
output: A measure of betweenness centrality for individual entities<br />
1 allEntityPairs ← GetAllEntityPairs();<br />
2 foreach entityPair in allEntityPairs do shortestPaths ← GetShortestPaths(entityPair, relations);<br />
3 foreach shortestPath in shortestPaths do snaResults ← GetNodesOccurenceFraction(shortestPath);<br />
4 snaResults ← BubbleSort(snaResults);<br />
The betweenness algorithm starts by creating a set of all entity pairs in the criminal network (line<br />
1). Then the shortest path between each pair of entities is calculated (line 2). For each entity pair,<br />
we determine the fraction of shortest paths that pass through each entity on those paths (line 3).<br />
The betweenness of each entity is the sum of all these fractions across the entire network. The<br />
results are bubble sorted, for example with the highest centrality first, before they are presented to the user<br />
(line 4).<br />
The betweenness centralities of a sampled version of 20 individuals from Sageman’s al-Qaeda<br />
network [188] are shown in Figure 11.33. The investigator has decided to append the predicted<br />
links shown in Figure 11.32 to the network before calculating the centralities.<br />
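The four steps of Algorithm 2, written out in Python as an added example (this is not the CrimeFighter Investigator implementation).<br />
The sample relations are constructed. Treating each empty endpoint as its own placeholder entity is an assumed way of including dangling endpoints, and Python's built-in sort stands in for the bubble sort.<br />

```python
from collections import deque
from itertools import combinations

# Constructed sample network (not data from the dissertation). None marks an
# empty relation endpoint, i.e. a relation whose other end is not yet known.
SAMPLE_RELATIONS = [
    ("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"),
    ("E", "D"), ("D", "F"), ("F", None),
]


def build_adjacency(relations, include_dangling=False):
    """Turn relation pairs into an undirected adjacency map.

    Assumption of this example: when include_dangling is True, every empty
    endpoint becomes its own placeholder entity; otherwise the relation is
    skipped and only its known endpoint is kept as an entity.
    """
    adjacency = {}
    placeholders = 0
    for endpoints in relations:
        resolved = []
        for entity in endpoints:
            if entity is None and include_dangling:
                placeholders += 1
                entity = f"unknown-{placeholders}"
            resolved.append(entity)
        for entity in resolved:
            if entity is not None:
                adjacency.setdefault(entity, set())
        first, second = resolved
        if first is not None and second is not None and first != second:
            adjacency[first].add(second)
            adjacency[second].add(first)
    return adjacency


def shortest_paths(adjacency, source, target):
    """Return every shortest path from source to target (step 2)."""
    distance = {source: 0}
    predecessors = {source: []}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            break  # all predecessors of target are known at this point
        for neighbour in sorted(adjacency[node]):
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                predecessors[neighbour] = [node]
                queue.append(neighbour)
            elif distance[neighbour] == distance[node] + 1:
                predecessors[neighbour].append(node)
    if target not in distance:
        return []  # the two entities are in different components

    paths = []

    def walk_back(node, suffix):
        if node == source:
            paths.append([source] + suffix)
            return
        for previous in predecessors[node]:
            walk_back(previous, [node] + suffix)

    walk_back(target, [])
    return paths


def betweenness(relations, include_dangling=False):
    """Steps 1-4: pairs, shortest paths, occurrence fractions, sorted result."""
    adjacency = build_adjacency(relations, include_dangling)
    scores = {entity: 0.0 for entity in adjacency}
    for source, target in combinations(sorted(adjacency), 2):   # step 1
        paths = shortest_paths(adjacency, source, target)       # step 2
        for path in paths:                                      # step 3
            for entity in path[1:-1]:  # endpoints of the pair do not count
                scores[entity] += 1.0 / len(paths)
    # Step 4: highest centrality first, ties broken by entity name.
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for include in (False, True):
        print("dangling endpoints included:", include)
        for entity, score in betweenness(SAMPLE_RELATIONS, include):
            print(f"  {entity:10s} {score:.1f}")
```

On this sample, including the dangling endpoint raises F from 0 to 5.0 and moves D ahead of B, which shows why the choice matters for the ranking an investigator sees.<br />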
CHAPTER 12<br />
Dissemination<br />
Dissemination tasks help the criminal network investigators to formulate their accumulated knowledge<br />
for the customer. As previously mentioned, dissemination has not received the same amount<br />
of attention as synthesis and sense-making.<br />
The remainder of this chapter is organized as follows: analysis (Section 12.1) and design (Section<br />
12.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 12.3) are<br />
explained below.<br />
12.1 Analysis<br />
Based on cases and observations of criminal network dissemination, contact with experienced<br />
end-users from various investigation communities, examination of existing tools supporting dissemination<br />
of criminal network investigations or parts thereof, and our own ideas for dissemination<br />
support, we maintain a list of dissemination tasks.<br />
12.1.1 Storytelling<br />
Investigators ultimately “tell stories” in their presentations when disseminating their results. Organizing<br />
evidence by events and source documents are important tasks, so that the story behind<br />
the evidence can be represented. Storytelling can be useful for different purposes such as briefings,<br />
learning, and training.<br />
12.1.2 Report generation<br />
Report generation involves graphics, complete reports, subspaces, etc. Being able to produce<br />
reports fast is important in relation to time-critical environments and frequent briefing summaries.<br />
It will be necessary to support the generation of reports for complete investigations, algorithms,<br />
and sense-making work flows.<br />
Figure 12.1: Mock-up showing algorithm report elements, that can be dragged to report template<br />
(right).<br />
12.2 Designs<br />
Our designs for storytelling and report generation are outlined below.<br />
12.2.1 Storytelling<br />
Storytelling is based on versioning concepts and the history component, which we presented a<br />
design for in Chapter 8. The intended support for storytelling is an editor of history events inspired<br />
by the one supported by visual knowledge builder (VKB) [198], a spatial hypertext system. Once<br />
the history events have been edited, the story can be told using navigable history.<br />
12.2.2 Report generation<br />
Report generation should be based on basic report elements that can be added to and removed from<br />
report templates, as the user prefers. The intended support for adding and removing report<br />
elements to and from reports is shown in Figure 12.1. The report elements in the example are<br />
based on a predict missing links technique, illustrating that report elements will be different from<br />
algorithm to algorithm.<br />
12.3 CrimeFighter Investigator<br />
In this section, we present our implemented tool support for criminal network investigation dissemination<br />
tasks.<br />
12.3.1 Storytelling<br />
Storytelling is done using the History Editor (Figure 12.2). The granularity of system level history<br />
events is often too fine grained for telling a story. The history editor allows the investigators to<br />
group history events that are relevant for the story individually, but when grouped together they<br />
explain one important step of the investigation. The investigators can delete events (if an entity<br />
was created by mistake and then deleted), they can annotate events or groups of events if they feel<br />
that the system generated description is not sufficient, and finally events can be moved up and<br />
down in order to match a time line of events (a person’s association with a group in a criminal<br />
network investigation can easily be different from when that person became associated with the<br />
group in real time).<br />
Figure 12.2: History editor, annotating a grouping of four events.<br />
12.3.2 Report generation<br />
Report generation is not only available for complete criminal network investigations. All CrimeFighter<br />
Investigator features implement a report-interface that facilitates the addition or removal<br />
of individual report elements. The order in which elements are added to the report is also dynamic.<br />
This makes it easier to create reports targeting specific usages (briefing on specific subject). For<br />
example, after a prediction is done, a PDF report with the detailed calculations is available and<br />
can be retrieved using the algorithm view (see Figure 8.12, right hand side).<br />
CHAPTER 13<br />
Cooperation<br />
They begin to order the network. They have stepped out of normality<br />
and into the exciting world of counterterrorism.<br />
Television and terror: conflicting times and the crisis of news discourse [94]<br />
Cooperation is a natural part of investigations. Cooperation leads to better synthesis and sense-making<br />
that is informed by more perspectives. Sharing of the target model among criminal network<br />
investigators is the starting point for such cooperation, and is possible with the current setup. But<br />
for further support, the CrimeFighter toolbox knowledge base mentioned in Section 1.4 will be key<br />
to cooperation support. Assuming that such a knowledge base is in place, we will analyze the<br />
cooperation tasks defined in Chapter 7.<br />
13.1 Analysis<br />
Sharing of the target model among collaborating criminal network investigators or colleagues<br />
in other organizations, who might be interested in the particular target or entities related to<br />
it, is the starting point of cooperation. Sharing work flows, like sense-making work flows and<br />
custom algorithms, or mining work flow patterns from the previous use of intelligence information<br />
(history), would lead to shared knowledge and potentially also cooperation. The discovery of<br />
emergent collaboration would help the coordination of resources by putting investigators analyzing<br />
similar or the same entities in touch with each other. Such cooperation requires support of a<br />
common knowledge base (see Figure 13.1).<br />
Investigators often share their findings with colleagues or other organizations (agencies, services, or<br />
departments), who might have an interest in the findings. Prior to the terrorist attacks on Norway<br />
22/7 (2011), the Norwegian customs directorate and the postal service had shared findings related<br />
to, what they found to be, suspicious purchases of chemicals in Poland. They forwarded their email<br />
correspondence to the liaison at the Norwegian police security service (PST), who unfortunately<br />
took a long time to assign that particular lead to a specific section [153]. Based on the interrogations<br />
of the Iraqi defector Curveball, information was shared between many agencies, services, and<br />
departments, but the original information was not shared, only selected parts, translations, and<br />
interpretations [59]. Finally, in criminal network investigation environments, work flow sharing often<br />
occurs in the sense that experienced investigators might educate less experienced investigators<br />
in how to do certain work [204].<br />
Figure 13.1: Supporting cooperation by sharing the information space (criminal network) (left) or<br />
sharing work flows, e.g. sense-making work flows such as node removal (right), and discovery of<br />
emerging collaboration based on a common knowledge base (middle).<br />
We did not find specific examples of emerging collaboration notifications within the same organization<br />
(agency, service, or department), places where it would be reasonable to have established<br />
a common knowledge base, like the one described for the CrimeFighter toolbox in Section 1.4.<br />
The examples described above for sharing of findings and work could to a certain degree be considered<br />
emerging collaboration. To establish tool support, it would be necessary to define the<br />
levels of awareness and notifications, i.e. how fine-grained the notifications sent to the<br />
investigators should be. If too many notifications are sent out, it might become an annoying feature for the<br />
investigators and there could be a risk they would turn it off. If too few notifications are sent, important<br />
emergent collaborations could be missed. Emergent collaboration notifications might be<br />
a way to break down the wall of secrecy discussed throughout this dissertation. If an investigator<br />
receives a notification that a colleague in a different section of the secret service is actually<br />
investigating the same individuals, but has some other information as well, the investigator might<br />
be more willing to approach the colleague to start a collaboration, rather than asking around at<br />
meetings or conferences whether anybody else is looking at the same things.<br />
13.2 CrimeFighter Investigator<br />
CrimeFighter Investigator supports sharing of the information space, in the sense that investigators<br />
can save their complete investigation in the original CrimeFighter Investigator format and then<br />
send it to other investigators, who can load it into their CrimeFighter Investigator tool.<br />
CHAPTER 14<br />
Testing the hypothesis:<br />
support of criminal network investigation work flows<br />
A history in which every particular incident may be true may on the<br />
whole be false.<br />
Thomas Babington Macaulay [134]<br />
In this chapter, we demonstrate that the premise for testing (evaluating) our main hypothesis (i.e.,<br />
a software tool “that is useful for criminal network investigators in their work”) is in place. In<br />
Chapters 9 to 13 we focused on support of individual criminal network investigation tasks. Here<br />
we describe three deployments of CrimeFighter Investigator supporting a specific work flow. We<br />
define a work flow to be a process that involves multiple criminal network investigation tasks,<br />
processes, and techniques (but not all of them). Our descriptions of work flow support are based<br />
on relevant criminal network investigation scenarios, sometimes using mock-up figures indicating<br />
how we suggest the implementation of the intended feature. This could indicate a need to place it<br />
in design sections of previous process chapters. However, we find it is necessary to first describe<br />
the intended work flow, to be able to find out how to design experiments that could be used to<br />
evaluate the individual tasks within each work flow.<br />
We have deployed CrimeFighter Investigator in the following work flow settings: An example of<br />
adaptive modeling of Omar Saeed Shaikh and his kidnapping network is given in Section 14.1. A<br />
complete work flow for how to apply the implemented node removal algorithm to a criminal network<br />
is given in Section 14.2. Finally, we demonstrate the deployment of CrimeFighter Investigator<br />
in a setting where a team of investigators are interested to know whether domestic (Danish)<br />
fundamental Islamists are linked up with global al-Qaeda and affiliated movements (see Section<br />
14.3). Section 14.4 summarizes the conclusions and suggestions of future work that the deployment<br />
sections have introduced.<br />
14.1 Adapting existing model of Omar Saeed Shaikh and<br />
his kidnapping network<br />
A typical work flow for adapting an existing model to a new usage involves the following steps:<br />
(1) acquiring the model, either (a) through several synthesis and sense-making iterations or (b)<br />
by importing a work flow from a previous investigation; (2) adapting the model to the new investigation<br />
and the change in tendencies observed there; (3) applying the model to the criminal network<br />
investigation, for customized sense-making controlled by a structural parser. Refer to Section<br />
11.1.6 for an analysis of adaptive modeling.<br />
In this section, we will test if the relational and biographical characteristics of text-based profiles<br />
can be modeled and used for criminal network analysis. We will use a model of jihadist terrorist<br />
cells in the UK and Europe by Nesser (2006) [154] as our starting point. Later, we will compare<br />
a specific profile of this model with the characteristics of Omar Saeed Shaikh (see Section 5.7),<br />
the mastermind behind the kidnapping of The Wall Street Journal reporter Daniel Pearl, a case we<br />
described in Section 3.5.1.<br />
Based on the comparison of characteristics we will adapt the rules used to describe Nesser’s profile,<br />
to evaluate how easy it is to adapt these rule-based models to changes in the profile characteristics.<br />
We adapt parts of the entrepreneur profile to match with the profile of Omar Saeed Shaikh and<br />
his role in the kidnapping plot. We find that the adapted model, as well as Nesser’s original<br />
model, are examples that could be used for criminal network analysis to alert investigators of e.g.<br />
potential terrorist cells forming.<br />
For the kidnapping of Daniel Pearl on January 23, 2002, Omar used four cells as depicted in<br />
Figure 14.1 (not counting the cells responsible for distributing the murder video and baiting<br />
Daniel Pearl [227]). Besides being the mastermind of the plot, he was himself a member of the<br />
initially established cell, the contact cell. The assignment of the contact cell was to arouse the<br />
journalist’s professional curiosity and, on the pretext of leading him to a person linked to a case<br />
he was investigating, persuade him to come to the place of the kidnapping. The second cell was<br />
responsible for external relations, e.g. sending emails to the media with demands etc. The third<br />
cell (the jailers) was at the kidnapping rendezvous and stayed with Danny right up until his<br />
execution. Finally, the (initially) mysterious fourth cell (the executioners), later known to be<br />
Khalid Sheikh Mohammed and his two nephews, decapitated Daniel Pearl and recorded a<br />
video of the murder that was later circulated to the media [128, 146, 162, 227].<br />
Figure 14.1: Omar Saeed Shaikh and four of the cells involved in the kidnapping and murder of<br />
Daniel Pearl. Nomani et al. (2011) describe two more cells, responsible for distributing the murder<br />
video and baiting Pearl [227].<br />
14.1.1 Modeling jihadist terrorist cells in the UK and Europe<br />
As mentioned earlier, a criminal network model is sometimes evolved from scratch, and sometimes<br />
a model from a previous investigation can be adapted and reused. We use Nesser’s (2006) model of<br />
jihadist terrorist cells in the UK and Europe as our starting point. The model is based on a survey<br />
of “a number of al-Qaida associated or al-Qaida inspired terrorist cells that planned, prepared, and<br />
in three instances managed to launch attacks in European countries in the period 1998 until the<br />
present” [154]. Firstly, Nesser’s survey points to a crucial role for socially and politically motivated<br />
activists and idealists, defying stereotypical perceptions of Islamist extremists. Secondly, there are<br />
different roads into, and different motivations for joining terrorist networks. Finally, the activists<br />
need to connect to and interact with the jihadist infrastructure (local jihadists, training camps<br />
and media influence) in order to translate activism and grievances into terrorist acts 82 .<br />
A distinct set of profiles among those involved that recurred across the cases was also identified.<br />
A typical cell included an entrepreneur, his protégé, misfits and drifters as visualized in Figure<br />
14.2. The profiles are explained in more detail below, and selected relational and biographical<br />
characteristics of the three main profiles are listed in Table 14.1, 14.2 and 14.3. In Section 14.1.2<br />
we present parts of a CrimeFighter Investigator model of these profiles and their relations, as well<br />
as the rules used to model the profiles.<br />
Figure 14.2: Outline of Nesser’s Model.<br />
The entrepreneur is the crucial profile; he is the person who makes things happen. No jihadist<br />
cell forms without him. The entrepreneur has an “activist mindset”, being driven by ideas rather<br />
than personal grievances. He is interested in and committed to social issues and politics, he<br />
demands respect from his surroundings and he has a strong sense of justice. Table 14.1 shows<br />
biographical and relational characteristics of the entrepreneur profile that we have found most<br />
suitable for modeling. As our understanding of the modeling technique is further developed we<br />
believe more complex relational and biographical characteristics could be added.<br />
The ‘Links to’ column indicates where information about this characteristic could be found, e.g.<br />
deciding whether or not a person is a senior compared to the other operatives of a terrorist cell<br />
would be based on a comparison of age. The ‘Bio/rel’ column indicates the nature of the profile<br />
characteristic: Is it relational, biographical or a combination? This classification can be quite<br />
ambiguous, since, e.g., a person’s record of failed ambitions (characteristic #3) would be related<br />
to projects he or she failed to succeed with, but in terms of an ongoing investigation it would be<br />
background information, hence biographical information (e.g., “the individual had the role of [role]<br />
in project [project], back in [year]”). That being said, considering our network approach, other<br />
persons associated with those past projects could very well be playing a key role in the current<br />
investigation as well, but if the link charts of those projects do not exist 83 , the incident reports<br />
would be of a biographical nature. Finally, the ‘Rule input’ column indicates the type of the rule<br />
parameters used to search for the information indicated in the ‘Links to’ column (see Section<br />
14.1.2 for rule examples). When the profile characteristic is of a relational nature, we could argue<br />
that the rule parameter type would be an information element (e.g., a person or a group) to allow<br />
for more sophisticated rules. But to keep things simple we have decided to use text strings as the<br />
most advanced input parameter type for rules.<br />
# | Characteristic | Links to | Bio/rel | Rule input<br />
1 | Typically a senior in the cell. | Age | Bio | Integer<br />
2 | NGO Activity | Organizations | Rel | Text Strings<br />
3 | A record of failed ambitions | Projects | Bio | Text Strings<br />
4 | Becomes affiliated with militant groups and individuals | Organizations, Persons | Rel | Text Strings<br />
5 | In charge of the cells external relations with the jihadist infrastructure | Organizations, Persons | Rel | Text Strings<br />
6 | Maybe educated and employed or on welfare | Education, Job(s) | Bio/Rel | Text Strings<br />
7 | Inspired, supported and guided by his mentors | Persons | Rel | Text Strings<br />
8 | Married | Marital Status | Bio/Rel | Text Strings<br />
9 | Children | Children | Bio/Rel | Text Strings<br />
10 | Participation in jihad in original home country (or Afghanistan, Pakistan, Chechnya, Bosnia) | Visited Countries | Rel/Bio | Text Strings<br />
Table 14.1: Selected characteristics of the entrepreneur Profile.<br />
The protégé profile appears to hold a special position vis-à-vis the cell leader (i.e. the entrepreneur).<br />
The protégé is someone the leader respects and trusts with important tasks. He<br />
admires and looks up to the leader. The presence of such a character in the cell tells us something<br />
about the sophistication of the entrepreneur and the ideology that he offers his young accomplices.<br />
It means that jihadism appeals to highly intelligent, socially skilled and well-off people,<br />
social segments that, according to rational choice arguments, would have much to lose by engaging<br />
in terrorist activity. The misfit is someone who performs less well socially, and often has<br />
a troubled background as well as a criminal record. He differs from the entrepreneur and the<br />
protégé because he is not an idealist, appearing to have a somehow “weaker” and more hesitant<br />
personality. The drifter is not a clear-cut profile. He tends to be someone who is ‘going with the<br />
flow’ rather unconsciously. He does not appear to be very ideologically committed when he joins<br />
the jihadist group. He becomes part of the cell by being in the wrong place at the wrong time, or<br />
having social ties with the wrong people. Since drifter characteristics are not easy to define, we<br />
have decided to exclude this profile from further modeling considerations, except for the possible<br />
relation with the misfit profile.<br />
As mentioned above, it is relation rules that glue together the information elements (and each<br />
information element’s rules) to form criminal network structures. The rules representing Nesser’s<br />
structure of profiles as modeled using CrimeFighter Investigator are reviewed in the next section.<br />
Our rule design is described in Section 11.2.3 and the CrimeFighter Investigator rule editor<br />
approach to creating the rules is discussed in Section 11.3.6.<br />
14.1.2 CrimeFighter Investigator model and rules<br />
A CrimeFighter Investigator model and selected adaptive rules based on Nesser’s model are the<br />
results of the first deployment. A visualization of the model is shown in Figure 14.3. Only information<br />
about the relations between the profiles can be deduced from this presentation, i.e. the stronger<br />
relation between the entrepreneur and the protégé is symbolized by a thicker line. Based on the<br />
number of relations it is actually not possible to say who is the cell leader and who are the foot<br />
soldiers; it can, however, be deduced based on the profile names.<br />
# | Characteristic | Links To | Bio/Rel | Rule Input<br />
1 | Holds a special position vis-à-vis the cell leader. | Persons | Rel | Text Strings<br />
2 | Most gifted and intelligent of the young terrorists | Education, Skills | Bio | Text Strings<br />
3 | Excels professionally | Employment | Bio/Rel | Text Strings<br />
4 | Excels academically | Education | Bio/Rel | Text Strings<br />
5 | Excels socially | Friends | Rel | Text Strings<br />
6 | Provides the cell with needed expertise (bomb making skills, IT skills) | Education, Internet Activities, Skills | Bio/Rel | Text Strings<br />
7 | Young and inexperienced | Age | Bio | Number<br />
8 | Well-off | Family, Finances | Rel/Bio | Text Strings, Number<br />
Table 14.2: The protégé profile.<br />
# | Characteristic | Links To | Bio/Rel | Rule Input<br />
1 | Troubled background | Education, Family, Criminal record | Bio/Rel | Text Strings<br />
2 | Criminal record | Criminal record | Bio | Text Strings<br />
3 | Recruited in prison | Persons, Meetings | Rel | Text Strings<br />
4 | Might meet militants in the criminal underworld | Criminal record | Rel | Text Strings<br />
5 | Seldom educated | Education | Bio | Text Strings<br />
6 | Physically fit | Organizations | Rel | Text Strings<br />
7 | Into sports, some very talented | Organizations, Prizes | Rel/Bio | Text Strings<br />
8 | Age varies, but younger than entrepreneur | Age | Bio | Integer<br />
9 | Might be a friend or acquaintance of the cell leader or one of the other members. | Persons, Friends | Rel | Text Strings<br />
10 | Some have violent tendencies, and some have been convicted for acts of violence in the past | Criminal Record | Bio | Text Strings<br />
11 | In charge of acquiring weapons and bomb making materials | Purchases, Criminal Record, Persons | Rel | Text Strings<br />
Table 14.3: The misfit profile.<br />
We have listed the relations found suitable, in terms of the abstractions embedded in our current<br />
rule design (see Section 11.2.3), to be described using relation rules in Figure 14.4 (disregarding<br />
relation 4 between the misfit and the drifter). We found seven relations to be suitable for modeling.<br />
And only the ‘recruited’ relations would have the potential to distinguish any average group of<br />
friends from the jihadist terrorist cells described by Nesser.<br />
In order to make such a differentiation it is clear that the relation rules must be combined with<br />
information element rules describing the individual profiles of the model. A set of information<br />
element rules, corresponding to the 10 characteristics of the entrepreneur listed in Table 14.1 are<br />
shown in Figure 14.5.<br />
Figure 14.3: Nesser’s jihadist cell structure modeled using CrimeFighter Investigator (screen shot<br />
from early version of tool).<br />
Figure 14.4: (semi-mockup) CrimeFighter Investigator with Nesser model relation rules.<br />
Figure 14.5: The list of entrepreneur profile rules.<br />
14.1.3 Demonstrating the need for rule-based model adaption<br />
In this section, we focus on adapting the entrepreneur profile to that of Omar Saeed Shaikh, and<br />
the entrepreneurial role he played in the kidnapping of Daniel Pearl, ignoring that the events<br />
took place ten years ago (and four years prior to Nesser’s model). By comparing part of Nesser’s<br />
entrepreneur profile with the relational and biographical characteristics of Omar Saeed Shaikh we<br />
have noticed a number of differences as shown in Figure 14.6.<br />
The entrepreneur profile characteristics ‘Senior to other operatives’, ‘Central to the recruitment<br />
of other cell members’, ‘Central to the radicalization of other cell members’, and ‘In charge of the<br />
cells external relations with the jihadist infrastructure’ do not match with characteristics of Omar<br />
Saeed Shaikh, while the remaining characteristics are found to match. Adapting the model of the<br />
entrepreneur profile in this case would be a matter of deleting the rules associated with these four<br />
characteristics, and potentially adding new ones. But again, during a real investigation these changes<br />
would not have been made before this “new trend” had occurred in more cases.<br />
Figure 14.6: Mapping part of the entrepreneur profile to Omar Saeed Shaikh.<br />
14.1.4 Discussion<br />
Our first deployment demonstrated difficulties with modeling some characteristics, initially thought<br />
to be suitable for modeling. It became clear that a lot of the rule complexity was embedded in the<br />
operator part of rules, when attempting to describe more complex relational or biographical characteristics.<br />
However, the complexity could be decreased by dividing profile characteristics into a<br />
number of sub-characteristics and then describing each of these using the rules. Another option<br />
would be to allow for a combination of multiple boolean and text string operators within one<br />
single rule. But that would go against the system requirement stating that the building blocks of<br />
rules should be based on natural language, as we expect more math-based rules would be created,<br />
if multiple operators are supported for rules. The rules would over time become interpretable only<br />
by the investigator who initially created them, not adhering to the principles of simplicity and<br />
transparency (human factors #2 and human factors #3).<br />
Since rules are associated with specific characteristics and relations they can be adapted independently<br />
without affecting the remaining part of a model. The separation of rules and target-model<br />
synthesis is convenient as they can then be developed independently, but in the shared information<br />
space. A single rule (or a set of rules) can be updated or deleted using the CrimeFighter Investigator<br />
rule editor (see Section 11.3.6). And new rules can be added using the same rule editor, if<br />
new profile characteristics or relations are discovered.<br />
14.1.5 Conclusions and future work<br />
We have presented support of a work flow, a novel rule-based criminal network analysis technique,<br />
adaptive modeling, involving synthesis tasks to create input for sense-making tasks. This technique<br />
was implemented in CrimeFighter Investigator, in order to assist criminal network investigators in<br />
embedding their experience and knowledge in models, thereby customizing them for their particular<br />
domains. We focused on modeling the relational and biographical characteristics of terrorist<br />
profiles organized in cell structures, and found this to be a rather complex task. To summarize,<br />
our demonstration of this work flow has presented the following contributions to criminal network<br />
investigation tools:<br />
1. We have described first results with converting textual descriptions of terrorist profiles into<br />
computerized models based on relational and biographical characteristics. We have visualized<br />
how relation rules can be used to glue the terrorist profiles together to form network<br />
structures which can be processed by computer algorithms.<br />
2. We have demonstrated support of 2 steps out of 3, for an adaptive modeling work flow:<br />
(1) acquiring a model and (2) adapting the model. Application of the model to a criminal<br />
network for analysis (step 3), is still not implemented, and will be the subject of future work.<br />
We plan to investigate the following topics in relation to the further development of CrimeFighter<br />
Investigator support for adaptive modeling work flows:<br />
1. Proper test data. In order to appropriately evaluate the usefulness of rule-based criminal<br />
network analysis, we need proper test data. It would be highly relevant to follow ongoing<br />
investigations, and create models of expected targets and emerging cells based on previous<br />
cases as well as the investigation team’s experience and ideas.<br />
2. Extending rule-based criminal network analysis with weights. The concept of rule-based<br />
terrorist network analysis could be improved on a number of parameters. First of<br />
all, in order to determine more accurately whether or not a relation exists, it is necessary<br />
to have individual rule weights. When editing and creating rules in the relation rule editor,<br />
visual weights should be applied (similar to adjusting the thickness of relations, depending<br />
on how important, specific, verified the relation is). A semantic weight could also be added<br />
in terms of a number (e.g. 1-10). Rule weights should be used to indicate the importance<br />
of each individual rule in terms of deciding whether or not the relation (as described by the<br />
rules) exists or not.<br />
3. Coupling with CrimeFighter Assistant. We would like to connect CrimeFighter Investigator<br />
with CrimeFighter Assistant in the future, working toward the CrimeFighter toolbox<br />
architecture. It would be essential in order to provide a second criminal network analysis<br />
technique (link importance [244]), which would strengthen the reliability of analysis results<br />
if applied as intended by the investigators.<br />
4. Missing model structure detection. The described rule format can be used to model<br />
relational and biographical characteristics of profiles. CrimeFighter Investigator implements<br />
a structural parser that can handle the comparison of the rules with a criminal network,<br />
but the options are many. If for example 75% of a criminal network cell model is matched<br />
with some criminal network information by the structural parser, then it could be useful to<br />
inform the investigator about this. We imagine using a visual approach, where the already<br />
confirmed information elements and relations are shown in their normal colors, and the<br />
missing parts would be shown using for example a gray color. It would then be possible for<br />
the investigator to determine whether or not this could be a forming criminal network cell,<br />
and if it is, what individuals (according to profiles) are still missing from the cell.<br />
CHAPTER 14. WORK FLOW SUPPORT 14.2. NODE REMOVAL<br />
14.2 Node removal in the November 17 criminal network<br />
A criminal network is a special kind of social network with emphasis on both secrecy and efficiency.<br />
Such networks are intentionally structured to ensure efficient communication between members<br />
without being detected. A criminal network can be modeled as a generalized network (graph)<br />
consisting of nodes and links. Nodes are entities (people, places, events, etc.) and links are relationships<br />
between the entities [245]. Node removal is a well known technique for destabilization<br />
of criminal networks [35, 36]. Deciding which node or group of nodes to remove is dependent on<br />
available intelligence and the topology of the criminal network (hierarchical, cellular, etc.), complicating<br />
the prediction of secondary effects following a node removal. Inference-based prediction and<br />
social network analysis provide different perspectives on criminal networks, thereby assisting investigators<br />
in their decision making by answering the ‘what if’ questions they inherently would like<br />
to ask. We consider prediction to be one of many investigative work flows that criminal network<br />
investigation teams use to analyze criminal networks; a work flow involving both synthesis and<br />
sense-making tasks. The ability to determine the presence or absence of relationships between<br />
groupings of people, places, and other entity types is invaluable when investigating a criminal<br />
case. Standard social network analysis is another investigative task, providing investigators with<br />
information about the centrality of individual nodes in criminal networks.<br />
CrimeFighter Investigator supports a custom made node removal algorithm assisting criminal<br />
network investigators with two perspectives on the changes following node removal: an inference-based<br />
prediction of new probable links and changes in standard social network degree centrality.<br />
Many interventions against criminal (and other covert) networks often take place in the context<br />
of a multi-agency effects-based operations doctrine [211]. Consequently, it is imperative that tools<br />
are developed to assist analysts and investigators in assessing the likely impact and consequences<br />
of interventions against proposed targets in complex socio-technical systems.<br />
In an assessment of destabilization tactics for dynamic covert criminal networks, Carley (2003)<br />
points out that, from an adaptation perspective, node changes (e.g., node removal or insertion) can<br />
be more devastating than relationship changes and that, of the node changes, those involving change<br />
in personnel are the most devastating. Carley further argues “that the removal or isolation of<br />
personnel is more practical, in the short term, than adding personnel, as the latter, particularly<br />
in covert networks, requires infiltration” and notes that in standard social network analysis node<br />
changes are also the preferred approach to network destabilization [35].<br />
Measures and techniques for analysis of secondary effects<br />
We review this theory here, as it is important for understanding the aspects involved in the work<br />
flow. As a consequence of the complexity of criminal networks, investigators need more than one<br />
perspective to assist them when asking ’what if’ questions about the probable secondary effects<br />
of removing a node from a criminal network. Many analysis measures and techniques can provide<br />
such relevant perspectives, including:<br />
Network node and link measures [240,245,248] are used to analyze and make sense of criminal<br />
networks. Standard social network centrality measures are useful for node analysis of complete<br />
static social networks and can indicate the importance of individual nodes in the network. Social<br />
network measures include degree, closeness, betweenness, and eigenvector centrality (see Section<br />
5.9 for more details). Eigenvector centrality is particularly interesting in the context of this work<br />
flow, since a node is considered central to the extent that the node is connected to other nodes<br />
that are central (i.e., high degree centrality). For link analysis, measures such as link betweenness<br />
and link importance have been suggested. Link importance measures how important a particular<br />
link is in a criminal network by measuring how the removal of the link will affect the performance<br />
of the network.<br />
Prediction techniques [40, 182–184] include extrapolation, projection, and forecasting based<br />
on past and current states of a criminal network. These three predictive techniques follow the<br />
approach of assessing forces that act on an entity. The value of prediction lies in the assessment<br />
of the forces that will shape future events and the state of the criminal network. An extrapolation<br />
assumes that those forces do not change between the present and future states; a projection<br />
assumes that they do change; and a forecast assumes that they change and that new forces<br />
are added. Bayesian inference is a (forecasting) prediction technique based on meta data about<br />
individuals in criminal networks. A statistical procedure that is based on Bayes’ theorem can be<br />
used to infer the presence of missing links in networks (see Section 11.3.7 for more details). The<br />
process of inferring is based on a comparison of the evidence gathered by investigators against a<br />
known sample of positive (and negative) links in the network, where positive links are those links<br />
that connect any two individuals in the network whereas negative links are simply the absence of<br />
a link. The objective is often to assess where links may be present that have not been captured<br />
in the collected and processed criminal network information.<br />
Destabilization criteria [35,36] are established by investigators to have a measure of the success<br />
or failure of an operation involving destabilization. Criteria include ’the rate of information flow<br />
through the network has been reduced (perhaps to zero)’, ’the network, as a decision making<br />
body, cannot reach a consensus’, and ’the ability of the network to accomplish tasks is impaired’.<br />
These destabilization criteria could provide useful perspectives on the secondary effects of node<br />
removal. Although they seem eligible for framing as ’what if’ questions, we have focused on<br />
analysis measures and prediction techniques in this work.<br />
Scenario: custom-made node removal<br />
In this section, we describe a CrimeFighter Investigator usage-scenario following the steps presented<br />
in Section 11.2.1. The ‘what if’-question the investigators want to follow in this scenario is:<br />
“what if individuals who didn’t interact directly before the node removal start to interact afterwards?”<br />
(step 1 ). The ‘what if’ question editor setting for this question is shown in Figure 14.7. In<br />
order to visualize the links matching the ‘what if’ question constraints described above, we set up<br />
the question as follows: the question is focused on relation entities (links), and will run computations<br />
between all combinations of connected nodes (individuals) in the given criminal network.<br />
The before constraint that has to be fulfilled is that path distances between individuals should<br />
be of length greater than 1 and the post prediction constraint is that path-length should now be<br />
exactly 1. If these conditions are fulfilled then those links will be colored red. For testing purposes<br />
we have inserted a second ‘what if’ question asking the algorithm to color the true-positive links<br />
green, i.e., links occurring in the full N17 network but not in the sampled N17 network currently<br />
being investigated.<br />
The investigators are prompted to select which nodes (individuals) they find relevant for the node<br />
removal (step 2 ). They have three choices: include all nodes, select the nodes individually by<br />
clicking on individuals, or drag a square to select a subset of nodes (useful if the criminal network<br />
is large with many nodes). Then the investigator is requested to select the node to remove (step<br />
3 ). We base this decision solely on degree centrality within the partially observed N17 network<br />
as shown in Figure 14.9; we choose Pavlos Serifis, since he is observed to have the highest degree<br />
centrality (Table 14.4, second column). In reality, more analytical techniques are needed to make<br />
a decision about a network’s vulnerabilities [35, 36]. After the removal of Pavlos Serifis and his<br />
links (step 4 ) the updated degree centralities are as described in Table 14.4 (third column).<br />
The node removal algorithm starts predicting missing links [183] based on the new network structure<br />
following the node removal (step 5 ). The likelihood of a link being present between all pairs<br />
in the network is calculated based on the attribute data of the remaining individuals. Links whose<br />
likelihood (calculated from the product of individual attribute likelihoods) is higher than a<br />
pre-determined level are accepted as representing predictions of new links [183]. Constraints on how<br />
to visualize the predicted links are used to emphasize paths that previously reached the leadership<br />
figures through Pavlos Serifis, and predicted links not directly related to the removal of Pavlos<br />
Serifis. The evidence that the inferences are based on includes all the individuals in the sampled<br />
network as well as other individuals that the investigators might think could be related to N17,<br />
but are not sure how and to whom specifically they are related.<br />
Figure 14.7: The ‘what if’ question editor.<br />
When the predicted links are shown, the investigators will evaluate whether or not this was a<br />
useful result. The evaluation is based on the change in degree centralities (step 6 ) and their<br />
general observation of changes. The investigators are prompted to either append the predicted<br />
links to the network or simply discard the results as shown in Figure 14.8 (step 7 ). If satisfied<br />
with the result, the investigators can retrieve a PDF report from the system, as documentation of their<br />
work and as background for dissemination of the results (step 8 ).<br />
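The scenario's steps 1 and 3 to 7, reduced to a runnable sketch (an added example, not CrimeFighter Investigator code). The seven-node network, its two attributes, the threshold of 1.5, and the Laplace-smoothed likelihood-ratio product standing in for the missing-links algorithm [183] are all assumptions made for illustration; the degree centrality attribute is left out.

```python
from collections import deque
from itertools import combinations
from math import prod

# Constructed toy data (NOT the N17 dataset): node -> attribute values.
ATTRS = {
    "H": {"role": "leader", "faction": "alpha"},
    "A": {"role": "leader", "faction": "alpha"},
    "B": {"role": "leader", "faction": "alpha"},
    "C": {"role": "leader", "faction": "alpha"},
    "D": {"role": "operational", "faction": "alpha"},
    "E": {"role": "operational", "faction": "beta"},
    "F": {"role": "operational", "faction": "beta"},
}

def link(u, v):
    return frozenset((u, v))

# Partially observed network, and the (hypothetical) full network used only for testing.
SAMPLED = {link(*e) for e in ["HA", "HB", "HC", "HD", "AB", "DE", "EF"]}
FULL = SAMPLED | {link("A", "C"), link("D", "F")}

def degree(links, nodes):
    """Raw degree centrality: number of links per node."""
    return {n: sum(n in l for l in links) for n in sorted(nodes)}

def distance(links, src, dst):
    """Path distance in hops (breadth-first search); None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for l in links:
            if node in l:
                (other,) = l - {node}
                if other not in seen:
                    seen.add(other)
                    queue.append((other, hops + 1))
    return None

def likelihood_ratios(links, nodes):
    """Per attribute: P(values match? | link) / P(values match? | no link),
    estimated from the known positive and negative links, Laplace-smoothed."""
    pairs = [link(u, v) for u, v in combinations(sorted(nodes), 2)]
    pos = [p for p in pairs if p in links]
    neg = [p for p in pairs if p not in links]
    ratios = {}
    for attr in ("role", "faction"):
        def same(pair):
            u, v = sorted(pair)
            return ATTRS[u][attr] == ATTRS[v][attr]
        ratios[attr] = {}
        for flag in (True, False):
            p_pos = (sum(same(p) == flag for p in pos) + 1) / (len(pos) + 2)
            p_neg = (sum(same(p) == flag for p in neg) + 1) / (len(neg) + 2)
            ratios[attr][flag] = p_pos / p_neg
    return ratios

def predict_links(links, nodes, threshold):
    """Step 5: score every unlinked pair by the product of attribute likelihoods."""
    ratios = likelihood_ratios(links, nodes)
    scores = {}
    for u, v in combinations(sorted(nodes), 2):
        if link(u, v) not in links:
            score = prod(ratios[a][ATTRS[u][a] == ATTRS[v][a]] for a in ratios)
            if score > threshold:
                scores[link(u, v)] = score
    return scores

def node_removal(sampled, full, threshold=1.5):
    nodes = set(ATTRS)
    before = degree(sampled, nodes)
    removed = max(before, key=before.get)                      # step 3: highest degree
    remaining = nodes - {removed}
    pruned = {l for l in sampled if removed not in l}          # step 4: drop node and links
    scores = predict_links(pruned, remaining, threshold)       # step 5
    # Step 1 constraint: distance > 1 before removal, exactly 1 after prediction -> red.
    red = set()
    for l in scores:
        u, v = sorted(l)
        d = distance(sampled, u, v)
        if d is not None and d > 1:
            red.add(l)
    # Second question: true positives (in full, not in sampled network) -> green.
    green = {l for l in full - sampled if removed not in l}
    return {
        "removed": removed,
        "scores": scores,
        "red": red,
        "green": green,
        "degree_before": before,
        "degree_after_removal": degree(pruned, remaining),      # step 6
        "degree_after_append": degree(pruned | red, remaining), # step 7: append links
    }

if __name__ == "__main__":
    result = node_removal(SAMPLED, FULL)
    for key in ("removed", "degree_before", "degree_after_removal", "degree_after_append"):
        print(key, result[key])
    print("red:", sorted("-".join(sorted(l)) for l in result["red"]))
    print("red and green:", sorted("-".join(sorted(l)) for l in result["red"] & result["green"]))
```

On this toy data the link B-C is predicted but absent from `FULL`, a false positive the investigator would have to weigh when evaluating the result in step 6.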
The Greek terrorist group November 17<br />
To demonstrate the implementation of the developed algorithm, we use a criminal network of the<br />
(believed defunct) Greek terrorist group November 17 (N17) that was derived from open source<br />
reporting [112]. The N17 group was a small close-knit organization of 22 individuals with 63<br />
links out of a potential 231 links. There were three main factions within the organization: the 1st<br />
Generation Founders faction, the Sardanopoulos faction, and the Koufontinas faction. The links<br />
of the dataset indicate that open source reporting has demonstrated some connection between the<br />
two individuals at some point in the past, but no specific weightings of the links are indicated.<br />
We use a sampled version of the N17 network in which 50 percent of the links are removed (Figure<br />
14.9). Relevant hindsight about N17 is that Nikitas, Alexandros Giotopoulos, and Anna were<br />
leaders and key individuals within the 1st Generation Founders faction. We want to test if individuals<br />
connected to key individuals through one or more go-betweens will be directly connected<br />
after removal of the go-between node(s). Figure 14.9 shows three individuals indirectly connected<br />
with the three key leaders.<br />
The attribute data for each individual is presented in [184]; the missing links algorithm [183] has<br />
been extended by the addition of a degree centrality attribute. This additional attribute is a<br />
measure of how many links each individual node in the network has. Individuals are classified<br />
according to their level of degree centrality (high, medium, or low).<br />
Results<br />
The removal of Pavlos Serifis from the partially observed N17 network resulted in the criminal<br />
network shown in Figure 14.8. Red lines indicate predicted links that previously were indirect<br />
(length 2), with Pavlos Serifis as the go-between. In this case only two of them are present in<br />
the complete N17 network (see [184]) and could indicate a change in the network structure where<br />
Anna plays a more important role: Anna is now directly connected with five additional individuals<br />
(L = leader, O = operational): Nikitas (L), Dimitris Koufontinas (L), Christodoulos Xiros (L),<br />
Figure 14.8: Secondary effects and new degree centralities caused by the removal of Pavlos Serifis<br />
from the N17 network.<br />
Figure 14.9: Annotated, partially observed N17 network [183].<br />
Constantinos Karatsolis (O) and Sardanopoulos (L). Constantinos Karatsolis is connected to three<br />
more individuals: Sardanopoulos (L), Patroclos Tselentis (O), and Anna (L). Green links are true<br />
positives according to the full N17 network and we therefore consider these links unrelated to the<br />
removal of Pavlos Serifis. However, the true positives have an impact on the degree centrality of<br />
the nodes they connect and they could be valuable as potential new leads.<br />
The degree centrality of each node is displayed in the algorithm view on the right in Figure 14.8 -<br />
initially to decide which node to remove and later to show the change in degree centrality of each<br />
node after node removal. The evolution of degree centrality for each node is shown in Table 14.4.<br />
The red square indicates the individual with the highest degree centrality at network changing<br />
steps of the node removal algorithm, including that of the full N17 network, from which the<br />
sampled version used in this paper was created.<br />
Table 14.4: Degree centrality of each node after network changing steps of the node removal<br />
algorithm.<br />
Creating hypotheses based on interpretation of results (secondary effects)<br />
Generating hypotheses and possibly competing hypotheses is a core task of criminal network investigation<br />
that involves making claims and finding supporting and opposing evidence [174]. In<br />
the presented scenario, we were interested in individuals who utilized one go-between to connect to<br />
leadership individuals, but after removal of the go-between node they would be directly connected.<br />
Without considering the hindsight information about the leadership individuals, we create a hypothesis<br />
based on our interpretation of the centralities presented in Table 14.4 and the probable<br />
new links in Figure 14.8.<br />
Constantinos Karatsolis achieves the third highest centrality and inherits three of Pavlos Serifis’<br />
previous links, significantly increasing his importance within the network; he could potentially<br />
be upgraded from an operational member of N17 (his original role) to a leadership member (maybe<br />
inherited after Pavlos Serifis). Anna’s degree centrality changes from the second lowest (2) to the<br />
second highest (7), and she apparently inherits four of Pavlos Serifis’ previous leadership links<br />
as well as one inferred link to an operational individual. We conclude that Anna is part of the<br />
highest ranking leadership individuals as compared to the partially observed N17 network where<br />
she might be considered a simple operational person, if no other information than the criminal<br />
network is available.<br />
To summarize, Anna and Constantinos Karatsolis are two individuals we would subject to further<br />
surveillance after removing Pavlos Serifis. As mentioned earlier, a decision with the severity<br />
and impact of removing an individual would not be made based on, for example, a single centrality<br />
measure. However, the purpose of this work was to demonstrate CrimeFighter Investigator support<br />
of investigators asking ‘what if’ questions about node removal in criminal networks.<br />
Discussion<br />
A number of problems related to the current approach need to be discussed. First of all, the<br />
N17 criminal network data is more or less complete (only three attribute values are missing).<br />
Feedback from intelligence analysts working with ongoing investigations informs us that attribute<br />
information is typically much sparser (see end user interviews in Section 15.2) and the overall<br />
number of attributes is lower than for the N17 criminal network. We are making a prediction<br />
that we currently cannot test or validate against any (open source) ground truth data. Currently,<br />
we have no assessment of the performance of the custom node removal algorithm 84 . Whilst the<br />
results are plausible, and the prediction part of the algorithm has produced good results in other<br />
contexts [183,184], a direct measure of the veracity of the node removal predictions is lacking. The<br />
issue of scalability is particularly relevant for the open source intelligence community where larger<br />
networks are often the consequence of web harvested data sets. Larger networks present different<br />
challenges. The number of individuals, links between them and attributes are much larger. The<br />
prediction algorithm is scalable, but there will be additional difficulties arising from visualizing<br />
the results of computations on larger networks than the example in this work flow.<br />
This work on node removal is based on bits and pieces of other work and it would be fair to ask<br />
the following question: “What are the benefits of a node removal algorithm versus predicting new<br />
links when analyzing criminal networks?” The main difference is the specification and management<br />
of criminal network investigation work flows using the question editor. The custom made node<br />
removal algorithm represents a more specialized work flow compared to the prediction algorithms.<br />
The option to select the specific nodes that the investigator wants to include in the analysis of<br />
secondary effects is an example of this. Furthermore, we consider the work with node removal<br />
the first steps toward combining existing algorithms into new custom made algorithms, which is<br />
an important criminal network investigation task assisting criminal network investigators to build<br />
support for more specialized work flows themselves.<br />
14.2.1 Conclusions and future work<br />
We have presented a knowledge management and hypertext based approach to visualization of<br />
probable secondary effects after node removal by providing investigators with an option to ask<br />
‘what if’ questions about criminal networks. We consider this work a first step toward support<br />
of custom made algorithms for criminal network analysis. A node removal algorithm has been<br />
proposed together with partial support of the algorithm based on the following building blocks:<br />
A ‘what if’ question editor lets investigators manage the constraints (e.g., specific changes in<br />
path distance), visual symbols (e.g., color and link thickness) and other question settings. The<br />
automation of criminal network synthesis tasks, facilitating intuitive and fast removal of a node<br />
and associated links, and two perspectives: inference-based prediction to detect new probable links<br />
between nodes and social network centrality measures to observe changes in node importance.<br />
Currently the node removal algorithm steps 1, 3, 4, and 7 are fully supported. Furthermore, we<br />
provide 2 perspectives supporting the exchangeable part of the algorithm (step 5 and 6). Selection<br />
of the nodes of interest (step 2) and dissemination of results (step 8) are not supported. In our<br />
future work, we will address the following functional requirements to achieve full support of the<br />
proposed node removal algorithm:<br />
Link weights. All links are not equally important and with weights investigators could<br />
discuss “broader theories as to the impact of culture on social relationships, and narrow<br />
theories concerning the definitions of specific relationship indicators, like what should be<br />
weighted more; relations based on common economy between two actors or common blood”,<br />
as one reviewer of our node removal support noted.<br />
Missing key players. An algorithm, to predict the presence of missing key players has<br />
been proposed by Rhodes (2011) [182]. It is planned to include this in a future version of<br />
CrimeFighter Investigator.<br />
Removing multiple nodes. Supporting the removal of node groups would be an interesting<br />
and relevant feature. In larger networks it may be desirable to focus attention on a<br />
larger number of specified individuals in sub-networks or communities.<br />
Report generation. Generation of a report with all node removal results and calculations<br />
is required to support step 8 of the proposed node removal algorithm (dissemination of<br />
results).<br />
Furthermore, requirements for evaluation of the node removal algorithm will also be addressed in<br />
future:<br />
Scalability. In order to evaluate the relevance of this work for the open source intelligence<br />
community, we have to test scalability of the proposed method. With its 22 nodes, the N17<br />
network is far from the sizes that are to be expected.<br />
Datasets. We will test node removal on more realistic versions of the N17 dataset as well as<br />
other open-source datasets with varying attributes, size (in terms of nodes and links), and<br />
other complexity (such as aliases, etc.).<br />
Human-computer interface. CrimeFighter toolbox philosophy [14] and our research focus<br />
requirements dictate that humans (investigators) must control the tools. Adhering to this<br />
philosophy, we will improve the interface of the ‘what if’ question editor by adopting the<br />
spatial drag-and-drop approach normally utilized by CrimeFighter Investigator.<br />
14.3 Combining prediction and social network analysis for<br />
investigation of linkage between DNRI and AQAM<br />
The purpose of this work flow scenario, besides testing our main hypothesis, is to demonstrate how<br />
the calculations are not the hard part of criminal network analysis; the challenge is to find a good<br />
way to use the data and understand it. The scenario is inspired by previous criminal network sense-making<br />
work (e.g., see [169]) and describes a proactive investigation into potential linkage between<br />
aspiring extremists in a fabricated Danish network of radical Islamists (DNRI) and al-Qaeda and<br />
affiliated movements (AQAM). The scenario is centered around AQAM’s role in plots in Europe<br />
[65–67,92,111,154,188,189,219,235,236], and various aspects of violent Islamist radicalization such<br />
as radicalization phases, root causes, and violent online radicalization [29,48,49,203,234,236,241].<br />
The DNRI network is based on open sources about violent radical Islamists in Denmark and<br />
especially the younger individuals aspiring to join their cause, who in some cases were very close<br />
to doing so [208]. Another source of information was newspaper articles about the recently thwarted<br />
terrorism plots in London [126, 231] (September 2010), Norway [12, 135] (December 2010), and<br />
Denmark [196] (December 2010). The DNRI network is based on the assumption that the Danish<br />
intelligence services (both foreign and domestic) are monitoring individuals inside Denmark who fit<br />
this description, or Danish citizens traveling to other parts of the world participating in activities<br />
that could lead to further radicalization. A total of 52 individuals and 170 relations have been<br />
fabricated. The fabricated part of the DNRI network is divided into three bridges, while a fourth<br />
bridge with the personal relations of violent radical Islamists (family, friends, colleagues, etc.) is<br />
left empty.<br />
The AQAM data set contains elaborate metadata information on 366 individuals. It is a 2003<br />
snapshot of AQAM and is not updated according to the time of the scenario (January 2011). The<br />
network information was gathered from public domain sources: “documents and transcripts of legal<br />
proceedings involving global Salafi mujahedin and their organizations, government documents,<br />
press and scholarly articles, and Internet articles” [188]. We have included acquaintance, friend,<br />
and post joining jihad relations, all with the same weight. In total, the AQAM network used has<br />
999 links.<br />
It is important to note that the vast majority of EU-wide terrorist attacks in 2010 were carried<br />
out by traditional separatist terrorists and not violent radical Islamists [49]. More precisely, three<br />
Islamist terrorist attacks were carried out within the European Union. However, 249 terrorist<br />
attacks in total were reported, and of 611 arrests for terrorism-related offenses, 89 individuals<br />
were arrested for the preparation of attacks. Islamist terrorists continue to undertake attack<br />
planning against member states, as Europol concludes in their EU Terrorism Situation and Trend<br />
Report 2011 [67].<br />
14.3.1 The work flow scenario<br />
It is January 2011, and Mark enters the office as usual. He has been working for the al-Qaeda<br />
section of the Danish counterterrorism unit (Danish CTU) 85 since late 2000. The section assesses<br />
daily the risk that al-Qaeda associated or affiliated movements (AQAM) will strike the Danish<br />
homeland and they use CrimeFighter Investigator for different work tasks.<br />
Mark and his fellow investigators have been synthesizing a chronology of AQAM related terrorism<br />
plots in selected European countries. The time line provides them with an interactive overview of<br />
all the plots (entities). Clicking one entity will open the corresponding CrimeFighter Investigator<br />
information space, showing the networked information related to the case. They can organize<br />
the entities spatially, and filtering is applied to only show the desired information (date, name,<br />
country, and type) and highlight Danish plots with a red color. The time line is shown in Figure<br />
14.10.<br />
Mark’s area of expertise is terrorism information structures and how they evolve over time. He<br />
has studied existing literature on AQAM structure and organization primarily in Europe, from<br />
Sageman (2004) describing the global violent radical Islamism (phase 1-2) [188] and how European<br />
terrorist networks are radicalized and associated with AQAM, over Nesser’s profile of AQAM<br />
terrorist networks in Europe [154] to the most recent fourth phase of plots and attacks [236].<br />
The fourth phase of terrorism plots in Europe (from about 2006 to present) is characterized by a<br />
bottom-up approach defined as linkage, in which terrorist networks get associated with AQAM in<br />
different ways. They are not recruited by AQAM or other transnational networks. However, in<br />
the majority of plots (about 75%) the plotters worked independently (and amateurishly), while<br />
about one third were hybrid plots connecting to AQAM. But the hybrid plots pose a higher<br />
security risk and they represent about 50% of the most lethal plots. Other characteristics of<br />
the homegrown fourth phase jihadist networks and individuals include: a much higher degree of<br />
violent online radicalization (e.g., YouTube, Facebook, and Twitter, forums, and blogs) or printed<br />
media (e.g., Inspire magazine published by al-Qaeda), and lack of uniformity in the attributes of<br />
the networks operating on the ground. The novelty of the fourth phase is the increased linkage<br />
from European terrorist networks to AQAM. Finally, these characteristics of terrorist networks<br />
also differ significantly from country to country and, in many cases, within each country from<br />
region to region and from city to city. Mark’s analysis of the evolution of terrorist network cells in<br />
Europe is outlined in Figure 14.11.<br />
The recent arrests in September and December 2010 just confirmed Mark’s analysis of 4th phase<br />
plots: the London Stock Exchange plot, the Oslo plot, and the Denmark/Sweden Jyllands-Posten<br />
plot. Mark believes strongly in the bridging concept (connecting two network clusters) and the<br />
novel observation of bottom-up linkage in European terrorist networks as opposed to top-down<br />
recruitment. Mark is certain that if a radicalized individual has a large network of close and<br />
Figure 14.10: (mock-up) CrimeFighter Investigator timeline view with all plots against targets<br />
inside Denmark, Sweden, Norway, United Kingdom, and Germany from January 1, 2006, to<br />
December 31, 2010 [236].<br />
Figure 14.11: Evolution of terrorist networks in Europe from 1990 to 2011.<br />
like-minded friends and relatives, other members for a future network cell could come from that<br />
group of people. Mark decides to use a measure of betweenness centrality as an extra condition<br />
for predicting links between two individuals in adjacent bridges. He thinks that if an individual<br />
is peripheral to a network in terms of betweenness centrality, the probability of linkage from this<br />
individual to an individual in the bridge above is low.<br />
Mark starts creating his prediction model by first dividing the violent radical part of the DNRI<br />
network under surveillance into three bridges. He places the relations (who are not known to be<br />
violent radicals) of these individuals in a fourth bridge. Mark thinks there is a potential for top-down<br />
recruitment, where violent radical Islamists could radicalize family, friends, or colleagues in<br />
Bridge 4 because of their close ties. Mark’s classification of individuals in Bridge 1 to 3 is shown<br />
below.<br />
Bridge 1 contains individuals that can provide ideological approval of violent radical Islamism<br />
and linkage to AQAM. Mark places known radical Islamic scholars in this bridge.<br />
Retired violent radicals and other individuals who received operational training could provide<br />
linkage to AQAM because of their skills or knowledge about previous operations. Established<br />
al-Qaeda media individuals are also placed in Bridge 1.<br />
Bridge 2 is the radical violent milieu in Denmark - self-proclaimed imams, online “celebrity<br />
shayks” who preach violent radical Islamism, and individuals who sell radical Islamist propaganda<br />
like books, magazines, CDs, and DVDs etc. Finally, self-established online recruiters<br />
are also made members of this bridge.<br />
Bridge 3 is by volume the largest. Individuals aspiring to become violent radical Islamists<br />
are placed here. This aspiration may have been externalized through online expression of<br />
desire to contribute violently. It could be individuals somehow alienated from society or<br />
otherwise non-integrated (e.g., a group of young individuals living together or meeting in<br />
an apartment). Bridge 3 individuals are often rather entrepreneurial in their approach.<br />
They might be consumers of violent radical online and printed propaganda, or they might<br />
be creating such propaganda themselves, pretending to be an established al-Qaeda media<br />
organization.<br />
AQAM and the four bridges in the DNRI network constitute four sub-networks each containing two<br />
bridges: the ‘Bridge 1 → AQAM’, ‘Bridge 2 → Bridge 1’, ‘Bridge 3 → Bridge 2’, and ‘Bridge 3 →<br />
Bridge 4’ networks. The four networks are encapsulated in collapsed composites. For each of these<br />
sub-networks Mark defines a set of attributes he believes could enable linkage from individuals in<br />
the lower bridge to individuals in the upper bridge:<br />
Bridge 1 → AQAM: Information about previous operations is a relevant linkage attribute<br />
for this bridge, since Bridge 1 individuals might have participated in the same militant<br />
operations in the past. Information about operational training may very well overlap with<br />
the previous operations, but also covers training camps and similar. A school attribute could<br />
indicate that the same madrassas, universities, or other schools have been attended at the<br />
same time. A weapons attribute would cover similar skills in use of weapons (guns, explosives,<br />
etc.). Andiwaal group: albeit an Afghan concept [137,166], it applies to many societies (tribal,<br />
Western, Asian, etc.) that if you were part of a group in your teens, you will have strong<br />
relations to those individuals for the rest of your life.<br />
Bridge 2 → Bridge 1: Mark decides that family, friend, and school information are linkage<br />
attributes from Bridge 2 to Bridge 1.<br />
Bridge 3 → Bridge 2: Key linkage attributes from Bridge 3 to Bridge 2 are: Local area<br />
in which random meetings could happen, online violent radical milieu meaning what forum,<br />
chat room or social network site the Bridge 3 individual reads and posts comments to, and<br />
who reads it from Bridge 2. Mosque and Sunday school could be other places for random<br />
meetings or radicalizing preachings.<br />
Figure 14.12: Mark’s prediction model: the DNRI bridges with linkage and recruitment attributes<br />
in between adjacent bridges.<br />
Bridge 3 → Bridge 4: Mark defines key recruitment attributes from Bridge 3 to Bridge<br />
4 to be: school, hobby, workplace, mosque, and current residence. Mark’s argument is that<br />
the aspiring violent radical Islamists might meet and influence individuals at these places.<br />
Mark decides to use the Oslo, London, and Denmark/Sweden networks, whose plots were thwarted<br />
in late 2010, as the gold standard for his predictions. After feeding these networks to his prediction<br />
model, he predicts missing links for each of the four sub networks, and asks CrimeFighter<br />
Investigator to merge individuals with the same names to see if there is probable linkage which<br />
forms networks spanning all bridges. A mock-up of predicted links between the four collapsed<br />
bridges is shown in Figure 14.13.<br />
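The prediction step described above can be sketched in Python as follows. This is an added example, not CrimeFighter Investigator code and not taken from the dissertation. It assumes a simple likelihood (the fraction of a sub-network's linkage attributes on which two individuals share a known value), a betweenness gate that drops peripheral individuals, and constructed sample individuals, ties, and thresholds.

```python
from collections import deque

# Constructed sample individuals (not from the dissertation): bridge number, known attributes.
PEOPLE = {
    "p1": (1, {"school": "S1", "family": "F1"}),
    "p2": (2, {"school": "S1", "family": "F1", "local_area": "north",
               "online_forum": "forum-x", "mosque": "M1"}),
    "p3": (2, {"school": "S1", "local_area": "south", "online_forum": "forum-y"}),
    "p8": (2, {}),  # nothing known yet: missing values never count as a match
    "p4": (3, {"local_area": "north", "online_forum": "forum-x", "mosque": "M1"}),
    "p5": (3, {"local_area": "north", "online_forum": "forum-x"}),
    "p6": (3, {"local_area": "south", "online_forum": "forum-y"}),
    "p7": (3, {"local_area": "south"}),
}
# Constructed ties already known to the investigator (all inside one bridge).
KNOWN_TIES = [("p8", "p2"), ("p2", "p3"), ("p5", "p4"), ("p4", "p6"), ("p6", "p7")]

# Linkage attributes per (lower bridge, upper bridge), as listed in the text;
# the snake_case key names are this example's own.
LINKAGE_ATTRS = {
    (2, 1): ("family", "friend", "school"),
    (3, 2): ("local_area", "online_forum", "mosque", "sunday_school"),
}

def build_adj(people, ties):
    adj = {p: set() for p in people}
    for a, b in ties:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def betweenness(adj):
    """Brandes' algorithm: unnormalized betweenness, unweighted undirected graph."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        stack, preds = [], {v: [] for v in adj}
        sigma = {v: 0 for v in adj}
        dist = {v: -1 for v in adj}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS counts shortest paths from s
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                      # accumulate dependencies back towards s
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}  # each pair was counted from both ends

def predict_links(people, ties, min_score=0.5, min_betweenness=0.0):
    """Return (lower, upper, likelihood) for adjacent bridges, skipping peripheral individuals."""
    adj = build_adj(people, ties)
    bc = betweenness(adj)
    predicted = []
    for (lower, upper), attrs in LINKAGE_ATTRS.items():
        for a, (bridge_a, attrs_a) in people.items():
            if bridge_a != lower or bc[a] <= min_betweenness:
                continue  # assumed gate: peripheral individuals are not linked upwards
            for b, (bridge_b, attrs_b) in people.items():
                if bridge_b != upper or b in adj[a]:
                    continue  # wrong bridge, or the tie is already known
                shared = sum(1 for k in attrs
                             if attrs_a.get(k) is not None and attrs_a.get(k) == attrs_b.get(k))
                score = shared / len(attrs)
                if score >= min_score:
                    predicted.append((a, b, round(score, 2)))
    return sorted(predicted)

def spanning_chains(predicted, people, bottom=3, top=1):
    """Join predicted links that share an individual into chains from `bottom` up to `top`."""
    up = {}
    for a, b, _ in predicted:
        up.setdefault(a, []).append(b)
    chains = []
    def walk(path):
        if people[path[-1]][0] == top:
            chains.append(path)
            return
        for nxt in up.get(path[-1], []):
            walk(path + [nxt])
    for start in sorted(up):
        if people[start][0] == bottom:
            walk([start])
    return chains

if __name__ == "__main__":
    links = predict_links(PEOPLE, KNOWN_TIES)
    print("predicted links:", links)
    print("chains spanning all bridges:", spanning_chains(links, PEOPLE))
```

With the gate disabled (`min_betweenness=-1`), the peripheral individual `p5` also receives a predicted link to `p2`, which shows how much the centrality condition prunes the candidate set.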
Mark’s prediction model computes four cells (the second cell is shown in Figure 14.14) to have<br />
linkage potential with AQAM. Before retrieving a pdf report with the information he has requested,<br />
he marks the second cell as being of particular interest, since the predicted links here have the<br />
highest likelihoods of linkage. Plus, the individuals in the network seem to have skills necessary to<br />
carry out a small scale attack. Mark summarizes his findings in an email to his decision-making<br />
superiors and attaches the computed pdf report.<br />
14.3.2 Summary<br />
Mark used his knowledge about terrorist networks in Europe to design a prediction model that<br />
could solve the specific problem at hand. Later, he tailored existing CrimeFighter Investigator<br />
functionality to actually apply his sense-making approach to a network of established and aspiring<br />
violent radical Islamists living in Denmark from which future (terrorist) networks could form and<br />
pose a threat to Danish society.<br />
Mark’s first step towards applying his understanding of these networks was to use CrimeFighter<br />
Investigator synthesis functionality to divide the DNRI network and related individuals into four<br />
bridges, that he believed were actually functioning as linkage bridges. The CrimeFighter Investigator<br />
tool helped Mark apply prediction to two bridges at a time, and then compare a centrality<br />
measure of betweenness for each individual in the (possibly) transformed network and in the<br />
original DNRI network.<br />
To disseminate his findings according to his prediction model, Mark used the CrimeFighter Investigator<br />
report generation feature to create documentation of relevant parts of the sense-making<br />
process and the computed information.<br />
Figure 14.13: (semi mock-up) CrimeFighter Investigator showing the AQAM and DNRI bridges<br />
and predicted links between them.<br />
Figure 14.14: (mock-up) One of the predicted network structures as shown in the report generated<br />
based on the prediction model.<br />
14.3.3 Conclusions and future work<br />
Based on the presented work flow scenario and our previous work on criminal network synthesis<br />
and sense-making ([168, 169, 174–176]), we found that:<br />
1. The sense-making algorithms supported by CrimeFighter Investigator are applicable to criminal<br />
networks that are synthesized using multiple structure domains. In other words, our<br />
developed computational model, that separates structural models from mathematical models<br />
and is based on a conceptual model of first class entities, works.<br />
2. CrimeFighter Investigator supports both transformative and measuring sense-making algorithms.<br />
To achieve this, a structural parser was implemented to provide an interface to these<br />
algorithms.<br />
The novelty of the CrimeFighter Investigator approach to criminal network analysis (synthesis<br />
and sense-making) is the underlying tailorable computational model. Tailorability was (partially)<br />
achieved with a structural parser that provides the user with an interface to customize and combine<br />
sense-making algorithms. The approach introduces transparency of the sense-making process<br />
and ownership of the computed information. In our comparison of state-of-the-art commercial<br />
tools and research prototypes and the models they support in Section 15.3, we find that CrimeFighter<br />
Investigator has better support of first class entities (conceptual model), structure domains<br />
(structural models), and transformative and measuring algorithms (mathematical models).<br />
14.4 Summary of deployments<br />
To test our main hypothesis, we presented three different criminal network investigation work<br />
flows involving multiple acquisition, synthesis, sense-making, and cooperation tasks. We found<br />
that CrimeFighter Investigator, and the concepts, models, and components on which the tool is<br />
based, provide support for such work flows, and hence support for the premise of our hypothesis.<br />
Part IV<br />
Evaluation and conclusion<br />
CHAPTER 15<br />
Evaluation and discussion<br />
Dr. John McKittrick: “I think we ought to take the men out of loop.”<br />
General Beringer: “Mr. McKittrick, you are out of line Sir!”<br />
WarGames (1983)<br />
Look after the customer and the business will take care of itself.<br />
Ray Kroc, founder of McDonald’s.<br />
We have used three methods for our evaluation: the first method is capability comparisons of criminal<br />
network investigation task support and support of conceptual, structural, and mathematical models.<br />
The second method is interviews with potential end users providing feedback on relevance of<br />
tasks (usability for their particular work), and the third method is measures of performance for<br />
our developed techniques.<br />
To understand how we have evaluated our developed processes, tools, and techniques for criminal<br />
network investigation, it is necessary to first understand the relations between criminal network investigation<br />
challenges, our main hypothesis, the research focus requirements, the criminal network<br />
investigation tasks, and the evaluation methods. The relation between challenges, hypothesis, and<br />
requirements is straightforward: we chose three criminal network investigation challenges, based<br />
on which we framed our hypothesis. For each of the three challenges we defined a set of requirements<br />
to guide our research - if those requirements are met, the problems associated with each<br />
individual challenge would be met, and ultimately the impact of the related challenge on criminal<br />
network investigation would be reduced. Now, some of our evaluation methods evaluate support<br />
of criminal network investigation tasks and others evaluate support of research focus requirements<br />
(explained below). We therefore need a mapping between the tasks and the requirements, since we<br />
would like to summarize all three evaluation methods according to their support of the research<br />
focus requirements. Our task to requirement mapping is presented in Figure 15.1, where a line<br />
between a task and a requirement indicates that support of the task is equal to support of the<br />
requirement. It should be noted that support from more than one task is typically required to<br />
achieve the desired support of the research focus requirement.<br />
As mentioned, the evaluation methods evaluate either criminal network investigation tasks or<br />
research focus requirements. One capability comparison focuses on support of criminal network<br />
investigation tasks (see Section 15.3.1), and we interpret support across tasks as support of the<br />
hypothesis (which we tested in Chapter 14). A second capability comparison evaluates support<br />
of conceptual, structural, and mathematical models (see Section 15.3.2). The mapping between<br />
Figure 15.1: Mapping research focus requirements to criminal network investigation tasks: a line between a task and a requirement indicates that<br />
support of the task is support of the requirement.<br />
Figure 15.2: Mapping research focus requirements to conceptual, structural, and mathematical<br />
models: a line indicates that support of the model is support of the requirement.<br />
each model and our research focus requirements is shown in Figure 15.2, where a line indicates<br />
that support of the model is equal to support of the requirement.<br />
End user interviews provided us with an initial qualitative evaluation of criminal network investigation<br />
tasks (see Section 15.2). Measures of performance for our extension of centrality algorithms<br />
and the transformative predict missing links algorithm evaluate research focus requirements, and<br />
the mapping between requirements and measures of performance can be seen in Figure 15.3, where<br />
a line indicates that if a measure of performance is good, then it is supporting the requirement.<br />
Our research has focused on developing new concepts for criminal network investigation, and<br />
our methods for evaluation have been designed to evaluate those concepts. Consequently, our<br />
software development approach has been based on “proof-of-concept” prototyping, and involved<br />
the integration of criminal network investigation processes (primarily synthesis and sense-making)<br />
by applying a variety of technologies, such as software systems engineering, hypertext and various<br />
mathematical models for computational support. Because of this integration of processes, we<br />
apply the three mentioned evaluation methods (end-user interviews, capability comparisons, and<br />
measures of performance). But we also review the importance of post-crime data sets because they<br />
have been our main source of evaluation data (both for synthesis and sense-making evaluation)<br />
and we therefore found it necessary to describe their relevance as opposed to pre-crime or real-time<br />
crime criminal networks (see Section 15.1). We present usability feedback gathered from semi-structured<br />
interviews with a number of end-users from various criminal network investigation fields<br />
(see Section 15.2). We have compared the capabilities of CrimeFighter Investigator with other<br />
leading commercial tools and research prototypes for criminal network investigation (see Section<br />
15.3). Finally, we have evaluated the sense-making algorithms using measures of performance<br />
found relevant for the intended use of CrimeFighter Investigator (see Section 15.4).<br />
Figure 15.3: Mapping research focus requirements to measures of performance. A line indicates,<br />
that if a measure of performance is good, then it is supporting the requirement at the other end<br />
of the line.<br />
15.1 Post-crime data and information about criminal network<br />
investigations<br />
Obtaining data for testing criminal network investigation tools is an obstacle for much security<br />
informatics research, especially when focusing on synthesis, sense-making and dissemination 86 .<br />
One option would be to have access to first-hand evidence, but “it is very difficult to get firsthand<br />
evidence of crimes while they are being perpetrated - an observer would most likely be<br />
legally required to try to prevent the crime rather than letting it take place” [30]. It is however<br />
often preferred to take proactive measures, (e.g., be able to act before a bomb explodes), and we<br />
would benefit more from a first-hand witness account of all the steps leading up to a crime being<br />
perpetrated, but it is often not possible for researchers to follow such investigations (according to<br />
our experience).<br />
A secondary option would be to gain access to classified information (secret intelligence such<br />
as human intelligence and technical intelligence, see Section 5.8) directly from the intelligence<br />
agencies - some of which might be real-time and other from for example human sources, who<br />
might have infiltrated criminal groups to follow their planning of crimes. But as we will discuss in<br />
Section 15.6.2, such cooperation between the Danish intelligence services and academia does not<br />
exist to our knowledge.<br />
That leaves researchers in the field of criminal network investigation with the option typically<br />
resorted to: building their own data sets based on publicly available sources of information (open<br />
source intelligence) 87 or using already existing data sets of past crimes and attacks. And open<br />
source intelligence has actually been quoted to provide 80% of the relevant information in all-source<br />
analysis [214] (with secret intelligence providing the gold nuggets connecting that relevant<br />
information). Collecting and processing open source intelligence can however be a very time<br />
consuming task, which is why researchers are developing tools that can automatically harvest<br />
and pre-process information to assist criminal network investigators in their work. But automatic<br />
harvesting and processing cannot be applied to all open information sources, and investigators are<br />
almost always required as part of the process.<br />
But why do criminal network investigation researchers want synthesized criminal networks in<br />
Figure 15.4: How post crime data and information can be used for two very different types of<br />
evaluation, either directly for computational evaluation, or indirectly for usability testing through<br />
the synthesis of the post crime data and information as the data and information emerged and<br />
evolved in the criminal network investigation.<br />
the first place? Because we use post-crime data, often referred to as data sets, for evaluation of<br />
acquisition and algorithm based sense-making investigation tasks. These data sets are, to a certain<br />
extent, synthesized, complete data sets. We use post-crime information about how information<br />
structures emerged and evolved throughout the criminal network investigation for testing the<br />
synthesis functionality of our tool. Finally, we use post-crime information about investigations for<br />
requirement generation (i.e., criminal network investigation tasks) as well as validation (evaluation)<br />
of requirements.<br />
To be able to say that a tool can be used for usability testing through the synthesis of the post<br />
crime data and information as the data and information emerged and evolved in the criminal<br />
network investigation, we would first have to establish that synthesis is equivalent to a certain<br />
degree to the actual real-time synthesis of criminal networks (illustrated in Figure 15.4). We<br />
describe our first steps toward establishing this below, in Section 15.1.1.<br />
15.1.1 Comparing post-crime data set creation and real-time investigation<br />
Synthesizing criminal networks post crime based on multiple sources resembles, to a certain degree,<br />
the process of initially synthesizing the actual criminal network during real-time investigation. You<br />
gradually learn more and more about the criminal network under investigation - structures emerge<br />
and evolve. It would therefore be relevant to task someone with synthesizing a post crime network,<br />
e.g., the Daniel Pearl network (see Section 3.5.1), based on open sources. The hypothesis for this<br />
work would be to test whether or not a tool for real-time criminal network investigation is also<br />
suitable for synthesizing networks after the investigation is concluded, since it is essentially the<br />
same task only with different types of input and output. We would expect to learn two things from<br />
researching such a hypothesis: First, we would know if CrimeFighter Investigator is suitable for<br />
criminal network synthesis of the information in the post crime data, and if the result of this would<br />
be suitable for sense-making and visualization. Secondly, if our first research focus would fail, we<br />
would know what kind of support was missing from CrimeFighter Investigator. Two specific tasks<br />
have been formulated for the synthesis of the Daniel Pearl network:<br />
1. Outline the chronology of events as they were revealed to the investigation team (for each<br />
source independently).<br />
2. Synthesize the networks as presented by each source, together with a network based on all<br />
three sources.<br />
Secret Public Both<br />
Investigative journalists 0 1 1<br />
Intelligence analysts 1 5 6<br />
Police officers 3 0 3<br />
Research community 0 7 7<br />
TOTAL 4 14 24<br />
Table 15.1: An overview of end users that have been interviewed.<br />
We have done much of this work ourselves using CrimeFighter Investigator, but doing it in a<br />
more structured way would allow us to draw conclusions about synthesis of post crime criminal<br />
networks and tool support for it.<br />
15.2 End-user interviews<br />
We have received usability feedback from a number of people investigating criminal networks from<br />
various fields such as investigative journalism, counterterrorism, and policing (see Table 15.1). For<br />
each of the unstructured usability feedback interviews (individuals or groups) we followed three<br />
steps (not always in the listed order): first, we gave a general introduction to and demonstration<br />
of CrimeFighter Investigator. Second, the criminal network investigators were asked to describe<br />
their background and ongoing network investigations. Third, we discussed which CrimeFighter<br />
Investigator features would be useful for the criminal network investigators in their work.<br />
15.2.1 Alex Strick van Linschoten (Trafalgar Square, London)<br />
To exemplify our interview approach we provide extracts of an interview held with historian and<br />
investigative journalist Alex Strick van Linschoten (author of [134]). The example demonstrates<br />
the value of CrimeFighter Investigator usability feedback for both development of future features<br />
and evaluation of existing features. Alex is investigating the alleged links between al-Qaeda and<br />
the Afghan Taliban and he has observed several network characteristics.<br />
Alex’s data set on the Afghan Taliban spans the time-period 1970-2011. As of 2011 the data<br />
set has 500-600 individuals, a network he claims to have memorized. The data set is based<br />
on interviews with Taliban members who were asked who they fought with in the ’80s, their<br />
andiwaal groups (friend groups formed by Afghans when teenagers) and other relations. Reports<br />
on Afghanistan by the International Security Assistance Force (ISAF) are also contributing to<br />
the data set. 70 percent of the relations in the network are based on rumors, which is indicated<br />
using relation weights. When Alex interviews Taliban members he notes down attributes such<br />
as ‘name’, ‘date of birth’, ‘place of birth’, ‘tribe’, ‘ethnicity’ and ‘andiwaal group’. Alex uses<br />
Tinderbox [24], a spatial hypertext tool, to record and structure his collected and processed<br />
network information. A snap shot from a Tinderbox investigation is shown in Figure 15.5, showing<br />
“Taliban fronts, commanders and fighters in Panjwayi/Zheray during the 1980s” [134].<br />
Alex works with the network information in a number of different ways and has in general many<br />
ideas for how it could be used. Alex studies the evolution of the network from one time period to<br />
the other (a historical evolution perspective). He believes that knowledge about an individual’s<br />
andiwaal group could be used to predict who that person might be fighting side by side with<br />
in future operations. Alex is searching for different tendencies in the data set like for example<br />
changes in age or gender.<br />
Alex has encountered a number of problems for which he requires specialized tool support, for<br />
instance a social network analysis tool that also supports an actual time line (Tinderbox only<br />
supports snapshots of the network). At the time of interview he is analyzing the network data<br />
Figure 15.5: A snapshot of Linschoten’s investigation in Tinderbox [24]: “Taliban fronts, commanders<br />
and fighters in Panjwayi/Zheray during the 1980s” [134].<br />
to see if there are any important observations that he has missed. Alex mentions that different<br />
layout functionality would be useful for this, e.g., laying out nodes according to betweenness<br />
centrality. Finally, if Alex exports information from Tinderbox [24] to import it into Analyst’s<br />
Notebook [2] to create a special visualization, it is not possible to get that visualization back into<br />
Tinderbox. The interchange of information is not facilitated both ways.<br />
15.2.2 British Home Office<br />
During a stay as a visiting researcher at Imperial College in London, we presented CrimeFighter<br />
Investigator at the British Home Office [167], followed by a discussion of particular tool features<br />
and current and previously undertaken intelligence analysis work by the British Home Office. Six<br />
intelligence analysts participated in the meeting and to protect their identities we refer to them<br />
as IA1, IA2, etc.<br />
During the demonstration of CrimeFighter Investigator I walked the meeting participants through<br />
a couple of sense-making work flows, applying predict missing links and predict covert network<br />
structure algorithms to the November 17 network. Based on the responses, we found that a higher<br />
degree of work flow transparency would be required for the participants to ask questions about<br />
particular steps in the work flows and to understand what is going on. The questions and<br />
statements from the meeting participants were of a much more general nature, and some of them<br />
referred to tasks not within my focus areas such as web harvesting (see below). The questions and<br />
statements included:<br />
IA1: “We typically have much less data, or not so many attributes, as it was the case in<br />
the November 17 network you presented”.<br />
IA2: “Would it be possible to do predictions on hierarchical links (i.e., links from a space<br />
to a sub space)? And would it be possible to represent such structures in CrimeFighter<br />
Investigator?”.<br />
IA3: “We would really like to be able to process large amounts of data and generate networks<br />
based on that.”<br />
IA3: “What I have seen the last five to six months, was a tool where you could link a person<br />
to a location and say, okay this person participated in a meeting here, and this other person<br />
was on the location in this and that time span; what is the chance that they have spoken?”<br />
IA3: “It is a bit mischievous, but it could be interesting to import the information about 7/7<br />
which we had back then about individuals in the milieu to see if the algorithms could predict<br />
what would happen, that is, what individuals were involved in the planning”.<br />
IA4: “Is it possible to collect network information from YouTube and other accounts?”.<br />
Based on this, we found it interesting that, given the current focus areas of the British Home<br />
Office, they seemed very interested in the adaptive modeling approach, rather than the prediction<br />
techniques presented at the meeting.<br />
15.2.3 Summary<br />
Besides the two usability feedback interviews described in Section 15.2.1 and 15.2.2, we also had<br />
unstructured interviews with Danish law enforcement police detectives, intelligence analysts, and<br />
a financial fraud expert at the i2 end user conference in Brussels 2010. Finally, we had discussions<br />
and talks with high-level researchers at security informatics and hypertext conferences. The end<br />
user interviews are summarized in Figure 15.2, where it is indicated whether or not each individual<br />
criminal network investigation task was found to be relevant for support in a tool for criminal<br />
network investigation. The end user interviews are discussed and further summarized in Section<br />
15.6.3.<br />
15.3 Capability comparisons<br />
We have carried out two capability comparisons, one based on the criminal network investigation<br />
tasks presented in Section 7.2 and the other is based on support of first class entities, selected<br />
hypertext structures, and transformative and measure algorithms (see Section 8.1, 5.1, and 8.2).<br />
In both cases, CrimeFighter Investigator is compared to the tools and prototypes reviewed in<br />
Chapter 4.<br />
15.3.1 Criminal network investigation task support<br />
The evaluation and comparison of the selected tools was made based on the identified tasks for<br />
criminal network investigation. A thorough examination of each tool has been made by the<br />
authors based on the available research literature, books, manuals, and other publicly available<br />
information. The results can be seen in Table 15.2.<br />
Each tool is rated against each task in the list. A judgment has been made whether the tool<br />
provides full support, partial support, or no support for the task. This is indicated by different<br />
icons in the table. Based on the support for individual tasks, each tool has been given a score<br />
for each process based on a judgment of how many of the tasks they support. This score<br />
ranges from 0 (no support) through 1 (fragmentary support) and 2-4 (partial support) to 5 (full support).<br />
Fragmentary support means that the core task is in theory supported by the tool through the<br />
combination of various features, but it is found to be too time-consuming to be really useful. We<br />
discuss the capability comparison of tasks in Section 15.6.4.<br />
CAPABILITY COMPARISON (column headings, left to right)<br />
ACQUISITION: Acquisition methods, Dynamic attributes, Attribute mapping<br />
SYNTHESIS: Entities, Associations, Re-structuring, Grouping, Collapsing & expanding, Brainstorming, Information types, Emerging attributes<br />
SENSE-MAKING: Retracing the steps, Creating hypotheses, Adaptive modeling, Prediction, Alias detection, Exploring perspectives, Decision-making, Social network analysis, Terrorist network analysis<br />
DISSEMINATION: Storytelling, Report generation<br />
COOPERATION: Shared information space, Emergent collaboration, Shared work flows<br />
Analyst’s Notebook 8.5 3 2 1 3 2 ◦ ◦ ◦<br />
Palantir Government 3.0 4 3 3 4 4 ◦ ◦ ◦<br />
Xanalys Link Explorer 6.0 4 2 1 2 3 ◦ ◦ ◦<br />
COPLINKa 4 2 1 2 2 ◦ ◦ ◦<br />
Namebase.org 0 1 1 1 0 ◦ ◦ ◦<br />
Mindmeister 2 4 1 2 4 ◦ ◦ ◦<br />
Simple tools 1 3 1 1 2 ◦ ◦ ◦<br />
Aruvi 2 1 2 3 2 ◦ ◦ ◦<br />
Sandbox 2 3 2 2 3 ◦ ◦ ◦<br />
POLESTAR 3 2 2 1 3 ◦ ◦ ◦<br />
CrimeFighter Investigator 2 4 4 3 2 ◦ ◦ ◦<br />
END USER INTERVIEWS<br />
Investigative journalism ⊠ + + + ⊠ − + + − − + − − ⊠ − + − + − − − + ◦ ⊠ + − ⊠ ◦ ◦ ◦<br />
Counterterrorism ⊠ + + + ⊠ + + + − + − + + ⊠ + + + + + + − + ◦ ⊠ − − ⊠ ◦ ◦ ◦<br />
Policing ⊠ + + + ⊠ + + − − − − + − ⊠ + + − − − + + + ◦ ⊠ + + ⊠ ◦ ◦ ◦<br />
Researchers & Industry ⊠ + + + ⊠ + + + + + + + + ⊠ − − − + − − − − ◦ ⊠ − − ⊠ ◦ ◦ ◦<br />
Capability Comparison legend - investigative processes (0: no support, 1: fragmentary support, 5: full support) investigative tasks (: supported, :<br />
partially supported, : not supported). ◦ indicates that specific cooperation tasks were added after the capability comparison was complete.<br />
End user interview legend ⊠ indicates criminal network investigation tasks not relevant for the evaluation method. + indicates the relevance of supporting<br />
the task for the given profession and a − indicates the opposite. ◦ means that the task was added after the interviews<br />
239<br />
Table 15.2: An overview of the capability comparison of CrimeFighter Investigator, the end user interviews, and the criminal network investigation<br />
processes and tasks the tool was evaluated against.<br />
a Based on a combined evaluation of the three modules COPLINK Connect, Detect, and Collaboration as well as the COPLINK criminal network analysis tool CrimeNet<br />
Explorer (previously CrimeLink Explorer).
Figure 15.6: Proposed computational modeling concepts and their interrelationship.<br />
15.3.2 Capability comparison of the computational model supported<br />
For this capability comparison we assess the state of the art according to the tailorability of the computational<br />
model. We have previously defined ownership of information and transparency of<br />
process to be direct results of tailorability, meaning the ability to extend and customize existing<br />
functionality for a specific purpose. In our chosen approach, we claimed that the level of<br />
tailorability depends on the computational model. We proposed a computational model that separated<br />
structural and mathematical models, both utilizing a conceptual model offering three first-class<br />
entities.<br />
The evaluation and comparison of the selected tools was made based on the concepts developed<br />
for our approach to criminal network sense-making. These concepts are summarized in Figure<br />
15.6. At the center is tailoring, a concept that facilitates extension and customization of structural<br />
and mathematical models. Tailoring leads to transparency of the sense-making process and<br />
ownership of sense-making computed information. Transparency and ownership increase trust<br />
in the provided information, which will increase the likelihood of that information being used for<br />
operational or other decision-making.<br />
A thorough examination of each tool has been made by the authors based on the available research<br />
literature, books, manuals, and other publicly available information. The results can be seen in<br />
Table 15.3.<br />
Each tool is rated against each concept (model) and sub-concept in the list. A judgment has been<br />
made whether the tool provides full support (), partial support (), or no support () for this<br />
concept, indicated using the shown icons in the table. Based on the support for individual sub-concepts,<br />
each tool has been given a score for each concept (conceptual model, structural models,<br />
and mathematical models), based on a judgment of how many of the sub-concepts it<br />
supports. This score is 0 (no support), 1-2 (fragmentary support), 3-7 (partial support),<br />
or 8-9 (full support). Fragmentary support means that the core concept is in theory supported<br />
by the tool through the combination of various features (not the listed sub-tasks), but it is found<br />
to be too complicated to be really useful in terms of tailorability. We discuss our comparison of<br />
model capabilities in Section 15.6.4.<br />
15.4 Measures of performance<br />
We have developed measures of performance (MOPs) for the algorithm-based techniques that<br />
CrimeFighter Investigator supports, also referred to as criminal network sense-making. We first<br />
calculate measures of performance for our extended centralities, and then we describe the development<br />
and subsequent test of three MOPs for the transformative predict missing links work flow.<br />
Concept | AN 8.5* | PG 3.0* | XLE 6.0* | COPLINK | Aruvi | Sandbox | POLESTAR | CFI 1.0*<br />
Conceptual model | 5 | 7 | 5 | 2 | 5 | 7 | 7 | 8<br />
First class information elements<br />
First class relations<br />
First class composites<br />
Structural models | 4 | 7 | 5 | 2 | 5 | 6 | 7 | 8<br />
Navigational structure<br />
Spatial structure<br />
Taxonomic structure<br />
Mathematical models | 5 | 5 | 5 | 0 | 2 | 0 | 0 | 7<br />
Transformative**<br />
Measuring<br />
Table 15.3: The authors’ assessment of computational modeling concepts *(AN = Analyst’s Notebook,<br />
PG = Palantir Government, XLE = Xanalys Link Explorer, CFI = CrimeFighter Investigator),<br />
**(Filtering is not included).<br />
15.4.1 Social network analysis: extending centrality measures<br />
Based on an organized drug crime network and other reviewed cases (footnote 88), we define three tool requirements<br />
describing investigative needs that we aim to support:<br />
1. When node-link-node associations are not dominant, semantic associations will reduce<br />
investigation uncertainty through the computation of extended centrality measures.<br />
2. Centrality measures for criminal network entities must support empty endpoint associations<br />
for more accurate results.<br />
3. Computing centrality measures for criminal network entities can require support for a<br />
combination of several direct and semantic associations.<br />
Method<br />
We have tested CrimeFighter Investigator’s support of the three tool requirements on a filtered version<br />
of the investigation of an organized drug crime network [10], and a semi-altered version of the same<br />
investigation. We calculate two centrality measures, degree and betweenness, for two conditions:<br />
with and without the two designed and implemented associations.<br />
We test the co-location association on an investigation inspired by an organized drug crime network<br />
to evaluate the requirement for support of semantic associations. The investigation had no direct<br />
associations between entities prior to the test. We have filtered out all entities except the close-up<br />
photos (i.e., the blue rectangles) and created an investigation using CrimeFighter Investigator<br />
where individuals are positioned with the same relative distance. All individuals are given numbers<br />
or letters as names, except for the two lieutenants Anton Artis (A.A.) and Roland Brice (R.B.).<br />
The network with the semantic co-location association included is shown in Figure 15.7a and the<br />
calculated centralities are shown in Figure 15.7b.<br />
We have defined the following four information entities used on the investigation board and use<br />
colored rectangles to represent them in Figure 15.8: portrait pictures are blue, large surveillance<br />
photos are orange, text cards with meta data about individuals are green, and header text cards<br />
with red text are dark red. Based on this augmentation of the investigation board we observe a<br />
number of semantics. Most obviously all portrait Polaroid pictures are placed below a meta data<br />
text card. Sometimes a surveillance photo is placed next to the portraits. Finally, the investigation<br />
board is divided horizontally into areas by the header text cards placed at the top.<br />
Prior to testing the empty endpoint association we found that empty endpoints rarely occurred<br />
in the investigation we analyzed. Links are used to connect two entities, and even if the contents<br />
of one entity are unknown, it is still created as a placeholder. It is unclear whether this is simply<br />
because it does not make sense to work with empty endpoints or if it is because of a structural bias<br />
toward links as simple entity connectors. To test the influence of the empty endpoint association<br />
we have used some of the links from the previous test to create a new test case (see Figure 11.1).<br />
We assume that a number of subgroups have been detected (the four colored composites) and that<br />
the investigators know there is some connection from the main network to each of these subgroups,<br />
but it is unclear how, and therefore an empty endpoint is positioned next to each subgroup.<br />
To test the requirement for centrality measures to consider multiple associations, we use the same<br />
network as for the empty endpoint requirement (see Figure 11.1). However, this time we test<br />
both the empty endpoint association and the co-location association together. The with condition<br />
therefore means that the algorithm replaces empty endpoints with actual nodes (placeholders) and<br />
creates links between co-located nodes that are not already directly associated.<br />
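The two conditions described in the method above, as an added example that is not code from CrimeFighter Investigator or the thesis: degree and betweenness are computed first on the direct links only, then with empty endpoints replaced by placeholder nodes and co-located nodes linked.<br />
The board, the link list, the co-location radius of 1.5, and the function names are assumptions made for illustration; entity labels are borrowed from the text, but the topology is constructed.<br />

```python
from collections import deque
from itertools import combinations
from math import hypot

# Constructed toy board: labels are borrowed from the text, but the positions and
# links are invented for illustration and are not data from the investigation.
POSITIONS = {"A.A.": (0, 0), "2": (3, 0), "R.B.": (6, 0), "5": (8, 0),
             "6": (11, 0), "12": (10, 1)}
# A link is (entity, entity) or (entity, (x, y)): the tuple marks an empty
# endpoint, i.e. a link whose far end is only a position on the board.
LINKS = [("A.A.", "2"), ("2", "R.B."), ("R.B.", "5"), ("6", "12"),
         ("5", (10, 0))]


def build_graph(positions, links, radius=None, fill_empty=False):
    """Return {node: set(neighbours)} for one test condition.

    radius      -- if set, add the co-location association: link every pair of
                   nodes at most `radius` apart that is not already linked.
    fill_empty  -- if True, add the empty endpoint association: replace each
                   empty endpoint with a placeholder node; otherwise the
                   dangling link is dropped, as a plain node-link-node model would.
    """
    pos = dict(positions)
    adj = {name: set() for name in pos}
    empties = 0
    for a, b in links:
        if isinstance(b, tuple):
            if not fill_empty:
                continue
            empties += 1
            placeholder = f"placeholder-{empties}"
            pos[placeholder] = b
            adj[placeholder] = set()
            b = placeholder
        adj[a].add(b)
        adj[b].add(a)
    if radius is not None:
        for a, b in combinations(pos, 2):
            (ax, ay), (bx, by) = pos[a], pos[b]
            if b not in adj[a] and hypot(ax - bx, ay - by) <= radius:
                adj[a].add(b)
                adj[b].add(a)
    return adj


def degree(adj):
    return {node: len(neigh) for node, neigh in adj.items()}


def betweenness(adj):
    """Unnormalised shortest-path betweenness (Brandes) for an undirected graph."""
    score = dict.fromkeys(adj, 0.0)
    for source in adj:
        order, preds = [], {v: [] for v in adj}
        paths = dict.fromkeys(adj, 0)
        paths[source] = 1
        dist = {source: 0}
        queue = deque([source])
        while queue:                        # breadth-first search from source
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:  # v lies on a shortest path to w
                    paths[w] += paths[v]
                    preds[w].append(v)
        dependency = dict.fromkeys(adj, 0.0)
        for w in reversed(order):           # accumulate from the farthest node back
            for v in preds[w]:
                dependency[v] += paths[v] / paths[w] * (1 + dependency[w])
            if w != source:
                score[w] += dependency[w]
    return {v: s / 2 for v, s in score.items()}  # each pair was counted twice


def compare(positions, links, radius):
    """Degree and betweenness per entity, without and with both associations."""
    plain = build_graph(positions, links)
    extended = build_graph(positions, links, radius=radius, fill_empty=True)
    d0, b0 = degree(plain), betweenness(plain)
    d1, b1 = degree(extended), betweenness(extended)
    return {n: {"degree": (d0.get(n, 0), d1[n]),
                "betweenness": (b0.get(n, 0.0), b1[n])} for n in extended}


if __name__ == "__main__":
    for name, row in sorted(compare(POSITIONS, LINKS, radius=1.5).items(),
                            key=lambda kv: -kv[1]["betweenness"][1]):
        print(f"{name:14} degree {row['degree']}  betweenness {row['betweenness']}")
```

On this constructed board the placeholder bridges the main chain and the subgroup, so the entity holding the empty-endpoint link gains the most betweenness; on real boards the outcome depends on the chosen radius.<br />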
Summary of results<br />
Testing the requirement for semantic associations illustrated how centrality measures can be applied<br />
to spatial network structures using a co-location association. It is evident that when no<br />
relations exist in an investigation prior to analysis, there is a need to define associations between<br />
entities in a different way if the investigators want to calculate node centrality to deal with the<br />
uncertainty of an ongoing investigation. We see that degree centrality indicates the individuals<br />
on the right-hand side in Figure 15.7b as central to the network (e.g., 9, 6, 8, and 10), but they<br />
are of little importance when considering betweenness. At the same time, degree doesn’t point<br />
to the two lieutenants A.A. or R.B. as key players, as we expected. We therefore find that one<br />
should be careful about treating spatial co-location as a measure for network degree centrality.<br />
Betweenness centrality clearly points to A.A. and R.B. as key players in the network, together<br />
with individual 2. Given the results of our two other tests, it is also interesting that individual 5<br />
is placed in the top four in terms of betweenness.<br />
When we tested the empty endpoints requirement we found that the measure of degree centrality<br />
provides investigators with no clear tendencies, although it more strongly indicates individuals F, D,<br />
A.A., and 3 as central to the network. The betweenness results more distinctly point to A.A. and<br />
R.B. when including the empty-endpoints association. We also observe that individual 2 is ranked<br />
as fourth instead of seventh, which is a more realistic depiction of this individual’s betweenness in<br />
the network. Individual 5 has the highest change in betweenness when including empty endpoints,<br />
making him an interesting subject for further investigation. As mentioned earlier, it would be<br />
possible to model empty endpoints using information element placeholders until the content of the<br />
empty endpoint is known. This also means that traditional social network analysis measures of<br />
centrality could be applied. We therefore recommend testing whether empty endpoints have higher value<br />
for restructuring tasks during synthesis than for centrality algorithms.<br />
Our test of the requirement for support of multiple associations was successful in terms of extending<br />
two measures of centrality with more than one association from our topology. But for the test<br />
investigation the test results did not add much investigative value. The inclusion of both empty<br />
endpoint and co-location associations connects all entities in the criminal network through the<br />
empty endpoints (individual 5 is connected to individuals 6 and 12, individual F to individual H,<br />
and individual A.A. to individual M). This makes the degree and betweenness centrality of key<br />
nodes without the associations less distinctive. The numbers are flattened because the information<br />
elements in the subgroups achieve higher measures of betweenness centrality with the associations<br />
included. The most interesting result for this final test was that the degree and betweenness<br />
centrality of individual 5 is increased considerably when the associations are added. Together,<br />
our three requirement tests have shown that measures of centrality extended with novel types of<br />
associations provided new insights into two organized crime networks that traditional centrality<br />
measures could not provide. The most important result was that the centrality of individual 5 was<br />
increased in all three tests. Individual 5 was not known to be a central entity in the network<br />
before the tests.<br />
Data set | al-Qaeda | al-Qaeda | al-Qaeda | November 17 | November 17<br />
Version | full | full | id 1-20 | full | full<br />
Sampling | 100% | 25% | 50% | 100% | 50%<br />
Nodes | 366 | 256 | 15 | 22 | 17<br />
Attributes | 17 | 17 | 17 | 11 | 11<br />
Complexity* | 9.53 | 9.53 | 9.53 | 2.09 | 2.09<br />
Links | 999 | 249 | 18 | 63 | 32<br />
Link density | 0.015 | 0.008 | 0.17 | 0.27 | 0.24<br />
*Complexity indicates the average number of enumerated values for each entity attribute.<br />
Table 15.4: The November 17 and al-Qaeda datasets.<br />
15.4.2 Predict missing links algorithm<br />
Our measures of performance (MoPs) for the predict missing links algorithm focus on the internal<br />
structure, characteristics, and behavior of the CrimeFighter Investigator sense-making sub-system.<br />
We have developed three measures that helped us answer questions about how the CrimeFighter<br />
Investigator predict missing links algorithm performs in terms of information volume, attribute<br />
completeness, and attribute accuracy. In the longer term, these MoPs will help us build a process<br />
that criminal network investigators can have confidence in when going before a decision maker [216].<br />
We need to make sure that algorithm-supported sense-making tasks can perform on the criminal<br />
networks that investigators are dealing with on a daily basis. More specifically, we want to evaluate<br />
if the integration of synthesis and sense-making tasks is feasible.<br />
To test the developed algorithm, we use two criminal networks: November 17 and al-Qaeda. The<br />
data set of the (believed defunct) Greek terrorist group November 17 (N17) was derived from open<br />
source reporting [112]. The N17 group was a small, close-knit organization of 22 individuals with<br />
63 links out of a potential 231 links. The links of the dataset indicate that open source reporting<br />
has demonstrated some connection between the two individuals at some point in the past, but no<br />
specific weightings of the links are indicated [184].<br />
The second dataset is the al-Qaeda network (2003). All the network information was gathered<br />
from public domain sources: “documents and transcripts of legal proceedings involving global<br />
Salafi mujahedin and their organizations, government documents, press and scholarly articles, and<br />
Internet articles” [188]. We have included acquaintance, friend, and post joining jihad relations,<br />
but the algorithm does not differentiate between them. Nuclear family, relatives, religious leader,<br />
and ties not in sample links are excluded from our version of the data set.<br />
We use sampled versions of the full networks for our evaluations, and the topology of all networks<br />
is presented in Table 15.4. The sampled networks are created by removing either 50 or 25<br />
percent of the links in the network and then seeing what is left. The number of nodes and links<br />
is inherently an issue for performance. The number of attributes that each node has does not<br />
impact the performance of the ‘missing links’ algorithm since tests are run with four attributes<br />
every time. We define the complexity of node attributes as the average of valid enumerated values<br />
per attribute. Link density is the ratio between the number of links and the number of potential<br />
links and indicates, for example, how connected and covert the given network is.<br />
Data set → | November 17 | al-Qaeda<br />
L Cutoff | 2.5 | 2.5<br />
Attribute 1 | Role | Children<br />
Attribute 2 | Faction | Clump<br />
Attribute 3 | Resources | Fate<br />
Attribute 4 | Degree centrality | Degree centrality<br />
Table 15.5: Algorithm setup for the November 17 and al-Qaeda data sets.<br />
Condition | Level | Data set (version) | Sampling | Time (s) | TP* # | TP % | FP* # | FP %<br />
“Original” data set | 100% | November 17 (full) | 50% | 0.219 | 9 | 42.9 | 12 | 57.1<br />
“Original” data set | 100% | al-Qaeda (id 1-20) | 50% | 0.078 | 7 | 35.0 | 13 | 65.0<br />
“Original” data set | 100% | al-Qaeda (full) | 25% | 63.093 | 288 | 4.9 | 5547 | 95.1<br />
Attribute accuracy | 90% | November 17 (full) | 50% | 0.235 | 5 | 35.7 | 9 | 64.3<br />
Attribute accuracy | 90% | al-Qaeda (id 1-20) | 50% | 0.79 | 6 | 46.2 | 7 | 53.8<br />
Attribute accuracy | 90% | al-Qaeda (full) | 25% | 37.562 | 165 | 5.1 | 3052 | 94.9<br />
Attribute accuracy | 70% | November 17 (full) | 50% | 0.124 | 1 | 16.7 | 5 | 83.3<br />
Attribute accuracy | 70% | al-Qaeda (id 1-20) | 50% | 0.62 | 5 | 45.5 | 6 | 54.5<br />
Attribute accuracy | 70% | al-Qaeda (full) | 25% | 24.656 | 167 | 5.0 | 3171 | 95.0<br />
Attribute completeness | 90% | November 17 (full) | 50% | 0.282 | 5 | 45.5 | 6 | 54.5<br />
Attribute completeness | 90% | al-Qaeda (id 1-20) | 50% | 0.094 | 7 | 41.2 | 10 | 58.8<br />
Attribute completeness | 90% | al-Qaeda (full) | 25% | 41.344 | 197 | 4.8 | 3939 | 95.2<br />
Attribute completeness | 70% | November 17 (full) | 50% | 0.531 | 5 | 45.5 | 6 | 54.5<br />
Attribute completeness | 70% | al-Qaeda (id 1-20) | 50% | 0.079 | 5 | 41.7 | 7 | 58.3<br />
Attribute completeness | 70% | al-Qaeda (full) | 25% | 24.328 | 146 | 4.4 | 3167 | 95.6<br />
* TP = true positives, FP = false positives.<br />
Table 15.6: Measures of performance for the ‘predict missing links’ algorithm. This algorithm is<br />
at the core of the predict ‘covert network structure’ and ‘custom node removal’ algorithms.<br />
We logged three variables for each test. Time is the seconds it takes to predict missing links.<br />
True positives are predicted links that exist in the non-sampled version of the data set. False<br />
positives are predicted links that do not exist in the non-sampled version of the data set. The<br />
‘predict missing links’ algorithm was customized in the same way for each sampled data set before<br />
each test, as described in Table 15.5. The al-Qaeda attributes are selected to match the number<br />
of enum values for each November 17 attribute.<br />
We evaluate the ‘predict missing links’ algorithm against all the data sets using the three measures<br />
of performance. The results are listed in Table 15.6.<br />
Information volume. This measure of performance is based on an evaluation of the change in<br />
processing time and true and false positive ratios when the number of nodes and links increases<br />
across the three sampled data sets.<br />
We observe that the sampled al-Qaeda data set increases the time required to process the prediction<br />
significantly (as expected). However, in the worst case the logged time is only 63 seconds and it<br />
does not raise any operational concerns for most criminal network investigations. We realize that<br />
the network can be much larger, and expect the required time to increase also for the tested data<br />
set if attributes with more enumerated values were selected. But it is our experience that for very<br />
large networks, criminal network investigators will request predictions within subgroups mostly<br />
and not the whole network.<br />
Attribute accuracy. The ‘missing links’ prediction algorithm assumes that attribute values<br />
are machine-recognizable, i.e., the value should be one of a list of predefined enumeration<br />
values (e.g., Role [leadership, operational] or Degree centrality [high, middle, low]). We<br />
have decreased the attribute accuracy of the sampled data set by scrambling a percentage of the<br />
enumeration values.<br />
The decreasing accuracy of enumeration values clearly impacts the number of predicted links,<br />
but the ratio between them does not change, indicating some robustness of the ‘missing links’<br />
algorithm. The time actually decreases together with the decreasing accuracy of attribute values;<br />
a decrease in predicted links can more easily be processed by the algorithm. One interesting<br />
observation here is that the ratio of true positives dropped significantly for the November 17 data<br />
set at 70% accuracy, to 1 (from 5 at 90%). We expect this is caused by the fewer attributes compared<br />
to the al-Qaeda data set, making it more vulnerable to the random scrambling of attribute values.<br />
Attribute completeness. End user requirements and usability feedback have indicated a need<br />
to support dynamic and emerging entity attributes, since limited information is typically available<br />
about the individuals in criminal networks. To simulate this we delete attribute values from the<br />
data sets by replacement with empty values.<br />
Like attribute accuracy, the total number of predicted links decreases as the number of non-empty<br />
attribute values increases but the ratios stay more or less the same. We anticipated this similarity<br />
between the accuracy and completeness MoPs as the CrimeFighter Investigator does not support<br />
technology that could improve the attribute accuracy by correcting for example typographical<br />
spelling errors.<br />
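A test harness for the three measures of performance described above, as an added example that is not code from the thesis: it computes link density, samples a network, scrambles or empties attribute values, and scores predicted links as true and false positives against the non-sampled network.<br />
The six-node network is constructed, the predictor is a hypothetical stand-in based on shared attribute values (not the CrimeFighter Investigator algorithm), and the sampling percentage is assumed to be the share of links kept.<br />

```python
import random
import time
from itertools import combinations

# Constructed six-node network (not the November 17 or al-Qaeda data).
# Attribute values are enumerations, as the algorithm setup requires.
DOMAINS = {"role": ["leadership", "operational"], "faction": ["X", "Y"]}
ATTRS = {
    "a": {"role": "leadership", "faction": "X"},
    "b": {"role": "leadership", "faction": "X"},
    "c": {"role": "operational", "faction": "X"},
    "d": {"role": "operational", "faction": "Y"},
    "e": {"role": "operational", "faction": "Y"},
    "f": {"role": "leadership", "faction": "Y"},
}
FULL = {frozenset(p) for p in ["ab", "ac", "bc", "de", "ef", "cd"]}


def link_density(n_nodes, n_links):
    """Links divided by potential links, n(n-1)/2, as used in Table 15.4."""
    return n_links / (n_nodes * (n_nodes - 1) / 2)


def sample_links(links, keep, rng):
    """Sampled version of a network: keep the given share of its links."""
    return set(rng.sample(sorted(links, key=sorted), round(keep * len(links))))


def degrade(attrs, share, rng, domains=None):
    """Lower attribute quality for `share` of all values.

    With `domains` the value is scrambled to a different enumeration value
    (attribute accuracy); without it the value is emptied (completeness).
    """
    out = {node: dict(row) for node, row in attrs.items()}
    cells = [(node, key) for node, row in attrs.items() for key in row]
    for node, key in rng.sample(cells, round(share * len(cells))):
        if domains is None:
            out[node][key] = None
        else:
            others = [v for v in domains[key] if v != out[node][key]]
            out[node][key] = rng.choice(others)
    return out


def predict_missing_links(attrs, known, min_shared):
    """Stand-in predictor (hypothetical, not the thesis algorithm): propose a
    link for every unlinked pair sharing at least `min_shared` non-empty values."""
    predicted = set()
    for a, b in combinations(sorted(attrs), 2):
        shared = sum(1 for k, v in attrs[a].items()
                     if v is not None and attrs[b].get(k) == v)
        if frozenset((a, b)) not in known and shared >= min_shared:
            predicted.add(frozenset((a, b)))
    return predicted


def score(predicted, full):
    """True/false positives against the non-sampled network, with percentages."""
    tp = len(predicted & full)
    fp = len(predicted - full)
    total = tp + fp
    if total == 0:                       # nothing predicted: avoid dividing by zero
        return {"tp": 0, "fp": 0, "tp_pct": 0.0, "fp_pct": 0.0}
    return {"tp": tp, "fp": fp, "tp_pct": round(100 * tp / total, 1),
            "fp_pct": round(100 * fp / total, 1)}


def run_mop(attrs, known, full, min_shared=1):
    """One test run: logs the three variables (time, true and false positives)."""
    start = time.perf_counter()
    predicted = predict_missing_links(attrs, known, min_shared)
    elapsed = time.perf_counter() - start
    return {"time_s": elapsed, **score(predicted, full)}


if __name__ == "__main__":
    rng = random.Random(17)              # fixed seed so runs are repeatable
    known = sample_links(FULL, 0.5, rng)
    print("density full/sampled:", link_density(6, len(FULL)), link_density(6, len(known)))
    print("original    ", run_mop(ATTRS, known, FULL))
    print("accuracy 70%", run_mop(degrade(ATTRS, 0.3, rng, DOMAINS), known, FULL))
    print("complete 70%", run_mop(degrade(ATTRS, 0.3, rng), known, FULL))
```

The TP % and FP % values are computed as shares of all predicted links, which is how the percentages in Table 15.6 relate to their counts (for example 9 and 12 give 42.9 and 57.1).<br />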
15.5 Summary<br />
To summarize our evaluations, we have used three different methods for evaluating our developed<br />
tool support for criminal network investigation: capability comparisons, end user interviews, and<br />
measures of performance. The use of multiple evaluation methods was necessitated by<br />
the different nature of the different criminal network processes embedded in our target-centric model.<br />
Our three methods gave us good evaluation coverage across all of them, from acquisition to cooperation.<br />
Acquisition and synthesis tasks map to evaluation of information #1 (emerging and<br />
fragile structure). Acquisition tasks, information types, and emerging attributes map to evaluation<br />
of information #2 (integrating information sources). Sense-making tasks map to human<br />
factors #1 (augment human intellect) and human factors #4 (human-computer synergies).<br />
Dissemination tasks map to evaluation of human factors #2 (transparency and ownership),<br />
and so forth.<br />
A couple of requirements were found not to be covered by the selected evaluation methods; this was,<br />
however, expected. Observing the mapping figures for requirements to tasks (Figure 15.1), measures<br />
of performance to requirements (Figure 15.3), and models to requirements (Figure 15.2), we see<br />
that Process #1 (target-centric and iterative) and Process #3 (make everybody stakeholders)<br />
are not covered by our evaluation methods. The only argument for coverage would be that support of<br />
the retracing the steps task, and hence information #4 (versioning support), would reveal who<br />
takes, e.g., early decisions in an investigation, and hence their responsibility for the final outcome<br />
would stay throughout the investigation and they would be stakeholders. But we find that to be<br />
a rather weak argument for coverage. As mentioned, this was expected. Our process model was<br />
developed to address these two research focus requirements, and our arguments for designing the<br />
process model in this particular way are based on literature studies, expert end users, and our ideas<br />
for how to design such a process.<br />
In summary, for the evaluations presented in this chapter of a tool for criminal network investigation,<br />
CrimeFighter Investigator, we find it has strong support for information #1, information<br />
#3, process #4, human factors #1, and human factors #4, medium support of information<br />
#1, human factors #2, and human factors #3, and weak support of information<br />
#1 and process #2. This summary is visualized in Table 15.7. Comparison of CrimeFighter<br />
Investigator with other tools was covered in Section 15.3.<br />
Requirement | Information #1 | Information #2 | Information #3 | Information #4 | Process #1 | Process #2 | Process #3 | Process #4 | Human factors #1 | Human factors #2 | Human factors #3 | Human factors #4<br />
Measures of performance | 3 | 1 | 1 | 1 | - | 1 | - | 2 | 2 | 1 | - | 1<br />
Models | 2 | 1 | 2 | 2 | - | 2 | - | 3 | 3 | 3 | 1 | 3<br />
Capability comparisons | 6 | 1 | 3 | 1 | - | 1 | - | 2 | 3 | 2 | 3 | 3<br />
Support - -<br />
Table 15.7: Summary of evaluation according to requirements. A large black square indicates<br />
strong support of a requirement, a medium sized black square means medium support, and a<br />
small black square is a symbol for weak support of the requirement. We have used values of 1 to<br />
6 to indicate the support of individual evaluation methods for each research focus requirement,<br />
primarily based on the mappings between the methods and the requirements (see Figures 15.1,<br />
15.2, and 15.3).<br />
15.6 Discussion<br />
We will discuss the implications of the evaluation results for CrimeFighter Investigator presented above in<br />
Sections 15.2, 15.3, and 15.4. But first we discuss visualization as a lead-in to discussing<br />
who is treated as the customer when it comes to tool support for criminal network investigation,<br />
and who the customer(s) really are. A second discussion, before that of the evaluation results, is<br />
about end user involvement in the evaluation of criminal network investigation tools, the problems we<br />
faced in relation to this, and our suggestions for how to get the end users from the security domains<br />
and law enforcement (police officers, detectives, intelligence analysts) involved in the evaluation,<br />
but also the development, of tool support for criminal network investigation.<br />
15.6.1 Visualization or visual filtering<br />
Even with the carefully placed disclaimer in the introduction, we feel a need to discuss the issue<br />
of visualization here, based on who we think the customer for tool support of criminal network<br />
investigation is. The general critical reader (or perhaps a PhD committee member) could question<br />
our lack of coverage of visualization, and rightfully so. All we have done in terms of visualization<br />
is to mention (with a certain amount of sarcasm) what beautiful pictures it can make. And we have<br />
presented much criticism: on how static visualization tools often seem [166] and how users often<br />
only use the tools to draw the final networks of their investigation to present to their higher level<br />
managers (see Section 15.2). We have described, maybe not in so many words, how we have sat<br />
at the back of an IBM i2 end user conference and chuckled when the CEO mentioned the new<br />
3D icons, how cool they were (he used the word cool), and then looked up at them and paused.<br />
One would have expected, when looking around the room, to see other people smiling and shaking<br />
their heads; but no, everybody was looking, mesmerized, at the CEO and the icons; 3D icons are<br />
mesmerizing.<br />
We didn’t do structured literature reviews of information visualization and related fields, so who<br />
are we to offer an opinion on the subject? Clearly, we have no idea of the depth of this field and the<br />
many important applications in relation to security informatics and criminal network investigation.<br />
Nonetheless, we discuss it, and we use Ray Kroc’s quote from the beginning of this chapter as a<br />
basis of our discussion, and to indicate the non-scientific nature of the discussion. When Ray Kroc<br />
talks about “looking after the customer”, he is most likely referring to customer service: smiling<br />
service; fast service; and a nice, clean, and well-kept establishment. In the documentary Super Size<br />
Me, the implication is that McDonald’s is looking after the customer by providing them with good-tasting<br />
food that to some extent makes them addicted to that same food; or the amount of sugar<br />
it contains. In combination, looking after the customer becomes excellent service, a nice, clean,<br />
and (might we add) colorful restaurant, together with selling the customer something that tastes<br />
very good, but ultimately is not good for the customer.<br />
For companies that sell criminal network visualization software, the customer is first of all the<br />
individuals who pay the large license fees, typically managers in companies and organizations<br />
requiring such software. We believe that the true customers of criminal network investigation tools<br />
are the investigators who are going to use the tools. The question is now, how best to look after<br />
this customer? We should surely not inhibit the investigator in any way, not inhibit the sense for a<br />
specific emerging structure, the investigator’s imaginativeness and creativity, when an idea makes<br />
the investigator draw a row of two-story houses, before asking a tool which of those houses have<br />
roof access to a certain back alley. When the investigator thinks of new and innovative ways to<br />
fill the negative (void) space in a criminal network investigation, producing new leads and solving<br />
cases. That is our point of view, and it is the point of view we have had throughout this work and<br />
which we have been developing tool support for.<br />
Naturally, when all that is said, visualization is important in a tool box for fighting crime (e.g.,<br />
criminal network investigation). And there is a tool in the CrimeFighter toolbox which focuses<br />
on visualization (see Section 1.4 in the introduction). Maybe, if we could call it something like<br />
visual filtering, indicating a more active involvement on the part of the investigator, rather than<br />
just selecting between a variation of layouts and color schemes, it would be a better match, and<br />
also become useful for the tasks of the criminal network investigator.<br />
15.6.2 End user involvement<br />
Evaluation of new processes, tools, and techniques for criminal network investigation is a challenging<br />
task, at best. Especially when humans are given such a central role as we have given them,<br />
and because our intended end users are from a part of society where it is not customary to talk freely<br />
and openly about your work and methods. Initially, when security informatics researchers start<br />
their work, they turn to the institutions of their homeland for inspiration, advice, and guidance.<br />
These institutions include intelligence services and agencies, police and special units. In Denmark<br />
this would be either the Danish Security and Intelligence Service (DSIS, footnote 89) or the Danish Defense<br />
Intelligence Service (DDIS, footnote 90). Our supervisor, Professor Uffe Kock Wiil, has held several meetings<br />
with representatives from the Danish intelligence services prior to the beginning of our research,<br />
and the author has met representatives as well, on a number of occasions during the past three<br />
years. The feedback received by the author can be summarized as “you are using all the right<br />
words”, but “we do not adopt or test software within the organization before it reaches a certain<br />
level of maturity”. While that seems like a reasonable strategy for institutions whose work and<br />
information from outside sources depends on a certain level of secrecy [27], all software engineers<br />
know what happens when you leave the customer out of the development process loop: the risk<br />
of project failure (i.e., not delivering the desired product or any product at all) is significantly increased<br />
[43,54,165]. But there is a trade-off between secrecy and openness that has to be carefully<br />
balanced (footnote 91). During the nineties the media suspected DSIS to be a ‘state within the state’, and<br />
the previous director of operations for DSIS says that his sources within the media have noticed a<br />
return close to that level of secrecy [27]. As the 22 July commission report [153] states, ‘extreme<br />
secrecy’ might have contributed to not stopping (parts of) the terrorist attacks on 22 July (2011)<br />
in Norway [27, 153].<br />
As mentioned above, the development of complex software systems requires the involvement of the<br />
customer as a stakeholder together with the developers and their managers, in order to produce<br />
a product with the required level of maturity, suitable for testing on classified data. We suggest<br />
that collaboration is established between the Danish intelligence services or the less secretive parts<br />
of law enforcement, such as police, and domestic research institutions. Such collaborations exist<br />
in other countries: at Simon Fraser University the Institute for Canadian Urban Research Studies<br />
(ICURS) based in the School of Criminology has a secure crime lab, where researchers can test<br />
their algorithms on police data. At Arizona University’s AI lab, 300 police officers participated<br />
in a survey-based evaluation of the COPLINK software 92 . Naturally, it takes time to build the<br />
required level of trust between academia and law enforcement, once your software tool is mature<br />
enough. Our three years in the security informatics research community helped us reach a point<br />
where we now find ourselves knowledgeable enough to ask these questions. But if it was not required<br />
to experience the classical “oops, I tripped and spilled your wine on you (to test if you are wearing<br />
a wire)” before gaining access to knowledge from intelligence service agents, we might have been<br />
able to ask these questions earlier.<br />
15.6.3 Discussing end user interviews<br />
Unstructured and informal interviews, where the interviewer asks questions about individual criminal<br />
network investigation tasks and demonstrates some tool features, and the interviewee talks<br />
about their work and answers questions, have proved useful for an initial establishment of whether<br />
or not the research is on the right tracks. However, the aggregation of the interviews often becomes<br />
a difficult task for the interviewer. It is the interviewer who decides how to map responses and<br />
statements, and the evaluation naturally becomes subjective to a certain degree, and is qualitative<br />
in the sense that it is based on the opinions of interviewers. We found it a good approach<br />
to keep the interviewees from different investigation domains separate, also because certain terminologies<br />
exist within those domains, making it easier to decide if a statement was for or against<br />
the support of a certain criminal network investigation task.<br />
15.6.4 Discussing capability comparisons<br />
We discuss our capability comparison of tasks in Section 15.6.4 and models in Section 15.6.4.<br />
Capability comparison of tasks<br />
Before discussing the results in Table 15.2, it makes sense to ask the question whether the tasks<br />
used for evaluation and comparison are the right tasks to support by software tools? The goal<br />
should be that the investigators can use the tools to reach better results faster. We have interacted<br />
with investigators when compiling the task list. The task list has subsequently been confirmed<br />
by investigators as important tasks to support in a software tool. The investigators also noted<br />
the absence of details regarding tasks in the acquisition and cooperation processes. We intend to<br />
address this in future work and constantly expand and revise our list of tasks to be supported<br />
based on interactions with end-users.<br />
The results in Table 15.2 are not surprising. Our focus on synthesis, sense-making, and dissemination<br />
has resulted in relatively good support for these processes ranging from 3 (dissemination)<br />
over 4 (sense-making) to 4 (synthesis). On the other hand, our tool scores somewhat low on<br />
acquisition (2) and cooperation (2) as expected.<br />
Compared to the other tools, CrimeFighter Investigator is the only tool that supports the majority<br />
of the envisioned synthesis tasks. Other tools support the synthesis tasks to a varying degree.<br />
Regarding sense-making, our tool scores higher than the other tools except for Palantir that<br />
received the same score. Our plans for future work (see Section 6) will result in a tool that<br />
fully supports the envisioned tasks related to synthesis, sense-making, and dissemination. Our<br />
conclusion is that our tool currently provides the most comprehensive support for synthesis and<br />
sense-making.<br />
It can be observed from Table 15.2 that the tools used in watchdog journalism are not as elaborate<br />
as the commercial tools for policing and counterterrorism. The market for policing and counterterrorism<br />
tools is much bigger than the market for watchdog journalism tools. We envision that<br />
our tool can be useful to investigative journalists due to the supported tasks.<br />
It can also be observed from Table 15.2 that the commercial tools provide good support for<br />
acquisition and dissemination. Acquisition is essential for a commercial tool, since many of their<br />
customers have enormous amounts of data that need to be made available to the investigations.<br />
Dissemination is also essential for a commercial tool, since the investigation results need to be<br />
communicated to the customer in a comprehensive manner. In the longer term, our future work<br />
will also address the acquisition and dissemination issues, but not to the extent of what commercial<br />
tools do. Our long term research goal is to provide the most comprehensive support for synthesis,<br />
sense-making, and cooperation.<br />
Commercial tools provide many powerful features for the synthesis tasks that they support, while<br />
there seems to be an increased focus on supporting sense-making tasks in research prototypes<br />
like Sandbox, POLESTAR, and CrimeFighter Investigator. For example, Analyst’s Notebook is<br />
very strong on visualization as part of its synthesis support, but lacks many of the features for<br />
sense-making. Wright et al. state that Analyst’s Notebook seems better suited as a report tool<br />
than a thinking tool since it does not encourage various alternative thinking [254]. This claim was<br />
supported by end-users we met at an i2 user conference 93 : “I typically use Analyst’s Notebook<br />
to generate a report for the state attorney handling the case in court. I do not use Analyst’s<br />
Notebook before I am done with my analysis”.<br />
The comparison of supported tasks is made based on whether a particular feature is supported<br />
or not - not how well it is supported. Commercial tools are by nature more mature and typically<br />
provide qualitatively better features than research prototypes (which often aim at providing proof-of-concept<br />
implementations of features). CrimeFighter Investigator has so far only been evaluated<br />
based on the existence of support for tasks, not how well end-users feel they are supported in<br />
practice. This type of evaluation involving investigators from the three overall areas is planned to<br />
start, when the envisioned list of tasks has been implemented.<br />
CrimeFighter Investigator uses well-known (and tested) hypertext concepts and structuring mechanisms<br />
that have proved useful to solve similar knowledge management tasks. In fact, the tool<br />
builds on previous work by the authors on the use of multiple hypertext structures to support<br />
knowledge management tasks related to agile planning [170]. Thus, we are confident that the<br />
provided support to a large degree will be perceived as useful by the end-users in supporting the<br />
investigative tasks. Further evaluation results will help fine-tune the usability of the provided<br />
features.<br />
Capability comparison of models<br />
We observe two tendencies in our assessment of computational modeling concepts in commercial<br />
tools and research prototypes for criminal network investigation. Separating commercial tools from<br />
research prototypes, we see that the research prototypes are slightly more diverse in their support<br />
of first class entities. Tools and research prototypes are equally strong in terms of structure domains<br />
supported; the commercial tools are strong on navigational structures, where the research<br />
prototypes have better support for spatial structures. Finally, the commercial tools outperform the<br />
research prototypes in terms of mathematical models (measures) supported. CrimeFighter Investigator<br />
has better support of first class entities (conceptual model), structure domains (structural<br />
models), and transformative and measuring algorithms (mathematical models) than the state-of-the-art<br />
tools and research prototypes analyzed for this comparison.<br />
In our “invented” work flow scenario described in Section 14.3, Mark used sense-making tailoring<br />
to be able to understand and reason about the network information he was asked to analyze. More<br />
specifically he customized a prediction algorithm to base its inferences on different information<br />
element attributes for different parts of the network. He also extended the actual prediction of<br />
links to be conditioned by the betweenness centrality of the individuals between whom links were<br />
predicted, prior to that prediction. The tailoring in CrimeFighter Investigator made the process<br />
transparent and helped Mark to gain a feeling of ownership toward the information provided. In<br />
other words, he trusted the sense-making provided information enough to forward his findings to<br />
his decision-making superiors.<br />
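The betweenness-conditioned prediction described above, as an added example (not code from the dissertation or from CrimeFighter Investigator): betweenness is computed first, and a link is predicted only when both endpoints meet a threshold.<br />
The common-neighbour score, the both-endpoints rule, the function names, and the sample graph are assumptions made for illustration.<br />

```python
from collections import deque
from itertools import combinations

# Constructed sample network: two tight groups (a-b-c and e-f-g) joined by
# two intermediaries (d and h). Not data from the dissertation.
SAMPLE_EDGES = [
    ("a", "b"), ("a", "c"), ("b", "c"),
    ("c", "d"), ("d", "e"), ("c", "h"), ("h", "e"),
    ("e", "f"), ("e", "g"), ("f", "g"),
]


def build_graph(edges):
    """Undirected adjacency map: node -> set of neighbours."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def betweenness(adj):
    """Brandes' algorithm for an unweighted, undirected graph (unnormalised)."""
    cb = dict.fromkeys(adj, 0.0)
    for s in adj:
        order = []                          # nodes in BFS visiting order
        preds = {v: [] for v in adj}        # shortest-path predecessors
        sigma = dict.fromkeys(adj, 0)       # number of shortest paths from s
        dist = dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):           # accumulate dependencies backwards
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                cb[w] += delta[w]
    # Every unordered pair was counted from both ends.
    return {v: c / 2.0 for v, c in cb.items()}


def predict_links(adj, min_betweenness=None):
    """Score unlinked pairs by common neighbours (assumed scoring rule).

    With min_betweenness set, centrality is computed before prediction and a
    pair is kept only if both endpoints reach the threshold. Rejected pairs
    are returned with their centralities so the decision stays inspectable.
    """
    cb = betweenness(adj) if min_betweenness is not None else {}
    predicted, skipped = [], []
    for u, v in combinations(sorted(adj), 2):
        if v in adj[u]:
            continue                        # already linked
        score = len(adj[u] & adj[v])
        if score == 0:
            continue                        # no evidence for a link
        if min_betweenness is not None and min(cb[u], cb[v]) < min_betweenness:
            skipped.append((u, v, score, cb[u], cb[v]))
        else:
            predicted.append((u, v, score))
    predicted.sort(key=lambda p: (-p[2], p[0], p[1]))
    return predicted, skipped


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    for name, value in sorted(betweenness(graph).items()):
        print(f"betweenness[{name}] = {value}")
    kept, dropped = predict_links(graph, min_betweenness=4.5)
    print("predicted:", kept)
    for u, v, score, bu, bv in dropped:
        print(f"skipped {u}-{v} (score {score}): betweenness {bu} / {bv}")
```

Returning the skipped pairs alongside the predictions mirrors the transparency point in the paragraph: the investigator can see which candidate links the condition suppressed and why.<br />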
15.6.5 Discussing measures of performance<br />
We have developed and calculated measures of performance (MoP) for two extended centrality<br />
algorithms (degree and betweenness) and one transformative algorithm (predict missing links).<br />
In the longer term, these MoPs will help us build a process that criminal network investigators<br />
can have confidence in, going before a decision maker. MoPs are therefore also related to our<br />
discussion of involving end users in the evaluation of new tools for criminal network investigation<br />
(see Section 15.6.2). We expect that good MoPs will also be required to convince individuals in law<br />
enforcement institutions in order for them to decide whether or not to start a collaboration with<br />
the purpose of further development of the tool, or bringing it in-house to test on some up-to-date<br />
data.<br />
It is interesting that the information volume MoP does not have strong relations to our research<br />
focus requirements as it was illustrated in Figure 15.3. In fact, we only found it to have limited<br />
relations to support of the augmentation of human intellect requirement (human factors #1).<br />
But it is not surprising, as we have never thought of information volume on its own to be a<br />
complicated information problem, as it will be a matter of computing power and resources to<br />
solve it (as previously mentioned). However, if other information problems such as accuracy<br />
and completeness are introduced, information volume could become an issue, since computations<br />
become more complicated and time consuming.<br />
Figure 15.7: The organized drug crime investigation with links representing co-location associations (a). The degree and betweenness centralities for<br />
each of three tests: co-location association (b), empty endpoints association (c), and both co-location and empty endpoints associations (d).<br />
Figure 15.8: Augmented version of an organized crime investigation showing a shared information<br />
space and various content. Close-up pictures are blue, surveillance photos are orange, text cards<br />
with meta information about individuals are green and text cards functioning as headers are dark<br />
red.<br />
CHAPTER 16<br />
Conclusion and future work<br />
The art of investigation is in part the art of seeing, of finding a place<br />
to stand so that you can see. To see a ghost presents a special kind of<br />
problem.<br />
McDermott and Meyer (2012), in the hunt for Khalid Sheikh Mohammed [146]<br />
Criminal network investigation involves a number of complex knowledge management tasks such<br />
as collection, processing, and analysis of information. Synthesis and sense-making are core analysis<br />
tasks; analysts move pieces of information around, they stop to look for patterns that can help them<br />
relate the information pieces, they add new pieces of information and iteration after iteration the<br />
information becomes increasingly structured and valuable. Synthesizing emerging and evolving<br />
information structures is a creative and cognitive process best performed by humans. Making<br />
sense of synthesized information structures (i.e., searching for patterns) is a more logic-based<br />
process where computers outperform humans as information volume and complexity increases.<br />
CrimeFighter Investigator is a novel tool that supports a target-centric and iterative criminal<br />
network investigation process and related tasks through the application of advanced software<br />
technologies such as hypertext structure domains, semantic web concepts, known human-computer<br />
interaction metaphors, and a tailorable computational model rooted in a conceptual model defining<br />
first class entities that enable separation of structural and mathematical models.<br />
As a result of numerous commission reports evaluating the efforts of counterterrorism and police<br />
(e.g., [110,152,153]), there is a growing request for more openness in intelligence agencies and law<br />
enforcement in general, especially close to home (e.g., Norway [153] and Denmark [27]). As we have<br />
mentioned, these Commission Reports often present how the information was there, available and<br />
linkable, and therefore resort to remedies such as information sharing, joint intelligence units, merged<br />
databases etc., but do little to improve on the intelligence process [32] (analytical methods). The<br />
22 July Commission Report concluded, among other things, that following a different methodology<br />
could have changed if not the final outcome, then the outcome of sub-parts of the Norwegian<br />
tragedy. Intelligence services in Denmark, such as the Danish Defense Intelligence Service, have<br />
made organizational changes and talked about more openness 94 , and the author has through<br />
interviews and meetings learned that new technologies such as semantic web technology, and ideas<br />
such as intelligence in the cloud, readily retrievable by phones and tablets in the field 1 . We believe<br />
that the Danish intelligence services are moving in the right direction, with an increased focus<br />
on utilizing available information and communication technologies. But in terms of tool support<br />
1 This information is based on classified interviews and meetings, held between the author and the anonymous.<br />
based on an increased understanding of the interrelationship between information, process, and<br />
human factors, much knowledge has still to be acquired, new concepts and models developed, and<br />
software designed, implemented, and tested. In our opinion, the research that we present in this<br />
Ph.D. dissertation makes important contributions to further developments in that direction.<br />
This chapter concludes our work by presenting our final conclusions. Section 16.1 summarizes our<br />
work. Section 16.2 summarizes our results related to criminal network investigation challenges<br />
and associated problems. Finally, Section 16.3 outlines the major contributions of our work, and<br />
Section 16.4 presents suggested future work and evaluation.<br />
16.1 Summary<br />
We started out as engineers, with the goal to engineer a software system for criminal network<br />
investigation. We studied our domain, we talked with the end users, we analyzed related work,<br />
theory and technology, and generated requirements. We created designs for those requirements,<br />
and implemented software prototypes as proof of the concepts we had developed. We did so,<br />
following an agile methodology, iteration by iteration, release by release. We incrementally built<br />
CrimeFighter Investigator one proof-of-concept prototype at a time, from a pilot system to an<br />
actual criminal network investigation tool, assisting investigators when investigating their genuine<br />
mysteries and hunts for ghosts. As software systems engineers, we succeeded early.<br />
But as we got further into the research, we discovered a need to develop a new criminal network<br />
investigation process, new concepts and models as the foundation for tools and techniques. Three<br />
criminal network investigation challenges that had been found to result in (tool supported) criminal<br />
network investigation failure, either separately or together, were being addressed in a manner<br />
suitable for the tasks of the criminal network investigator. We noticed that existing software systems<br />
were only in part guided by requirements addressing problems related to information, process,<br />
and human factors challenges. We identified these problems, formulated such requirements, and<br />
adopted some concepts from knowledge management and hypertext theory and technology. Based<br />
on those concepts we developed models and software components for support of criminal network<br />
investigation. We found, that no matter what ill-structured problem an individual or a group of<br />
individuals are trying to solve, there are some basic concepts, structures, and components that<br />
can be applied. Some basic building blocks from which to build software systems.<br />
In summary, we first took in the scattered particulars related to criminal network investigation<br />
under one idea, so that everyone understood what we were talking about. Second, we separated our<br />
idea into parts, by dividing it at the joints (information, process, and human factors), as nature<br />
directs, not breaking any limb in half as a bad software systems engineer might (Phaedrus, 265D).<br />
16.2 Requirements, challenges, and hypothesis<br />
In our introduction, we listed challenges associated with criminal network investigation. We chose<br />
to focus our work on three of those challenges (information, process, and human factors), based<br />
on an estimation of the bigger impact that software technologies could make on meeting these<br />
three challenges through the assistance of a software tool (compared to the other challenges).<br />
General problems within each of the three challenge domains were listed in Chapter 6. To guide<br />
our research we created a number of research focus requirements to resolve the problems and<br />
ultimately meet the challenges of information, process, and human factors in criminal network<br />
investigations by assisting the investigators through the implementation of a novel software tool,<br />
CrimeFighter Investigator. We present our conclusions with regard to research focus requirements<br />
in Section 16.2.1, challenges in Section 16.2.2, and finally our hypothesis in Section 16.2.3.<br />
16.2.1 Requirements<br />
The research focus requirements we listed in Chapter 6 were evaluated using three different methods<br />
in Chapter 15. A summary of the evaluation is shown in Table 16.1, indicating whether<br />
evaluations found that we had strong, medium, or weak support of each research requirement,<br />
through our developed processes, tools, and techniques. Our evaluation methods were found to<br />
provide good coverage of the research focus requirements, except for process #1 (target-centric<br />
and iterative) and process #3 (make everybody stakeholders). However, this was expected, and<br />
our process model was found to cover those two requirements.<br />
Information Process Human factors<br />
Requirement #1 #2 #3 #4 #1 #2 #3 #4 #1 #2 #3 #4<br />
Support <br />
Table 16.1: Summary of evaluation according to requirements. A large black square indicates<br />
strong support of a requirement, a medium sized black square means medium support, and a<br />
small black square is a symbol for weak support of the requirement.<br />
The results in Table 16.1 show that we have provided strong to medium support of all requirements,<br />
and we can therefore conclude that we have addressed the problems associated with each<br />
individual criminal network challenge. Furthermore, the strong to medium support of the requirements<br />
also leads us to conclude that we chose the right challenges to focus on, as our developed<br />
processes, tools, and techniques were found to address and have an impact on those challenges.<br />
16.2.2 Challenges<br />
Following the conclusions on research focus requirements above, we conclude on the degree to<br />
which we have addressed each challenge in more detail. Below we present our conclusions on each<br />
of the three criminal network investigation challenges:<br />
Information. We conclude that the weak support of information #2 (integrating information<br />
sources) is because this requirement has not been prioritized. We focused on the development of<br />
a conceptual model with first class entities, after which it would have been easier to provide, e.g.,<br />
images as visual abstractions for information elements. The same is the case for information #4<br />
(versioning support), whose development depended on strong support of information #1<br />
(emergent and fragile structure), and as a consequence a well developed conceptual model. We<br />
can conclude that key information challenge requirements have strong support, and that the less<br />
supported information challenge requirements still require further development to be finished.<br />
Process. Our developed process model provides the strong support of process #1 (emergent and<br />
fragile structure), while support of process #3 (make everybody stakeholders) is considered weak,<br />
although closely related to the choice of process model. However, limited support of cooperation<br />
tasks has inhibited the development of support for process #3. Process #2 (loss-less data<br />
abstractions) is supported by the design of our entity software component, but due to the lack of<br />
support for the information types task, process #2 support is not strong. Finally, the process<br />
#4 (integration of conceptual and computational models) has strong support, and given the<br />
amount of attention, this is not surprising to us. Again, process challenge requirements have<br />
strong support, and those less supported requirements still require further development to be<br />
supported (or are related to investigation tasks, which require further development).<br />
Human factors. The research focus requirements human factors #1 (augment human intellect)<br />
and human factors #4 (human-tool synergy) were evaluated to have strong support by<br />
the developed processes, tools, and techniques. They are also closely related, as human intellect is<br />
augmented using advanced software technologies, thereby increasing the capabilities of man (i.e., a<br />
synergy effect). Human factors #3 (simple tools ease-of-use) has medium support, mainly due<br />
to the common information space where entities can be organized in different structures, like paper<br />
cards or similar on a table. Human factors #4 (transparency and ownership) receives support<br />
from our dissemination tasks, as well as the investigators options for tailoring sense-making work<br />
flows for their particular needs. It seems that human factors are often not considered when tool<br />
support is developed for criminal network investigation. Our human factors requirements have<br />
been evaluated with a positive outcome, and the decision to also focus on the human factors<br />
challenges, has proved to have a positive impact on criminal network investigation.<br />
Based on the conclusions for the individual criminal network investigation challenges, we will make<br />
our final conclusions about support of our hypothesis below.<br />
16.2.3 Hypothesis<br />
Our hypothesis was formulated based on three criminal network investigation challenges:<br />
A software system addressing information, process, and human<br />
factors challenges would be a useful tool for assisting criminal<br />
network investigators in their work.<br />
Support of the hypothesis therefore depends on whether or not the problems associated with these<br />
challenges are dealt with. Based on our conclusions for research focus requirement support, and<br />
the importance of individual requirement support in addressing each individual criminal network investigation<br />
challenge, we can conclude that all indicators point toward support of our hypothesis.<br />
Our approach to criminal network investigation results in tool support for criminal network investigation<br />
which assists the investigator throughout the individual processes, ensuring powerful<br />
collaboration between human and tool with a focus on addressing information, process, and human<br />
factors challenges integrated in the same software system.<br />
16.3 Contributions<br />
The CrimeFighter Investigator approach for criminal network investigation has been developed<br />
based on different types of analysis work:<br />
Involving end users. We have interacted with investigators from various communities to<br />
get their input on what kind of tool support is needed.<br />
Exploring methods. We have explored analytical practices, processes, and techniques<br />
related to policing, counterterrorism, and watchdog journalism.<br />
Studying related work. We have found inspiration from existing tools supporting criminal<br />
network investigation as well as from various existing hypertext systems.<br />
Together, this analysis work resulted in a list of tasks that guided our development. Currently,<br />
most of the envisioned tasks are supported. In general, our work has resulted in the following<br />
contributions:<br />
Challenges. Based on analysis of criminal network investigation cases, criminal network<br />
information, structures, and investigation domains, we have presented a list of key challenges<br />
for criminal network investigation. These challenges can all mean the failure or success of<br />
criminal network investigations. We selected to focus on three of these challenges, for which<br />
tool support was estimated to be applicable and useful. We further analyzed those three<br />
challenges for specific problems, and subsequently set out a list of research requirements that<br />
help us (and other software system engineers) to address the problems.<br />
Process model. We have developed a target-centric and iterative criminal network investigation<br />
process model to address problems associated with a linear approach to investigation,<br />
with a particular focus on the compartment problem. More specifically, the model provides<br />
support of process #1 (target-centric and iterative) and process #3 (make everybody<br />
stakeholders).<br />
Task list. To support the acquisition, synthesis, sense-making, dissemination, and cooperation<br />
processes of our model we developed a list of criminal network investigation tasks,<br />
based on the three types of analysis work described above.<br />
Tool support for criminal network investigation. We have developed a tool to support<br />
criminal network investigation and assist investigators in creating target-centric models for<br />
their customers. The tool provides more comprehensive support for synthesis and sensemaking<br />
tasks than existing tools. Furthermore, evaluation has shown that we are on the<br />
right path to integrate a broad range of investigative synthesis and sense-making tasks in<br />
one tool to support target-centric criminal network investigation. We have observed that<br />
existing tools typically are strong on either synthesis or sense-making tasks.<br />
Novel approach to tool support. We have demonstrated how a combination of theory<br />
and technology can be used to develop tool support for the criminal network investigation<br />
processes. Other researchers have discussed the importance of human-machine cooperation.<br />
We chose hypertext technologies to bridge human and machine capabilities to resolve<br />
challenges and problems in criminal network investigation, separating structural and mathematical<br />
models.<br />
Components for tool support. We have developed generic software components for<br />
support of criminal network investigation. The components have helped develop support for<br />
research focus requirements such as human factors #2 (transparency and ownership)<br />
and process #4 (integration of conceptual and computational models). Furthermore, the<br />
software components are applicable to similar knowledge management problems.<br />
Publications. Our work has been published in peer-reviewed international conference proceedings<br />
published by ACM, Springer, and IEEE. Parts of our work are accepted for publication<br />
in Springer handbook of computational approaches to counterterrorism and Springer<br />
journal on security informatics (special issue on criminal network investigation). See Appendix<br />
A for further details.<br />
While these are individual and important contributions to the field of criminal network investigation,<br />
proof-of-concept prototypes are not proof in the generic sense; further evaluation is required<br />
in order to advance the research both academically and commercially. It is important that we<br />
have implemented proof-of-concept prototypes to further enhance our understanding of analyzed<br />
and designed conceptual ideas (concepts), but quantitative empirical evidence for effect to measure<br />
the impact of our conceptual ideas on criminal network investigation, together with the measures<br />
of performance we have developed and tested on some algorithms in CrimeFighter Investigator<br />
would be crucial. In essence, our work presents the guidelines for how to start a research project<br />
on criminal network investigation. We will discuss future research and other perspectives in future<br />
work (section 16.4).<br />
16.4 Future work<br />
Our future work focuses mainly on three areas: literature studies, further implementation of criminal<br />
network investigation concepts and tasks in CrimeFighter Investigator, and evaluation of<br />
CrimeFighter Investigator. The main objective of our future work is to develop a version of<br />
CrimeFighter Investigator that intelligence agencies or police think is mature enough that they<br />
would be willing to test it within their organization 95 , using it on real investigations and the<br />
(often) classified information related to these investigations. The future work described in this<br />
chapter is our suggestion of how to reach that point of maturity.<br />
The literature studies will focus on topics primarily related to technology adaptation, human cognition,<br />
and creativity, like for example “how does ‘trust’ affect the adaptation of new technology?”<br />
(see Section 16.4.1). In terms of future software development, it would be important to test for<br />
example the extensibility of our developed framework, by the addition of new synthesis structures<br />
such as the semi-lattice (discussed in Section 3.2). We outline that and other relevant future<br />
software development tasks in Section 16.4.2. As described in Chapter 15, we have evaluated our<br />
approach with a number of different methods. Future evaluations and methods are described in<br />
Section 16.4.3.<br />
16.4.1 Literature reviews<br />
We have studied various literature throughout this Ph.D. project to solve independent problems<br />
and we have studied literature guiding the understanding of all these problems under a cohesive<br />
whole. Just like with the software development (although with longer iterations), we have also<br />
iterated through our literature studies, and the literature listed below has come to our attention<br />
at the end of the Ph.D. project and will be necessary to study before moving forward (starting<br />
the next iteration).<br />
1. Technology adaptation. It should be investigated what factors decide the adoption of<br />
new technologies, to improve the chances of having new technologies evaluated and then<br />
later adopted by the intended end users. E.g., how does trust affect the adaptation of new<br />
criminal network investigation technology? A good starting point would be the technology<br />
acceptance model (TAM) [51].<br />
16.4.2 Future software development<br />
In this section, we list future software development work, according to criminal network investigation<br />
processes and tasks:<br />
Besides better acquisition support through integration with CrimeFighter Explorer, we propose<br />
the following future work for acquisition support:<br />
1. Drag and drop. Acquiring information using drag and drop from other applications is<br />
essential for fast and easy synthesis of information in the common information space. It<br />
would also mean that support for information #2 (integrating information sources) would<br />
be significantly improved.<br />
2. Import. Providing support for import of basic network formats beyond comma separated<br />
values would increase the options for integrations with other tools, and increase support of<br />
information #2 (integrating information sources).<br />
CrimeFighter Investigator currently has strong support for synthesis tasks, but increased focus<br />
on the following tasks would make the support more complete, and make the tool more ready for,<br />
e.g., usability experiments:<br />
1. Branched history. It will be necessary to extend the navigable history feature to also<br />
support branched history [96,117]. In terms of synthesis, this means development of methods<br />
for recording and navigating branched history. This would result in stronger support of<br />
versioning (information #4).<br />
2. Information types. Extend support of information types beyond text snippets and meta<br />
data information to also include pictures, maps, audio, etc. (information #2).<br />
Although CrimeFighter Investigator has good support for sense-making, there are some criminal<br />
network investigation tasks that should get more attention in the future, and new concepts would<br />
have to be developed accordingly:<br />
1. Branched history. Overlaps with branched history support for synthesis (above). Branched<br />
history would leverage creating hypotheses using information structures (as opposed to using<br />
argumentative structures). The Visual Knowledge Builder (VKB) [198] introduced the<br />
concept of navigable history [96, 117].<br />
2. Visualization. It would be important to support the integration with visualization libraries,<br />
to import basic layouts, that can then be applied to CrimeFighter Investigator networks.<br />
Integration could also be with other tools, e.g. CrimeFighter Assistant [80, 147, 245], for<br />
advanced structural analysis and visualization integration. See also filtering below.<br />
3. Filtering. We have found that once networks grow to a certain size in CrimeFighter Investigator,<br />
filtering becomes a key sense-making task. We can think of filtering features in<br />
two categories: visual filtering, using colors, size, and positioning, and actual filtering, i.e.,<br />
taking a subpart of the network into a separate space to work with it there or alternatively<br />
the removal of entities from the space, in both cases based on entity attributes or patterns.<br />
Commercial state-of-the-art tools (reviewed in Section 4.1) such as Analyst’s Notebook and<br />
Palantir Government are very strong on visual filtering, and we therefore suggest focusing<br />
on actual filtering to think through some of the challenges associated with such an approach. As an<br />
example, what if a sub-part of the network is filtered out and placed in a new space to work on<br />
it there, and then later after the work is complete, the analyst wants to merge the results<br />
back into the original network?<br />
4. Custom algorithms and sense-making work flows. Future work for custom algorithms,<br />
includes saving sense-making work flows and later application of saved work flows together<br />
with a dedicated editor for building these work flows in a more intuitive manner, rather than<br />
having to use list boxes, sliders, and check boxes to tailor the work flows.<br />
5. Prediction. When developing the support for the transformative inference-based prediction<br />
algorithms at Imperial College in London, a range of interesting future work was discussed<br />
with Dr. Christopher J. Rhodes, e.g., how would variations in the gold standard impact the<br />
measures of performance for the covert network structure and missing links algorithms. It<br />
was also discussed to add support for analyzing the secondary effects of agent insertion into<br />
a criminal network (i.e., the opposite of the already supported node removal algorithm).<br />
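One way to approach the merge question raised under Filtering above, shown as an added example that is not code from CrimeFighter Investigator or the dissertation: the sub-space keeps a snapshot taken at filter time, and a three-way merge uses it to tell the analyst's edits apart from changes made to the original in the meantime. The network representation, the function names, and the sample data are all assumptions constructed for illustration.

```python
from copy import deepcopy


def link(a, b):
    """Undirected link between two entity ids."""
    return frozenset((a, b))


def sample_network():
    """Constructed sample network; every name and attribute is made up."""
    return {
        "entities": {
            "p1": {"type": "person", "label": "Person A", "group": "north"},
            "p2": {"type": "person", "label": "Person B", "group": "north"},
            "p3": {"type": "person", "label": "Person C", "group": "south"},
            "loc1": {"type": "location", "label": "Warehouse", "group": "north"},
        },
        "links": {link("p1", "p2"), link("p2", "p3"), link("p1", "loc1")},
    }


def filter_out(network, predicate):
    """Actual filtering: copy the entities matching `predicate`, and the links
    among them, into a separate space. Also returns a snapshot of that space
    (the merge base) so later edits can be told apart from the starting state."""
    entities = {eid: dict(attrs) for eid, attrs in network["entities"].items()
                if predicate(attrs)}
    links = {l for l in network["links"] if l.issubset(entities)}
    space = {"entities": entities, "links": links}
    return space, deepcopy(space)


def remove_entity(space, eid):
    """Remove an entity and every link in this space that touches it."""
    space["entities"].pop(eid, None)
    space["links"] = {l for l in space["links"] if eid not in l}


def merge_back(original, base, edited):
    """Three-way merge of an edited sub-space into the (possibly changed)
    original network. Returns (merged_network, conflicts)."""
    merged = deepcopy(original)
    conflicts = []
    kept = set()  # entities whose sub-space change was refused

    for eid in sorted(base["entities"].keys() | edited["entities"].keys()):
        b = base["entities"].get(eid)
        e = edited["entities"].get(eid)
        o = original["entities"].get(eid)
        if e == b:
            continue  # not touched in the sub-space: the original wins
        if o != b and o != e:
            conflicts.append((eid, "changed in both spaces"))
            kept.add(eid)
        elif e is None:
            # Deleting is only safe if no link that was invisible in the
            # sub-space still depends on the entity.
            hidden = [l for l in original["links"]
                      if eid in l and l not in base["links"]]
            if hidden:
                conflicts.append((eid, "deleted, but has links outside the sub-space"))
                kept.add(eid)
            else:
                merged["entities"].pop(eid, None)
        else:
            merged["entities"][eid] = dict(e)

    for l in base["links"] | edited["links"]:
        in_base, in_edit = l in base["links"], l in edited["links"]
        if in_base == in_edit or l & kept:
            continue  # unchanged, or touches an entity left for manual review
        if in_edit and l.issubset(merged["entities"]):
            merged["links"].add(l)
        elif in_base:
            merged["links"].discard(l)
    return merged, conflicts


def demo():
    net = sample_network()
    space, base = filter_out(net, lambda attrs: attrs["group"] == "north")
    # Work done in the separate space.
    space["entities"]["p1"]["label"] = "Person A (alias X)"
    space["entities"]["p4"] = {"type": "person", "label": "Person D", "group": "north"}
    space["links"].add(link("p1", "p4"))
    remove_entity(space, "loc1")
    remove_entity(space, "p2")  # p2 is also linked to p3, outside the space
    # Meanwhile the original network is edited as well.
    net["entities"]["p3"]["label"] = "Person C (confirmed)"
    return merge_back(net, base, space)
```

The deletion of `p2` is reported as a conflict instead of being applied, because the analyst working in the filtered space could not see its link to `p3`.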
Dissemination has received some attention in this Ph.D. dissertation and interesting further<br />
development for both story telling and report generation is mentioned below:<br />
1. Story telling. To further enhance story telling beyond simple navigation of history, e.g.,<br />
by letting the user attach specific views to the history to show the betweenness between<br />
entities at that particular point, or maybe an animation of the evolution of the criminal<br />
network so far.<br />
2. Report generation. The transparency and ownership of investigations (human factors<br />
#2) would be significantly improved, if the end user had access to a report template editor.<br />
The user could then add the specific building blocks (visualizations, results, etc.) to reports<br />
they want to generate for their particular investigation, in order to highlight certain aspects<br />
of the information.<br />
Finally, providing better support for cooperation, human-computer interaction, and visualization,<br />
is part of our longer term goals.<br />
16.4.3 Future evaluation of tool support<br />
We propose the following future evaluations of CrimeFighter Investigator tool support for criminal<br />
network investigation:<br />
1. Usability experiments would involve finishing up experiment designs and then actually<br />
executing the experiments to get quantitative evaluation of our approach, i.e. our approach<br />
to synthesis. We plan to involve researchers and end-users in these capability comparisons<br />
in the future. We are currently designing structured usability experiments following [18, 69]<br />
for evaluation of specific CrimeFighter Investigator features.<br />
2. Capability comparisons. A logical next step for our capability comparisons of both<br />
criminal network investigation tasks and conceptual, structural, and mathematical models<br />
would be to provide professional end users of the commercial tools and research prototypes<br />
with surveys where they could indicate the support of individual tasks or models.<br />
3. Software components. It would be important to test the extensibility of our developed<br />
software components. We propose to evaluate the entity component, by testing the addition<br />
of new synthesis structures such as the semi-lattice. Evaluation criteria could be whether<br />
or not sense-making algorithms would still run as expected, given this (and other) new<br />
abstractions for the entity concept. Taniguchi (2011) mentions that the use of Thiessen<br />
polygons “to understanding the relationship between gang drug activity and crime is not<br />
without limitations” [221], since they “may be both over inclusive (encompassing areas not<br />
used for drug distribution) and under inclusive (missing areas used for drug distribution)”<br />
[221]. We believe this to be a strength in terms of criminal network investigation; being<br />
able to represent entities in a non-final manner, whether they overlap (semi-lattice) or not<br />
(Thiessen polygon) makes it possible to iterate toward a solution for an ill-structured problem<br />
without requiring predefined structures.<br />
4. Ethical responsibility and impact. We propose to use the developed process model to<br />
first of all assign ethical responsibilities for investigators and tool (CrimeFighter Investigator)<br />
according to each of the five processes (acquisition, synthesis, sense-making, dissemination,<br />
and cooperation). Once ethical responsibilities have been assigned, the impact of each of those<br />
could be assessed and evaluated. See Figure 16.1, for our initial thoughts on how to assign<br />
ethical responsibility and our expected impact of that responsibility for the different<br />
stakeholders as well as the tool.<br />
Figure 16.1: Assessing ethical impact responsibilities.<br />
Notes<br />
1 We find reconciliation in the fact that even a multi million dollar company like Palantir Technologies have found<br />
it necessary to start with disclaimers in some of their presentations. One presentation, Palantir as Intelligence<br />
Infrastructure [191, 192], has a slide with the header ‘What Palantir ISN’T!’, and then lists (1) A Visualization<br />
Tool, (2) A closed environment, and (3) One database to rule them all.<br />
2 We recognize that some investigations can be solved using e.g., social network analysis, if the investigators<br />
have a hairball of 100.000 phone calls and 10.000 people and you want to learn if these guys are calling the same<br />
group of people. This was an example given at the i2 EMEA user conference 2010 in Brussels, Belgium. But, when<br />
investigating Operation Crevice and the 7/7 (2005) bombings in London, there were a lot of registered phone calls,<br />
but one individual appearing in Operation Crevice, was missed because of slight variations in his name.<br />
3 Professor Hsinchun Chen (AI lab, University of Arizona) gave a talk about his health informatics research at a<br />
workshop on information and knowledge management for welfare technology. Chen has given keynote talks on the<br />
big data analytics topic in the security informatics domain (dark web), e.g. at EISIC 2011 and EISIC 2012. EISIC<br />
stands for European International Security Informatics Conference.<br />
4 The user conference mentioned, was the 2010 i2 EMEA user conference held in Brussels, Belgium.<br />
5 Sometimes the term ‘compartmentation’ is used instead of compartmentalization.<br />
6 The July 22nd Commission's report was made public and presented on August 13th 2012. The original text of<br />
our translation is (PST is the Norwegian Police Security Service): Med en bedre arbeidsmetodikk og et bredere fokus<br />
kunne [Politiets sikkerhetstjeneste] PST ha kommet på sporet av gjerningsmannen før 22/7. Kommisjonen har<br />
likevel ikke grunnlag for å si at PST dermed kunne og burde ha avverget angrepene.<br />
7 Petter Gottschalk has done police research for years and written several books on the subject, e.g. [53]. His<br />
comment as it was printed in Information on August 13 is [78]: Politiet har i 10 år isoleret sig og afvist al kritik.<br />
Norsk politi har været meget lukket og ikke villet forandre sig. Kommissionen gentager kritik, som har været rejst<br />
mange gange før, men denne gang kan de ikke afvise det<br />
8 The 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2010), held<br />
9-11 of August 2010 in Odense, Denmark, jointly with the International Symposium on Open Source Intelligence<br />
and Web Mining 2010 (OSINT-WM 2010).<br />
9 The work to make criminal network investigation a separate area within security informatics has begun, e.g.,<br />
with the call for papers for a special issue of the security informatics journal on criminal network investigation<br />
(see http://www.springer.com). We hope that by presenting our own boundaries for the field of criminal network<br />
investigation, we can help shape and position the area even better within the field of security informatics research<br />
10 The term security informatics was coined by Hsinchun Chen (2006) initially as Intelligence and Security Informatics<br />
(ISI): “development of advanced information technologies, systems, algorithms, and databases for international,<br />
national and homeland security related applications, through an integrated technological, organizational,<br />
and policy-based approach” [37]. Terrorism informatics is another related field that was also coined by Hsinchun<br />
Chen (2008): “application of advanced methodologies and information fusion and analysis techniques to acquire,<br />
integrate, process, analyze, and manage the diversity of terrorism-related information for national/international<br />
and homeland security-related applications” [1, 38]<br />
11 Our analysis of commercial tools and research prototypes used for policing, intelligence analysis, and investigative<br />
journalism in Chapter 4 is naturally also part of state-of-the-art.<br />
12 The invitation to give a talk at the terrorism and new media conference (2009), was based on a submitted<br />
paper, adaptive counterterrorism tools over silver bullets (see Appendix A).<br />
13 See Appendix A for further information on our published papers and other work.<br />
14 Our model for criminal network investigation published at Hypertext 2011 is described in Chapter 7.<br />
15 Figure adopted from the following url: http://www.mikesmart.com/application_development/agile_development.<br />
htm.<br />
16 The metrics have been calculated using the Metrics plugin (version 1.3.6) for Eclipse [source: http://metrics.sourceforge.net/update].<br />
17 Information acquired by means of observation or experimentation [61].<br />
18 By post-crime data sets and investigations we mean simply data sets and investigations that have been aggregated<br />
and described after a criminal offense has been committed, and typically also prosecuted in court. This is<br />
explained in greater detail in Section 15.1<br />
19 This statement was initially made in relation to terrorist networks in [244], but we believe that the same applies<br />
to different types of criminal networks, such as organized crime networks.<br />
20 The Enron email dataset was collected and prepared by the CALO project (Cognitive Assistant that Learns<br />
and Organizes) [http://www.ai.sri.com/project/CALO].<br />
21 Newman (2010) discusses general large-scale structures of networks [155]. Authors have studied general structures<br />
in particular criminal network domains such as terrorist networks (e.g., [92,122,188,189]), many of which are<br />
focused on the organization of al-Qaeda (e.g., see the discussion between Hoffman and Sageman (2008) [93, 190]).<br />
22 The term cell is also often used about cliques and tight-knit groups [128, 188, 227].<br />
23 Two triad configurations are considered isomorphic, if they share dyadic features (i.e., the number of null dyads,<br />
asymmetric dyads, and mutual dyads).<br />
24 Standard MAN labeling is described by Wasserman and Faust (1994) [240].<br />
25 This compartmentalization problem has also been recognized by software development experts [43, 54]<br />
26 Our account of the assessment processes of Curveball reports is primarily based on Drogin (2008) [59].<br />
27 Similar observations have been made for software development processes [43].<br />
28 Abu Zubaydah was one in a group of global jihadists believed to have “holed up” in Punjab (Pakistan). Abu<br />
Zubaydah “had long-standing and close ties to [al-Qaeda’s] inner circle of leadership” [146], and CIA therefore<br />
thought he could have information about the next attack.<br />
29 National Security Agency.<br />
30 Jaish e-Mohammad (JEM), “Army of the Prophet”. The police man, Adil Mohammad Sheikh, claimed in court<br />
that he did not know the purpose of the operation he was involved in [162].<br />
31 Omar Saeed Shaikh, the mastermind of the plot, used at least seventeen aliases himself: Mustafa Ahmad,<br />
Mustafa Ahmed al-Hawsawi, Mustafa Sheikh Saeed, Omar Saiid Sheikh, Shaykh Saiid, Chaudry Bashir, Rohit<br />
Sharma, Amir Sohail, Arvindam, Ajay Grupra, Raj Kumar, R. Verma, Khalid, P. Singh and Wasim! [128]<br />
32 The primary writers are David Simon and Ed Burns. Burns has worked as a Baltimore police detective for<br />
the homicide and narcotics divisions. Simon is an author and journalist who worked for the Baltimore Sun city<br />
desk for twelve years. He authored homicide: a year on the killing streets and co-authored the corner: a year<br />
in the life of an inner-city neighborhood with Burns [10, 204–206]. We have previously focused on policing and<br />
investigative journalism as two investigation types that could benefit from the concepts we develop and implement<br />
in CrimeFighter Investigator [174].<br />
33 We have previously described the advantages of a board-based approach for the planning domain, where information<br />
structures are also emergent and evolving (see [172]).<br />
34 “After years of random buy-and-bust interventions, law-enforcement controls of serious crime networks have<br />
gradually come to follow the key player strategy” [150]. Morselli follows up by stating that “a more accurate<br />
appraisal of the social organization of drug-trafficking [. . . ] would follow a resource-sharing model in which collaboration<br />
among resourceful individuals would be at the base of coordination in such operations” [150]. We find that<br />
this is also the approach taken by the investigators in The Wire by targeting not only Avon Barksdale but a range<br />
of important individuals in and around the decision-making body of the organization.<br />
35 Secret intelligence includes human intelligence (humint), signal intelligence (sigint), imagery intelligence (imint),<br />
and measurement and signature intelligence (masint).<br />
36 A copy of the manuscript draft documenting this [214] is on file with the author.<br />
37 As mentioned by Arno H. P. Reuser, Chief of Open Source Intelligence, Defense Intelligence and Security<br />
Service, the Netherlands.<br />
38 We are aware that the IBM i2 analysis product line has products covering aspects of criminal network investigation<br />
not covered by Analyst’s Notebook.<br />
39 Analyst’s Notebook supports the following column actions on import: Add Prefix, Add Suffix, Change Capitalization,<br />
Compress Repeated Characters, Copy Value from Previous Row, Extract Portion of Text, Find and<br />
Replace Text, Prefix with Another Column, Remove Characters, Remove Prefix. The source of this information is<br />
hands on lab handouts [107], on file with the author.<br />
40 After submission of the dissertation, we have become aware that IBM i2 iBase also has support for creation of<br />
search queries using drag and drop http://www-142.ibm.com/software/products/us/en/ibase/.<br />
41 TRIST stands for “The Rapid Information Scanning Tool” [114].<br />
42 Apparently, the information in the Sandbox has been cleaned for names and similar.<br />
43 Namebase.org website at http://www.namebase.org/, last visited 2012.<br />
44 FreeMind is a free mind-mapping software written in Java. See http://freemind.sourceforge.net/wiki/index.php/Main_Page for more details.<br />
45 See http://www.mindjet.com/ for more details on Mindjet Manager.<br />
46 The author and supervisor shared the lecturing for the course advanced software technologies for knowledge<br />
management.<br />
47 It is important to note that this quote uses “the term hypertext broadly, to cover both textual and multimedia<br />
content”.<br />
48 The review of NoteCards was to some extent also part of our master thesis [165].<br />
49 ASAP is an acronym for advanced support for agile planning. See Section 2.2.3 for more information on this<br />
tool, or refer to [165, 170, 171]<br />
50 Tim Berners-Lee gave a “talk a[t] the very first International World Wide Web Conference, at CERN, Geneva,<br />
Switzerland, in September 1994. This was the conference at which the formation of W3C was announced” [23]<br />
51 We would like to point out that the link to the ‘Enneagram of Personality’ for deciding peoples personality has<br />
not affected our work.<br />
52 In a nominal group each individual works separated from the rest of the group when generating ideas<br />
53 “Wisdom indicators” [149].<br />
54 The event that starts the life cycle of creative endeavors could be a dream: “The classic example is Kekule’s<br />
discovery of the ring-shaped structure of the benzene molecule via a dream about a serpent biting its tail.” [74]<br />
55 CASE stands for Computer-aided Software Engineering.<br />
56 Blitz Planning is the planning method promoted by Crystal Clear [42], which we were developing support for<br />
during our master thesis.<br />
57 Throwaway prototyping lasting not more than a day or two [41].<br />
58 Harakut-ul Mujahedin (HUM) was one of the many small Islamic guerrilla groups that proliferated in Pakistan<br />
and Afghanistan around the time when Omar went the Convoy of Mercy to Bosnia, but ended up in Split, Croatia<br />
[189].<br />
59 The project was also mentioned as ‘the Northern Project’ in various correspondence.<br />
60 More often referred to in international media simply as the “Danish Cartoons”<br />
61 When Headley’s home was searched on October 18th, a plane ticket to Copenhagen for October 29th with<br />
departure from Atlanta was found<br />
62 Persons graduated from Cadet College Hasan Abdal.<br />
63 “Everything is not a joke [. . . ]. We are not rehearsing a skit on Saturday Night Live. Making fun of Islam<br />
is making fun of Rasoosallah SAW [Messenger of Allah, Peace be on Him], [. . . ] call me old-fashioned but I feel<br />
disposed toward violence for the offending parties, be they cartoonists from Denmark or Sherry Jones (Author of<br />
Jewel of Medina) or Irshad Manji (Liberal Muslim trying to make lesbianism acceptable in Islam, among other<br />
things) [. . . ] They never started debates with folks who slandered our Prophet, they took violent action. Even if<br />
God does not give us the opportunity to bring our intentions to fruition, we will claim ajr (a religious award) for<br />
it [. . . ]”. [57]<br />
64 CINCENT: Commander-in-Chief, U.S. Central Command.<br />
65 See also APS Physics news at http://physics.aps.org/articles/v5/89.<br />
66 Another commercial tool is Analyst’s Notebook 8.5, stating to have protection of civil liberties ‘baked in’ [2].<br />
67 Before Afghanistan and Iraq, Denmark had an international focus on peacekeeping missions, when it came to<br />
inserting soldiers on the ground.<br />
68 A primary high explosive, known as “Satans Mom” because of its unstable nature [209].<br />
69 Morten Skjoldager, a Politiken journalist, has authored a book on Danish terrorism cases entitled “Truslen<br />
indefra - De danske terrorister” (translated: “The threat from within - The Danish terrorists”), published by<br />
‘Lindhardt og Ringhof’ in 2009.<br />
70 More specifically the addition of §114 to the existing Danish Penal Code<br />
71 Refer to [13] for a description of the extensions of existing Danish Penal Code provided in the second counter<br />
terrorism law.<br />
72 Following the most recent incident, where an intruder threatened cartoonist Kurt Westergaard in his own home<br />
on January 1st 2010, the right wing parties have suggested that further tightening of the law might be necessary. [88]<br />
73 For Brennans complete speech, please refer to [William J. Brennan Jr., 1987. ‘The Quest to Develop a Jurisprudence<br />
of Civil Liberties in Times of Security Crisis.’ Speech, December 22, 1987, at the Law School of Hebrew<br />
University, Jerusalem, Israel.]<br />
74 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK<br />
[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However,<br />
none of these studies ask the users to what degree they trust the information provided by the systems and how<br />
that affects their acceptance of the technology.<br />
75 Criminal network investigation cases other than those presented in Section 3.5 have been analyzed, e.g., the<br />
intelligence used for the United States case against Iraq concerning their (alleged) weapons of mass destruction<br />
program [59,242], and the links between Operation Crevice and the 7/7 bombings in the United Kingdom [110,252].<br />
Studies of the Afghan Taliban network (based on literature (e.g., [134]) and an interview (Section 15.2.1)) and al-<br />
Qaeda and affiliated movements (AQAM) (Section 14.3).<br />
76 Alex Steiner is a pseudonym for a DIA (defense intelligence agency) officer [59].<br />
77 Many abbreviations are used in the literature for the described criminal network investigation steps. Processing<br />
is also referred to as triage [7]. Synthesis [40] was chosen over foraging [25,254], collation [83], and textualization [20].<br />
Sense-making over analysis [40]. Dissemination over presentation [25].<br />
78 Structural models are typically embedded in mathematical models (e.g., see Brantingham (2009) [30]).<br />
79 The amount of memory required to store branched history is an important concern that was raised by Dr.<br />
Atzenbeck during the author's visit to the institute for information systems (iisys) at University of Hof.<br />
80 The Sageman (2003) data set was provided by a classified source and is on file with the author.<br />
81 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK<br />
[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However,<br />
none of these studies ask the users to what degree they trust the information provided by the systems and how<br />
that affects their acceptance of the technology.<br />
82 Sageman (2004) discusses the concept of a bridge to jihad [188], Veldhuis and Staun (2009) reviews the root<br />
causes for radicalization of European minorities [234], and many researchers have studied online radicalization<br />
[29, 48, 49, 236, 241]<br />
83 The link charts could of course be automatically generated based on these incident reports, as it has been<br />
suggested for organized crime using a so called importance flooding technique [139].<br />
84 However, we have developed and tested measures of performance for the predict missing links algorithm in<br />
Section 15.4. The predict missing links algorithm plays an important role in the custom node removal algorithm.<br />
85 The Danish CTU is “invented” for this scenario and is not related to the Danish Security and Intelligence<br />
Service’s Center for Terror Analysis or other Danish counterterrorism units.<br />
86 We know that for entity extraction from text there exist data sets (corpora), which researchers can test the<br />
efficiency of their algorithms on and then compare it to the efficiency of other researchers' algorithms (e.g., see [55])<br />
87 We have built our own data sets and investigation information from the Daniel Pearl investigation [128,162,227].<br />
Sageman (2004) aggregated his al-Qaeda network from open sources [188], as was the November 17 data set [184].<br />
88 Several criminal network investigations have inspired our work. The investigation of Daniel Pearl’s kidnapping<br />
and murder was target-centric and used large pieces of paper on a wall to synthesize information entities as they were<br />
discovered [128, 162, 227]. The investigation to locate and arrest the 9/11 mastermind Khalid Sheikh Mohammed<br />
(both before and after the attacks), was, by the Federal Bureau of Investigation, conducted in a target-centric<br />
manner and always with a focus on gathering evidence both for later potential trials but also to map and understand<br />
the network of individuals, events, and places that was emerging [146]. Researchers and writers Strick van Linschoten<br />
and Kuehn have been mapping a network of Afghan Talibans to investigate their associations with the Afghan Arabs<br />
from 1970 to 2010 [134]. They use Tinderbox for their mapping efforts [166]. Tinderbox is a software tool that<br />
takes a board-based approach to synthesis of networks and supports multiple structures [24].<br />
89 In Danish ‘Politiets efterretningstjeneste’, PET in short.<br />
90 In Danish ‘Forsvarets efterretningstjeneste’, FE in short.<br />
91 See Steele (2009) discussing secret intelligence vs. open source intelligence [214], and a recent article by<br />
Bonnichsen (2012), previous DSIS director of operations [27].<br />
92 Professor Hsinchun Chen (AI lab, University of Arizona) told the author this during an informal conversation,<br />
August 2012. Professor Chen also mentioned that it had taken about two years to establish the required trust with<br />
law enforcement, before law enforcement let the 300 police officers participate in the survey.<br />
93 The 2010 i2 EMEA user conference held in Brussels, Belgium.<br />
94 During the spring of 2011 DDIS restructured their organization in order to shape and streamline the service,<br />
to be better equipped to manage future tasks (see [52] and Appendix B.2 (Danish text)).<br />
95 A classified source has told the author during an informal conversation that maturity was a key criterion within<br />
the source’s organization, that has to be fulfilled before they would take a look at any new technology.<br />
Bibliography<br />
[1] Terrorism informatics - knowledge management and data mining for homeland security.<br />
Springer (2008)<br />
[2] Ibm i2 analyst’s notebook (2012). URL http://www.i2group.com/<br />
[3] Mindmeister (2012). URL http://www.mindmeister.com<br />
[4] Npr: Ted radio hour podcast - where ideas come from (2012)<br />
[5] Palantir government (2012). URL http://palantir.com/government<br />
[6] Xanalys (2012). URL http://www.xanalys.com/<br />
[7] Adderly, R., Musgrove, P.: Police crime recording and investigation systems - a user’s view.<br />
International journal of police strategies and management 24(1), 100–114 (2001)<br />
[8] Alexander, C.: Notes on the Synthesis of Form. Harvard University Press (1964)<br />
[9] Alexander, C.: A city is not a tree. Architectural Forum 122(1), 58–62 (1965)<br />
[10] Alvarez, R., Simon, D.: The Wire: Truth Be Told. Pocket Books (2004)<br />
[11] Ambler, S.: Agile Modeling. John Wiley & Sons inc (2002)<br />
[12] Amland, B.H.: 2 convicted in al-Qaida terror plot in Norway. Associated Press (2012)<br />
[13] Anonymous: Den nye anti-terrorpakke (danish)<br />
[14] Anonymous: The legal framework of pets workspaces: The penal code chapter 12 and<br />
13 (danish). URL http://www.pet.dk/Arbejdsomraader/Lovgrundlaget/Straffeloven.aspx<br />
[15] Anonymous: Fakta: Tuneser-sagen (2008). August 29<br />
[16] Anonymous: Assessment of the terror threat against denmark (2009). October 27<br />
[17] Anonymous: Tidslinje: Danmark i krig i afghanistan (2009). January 1<br />
[18] Atzenbeck, C.: Wilddocs - investigating construction of metaphors in office work. Ph.D.<br />
thesis, Aalborg University (2006)<br />
[19] Atzenbeck, C., Hicks, D.L., Memon, N.: Emergent structure and awareness support for<br />
intelligence analysis. In: Proceedings of the conference on information visualization, pp.<br />
326–332. IEEE Press (2008)<br />
[20] Atzenbeck, C., Hicks, D.L., Memon, N.: Supporting reasoning and communication for intelligence<br />
officers. International journal of networking and virtual organisations 8(1/2), 15–36<br />
(2011)<br />
[21] Badalamente, R.V., Greitzer, F.L.: Top ten needs for intelligence analysis tool development.<br />
In: proceedings of the 2005 international conference on intelligence analysis (2005)<br />
[22] Bardram, J.E.: The art of doing a phd. online (2007). URL<br />
http://www.itu.dk/people/bardram/pmwiki/pmwiki.php?n=Main.ArtPhD. Last consulted: Jan 28th 2010<br />
[23] Berners-Lee, T.: W3 future directions. Plenary at International World Wide Web Conference,<br />
CERN, Geneva, Switzerland (1994)<br />
[24] Bernstein, M.: The Tinderbox Way. Eastgate Systems (2006)<br />
[25] Bier, E.A., Card, S.K., W, B.J.: Principles and tools for collaborative entity-based intelligence<br />
analysis. IEEE transactions on visualization and computer graphics 16(2), 178–191<br />
(2010)<br />
[26] Bohannon, J.: Counterterrorism’s New Tool: ’Metanetwork’ Analysis. Science 325(5939),<br />
409–411 (2009). DOI 10.1126/science.325_409. URL http://dx.doi.org/10.1126/science.325_409<br />
[27] Bonnichsen, H.J.: Man skal kunne være sine hemmeligheder bekendt (2012). September 20<br />
[28] Brachman, J.M.: Global Jihadism: Theory and Practice. Routledge (2009)<br />
[29] Brachman, J.M., Levine, A.: You too can be awlaki! Fletcher Forum of World Affairs 35,<br />
25–46 (2011)<br />
[30] Brantingham, P., Glässer, U., Jackson, P., Vajihollahi, M.: Modeling criminal activity in<br />
urban landscapes. In: N. Memon, J.D. Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical<br />
methods in counterterrorism, pp. 9–31. Springer, Wien (2009)<br />
[31] Børsting, M., Østergaard, M.: Politikere er klar til at stramme terrorloven (2009). October<br />
28<br />
[32] Bruce, J.B., George, R.Z.: Introduction: intelligence analysis - the emergence of a discipline.<br />
In: R.Z. George, J.B. Bruce (eds.) Analyzing intelligence - origins, obstacles, and innovations,<br />
pp. 1–15. Georgetown University Press (2008)<br />
[33] Bush, V.: As we may think. Atlantic Monthly 176(1), 101–108 (1945)<br />
[34] Capers, B.: Crime, legitimacy, our criminal network, and the wire. Ohio state journal of<br />
criminal law 8, 459–471 (2011)<br />
[35] Carley, K.M.: Destabilizing dynamic covert networks. In: Proceedings of the 8th international<br />
command and control research and technology symposium. Evidence Based research<br />
(2003)<br />
[36] Carley, K.M., Lee, J.S., Krackhardt, D.: Destabilizing networks. Connections 24, 31–34<br />
(2001)<br />
[37] Chen, H.: Intelligence and Security Informatics for International Security - Information<br />
Sharing and Data Mining. Springer (2006)<br />
[38] Chen, H.: Terrorism informatics. In: Dark Web, Integrated Series in Information Systems,<br />
vol. 30, pp. 31–41. Springer New York (2012)<br />
[39] Chin, G., Kuchar, O.A., Wolf, K.E.: Exploring the analytical processes of intelligence analysts.<br />
In: proceedings of the international conference on human factors in computing systems,<br />
pp. 11–22. ACM Press (2005)<br />
[40] Clark, R.: Intelligence analysis: a target-centric approach. CQ Press (2007)<br />
[41] Cockburn, A.: What the agile toolbox contains (2004)<br />
[42] Cockburn, A.: Crystal Clear - A human-powered methodology for small teams. Addison<br />
Wesley (2005)<br />
[43] Cockburn, A.: Agile Software Development: The Cooperative Game (2nd Edition) (Agile<br />
Software Development Series). Addison-Wesley Professional (2006)<br />
[44] Cohn, M.: User stories applied - for agile software development. Addison Wesley (2004)<br />
[45] Commission on the Intelligence Capabilities of the United States Regarding Weapons of<br />
Mass Destruction, Washington DC: Report to the President of the United States (2005)<br />
[46] Conklin, J.: Dialogue Mapping. John Wiley and Sons Ltd (2006)<br />
[47] Conklin, J., Begeman, M.L.: gibis: a hypertext tool for exploratory policy discussion. ACM<br />
Trans. Inf. Syst. 6(4), 303–331 (1988)<br />
[48] Conway, M.: Jihadi video and auto-radicalisation: evidence from an exploratory youtube<br />
study. In: Intelligence and Security Informatics. Lecture Notes in Computer Science (LNCS),<br />
pp. 108–118. Springer, Wien (2008)<br />
[49] Conway, M.: From al-zarqawi to al-awlaki: The emergence of the internet as a new form of<br />
violent radical milieu (2012)<br />
[50] Custers, B.: Effects of unreliable group profiling by means of data mining. In: Discovery<br />
Science, pp. 291–296 (2003)<br />
[51] Davis, F.: Perceived usefulness, perceived ease of use and user acceptance of information<br />
technology. MIS Quarterly 13, 319–340 (1989)<br />
[52] DDIS: Danish defense intelligence service website (2012).<br />
[http://fe-ddis.dk/Pages/Default.aspx, last visited September 2012]<br />
[53] Dean, G., Gottschalk, P.: Knowledge management in policing and law enforcement. Oxford<br />
University Press (2007)<br />
[54] DeMarco, T., Lister, T.: Peopleware: Productive Projects and Teams (Second Edition).<br />
Dorset House Publishing Company, Incorporated (1999)<br />
[55] DeRosa, M.: Data Mining and Data Analysis for Counterterrorism. Center for Strategic<br />
and International Studies (CSIS) (2004)<br />
[56] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. abdur rehman hashim syed’,<br />
also known as “pasha,” “major,” and “abdur rahman” (2009)<br />
[57] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. david c. headley, also known<br />
as “daood gilani”’ (2009)<br />
[58] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. tahawwur hussain rana’ (2009)<br />
[59] Drogin, B.: Curveball. Ebury Press (2008)<br />
[60] Ellis, C.A., Gibbs, S.J., Rein, G.: Groupware: some issues and experiences. Commun.<br />
ACM 34(1), 39–58 (1991). DOI 10.1145/99977.99987. URL http://doi.acm.org/10.1145/99977.99987<br />
[61] Empirical: The american heritage dictionary of the english language (4th ed.) (2000)<br />
[62] Engelbart, D.C.: A conceptual framework for the augmentation of man’s intellect. In:<br />
Computer-supported cooperative work, pp. 35–65. Kaufmann (1988)<br />
[63] Erétéo, G., Buffa, M., Gandon, F., Grohan, P., Leitzelman, M., Sander, P.: A state of the<br />
art on social network analysis and its applications on a semantic web (2008)<br />
[64] Erétéo, G., Limpens, F., Gandon L., F., Corby, O., Buffa, M., Leitzelman, M., Sander, P.:<br />
Semantic social network analysis: a concrete case. In: Handbook of Research on Methods<br />
and Techniques for Studying Virtual Communities: Paradigms and Phenomena, pp. 122–<br />
156. IGI Global (2011)<br />
[65] Europol: TE-SAT 2009: EU Terrorism Situation and Trend Report 2009 (2009)<br />
[66] Europol: TE-SAT 2010: EU Terrorism Situation and Trend Report 2010 (2010)<br />
[67] Europol: TE-SAT 2011: EU Terrorism Situation and Trend Report 2011 (2011)<br />
[68] Ferry, J.P., Lo, D., Ahearn, S.T., Phillips, A.M.: Network detection theory. In: N. Memon,<br />
J. David Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical Methods in Counterterrorism,<br />
pp. 161–181. Springer Vienna (2009)<br />
[69] Field, A., Hole, G.: How to Design and Report Experiments. Sage Publications Ltd (2003)<br />
[70] Floyd, C.: A systematic look at prototyping. In: B. et al. (ed.) Approaches to Prototyping,<br />
pp. 105–122. Springer-Verlag (1984)<br />
[71] Flyvbjerg, B.: Five misunderstandings about case-study research. Qualitative Inquiry pp.<br />
219–245 (2006)<br />
[72] Flyvbjerg, B.: Case study. In: N.K. Denzin, Y.S. Lincoln (eds.) The Sage Handbook of<br />
Qualitative Research, pp. 301–316. Sage (2011)<br />
[73] Frank G. Halasz, T.P.M..R.H.T.: Notecards in a nutshell (1987)<br />
[74] Gabora, L.: Cognitive mechanisms underlying the creative process. In: Proceedings of the<br />
4th conference on Creativity & cognition, C&C ’02, pp. 126–133. ACM, New York, NY, USA<br />
(2002). DOI 10.1145/581710.581730. URL http://doi.acm.org/10.1145/581710.581730<br />
[75] Gerber, A.J., Barnard, A., van der Merwe, A.J.: A semantic web status model (2006)<br />
[76] Gill, J.: Building theory from case studies. Small business and enterprise development 2,<br />
71–75 (1995)<br />
[77] Gill, P.: Rounding up the usual suspects? Developments in contemporary law enforcement<br />
intelligence. Ashgate Pub Ltd (2000)<br />
[78] Gjerding, S., Toft, S.B.: Ansvarlige for utøya-svigt er for længst gået af (2012). August 13<br />
[79] Gloor, P.A., Zhao, Y.: Analyzing actors and their discussion topics by semantic social<br />
network analysis. In: Proceedings of Information Visualization (IV 2006), pp. 130–135<br />
(2006)<br />
[80] Gniadek, J.: Destabilizing terrorist networks through link importance analysis. Master’s<br />
thesis (2010)<br />
[81] Graber, D.A.: Terrorism, censorship and the 1st amendment: In search of policy guidelines.<br />
In: P. Norris, M. Kern, M. Just (eds.) Framing Terrorism - The News Media, the Government<br />
and the Public, pp. 27–42. Routledge (2003)<br />
[82] Halasz, F.G.: Reflections on notecards: seven issues for the next generation of hypermedia<br />
systems. Commun. ACM 31(7), 836–852 (1988)<br />
[83] Harper, W.R., Harris, D.H.: The application of link analysis to police intelligence. Human<br />
Factors 17(2), 157–164 (1975)<br />
[84] Hauck, R.V., Chau, M., Chen, H.: Coplink: arming law enforcement with new knowledge<br />
management technologies. In: Advances in digital government: technology, human factors,<br />
and policy, pp. 163–179. Kluwer Academic Publishers (2002)<br />
[85] Havaleschka, L.: Tidslinje: Glasvej-sagen dag for dag (2008). October 28<br />
[86] Heer, J., Card, S.K., Landay, J.A.: prefuse: a toolkit for interactive information visualization.<br />
In: Proceedings of the SIGCHI conference on Human factors in computing systems,<br />
CHI ’05, pp. 421–430. ACM, New York, NY, USA (2005). DOI 10.1145/1054972.1055031.<br />
URL http://doi.acm.org/10.1145/1054972.1055031<br />
[87] Hemmingsen, A.S.: Anti-demokratiske og voldsfremmende miljøer i danmark, som bekender<br />
sig til islamistisk ideologi - hvad ved vi? Research report for the danish ministry of social<br />
affairs and integration, DIIS - Danish Institute for International Studies (2012)<br />
[88] Henriksen, M.: Venstre åbner for terrorstramninger (2010). URL<br />
http://www.berlingske.dk/danmark/venstre-aabner-terrorstramninger. January 3<br />
[89] Hirtle, S.: Representational structures for cognitive space: Trees, ordered trees and semilattices.<br />
In: A. Frank, W. Kuhn (eds.) Spatial Information Theory A Theoretical Basis for<br />
GIS, Lecture Notes in Computer Science, vol. 988, pp. 327–340. Springer Berlin / Heidelberg<br />
(1995)<br />
[90] Hjarvard, S.: Den politiske presse - en analyse af danske avisers politiske orientering. Journalistica<br />
(2007)<br />
[91] Hjørland, B., Albrechtsen, H.: Toward a new horizon in information science: Domain-analysis.<br />
Journal of the American Society for Information Science 46(6), 400–425 (1995)<br />
[92] Hoffman, B.: Inside Terrorism. Columbia University Press (2006)<br />
[93] Hoffman, B.: The myth of grass-roots terrorism. Foreign Affairs 87 (2008)<br />
[94] Hoskins, A., O’Loughlin, B.: Television and Terror: Conflicting Times and the Crisis of<br />
News Discourse. New Security Challenges. Palgrave MacMillan, Basingstoke, Hampshire,<br />
U.K. (2007). [Chapter 7: ‘Drama and Documentary: The Power of Nightmares’]<br />
[95] wei Hsieh, H., III, F.M.S.: Supporting visual problem solving in spatial hypertext. J. Digit.<br />
Inf. 10(3) (2009)<br />
[96] Hsieh, H., Shipman, F.: Activity links: supporting communication and reflection about<br />
action. In: Proceedings of the sixteenth ACM conference on Hypertext and hypermedia,<br />
HYPERTEXT ’05, pp. 161–170. ACM, New York, NY, USA (2005)<br />
[97] Hsieh, H., Shipman, F.M.: Manipulating structured information in a visual workspace. In:<br />
Proceedings of the 15th annual ACM symposium on User interface software and technology,<br />
UIST ’02, pp. 217–226. ACM, New York, NY, USA (2002)<br />
[98] Hüttemeier Christian og Børsting, M.: Afghanerne skal selv overtage ansvaret om 2 år<br />
(2009). URL http://politiken.dk/politik/article844927.ece. November 26<br />
[99] Hu, P.J.H., Chen, H., Hu, H., Larson, C., Butierez, C.: Law enforcement officers’ acceptance<br />
of advanced e-government technology: A survey study of coplink mobile. Electronic<br />
Commerce Research and Applications 10, 6–16 (2011)<br />
[100] Hu, P.J.H., Lin, C., Chen, H.: User acceptance of intelligence and security informatics technology:<br />
A study of coplink. The American Society for Information Science and Technology<br />
56, 235–244 (2005)<br />
[101] Hunter, M.L., Hanson, N., Sabbagh, R., Sengers, L., Sullivan, D., Thordsen, P.: Story-based<br />
inquiry: a manual for investigative journalists. UNESCO (2009)<br />
[102] Huntington, S.P.: The Clash of Civilizations and the Remaking of World Order. Simon &<br />
Schuster (1996)<br />
[103] Ib, H.: Ledende artikel: Fjenden på besøg (2009). October 28<br />
[104] IBMi2: i2 analyst’s notebook 8. What’s New (technical report) (2009). [issue 1, downloaded<br />
from company website]<br />
[105] IBMi2: i2 analyst’s notebook product video. i2 EMEA user conference (2010). [on file with<br />
author]<br />
[106] IBMi2: i2 emea user conference (2010). [http://www.i2group.com/emeauc/index.asp,<br />
last visited 2011]<br />
[107] IBMi2: Training team: hands on lab handouts. i2 EMEA end user conference (2010). [on<br />
file with author]<br />
[108] IBMi2: Ibm i2 analyst’s notebook premium. Handout at IBM i2 intelligence analysis seminar<br />
(2012). [on file with author]<br />
[109] III, J.O.E.: Countering terrorism with knowledge. In: H. Chen, E. Reid, J. Sinai, A. Silke,<br />
B. Ganor (eds.) Terrorism Informatics - Knowledge Management and Data Mining for Homeland<br />
Security. Springer (2008)<br />
[110] Intelligence and Security Committee, United Kingdom: Could 7/7 have been prevented?<br />
Review of the intelligence on the London terrorist attacks on 7 July 2005 (2009)<br />
[111] Irons, L.R.: Recent patterns of terrorism prevention in the united kingdom. Homeland<br />
Security Affairs 4 (2008)<br />
[112] Irwin, C., Roberts, C., Mee, N.: Counter terrorism overseas. Defence Science and Technology<br />
Laboratory (Dstl/CD053271/1.1), UK (2002)<br />
[113] Johnson, L.K. (ed.): Handbook of intelligence studies. Routledge (2009)<br />
[114] Jonker, D., Wright, W., Schroh, D., Proulx, P., Cort, B.: Information triage with trist. In:<br />
Proceedings of the International Conference on Intelligence Analysis, (2005)<br />
[115] Grønbæk, K.: Composites in a dexter-based hypermedia framework. In: Proceedings of the<br />
1994 ACM European conference on Hypermedia technology, ECHT ’94, pp. 59–69. ACM,<br />
New York, NY, USA (1994)<br />
[116] Kebbell, M.R., Muller, D.A., Martin, K.: Understanding and managing bias. Dealing with<br />
uncertainties in policing serious crime pp. 87–97 (2010)<br />
[117] Kim, D., Shipman, F.M.: Interpretation and visualization of user history in a spatial hypertext<br />
system. In: Proceedings of the 21st ACM conference on Hypertext and hypermedia,<br />
HT ’10, pp. 255–264. ACM, New York, NY, USA (2010)<br />
[118] Kitchenham, B., Pickard, L., Pfleeger, S.L.: Case studies for method and tool evaluation.<br />
IEEE Software pp. 52–62 (1995)<br />
[119] Kleine, D.: The capability approach and the ‘medium of choice’: steps towards conceptualising<br />
information and communication technologies for development. Ethics and Inf. Technol.<br />
13(2), 119–130 (2011)<br />
[120] Klerks, P.: The network paradigm applied to criminal organizations: Theoretical nitpicking<br />
or a relevant doctrine for investigators? Connections 24(3), 53–65 (2001)<br />
[121] Kolb, D.: Other spaces for spatial hypertext. Journal of Digital Information 10(3) (2009)<br />
[122] Krebs, V.: Mapping networks of terrorist cells. CONNECTIONS 24(3), 43–52 (2002)<br />
[123] Krog, T.N.: Her trænede terroristerne (2009). October 29<br />
[124] Kumar, R., Novak, J., Tomkins, A.: Structure and evolution of online social networks. In:<br />
Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery<br />
and data mining, KDD ’06, pp. 611–617. ACM, New York, NY, USA (2006). DOI<br />
10.1145/1150402.1150476. URL http://doi.acm.org/10.1145/1150402.1150476<br />
[125] Larman, C.: Agile & Iterative Development - A Managers Guide. Addison Wesley (2004)<br />
[126] Laville, S.: Al-Qaida-inspired plotters planned attacks on high-profile London targets. The<br />
Guardian (2012)<br />
[127] Levine, C.: Artful accuracy and the problem of form: Why the wire feels real. Unpublished<br />
manuscript<br />
[128] Levy, B.H.: Who killed Daniel Pearl? Melville House Publishing (2003)<br />
[129] Lichter, H., Schneider-Hufschmidt, M., Züllighoven, H.: Prototyping in industrial software<br />
projects - bridging the gap between theory and practice. In: Proceedings of the 15th international<br />
conference on Software Engineering, ICSE ’93, pp. 221–229. IEEE Computer<br />
Society Press, Los Alamitos, CA, USA (1993). URL<br />
http://dl.acm.org/citation.cfm?id=257572.257623<br />
[130] Licklider, J.C.R.: Man-computer symbiosis. IRE transactions on human factors in electronics<br />
pp. 4–11 (1960)<br />
[131] Lillie, B.: Human-machine synergy: Shyam sankar at tedglobal 2012. TED (2012). [blog,<br />
http://blog.ted.com/, last visited September 2012]<br />
[132] Lim, Y.K., Stolterman, E., Tenenberg, J.: The anatomy of prototypes: Prototypes as filters,<br />
prototypes as manifestations of design ideas. ACM Trans. Comput.-Hum. Interact.<br />
15(2), 7:1–7:27 (2008). DOI 10.1145/1375761.1375762. URL<br />
http://doi.acm.org/10.1145/1375761.1375762<br />
[133] Lindhardt, C.: Al-qaeda står bag ambassadebombe (2008). URL<br />
http://politiken.dk/udland/article518880.ece. June 5<br />
[134] Linschoten, A.S., Kuehn, F.: An enemy we created: the myth of the Taliban/Al-Qaeda<br />
merger in Afghanistan, 1970-2010. Hurst (2012)<br />
[135] MacDougall, I.: Norway ’bomb plot’ highlights al-Qaida problems. Associated Press (2012)<br />
[136] MacFadyen, G.: The practices of investigative journalism. In: H. De Burgh, P. Bradshaw<br />
(eds.) Investigative journalism, pp. 138–156 (2008)<br />
[137] MacKensie, J.: The battle for afghanistan: Militancy and conflict in helmand (2010)<br />
[138] Maltesen, B.: Tunesersag skal for højesteret (2009). URL<br />
http://politiken.dk/indland/article852324.ece. December 4<br />
[139] Marshall, B., Chen, H., Kaza, S.: Using importance flooding to identify interesting networks<br />
of criminal activity. J. Am. Soc. Inf. Sci. Technol. 59(13), 2099–2114 (2008). DOI<br />
10.1002/asi.v59:13. URL http://dx.doi.org/10.1002/asi.v59:13<br />
[140] Marshall, C.C., Halasz, F.G., Rogers, R.A., Janssen Jr., W.C.: Aquanet: a hypertext tool<br />
to hold your knowledge in place. In: Proceedings of the third annual ACM conference on<br />
Hypertext, HYPERTEXT ’91, pp. 261–275. ACM, New York, NY, USA (1991)<br />
[141] Marshall, C.C., Shipman III, F.M.: Spatial hypertext: designing for change. Commun. ACM<br />
38(8), 88–97 (1995)<br />
[142] Marshall, C.C., Shipman III, F.M., Coombs, J.H.: Viki: spatial hypertext supporting emergent<br />
structure. In: Proceedings of the 1994 ACM European conference on Hypermedia<br />
technology, ECHT ’94, pp. 13–23. ACM, New York, NY, USA (1994)<br />
[143] Mason, R.O.: Four ethical issues of the information age. MIS Q. 10(1), 5–12 (1986)<br />
[144] McBride, M., Morgan, S.: Trust calibration for automated decision aids (2010)<br />
[145] McCall, R.J., Bennett, P.R., D’Oronzio, P.S., Oswald, J.L., Shipman III, F.M., Wallace,<br />
N.F.: Hypertext: concepts, systems and applications. chap. PHIDIAS: integrating CAD<br />
graphics into dynamic hypertext, pp. 152–165. Cambridge University Press, New York, NY,<br />
USA (1992)<br />
[146] McDermott, T., Meyer, J.: The Hunt for KSM - Inside the Pursuit and Takedown of the<br />
Real 9/11 Mastermind, Khalid Sheikh Mohammad. Little, Brown and Company (2012)<br />
[147] Memon, B.: Identifying important nodes in weighted covert networks using generalized<br />
centrality measures. In: European Intelligence and Security Informatics Conference 2012,<br />
Odense, Denmark (2012)<br />
[148] Memon, N., Wiil, U.K., Alhajj, R., Atzenbeck, C., Harkiolakis, N.: Harvesting covert networks:<br />
a case study of the iminer database. Int. J. Netw. Virtual Organ. 8(1/2), 52–74<br />
(2011)<br />
[149] Moore, R.K.: The life cycle of creative endeavors. Enneagram Monthly (1997)<br />
[150] Morselli, C.: The criminal network perspective. In: Inside criminal networks, Studies of<br />
organized crime, vol. 8, pp. 1–21. Springer New York (2009)<br />
[151] Mortensen, M.N., Bangsgaard, J.: Tidligere pet-chef: Uværdig tuneser-sag (2008). URL<br />
http://www.berlingske.dk/danmark/tidligere-pet-chef-uvaerdig-tuneser-sag.<br />
November 15<br />
[152] National commission on terrorist attacks upon the United States, United States: The 9/11<br />
Commission Report (Executive Summary) (2004). URL<br />
http://www.9-11commission.gov/report/911Report_Exec.pdf<br />
[153] National commission on terrorist attacks upon the United States, Norway: The 22/7 Commission<br />
Report (2012). URL http://22julikommisjonen.no/Rapport<br />
[154] Nesser, P.: Structures of jihadist terrorist cells in the uk and europe. In: Proceedings of the<br />
Joint FFI/King’s College Conference on “The Changing Faces of Jihadism” (2006)<br />
[155] Newman, M.E.J.: Networks - an introduction. Oxford University Press (2010)<br />
[156] Nørgaard Kristensen, N., Ørsten, M.: Danish media at war - the danish media coverage of<br />
the invasion of iraq 2003. Journalism : theory, practice and criticism 8, 323–343 (2007)<br />
[157] Nürnberg, P.: Structural computing and metadata management. In: Proceedings of the 2nd<br />
Conference on Knowledge Management and Knowledge Technology (2002)<br />
[158] Nürnberg, P.J., Leggett, J.J., Schneider, E.R.: As we should have thought. In: Proceedings<br />
of the eighth ACM conference on Hypertext, HYPERTEXT ’97, pp. 96–101. ACM, New<br />
York, NY, USA (1997). DOI 10.1145/267437.267448. URL<br />
http://doi.acm.org/10.1145/267437.267448<br />
[159] Nürnberg, P.J., Wiil, U.K., Leggett, J.J.: Structuring facilities in digital libraries. In:<br />
Proceedings of the Second European Conference on Research and Advanced Technology for<br />
Digital Libraries, ECDL ’98, pp. 295–313. Springer-Verlag, London, UK (1998)<br />
[160] Park, A.J., Tsang, H.H., Brantingham, P.L.: Dynalink: A framework for dynamic criminal<br />
network visualization. In: Proceedings of European Intelligence and Security Informatics<br />
Conference, pp. 217–224. IEEE (2012)<br />
[161] Payne, J., Solomon, J., Sankar, R., McGrew, B.: Grand challenge award: Interactive visual<br />
analytics - palantir: The future of analysis. In: Proceedings of Symposium on Visual<br />
Analytics Science and Technology, pp. 201–202. IEEE (2008)<br />
[162] Pearl, M.: A mighty heart. Virago Press (2004)<br />
[163] Penfold-Mounce, R., Beer, D., Burrows, R.: The wire as social science-fiction? Sociology<br />
45(1), 152–167 (2011)<br />
[164] Perlez, J., Shah, P.Z.: Embassy attack in pakistan kills at least 6 (2008). URL<br />
http://www.nytimes.com/2008/06/03/world/asia/03pakistan.html. June 3<br />
[165] Petersen, R.R.: Asap: Agile planning in future creative room. Master’s thesis, University of<br />
Southern Denmark (2008)<br />
[166] Petersen, R.R.: Interview with alex strick van linschoten. A discussion of CrimeFighter<br />
Investigator, Tinderbox, Gephi, Analyst’s Notebook in relation to Alex’s work with mapping<br />
the temporal evolution of Afghan Taliban. Trafalgar Square, London, United Kingdom<br />
(2011)<br />
[167] Petersen, R.R.: Presentation of crimefighter investigator. Presented and demonstrated work<br />
on prediction of covert network structure and missing links to a group of British intelligence<br />
analysts, British Home Office, London, United Kingdom (2011)<br />
[168] Petersen, R.R.: Association and centrality in criminal networks. In: Proceedings of European<br />
Intelligence and Security Informatics Conference. IEEE (2012)<br />
[169] Petersen, R.R., Rhodes, C.J., Wiil, U.K.: Node removal in criminal networks. In: Proceedings<br />
of European Intelligence and Security Informatics Conference, pp. 360–365. IEEE<br />
(2011)<br />
[170] Petersen, R.R., Wiil, U.K.: Asap: a planning tool for agile software development. In:<br />
Proceedings of the nineteenth ACM conference on Hypertext and hypermedia, HT ’08, pp.<br />
27–32. ACM, New York, NY, USA (2008)<br />
[171] Petersen, R.R., Wiil, U.K.: Asap: A lightweight tool for agile planning. In: Proceedings of<br />
the 4th International Conference on Software and Data Technologies (ICSOFT), pp. 265–272<br />
(2009)<br />
[172] Petersen, R.R., Wiil, U.K.: Analysis of emergent and evolving information: the agile planning<br />
case. In: J. Cordeiro, K. Ranchordas Alpesh, B. Shishkov (eds.) Software and data<br />
technologies, Communications in computer and information science, vol. 50, pp. 263–276.<br />
Springer Berlin Heidelberg (2011)<br />
[173] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: A novel tool for criminal network<br />
investigation. In: Proceedings of European Intelligence and Security Informatics Conference,<br />
pp. 360–365. IEEE (2011)<br />
[174] Petersen, R.R., Wiil, U.K.: Hypertext structures for investigative teams. In: proceedings of<br />
the 22nd ACM conference on hypertext, pp. 123–132. ACM Press (2011)<br />
[175] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Criminal network sense-making. In:<br />
V.S. Subrahmanian (ed.) Computational Approaches to Counterterrorism (2012). Accepted<br />
for publication<br />
[176] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Integrating synthesis and sensemaking<br />
for criminal network investigation. Security Informatics (special issues on criminal<br />
network investigation) (2012). [Accepted for publication]<br />
[177] Pinto, P.C., Thiran, P., Vetterli, M.: Locating the source of diffusion in large-scale networks.<br />
Phys. Rev. Lett. 109, 068702 (2012). DOI 10.1103/PhysRevLett.109.068702. URL<br />
http://link.aps.org/doi/10.1103/PhysRevLett.109.068702<br />
[178] Pioch, N.J., Everett, J.O.: Polestar: collaborative knowledge management and sensemaking<br />
tools for intelligence analysts. In: proceedings of the international conference on information<br />
and knowledge management, pp. 513–521. ACM Press (2006)<br />
[179] Popp, R., Poindexter, J.: Countering terrorism through information and privacy protection<br />
technologies. IEEE Security and Privacy 4(6), 18–27 (2006)<br />
[180] Ratcliffe, J.: Intelligence-Led Policing. Willan Publishing (2008)<br />
[181] Reuters: Two chicago men charged in connection with alleged roles in foreign terror plot<br />
that focused on targets in denmark (2009). October 27<br />
[182] Rhodes, C.: The use of open source intelligence in the construction of covert social networks.<br />
In: U.K. Wiil (ed.) Counterterrorism and Open Source Intelligence. Lecture Notes in Social<br />
Networks (LNSN 2), pp. 159–170. Springer, Wien (2011)<br />
[183] Rhodes, C.J., Jones, P.: Inferring missing links in partially observed social networks. Journal<br />
of the operational research society 60(10), 1373–1383 (2009)<br />
[184] Rhodes, C.J., Keefe, C.M.J.: Social network topology: a bayesian approach. Journal of the<br />
operational research society 58(12), 1605–1611 (2007)<br />
[185] ritzau: Fængslet for terror mod dansk ambassade (2009). URL<br />
http://politiken.dk/udland/article763350.ece. August 5<br />
[186] ritzau: Pet: Attentatmanden handlede alene (2010). URL<br />
http://politiken.dk/indland/article871831.ece. January 2<br />
[187] Robinson, L.: Information science: communication chain and domain analysis. Journal of<br />
Documentation 65(4), 578–591 (2009)<br />
[188] Sageman, M.: Understanding Terrorist Networks. University of Pennsylvania Press (PENN),<br />
Philadelphia, Pennsylvania (2004)<br />
[189] Sageman, M.: Leaderless Jihad. University of Pennsylvania Press (2008)<br />
[190] Sageman, M.: The reality of grassroots terrorism. Foreign Affairs 87 (2008)<br />
[191] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009).<br />
[video, http://youtu.be/jTnDyLndIqI, last visited September 2012]<br />
[192] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [Powerpoint Presentation,<br />
on file with author]<br />
[193] Saunders-Newton, D., Scott, H.: “but the computer said!”: Credible uses of computational<br />
modeling in public sector decision making. Social Science Computer Review 19, 47–65 (2001)<br />
[194] Schimpf, B.: Data integration platform. Palantir Technologies (2011).<br />
[online video, http://www.palantirtech.com/government/videos/whitevideos, last visited 2011]<br />
[195] Scott, J.: Social network analysis, a handbook (second edition). Sage (2000)<br />
[196] Security, D., (PET), I.S.: Terror arrests in Copenhagen (undated). URL<br />
http://www.pet.dk/Nyheder/morkhoj-uk.aspx<br />
[197] Shipman, F., Moore, J.M., Maloor, P., Hsieh, H., Akkapeddi, R.: Semantics happen: knowledge<br />
building in spatial hypertext. In: Proceedings of the thirteenth ACM conference on<br />
Hypertext and hypermedia, HYPERTEXT ’02, pp. 25–34. ACM (2002)<br />
[198] Shipman III, F.M., Hsieh, H., Maloor, P., Moore, J.M.: The visual knowledge builder:<br />
a second generation spatial hypertext. In: Proceedings of the 12th ACM conference on<br />
Hypertext and Hypermedia, HYPERTEXT ’01, pp. 113–122. ACM, New York, NY, USA<br />
(2001)<br />
[199] Shipman III, F.M., Marshall, C.C.: Formality considered harmful: Experiences, emerging themes,<br />
and directions on the use of formal representations in interactive systems. Comput.<br />
Supported Coop. Work 8(4), 333–352 (1999). DOI 10.1023/A:1008716330212. URL<br />
http://dx.doi.org/10.1023/A:1008716330212<br />
[200] Shrinivasan, Y., van Wijk, J.: Supporting exploration awareness for visual analytics. In:<br />
Visual Analytics Science and Technology, 2008. VAST ’08. IEEE Symposium on, pp. 185–186<br />
(2008). DOI 10.1109/VAST.2008.4677378<br />
[201] Shrinivasan, Y.B., Wijk, J.J.: Supporting the analytical reasoning process in information<br />
visualization. In: proceedings of the 26th conference on human factors in computing systems.<br />
ACM Press (2008)<br />
[202] Sifakis, J.: A vision for computer science - the system perspective. Central European Journal<br />
of Computer Science 1, 108–116 (2011)<br />
[203] Silber, M.D., Bhatt, A.: Radicalisation in the West: The Homegrown Threat (2007)<br />
[204] Simon, D.: Homicide - a year on the killing streets. Picador (1991)<br />
[205] Simon, D., Burns, E.: The corner - a year in the life of an inner-city neighbourhood. Broadway<br />
Books (1997)<br />
[206] Simon, D., Burns, E.: The wire (the complete first season) (2002)<br />
[207] Sipser, M.: Introduction to the theory of computation. PWS Publishing Company (1997)<br />
[208] Skjoldager, M.: Truslen indefra: De danske terrorister. Lindhardt & Ringhof (2009)<br />
[209] Skjoldager, M., Holst, N.: Landsretten dømmer to for terror (2009). June 26<br />
[210] Skøt, J.: At løse et svært ingeniørproblem er som at spille på et instrument. Ingeniøren pp.<br />
14–15 (2012). Translated title: “Solving a difficult engineering problem is like playing an<br />
instrument”<br />
[211] Smith, E.A.: Complexity, networking, & effects-based approaches to operations. CCRP<br />
(2006)<br />
[212] Sparrow, M.K.: The application of network analysis to criminal intelligence: An assessment<br />
of the prospects. Social Networks 13, 251–274 (1991)<br />
[213] Sørensen, L.M.: Al-qaeda-leder trænede dansk terrorist (2009). URL<br />
http://politiken.dk/indland/article807742.ece. October 11<br />
[214] Steele, R.D.: Human intelligence (humint): All humans, all minds, all the time (2009).<br />
[Draft 3.7 Article 11 Jul 09 APPROVED By DoD and CIA PRB. On file with author.]<br />
[215] Steele, R.D.: Open source intelligence. In: L.K. Johnson (ed.) Handbook of intelligence<br />
studies, pp. 129–147. Routledge (2009)<br />
[216] Stenbit, J.P., L, W.I., Alberts, D.S.: NATO code of best practice for C2 assessment, [Chapter<br />
5: Measures of Merit]. CCRP (2002)<br />
[217] Stoll, C.: Silicon snake oil: Second thoughts on the information highway (1995)<br />
[218] Sullivan, K.: Denmark tries to act against terrorism as mood in europe shifts (2005). August<br />
29<br />
[219] Taarnby, M.: Jihad in Denmark: an overview and analysis of jihadi activity in denmark<br />
1990-2006. Danish Institute for International Studies (2006)<br />
[220] Tanfani, J., Shiffman, J., Shea, K.B.: American suspect in mumbai attack was dea informant<br />
(2009). December 14<br />
[221] Taniguchi, T.A., Ratcliffe, J.H., Taylor, R.B.: Gang set space, drug markets, and crime<br />
around drug corners in camden. Journal of research in crime and delinquency 48, 327–363<br />
(2011)<br />
[222] Technologies, P.: Hard technical problems in civil liberties protection. Tech. rep. (2011).<br />
Whitepaper<br />
[223] Technologies, P.: Privacy and civil liberties are in palantir’s dna. Tech. rep. (2011). Whitepaper<br />
[224] Thomas, G.: A typology for the case study in social science following a review of definition,<br />
discourse, and structure. Qualitative Inquiry 17(6), 511–521 (2011)<br />
[225] Thompson, J., Hopf-Weichel, R., Geiselman, R.E.: The cognitive bases of intelligence analysis.<br />
Tech. rep., U.S. Army, Research Institute for the Behavioral and Social Sciences (1984)<br />
[226] Thomsen, C.B.: På sporet af to terrormistænkte (2009). November 15<br />
[227] Todd, B.F., Nomani, A.: The Truth Left Behind: Inside the Kidnapping and Murder of<br />
Daniel Pearl (2011)<br />
[228] Tusikov, N.: The godfather is dead: A hybrid model of organized crime. Aprehendiendo al<br />
delincuente: crimen y medios en América del Norte pp. 143–160 (2010)<br />
[229] Unavailable: Big data: crunching the numbers. The Economist (2012)<br />
[230] Unknown: Palantir counterterrorism demonstration. Palantir Technologies (2009). [video,<br />
http://www.palantir.com/2009/03/fullct/, last visited September 2012]<br />
[231] Unknown: London terror bomb plot: the four terrorists. The Telegraph (2012)<br />
[232] Van Dyke Parunak, H.: Don’t link me in: set based hypermedia for taxonomic reasoning.<br />
In: Proceedings of the third annual ACM conference on Hypertext, HYPERTEXT ’91, pp.<br />
233–242. ACM, New York, NY, USA (1991)<br />
[233] Vedder, A., Custers, B.: Whose responsibility is it anyway? dealing with the consequences<br />
of new technologies. In: P. Sollie, M. Düwell, A.M. Cutter, B. Gordijn, G.E. Marchant,<br />
A. Pompidou (eds.) Evaluating New Technologies, The International Library of Ethics, Law<br />
and Technology, vol. 3, pp. 21–34. Springer Netherlands (2009)<br />
[234] Veldhuis, T., Staun, J.: Islamist Radicalisation: A Root Cause Model (2009)<br />
[235] Vidino, L.: Al Qaeda in Europe: The New Battleground of International Jihad. Prometheus<br />
Books (2005)<br />
[236] Vidino, L.: Radicalization, linkage, and diversity: Current trends in terrorism in europe<br />
(2011)<br />
[237] Vijaykumar, S.: Object model. Palantir Technologies (2011). [online video,<br />
http://www.palantirtech.com/government/videos/whitevideos, last visited 2011]<br />
[238] Vogel, K.M.: ‘iraqi winnebagos™ of death’: Imagined and realized futures of us bioweapons<br />
threat assessment. Science and Public Policy 35, 561–573 (2008)<br />
[239] Warr, A., O’Neill, E.: Understanding design as a social creative process. In: Proceedings of<br />
the 5th conference on Creativity & cognition, C&C ’05, pp. 118–127. ACM, New York, NY,<br />
USA (2005)<br />
[240] Wasserman, S., Faust, K.: Social Network Analysis: Methods and Applications. Cambridge<br />
University Press (1994)<br />
[241] Weiman, G.: Terror on facebook, twitter, and youtube. Brown Journal of World Affairs 16,<br />
45–54 (2010)<br />
[242] Weiner, T.: Legacy of Ashes: The History of the CIA. Anchor Books (2008)<br />
[243] Wiil, U., Hicks, D., P., S.: Vision and progress towards structural computing support for<br />
knowledge management. UCS 9 (2003)<br />
[244] Wiil, U.K., Gniadek, J., Memon, N.: Measuring link importance in terrorist networks. In:<br />
Proceedings of the international conference on advances in social networks analysis and<br />
mining, pp. 225–232. IEEE (2010)<br />
[245] Wiil, U.K., Gniadek, J., Memon, N., Petersen, R.R.: Knowledge management tools for<br />
terrorist network analysis. In: Knowledge Discovery, Knowledge Engineering and Knowledge<br />
Management. Lecture Notes in Communications in Computer and Information Science<br />
(LNCCIS). Springer, Wien (2011)<br />
[246] Wiil, U.K., Hicks, D.L.: Tools and services for knowledge discovery, management and structuring<br />
in digital libraries. In: Proc. 8th Conf. Concurrent Engineering, pp. 580–589 (2001)<br />
[247] Wiil, U.K., Memon, N., Gniadek, J.: Knowledge management processes, tools and techniques<br />
for counterterrorism. In: K. Liu (ed.) KMIS, pp. 29–36. INSTICC Press (2009)<br />
[248] Wiil, U.K., Memon, N., Gniadek, J.: Crimefighter: A toolbox for counterterrorism. Lecture<br />
notes in communications in computer and information science (Knowledge discovery,<br />
knowledge engineering and knowledge management) 128, 337–350 (2011)<br />
[249] anonymous Wikipedia: Avon barksdale. URL<br />
http://en.wikipedia.org/wiki/Avon_Barksdale. [last visited on August 5, 2012]<br />
[250] Wilson, C.: Searching for saddam: A five-part series on how the u.s. military<br />
used social networking to capture the iraqi dictator (updated 2010). URL<br />
http://www.slate.com/articles/news_and_politics/searching_for_saddam/2010/02/searching_for_saddam_5.single.html<br />
[251] Wirtz, J.J.: Targeting intelligence. International Journal of Intelligence and CounterIntelligence<br />
(2006)<br />
[252] Woo, G.: Intelligence constraints on terrorist network plots. In: N. Memon, J.D. Farley,<br />
D.L. Hicks, T. Rosenorn (eds.) Mathematical methods in counterterrorism, pp. 205–214.<br />
Springer, Wien (2009)<br />
[253] Wright, D.: A framework for the ethical impact assessment of information technology. Ethics<br />
and Inf. Technol. 13(3), 199–226 (2011)<br />
[254] Wright, W., Schroh, D., Proulx, P., Skaburskis, A., Cort, B.: The sandbox for analysis:<br />
concepts and methods. In: Proceedings of the conference on human factors in computing<br />
systems, pp. 801–810. ACM Press (2006)<br />
[255] Xu, J., Chen, H.: Criminal network analysis and visualization. Commun. ACM 48(6),<br />
100–107 (2005)<br />
[256] Yalcinkaya, R.: Police officers’ adoption of information technology: A case study of the<br />
turkish polnet system. Ph.D. thesis, University of North Texas (2007)<br />
[257] Youtube: General colin powell un speech on iraq part 1of5 (2012). URL<br />
http://www.youtube.com/watch?v=Nt5RZ6ukbNc. Last visited on February 19th 2012<br />
APPENDIX A<br />
Published papers and other written work<br />
This appendix lists all our published work (Section A.1) together with unpublished papers and<br />
manuscripts (Section A.2).<br />
A.1 Published papers<br />
Published papers with most recent papers first.<br />
1. Petersen, R.R. “Association and Centrality in Criminal Networks”, paper submitted to<br />
EISIC conference, IEEE, 2012. Published.<br />
2. Petersen, R.R., and Wiil, U.K., “CrimeFighter Investigator: Integrating Synthesis and Sensemaking<br />
for Criminal Network Investigation”, paper submitted to Security Informatics journal,<br />
Springer, 2012. Accepted.<br />
3. Petersen, R.R., and Wiil, U.K., “CrimeFighter Investigator: Criminal Network Sense-making”,<br />
Computational Approaches to Counterterrorism book, Springer, 2012. Accepted.<br />
4. Wiil, U.K., Gniadek, J., Memon, N., and Petersen, R.R., “Knowledge Management Tools<br />
for Terrorist Network Analysis”, In LNCCIS, Vol. 272, pp. 322-337, Springer, 2012.<br />
5. Petersen, R.R. and Wiil, U.K., “CrimeFighter Investigator: A novel tool for criminal network<br />
investigation”, In Proc. EISIC, pp. 197-202, IEEE, 2011.<br />
6. Petersen, R.R., Rhodes, C.J., and Wiil, U.K., “Node removal in criminal networks”, In Proc.<br />
EISIC, pp. 360-365, IEEE, 2011.<br />
7. Petersen, R.R. and Wiil, U.K., “Hypertext Structures for Investigative Teams”, In Proc.<br />
Hypertext, pp. 123-132, ACM, 2011.<br />
8. Petersen, R.R. and Wiil, U.K., “Analysis of Emergent and Evolving Information: The Agile<br />
Planning Case”, In LNCCIS, Vol. 50, pp. 263-276, Springer, 2011.<br />
A.2 Unpublished papers and manuscripts<br />
1. Petersen, R.R. and Wiil, U.K., “A Framework Design for Information Analysis”, Submitted<br />
to I-KNOW 2010, 2010.<br />
2. Petersen, R.R., “Towards a Framework Design for Usage-Oriented Spatial Hypertexts”,<br />
Written for PhD course on Scientific Writing, 2010.<br />
3. Terrorism and new media essay. “Danish Newspapers and the Mickey Mouse Project”, Exam<br />
essay written for PhD course on Media and Terrorism in the Middle East, 2010.<br />
A.3 Presentations<br />
1. Petersen, R.R., and Wiil, U.K., “Adaptive Counterterrorism Tools over Silver Bullets”, at the<br />
International and Interdisciplinary Terrorism and New Media Conference, Dublin, Ireland,<br />
2010.<br />
A.4 Previously published<br />
1. Petersen, R.R. and Wiil, U.K., “ASAP: A Lightweight Tool for Agile Planning”, In Proceedings<br />
of the International ICSOFT Conference, pp. 265-272, 2009.<br />
2. Petersen, R.R. and Wiil, U.K., “ASAP: A Planning Tool for Agile Software Development”,<br />
In Proceedings of the International Hypertext Conference, pp. 27-35, ACM, 2008.<br />
APPENDIX B<br />
Danish Defense Intelligence Service (DDIS) web documents<br />
The Danish Defense Intelligence Service (Forsvarets Efterretningstjeneste, FE) intelligence cycle, translated here from the Danish text, is repeated below [52].<br />
B.1 The intelligence cycle (Efterretningskredsløb)<br />
The connection between collection, processing and analysis, and reporting is central to intelligence work. We describe it by the so-called intelligence cycle. The cycle describes a coherent work process that is repeated continuously.<br />
The starting point is a prioritization. It is set on the basis of the service's tasks and resources and after discussion with our customers, both inside and outside the armed forces. The governing consideration is the security of Denmark and of Danish military forces.<br />
Next, we make clear to ourselves what we already know and what we would like to know. This is done by formulating a so-called intelligence requirement: a list of the questions we would like answered and the information we lack. These are the starting point for collection.<br />
Collection seeks to answer the questions posed by obtaining information from sources, which can be both closed and open sources. Open sources are sources that anyone can gain access to, such as the Internet, newspapers and other publications. Closed sources require an intelligence effort. It is the access to closed sources that is a distinguishing feature of the intelligence assessment. Information from both open and closed sources must be assessed and analyzed. Is the information and/or the source credible? In this connection it is a strength in the analysis to be able to compare information from open and from closed sources.<br />
In the analysis one starts from a conception of what the situation is, a so-called hypothesis, which one tests against the information one has. What is interesting is whether there is information that does not fit one's conception. Then there may be another hypothesis that fits the available information better. This is not work that one employee can do alone. It is to a large extent teamwork, in which one tests one's hypotheses and analyses with one's colleagues. In this connection the analyst may come across new questions that he or she wants answered, or information that is incomplete. The analyst then formulates a new intelligence requirement.<br />
When an analysis is finished, it must be turned into a report. In this connection it is important to pass on the assessment as precisely as possible. In reporting we normally distinguish sharply between information and assessment. We reproduce information in such a way that it is not apparent precisely where it originates. This is necessary to protect the sources and FE's collection capacity. For the same reason FE's reports are normally classified. This also applies to the reports that FE receives from foreign partners.<br />
B.2 FE reprioritizes (FE foretager omprioriteringer)<br />
FE is reprioritizing its resources in order to continue to meet the challenges facing a modern intelligence service while at the same time accommodating demands for savings.<br />
06-01-2012 - 14:50<br />
FE sees a need to carry out a number of reprioritizations. This entails closing down some of the service's current collection capacities and at the same time strengthening others. The consequence is that FE's station at Dueodde on Bornholm is being closed, and changes are being made at FE's collection stations in North Jutland and on Amager. It is expected that 27 employees will have to be dismissed, 17 of them on Bornholm. At the same time the intention is to hire approx. 20 new employees with other competences.<br />
The reason for these reprioritizations is the need to adapt FE to technological development combined with the development of the overall threat picture, held up against the overall financial framework.<br />
FE is thus carrying out the reprioritizations with a view to strengthening collection within the areas assessed to be most relevant to Denmark's security. This requires continued adaptation of capacities and competences.<br />
In spring 2011 FE underwent a major reorganization to target and streamline the service so that it is equipped to handle the tasks of the future. The new organization springs from the requirement that the organization must at all times support and reflect FE's priorities and task performance. The same requirement applies to FE's collection capacities.<br />
The threat picture directed at Denmark, together with the need for support to the armed forces' deployed forces, requires that we at all times have up-to-date collection that can act flexibly.<br />