Tuesday 4 October 2011

STL Telecom Analysis: Uncovering the Weakest Links


This photo taken on March 1, 2009 in the Hague shows chief prosecutor of the
Special Tribunal for Lebanon, Canadian Daniel Bellemare, speaking about the
tribunal set up to try suspects in the 2005 assassination of Lebanon's former
prime minister Rafic Hariri. (Photo: AFP - Marcel Antonisse)
Published Tuesday, October 4, 2011

The STL indictment used to implicate Hezbollah in the killing of Rafic Hariri is based on highly touted telecom analysis. But an in-depth examination of this evidence reveals that it is unlikely to stand in a fair trial.

The latest twist in the never-ending saga of the international investigation into the 2005 assassination of former Lebanese Prime Minister Rafic Hariri happened on Friday. One of Australia's top cops and former chief investigator for the tribunal, Nick Kaldas, reiterated accusations that Hezbollah was behind the killing.

The case against Hezbollah is largely based on telecom evidence cited in the tribunal's indictment of four suspects who are linked to Hezbollah. In a much-cited CBC report into the Hariri investigation, telecom analysis was uncritically hailed as “probably the single most important intelligence-gathering tool in modern times.” In the case of the Hariri tribunal, telecom data was used to build a whole narrative surrounding the assassination’s planning and execution and to identify some of the accused. Resorting to telecom data gave a highly politicized investigation an air of objectivity. It provided the tribunal with a much-needed lifeline after testimonies used to implicate Syria in previous reports were undermined.

But despite the valuable information provided by the telecom analysis, a systematic in-depth examination of the type of telecom data used, the method of identifying suspects, and the level of security of mobile networks in Lebanon all reveal that the evidence is mostly of a speculative nature. This casts serious doubts on the prosecutor's conclusions and the integrity of his case.

Telecom Data

Relying on CDRs: How They Work...or Don't
The data obtained by the investigative team came from Lebanese mobile network operators. Although a mobile network creates and maintains large amounts of data, the STL has indicated that only one type of data, the Call Detail Record (CDR), was used by the investigation.

A Call Detail Record (CDR) of cell phone use is a computer generated record used for billing purposes. It contains less detail than other types of logs. However, it is the most likely to be retained by the network operator because of its use for customer invoicing. The indictment specifically refers to CDRs and does not mention any other logs used in the telecom analysis.

Paragraph 18 of the indictment explains that a CDR contains “information such as incoming and outgoing phone numbers, the date and time of a call, its duration, call type, and the approximate location of mobile phones by reference to the cell-towers which carried a call.”

Co-Location: Hard to Pin Down

CDRs are used to determine whether two phones are always present - i.e. detected - in the same place at the same time but never in contact with each other, a procedure referred to as co-location. Co-location is a central method of analysis used in the indictment. If co-location is detected, it is inferred that one person is using both these phones. This appears logical, but it depends on the amount of data used to demonstrate the effect.

If you had minute-by-minute plots of two cell phones as they moved around, down to a resolution of one meter, and those movements overlapped throughout, you would have very strong evidence of co-location. But this is apparently not the case based on the indictment. In paragraph 25 (b) of the indictment, phones are co-located “as evidenced by the timing and locations of the calls [my italics].” This implies that data records used for analysis are only those generated when a call is made, via CDR logs.

If this is the case, then the location refers to the entire coverage area of the cell phone tower used to transmit data between the cell phone and the network's operating center. This location is thus shared with hundreds of other cell phones at any point in time. And if you only have a data record when a phone call is made, then you can only check which two among these hundreds of phones are co-located when both phones happen to be used within a short time of each other, so that you have both their locations during that interval. How often this happens is not stated in the indictment.
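To make the sparsity argument concrete, the following added example (not part of the original article and not the investigators' method) runs a simple co-location test over constructed call records. The record layout, the 10-minute window, the two-observation threshold and all phone and tower names are assumptions made for illustration.

```python
from collections import namedtuple
from itertools import combinations

# Constructed sample records, not real data. One record per phone per call;
# "minute" is minutes since an arbitrary start, "tower" is the serving cell.
CDR = namedtuple("CDR", "phone peer minute tower")

CDRS = [
    CDR("P1", "X1", 10, "T1"), CDR("P2", "X2", 14, "T1"),
    CDR("P1", "X1", 200, "T2"), CDR("P2", "X3", 203, "T2"),
    CDR("P1", "X4", 500, "T3"),   # P2 made no call near minute 500
    CDR("P3", "X5", 12, "T1"), CDR("P3", "X5", 205, "T2"),  # unrelated phone, same cells
    CDR("P4", "X6", 11, "T1"), CDR("P4", "X6", 201, "T4"),
]


def compare(cdrs, a, b, window=10):
    """Return (comparable, same_tower, in_contact) for phones a and b.

    comparable counts pairs of calls, one per phone, made at most `window`
    minutes apart. Only at those moments can call records place both phones.
    """
    ra = [r for r in cdrs if r.phone == a]
    rb = [r for r in cdrs if r.phone == b]
    near = [(x, y) for x in ra for y in rb if abs(x.minute - y.minute) <= window]
    same = sum(1 for x, y in near if x.tower == y.tower)
    contact = any(r.peer == b for r in ra) or any(r.peer == a for r in rb)
    return len(near), same, contact


def candidates(cdrs, window=10, min_hits=2):
    """Pairs that pass the test: never in contact, and every comparable
    moment (at least min_hits of them) falls on the same tower."""
    phones = sorted({r.phone for r in cdrs})
    hits = []
    for a, b in combinations(phones, 2):
        n, same, contact = compare(cdrs, a, b, window)
        if not contact and n >= min_hits and same == n:
            hits.append((a, b, n))
    return hits


if __name__ == "__main__":
    for pair in candidates(CDRS):
        print(pair)
```

In this constructed data P1 and P2 stand for one person's two phones, yet the unrelated phone P3 passes the same test against both of them, because each pair can only be compared at two moments and a tower's coverage area is shared.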

Building the Networks Narrative

The weakness of co-location evidence is not the only loophole in the evidence provided. The entire narrative of who called whom and when is in doubt. The STL case is based on unravelling four major phone networks, dubbed the Red, Blue, Green, and Purple networks, respectively. The first three were closed networks, i.e. networks whose phones communicated exclusively with each other.

We can assume the Red network was uncovered first. The fact that the Red network always operated around Hariri, that it had a particular pattern of phone calls on the day of the assassination, and that it ceased operation one minute before the blast would have made it stand out in any rudimentary communication analysis. This probably led the investigative team to conclude that the Red network was the operational assassination team on the ground.

By analyzing the locations of the Red phones, investigators likely found several other phones co-located with phones in the Red network. This would be the Blue network involved in logistical support, especially in matters that required contact with the public, like buying phone cards and purchasing the van allegedly used in the blast.

The involvement of the Green network is more tenuous. One of the suspects with both a Red phone and a Blue phone had six other phones. Let’s call him suspect ‘A’ - later identified by the STL investigative team as Salim Ayyash, the alleged field coordinator of the entire operation. One of the many phones located with ‘A’, and not part of the Red or Blue networks, was used to call someone outside the Red and Blue networks. Let's call this person suspect ‘B’ - later identified by the STL as high-ranking Hezbollah official Mustafa Badreddine, the ultimate commander of the operation.

Calls between ‘A’ and ‘B’ using the Green network were made at critical moments: when the Red network was tailing Hariri, when the van was being purchased, and one hour before the explosion. It is important to note that linking the calls to the events appears to be based on the fact that their timing coincided with these events. CDR logs do not contain the content of phone calls, only the time of the call and its duration.

This Green network ceased one hour before the assassination. The only other link to the assassination is that ‘B’ was in the vicinity of the blast site on February 3rd, 11 days before the assassination. From all of this, the investigative team extrapolates that ‘B’ headed the entire operation.

Unlike the Green, Blue, and Red networks, the Purple network is an open network of only three phones. According to the indictment, the Purple network was responsible for creating the video tape in which Abu Adass, a young religious man, takes responsibility for the assassination. Abu Adass disappeared a month before the assassination.