Author: Rasmus Rosenqvist Petersen
The Maersk Mc-Kinney Moller Institute, University of Southern Denmark
Campusvej 55, Odense, Denmark
rrp@mmmi.sdu.dk
Supervisor: Uffe Kock Wiil
The Maersk Mc-Kinney Moller Institute, University of Southern Denmark
Campusvej 55, Odense, Denmark
ukwiil@mmmi.sdu.dk
Criminal network investigations such as police investigations, intelligence analysis, and
investigative journalism involve a range of complex knowledge management processes and tasks.
Criminal network investigators collect, process, and analyze information related to a specific
target to create intelligence products that can be disseminated to their customers. Investigators
deal with an increasing amount of information from a variety of sources, especially the Internet,
all of which are important to their analysis and decision making process. But information
abundance is far from the only or most important challenge for criminal network investigation,
despite the massive attention it receives from research and media. Challenges such as the
investigation process, the context of the investigation, human factors such as thinking and
creativity, and political decisions and laws could all mean the success or failure of criminal
network investigations.
Information, process, and human factors are challenges we find to be addressable by software
system support. Based on those three challenges we formulated our hypothesis for tool support,
and analyzed problems related to each individual challenge. Our response to these problems
is a list of research focus requirements, to guide our development of new processes, tools, and
techniques that ultimately would reduce the impact of the challenges and support the hypothesis.
We propose hypertext as the key technology to bridge human and tool related requirements to
provide integrated support for both, resulting in increased capabilities that ultimately will create
a synergy effect useful for criminal network investigation.
We create a target-centric process model (acquisition, synthesis, sense-making, dissemination,
cooperation) encouraging and supporting an iterative and incremental evolution of the criminal
network across all five investigation processes. The first priority of the process model is to
address the problems of linear process models that introduce compartmentalization, which reduces
the sense of responsibility and causes information to deteriorate as it passes through
compartments. We have developed a list of criminal network investigation tasks encapsulating the
work within each process, selected based on their contributions to the success of investigations.
Basic criminal network investigation concepts have been developed and tested using
proof-of-concept prototyping, resulting in generic software components for tool support of
criminal network investigation. We have used these components to build CrimeFighter Investigator,
iteration by iteration, embracing the concepts embedded in the components. We analyze, design,
and demonstrate support of individual criminal network investigation tasks for each of the five
processes, and we also describe the deployment of CrimeFighter Investigator in scenarios that
span multiple processes and tasks. We have used three methods to evaluate CrimeFighter
Investigator: capability comparisons, end user interviews, and measures of performance. We have
found that our evaluation methods provide good coverage of the research focus requirements. When
summarizing evaluation of the requirements, we found strong support of most and medium or weak
support of a few. In general, our evaluation showed that we had focused on the right challenges,
and the interdependency of the requirements made it clear that a more narrow focus, leaving out
one of the challenges, would have provided much less support.
We can conclude that all indicators point toward support of the hypothesis: addressing the
challenges of information, process, and human factors by providing tool support based on advanced
software technologies is a useful tool for investigators, as it increases the capabilities of both
human and tool, thereby reducing the impact of the challenges. Rather than focusing on the
inner-workings of network analysis techniques, we have worked toward supporting end user
interactions with techniques, to achieve better investigation results. We consider our results to
represent guidelines for how to conduct research of tool support for criminal network investigation.
To my father
for his insistent fight to live
To my mother
for fighting alongside her husband, my father
Preface to revised version
This dissertation is the result of three years of Ph.D. studies. The work was carried out from
September 1st 2009 to September 30th 2012. The initial version was submitted October 1st.
This revised version is based on feedback from my Ph.D. committee members Patricia L.
Brantingham, Kaj Grønbæk, and Kasper Hallenborg. Furthermore, working in the network visualization
and analysis industry changed my views on the importance and power of visualization. But the
foundation of my research is still the same: structure domains, agile processes, and human
cognition. Finally, ideas have kept emerging and evolving after the initial version was submitted.
Happy investigation . . .
Acknowledgments
First of all thanks to everybody at the Maersk-McKinney Moller Institute (University of Southern
Denmark), professors and lecturers, for their academic advice and encouragement to continue my
research, secretaries, for helping me out on numerous occasions and without whom no one at the
institute would get anything done. To my fellow Ph.D. students, with whom I have spent countless
hours at the foosball table or discussing foreign politics and cultural differences and similarities
over a cup of chai, coffee, or beer: shukria, dhanyavaad, gracias, tak, ... thank you!
A special thanks goes to my supervisor, Professor Uffe Kock Wiil, who has guided and supported
the basic ideas of my research over the past five years. He has always taken the time to provide
constructive feedback whenever I was doubtful about which direction to take, even after becoming
project manager for the largest grant in the history of our university. Thank you Uffe, for always
supporting my ideas and guiding me if I was about to get lost in some case, theory, or book - I
have learned a lot from your approach to research, and I hope to one day achieve your sense of
information and structure.
I have been fortunate to make two 1-month visits to international research institutions: at
Imperial College in London, I worked closely with Dr. Christopher J. Rhodes, developing
CrimeFighter Investigator support for inference-based prediction. Thank you Chris, and everybody
else at Imperial College, for showing me around, introducing me to India pale ale, and always
being willing to help. Also thank you to the Research Councils United Kingdom, Institute for
Security Science and Technology (Imperial College) and the United Kingdom Ministry of Defense for
supporting the work and publication of a paper on node removal. At University of Hof in Bavaria,
I worked closely with Dr. Claus Atzenbeck, director of Institute for Information Systems (iisys),
primarily focusing on domain analysis and discussions of how to design usability experiments.
Thank you Claus, and everybody else at iisys, for welcoming me and showing me various aspects of
Bavarian life. Also thank you to Claus for writing several knowledgeable papers related to
criminal network investigation.
The places that I have worked on my dissertation around the world, and the friends living in
those places, deserve a special thanks; it has been incredibly motivating and inspiring for me.
Unfortunately, the list is too long to mention everybody and everywhere here. To everyone not
mentioned: thank you!
My Ph.D. dissertation builds upon previous publications in hypertext and security informatics
conference proceedings, one accepted security informatics journal paper, and one accepted
computational approaches to counterterrorism handbook chapter. I am thankful to the numerous
reviewers who have helped me improve my work by giving useful and insightful comments on
submitted manuscripts.
Resumé
that are embedded in the components. We analyze, design, and demonstrate support of individual
investigation tasks for each of the five processes mentioned, and we also describe the use of
CrimeFighter Investigator in scenarios that involve multiple processes and tasks. We have used
three methods to evaluate CrimeFighter Investigator: comparison of task and model support, end
user interviews, and various metrics that can measure the effectiveness of algorithm-based
analysis techniques in several areas. Using diagrams, we have summarized the relations between
investigation tasks and our stated research requirements; we found that the three evaluation
methods provided good coverage of these requirements. When we summarize our evaluation of the
research requirements, we find that many are well supported, while a few are moderately or weakly
supported. In general, our evaluation shows that we have focused on the right challenges, and
that the interdependency between the research requirements made it clear that, had we chosen a
narrower focus, e.g., leaving out one of the challenges, it would have resulted in poorer support
of the remaining requirements.
We can conclude that all indicators point toward support of the hypothesis we have posed: if the
challenges of information, process, and human factors are addressed through tool support based on
advanced software technologies, the result will be a useful tool for investigators, as it
increases the capacity of both humans and tool, and thereby reduces the influence that the
challenges would otherwise have. Instead of focusing on specific algorithm-based techniques for
network analysis, we have worked toward supporting the end user's (the investigator's) interaction
with and control of such analysis techniques, with the aim of achieving better investigation
results. We regard our results as guidelines for research on software tools that support the
investigation of criminal networks.
Contents
Preface
Acknowledgements
Resumé
1 Introduction
1.1 Myths and disclaimers
1.2 Challenges
1.2.1 Selecting challenges
1.2.2 Research focus
1.3 Theory and technology
1.4 CrimeFighter toolbox
1.4.1 CrimeFighter Investigator within this framework
1.5 Dissertation structure
1.5.1 Reading directions
2 Method
2.1 General Ph.D. approach
2.2 Software development methodology
2.2.1 Prototyping reviewed
2.2.2 Proof-of-concept prototyping
2.2.3 Software baseline and evolution
2.3 Empirical evidence
2.3.1 Case study research
2.4 Ph.D. study program
II The domain
4 Related work
4.1 Commercial tools
4.1.1 Analyst’s Notebook 8.5
4.1.2 Palantir Government 3.0
4.1.3 Xanalys Link Explorer 6.0
4.1.4 COPLINK
4.2 Research prototypes
4.2.1 The Sandbox
4.2.2 POLESTAR
4.2.3 Aruvi
4.2.4 Dynalink
4.3 Investigative journalism tools
4.3.1 Namebase.org
4.3.2 Mindmeister
4.3.3 Simple tools
4.4 Summary
9 Acquisition
9.1 Analysis
9.1.1 CONCEPT: Storage
9.1.2 TASK: Acquisition methods
9.1.3 TASK: Dynamic attributes
9.1.4 TASK: Attribute mapping
9.2 Designs
9.2.1 TASK: Acquisition methods
9.2.2 TASK: Dynamic attributes
9.2.3 TASK: Attribute mapping
9.3 CrimeFighter Investigator
9.3.1 TASK: Acquisition methods
9.3.2 TASK: Dynamic attributes
9.3.3 TASK: Attribute mapping
10 Synthesis
10.1 Analysis
10.1.1 CONCEPT: View
10.1.2 CONCEPT: History
10.1.3 TASK: Create, delete, and edit entities
10.1.4 TASK: Create, delete, and edit associations
10.1.5 TASK: Restructuring
10.1.6 TASK: Grouping
10.1.7 TASK: Collapsing and expanding
10.1.8 TASK: Information types
10.2 Designs
10.2.1 CONCEPT: View
10.2.2 CONCEPT: History
10.2.3 TASK: Create, delete, and edit entities
10.3 CrimeFighter Investigator
10.3.1 CONCEPT: View
10.3.2 CONCEPT: History
10.3.3 TASK: Create, delete, and edit entities
10.3.4 TASK: Restructuring
10.3.5 TASK: Grouping
11 Sense-making
11.1 Analysis
11.1.1 CONCEPT: Algorithm
11.1.2 CONCEPT: Structural parser
11.1.3 CONCEPT: History
11.1.4 TASK: Retracing the steps
11.1.5 TASK: Creating hypotheses
11.1.6 TASK: Adaptive modeling
11.1.7 TASK: Prediction
11.1.8 TASK: Alias detection
11.1.9 TASK: Exploring perspectives
11.1.10 TASK: Decision-making
11.1.11 TASK: Social network analysis
11.1.12 TASK: Terrorist network analysis
11.2 Designs
11.2.1 CONCEPT: Algorithm (sense-making work flows)
11.2.2 TASK: Creating hypotheses
11.2.3 TASK: Adaptive modeling
11.2.4 TASK: Alias detection
11.2.5 TASK: Exploring perspectives
11.2.6 TASK: Social network analysis
11.3 CrimeFighter Investigator
11.3.1 CONCEPT: Algorithm
11.3.2 CONCEPT: Structural parser
11.3.3 CONCEPT: History
11.3.4 TASK: Retracing the steps
11.3.5 TASK: Creating hypotheses
11.3.6 TASK: Adaptive modeling
11.3.7 TASK: Prediction
11.3.8 TASK: Decision-making
11.3.9 TASK: Social network analysis
12 Dissemination
12.1 Analysis
12.1.1 Storytelling
12.1.2 Report generation
12.2 Designs
12.2.1 Storytelling
12.2.2 Report generation
12.3 CrimeFighter Investigator
12.3.1 Storytelling
12.3.2 Report generation
13 Cooperation
13.1 Analysis
13.2 CrimeFighter Investigator
15 Evaluation
15.1 Post-crime data and information
15.1.1 Comparing post-crime and real-time data
15.2 End-user interviews
15.2.1 Alex Strick van Linschoten (Trafalgar Square, London)
15.2.2 British home office
15.2.3 Summary
15.3 Capability comparisons
15.3.1 Criminal network investigation task support
15.3.2 Capability comparison of the computational model supported
15.4 Measures of performance
15.4.1 Extended centrality
15.4.2 Predict missing links algorithm
15.5 Summary
15.6 Discussion
15.6.1 Visualization or visual filtering
15.6.2 End user involvement
15.6.3 Discussing end user interviews
15.6.4 Discussing capability comparisons
15.6.5 Discussing measures of performance
16 Conclusion
16.1 Summary
16.2 Requirements, challenges, and hypothesis
16.2.1 Requirements
16.2.2 Challenges
16.2.3 Hypothesis
16.3 Contributions
16.4 Future work
16.4.1 Literature reviews
16.4.2 Future software development
16.4.3 Future evaluation
CHAPTER 1
Introduction
1.1. MYTHS AND DISCLAIMERS CHAPTER 1. INTRODUCTION
Criminal network investigators merge and organize pieces of information from different sources
in order to reason about them and support their decision making process. The structure of
the relationships between these pieces of information is fragile by nature, since new information
may change it substantially. Besides supporting the emergent nature of incoming information,
such structures should also be an appropriate medium for communicating with others. This
includes keeping track of previous discussions, representing their evolution, and permitting various
parallel versions that occur by following different directions of thought. Finally, their presentation
should foster awareness and permit notification services that inform the analyst about potential
unseen and non-obvious connections beyond the borders of individual information sources [20].
When investigators work with this type of information, following a target-centric and iterative
process would encourage and support the continuous restructuring of the information and the
communication with other investigators by making everybody stakeholders of the investigation,
building a network of information around their target, in a shared information space. Despite
the many iterations over the information and structure, interpretations and decisions must be
maintained. To solve the type of complex problem that a criminal network investigation can be,
the investigator must cooperate with their tools during investigations. The investigator must be the
decision maker (especially in low probability situations), while algorithms should be responsible for
routine calculations. The investigator will fill in the gaps, either in the final intelligence product
or in the tool, when the tool has a technique or work flow that is applicable in a particular
circumstance [130].
This dissertation is the result of three years of Ph.D. studies (with 18 months allocated to
research), toward the analysis, design and implementation of CrimeFighter Investigator, a criminal
network investigation tool addressing information, process, and human factors challenges in
criminal network investigation. The remainder of this chapter is organized as follows: we start
out by debunking a number of myths about work focused on tool support for criminal network
analysis; myths that we have encountered during our research. We would like to present our view on
these myths to the reader, to sort out any confusion from the start (Section 1.1). Having
introduced the domain of criminal network investigation above, we move on to defining the
challenges for this domain, and based on an analysis, we select those challenges that a software
systems engineer can address, and we discuss why these challenges will benefit from software
system support (Section 1.2). We move on to present the theory and technology that has
underpinned our work (Section 1.3). We describe the CrimeFighter toolbox, and how CrimeFighter
Investigator fits into that framework (Section 1.4) and provide our readers with an overview of
the dissertation structure (Section 1.5). Finally, we provide reading directions based on the
expected areas of interest in Section 1.5.1.
it?” or “who are going to do it?”. That is simply a wrong approach, undermining the very nature
of criminal network investigation. That is the first myth we would like to debunk, formulated as
a question to us (and other researchers in the field):
Myth #1 Isn’t your ultimate goal to create big red “who did it?” or “who are going to do it?”
buttons, for world leaders and decision makers, to weed out the criminals?
No, this has never been the objective of our work. We believe this myth is the result of one of
two visions for artificial intelligence: the compelling vision that “human intelligence can be
so precisely described, that it can be matched by a machine” [202]; a machine that thinks and
creates new abstractions and concepts, just like living organisms [202]. But this vision has not
yet been realized; the computer cannot detect complex patterns it has never seen [131]. The
other vision for artificial intelligence focuses on the synergies between man and machine [131].
It has been called human-computer symbiosis, and was initially described by Licklider in
1960 [130], and summarized in a 2012 TED talk: “Licklider wanted humans and machines to
cooperate. The idea is that humans are great at certain things, like creativity and intuition.
Computers are great at calculation, scale, and volume. The idea is [...] to take a human and
make [him or] her more capable” [131]. The hypertext research community has developed
many technologies for the “augmentation of human intellect” [62]. We propose hypertext
technology as a bridge between humans and computers to leverage the above mentioned
synergies to solve the complex problems associated with criminal network investigation.
Myth #2 Shouldn’t you consider the ethics of what you are doing before applying social network
analysis algorithms to decide who are criminals and who aren’t?
Well, it has never been our goal to perform rode black box calculations on data sets, and
then think that any criminal network investigator would use that information as his sole
evidence of charging someone with something. As described above, we aim for cooperation
between humans and computers (with the human as the controlling entity), bridging human
intellect and computational power using hypertext technologies to benefit from the resulting
synergies.
Myth #3 Information overload is the key challenge for criminal network investigation?
Sure, information overload (or abundance) is one of several problems for the challenge that
information poses to criminal network investigation. But there are many important chal-
lenges (and related problems) for criminal network investigation to consider. Whether or
not information overload is a problem depends on the nature of the information: How is it
stored, does it contain many different entity types, etc.
All of the above are myths and assumptions. It has always been our intention to understand the
processes involved in the work of criminal network investigators, the structures of the criminal
network information that investigators collect, process and analyze, and the human factors that
decide the successes and failures of criminal network investigations. Our work has always been
about that, and this dissertation is about that. Before continuing, we encourage our readers to
study the following disclaimers as well:
Disclaimer #1 While we have studied visualizations and layouts to some extent, this work does
not focus on visualization. This causes some problems, as one reviewer has pointed out to
us, “it is unfair to compare the strengths of one tool with the weaknesses of another tool” -
a situation that occurs in Chapter 15, when we present a capability comparison of various
representative tools. We do, however, discuss visualization (also in Chapter 15).
Disclaimer #2 This is not a big data analytics project. While the aim might be the same, the
means are not. In a recent talk, Chen (2012) stated a research aim of “leveraging big
data analytics [for] delivery of a patient-centric decision support and patient empowerment
solution”. The general approach of the research was first to understand the information
structures in a certain domain (e.g., health or security informatics), then create database
tables to match these information structures before applying big data analytical methods.
The understanding of information structures had taken two years for the health informatics
domain. When asked after his talk, Chen admitted that this was indeed a somewhat static
approach, in that if changes were made to the structures, all the data would have to be
aggregated again before analytics could continue. Actually, Chen was facing a concrete
challenge of transitioning from version 9 to version 10 of the international classification of
diseases (ICD).
Disclaimer #3 I am first and foremost knowledgeable in the domain of software systems
engineering with a strong foundation in hypertext technologies. However, as it will be clear later
on, a prerequisite to successful software development is understanding the domain. Taking
a course on media and terrorism in the Middle East and participating in and giving a talk
at an interdisciplinary conference on terrorism and new media has made it clear that I am
not an expert in global jihad or radicalization processes. But it has made it possible for
me to talk to people who are. Nor has reading books about organized crime or watching TV
shows about criminals selling drugs made me an expert in these matters. But participation
in the annual European international security informatics conference (EISIC) 2011 and 2012
has provided me with new ideas and a network of people who work within that domain.
And studying research areas such as human cognition, creativity, information science, social
science, and so on, has not made me an expert on these areas either. But it has to some extent
made me knowledgeable about the different areas of research and made it possible for me to
talk with the real experts about it.
I typically use Analyst’s Notebook to generate a report for the state attorney han-
dling the case in court. I do not use Analyst’s Notebook before I am done with my
analysis. Statement (translated from Danish) by an intelligence analyst from the
Danish security and intelligence service, who we met at an Analyst’s Notebook user
conference⁴.
Analyst’s Notebook is good for making visualizations but it has a very static feeling
to it. Statement from Alexander Strick van Linschoten, a historian, investigative jour-
nalist, and an author of several books (e.g., [134]) at a meeting on Trafalgar Square,
London.
Based on cases and observations of criminal network investigation, contact with experienced end-
users from various communities (see Section 15.2), examination of existing process models (see
Sections 3.3 and 3.4) and existing tools for criminal network investigation (see Chapter 4) we
maintain a list of criminal network investigation challenges. The list of challenges can be seen as a
list of potential pitfalls that can cause criminal network investigation failure, either on their own,
or in combination with other challenges; the list serves as the basis for our problem definition and
research focus. The list is not exhaustive; we expect to uncover additional challenges over time.
CHAPTER 1. INTRODUCTION 1.2. CHALLENGES
We divide criminal network investigation challenges into the following groups: information, pro-
cess, context, human factors, tacit knowledge, management, and finally problems related to politics
and legal framework. Some of these challenges are more relevant than others in terms of developing
software tools supporting criminal network investigation. We therefore review them all here, but
do not make a detailed review of political and legal framework challenges - we merely recognize
that they are there.
Information. Criminal network investigation challenges related to information are many, e.g.,
the structure of the information is often emerging and evolving, i.e., no pre-defined structure
can be applied to guide the analysis work. Information abundance and scarcity are other central
problems. Finally, the information might be inconsistent and partial, showing variation in types
of meta data or missing entities. The following quotes emphasize these problems:
“No, there was no shortage of information. There was too much – a blizzard of it,
a whiteout so complete investigators routinely lost their way in it.” - in the months
after 9/11 FBI and CIA analysts received an “overpowering” amount of unprocessed
intelligence, and the fear of the next attack made them “chase tens-of-thousands dead
end leads” [146].
We typically have much less data, or not so many attributes, as it was the case in
the November 17 case you used - comment from intelligence analyst after presenting
work on inference-based prediction at the British Home Office [167].
Process. It has certain consequences whether the criminal network investigation follows a linear
process model or a target-centric process model. Research on the linear intelligence cycle has shown
it to define an “antisocial series of steps that constrains the flow of information [. . . ] and too often
results in throwing information over the wall” [40], causing compartmentalization⁵ [40, 113, 146].
For security reasons, compartmentalization can seem compelling, since it provides organizations
and departments complete control over the information they receive, and the information which
they disseminate to the next link(s) in the chain. But the approach has received bad reviews in
prominent commission reports [45, 110, 152, 153], which should weigh heavier than the desire for
complete control.
“With a better working methodology and a wider focus the Norwegian police security
service (PST) could have tracked down the offender prior to July 22. However, the
commission does not have the basis for arguing that PST thereby could have preempted
the attacks.” - One of six main conclusions in the July 22 Commission’s report [153].⁶
“The police has for 10 years isolated themselves and rejected all criticism. Nor-
wegian police has been very closed and unwilling to change. The commission repeats
criticism that has been raised many times before, but this time they can not reject it.”
- translated comment by Professor Petter Gottschalk when interviewed about the 22
July Commission’s report [78].⁷
Context. The location of a criminal network investigation (e.g., country or neighborhood) can
influence what technologies and tools are available for an investigation. If the country of the inves-
tigation has a high level of corruption, it can be hard to trust the information given by government
officials, because their affiliations are not known. The organization leading an investigation can
have a different approach to investigation, deeply rooted in their culture, making cooperation with
others complicated. Two competing intelligence agencies could also inhibit investigative progress
for one another. Simple things, like the control of surveillance cameras or the interception of cell
phone calls, could mean an important difference in available intelligence. If the investigators and
the criminals are at the same level in terms of technology and tools, the investigators are not likely
to gain an advantage based on that.
“Societies where there are strong professional law enforcement and intelligence
forces are very different in their susceptibility to terrorist attack from societies where
the police and security services are weak, corrupt or compromised.” - Woo (2009)
comments on the difference in environments (or contexts) that criminal network inves-
tigations might have to navigate [252].
“Here on the ground in Karachi [. . . ] the people conducting the raids and brushing
off death threats do not have the most rudimentary printer, let alone computers, access
to databases, cell phones. They don’t even have decent cars.” - Mariane Pearl on
the technology available in Karachi, Pakistan, for the team investigating her husband’s
kidnapping [162].
Human factors. Knowledge about how human cognition and creativity help investigators solve
problems is important for a better understanding of the human factors involved in criminal
network investigation. There are also a number of important aspects when investigators solve
crimes together: because of the different professions, traditional ways of doing things, and
personal knowledge (see below) of the members of the investigative team, it can be challenging to
work with a shared target model, in a so-called common information space. When investigators
use tools for criminal network investigation, the factors that make them trust the information
from these tools are of course of high value (just as the factors that have the opposite effect).
“The human mind does not work that way. It operates by association. With one
item in its grasp, it snaps instantly to the next that is suggested by the association
of thoughts, in accordance with some intricate web of trails carried by the cells of
the brain.” - Bush (1945) denouncing that humans find information by traversing a
complex hierarchical structure of classes [33].
“One [type of creativity] is to be flexible and freely associating - the traditional un-
derstanding of creativity, and what might be called the artistic approach. The other type
of creativity is to be persistent and focused – a more rational and conscious creativity,
which we maybe could call the engineering approach” - interview with leading cogni-
tion researchers Carsten De Dreu and Bernard Nijstad about a model of two types of
creativity [210].
Tacit knowledge. The kind of knowledge that investigators apply during investigations and
which is learned through experience. It might be possible to document this knowledge, but during
investigations it is often applied in an ad hoc manner and cannot be quantified and then
disseminated to other investigators (and tool support is therefore also not possible). Interrogation is a
prominent example of such tacit knowledge: asking the right questions, tricking the suspect or
potential suspect by setting up traps that make them give up their secrets.
“This, too, is role playing, and it requires a seasoned actor. If a witness or suspect
is belligerent, you wear him down with greater belligerence. If the man shows fear, you
offer calm and comfort. When he looks weak, you appear strong. When he wants a
friend, you crack a joke and offer to buy him a soda. If he’s confident, you are more
so, assuring him that you are certain of his guilt and are curious only about a few select
details of the crime.” Simon (1991) on interrogation [204].
Management. The capabilities of the individual investigator will have different impact on the
decisions made by, e.g., the shift manager. The approach of the team manager can affect the
outcomes of investigations: if the leader is playing the statistics game and adhering to what
his superiors say, then maybe only a certain type of case is being solved. And if higher-level
management does not provide the investigative teams with the warrants, technology, tools, and
general resources they need, it is certain to have an effect on the outcome of criminal network
investigations.
Politics and legal framework. What kind of resources do politicians make available for the
criminal network investigation units? What legal framework do the investigators have to follow
- is there even a framework of laws? Police and counterterrorism organizations are institutions of
power, existing in a forced and ever-changing relationship with the media, the world of the
investigative journalist and proliferation of terrorism, where the publication of a new lead as provided
by an anonymous source can send ripples through those organizations, relocating resources and
changing the focus from open investigations to current issues in order to protect the power of the
leadership.
1. Information: A basic understanding of criminal networks (types, cases, etc.) and criminal
network information (complexities, structures, etc.) is required to define an appropriate
conceptual model thereof. Related to that is a study of analytical techniques, to find those
techniques suitable for criminal network complexities and structures.
2. Process: A criminal network investigation process must support the mechanisms required
for successful investigation of criminal networks. The investigative process should not
introduce compartmentalization and bureaucracy to please management or organizations, thereby
inhibiting the natural flow and ultimately the success of the investigation.
3. Human factors: Knowledge about the human factors involved in criminal network
investigation is key to the development of a software system that truly supports criminal network
investigation processes. Both in terms of how investigators solve problems cognitively and
general consideration of interactions with information and algorithms required for criminal
network investigation.
Figure 1.1: Matrix of criminal network investigation challenges. Along the y-axis is the degree of
coupling to criminal network investigations vs. institutions or environments, and along the x-axis
is an estimate of whether or not the challenge is quantitative and can be modeled, or if it is more
internal and qualitative of nature, hence not suitable for modeling.
In Sections 6.1.1, 6.2.1, and 6.3.1 our research focus is outlined based on the challenges presented
here.
CHAPTER 1. INTRODUCTION 1.3. THEORY AND TECHNOLOGY
Figure 1.2: Criminal network investigation pillars of theory and technology. Each pillar represents
important aspects of engineering software tool support for criminal network investigation.
1.4. CRIMEFIGHTER TOOLBOX CHAPTER 1. INTRODUCTION
As indicated in Figure 1.2 the list of pillars is not exhaustive and the theories and technologies
are not limited to the ones shown inside each pillar; we expect to uncover additional theories and
technologies for all five pillars (and potentially new pillars) over time.
Web harvesting tools make use of data acquisition agents (spiders) to harvest data from the
Web. The spiders are controlled by the data conversion tools.
Data conversion tools are responsible for both collecting (through spiders) and transforming
data.
Data mining tools provide selected data mining algorithms to discover new knowledge in
data based on defined patterns.
Social network analysis tools perform analysis to uncover new patterns and to gain deeper
knowledge about the structure of terrorist networks.
Visualization tools use graph layout algorithms to visualize discovered knowledge regarding
terrorist networks. It can also be used as a graphics engine to support some of the tasks
performed by the other tools in the toolbox.
“The toolbox also contains the following [human-centric] tools”, supporting “the intelligence ana-
lysts in performing specific tasks by providing dedicated features that enhance the work efficiency
when performing manual intelligence analysis work” [247]:
Knowledge base tools help maintain the knowledge base by allowing intelligence analysts
to explore and revise the knowledge base content as well as to work with meta data.
Structure analysis tools focus on supporting the manual work with emergent and evolv-
ing structure of terrorist networks to uncover new relationships between people, places,
events, etc.
CrimeFighter Investigator is part of the CrimeFighter toolbox. The CrimeFighter toolbox for
counterterrorism is a novel approach to terrorism network analysis [245]. The goal is to provide
a number of desktop tools that are grouped into three overall software packages each containing
knowledge management tools and services relevant to counterterrorism [247]. These tools and
services are designed and implemented to enable them to interoperate and exchange information.
The CrimeFighter toolbox is depicted in Figure 1.5.
The Explorer and Investigator packages each support different knowledge management processes
that result in generation of terrorist networks consisting of nodes and links. These terrorist
networks are stored in the knowledge base. The Assistant package provides various features to
analyze and visualize networks - as generated by the Explorer and Investigator packages.
The research on CrimeFighter can be divided into four overall areas:
3. CrimeFighter Assistant is a software package with various services that supports anal-
ysis and visualization of terrorist networks. Terrorist network analysis is aimed at finding
new patterns and gaining a deeper knowledge and understanding about terrorist networks.
Terrorist network visualization deals with the complex task of visualizing the structure of
terrorist networks.
4. CrimeFighter toolbox architecture. In order for the developed tools and services to
be able to interoperate and exchange information, the overall software architecture of the
toolbox must enable a service in one package to use a service in another package. For
instance, the structure generated by the services of the Investigator package must be able to
use the analysis and visualization services available in the Assistant package.
CHAPTER 1. INTRODUCTION 1.5. DISSERTATION STRUCTURE
Chapter 1 (Introduction) starts out by debunking some myths about our work which people
have confronted us with during the last three years, either when presenting at conferences,
having lunch with colleagues or discussions about work with family and friends. We also
present a number of disclaimers to provide an understanding of the boundaries for our
research in criminal network investigation, a subfield of security informatics⁹,¹⁰. Normally
it is discouraged to define something by what it is not, but we feel it is necessary here to
provide the reader with an opportunity to get an initial idea of what this Ph.D. dissertation
is about.
We outline a list of criminal network investigation challenges in Chapter 1 (Section 1.2), and
argue our choice to focus on three of them (information, process, and human factors) for
software system support (Section 1.2.1). To guide our research we analyze problems related
to each of the challenges and formulate research focus requirements as a response to these
problems. Our research has been based on extensive literature reviews of related research
areas (theory) and studies of relevant technologies (see Section 1.3); together they constitute
our state-of-the-art on criminal network investigation¹¹. Section 1.4 describes the role of
CrimeFighter Investigator and the other tools in the CrimeFighter toolbox. The section also
discusses how we expanded our focus from counter terrorism to criminal network investiga-
tion. The introduction is concluded with this section on the structure of our dissertation
and provides reading directions for different categories of readers (see below).
Chapter 2 (Method) deals with the general method applied throughout the entirety of
the Ph.D. project described in this dissertation, in terms of literature studies, software
development, how paper writing has been planned and done, conference participation, etc.
This work was guided by Bardram’s (2007) so-called fish model (see Section 2.1).
Our software development methodology has been an iterative approach to incrementally
implementing tool support for criminal network investigation tasks based on the research
focus requirements. Software increments have been proof-of-concept prototypes supporting a
specific criminal network investigation task or work flow and we therefore have both a general
review of prototyping and the (our) more specialized proof-of-concept prototyping in Section
2.2. Section 2.3 covers our approach to acquiring empirical evaluation of our developed
concepts, which has been a mix of the prototyping already described, case-studies, end-
user (usability) feedback and measures of performance. Finally, we describe the framework
provided to us by our employer, University of Southern Denmark (Technical Faculty), within
which we had to conduct our research (Section 2.4).
Part II describes various aspects of our domain, criminal network investigation. First, we take a
closer look at criminal networks and investigation thereof: what is a network, what is a criminal
network, and how do investigators investigate networks? Then we study what existing knowledge
(theory) and technology is useful, in terms of understanding and supporting criminal network
investigation. What are the existing tools and what can they do? In the final chapter of this part
of the dissertation we define the problem by describing a number of specific problems and give
detailed descriptions of research focus requirements as a response to these problems.
Chapter 3 (Criminal network investigation) is a difficult research area to frame. The net-
work part indicates links to the field of network science comprising complex systems research.
Criminal tells about the nature of the information in the network. But unlike other domains,
deciding what is and what isn’t criminal network information is something rooted in our laws,
unlike the biologist’s classification of let’s say butterflies (see Section 3.1). Criminal network
investigations such as police investigations, intelligence analysis, and investigative journal-
ism share many characteristics, and we use examples from each of these to define the type of
criminal network investigation we want to support (Section 3.6). Knowledge about the struc-
tures that criminal networks have formed in the past, is an important tool for investigators,
and we review both meta structures and sub structures in Section 3.2.
Investigation is a process with the aim of producing an intelligence product for the customer
(decision maker). Like any other process with a specific end goal, several types of processes
have been developed. We review the traditional linear investigation process (Section 3.3)
as well as a new target-centric approach (Section 3.4). Finally, we present four criminal
network investigation cases in Section 3.5, describing the aspects of each investigation, that
we find to be particularly interesting.
Chapter 4 (Related work) focuses on reviewing commercial tools (Section 4.1), research pro-
totypes (Section 4.2), and investigative journalism tools (Section 4.3). We try to emphasize
the areas where the tools are strong, i.e., their support of criminal network investigation
tasks that could help reduce the impact of criminal network investigation challenges. At
the same time we also highlight support of investigation tasks that would inhibit criminal
network investigation.
Chapter 5 (Theory and technology) is dedicated to presenting the theories and technologies
that are part of our state-of-the-art for criminal network investigation. Some theory and
technology is core to criminal network investigation, like: hypertext, semantic web, human
cognition, the creative process, intelligence, and mathematical models, and they receive more
attention in Chapter 5 because of that. But theory from information science and social
science, knowledge about simple tools for idea generation, case studies of sub groups and
individuals, ethics, trust and user acceptance, and interaction and visualization are also
important, and therefore introduced.
Chapter 6 (Problem definition and research focus) is a crucial chapter, as it binds our dis-
sertation together. The chapter takes the three challenges selected in Chapter 1, and based
on the domain knowledge acquired in Chapters 3, 4, and 5, problems associated with the
three challenges are analyzed, and four research focus requirements to guide the tool de-
velopment are formulated for each challenge. The research focus requirements are used
throughout the dissertation. The introduction to Part II (the domain) contains a map of
the interrelationships of chapters with Chapter 6 at the center.
Part III presents our model for criminal network investigation and outlines the boundaries for tool
support. Analysis, design, and implementation are described for each of five investigation processes.
Chapter 7 (Process model and tasks) This chapter presents a target-centric and iterative
model for criminal network investigation, addressing the problems of linear process models.
The model has five main processes (acquisition, synthesis, sense-making, dissemination, and
cooperation), and the role of each process is described. A list of criminal network investi-
gation tasks for each of the five processes is also described. Further analysis, design, and
implementation of each individual task is presented in Chapter 9 to Chapter 13.
Chapter 8 (Concepts, models, and components for CrimeFighter Investigator) starts out
by presenting the foundation for our tool support: a conceptual model with first class enti-
ties is presented in Section 8.1. We separate mathematical and structural models, to provide
a computational model that can apply algorithms to the emerging and evolving structures
synthesized by investigators (see Section 8.2). Knowledge management and hypertext con-
cepts are introduced together with a list of software components (Section 8.3), requirements
for key components are presented in Section 8.4, and designs for three of these components
are presented in Section 8.5.
Chapter 10 (Synthesis) tasks assist investigators in enhancing the target model. The chapter
presents analysis, design, and implementation of selected synthesis tasks for criminal network
investigation.
Chapter 12 (Dissemination) tasks help the investigative team to formulate their accumulated
knowledge for the customer. The chapter presents analysis, design, and implementation of
selected dissemination tasks for criminal network investigation.
Chapter 13 (Cooperation) Cooperation has received little attention in our research, and this
chapter therefore contains a brief introduction to thoughts and analysis of support for the
Part IV describes our evaluation approach and discusses the results, presents our final conclusions
and outlines future work.
Chapter 15 (Evaluation and discussion) evaluates our tool support for criminal network in-
vestigation using three methods: end user interviews (Section 15.2), capability comparisons
(Section 15.3), and measures of performance (Section 15.4). The evaluations are summa-
rized and discussed. The chapter also discusses the issues of visualization and end user
involvement in tool development and evaluation.
Chapter 16 (Conclusion and future work) concludes the Ph.D. dissertation by summariz-
ing our research. We make our conclusions about support for research focus requirements,
criminal network investigation challenges, and the hypothesis in Section 16.2. Our contribu-
tions are presented in Section 16.3 and future work in terms of literature studies, software
development, and software evaluations in Section 16.4.
Academics in security informatics. We would of course like to say that the dissertation as
a whole is relevant for readers in this category. However, it might be relevant first to
skim through the myths and disclaimers in Chapter 1 and then, if it still sounds relevant
and interesting, turn to Chapter 3 to see if our focus areas within the domain of criminal
network investigation match the reader’s expectations. After that, we suggest the reader
proceeds freely, to his or her liking.
Decision-makers (government and private). Readers in this category might have a primary
interest in the operational application of the concepts we have developed for criminal network
investigation and the evaluation and discussion thereof. For these readers we recommend
studying Chapter 3 on criminal network investigation first, and then quickly turning the
focus toward Chapter 9 to Chapter 13 to read about our implemented support for individual
criminal network investigations, or go straight to Chapter 14 for a description of criminal
network investigation work flows and our support thereof.
The media might find it interesting to start by reading the dissertation abstract, and then turn
to the final chapter of the dissertation, Chapter 16, for our general conclusions and lists of
contributions. If more information is required about a certain contribution, the reader may
return to this section (or the list of contents), to locate the chapter(s) with more information
related to the particular contribution.
CHAPTER 2
Method
Today functional problems are becoming less simple all the time. But
designers rarely confess their inability to solve them. Instead, when a
designer does not understand a problem clearly enough to find the
order it really calls for, he falls back on some arbitrary chosen formal
order. The problem, because of its complexity, remains unsolved.
Christopher Alexander (1964), in Notes on the Synthesis of Form [8]
This chapter presents our method. The development of suitable software system support for
criminal network investigation is by no means a simple problem. We have approached this
problem iteratively, to get an incremental understanding of the challenges involved, in the hope
that we would not “fall back on some arbitrary chosen formal order” [8], as Alexander (1964)
warns solution designers in general. We hope that our method will help others to understand and
create their own support for criminal network investigation as well. We find our method to be a
general method for solving ill-structured problems.
We have followed Bardram’s (2007) fish model during the three years of research (see Figure 2.1):
first, an open-minded approach to the problem during the first year (the fish head), then one
and a half years in which the focus is continuously narrowed (the fish body), and then a short
six-month period of writing the dissertation (the fish tail). This overall process is outlined in Section
2.1. Our software development methodology has been iterative and incremental, each increment
a proof-of-concept prototype, a manifestation of a design idea that concretizes and externalizes a
conceptual idea [132] (see Section 2.2). Our method for empirical evaluation is tightly coupled
with our prototyping approach, but also has other aspects, such as the use of case studies, which
are described in Section 2.3. Finally, we take time to describe the study program we have followed
in Section 2.4, since the Danish model only leaves room for 18 months of actual research during
three years of Ph.D. studies. We feel it is necessary that our work is evaluated accordingly, but
more importantly it is the framework within which we had to conduct our research, and hence
2.1. GENERAL PH.D. APPROACH CHAPTER 2. METHOD
Figure 2.1: Bardram’s (2007) fish model [22] describes a useful framework for a 3-year Ph.D.
project: the open-minded phase (12 months), followed by an increasingly focused phase (18
months), and finally the writing-up phase (6 months).
In the first year our overall goals were (1) to conduct literature studies of the application domain
and the relevant supporting research fields, and (2) to develop a first set of design concepts for the
software tool and to evaluate the concepts based on a first prototype. This was achieved using an
open-minded approach as described in Figure 2.1. The first year of our Ph.D. project included
activities such as attending courses & conferences, conducting literature studies (reading related
work etc.), prototype development (which includes making experiments) and participating in and
organizing various conferences and symposiums, such as the international workshop on
counterterrorism and open source intelligence (2009), the international conference on advances in social
networks analysis and mining (2010), the international symposium on open source intelligence &
web mining (2010) and finally giving an invited presentation at the interdisciplinary terrorism and
new media conference (2009)¹².
The work in year one made it possible for us at the beginning of the second year to start writing and
publishing papers. The first one was for Hypertext 2011¹³ describing a model of criminal network
investigation we had developed¹⁴, indicating the responsibilities of tools for criminal network
investigation and humans (investigators) [174]. The year continued with further implementation
of the system requirements outlined in that paper. Halfway through my second year I spent
a month in London at Imperial College, Institute for Security and Science Technology, where I
studied inference prediction methods under the supervision of Dr. Christopher J. Rhodes. At the
end of the year I went to Germany and visited University of Hof, Institute of Information Systems,
where I studied spatial hypertext and started the analysis and design of usability experiments
under the supervision of institute director Dr. Claus Atzenbeck.
CHAPTER 2. METHOD 2.2. SOFTWARE DEVELOPMENT METHODOLOGY
The third year focused on continued increments of CrimeFighter Investigator, authoring of confer-
ence papers, a journal paper for the Springer security informatics journal (special issue on criminal
network investigation) [176], and a book chapter for the Springer handbook on computational ap-
proaches to counterterrorism [175]. The final months were focused on writing up the dissertation,
aggregating all published and unpublished work into one cohesive whole.
Figure 2.2: A typical agile development loop of feedback, coding, delivery, and client testing. The
cycle can be a month, a week, or even a day on an agile project, whereas the traditional alternative,
sequential waterfall methods, typically have cycles of several months to years, providing the
development team with less feedback to learn from and adapt to [43].
Prototyping will be based on relevant scenarios related to the criminal network investigation
domain. Selected scenarios are described in Section 3.5 and provide requirements and design
concepts for initial prototypes.
This is primarily a review of Floyd (1984) [70], which we find relevant because prototypes have
formed the increments of our work. In this review, we focus on the term prototype in relation
to software development, the different steps that characterize prototyping, and the different
approaches to prototyping. We have included reviews of specific parts of the article relevant for our
work.
A “prototype” literally means “first of type”, a notion which makes sense in those
branches of engineering where the manufacturer’s aim is to mass-produce goods of the
same type.
Software development prototyping, however, takes place in the context of an overall system
development process. When we use the term “prototyping” in connection with software development, it
indicates that we are primarily interested in the process rather than the “prototype” as a product.
Based on their working experience, many software developers are motivated to employ an
approach that involves an early practical demonstration of relevant parts of the desired software
on a computer.
According to the iterative and incremental cycle of agile software development described above,
prototyping helps introduce the element of communication and feedback. The degree of this
depends on the chosen approach to prototyping.
Prototyping can be seen as consisting of four steps (functional selection, construction, evaluation,
and further use):
1. Functional selection refers to the choice of functions which the prototype should exhibit.
The interesting part of this is that the selection should be based on work tasks relevant for
a later demonstration. The prototype is usually differentiated from the final product, by
selecting a few functions that are completely implemented (“vertical prototyping”, see figure
2.3) or a larger set of functions not implemented in detail (“horizontal prototyping”, see
figure 2.3). The two directions are often both used in a single prototype.
Figure 2.3: If you have a set of system requirements (functions) to prototype, then horizontal
prototyping means implementing a few of those functions completely and vertical prototyping
means implementing some part of many functions.
2. Construction refers to the effort required to make the prototype. When constructing the
prototype focus should be kept on the selected functions that are expected to be working at
the intended evaluation. This also means that “certain quality requirements pertaining to
the final product, such as reliability, data security or efficiency” [70] can be omitted, unless
these requirements are supposed to be part of the demonstration. Moral: You should only
do what is necessary in order to get the prototype ready for demonstration.
3. Evaluation is the step where it is decided how to proceed with the further development of
the prototype. Hence it is important that all necessary resources are made available during
the evaluation. The communication channels should be considered at the level at which the
evaluation takes place, e.g. problems arising from man-machine or man-man interactions
should be considered.
4. Further use of prototype. The prototype can be used “as a learning vehicle and be
thrown away afterwards, or it may be used fully or partially as a component of the target
system” [70]. Creating the learning process involves the following aspects:
Early availability (e.g. rapid prototyping),
Demonstration, Evaluation and Modification (e.g. user feedback at evaluation
of demo results in a modification of the prototype),
Teaching and Training (preparing users for their work with the target system),
Commitment (users also become stakeholders for design and functionality demon-
strated by the prototype)
It must be kept in mind that if a prototype is demonstrated and there is a
discussion with the prospective users about its evaluation, the commitment to
the target system is very strong. Should essential changes of some features of
the prototype be made during implementation of the final product without the
explicit consent of the user, serious problems regarding its acceptance must be
expected.
We find the most important points for our work to be those related to commitment (which is why
we quote the passage in full).
The purposes for creating a prototype can be many, and Floyd (1984) [70] distinguishes between
the following three broad classes of prototyping:
Summary
Since the initial prototypes of this Ph.D. project were based on architecture, design concepts and
specific components from previous research within the same field, as well as development of new
concepts and components, all three approaches to prototyping will come into play. We specialize
our approach to prototyping below.
characteristic of a prototype - being an incomplete portrayal of a design idea - is the reason behind
[the] metaphorical description of prototypes as filters. [. . . ] When incomplete, a prototype reveals
certain aspects of a design idea - that is, it filters certain qualities” [132].
We have adopted aspects of both the traditional requirements approach, and the communication
of design rationale as well as functioning as a filter for a design space, to create our own proof-of-
concept prototyping approach:
Requirements: We adopt the horizontal prototyping, realizing that our prototypes may span
multiple requirements (criminal network investigation tasks). We adopt a mix of Floyd’s
(1984) three approaches to prototyping: exploratory prototyping; experimental prototyping;
evolutionary prototyping.
Communication and filter: We use proof-of-concept prototypes for communication with our
supervisor, fellow lab colleagues, readers of scientific papers and of course potential end users.
We use proof-of-concept prototypes for filtering the design space, focusing on particular
characteristics of prototypes (see Section 2.2.2).
Following Lichter et al. (1993) and the four kinds of prototypes presented there [129], we typically
develop presentation prototypes to present functionality to either our Ph.D. supervisor, other lab
members, potential end users (i.e., intelligence analysts at the British Home Office [167]), or to
explain functionality to the readers of our scientific papers. The presentation prototype then
becomes part of our pilot system (CrimeFighter Investigator), either after some refactorings, or
maybe the architecture is already suitable for the implemented extension. Figure 2.4 (below)
describes our prototyping approach (process in lower left corner), as well as how it relates to the
incremental growth of our pilot system, CrimeFighter Investigator.
Finally, starting with a proof-of-concept approach has been noted as a common characteristic of
successfully funded and high impact intelligence and security informatics projects [37].
We have in general focused on interactive visual functionalities when designing and implementing
our proof-of-concept prototypes (testing human-computer interaction). This means that graphics
(visualizations), such as information about what is happening on the screen or which algorithm
is currently running, have not been implemented: “the designer screens out unnecessary aspects of
the design that a particular prototype does not need to explore” [132].
CHAPTER 2. METHOD 2.3. EMPIRICAL EVIDENCE
pages, brainstorming ideas, scientific quotes, etc.) will reveal relationships between the entities
and their associated topics [246]. This basic idea made Construct very interesting and usable with
regards to ASAP. The following features of Construct were adopted (and refactored to a varying
extent) by ASAP: a square 2D movable entity with changeable fields, various mouse events for
registering clicks, dragging etc. and the hierarchy feature. Construct had a feature for linking
entities, but it was not utilized in ASAP, and therefore had to be re-introduced when starting the
work on CrimeFighter Investigator. We refer to Chapter 8 for further details on the features and
concepts adopted from ASAP when starting the work on CrimeFighter Investigator.
Figure 2.4: The software baseline for this Ph.D. project was the output of our master thesis, the
ASAP tool. The ASAP tool has been refactored to support various versions of the CrimeFighter
Investigator, before the final version presented in this thesis.
To illustrate the changes (or increments) made between the different tools, we list basic software
metrics for each of the tools in Table 2.1. CrimeFighter Investigator 1 (September 2010), 2
(September 2011), and 3 (September 2012) are the major releases of CrimeFighter Investigator,
but metrics are only shown for the third and final release in the table.
Table 2.1: Selected software metrics for Construct, ASAP, and CrimeFighter Investigator after
year 3 (CFI: CrimeFighter Investigator, MLOC: method lines of code, LOC: total lines of code).
“Many Ph.D. students do cool projects, but to have statistical evidence for the ef-
fect of your implemented software features, you need to design and report usability
experiments.” - Dr. Claus Atzenbeck, Director for Institute of Information Systems,
University of Hof.
However, as Dr. Atzenbeck also pointed out, designing and reporting usability experiments is a long
process not suitable for an 18-month research project. We started designing usability experiments
for CrimeFighter Investigator features under Dr. Atzenbeck’s supervision and following his for
the WildDocs spatial hypertext system [18], guided by Field and Hole (2003) [69]. We hope to
complete this work in the future.
We decided to gather empirical, quantitative and qualitative, evidence using other methods.
Because of the wide range of criminal network investigation processes and tasks we cover, several
methods have been necessary to evaluate all aspects of our developed software system support:
post-crime data sets and investigations, end-user interviews, capability comparisons, and
measures of performance. These methods are described in detail and discussed in Chapter 15.
Before continuing to Section 2.3.1 on case study research, it is important to note that we have been
doing case study research in the context of software systems engineering, not case study research
of the effect of applied software systems engineering or criminal network investigation concepts.
But can we generalize our findings in case studies and use them as arguments for the software
requirements we generate? The strengths and weaknesses of case studies as compared to for
example formal experiments (e.g., usability experiments) are summarized in the following quote:
“Although [case studies] cannot achieve the scientific rigor of formal experiments,
[they] can provide sufficient information to help you judge if specific technologies will
benefit your own organization or project. Even when you cannot do a case study of
your own, the principles of good case-study analysis will help you determine if the
case-study results you read about are applicable to your situation” [118].
Flyvbjerg (2006) further advocates the use of case studies and their scientific value by explaining
and correcting five common misunderstandings about case studies: “(a) theoretical knowledge is
more valuable than practical knowledge; (b) one cannot generalize from a single case, therefore,
the single-case study cannot contribute to scientific development; (c) the case study is most useful
for generating hypotheses, whereas other methods are more suitable for hypotheses testing and
theory building; (d) the case study contains a bias toward verification; and (e) it is often difficult
to summarize specific case studies.” [71] (misunderstandings are also discussed in Flyvbjerg (2011)
[72]). An interesting conclusion on the strengths of case studies from the business management
domain comes from Gill (1995): “theory developed from case study research is likely to have
important strengths such as novelty, testability and empirical validity, which arise from its close
linkage with empirical linkage” [76].
1 The research training program was previously known as Information and Communication Technology.
2.4. PH.D. STUDY PROGRAM CHAPTER 2. METHOD
Part II
The domain
The chapters in Part II introduce the domain of tool support for criminal network
investigation, and then further sharpen our initial problem definition and hypothesis
from Chapter 1. Chapter 3 describes criminal network investigation. Chapter
4 describes existing tool support for criminal network investigation and explains
strengths and weaknesses of these state-of-the-art tools. Chapter 5 summarizes a
range of theories and technologies required for tool support for criminal network
investigation. These three chapters represent our domain knowledge. Chapter 6
expands our initial description of the three challenges information, process, and
human factors, which we chose to focus on in Chapter 1, and which formed the
foundation of our research hypothesis. For each challenge, a set of specific problems
is listed, based on our domain knowledge. We also define our research focus for
each of the three challenges, framed by a set of requirements. Each requirement
is viewed as a software feature, which, if supported in a suitable fashion, would
strengthen a software tool’s support of the related challenge.
Figure 2.5 provides an overview of the central role that Chapter 6 plays in terms
of previous and future chapters. Figure 2.5 shows that the research focus
requirements relate to the criminal network investigation process model and tasks, and
subsequently how the processes relate to Chapters 9 to 13, each of these chapters
describing analysis, design, and CrimeFighter Investigator support for tasks
associated with a process. Chapter 8 is also part of the foundation for Chapters 9 to
13, and the concepts and components analyzed and designed in that chapter have
been developed to support the research focus requirements in Chapter 6. Chapters
9 to 13 lead to Chapter 14, describing criminal network investigation work flows
involving multiple criminal network investigation processes and tasks. Chapter 15
and Chapter 16 evaluate and conclude our dissertation.
Figure 2.5: How Part II links to Part I, III, and IV of this dissertation.
CHAPTER 3
If we are to think seriously about the world, and act effectively in it,
some sort of simplified map of reality . . . is necessary.
Samuel P. Huntington (1996), in the clash of civilizations and the remaking of world order [102].
Network-based techniques are widely used in criminal investigations because patterns of association
are actionable and understandable, but a criminal network is a special kind of network and a
focused review of this domain is necessary. We start this chapter with our understanding of
what a criminal network is and is not (Section 3.1). This includes a comparison of criminal
networks with other networks such as social networks, biology networks, physics networks, and
other complex systems. Investigating how criminal networks evolve over time is important to
understand the need for information structure support; a criminal network is not a static entity.
Equally important is an understanding of how criminal networks form (emerge) and what ties a
network together to sustain the required level of secrecy and efficiency necessary for the network’s
survival, as mentioned above. We discuss the differences between pre- and post-crime criminal
networks, and again, how one becomes the other, e.g., through a radicalization process. Finally,
we discuss the implication that individuals and other entities (organizations, locations, etc.) in
criminal networks are criminals or part of criminal activity. Part of the explanation is given below,
that criminal networks are investigated for potential criminals or criminal activity in situations
where decision makers want to take proactive measures. But again, we need to be aware of the
difference between legal and illegal activity [87].
We start the chapter with an introduction to what a criminal network is (Section 3.1), followed by a
review of criminal network structures. An investigator in any domain would benefit from a general
knowledge about the known basic information structures within that domain [8, 9, 90]. In Section
3.2, we present the building blocks of such structures. We divide the structures created with
those entities in two categories, organizational (meta) structures and smaller (sub) structures, and
discuss the structures in each category often appearing in criminal networks.
After this review of various structures, we review two different types of processes for criminal
network investigation: the linear approach and the target-centric approach. The analysis of these
two different approaches will also serve as input for our problem definition in Chapter 6. The
classic linear approach to investigation (see Section 3.3) is the “faulty” investigative process,
because it introduces compartmentalization which has a negative impact on information sharing
and shared responsibility, ultimately causing intelligence failure. The target-centric approach, on
the contrary, has all stakeholders (collectors and processors, analysts, and customers) working
on the same shared target-model, removing compartmentalization from the equation and instead
helping to introduce concepts such as ownership and transparency. Our preferred
investigative process is described in Section 3.4.
We present four case studies of criminal network investigations in Section 3.5. We discuss and
reference those cases throughout the dissertation. The cases are: the Daniel Pearl investigation, the
hunt for Khalid Sheikh Mohammed, the Latonya Wallace and John Scott homicide investigations,
and finally the Barksdale drug organization in Baltimore. For each of these case studies, we set the
scene for investigation, we describe the investigative team and the individuals that constitute it,
we discuss the investigative approach of the team, and the criminal network under investigation.
We conclude this chapter with a summary based on three distinct criminal network investigation
types (Section 3.6). We give a short introduction to the general characteristics of the criminal network
investigations we focus on, and then we present the three specific investigation domains of our
particular interest, namely policing, counterterrorism, and investigative journalism. We discuss
each investigation domain in terms of the three challenges information, process, and human factors
and present case-studies from each investigation domain.
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.1. CRIMINAL NETWORK?
emphasis on both secrecy and efficiency [244], but as we will see criminal networks also have other
distinctive features.
While the emphasis is different in terrorist networks and social networks, the entities are often the
same, namely humans. In other network domains theory from physics is used to localize the source
of diffusion in complex networks (e.g., “the source of a contaminant or virus”) [177], where the
nodes might be houses or cities and links represent means of transportation between them, and
so on (see Section 5.9 for examples). In all these networks the entities are of the same type within
each individual network. But in criminal networks, as we will see in the investigations described in
Section 3.5.1 to 3.5.4, it will be clear that many different types of entities can be expected to occur
in the networks. And furthermore, the relations between entities are not of one type, but multiple
types. In general, we think of criminal networks as semantic webs (see Section 5.2 for detailed
review) of information entities. It is important to understand both the differences in emphasis
and entity types, when analyzing criminal networks. Consequently, this is also important when
developing tool support for criminal network investigation.
3.2. STRUCTURES CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
Figure 3.1: The three first class entities of criminal networks are information elements (nodes, left),
relations (links, middle), and composites (groups, right). The circles indicate connection points
for directly associating the entities, while the small light gray squares are for resizing entities.
perspective (e.g., [188]), interviews and presentations (e.g., [166, 167]), and informal talks with
criminal network investigators together with our own ideas, we present an outline of general
organizational (meta) structures and smaller (sub) structures. The organizational structures are
often used to describe the network as a whole. However, large networks may exhibit the outlines
of many such meta structures. The sub-structures are smaller structural components above the
abstraction level of the basic network building blocks, the first class entities node, link, and group.
3.2.1 Nodes, links, and groups: the basic entities of criminal network structures
The building blocks of criminal networks are information entities. Our network model (Figure 3.1)
defines three such entities, namely information elements (nodes), relations (links), and composites
(groups). Nodes hold information about real-world objects. Investigators basically think in terms
of people, places, things, and their relationships. We use rectangles as visual abstractions here
for simplicity, but any symbol (circles, triangles, etc.) could have been used to illustrate different
types of real-world objects. Links of different types and weights can associate information entities
directly. Links have two endpoints, they can be both directed and undirected, and they have
different visual abstractions (see Figure 3.1, middle). Composites are used to associate entities
in sub groups. We work with three types of composites [174]: Reference composites are used to
group entities in the common information space. Inclusion composites can collapse and expand
information to let investigators work with subspaces. Relation composites can collapse and expand
multiple relations between two information elements. The circles in Figure 3.1 indicate connection
points for direct association of entities. The smaller light gray squares are for resizing entities.
Later, we will abstract the concepts of the circles and light gray squares to a single concept.
We formalize our criminal network model mathematically by stating that a criminal network (CN)
is a list of entities (E) and entities are lists of nodes (N), links (L), and groups (G). Beyond this,
the organizational structures and smaller sub structures described below have not been formalized
mathematically. We leave this perspective for others and instead take a structural perspective,
allowing for some investigative flexibility that strict mathematical formalization might inhibit.
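The network model above (nodes, typed and weighted links, and the three composite types) can be written down as plain data structures. The following Python sketch is an added example and not code from CrimeFighter Investigator; the class names, the `view` method and the sample entities are assumptions made for illustration, and it shows how collapsing an inclusion composite and a relation composite changes what the investigator sees.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Node:                       # information element: person, place or thing
    label: str
    kind: str = "person"
    id: int = 0

@dataclass
class Link:                       # relation; a and b are the ids of its two endpoints
    a: int
    b: int
    kind: str
    weight: float = 1.0
    directed: bool = False
    id: int = 0

@dataclass
class Group:                      # composite; kind is reference, inclusion or relation
    label: str
    kind: str
    members: set = field(default_factory=set)
    collapsed: bool = False
    id: int = 0

class CriminalNetwork:
    """CN as one store of entities E, each a node (N), link (L) or group (G)."""

    def __init__(self):
        self.entities = {}
        self._ids = count(1)

    def add(self, entity):
        if isinstance(entity, Group) and entity.kind == "relation":
            # A relation composite bundles parallel links between one pair only.
            pairs = {frozenset((self.entities[m].a, self.entities[m].b))
                     for m in entity.members}
            if len(pairs) != 1:
                raise ValueError("a relation composite joins exactly one pair")
        entity.id = next(self._ids)
        self.entities[entity.id] = entity
        return entity.id

    def view(self):
        """Return (labels, links) currently on screen; labels assumed unique."""
        # Assumption: each entity sits in at most one inclusion composite.
        parent = {m: g for g in self.entities.values()
                  if isinstance(g, Group) and g.kind == "inclusion"
                  for m in g.members}
        merged = {m: g for g in self.entities.values()
                  if isinstance(g, Group) and g.kind == "relation" and g.collapsed
                  for m in g.members}

        def shown_as(i):          # outermost collapsed ancestor, else the entity itself
            top = i
            while i in parent:
                g = parent[i]
                i = g.id
                if g.collapsed:
                    top = g.id
            return top

        labels = sorted(
            e.label for e in self.entities.values()
            if shown_as(e.id) == e.id and not isinstance(e, Link)
            and not (isinstance(e, Group) and e.kind == "relation"))
        totals = {}
        for link in (e for e in self.entities.values() if isinstance(e, Link)):
            a, b = shown_as(link.a), shown_as(link.b)
            if a == b:            # both ends folded into the same composite
                continue
            ends = (self.entities[a].label, self.entities[b].label)
            g = merged.get(link.id)
            if g or not link.directed:
                ends = tuple(sorted(ends))
            key = ends + (g.label if g else link.kind,)
            totals[key] = totals.get(key, 0.0) + link.weight
        return labels, sorted(k + (w,) for k, w in totals.items())

def build_sample():
    """Constructed data, not taken from any real investigation."""
    cn = CriminalNetwork()
    a = cn.add(Node("Suspect A"))
    b = cn.add(Node("Suspect B"))
    c = cn.add(Node("Courier"))
    s = cn.add(Node("Safe house", kind="place"))
    calls = cn.add(Link(a, b, "phone call"))
    money = cn.add(Link(a, b, "bank transfer", weight=2.0, directed=True))
    cn.add(Link(a, c, "recruited", directed=True))
    cn.add(Link(c, s, "visited"))
    ids = {"contacts": cn.add(Group("A-B contacts", "relation", {calls, money})),
           "cell": cn.add(Group("Cell 1", "inclusion", {a, c})),
           "leads": cn.add(Group("Leads", "reference", {s}))}
    return cn, ids
```

With both composites collapsed, the link inside "Cell 1" disappears from view and the two links between the suspects are shown as one relation with the summed weight.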
Figure 3.2: An example of hierarchical (left), a cellular (middle), and flat structure (right).
Figure 3.3: Emerging structures in the early phases of criminal network investigations.
HIERARCHICAL
As previously mentioned, criminal network structures are emergent and evolving, and the criminal
network is modeled incrementally, from the selection of a target until some meaningful
structure emerges that can provide insight and new potential leads for the investigators.
Sageman (2004) states that “terrorist networks are not static; they evolve over time” [188]. A
large organization like al-Qaeda has developed many “levels and concepts of organization” [155]
from its establishment to now. Sageman depicts al-Qaeda as four clusters with one leadership
cluster, the central staff. “After 1996, the central staff was no longer directly involved in terrorist
operations, but the other three major clusters were connected to their central staff contacts by
their lieutenants in the field” [188] (see Figure 3.5). Two of the al-Qaeda clusters are comprised
of several cohesive subgroups, while the southeast Asian cluster is more hierarchically structured,
with a leader and a consultative council at the top. When the cluster was created it was divided
into four geographical regions, and each region had several branches:
All the network information was gathered from public domain sources: “documents and tran-
scripts of legal proceedings [. . . ], government documents, press and scholarly articles, and Internet
articles” [188]. Based on this information, an elaborate list of person attributes was synthesized.
Hierarchical criminal networks can emerge in both top-down (i.e., recruitment [188]) and bottom-
up (i.e., linkage [236]) ways.
CELLULAR
After 10 years of investigative journalism the Pearl Project published a report on the kidnapping
and murder of Daniel Pearl depicting five cells responsible for various tasks, with all cells connecting
to the mastermind behind the kidnapping [227] (see Figure 3.6). However, from the account of the
official investigation we know how fragmented and inconsistent information about the kidnappers
initially was [162], and from another account we get a vivid description of how investigations
faced “the eternal problem of any investigation into Islamist groups or Al-Qaeda in particular: the
extreme difficulty of identifying, just identifying, these masters of disguise, one of whose techniques
is to multiply names, false identities, and faces” [128].
FLAT
Krebs’s almost iconic network of 9/11 hijackers has been referenced widely [122] (see Figure 3.7).
It was aggregated based on open sources, but it is not possible to see the intermediate states of the
network prior to the published version, which would have been interesting from an investigation
point of view. Also, it is not clear what exact evidence formed the individual links between
the hijackers. But the final relatively flat structure of the network is informative for investigators,
since it can be observed that each individual and cells on each of the flights have low connectivity.
SEMI-LATTICE
From an investigative point of view, it can be argued that the semi-lattice is a better structure
for modeling for example organized crime networks (like the drug selling organization described
in Section 3.5.4). And from a mathematical point of view we expect that the semi-lattice could
more precisely be used to model overlapping network entities, whatever they might be. Alexander
(1965) defines a semi-lattice based on sets: “A collection of sets forms a semi-lattice if and only if,
when two overlapping sets belong to the collection, then the set of elements common to both also
belongs to the collection” [9] (see Figure 3.8). A semi-lattice can be used to represent overlaps
between different (groups of) entities. This is a very interesting feature, since an overlap indicates
some sort of association between entities, and that association can be key to solving the case. As
commented by Hirtle (1995), “a tree structure is one realization for a hierarchical structure for
the representation of space. It is easily constructed and understood, but it is also a rigid structure
that does not allow for overlap. Ordered trees provide an extension that allows for some degree
of overlap, whereas a semi-lattice is an even richer structure that appears to be consistent with
many aspects of cognitive space [9]” [89]. In some literature, the organized crime networks are
defined as hybrids [228]. We have observed that a hybrid of a flat tree (hierarchy) and the clique,
shaped by the environment in which it resides, is an often occurring structure.
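Alexander's set-based definition quoted above can be checked mechanically over the groups in an investigation. The following Python sketch is an added example, not code from CrimeFighter Investigator; the unit names and members are constructed, and the tree test uses the nested-or-disjoint condition from the same essay by Alexander, which this chapter does not quote. It reports the overlaps that are not yet entities in their own right and adds them until the collection is a semi-lattice.

```python
from itertools import combinations


def missing_overlaps(units):
    """Overlapping pairs whose common members are not themselves a unit.

    units maps a unit name to the set of its members.
    """
    known = {frozenset(members) for members in units.values()}
    gaps = []
    for n1, n2 in combinations(sorted(units), 2):
        common = frozenset(units[n1]) & frozenset(units[n2])
        if common and common not in known:
            gaps.append((n1, n2, common))
    return gaps


def is_semilattice(units):
    """True when every non-empty overlap of two units is itself a unit."""
    return not missing_overlaps(units)


def is_tree(units):
    """Tree condition: any two units are either nested or disjoint."""
    sets = [frozenset(m) for m in units.values()]
    return all(a <= b or b <= a or not (a & b)
               for a, b in combinations(sets, 2))


def close_under_overlap(units):
    """Add each missing overlap as a named unit until none is missing."""
    closed = {name: set(members) for name, members in units.items()}
    while True:
        gaps = missing_overlaps(closed)
        if not gaps:
            return closed
        for n1, n2, common in gaps:
            if common not in {frozenset(m) for m in closed.values()}:
                closed[f"{n1} & {n2}"] = set(common)


# Constructed sample data: a strict hierarchy and an overlapping street-level set.
HIERARCHY = {
    "organization": {"a", "b", "c", "d"},
    "cell 1": {"a", "b"},
    "cell 2": {"c", "d"},
}
STREET = {
    "corner crew": {"dealer 1", "dealer 2", "lookout"},
    "stash house": {"lookout", "runner", "enforcer"},
    "union local": {"enforcer", "dock worker"},
}

if __name__ == "__main__":
    for n1, n2, common in missing_overlaps(STREET):
        print(f"{n1} / {n2}: overlap {sorted(common)} is not yet an entity")
    print(sorted(close_under_overlap(STREET)))
```

Each overlap reported by `missing_overlaps` is a candidate association for the investigator to promote to a group, which is the sense in which an overlap "can be key to solving the case".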
The Wire is a television show about organized crime, based on yearlong embedded field work by
the authors, that has inspired our work in this domain. It has been argued that The Wire is
actually a show about the city [10, 34, 163] and not the individual characters (e.g., criminals and
police officers). It is the different institutions in the city that are the real powerful entities (quote
from [127] as quoted in [34]):
The narrative first emerges out of the police investigation of the drug trade, as law
enforcement tries to capture Avon Barksdale by proving that he is the hub of a network
of linked corners and dealers. In order to succeed, the law enforcement side must
gain access to the dealers’ principles of interconnectedness, and they do so through the
wiretap, which itself both emerges from and exposes new links: it first brings together
the Baltimore police, the FBI, the District Attorney, and the courts, and it then allows
them to piece together the structure of the Barksdale drug dealing hierarchy, which
then links up to local politics and the real estate market; later, when the wire takes in
the evidence of dockworkers, it also reveals global economic trading patterns that link
urban poverty to unions and local politics to transnational criminal traffic. Thus the
networking technology of the wiretap is itself a point of contact among other networks.
The whole social world then emerges, in The Wire, not as a set of discrete hierarchies
and institutions, but as the sum of the sites where they intersect.
And it is exactly such intersections that the semi-lattice could be used to model. Taniguchi et al.
(2011) present a study of open air drug markets and the gangs selling drugs there. These drug
markets are the street corners vividly described by Simon and Burns [204, 205] and brought to life
in The Wire. Taniguchi et al. provide the following definition of a gang: “a group of five or more
people with (1) some type of structure, (2) a common identifier, (3) a goal or philosophy that binds
them and (4) whose members are individually or collectively involved in criminal activity” [221].
To model street corners and associate gangs with those individual corners, Thiessen polygons are
used to describe the corners, and census geography polygons are used to indicate individuals on
each of those corners (see Figure 3.9).
We find that specific structures often underpin or shape criminal networks. Krebs’ (2002) analysis
of the hijacker operation behind the September 2001 attack found that it is the dense under-
layer of prior trusted relationships that is found to be at the base of the network’s stealth and
resilience and not the commanding control of a single or select few leader(s)” [122]. For urban
organized crime “groups organize around criminal values and activities just as other groups would
converge around noncriminal activities” [150]. The city has a great influence on organized crime
networks: “[a network] can be, but does not have to be, a product of urban design and economic
conditions” [150]. If the city shapes urban organized crime, then it is worth asking what the
structure of a city is. Alexander (1965) argues that “a city is not a tree” but a semi-lattice:
“I believe that a natural city has the organization of a semi-lattice; but that when we
organize a city artificially, we organize it as a tree. [. . . ] Both the tree and the semi-lattice are
ways of thinking about how a large collection of many small systems goes to make up a large and
complex system.” [9].
Figure 3.8: The structure illustrated in a and b is a semi-lattice, since “wherever two units overlap, the area of overlap is itself a recognizable entity and hence a unit also” [9].
Figure 3.9: The solid line polygons are Thiessen polygons, forming unique spatial regions, systematically allocating crimes to the physically closest street corner. While the Thiessen polygons do not overlap or have gaps between them, other polygons could be added in a different layer to represent overlaps with the Thiessen polygons (in this case census geography for each of the polygons) [221].
Criminal networks of a certain complexity will typically have the features of more than one orga-
nizational meta structure. And the criminal networks we have studied have featured more than
one of the smaller sub structures described below.
Figure 3.10: Examples of sub structures include cliques (left), bridges (middle), and hubs (right).
CLIQUE
A clique is a network structure where “every node is connected to every other node” [188], as
shown in Figure 3.10a. Wasserman and Faust (1994) classify the clique as a cohesive subgroup
and give the following definition of the clique: “a clique in a [network] is a maximal complete
sub[network] of three or more nodes. It consists of a subset of nodes, all of which are adjacent to
each other, and there are no other nodes that are also adjacent to all the members of the clique.
The restriction that the clique contain at least three nodes is included so that mutual dyads are not
considered to be cliques.” [240]. Scott (2000) suggests a distinction between strong cliques (cliques
in directed networks) and weak cliques (when the direction of links is disregarded). For criminal
network investigation (and perhaps sense-making algorithms in particular), the n-clique [195, 240]
is very interesting:
“In this concept n is the maximum path length at which members of the clique
will be regarded as connected. Thus, a 1-clique is the maximal complete sub-[network]
itself, the set in which all pairs of [nodes] are directly connected at distance 1. A
2-clique, on the other hand, is one in which the members are connected directly (at
distance 1) or indirectly through a common neighbor (distance 2)” [195].
In our deployment of a custom-made node removal algorithm (outlined in Section 14.2) we set up
rules to detect a change in distance between nodes, from distance 2 prior to the node
removal to distance 1 after the node removal (followed by an inference-based prediction of missing
links in the network). In the deployment scenario, the investigators argue that links matching these
rules might be an indication of tasks being shifted from the removed node to the new destination
nodes at distance 1 from the source nodes. It could also be interesting to investigate a change in
n-cliques after a node removal.
“A clique is a very strict definition of cohesive subgroup. [. . . ] The absence of a single line, [. . . ]
will prevent a subgraph from being a clique” [240]. To present examples of cliques in criminal
networks, we have to take the mathematical (and textual) definition loosely, and think more of it as
a tight-knit group. A good example is provided by Sageman (2004) who references his discovery
that “people joined the jihad in small groups” (he later refers to them as bunches-of-guys), and
then states that:
“When one of the friends was able to find a bridge to the jihad, they often went
as a group to train in Afghanistan. Examples abound in [Sageman’s] sample: the
Montreal group, the Hamburg group, the Khamis Mushayt group, the Lackawanna
group. These are dense, small networks of friends who can vouch for each other. In
network terminology, they form cliques.” [188].
Omar Saeed Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl
(see Section 3.5.1), purposefully made an effort to keep his operational cells separate, as described
below. “Amjad Hussain Farooqi, Asim Ghafoor, and Asif Ramzi were all allegedly implicated in
helping Omar Sheikh plot Daniel Pearl’s kidnapping” [227]. Amjad Farooqi was a friend from
militant circles. Asim Ghafoor came with Omar to Karachi, a 28 year old deputy in a militant
group, “which would be instrumental in doing Sheik’s dirty work on the streets of Karachi” [227].
Salman Saqib met Omar and Asim at the airport to pick them up, but Omar kept introductions
short, and Saqib therefore only knew Asim Ghafoor as “the fat guy”. Upon arrival in Karachi,
Sheikh had only two days to set up his operation [227], another factor that surely helped keep the
operational cells secret.
BRIDGE
“A bridge is a line that is critical to the connectedness of the graph. A bridge is a line such that
the graph containing the line has fewer components than the subgraph that is obtained after the
line is removed” [240]. Applying this to criminal networks, we define a bridge to be an entity
or structure (several associated entities) who connects to distinct parts of the network. In more
structural terms, Scott (2000) references work on cycle analysis which “goes on to define a bridge
as a line that does not itself lie on a cycle but that may connect two or more cycles” [195]. This
is illustrated in Figure 3.11, the link between node B and E bridges the two cycles ABDC and
EFIH. In peak analysis a node is a peak if it is more central than any other point to which it is
connected and a bridge is then a central node that connects two or more peaks [195]. An example
of a bridge between peaks is shown in Figure 3.12 and the bridge was found to be an important
feature of the al-Qaeda network that Sageman (2004) investigated:
“In the case of global Salafi mujahedin [. . . ] there is one common element that is
specific to them and to no one else, and that is the fact that they made a link to the
jihad. These links are key to the dynamics of terror networks. How does one go about
joining the global Salafi jihad?” [188].
Questions similar to the one asked in the quote above are equally important for other types of criminal
networks, such as “how does one go about joining organized crime groups?”, for example a
group of criminals selling drugs (see Section 3.5.4).
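The clique, n-clique and bridge definitions quoted above can be applied directly to the graph described in the caption of Figure 3.11. The following Python sketch is an added example, not code from the thesis; the edge list is constructed from the caption (cycles ABDC and EFIH joined by the link B–E) and the function names are hypothetical.

```python
from collections import deque

# Constructed from the Figure 3.11 caption: cycle A-B-D-C, cycle E-F-I-H, link B-E.
EDGES = [("A", "B"), ("B", "D"), ("D", "C"), ("C", "A"),
         ("E", "F"), ("F", "I"), ("I", "H"), ("H", "E"),
         ("B", "E")]


def adjacency(nodes, edges):
    """Undirected adjacency sets for the given nodes and links."""
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def distances_from(adj, start):
    """Breadth-first search: path length from start to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def component_count(nodes, edges):
    """Number of connected components."""
    adj = adjacency(nodes, edges)
    seen, count = set(), 0
    for n in nodes:
        if n not in seen:
            seen.update(distances_from(adj, n))
            count += 1
    return count


def bridges(edges):
    """Links whose removal leaves more components than before (the quoted definition)."""
    nodes = sorted({n for e in edges for n in e})
    base = component_count(nodes, edges)
    return [e for e in edges
            if component_count(nodes, [x for x in edges if x != e]) > base]


def n_cliques(edges, n, min_size=3):
    """Maximal node sets in which every pair is within path length n.

    n = 1 gives ordinary cliques; sets smaller than min_size are dropped,
    matching the restriction that mutual dyads are not cliques.
    """
    nodes = sorted({v for e in edges for v in e})
    adj = adjacency(nodes, edges)
    # reach[u]: nodes regarded as connected to u at maximum path length n
    reach = {u: {v for v, d in distances_from(adj, u).items() if 0 < d <= n}
             for u in nodes}
    found = []

    def expand(members, candidates, excluded):
        # Bron-Kerbosch enumeration of maximal cliques in the "within n" relation
        if not candidates and not excluded:
            if len(members) >= min_size:
                found.append(sorted(members))
            return
        for v in sorted(candidates):
            expand(members | {v}, candidates & reach[v], excluded & reach[v])
            candidates = candidates - {v}
            excluded = excluded | {v}

    expand(set(), set(nodes), set())
    return sorted(found)


if __name__ == "__main__":
    print("bridges:  ", bridges(EDGES))
    print("1-cliques:", n_cliques(EDGES, 1))
    print("2-cliques:", n_cliques(EDGES, 2))
```

On this graph the strict clique definition finds no group at all, while the 2-clique recovers both cycles plus the two groups that straddle the bridge.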
HUB
“A major topic of research in recent years has been the investigation of hubs on the performance
and behavior of network[s]. Results indicate that hubs can have a quite disproportionate effect,
playing a central role particularly in network transport phenomena and resilience, despite being
few in number” [155].
A hub in a criminal network is a well-connected (high degree) node [155], e.g. the entrepreneur of
a terrorist cell [154] (i.e., clique), receiving information from the outside and communicating it to
the other members of the cell.
Figure 3.11: An example of a bridge in cycle analysis: the link between node B and E bridges the two cycles ABDC and EFIH (figure adopted from [195]).
Figure 3.12: An example of a bridge in peak analysis: a node is a peak if it is more central than any other point to which it is connected and a bridge is then a central node that connects two or more peaks [195] (figure adopted from [195]).
Figure 3.13: The three isomorphism classes of dyads: null dyads (left), asymmetric dyads (middle),
and mutual dyads (right). (figure adopted from [240])
DYAD
Knowledge about triads, dyads, and singletons in criminal networks can be useful for pattern
searching (see sections and example below), and it is also primarily with this in mind that we
review these three structures.
“A dyad is an unordered pair of actors and the arcs that exist between the two actors in the
pair” [240]. There are three possible states or isomorphism classes for dyads as shown in Figure
3.13: null dyads (left), asymmetric dyads (middle two), and mutual dyads (right).
TRIAD
Three nodes (information elements) without the links that may exist between them are called a
triple; when we also consider the links between these nodes we have a triad [155, 240]. Following
our claim, that an understanding of basic network structures is advantageous when analyzing
complex criminal networks, Scott (2000) refers to sociology researchers who argue that “complex
social structures can be seen as built from simple structures” [195] and say specifically about
the triad: “simple triadic structures are the building blocks of larger social structures, and the
properties of complex networks of social relations can, they argue, be derived from an analysis of
these building blocks” [195].
Figure 3.14: A triple of nodes gives rise to sixty-four possible triad configurations, 16 isomorphism
classes of which are shown here with standard MAN labeling (see text). The classes are organized
in columns, according to number of links present. (figure adopted from [240])
For directed networks, “a triple of actors gives rise to sixty-four possible configurations of choices
and non-choices” [240]. Figure 3.14 shows the 16 triad isomorphism classes (types) encapsulating
these sixty-four configurations (adopted from [240]). The triad types in Figure 3.14 are organized
in seven columns, and within each column the types have the same number of links present, where
a mutually directed link counts as two links (i.e., mutual dyad), from 0 in the first column to 6 in
the last column. Each triad class is labeled using standard MAN labeling, which consists of three
to four characters. The first character indicates the number of mutual dyads, the second character
the number of asymmetric dyads, and the third character the number of null dyads. Finally, the
fourth character, if present, is D for down, U for up, T for transitive, or C for cyclic [240].
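The MAN labeling described above can be checked mechanically. The following Python sketch is an added example (not code from the thesis): it labels a triad from its arcs and enumerates all sixty-four configurations to confirm that they fall into 16 classes spread over seven link counts. The function names and the sample network are constructed for illustration, and the D/U convention used for the 111 classes (111D: A<->B<-C) is the one commonly listed for the triad census, which the text does not spell out.

```python
from collections import Counter
from itertools import combinations, permutations


def man_label(a, b, c, arcs):
    """MAN label of the triad on nodes a, b, c.

    arcs is a set of (source, target) pairs; arcs touching other nodes are ignored.
    """
    mutual, asym = [], []  # mutual dyads as node sets, asymmetric dyads as arcs
    for u, v in combinations((a, b, c), 2):
        uv, vu = (u, v) in arcs, (v, u) in arcs
        if uv and vu:
            mutual.append({u, v})
        elif uv or vu:
            asym.append((u, v) if uv else (v, u))
    base = f"{len(mutual)}{len(asym)}{3 - len(mutual) - len(asym)}"

    if base in ("021", "120"):
        # Pivot: the node shared by the two asymmetric dyads.
        pivot = (set(asym[0]) & set(asym[1])).pop()
        out = sum(1 for src, _ in asym if src == pivot)
        return base + {2: "D", 0: "U", 1: "C"}[out]  # both out, both in, one each
    if base == "111":
        # Pivot: the node shared by the mutual and the asymmetric dyad.
        # Assumed convention: arc pointing into the pivot is D, out of it is U.
        pivot = (mutual[0] & set(asym[0])).pop()
        return base + ("D" if asym[0][1] == pivot else "U")
    if base == "030":
        out_degree = Counter(src for src, _ in asym)
        return base + ("T" if max(out_degree.values()) == 2 else "C")
    return base  # 003, 012, 102, 201, 210, 300 need no fourth character


def configuration_classes():
    """Class sizes over all 2**6 = 64 arc configurations of a labelled triple."""
    possible = list(permutations((0, 1, 2), 2))  # the six possible arcs
    sizes = Counter()
    for mask in range(64):
        arcs = {arc for i, arc in enumerate(possible) if (mask >> i) & 1}
        sizes[man_label(0, 1, 2, arcs)] += 1
    return sizes


def links_per_class():
    """Number of links in each class; a mutual dyad counts as two links."""
    return {label: 2 * int(label[0]) + int(label[1])
            for label in configuration_classes()}


def triad_census(nodes, arcs):
    """Count the MAN classes over every triple of nodes in a directed network."""
    return Counter(man_label(a, b, c, arcs)
                   for a, b, c in combinations(sorted(nodes), 3))


# Constructed sample: a mutual core A, B, C, with D reporting to A and E to D.
SAMPLE_NODES = ["A", "B", "C", "D", "E"]
SAMPLE_ARCS = {("A", "B"), ("B", "A"), ("B", "C"), ("C", "B"),
               ("A", "C"), ("C", "A"), ("D", "A"), ("E", "D")}

if __name__ == "__main__":
    print(len(configuration_classes()), "classes:", dict(configuration_classes()))
    print("census:", dict(triad_census(SAMPLE_NODES, SAMPLE_ARCS)))
```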
SINGLETON
We define a criminal network singleton as a structure consisting of one node that has zero to
unlimited links or associations to other entities in the criminal network. In online social networks,
a singleton is described as the type of user that does not connect with any other users [124]. This is
an interesting structural concept for criminal network investigation, e.g., when investigating lone
wolf terrorism [153]. Maybe the singleton does not have any relations to other users in the online
social network, but could have relations to entities in the real world, like persons, activities etc. A
challenge here will of course be the mapping between the online social network avatar of the individual
and the person’s identity in the real world [29]. In Sections 14.1 and 14.3, we discuss analysis of
criminal networks where single entities (individuals) played key roles.
As with triads and dyads discussed above, the singleton is useful for building patterns, based on the
experience of investigators (their heuristics), which can be used for searching and (visual) filtering
purposes. We illustrate this with a short discussion of a technique using importance flooding to
identify networks of criminal activity [139]. The technique uses three kinds of importance rules
(activity-based group rules, multi-group membership rules, and path rules), as shown in Figure
3.15. “Weights are assigned to rules, nodes are evaluated for group membership based on the rule,
and nodes are assigned initial importances scores equal to the sum of the weights of groups to
which they belong” [139].
3.3. LINEAR CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
Figure 3.15: Three types of initial importance rules. Examples of how singletons, dyads and triads
can form the foundations of rules and search patterns [139].
Figure 3.16: The intelligence cycle: “adapted from factbook on intelligence, office of public affairs, central intelligence agency (October 1983), p. 14” [113].
Figure 3.17: The intelligence cycle as “adapted from a briefing, the intelligence community, available at the director of national intelligence website (www.dni.gov)” [32].
While the intelligence cycles presented in Figures 3.16 and 3.17 are linear and mechanistic in
their approach, the cycle or circular visualization actually illustrates an important point, which
should be included in future designs of intelligence analysis processes. Bruce and George (2008)
say about their process model: “despite its simplification of what is a very complex process, this
conceptualization does underline the analyst’s pivotal role in transforming information provided
by various collection systems into judgment and insight for the policy customer” [32]. Clark’s
linear intelligence process model (shown in Figure 3.18) captures the two linear models discussed
above, as well as others.
The intelligence cycle of the Danish Defense Intelligence Service (DDIS) is described on their website [52] (in
Danish, see Appendix B.2 for original text). We have adopted the visual model shown in Figure
3.19 from the text version. The process is straightforward and individual steps resemble those
of the other linear processes discussed in this section: (1) the starting point is a prioritization,
considering the service’s tasks and resources, and the customer’s input; (2) next, it is outlined what
the service already knows, and what it wants to know, resulting in a formulation of the intelligence
need; (3) then follows intelligence gathering from open and closed sources; (4) intelligence gathering
is followed by analysis, and the hypothesis is tested with available information. If the information
doesn’t match the expectations, there might be a need to go back to (2), asking new questions
and formulating a new intelligence need; (5) finally a report is generated, preferably as precise as
possible, in which a special focus is put on the distinction between what is information and what
is an assessment made by analysts.
We make three interesting observations about the DDIS intelligence cycle: Although there is a
feedback loop from analysis to intelligence need, it is stated that it will only be needed if there are
new questions to be asked. From Figure 3.19 we can also see how the customer is actually “cut
out” of the loop: once the prioritization of the task is made, then DDIS takes over until analysis is
complete and a report can be generated for the customer. We find the recognition that analysis is
not something that one analyst can do alone positive; it is team work. However, it is stated that
it cannot be done by one person, which doesn’t recognize the negative impact that team work can
also have (see Section 5.5 on the creative process which discusses this aspect).
attention at all devoted to understanding how analysis might have been better and to laying out
any game plan for improving intelligence analysis on terrorism” [32]. The general problem seems to
be a lack of focus on the analytical process itself, also in policing where “process models generally
include some form of feedback or evaluation; however, there is a widespread paucity of evaluation
of police tactics and the intelligence process” [180]. We have therefore decided not to list failed
criminal network investigations and then try to sum up the failures of those investigations, knowing
that the summary would very likely be “a linear criminal network investigation process or mechanistic approach
was the key reason for intelligence failure. Compartmentalization was introduced, inhibiting in-
formation sharing”. Instead we review the Curveball case, which is a very good example of how
a transnational intelligence operation increases compartmentalization and can potentially lead to
war. The case is reviewed below in Section 3.3.1.
CURVEBALL
In this section, we take the intelligence process perspective on the intelligence estimates of weapons
of mass destruction (WMD) in Iraq: “In addition to faulting collection efforts, fragmented intel-
ligence community operations, management, and other aspects of the intelligence system, the
Silberman-Robb WMD Commission [45] was explicit in critiquing the analytic record as well as
the analytic process” [32]. We discuss how intelligence traveled from the mouth of an Iraqi de-
fector to the German intelligence services, crossing the Atlantic to CIA Director George Tenet,
who briefed the president and U.S. secretary of state Colin Powell. On February 5 (2003) Colin
Powell presented to the United Nations (UN) council the evidence against Saddam Hussein and his
allegedly active WMD program. The intelligence was based on a single source, an Iraqi defector
who manufactured a story based on open source UN reports and his work as a chemical engineer.
CIA director George Tenet convinced Powell that the intelligence was solid and in March 2003 the
U.S. and their allies invaded Iraq (without UN mandate).
Every piece of available intelligence was used for the UN presentation. Analysts created colored
3D versions of Curveball’s sketches and descriptions of mobile chemical laboratories (Figure 3.20),
recorded audio was transcribed onto slides and played simultaneously and various satellite photos
of mentioned locations were annotated with indications of suspicious activity.
Figure 3.20: 3D drawings used as evidence in UN presentation.
The Curveball investigation mainly involved overall tasks
concerned with translation, interpretation, and re-formulation of the contents of interrogation
reports crossing the Atlantic. Preparation of the evidence for the UN presentation involved linking
many different information types. Issues were information scarcity, versioning of information, and
most importantly compartmentalization between and within agencies: “Clandestine operatives are
trained to spread falsehoods. Intelligence agencies spin or hide the truth as a matter of policy and
law. And spy services, even close allies, routinely conceal information from each other” [59].
The channels through which the information traveled from Curveball to Colin Powell are depicted
in Figure 3.21 using pictures and in a schematic form in Figure 3.22. The Iraqi defector, ironically
codenamed Curveball, was interrogated by the German foreign intelligence agency BND. The
Germans normally interviewed Curveball in Arabic, using a translator, but the Iraqi spoke English
sometimes (and even started to use a few words in German). The BND sent German summaries
of their English and Arabic interview reports to the U.S. Defense Intelligence Agency (DIA) unit
in Germany (Munich House) as well as the British intelligence service (not in Figure 3.21).
The DIA team at Munich House translated the German back to English and prepared their own
summaries. The summaries were sent to DIA’s directorate for human intelligence in a high-rise
office building in Clarendon, Virginia. The directorate delivered 95 DIA reports to, among others,
the new CIA unit named weapons intelligence nonproliferation and arms control, also known as
WINPAC. WINPAC had been established to streamline CIA’s reporting and analysis of weapon
related threats, and reported to CIA’s analysis department. 700 analysts worked in WINPAC,
but only six analysts worked in the unit focused on biological warfare programs that handled the
Curveball reports. The biological warfare unit sent the reports up the CIA hierarchical ladder. At
some point they caught interest, and the CIA created new versions of the streamlined WINPAC
reports to put in the president’s daily brief, which George Tenet brought to the White House [242].
On February 5 (2003) Colin Powell presented to the United Nations (UN) council the evidence
against Saddam Hussein and his allegedly active WMD program.
We bring this lengthy account of the Curveball information’s journey because it illustrates how
many different compartments there were in the process, each compartment amending information
with their own interpretations and translations, based on the text given to them from the previous
compartment. The flow of intelligence reports and documents being sent between, assessed and
reformulated by different compartments, is shown in great detail in Figure 3.22.
“Here the goal is to construct a shared picture of the target, from which all participants
can extract the elements they need to do their jobs and to which all participants can
contribute from their resources or knowledge, so as to create a more accurate target
picture. [. . . ] It is important to note that the collaborative process is not a substitute
for competitive analysis - the process by which different analysts present alternative
Figure 3.22: Overview of the complete intelligence process from the interviews with Curveball to the President’s Daily Brief and secretary of state
Colin Powell’s presentation at the UN. The figure shows the many cycles of interpretation, summarization, rewriting and analysis the intelligence went through
before reaching its destination [59].
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.4. TARGET-CENTRIC
To create and evolve information technologies assisting criminal network investigators “requires
a deep understanding of the analytical processes that intelligence analysts carry out” [39]. Inves-
tigative teams from the terrorism and police fields are facing complex threat environments. As an
example experts across academia, business, and government sectors have indicated that terrorism
is becoming more amorphous, more complex, more sporadic, more amateurish, more difficult to
predict, more difficult to trace, and more difficult to observe and analyze [109]. This issue was
also outlined in the Home Office Strategic plan 2004-2008: “The growth of organized crime, fueled
by the ease of communication and travel, as well as the changing terrorist threat, have demanded
a significant shift in the way we operate”.
Figure 3.24: Gill’s cybernetic model [77], as reproduced with permission in Ratcliffe (2008) [180].
Within the investigative domain of policing, intelligence policing has produced many interesting
inputs toward a target-centric approach to criminal network investigation. As mentioned in Sec-
tion 3.3, the intelligence cycle “emphasizes the intelligence in intelligence-led policing, but not
necessarily the policing” [180]. Ratcliffe (2008) references Gill’s cybernetic model [77] (see Figure
3.24) as a positive development in that direction, because Gill (2000) in his process model has
embedded the assertion “that the reality of the intelligence cycle is that time and other constraints
play a limiting role on the ability of this ideal-type process to function as a cycle and that the
process in reality is more messy and complex, and that each stage is autonomous” [180]. Another
interesting feature of Gill’s model is the concept of the filter (or power screen) to indicate that, in
generic terms, some entity has influence on the process in question [77, 180]. Similar model filters
could also be used to indicate responsibilities during criminal network investigation.
We believe that human factors are a significant part of these other constraints mentioned above.
Our target-centric model for criminal network investigation (see Chapter 7) is inspired by Clark’s
target-centric approach to intelligence analysis [40]. However, while Clark’s model puts focus on
the shared target-model (common information space) between all stakeholders of the intelligence
process, he does not describe the human factors involved, e.g. human cognition and creativity,
when modeling emerging and evolving information structures. In a review of Clark’s book, Wirtz
(2006) states that the human element of identifying appropriate analytic techniques “limits the
effectiveness of the techniques identified by Clark: their success and failure rest on analysts’ initial
definition of the problem they face. If this cognitive framework is incorrect or unsophisticated,
then it is unlikely that even the most advanced analytical techniques will yield useful results”
[251] and concludes: “after all, no one has yet linked failure of intelligence to the fact that the
opponent had better equations” [251]. To summarize, while the target-centric approach creates
the right foundation for criminal network investigation process, there is a need also to include an
understanding of human factors and information structures, to improve further on this approach.
An example of how to work successfully in a target centric manner was Deuce Martinez, a CIA
top analyst, who was assigned to temporary duty in Pakistan to help pinpoint the location of Abu
Zubaydah. Deuce Martinez “was regarded as one of the best targeters the agency had” [146].
In the following quote Martinez has been flown into Pakistan and is briefed about the target
and available (limited) intel (see Section 3.5.2 for more details on that investigation), quotation
from [146]:
That list was later shortened down to two Faisalabad prospects, which were attacked simultaneously;
Zubaydah and two accomplices were shot, but Zubaydah survived long enough to be
interrogated [146].
The fact that Deuce Martinez did this targeting largely on his own (at least the analytical part,
he was given access to intel already processed by others) leads to another important point of the
target-centric approach: it is not an argument for group work, despite
being a human-centered process. Years of research show that group work does not create more
ideas or increase creativity [4]. We discuss human cognition and creativity in Sections 5.4 and 5.5.
A target-centric approach is about having a common information space, the target model, as a
frame of reference for the investigators on a team, so that no information is hidden from
other investigators at any time. This is in contrast to the traditional intelligence process reviewed in
Section 3.3, which introduces compartmentalization into investigations.
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.5. CASES
from year-long observations and experiences in the domain. For each review we set the scene
for the investigation to get the reader situated, followed by a description of the criminal network
investigation team and the investigative approach they take. Each review is concluded with
a summary of pre- and post-crime network structures, focusing on organizational meta structures,
building block sub structures, and complexities and emergent behaviors of the network information.
We will provide an overview of other criminal network investigation cases elsewhere (e.g., Section
5.7).
When The Wall Street Journal reporter Daniel Pearl was kidnapped on January 23 2002 in
Karachi, Pakistan, an elaborate investigation was started to figure out who the kidnappers were
and where they had taken Daniel Pearl. We have chosen this specific investigation for four main
reasons: First of all because of its complexity. It has been stated that societies where the police and
security services are weak, corrupt or compromised are more susceptible to terrorist attacks [252].
The leader of one cell involved in the kidnapping of Daniel Pearl, responsible for exterior relations,
was in fact a policeman who was part of an elite anti-terrorist unit, but also an Afghan war veteran
linked to Jaish e-Mohammad [128, 162]. Adding to the complexity of the investigation is
the city Karachi itself and its population that no one seems to know how to count: “there are
two million Afghans, Bengalis, Arabs, Sudanese, Somalis, Egyptians, Chechens, in short, foreign-
ers without papers forming an army of natural candidates for al-Qaida recruiting agents” [128].
Hence aliases play a key role because “you run up against the eternal problem of any investigation
into Islamist groups or al-Qaida in particular: the extreme difficulty of identifying, just identifying,
these masters of disguise, one of whose techniques is to multiply names, false identities, and
faces” [128].
THE TEAM
The investigative team (see Figure 3.25) consisted of Mariane Pearl (wife and French magazine
journalist) and Asra Nomani (Indian-born Muslim and reporter for the WSJ). After the Pakistani
authorities were involved, Captain (leader) and Dost (both representing a Pakistani counterter-
rorism unit) and Zahoor (also from Pakistan), joined the investigation. They are followed by four
Americans: Randall Bennett (regional security officer at the U.S. consulate in Karachi), two FBI
computer experts, and Maureen Platt. Finally, John Bussey (Daniel Pearl’s boss at the WSJ) and
Steve LeVine (fellow foreign correspondent at the WSJ normally posted in Kazakhstan) join the
team.
Mariane and Asra start a link chart (target model) on a white board when they realize Daniel is
missing (Figure 3.26). They add information as they discover it going through Daniel’s calendar
and computer. They work asynchronously, taking turns adding text (mainly person names) and
directed links (relations) to the chart. As more and more information is added, the link chart
becomes increasingly complex. Attributes like phone numbers and pictures are added to the
existing text entities. As more relations between persons are discovered, their lines start crossing
each other and symbols like colored shapes are used to highlight and differentiate information.
Figure 3.25: The team investigating the kidnapping of Daniel Pearl.
Figure 3.26: Link chart complexity has increased significantly.
Figure 3.27: The network behind the kidnapping of Daniel Pearl as synthesized by The Pearl
Project [227] using Palantir software [5], a tool reviewed in Section 4.1.
When the team encounters a dead end, the link chart is used to go through missing information
that would potentially reveal something important. Team members joining the investigation late
(e.g., Steve LeVine) use the chart to get up to speed on things.
The type of information related to the Daniel Pearl investigation and the environment in which
it takes place is very complex. In Karachi there are two million foreigners without official papers
forming an army of potential candidates for Al-Qaeda kidnapping operations. The Daniel Pearl
investigation was “up against the eternal problem of any investigation into Islamist groups or
Al-Qaeda in particular: the extreme difficulty of identifying, just identifying, these masters of
disguise, one of whose techniques is to multiply names, false identities, and faces” [128].
THE NETWORK
The post-kidnapping network shows some well defined structures, that we review here. The pre-
kidnapping network (i.e., the investigation) faced information complexities and dynamics, which
we will also review here since it represents important knowledge about the early stages of criminal
network investigations.
The organizational meta structure of the Daniel Pearl kidnapping network was cellular with
6 distinct cells as shown in Figure 3.27. The prominent and interesting sub structures of the
network are the individual cells. Each cell in the kidnapping network was a tightly knit clique:
Khalid Sheikh Mohammad allegedly brought his nephews for the killing of Daniel Pearl; Fahad
Naseem and Salman Saqib, responsible for sending out ransom notes, were cousins. Omar Saeed
Shaikh was the mastermind bridging them together and transmitting orders around the network.
We find that several complexities and emergent behaviors were introduced into the Daniel
Pearl investigation. Aliases as mentioned above (multiple names, false identities, and faces), made
the identification of individuals involved in the investigation very difficult. The social and political
context the criminal network investigation team had to work and navigate in was very complex
and hence an obstacle to progress. Omar Saeed Shaikh recruited individuals for the different cells
only a few days before the kidnapping, and this sudden emergence of the network helped keep
it secret and hence protected from detection. The fact that Daniel Pearl was meeting Shaikh
Gilani on the day of his kidnapping made Gilani the obvious suspect in the team’s “who did it?”
hypothesis. Unfortunately, the hypothesis was wrong.
As we saw in the previous criminal network investigation case (and as we will see in later
investigations as well), Khalid Sheikh Mohammad (KSM) has an important role in many of them.
In the investigation of Daniel Pearl’s kidnapping (Section 3.5.1), KSM was later revealed to have
performed and video-recorded the murder of Daniel Pearl assisted by two of his nephews [146,227].
McDermott and Meyer (2012) describe how KSM had safe houses throughout Afghanistan, and an
elaborate logistics network, though his connections with high ranking Afghan Taliban individuals
are unclear - we summarize an interview with van Linschoten about the Afghan Taliban network
in Section 15.2.1 and have also studied his book on the subject [134]. KSM was a key figure in the
al-Qaeda organization (al-Qaeda and affiliated movements (AQAM) is reviewed in Section 14.3).
KSM is the uncle of the world’s most famous Islamist terrorist before 9/11, Ramzi Yousef: “Yousef
had attempted to blow up the world trade center in 1993, killing six people, wounding scores of
others, and causing hundreds of millions of dollars in damage” [146]. KSM played a minor role
by wiring 660 dollars to an accomplice of Yousef (Basit), for the planning and execution of the
attack. Basit ended up using 3000 dollars on building a bomb. KSM and Yousef then went to
the Philippines planning to assassinate “the Roman Catholic pope and the American President
Bill Clinton, and blow up a dozen American flagged jumbo jets in flight over the pacific” [146].
“KSM was secretly indicted in the US in 1996, thanks to [Pellegrino and his team]. When the
indictment was unsealed, no one noticed. If your target wasn’t al-Qaeda, it didn’t matter” [146].
Shortly after 9/11 Abu Zubaydah informed FBI agents that KSM was the mastermind of 9/11 [146].
The hunt for KSM continued until one year after 9/11.
THE TEAM
After 9/11 (2001) many agencies and even more agents were assigned to the KSM case, but we
focus on the initial case officer Frank Pellegrino and his investigation partner, Michael Besheer.
Pellegrino is the personification of the artistic creative type [210]: “Pellegrino was the real deal
[. . . ]. Everybody wore by and large what might as well have been FBI issued dark suits. Their
desks were perpetually clean. Pellegrino’s was a mess. By outward appearances so was he. His
hair was long, at least by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ].
He was always busy, always late, always in a hurry” [146]. “Free association analytical work”
is Pellegrino’s basic approach. Michael Besheer on the other hand, is the focused, rational, and
conscious investigator. Besheer’s approach to collecting evidence was always the same, no matter
the size of the task, in the following example a plane: “Parts of the plane had to be disassembled,
examined, tagged as evidence and shipped to New York to be used as exhibits in a trial. His
attention to detail was perfectly suited for the task” [146]. See Section 5.4.2 for a more detailed
review of Pellegrino and Besheer’s collaboration and cognitive approach to investigation.
The hunt for KSM has been called the most fragmented investigation in U.S. history [146], spanning
multiple terrorist attacks prior to and after the 9/11 attacks (2001). As such, it is difficult to
categorize the investigation to catch KSM as following either a linear process or a target-centric
approach, since it actually comprises many investigations.
To avoid the pitfall of setting intelligence failure equal to information sharing [32], we list the
investigative efforts rooted in analytical process and tasks that inhibited the investigation progress:
The first failure was excessive adherence to the complete analyst skill that says: “self-confidence to
admit and learn from analytical errors” [32]. Before 9/11 important leads had been missed, and
after 9/11 there was a “white-out” of information. The 9/11 attacks created so much information
that no one could make sense of it all: “there was no shortage of information. There was too
much – a blizzard of it, a white out so complete investigators routinely lost their way in it” [146].
The second failure was that the two main agencies on the investigation (FBI and CIA) had very
different approaches: “the FBI, given its criminal investigation into the 9/11 attacks, was primarily
concerned with the past, with what had happened, with the crime that had been committed.
The CIA was interested in the future, what might happen tomorrow, or even today. The FBI
wanted evidence; the CIA needed intelligence” [146]. In our opinion, the third failure of the
KSM investigation was the removal of the case officer Frank Pellegrino from the investigation; the
investigator with the most subject matter knowledge.
THE NETWORK
The organizational meta structure of KSM’s criminal network is a flat structure. KSM was a
freelancer and an entrepreneur who over the years created his own network of contacts, however
tightly embedded it was (became) in the al-Qaeda organization and other (smaller) organizations
with allegiance to al-Qaeda, like Hambali’s Jemaah Islameyah [146]. Based on these observations
it would be fair to argue that KSM’s network resembled a social network of business
contacts. He had relationships with individuals that had certain abilities that could help sort
different problems when needed, often logistical problems. Interesting sub structures in KSM’s
criminal network are the network cells that he deploys throughout the world to carry out terrorist
plans hatched somewhere else. An early example was his nephew Basit (also known as Ramzi
Yousef) and the people he recruited for the World Trade center bombing in 1993.
The complexities and emergent behaviors in the KSM investigation are similar to those
of other investigations into transnational terrorism or national security matters (e.g., see the
Curveball case in Section 3.3.1). KSM used up two dozen aliases but curiously also sometimes
traveled under his own name [146]. He was able to stay under the radar, not leaving any too
obvious evidence around, or his worldwide network helped him, either by hiding him or warning
him before raids. Agency bureaucracy and inter-agency communication problems also inhibited
and stalled investigations and sharing of important information.
The two homicide investigations that we use as an example here were investigated by detectives
from the Baltimore Police Department’s homicide unit during 1988. In 1988, there were 234
homicides in the city of Baltimore. “The vocabulary of the homicide unit recognizes two distinct
categories of homicides: whodunits and dunkers. Whodunits are genuine mysteries; dunkers
are cases accompanied by ample evidence and obvious suspect” [204]. Both the investigations
described here were of the genuine mystery kind, which is why we found them relevant for analysis.
The body of Latonya Wallace, 11 years old, was found in the alley behind a residential block in the
city’s midtown. She lived three and a half blocks away with her mother and stepfather. She went to
the library on a Tuesday, and was seen leaving the library, disappearing “into the daytime bustle of a
Baltimore street and vanished” [204] until her body was found the following Thursday in the
morning. The John Scott homicide starts with John Scott stealing a car. A car chase begins,
and when the police catch up with John Scott, he leaves the car and starts running. An officer
starts pursuit on foot, but trips while releasing his gun from its holster and accidentally
fires a round in the direction of John Scott. Moments later John Scott is found dead by other police,
face down and with a bullet in his back. It seems to be a dunker, but it turns out that the bullet in
John Scott’s back was not from the police officer’s service weapon; a genuine mystery.
THE TEAM
Homicide detectives usually work in pairs, where one is the primary investigator. The primary
investigator owns the crime scene, and to a lesser degree the investigation. There are two shifts, the
night shift and the day shift. Simon (1991) follows the shift led by lieutenant Gary D’Addario. The shift
has three squads of five detectives, each led by a squad supervisor (Detective Sergeant). When a
little girl is shot or a police officer is involved in a shooting, the whole shift takes on the task of
investigating those murders.
The investigator who answers the phone will become the primary investigator, and the secondary
investigator will depend on whose turn is up, or simply who is nearby and free when the phone
is answered: “by that argument, the repetitive violence of the city’s drug markets betrayed the
weakness in the homicide unit, namely that investigations were individual, haphazard and reactive”
[204]. Sometimes investigators participate in more long-term, surveillance based (intelligence-led)
investigations: “Edgerton’s detachment from the rest of the unit was furthered by his partnership
with Ed Burns, with whom he had been detailed to the Drug Enforcement Administration for an
investigation that consumed two years. [. . . ] Unable to prove the murder, Burns and Edgerton
instead spent months on electronic and telephone surveillance, then took the dealer down for drug
distribution to the tune of thirty years, no parole.” [204].
THE NETWORK
The network structures of homicide investigations are not focused on social networks (i.e., mainly
with person entities) as in the investigations described earlier in this chapter. The complexities
and dynamics are also somewhat different, as outlined below.
There isn’t much organizational meta structure to a dunker homicide investigation. Typically
there is the victim, the assailant still at the crime scene, admitting to committing the murder and
holding the weapon that was used to do it. The whodunit investigations also have a victim, and
then none, one, or multiple suspects. The meta structure of a whodunit investigation can be seen as
a star network [240], with the victim at the center, and then each surrounding node represents
a suspect (an individual or a group of individuals), who has their own network of home address,
friends, time lines, etc.
Again, the sub structures of homicide investigations are not focused on social networks, like
many of the other investigations discussed above, but focus on other aspects (evidence). A lot
of reasoning structures exist in reactive policing. “A body in an alley leaves a detective with
questions: What was the dead man doing in that alley? Where did he come from? Who was
he with?” [204]. The time line mentioned below is also used for reasoning, e.g., in relation to
time of death. If time of death was at this particular hour, we create these hypotheses, but if
it was 10 hours later, then we can create these other hypotheses. Since it was suspected that a
cop had shot John Scott, all the radio communication from that night was transcribed, in order
to match it up with statements taken from police officers during interrogation. Time lines are
used extensively in the Latonya Wallace case to match the alibis of suspects with a chronology
of events as the investigators have synthesized them at the time of interview with the suspects.
The crime scene presents a network of physical evidence related to the scene and the victim.
Homicide detectives typically solve cases by the use of physical evidence, and not first establishing
the motive, as it is often portrayed in movies, tv shows, etc. When detective Edgerton realizes
that Latonya Wallace’s body may not have been carried into the alley from the ground, but could
also have been carried down from the fire stairs he draws a map. “Edgerton taped two sheets
of letter paper together and divided the space into sixteen long rectangles, each representing one
of the sixteen adjoining rowhouses on the north side of Newington Avenue. In the center of the
diagram, behind the rectangle marked 718, Edgerton crudely drew a small stick man to mark
the location of the body. Then he indicated the location of the fire stairs at 718, extending from
the rear yard to a second-floor landing and then the roof, as well as other fire stairs and ladders
on other properties” [204]. Edgerton uses the drawing to narrow down the houses with roof top
access, which means a person could have carried the body down from the roof and put it in the alley.
Complexities and emergent behaviors are introduced in several ways. The location of the
crime scene can add many new complexities to an investigation. The crime scene could be on
the street, in an alley, or in a row house, each place associated with different challenges [204]. A
homicide detective has three open cases on his desk at all times. On top of that, the bosses may
decide that the homicide unit needs to focus on a particular series of murders for political reasons.
The shift commander assigns the investigations of detectives busy with other prominent cases to
new detectives, ruining their previous leg work and trust built up with informants etc. But the
shift commander is often under pressure to raise the clearance rate and may see no other way.
Information may change for homicide investigations in many different ways, e.g., in the Latonya
Wallace investigation the autopsy showed two meals in her stomach: one nearly digested meal of
spaghetti and meatballs, and one only slightly digested meal of hot dogs with sauerkraut. This
information is used to give an estimate of time of death. But deep into the investigation the
criminal network investigation team learns that Latonya’s school did have those two
meals on the menu on two consecutive days, but each was in fact a day earlier than
the police were initially informed, changing an important parameter in the estimate of time of
death, and hence also the basis of many hypotheses. Witness statements can change many times
during an investigation. The general thought is that suspects lie, often for no reason, and the
investigators use physical evidence from the crime scene to catch the witnesses lying and make
them tell the truth. A typical example is mentioning something that was or wasn’t at the crime
scene, formulating interrogation questions accordingly.
ability to describe investigative context is exceptional. By context, we mean factors such as power,
the pros and cons of law enforcement culture, distribution of resources, and the impact of politics
that ultimately can decide the success or failure of investigations [34].
The organized crime investigation begins with narcotics lieutenant Cedric Daniels being ordered
“to organize a detail of narcotics and homicide cops to take down Avon Barksdale’s drug crew which
runs the distribution of heroin in several of Baltimore’s projects. Realizing that low-level
buy-and-busts are getting them nowhere, the detail of cops [...] add visual and audio surveillance
to their law enforcement tools” [34]. The team is provided with office space in a basement, from
where they can work the case and monitor the many wires they set up in an attempt to map out
the network of individuals in the Barksdale organization.
THE TEAM
The criminal network investigation team has one narcotics lieutenant (Daniels) who is the team
leader, four detectives, three police officers, and one informant. The lieutenant manages the team
and is the final decision maker, the detectives take care of investigation and following leads, the
police officers bring people in, take pictures, and so on. The informant provides the team with
inside information from the streets, e.g., how to dress if a police detective is going undercover.
A senior police officer, recognizing that “all the pieces matter”, is put in charge of information
collection and processing and he starts adding snippets of information onto the investigation
board shown in Figure 3.28a. The board functions as the team’s common information space.
Figure 3.28b shows some of the information entities used on the investigation board. There are
polaroid close-ups of individuals, and two types of text cards: one with meta information about
entities and one functioning as headers. In the middle, there is a surveillance photo and at the
bottom a newspaper clipping.
Figure 3.28: The Wire case - a shared information space, in this case a physical board (left), with
different types of information entities (right).
THE NETWORK
The organizational meta structure of the Barksdale organization is a hierarchical and somewhat
flat structure, that maintains a top-down chain of command as shown in Figure 3.29 [10,206,249].
The top consists of the leader Avon Barksdale, his second-in-command Stringer Bell who administrates
and manages the organization, and Avon’s sister Briana Barksdale, who is responsible
for the financial side together with Stringer. Maurice Levy is the organization’s lawyer who offers
legal advice and acts as defense lawyer for members of the organization. At the bottom of the
organization are the drug selling crews: typically a crew is responsible for a high-rise building,
an area in the low-rises, or a street corner (so-called open-air drug markets [221]). Each crew
has a chief, one or more high ranking lieutenants who control a number of dealers and runners,
responsible for arranging a buy, getting the money, retrieving the drugs from a nearby location
and handing it over to the buyer. For communicating strategies and commands to the crews,
the leadership (primarily Stringer) has lieutenants to enforce his commands (in season one Anton
Artis and Roland Brice work as the lieutenants), and they in turn have their enforcers who they
forward tasks to. But Stringer Bell also shows up in person to ask crew chiefs to solve specific
tasks or follow a new strategy.
Figure 3.29: The Barksdale organization in season one of The Wire, chart from [249].
Figure 3.30: The Barksdale organization in season two of The Wire, chart from [249].
Interesting network sub structures are the crews (or gangs), groups working their individual
corners. The lieutenants function both as bridges between the leadership/top and the crews and
as enforcers of orders from the leadership, in terms of destabilizing other organizations, etc.
Complexities and emergent behaviors are (again) introduced in several ways. The complexities
of a surveillance-based investigation like that of the Barksdale organization are a bit different from
the complexities related to counterterrorism investigations. Examples include communication
encryption used by the drug crews, e.g., applying a numerical encryption to phone numbers sent
via pagers, or taking pictures to designate where to meet [10, 206]. The legal framework is also
responsible for some complexity. To arrest someone for dealing drugs (off a street corner) you
typically have to catch the individual receiving money and then handing over the drugs. The
crew running the street corner can circumvent this by having one person receive the money, a
runner get the drugs from a stash, and then a third person deliver the drugs around a corner or at
the purchaser’s car. The police often make an undercover cop buy the drugs to be able to arrest
individuals on a street corner (buy and bust).
Dynamics are introduced by emergent and evolving information and political and management
decisions: When investigations start, criminal network entities are often associated in other ways
than through well established relationships to other entities. First, the entities are randomly
positioned in the information space and maybe only a few are directly linked (e.g., the known
accomplices of the target). Later, more entities are linked, groups are created, and structures
emerge. During the first iterations, spatial associations like entity co-location play an important
role. A spatial association with certain semantics could be entities placed in close proximity of each
other to indicate a subgroup in the network or snippets of information about a certain individual.
Or entities might be placed above and below each other to indicate hierarchical importance. And
it may take many iterations before it is clear what attributes (entity meta data) are relevant as
input for analysis algorithms. In other words, “semantics happen” [197].
3.6.1 Policing
Reactive policing is getting competition from intelligence-led policing, more information is being
gathered and used, but evidence from interrogations and other street human intelligence weighs
heavily; human factors play a large role for that aspect, less so for the analytical methods. We
describe process models, information, and human factors related to policing below.
Process (e.g., [7,53,83]). Many models have been developed over the years, ranging from reactive
community and problem-oriented policing models to the more proactive intelligence-led and
terror-oriented (i.e., political) policing models. These models run in parallel to the traditional
law enforcement model characterized by its paramilitary and bureaucratic “command
and control” structure, and focus on incident-driven response to calls for service. Police
investigations include a variety of tasks like criminal profiling, crime scene analysis, data
processing, and storing and sharing of information.
Figure 3.31: A criminal network investigation example illustrating the preferred approach to
analysis for policing, counterterrorism, and investigative journalism investigations. The screen
shot is from the Daniel Pearl investigation, where two investigators are discussing the relevance of
one individual’s connection to the terrorist organization Jaish e-Mohammad.
Information (e.g., [10, 53, 204]) Most information produced by police officers is difficult to represent
and thus to access and communicate due to its nature. Police knowledge tends to be
implicit and experience-based. Human intelligence includes statements from witnesses and
informants living on the street. A whodunit homicide crime scene produces a lot of physical
evidence like crime scene photos, lifted fingerprints, hairs, etc., which gets examined and
cataloged. Surveillance is used on bigger investigations producing signal intelligence such as
audio (telephone calls), pager communication, and video.
Human Factors (e.g., [204, 210, 239]) As mentioned, police knowledge tends to be implicit and
experience-based, e.g., the questions an investigator asks himself or witnesses when confronted
with a complicated investigation, or what approach to use when you have a certain
type of individual in the interrogation room. Other human factors relate to problem solving:
detectives must have an ability to “think out of the box” and associate different items, facts,
and individuals from the crime scene and investigation to come up with new hypotheses
that could potentially solve a standstill case. The capacity of a detective’s working memory
decides how many entities he or she can juggle when processing information.
3.6.2 Counterterrorism
Counterterrorism investigations are by far the investigation domain with most focus on keeping
information classified; information is often signal and imagery intelligence, and human factors relate
more to creativity and cognition for analytical abilities. We describe process models, information,
and human factors related to counterterrorism below.
Process (e.g., [39, 40, 178]). Before 9/11 (2001), investigations were mainly handled by a nation’s
security services, but are now moving toward joint operations with police in what is often
Information (e.g., [40, 146, 214]) Counterterrorism information mainly uses secret intelligence
obtained from surveillance such as satellite imagery or phone calls. Open source intelligence
is information readily available for everyone and has been found to actually represent 80% of
the value, whereas secret intelligence has been found to represent only 20% of the value. Information
can vary from knowing whether it will be full moon and the fields have just been harvested
before inserting troops on the ground in a foreign country to year-long surveillance (video,
audio, infiltration, etc.) following a group’s increasing radicalization and knowledge of bomb
making right up to the point prior to a terrorist attack.
Human factors (e.g., [146, 225]) Given the often proactive nature of counterterrorism efforts, a
lot of “free association” and “out of the box” thinking is often required to generate hypotheses
about potential outcomes.
Process (e.g., [101,128,136]). While police and counterterrorism units enforce the law, investigative
journalism often results in the first rough draft of (new) legislation. It has helped bring
down governments, imprison politicians, reveal miscarriages of justice, and shame corporations.
Classical investigative journalism was primarily about digging. It was done on the
street, talking to people, drinking in bars, while tracing down leads, all the time scribbling
notes on scraps of paper and stashing them away in files and boxes. The human factor is
still important (see below), but the availability of computer-assisted reporting tools to search
public databases and the online open source information overload has changed the game
forever. Everything has become more complex, and the investigators are adapting to this new
situation.
Information (e.g., [120, 162, 204]). Investigative journalism is still to a certain degree based on
human intelligence (interviews with anonymous sources), especially in areas where a lot of
local information might not be available online. Other sources are open source intelligence for
background checks or similar, database searches, interviews with relatives, colleagues, etc.,
pictures by photographers, and own audio from interviews. Information could also be the investigative
journalist’s own observations, e.g., spending a year in a Baltimore police department homicide
unit. Maybe a journalist will gain access to otherwise classified information, government or
commercial, again based on interviews with anonymous sources.
Human factors (e.g., [128, 146]). Experience and tacit knowledge (ability to ask the right questions,
personal network, etc.) are key tools for a successful investigative journalist. Mind
mapping abilities (linking together facts for correct understanding and coherent stories) are
important, just as when a homicide detective is trying to understand a complicated crime
scene. A journalist can sometimes have an advantage in gaining access to interviews and
information, since the journalist is the protector of civil liberties and the voice of the people,
while police officers and secret agents might have more trouble getting people to talk about
an incident.
CHAPTER 4
Related work
Existing work related to criminal network investigation falls into two categories. Related work
from various research fields has provided much inspiration in the design and development of
CrimeFighter Investigator. This type of related work is reviewed in Section 5.1. The other type of
related work is centralized around tools that support criminal network investigation tasks. This
chapter focuses on such tools. A comparison of our approach against existing work in that area is
described in Chapter 15.
A number of existing tools support criminal network investigation processes and tasks. The tools
have been selected to cover prominent commercial tools (Section 4.1), tools actually used by
investigators, as well as research prototypes (Section 4.2) and tools for investigative journalism
(Section 4.3) to get a comprehensive overview of the state-of-the-art tool support for criminal
network investigation tasks. We find the review of investigative journalism tasks relevant, due to
the supported tasks.
Our analysis of state-of-the-art tools is mainly based on open source material (tool websites,
reviews and blogs, academic papers, etc.), but for a few of the commercial tools, statements
from end users have also been included. Naturally, the commercial tools have lots of information
about their products on their website, but while there are many colorful screen shots and videos,
and statements generated by the marketing department, there isn’t much technical depth to that
material (with Palantir Government providing most technical explanations through the videos on
their site). The research prototypes on the other hand are described with a technical point of view
in academic papers, but other than that, not much material can be found (except if papers mention
research prototypes other than their own). Network analysis tools, frameworks, and libraries get
perhaps the best open source coverage, since they are used by everyone when building their tools:
the technologies are described in detail in academic papers, journal papers and books; their usage
and examples thereof are provided by all the researchers, developers, and companies who utilize
the technologies; even the software itself is often open source.
4.1. COMMERCIAL TOOLS CHAPTER 4. RELATED WORK
For each of the reviewed tools, we focus on support of criminal network investigation tasks. Our
related work review is applied later, in Chapter 15, where we compare the capabilities of these
state-of-the-art tools from the policing, counterterrorism, and investigative journalism domains
against each other and CrimeFighter Investigator (see Section 15.3). The analysis of conceptual,
structural, and mathematical models is also used later for a capability comparison of the tools on
those parameters.
The remainder of this chapter is organized as follows: we start out with a review of commercial tools
in Section 4.1 covering Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer
6.0, and COPLINK. We indicate the tool versions to set the boundaries of our analysis. Next, we
look at research prototypes in Section 4.2, covering The Sandbox for Analysis, POLESTAR, Aruvi,
and mentioning a new research prototype, Dynalink. Tools for investigative journalism are
reviewed in Section 4.3, covering Namebase.org, Mindmeister, and a range of simple tools.
SPECIFIC FEATURES
Analyst’s Notebook supports “flexible data acquisition via intuitive drag-and-drop, importing or
multiple database access capabilities” [108]. Another interesting import feature is that “when
importing data into Analyst’s Notebook 8, users now have the ability to export transformed data
into a comma separated or tab separated file allowing them to save and reuse the transformed
version of their original file” [104]. Analyst’s Notebook supports column actions on import [107],
such as Add Prefix (“Adds text or values immediately before the values imported from a data
column”) and Extract Portion of Text (“Extracts a specific portion of text or data from a data
column”).
AN supports information elements and relations, and visualization of groups in a network (see
Figure 4.1). A range of 3D icons are supported as visual abstractions for information elements,
e.g., ‘male person’, ‘telephone’, and ‘refugee center’ in Figure 4.1. Information elements are cre-
ated using drag and drop from a special pane, and attributes are added to information elements
also using drag and drop from a similar pane [104]. As mentioned, relations between information
elements are supported and Figure 4.1 (upper left corner) shows simple examples such as ‘asso-
ciate’, ‘address’, and ‘subscriber’. Three types of directed links are supported: multiple, directed,
and single. If information elements are phones, then the type multiple can be used to indicate
number of phone calls between the two phones at different times of day. The type directed can be
used to indicate phone calls from phone a to phone b and vice versa, and the type single could
have the total number of phone calls between the two phones. Group entities (composites) are not
supported, only indirectly using visualizations (see Figure 4.1). That also means that information
cannot be collapsed or expanded. All information found relevant for the investigation exists at the
same level in the information space, and then parts of it can be highlighted or emphasized using
various filters, histograms, etc. [2, 104, 107]. AN supports multiple information types, e.g., drag
and drop of pictures onto information elements to add the picture as a visual abstraction.
The focus of AN is on visual analysis. It has support for many perspectives on information such
as visual symbols in the information space, chronologies of events, heat matrices (e.g., indicating
during what time spans crimes occurred in the past), positioning of information entities onto maps
to do geographic analysis, etc. AN has strong support of social network analysis and visualization
thereof. Multiple centrality measures (eigenvector, betweenness, degree, and closeness) can be
selected to run simultaneously, the results of which are visualized using color and entity size in
the information space.
Finally, AN supports the generation of a wide range of reports for dissemination of analysis results.
Creating hypotheses in a collaborative manner is not supported, but in one product video [105]
there is an example of analysts who are asked to assemble a single target profile. While they are
working they can comment on and review each other’s work, and when finished they can assemble
their work into “a multi-dimensional report”.
Figure 4.1: Augmented screen shot of Analyst’s Notebook illustrating supported entities and concepts: information elements and relations, various
visual symbols, a satellite view, tabbed panes with e.g., chart creation tasks and examples of visual filtering for different purposes. (source: [2])
control model, revisioning database and immutable audit logs. Palantir also used existing legislation
as guidelines on how to address ethical issues in implementation [223], e.g., the 9/11 commission
implementation act [152].
Our analysis of Palantir Government is based on open source material such as white-videos (e.g.,
[191, 194, 237]), video demonstrations (e.g., [230]), white-papers (e.g., [222, 223]), and academic and
other papers and articles (e.g., [26, 161]). For the intelligence community, Palantir has described
an intelligence infrastructure where visualization and link analysis is the “top of the iceberg” in
a layered architecture comprising the four layers data integration, search & discovery, knowledge
management, and collaboration [192], as shown in Figure 4.2.
Figure 4.2: Visualization and Link Analysis is the “top of the iceberg”, in a layered architecture
comprising the four layers Data Integration, Search & Discovery, Knowledge Management and
Collaboration (source: [192]).
SPECIFIC FEATURES
Palantir Government has a data integration platform, which is a framework for data integration
with “a powerful model that accommodates every kind of enterprise data source” [194], structured
and unstructured, such as online sources, databases, text files and spread sheets [192, 194]. To
get an understanding of what Palantir means by structured and unstructured data, we use an
example from a counterterrorism demonstration video [230]. In this video, a text file (document)
describes an investigation asset meeting three other individuals at a charity event. When the
document is viewed in a so-called Browser, some entities, such as names and email addresses, are
recognized and highlighted as if they were hyperlinks in a web browser. The entities were
highlighted using one of several entity extraction methods (automated or manual). If automated
extraction is used, errors will occur and not all important entities are highlighted (e.g., the home
address of an individual). The user now has the option to manually extract entities such as phone
numbers and addresses, indicate their type, and link them to the already recognized entities
(individuals) in the document. Furthermore, entities can be merged (i.e., they represent the same
entity) using drag and drop, so the data becomes increasingly structured [230].
In general, Palantir data integration focuses on the importance of supporting open formats and
application programming interfaces (APIs): “you need a platform that allows you to import
information, interact with that information, and then get it out of the system” [194]. This is a
short but precise description of the purpose of criminal network investigation tools. The object
(entity) model of Palantir Government is very impressive. It has its own separate architecture layer
between the data storage and the end user (analysts, developers, and administrators), as shown in
Figure 4.3 (left). This separate layer for the data model leverages “lossless data abstractions” [237],
making it possible to “track every piece of information back to its source” [237] (see Figure 4.3,
right).
Figure 4.3: The object model has its own separate architecture layer between storage and end
user (left). This approach secures lossless data abstractions, even with multiple sources forming
the basis for object properties, e.g., name or email (right). (source: [237])
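The “lossless data abstraction” idea described above, sketched as an added Python example (not code from the dissertation or from Palantir): every property value is stored as an assertion tied to its source and extraction method, so merging two entities keeps conflicting values and their origins. All class, function, and sample names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assertion:
    """One property value plus the record of where it came from."""
    prop: str
    value: str
    source: str   # identifier of the source document or database row
    method: str   # "automated" or "manual" entity extraction


@dataclass
class Entity:
    entity_id: str
    entity_type: str
    assertions: list = field(default_factory=list)
    merged_from: list = field(default_factory=list)

    def add(self, prop, value, source, method):
        self.assertions.append(Assertion(prop, value, source, method))

    def values(self, prop):
        """Every distinct value of a property, mapped to the sources backing it."""
        backing = defaultdict(list)
        for a in self.assertions:
            if a.prop == prop and a.source not in backing[a.value]:
                backing[a.value].append(a.source)
        return dict(backing)

    def conflicts(self):
        """Properties on which the sources disagree; kept visible, not resolved."""
        props = {a.prop for a in self.assertions}
        return sorted(p for p in props if len(self.values(p)) > 1)

    def trace(self, prop, value):
        """Track one piece of information back to its source(s)."""
        return [(a.source, a.method) for a in self.assertions
                if a.prop == prop and a.value == value]

    def without_source(self, source):
        """Copy of the entity as it would look if one source were discredited."""
        kept = [a for a in self.assertions if a.source != source]
        return Entity(self.entity_id, self.entity_type, kept, list(self.merged_from))


def merge(keep, other):
    """Merge two entities judged to represent the same real-world object.

    Assertions are concatenated, never reconciled or overwritten, so every
    value can still be traced to the source it was extracted from.
    """
    if keep.entity_type != other.entity_type:
        raise ValueError("refusing to merge entities of different types")
    return Entity(keep.entity_id, keep.entity_type,
                  keep.assertions + other.assertions,
                  keep.merged_from + [other.entity_id] + other.merged_from)


def demo():
    # Constructed sample records; names, addresses and file names are invented.
    a = Entity("e1", "person")
    a.add("name", "J. Doe", "report.txt", "automated")
    a.add("email", "jdoe@example.org", "report.txt", "automated")
    a.add("address", "1 Example Street", "report.txt", "manual")  # missed by automation
    b = Entity("e2", "person")
    b.add("name", "John Doe", "contacts.csv", "automated")
    b.add("email", "jdoe@example.org", "contacts.csv", "automated")
    return merge(a, b)
```

Calling `demo().conflicts()` shows that the two spellings of the name survive the merge as a visible disagreement between sources instead of one silently winning.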
Palantir Government supports nodes, links, and groups for synthesis and “users interact with
their data as first order conceptual objects” [237]. It is our impression that objects only cover
the nodes in criminal networks, not the relations between nodes nor the groupings of nodes, links,
and groups, especially since we are to think about objects “as empty containers or shells, within
which we fill attributes and other information about them. Examples of entities could be people,
places, computers, phones, events like meetings or phone calls, or documents like email or message
traffic” [237].
“We haven’t encoded any semantics into the object model itself. The organization actually gets to
define their semantics using a tool called Dynamic ontology” [237]. Palantir Government supports
directed links, either representing single relationships or multiple as shown in Figure 4.4, where
there are multiple relations for each link (each one represented by a circle with an icon). The
technological support for relationships as a means of connecting objects is based on ontologies, as
shown in Figure 4.6. There is one ontology for objects, one for relationships, and one for object
properties (attributes).
Figure 4.6: Palantir Government supports an object model that is different from the ontology
describing relationships, objects, and properties (left). On the right is an example of an object
model with an ontology. (source: [237])
Palantir Government supports group objects to which other objects can then connect (see Figure
4.5, left). While the group is expanded, we notice that the group icon remains in the space. When
the group is collapsed, all the connected objects are hidden (see Figure 4.5, right).
Palantir Government also records a history of the user’s actions. This means that investigators
can return to a point in an investigation, i.e., a point where a certain action was done by the
investigator (e.g., a search). However, if the investigator makes a change now, a branch is created
in the investigation, visualized with a new icon in the history bar, indicating the number of old
slides (the old branch), as shown in Figure 4.7 [230]. This means that investigators can use
branches to represent different hypotheses, or maybe they are just alternate interpretations of
the same information: “Unlike a typical undo redo, Palantir maintains a fully branched history
of everywhere an investigation has been. This allows an analyst to explore hypotheses or see
where [some evidence] might lead an investigation, without fear of in any way contaminating or
corrupting that investigation” [230]. Finally, the history adds a learning perspective to Palantir
Government: “this investigation [history] provides an importing training aid, allowing analysts to
show other analysts how they reached their conclusions, which paths they take, and what they do
when they reach dead ends” [230].
Palantir Government investigation summaries can be exported into Microsoft PowerPoint or HTML
formats [230]. The user can select the individual history slides that are to be included in the
summary using check boxes, additional information about each individual slide can be added, and the
summary can be given a title.
Real-time update of database indexes is supported, since Palantir Government found it was
necessary “in order to truly enable enterprise-wide real-time collaboration” [230]. The collaboration
focuses on sharing data as well as analyses, collaboration inside as well as across agencies, across
compartments, and across classification. The collaboration concepts are based on how engineers
collaborate. Finally, Palantir Government is the “only system designed with civil liberties and
privacy protections” [192]. An example of how an investigator can search for a specific object in
other investigations is shown in Figure 4.8. In terms of human-computer interaction, the circular
object action menu in Figure 4.8 is an interesting and intuitive method for doing so; the object is
in the middle with available menus around, no matter where it is positioned in the investigation.
Figure 4.9: Example of exporting a Link Explorer chart to Microsoft Excel spreadsheet. (source: [6])
Figure 4.10: An example of how to create search queries in Link Explorer by the use of drag and
drop. (source: [6])
4.1.4 COPLINK
COPLINK is designed for both general policing and specialist use for detectives/crime analysis
[53]. The tool consists of three modules: “Connect” database, “Detect” criminal intelligence, and
“Collaboration” [84]. With the merger between Knowledge Corporate Computing and i2 in 2009,
COPLINK became a separate product line within i2 Limited. In 2011, i2 Limited was purchased
by IBM. We do not present our analysis of the COPLINK tool here, as we have chosen to focus
on the other three tools reviewed above (Analyst’s Notebook, Palantir Government, and Xanalys
Link Explorer), since they target a more complete investigation cycle.
CHAPTER 4. RELATED WORK 4.2. RESEARCH PROTOTYPES
Figure 4.11: An augmented screen shot from the Sandbox for Analysis, illustrating basic entities and
features. ‘Pin’ labels are used to ask questions and start hypotheses (a). The conceptual model
supports card-like entities and groups (d), picture entities (b), and relations (c). An assertion
group is used to gather evidence proving a statement true or false, and the assertion group has
“Support and Refute Gates” along the sides; (e) is an example of dragging evidence through the
support gate to an assertion group. (source: [254])
Figure 4.12: The Sandbox interaction gestures include loop-to-group gestures, lasso-selection
gestures, and x-to-delete gestures.
4.2.2 POLESTAR
POLESTAR (POLicy Explanation using STories and ARguments) is an integrated suite of knowledge
management and collaboration tools for intelligence analysts [178]. Pioch and Everett (2006)
point out the reasons for intelligence failure relating to current information systems that “inhibit
collaboration and stifle insight with antiquated processes that encode [. . . ] compartmentalization”
[178]. POLESTAR supports the end-to-end intelligence analysis process, covering the processes
search, read, collect, structure, write, review, and revise. The entities in POLESTAR are
so-called Facts, which are basically text snippets collected from websites by first highlighting the
text and then dragging it into a portfolio browser. The user can augment the fact with various
metadata, such as the source of the information and their interpretation of it.
The portfolio browser has tools for knowledge structuring such as the wall of facts (see Figure
4.13) that includes a time line view (Figure 4.14). The wall of facts “is a blank workspace onto
which the analyst can drag and drop snippets of information that they have collected” [178].
Snippets placed at the edge of the wall of facts are shrunk, while snippets at the center are full
size. Investigators can add claim text boxes around which snippet arguments can be positioned,
or snippets can be grouped hierarchically using sub-workspaces. The wall of facts time line view
shows the chronology of snippets according to the dates that investigators have added: “seeing this
arrangement can clarify relationships that are hard to detect when looking at a series of textual
dates” [178]. Interestingly, the time line view also supports sub-time lines.
POLESTAR has strong support for creating hypotheses (like the Sandbox, see Section 4.2.1), and
mentions the importance of having an explicit structure to more easily locate weak arguments. As
with any argumentative structure, the basis in POLESTAR is a hypothesis. The hypothesis can be
supported or rebutted by claims (i.e., the claim box mentioned above) and assumptions. Claims
and assumptions are typically based on interpretation of a fact, about which the investigator has
entered metadata such as info type, reliability, classification, and source. The fact originates from
a source document.
4.2.3 Aruvi
Aruvi is the prototype implementation of an information visualization framework that supports
the analytical reasoning process [200,201]. As mentioned, analysis is focused on what can be done
using visualizations, but has some structure in terms of the argumentative reasoning support and
the navigation history. Shrinivasan and Wijk (2008) formulate five requirements for the analytical
reasoning process in information visualization [201], which are summarized to the challenge of
providing the user with an overview of what has been done and found: “to keep track of the
exploration process and insights, a history tracking mechanism and a knowledge externalization
mechanism respectively are essential” [201]. Figures 4.15a, 4.15b, and 4.15c explain the Aruvi
support of history tracking. Initially, Shrinivasan and Wijk (2008) . . .
“. . . use a history tree representation to show the structure of the exploration pro-
cess. A node represents a visualization state. An edge between the adjacent nodes is
labeled with the user action (see Figure 4.15a). [. . . ] Figure 4.15a shows the structure
of the navigation. A branch represents a revisit and reuse of an already existing visu-
alization state. To understand the temporal context, it is important to see the sequence
of visualization states along with the structure of the navigation. Figure 4.15b shows
the structure of the navigation ordered by time in the horizontal direction. The user
can toggle between the two representations during the analysis via the settings interface
(see Figure 4.15c-1). The user can revisit the visualization states sequentially in the
order of creation using the back and forward arrow keys. This action is similar to the
undo-redo mechanism. Also, the user can hover over a node to get information about
the visualization state (see Figure 4.15c-3) and jump to any visualization state in the
navigation view. An overview window is used for panning over the history tree (see Fig-
ure 4.15c-4). When a visualization state is linked to objects in the knowledge view, it is
marked with a star in the navigation view (see Figure 4.15a, 4.15b and Figure 4.15c-2).
The current visualization state in the navigation is highlighted in yellow.” [201]
Figure 4.15: History trees and navigation view.
Figure 4.16: Aruvi knowledge view.
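The branched investigation history described for Palantir Government and the Aruvi history tree quoted above share one data structure, shown here as an added Python example (not code from either tool): states are nodes, user actions are edge labels, and acting from a revisited state opens a branch. The hash chaining in `_digest` is an assumption about how such a history could be made tamper-evident; all names and the sample investigation are constructed.

```python
import hashlib
import json


class HistoryTree:
    """Append-only tree of investigation states; nodes are never edited or removed."""

    def __init__(self, initial_state):
        self.nodes = []  # list index == node id == order of creation
        self.current = self._append(None, "start", initial_state)

    @staticmethod
    def _digest(parent_digest, action, state):
        # Assumption: each node is chained to its parent, so editing a recorded
        # state requires rewriting the digest of that node and every descendant.
        payload = json.dumps([parent_digest, action, state], sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def _append(self, parent, action, state):
        parent_digest = self.nodes[parent]["digest"] if parent is not None else ""
        state = json.loads(json.dumps(state))  # private copy of the snapshot
        self.nodes.append({
            "parent": parent,
            "action": action,  # edge label: the user action that led here
            "state": state,
            "digest": self._digest(parent_digest, action, state),
        })
        return len(self.nodes) - 1

    def children(self, node_id):
        return [i for i, n in enumerate(self.nodes) if n["parent"] == node_id]

    def do(self, action, state):
        """Record an action taken from the current node.

        Returns True when the current node already had a successor, i.e. the
        action opens a new branch instead of overwriting the old one.
        """
        branched = bool(self.children(self.current))
        self.current = self._append(self.current, action, state)
        return branched

    def goto(self, node_id):
        """Jump to any recorded state and return a copy of its snapshot."""
        if not 0 <= node_id < len(self.nodes):
            raise IndexError(f"no such state: {node_id}")
        self.current = node_id
        return json.loads(json.dumps(self.nodes[node_id]["state"]))

    def back(self):
        """Step to the previously created state (temporal order, not tree order)."""
        return self.goto(max(self.current - 1, 0))

    def forward(self):
        """Step to the next created state in temporal order."""
        return self.goto(min(self.current + 1, len(self.nodes) - 1))

    def path(self, node_id):
        """Actions from the root to node_id: one line of reasoning, ready to export."""
        actions = []
        while node_id is not None:
            actions.append(self.nodes[node_id]["action"])
            node_id = self.nodes[node_id]["parent"]
        return actions[::-1]

    def branches(self):
        """Leaf nodes; each is the tip of one hypothesis or interpretation."""
        return [i for i in range(len(self.nodes)) if not self.children(i)]

    def verify(self):
        """Recompute every digest; False means a recorded state was altered."""
        for node in self.nodes:
            parent = node["parent"]
            parent_digest = self.nodes[parent]["digest"] if parent is not None else ""
            if node["digest"] != self._digest(parent_digest, node["action"], node["state"]):
                return False
        return True


def demo():
    # Constructed sample investigation, not data from the dissertation.
    h = HistoryTree({"entities": ["asset"]})
    h.do("search: charity event", {"entities": ["asset", "person A"]})   # node 1
    h.do("link: asset - person A", {"entities": ["asset", "person A"],
                                    "links": [["asset", "person A"]]})   # node 2
    h.goto(1)                                                             # revisit
    branched = h.do("search: phone records",
                    {"entities": ["asset", "person A", "phone 1"]})      # node 3
    return h, branched
```

For `verify()` to detect someone who rewrites the digests as well, the digests of the branch tips would have to be recorded outside the tree.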
For knowledge externalization, Shrinivasan and Wijk (2008) decided to design a knowledge view
as a basic graphics editor, because “it helps the users to construct diagrams to externalize their
mental models and structure arguments” [201]. Figure 10.8 shows the Aruvi knowledge view,
where:
“A note is the basic entity to record findings. A note is either rectangular (see
Figure 10.8a) or elliptical (see Figure 10.8b) in shape. Notes can be organized into a
group with a title (see Figure 10.8c). The tool supports multiple group levels (see Figure
10.8d). A connector line can be drawn between notes, groups, and a note and a group
([with or without direction], see Figure 10.8e). When an entity in the knowledge view is
linked to a visualization state it is marked with a star” [201] (see Figure 10.8f).
4.2.4 Dynalink
Dynalink is a framework for visualizing dynamic criminal networks. “The interactive and visual
features of Dynalink can be useful in discovering and analyzing both relational patterns of criminal
networks” [160]. A primary strength of Dynalink “is that it can process huge datasets” [160]; the
system has been tested against a crime dataset consisting of 125.558 criminals.
4.3.1 Namebase.org
Namebase.org is a database of books and clippings where users can search for names and
individuals, groups, and corporations [136]. The search finds books and clippings that cite the
name searched. It also has an option to draw a social network diagram (see Figure 4.17). Searching
can be performed in the following ways: ‘name search’, ‘proximity search’, ‘country search’ and
‘document scan’, but only in the existing databases; no ingestion of additional data is possible.
The aforementioned social network diagram can be used to draw relations between the search
results, providing an alternative perspective to listed results. The user can click entities in the
social network diagram, to focus on that entity.
4.3.2 Mindmeister
Mindmeister is a collaborative tool for online mind mapping [3] (see screen shot in Figure 4.18).
Mindmeister supports the following formats for import of mind map data: original Mindmeister
files, FreeMind™, Mindjet MindManager™, and finally text files where entities are simply
separated using spaces or tabs and the first line is the title of the mind map.
Figure 4.18: Augmented Mindmeister screen shot, highlighting various concepts that the tool
supports: entity types, groups, visual symbols, multimedia, and hypotheses.
Entities are for example topics and ideas, or relations as shown in Figure 4.18. All entities support
grouping. If one entity is dropped on another entity, it becomes a sub-entity of the entity it is
dropped on (a group is started or expanded). Sub-entities can be collapsed by clicking the circle
with a minus (see Figure 4.18). The minus becomes a plus which could be used for expanding that
information again. Mindmeister supports real-time brainstorming: “simultaneously work with
colleagues on the same map and see changes as they happen” [3]. Finally, like any mind mapping
tool, Mindmeister is strong on generation of hypotheses and alternate interpretations.
CHAPTER 4. RELATED WORK 4.4. SUMMARY
made in the Aruvi knowledge view are also indicated in the workspace (using the same color).
This sort of decision-making support was not found in the other research prototypes.
Each individual simple tool for investigative journalism solves the task it is intended for, but if
more than one simple tool is required to solve a task, it becomes a problem, since they do not exist
in an integrated environment. Simple import and export tasks might also be more complicated
than, for example, solving (some of) the tasks by hand.
In summary, the reviewed commercial tools and research prototypes supporting a cards-on-table
metaphor have some basic features in common. They support information elements and
relations, the basic building blocks for creating networks. The support of composites (groups) is
more sporadic, with Palantir having better support. For further comparison of criminal network
investigation task and model support we refer to Section 15.3.
CHAPTER 5. THEORY AND TECHNOLOGY
This chapter presents the state of the art on core theories and technologies relevant to the development
of tool support for criminal network investigation, addressing the challenges associated therewith
(see Section 1.2 and Chapter 6). We will elaborate our initial discussion of the theory and technol-
ogy pillars introduced in Chapter 1. The pillars represent high level functional and non-functional
aspects of developing criminal network investigation tools. Lower level (functional) software re-
quirements are the research focus requirements presented in Chapter 6. The theories (sciences)
and technologies listed for each pillar have provided us with the knowledge and understanding
necessary to develop tool support of that particular aspect. The pillars are shown in Figure 5.1,
and colors are used to indicate how well the different theories and technologies are covered in this
chapter or in a fragmented manner throughout the dissertation (see the coverage legend at the
bottom of Figure 5.1). The theories and technologies have been selected based on their relation
to the overall hypothesis and the three criminal network investigation challenges: information,
process, and human factors.
We will present each theory and technology from the perspective of criminal network investigation.
The pillars and their theory and technology building blocks are briefly described below, with
references to the respective sections reviewing them in greater detail.
Emerging and evolving pillar. A complex software systems engineering problem is the sup-
port of emergent and evolving information structures [172]. The complexity arises because
the premise for such support is that you don’t know what structures will emerge as end
users synthesize and organize their domain information: they might end up with spatial, hi-
erarchical, or argumentation structures, and most often the result will be a mix of multiple
structure types. In general terms, structure is an abstraction used to describe the form of
some object, whether it is a house [8], a city [9], a software development plan [165, 170] or
criminal network information entities pieced together, forming network structures [174]. We
have presented basic sub structures and organizational meta structures of criminal networks
in Section 3.2.
Hypertext is a technology that provides methods for supporting various structure domains.
Research of these structure domains is helpful in understanding how structures are formed
and in learning general ways of implementing software support of similar structures that can
then be mapped to the other information domains (see Section 5.1). Semantic web is a
technology aiming at adding semantics to web pages, to make them understandable by
machines, through the description of knowledge domains using ontologies to describe the
objects on web pages and their interrelationship. This has been extremely helpful in terms
of supporting networks, where information elements can be of different types, where relations
can be weighted and of different kinds (we cover basic semantic web technology relevant for
our work in Section 5.2). Information science has helped find the appropriate trade-off
between having a completely generic system that the end user can customize to suit any
particular information domain and adding some domain knowledge into the system prior to
providing the user with access (see Section 5.3).
Figure 5.1: Criminal network investigation pillars of theory and technology. The colors indicate
how well each individual research area or technology has been covered, e.g., green building blocks
are covered in great detail while red building blocks are not covered.
Problem solving pillar. This pillar deals with cognitive processes, creativity, and tools support-
ing a human-centered, target-centric team approach to criminal network investigation. We
think of criminal network investigation as a process (or processes) for crime related problem
solving. Section 5.4 deals with human cognition in terms of the mind’s approach to solving
problems. More specifically, what are the strengths, weaknesses, and limitations of human
cognition, so that we know how not to inhibit the strengths in any way and to decrease the
impact of weaknesses and limitations. Software systems engineering has different processes
describing approaches to software development, one of which, the agile approach, we find
useful for our target-centric approach to criminal network investigation. Agile modeling is
described in the section of software systems engineering and Section 5.6, covering a range of
modeling techniques, very different from traditional approaches to problem solving. Many
different tools - both physical and software - could be used for and are good for different
kinds of problem solving. Such tools are described in Section 5.6. Finally, we have conducted
a review of the creative process, which talks about creativity in general, and discusses the
benefits of creativity in real versus nominal groups (Section 5.5).
Suspects and criminals pillar. Domain knowledge has provided us with many functional and
non-functional aspects of tool support for criminal network investigation. The functional
aspects come from experiences and literature that tell us about the individuals that form
the type of criminal networks we want to investigate, and how and why these individuals
became part of those networks; for example radicalization tendencies and processes. It can
be argued that such knowledge is more important than knowledge about individuals who
have already committed a crime, in terms of the ability to take proactive (de-radicalizing)
measures. But it is not the focus we have chosen in this Ph.D. dissertation, and would
require very detailed modeling capabilities, but we hope our approach will evolve in that
direction in the future. The field of Social Science is a large provider of such knowledge,
and we have used it and described it in fragments throughout the dissertation. We have also
used studies from social science about criminals, i.e., the profile characteristics of individuals
(case studies of individuals are covered in Section 5.7). For similar studies of groups we refer
to Section 3.5.
Investigation pillar. We reviewed two different approaches to criminal network investigation
(linear and target-centric) in Chapter 3 and we will cover our process model and tasks for
criminal network investigation in Chapter 7. Here we will focus on studies of technologies that
can help investigators make sense of criminal networks together with a review of intelligence
and the ethical issues involved in dealing with and making decisions based on criminal
network investigation.
We review the concept of intelligence, by focusing on open source intelligence and what role
it has played for our work in Section 5.8. Section 5.9 on mathematical models covers different
types of computational network analysis (also referred to as techniques or algorithms), and
how these mathematical models can be useful in terms of supporting various analysis needs
when investigating criminal networks. Ethical issues such as privacy and civil liberties are
discussed in Section 5.10, an aspect of security informatics often neglected by academic
software system engineers.
Tool usage pillar. In terms of tool usage aspects, this pillar focuses mainly on trust and user ac-
ceptance (see Section 5.11). Models for assessing the acceptance of new technology are many,
e.g., the technology acceptance model (TAM) for information technology [51]. And technol-
ogy assessment researchers have given their suggestions for the “fundamental determinants
of user acceptance” [51], e.g. Davis (1989) suggests perceived usefulness and perceived ease
of use. In the criminal network investigation domain we find trust to be the fundamental
determinant for tool user acceptance. Because of the security nature of the information and
the importance of decisions being made based on that information, it is highly relevant that
investigators and decision-makers (intelligence customers) trust the information, knowledge,
and ultimately intelligence products that tools for criminal network investigation produce.
We have a brief introductory review of interaction and visualization in Section 5.12. Computer-
supported collaborative work (CSCW) or simply groupware is not covered in this dissertation,
but we have studied important work in the field (e.g., [60]), and a substantial part of the
course advanced software technologies for knowledge management focused on groupware.
As indicated in Figure 5.1, software systems engineering is the foundation on which all the theory
and technology pillars stand. The color indicates that we do not have a separate section or
chapter on the software system engineering concepts we have applied in this project; they are
covered throughout the dissertation.
5.1 Hypertext
Organizing and making sense of information has been the main focus of hypertext research from
its very beginning. Hypertext systems aim at augmenting human intellect, i.e. increasing the ca-
pability of man to approach a complex problem situation, to gain comprehension to suit particular
needs, and to derive solutions to problems [62]. The most widely used structure abstractions in
hypertext are nodes and links. Nodes are informational units that can be connected through links.
Users can traverse links and thereby navigate through a hypertext (graph). Nodes and links, how-
ever, have been criticized for a lack of support for emergent and evolving structures [199]. Spatial
hypertext was designed for dealing with these shifting structures, and is found to be well suited
for the purpose, e.g., the ease of changing a visual property or moving an object [198].
“Hypertext, in its most general sense, allows content to appear in different contexts” [141].
That is, a person who is about to encounter a diverse amount of knowledge (or data) can aug-
ment that knowledge with different hypertext structures, making it more intuitive and easier to
comprehend. All the structuring domains reviewed below “contain basic notions, although each
also has its own specialized and tailored abstractions” [159]. Over the years, various hypertext
structuring mechanisms have been proposed to support different types of information structuring,
organization, and sense-making tasks. Several of these structuring mechanisms (or structuring
domains) play a vital role in the design and development of tool support for criminal network
investigation.
Hypermedia System (DHM) [115] is a prominent hypermedia system that provides a rich set of
composite types.
For criminal network investigation purposes, associative structures (including composites) are useful
for synthesis tasks such as manipulating entities and relations, re-structuring, and grouping.
Relations can be unidirectional or bidirectional and either weak (suspected but unconfirmed relationship)
or strong (known close relationship such as family or friendship ties). Bush (1945)
summarizes how information is usually found by traversing a complex hierarchical structure of
classes and then claims that: “The human mind does not work that way. It operates by association.
With one item in its grasp, it snaps instantly to the next that is suggested by the association
of thoughts, in accordance with some intricate web of trails carried by the cells of the brain” [33].
NoteCards is an example of a navigational hypertext system that allows the user to create such an
“intricate web of trails” [73].
NoteCards
We have selected NoteCards for analysis because the basic entities are cards: “The basic construct
in NoteCards is a semantic network composed of note cards connected by typed links. NoteCards
provides two specialized types of cards, Browsers and FileBoxes that help the user to manage
networks of cards and links” [170]. Figure 5.2 illustrates some notecard examples, where “each
notecard contains an editable [content] such as a piece of text, a structured drawing, or a bitmap
image. Each card also has a title” [73]. Figure 5.3 illustrates examples of Browser cards and
FileBox cards.
The purpose of the NoteCards environment is “to help people formulate, structure, compare, and
manage ideas”. NoteCards intends to support the nature of idea processing, something that is very
important to our work as described in Section 5.4. Halasz et al. (1987) considered idea processing
to be “a convolution of several different activities that can be roughly divided into three phases:
acquisition, analysis, and exposition” [73]. These phases are very similar to the three phases of
the generic creative process model: problem preparation, idea generation and idea evaluation (see
Section 5.5). Furthermore, the goal of idea processing is described as a way of moving “from
a chaotic collection of unrelated ideas to an integrated, orderly interpretation of the ideas and
their interconnections”. It comes as little surprise that the most common use of the NoteCards
environment “is as database for storing personal information such as notes to oneself, clippings
from electronic mail messages, quick ideas jotted down, sections of a paper in progress, etc”.
Halasz et al. (1987) assess NoteCards according to the subjects information management and
idea processing [73]. It is concluded that information management is appropriately supported,
especially when it comes to organizing information “into arbitrary (e.g., non-hierarchical) network
structures tailored to their specific applications”. Idea processing was found to be “relatively
difficult” by many users. This is mainly because “representing and manipulating ideas in NoteCards
is a task that requires considerable strategic planning”. In other words, it is not intuitive
for the users how to make a structure that can clarify their “unorganized and poorly understood
collection[s] of ideas” [73].48
Figure 5.3: Example Browser Card (large) and FileBox Card (small). [73]
Systems
A spatial hypertext system allows its users to represent information elements as visual “icons”.
Analysts can represent relationships among objects implicitly by varying certain visual attributes
(e.g., color, size, and shape) of the icons and by arranging the icons in arbitrary ways in a large 2D
space (spatial proximity). Information elements can be grouped in collections. A spatial parser
can then recognize the spatial patterns formed by these icons. First generation spatial hypertexts
primarily focus on research-related information analysis [142] and general idea-processing. Second
generation spatial hypertexts have been used in tasks such as “note taking, writing, project
management, and conference organization” [198] and scholarly work processes [246]. But first and
second generation spatial hypertexts are considered to be general-purpose as described in [199] due
to their purely spatial hypertext concepts implementations [121] and non-formalized information
elements. We do not consider them to be usage-oriented like the following tools (some of which
have multiple usage-orientations). Over the years several strains of spatial hypertext systems
have been developed and evolved, e.g. from NoteCards [73] over Aquanet [140] and VIKI [142]
to VKB [198] and VITE [95] and from the Construct Space Tool [246] to ASAP [170–172]. A
prominent example of a spatial hypertext system is the Visual Knowledge Builder (VKB) [198].
Aquanet (1991) started the strain and facilitates spatial manipulations and visually indicated
links, using a browser-based approach [121, 140, 141]. Experiences with use showed that users
created linkless spaces of nodes arranged in regular graphical patterns that indicated relationships
among nodes spatially and visually [199]. Figure 5.4 shows an excerpt of an analysis of machine
translation systems and technologies. The distinct patterns of graphical objects indicate the
composites built by the users to represent a single machine translation system or technology (i.e.,
the red/pink, blue, green and white with gray border rectangles).
VIKI (1994) was developed next to explore spatial hypertext as a geometric and visual structuring
paradigm [142]. VIKI’s emphasis is on flexibility, informality and change. VIKI’s spatial
hypertext model is based on information elements, visual symbols, collections and composites.
The information elements in VIKI are semi-structured content-holding entities that may have no
internal structure, or may have a number of fields added to them in order to create user-specified
structure. Visual symbols are manipulable references to an information element. The symbol size
can be used to limit the amount of content revealed. Users can also specify which field’s contents
are shown and they can scroll through content to focus attention on a specific segment. VKB
extends VIKI in a number of ways, but the focus is primarily on more advanced visual cues
and support of collaborative tasks [198]. VKB kept the notion of information elements, collections,
and subspaces (see Figure 5.5). VITE is a system developed to explore the design and reuse of
systems incorporating two-way mappings, again following the cards-on-table metaphor [95, 97].
The attribute/value mapping pairs are the primary content rather than meta data attached to
a larger plain text or image information element, which is likely to be the case in a structural
computing environment (see Section 5.1.6).
The Socs application “permits the intuitive connecting of information on a space. It supports
emergent and dynamic knowledge structures, fosters communication, awareness, and notification
services, enables multiple trails of thought in parallel (i.e., thought experiments), as well as versioning
with easy access to previous states” [20]. The tool is targeted at criminal profiling or crime
scene analysis supporting small teams of officers, following the cards on table metaphor. Atzenbeck
(2008) presents the Socs social space on which information elements represent collaborators,
using a graphical icon and a label as visual abstraction [19]. The space could be divided into
separate areas, indicating the role of the persons in that specific setting.
The ASAP tool49 uses spatial and taxonomic hypertext structuring mechanisms to provide support
for project planning [170]. “Project planning in agile teams is a collaborative process relying
on face-to-face communication and shared information to succeed” [171, 172]. The ASAP tool
implements a bi-directional mapping between the interactive areas of the task card and the underlying
data. Based on the tool’s usage-orientation, the separator was implemented as a novel
structuring mechanism, allowing the user to create a temporal separation of grouped cards, enabling
auto generation of views and reports. ASAP lets the user interact with an information
element’s underlying content.
To summarize, the majority of the reviewed tools implement a cards-on-table metaphor, and hence
the geometric shapes representing pieces of information have not evolved considerably. The focus
has been on developing powerful general purpose structuring mechanisms and support of long
term collaboration, as the primary means for the users to reach their ends [198].
CHAPTER 5. THEORY AND TECHNOLOGY 5.2. SEMANTIC WEB
Figure 5.6: The World Wide Web in 1994 as presented by Tim Berners-Lee [23].
Figure 5.7: A flat world, devoid of meaning [23].
Figure 5.8: “A document might describe a person, the title document to a house describes a house and also the ownership relation with a person”, etc. [23].
Figure 5.9: Semantics have been added to web documents [23].
example of a relation rule for a family could be that a hasMum property can only exist between
two persons if the hasParent property exists.
Figure 5.10 presents these concepts and the technology used to realize the semantic part of semantic
web. Each individual layer in Figure 5.10 is dependent on technology in underlying layers. The
red layers represent technology that functions as the basis for the semantic technology: a URI is
a web identification that can point to a specific semantic web resource. XML is an element-based
syntax making it possible to create documents with structured data. Semantic web provides these
structured data with meaning.
The blue layers represent standardized semantic web technology: RDF is a simple language
for description of data models referring to resources (using URI web identifications) and their
relations [75]. An RDF-based model could for example be written using XML syntax and consist
of so-called triples using the following format: <subject, property, object>. A simple example
of a web page sentence is shown in Figure 5.11, where the RDF triples for that sentence are explained.
Where RDF adds meta data to documents, RDFS and OWL are used to annotate RDF data
with semantic meta data [75]. Semantic meta data could be object properties such as how objects
are related to each other hierarchically (taxonomies) as shown in Figure 5.12 where t-shirt and
pants are subclasses in relation to the classification clothesType. An ontology, which only contains
subclass-relations is also called a taxonomy. Another type of semantic meta data is data type
properties, e.g., which brand a single piece of clothes belongs to.
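The triple format, the subclass taxonomy, and the hasMum/hasParent relation rule described in this section can be exercised on a small in-memory set of statements. The following Python sketch is an added example, not code from the dissertation; the `ex:` names, the `ex:brand` property, and the sample statements are constructed for illustration.

```python
# Added illustration: RDF-style triples, RDFS subclass inference, and the
# hasMum/hasParent relation rule. All "ex:" names and sample data are constructed.
from collections import defaultdict

SUBCLASS = "rdfs:subClassOf"   # RDFS vocabulary term for taxonomy edges
TYPE = "rdf:type"              # RDF vocabulary term for class membership

# Constructed sample data: each statement is a <subject, property, object> triple.
TRIPLES = {
    ("ex:tShirt", SUBCLASS, "ex:clothesType"),
    ("ex:pants", SUBCLASS, "ex:clothesType"),
    ("ex:item42", TYPE, "ex:tShirt"),
    ("ex:item42", "ex:brand", '"ExampleBrand"'),   # data type property
    ("ex:alice", "ex:hasParent", "ex:carol"),
    ("ex:alice", "ex:hasMum", "ex:carol"),
    ("ex:bob", "ex:hasMum", "ex:dana"),            # breaks the rule: no hasParent
}


def superclasses(triples, cls):
    """Return every class reachable from cls via rdfs:subClassOf (transitive)."""
    parents = defaultdict(set)
    for subject, prop, obj in triples:
        if prop == SUBCLASS:
            parents[subject].add(obj)
    seen, stack = set(), [cls]
    while stack:
        for parent in parents[stack.pop()]:
            if parent not in seen:       # guards against cyclic taxonomies
                seen.add(parent)
                stack.append(parent)
    return seen


def inferred_types(triples, resource):
    """Direct rdf:type classes of a resource plus all of their superclasses."""
    direct = {o for s, p, o in triples if s == resource and p == TYPE}
    result = set(direct)
    for cls in direct:
        result |= superclasses(triples, cls)
    return result


def rule_violations(triples, dependent="ex:hasMum", required="ex:hasParent"):
    """Pairs linked by `dependent` that lack the matching `required` statement."""
    required_pairs = {(s, o) for s, p, o in triples if p == required}
    return sorted(
        (s, o) for s, p, o in triples
        if p == dependent and (s, o) not in required_pairs
    )


if __name__ == "__main__":
    print(inferred_types(TRIPLES, "ex:item42"))
    print(rule_violations(TRIPLES))
```
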
Even though semantic web projects have shown the advantages of using this technology within
specific information domains, parts of the technology have not yet been realized and standardized.
CHAPTER 5. THEORY AND TECHNOLOGY 5.3. INFORMATION SCIENCE
Figure 5.10: Semantic Web technology architecture - the blue layers are the semantics technology while the red layers are basic World Wide Web technology.
Figure 5.11: RDF t-shirt example - graph visualization and matching RDF triples.
Figure 5.12: A hierarchical taxonomy with classes and subclasses.
A number of primary security-related layers are left out of Figure 5.10: a vertical encryption layer for
securing and verifying the authenticity of data from the semantic web. This could be achieved by
using suitable digital signatures for RDF statements. Related to this layer are layers for creating
trust in semantic web information. The user interface is the final layer making it possible for
humans to use semantic web applications [75].
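One way to make the authenticity check for RDF statements mentioned above concrete, as an added example that is not from the dissertation or from [75]: because a set of statements has no inherent order, it must be brought into a canonical byte form before it is authenticated. Assumptions: HMAC-SHA256 with a shared key stands in for a digital signature so the sketch runs on the Python standard library alone, blank nodes are rejected rather than canonicalized, and the key and `ex:` statements are constructed.

```python
# Added illustration: authenticating a set of RDF statements.
# Assumption: a keyed MAC (HMAC-SHA256) stands in for a digital signature.
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"   # constructed value, not a real secret

# Constructed sample statements in <subject, property, object> form.
STATEMENTS = [
    ("ex:item42", "rdf:type", "ex:tShirt"),
    ("ex:tShirt", "rdfs:subClassOf", "ex:clothesType"),
]


def _encode_triple(triple):
    """Length-prefix each term so that term boundaries cannot be shifted."""
    subject, prop, obj = triple
    out = b""
    for term in (subject, prop, obj):
        if term.startswith("_:"):
            # Blank node labels are arbitrary; they need graph canonicalization.
            raise ValueError("blank nodes are not handled in this sketch")
        raw = term.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def canonical_bytes(triples):
    """Statements form a set: drop duplicates and sort so order never matters."""
    encoded = sorted({_encode_triple(t) for t in triples})
    return len(encoded).to_bytes(4, "big") + b"".join(encoded)


def seal(triples, key):
    """Return a hex authentication tag over the canonical form."""
    return hmac.new(key, canonical_bytes(triples), hashlib.sha256).hexdigest()


def verify(triples, key, tag):
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(seal(triples, key), tag)


if __name__ == "__main__":
    tag = seal(STATEMENTS, DEMO_KEY)
    print("reordered statements verify:", verify(STATEMENTS[::-1], DEMO_KEY, tag))
    tampered = [("ex:item42", "rdf:type", "ex:pants"), STATEMENTS[1]]
    print("tampered statements verify:", verify(tampered, DEMO_KEY, tag))
```
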
5.4. HUMAN COGNITION CHAPTER 5. THEORY AND TECHNOLOGY
Hjørland and Albrechtsen (1995) are particularly concerned with a theoretical background from
which to make priorities between all possible information connections and relations [91]. The
domain-approach to information science is argued to be able to provide such a theoretical framework.
Putting this in a system context, “it is probably useful to specify some conceptual relationships
to provide the system with at least a rudimentary domain knowledge facility prior to
any interaction with users” [91]. Hjørland and Albrechtsen (1995) also present a user-centered
paradigm in information science: “By a user-centered paradigm, we refer to information access
driven not by the structure of the database in the system, but rather by views of the databases
needed to satisfy an information need as perceived by the user. Thus, the user defines dynamically
the type, amount, and structure of the data required to satisfy an information need. This implies
not just the user definition of the view, but the user selection of the model in which the view is
framed.” [91]
Some positive synergies exist between the information science discipline and hypertext (described
in Section 5.1). Hjørland and Albrechtsen (1995) argue that “hypertext is a fascinating research
area and a promising technology. It is however only a technology, and as such cannot substitute
for a theoretical approach such as domain analysis. But a theoretical approach can illuminate a
technology and its possibilities” [91]. They follow up by stating that “hypertext is a technology,
which is fertile soil for remedies to classical problems in information science” [91].
associating - the traditional understanding of creativity, and what might be called the artistic
approach. The other type of creativity is to be persistent and focused – a more rational and
conscious creativity, which we maybe could call the engineering approach” [210]. “The two ways of
being creative do not exclude each other, Bernard Nijstad explains in the interview and continues:
the majority of us switch between the methods based on needs and switch back and forth several
times during a task” [210]. We call the rational and conscious approach to creativity problem
solving because it exists in a less free domain, where goals and means are defined beforehand [210].
Human working memory and long term memory are described by De Dreu and Nijstad:
The working memory was initially described as our ability to remember seven different
things, such as names or numbers. Today, we have a more complex picture of
working memory as a sort of central arena, where you put the things that are part of
your conscious thinking - it still only has room for a rather limited number of elements,
normally five to nine. But the elements should rather be seen as a sort of focus points
into your collective pool of knowledge and associations. Think about a super advanced
3D version of Wikipedia (see Figure 5.14), where all words and images have dozens of
associations to other places. A memory element is a piece of this spider web, that you
have lifted up to look at. [210]
5.4.2 Besheer and Pellegrino - a case in point of rational and free association creativity
FBI case officer Frank Pellegrino, hunting Khalid Sheikh Mohammed, and Matthew Besheer [146]
serve as an example of the two types of creativity described above from the domain of criminal network
investigation. Their background is outlined in Section 3.5.2. Pellegrino is the personification
of the artistic, creative, and free-association type described in [210]. Matthew Besheer (see below)
makes the following observations about him: “Pellegrino was the real deal [...]. Everybody wore
by and large what might as well have been FBI issued dark suits. Their desks were perpetually
clean. Pellegrino’s was a mess. By outward appearances so was he. His hair was long, at least
by FBI standards. He wore T-shirts and jeans and comfortable shoes [...]. He was always busy,
always late, always in a hurry” [146]. When Pellegrino asks Besheer if he wants to join in the hunt
for an international target to the Philippines and Malaysia, he offers the following arguments: “If
this guy is going, [...] I’ll be happy to go with him. Maybe even protect him; free him up to do
his free-association analytical work” [146].
Figure 5.14: When a person thinks about something the memory element (green cube) related to
that is brought from the long term memory (left) into the working memory (right).
Matthew Besheer is the focused, rational, and conscious creative type. Detective Besheer had
written a report about the security at the World Trade Center in 1992, stating that the Trade
Center garage was vulnerable to truck bombs. Nobody listened to that report, but when the
attack happened in 1993, his expertise was suddenly needed: “Even with high security clearance,
he ended up digging through stacks of parking tickets, any record that somebody wanted chased.
It was pure grunt work. He did it all tirelessly and without complaint”. His approach to collecting
evidence was always the same, no matter the size of the task, in this case a crashed plane: “Parts
of the plane had to be disassembled, examined, tagged as evidence and shipped to New York to
be used as exhibits in a trial. His attention to detail was perfectly suited for the task” [146].
Given our focus on hypertext structure domains, we are interested in learning what structures
are better suited for representation of human cognition: “a tree structure is one realization for a
hierarchical structure for the representation of space. It is easily constructed and understood, but
it is also a rigid structure that does not allow for overlap. Ordered trees provide an extension that
allows for some degree of overlap, whereas a semi-lattice is an even richer structure that appears
to be consistent with many aspects of cognitive space [9]” [89]. We discussed the semi-lattice in
Section 3.2.
Hypertext research found that premature decisions about structure were inhibiting human information
organization capabilities (see review of NoteCards [73], Section 5.1.1). New approaches that
avoid this early commitment to structure were therefore researched, developed, and formalized.
Researchers on creativity have written about how the personal need for structure can have both
a negative and a positive impact on creativity depending on that person’s level of personal fear of
invalidity [239].
CHAPTER 5. THEORY AND TECHNOLOGY 5.5. THE CREATIVE PROCESS
Figure 5.15: The components of creativity [239] are an individual or a group going through a
creative process to develop a product.
At the end of this chapter we hope to have gained enough knowledge to conclude where creativity
ends and planning starts, what skills (creative, systematic, analytic) are important when planning
or managing, and the phases included in these very different processes. We begin the review by
looking at relevant creative process models.
One of the first models was given by Wallas [74, 239] in 1926. Wallas describes creativity as
involving four phases: preparation, incubation, illumination and verification. In the preparation
phase “the creator becomes obsessed with the problem, collects relevant data and traditional
approaches to it, and perhaps attempts, unsuccessfully, to solve it” [74]. During incubation the
creator unconsciously continues to work on the problem without actively attempting to solve it. In
the illumination phase “a possible [solution] surfaces to consciousness in a vague and unpolished
form” [74], i.e. a creative insight has occurred. Finally verification of the idea is performed by
proof and communication to others.
Later models by Osborn (1963), Amabile (1983), and Shneiderman (2000) all “moved away from
proposing unconscious stages of incubation and illumination, toward a more conscious process
of deliberately coming up with ideas” [239]. Table 5.1 summarizes the phases included in their
individual models.
Table 5.1: Generic creative process model as described by Warr and O’Neill (2005) [239].
All the creative process models presented in Table 5.1 have an analytical phase of preparation,
where relevant information is collected to understand the problem and its domain. Then there
is “the more specifically creative phase” where ideas are generated based on the gathered and
reviewed information. Finally all the models have an idea evaluation phase, where it is evaluated
if the goal of producing truly creative ideas is achieved.
We believe that the generic problem preparation phase (analysis of problem in Table 5.1) would
be difficult to support by a computer system, since it is a head-on approach where traditional
solutions are applied and not much time is spent on creative thinking. The idea generation phase
however has a brainstorming feel to it which is very interesting because it seems to map into
initial phases of a criminal network investigation process, just as it does the planning process.
Idea evaluation using for example communication to or response from others would benefit from
an electronic version of the generated ideas, because they could easily be altered, deleted and
moved around. And it would be easy to distribute the ideas to people at other locations.
Production blocking. Production blocking has the highest negative effect when ideas are expressed
verbally within a group. Only one person can speak at a time and hence communicate
his/her ideas. People “may subsequently forget their ideas or suppress them because they
may feel their ideas less relevant as time passes”. Or they rehearse their ideas internally, not
paying attention to other group members. Usually, however, ideas are not only communicated
verbally but also jotted down on notepads, white boards or flip charts. A number of
synchronous interaction techniques have been applied to solve the production blocking problem.
Examples relevant to our work are: writing ideas down on cards and using electronic
brainstorming systems. This also helps reduce the influence of evaluation apprehension discussed
next, because such methods make ideas anonymous by allowing the group members to use
writing as a communication channel.
Evaluation apprehension. “Members of a group may [...] fear criticism from other group
members, preventing them from expressing ideas” [239] and thoughts, which results in a
reduced number of ideas produced by the group. This usually happens when someone
believes that another group member has expert knowledge within the domain and then
expects some sort of negative evaluation from that person (this is the primary reason for
separating Idea Evaluation from Idea Generation in Table 5.1). To overcome the negative
effects it has been suggested [239]:
[...] that anonymous means of expressing ideas remove an individual’s identification
with an idea and therefore help encourage people to express their ideas as
the fear of criticism is removed. This anonymous communication has been a key
feature of electronic brainstorming systems.
Free riding. “Free riding [...] is the result of group members becoming lazy, relying on other
members in the group and not contributing as many ideas as they could”. This usually
happens when contributors to some work are evaluated as a group, compared to when their
individual performance is evaluated.
Two solutions that could reduce the effect of free riding are: highlighting identifiability in
groups and increasing the accountability for individual performance. However, a balance has
to be kept between evaluation apprehension and free riding, e.g. exposing everybody’s
work in the weekly company newsletter to avoid free riding will most likely make people
more apprehensive about evaluation.
9: Encountering events. The solid arrows indicate what typically happens when some sort of
event is encountered: “notice is taken of the event (9), a competent response is chosen (3),
and that response is carried out (6)”. An example could be that somebody realizes they need
milk, they decide to go to the grocery store and then they go get the milk. But sometimes
a response doesn’t emerge right away and instead the event sparks an idea54. And that is
when the complete tour around the life cycle of creative endeavors begins. Analysis: This
phase is obviously part of what we defined as the ‘Creative Process’ in the introduction. In
terms of software development the initiating event could be the investigation leader passing
a task to an investigator. At this point nothing tangible (to others) has been produced; only
the urge of the creator to pursue the idea exists.
7: Reorienting one’s perspective / realizing the goal. The first product is finished which is
something that needs to be acknowledged and a response to this new situation is necessary.
The arrow back to ‘Formulating a goal’ is a sort of reflection arrow: Did things turn out
as expected? What can be said about the goal set up in the first place? Etc. Analysis:
Creativity plays a part in this phase, when trying to imagine how to maximize the outcome
of the newly released product. The reflection on how the result is compared to initial
formulation of the goal is considered to be an important learning process for future products.
8: Using the result. Launching the product as imagined in phase 7 when the goal was realized.
It “is the most spontaneous and unpredictable phase of the endeavor, and for the right
people, the most exciting” [149]. It is also the phase where it is possible to reflect on all
the phases leading to the launched product, by looking at the plan as indicated by the
arrow. After a while the new product is merged into the general understanding of status
quo and new events are encountered because of this, i.e. the cycle is complete. Analysis:
The reflective learning nature of this phase is interesting.
Figure 5.17: The life cycle of creative endeavors showing steps 9 to 8 [149].
Summary
Out of routine life arises desire for change. A raw idea is refined into a goal, which
is further refined into a concrete objective. A decision is then made, the consequent
implementation problems identified, and a plan made which takes them into account.
The work is then carried out, bringing the innovator (or team) to the realization of the
goal. The result is then exploited, and eventually becomes part of the everyday routine.
In Table 5.2 we consider if each phase applies to the creative process discussed in this section:
(Y)es or (N)o. It is also indicated whether or not each phase is considered supportable or not by
a software tool. The reasoning behind these indications is given in the analysis of each phase of
the life cycle of creative endeavors above, and summarized below in the table.
5.6. SIMPLE TOOLS CHAPTER 5. THEORY AND TECHNOLOGY
1: Formulating a goal
2: Exploring options
3: Making a choice
goal
The Creative Process Y Y Y Y Y N N Y N
Supportable N N Y N Y Y Y N N
We find that ‘encountering events’, ‘formulating a goal’, and ‘exploring options’ are part of the
generic problem preparation phase in creative process models. ‘Identifying the problems to be
solved’ is similar to the generic idea generation phase, and ‘making a choice’ and ‘reorienting one’s
perspective’ are part of the generic idea evaluation phase.
The suggested tools for ‘exploring options’, like a team brainstorming process, simulation and
prototyping, indicate to us that the phase is supportable by a software tool. ‘Identifying the
problems to be solved’ by listing them in classes around a circle and then putting subproblems
adjacent to each problem is very well suited for computational support, just like the phase ‘making
a plan to deal with the problems’. When ‘reorienting one’s perspective’ it would be convenient to
have an electronic version of the old plan to alter according to the new perspective.
5.5.4 Summary
We have reviewed the creative process by analyzing relevant models (their nature and phases) and
have gained important insight into this, to us, previously unknown domain. Furthermore, we have
looked at some human factors that might influence the outcome of the creative process and finally
we reviewed and analyzed the phases comprised in an entire creative endeavor.
Figure 5.18: A sketch of the creative room we designed for agile planning sessions during our
master thesis. [165]
base process like eXtreme Programming [165] (often referred to as XP) or Crystal Clear [42],
or “alternatively, you may decide to pick the best features from a collection of existing software
processes, to form your own process” [11] (see Figure 5.19). This alternative matched well with
our purpose of building a creativity enhancing tool that could form software processes as well as
the many different approaches to criminal network investigation.
Figure 5.19: AM enhances other software processes [11], and criminal network investigation processes
could also benefit.
AM is not prescriptive but a collection of practices, “guided by principles and values, for software
professionals to apply on a day-to-day basis” [11]. The following points describing the scope of AM
are important to us: “AM is not an attack on documentation”, “AM is not an attack on CASE55
tools” and “AM is a way to work together effectively to meet the needs of project stakeholders”
(which is also what the collaborative Blitz Planning56 session is all about).
We were also interested in AM’s views on tools for modeling and agile work areas (e.g., criminal
network investigation work areas, or war rooms, as they are often called). These views would
support the decisions made when developing the Blitz Planning prototype and creating the vision
for the Creative Room. These are reviewed next. One of AM’s core practices dictates using the
simplest tools. AM distinguishes between two types of modeling tools: simple tools and CASE
tools, where simple tools are “manual items you use to model systems” [11]. These simple tools
can however also be supported with different technology which will be explained later. CASE
tools (defined as “software packages”) can also be applied since the AM core practice on tools is:
Ambler (2002) lists a number of simple tool advantages [11]. We find that the following advantages
are relevant to apply, and comment on the direct relation whenever it is found necessary. Simple
tools are inclusive (we decided that our software version of Blitz Planning would have to be as
similar as possible compared to the paper card version of Blitz Planning), provide tactile feedback,
are flexible, are non-threatening to users, are quick to use, can be used in combination with complex
ones and promote iterative and incremental development.
As mentioned earlier, simple AM tools can be supported with technology. One important point
here is that electronic white boards are mentioned. We limit ourselves to presenting some relevant
examples here. The examples are mainly taken from [41] which presents “a survey of agile
teams for tools they say help produce better software quicker”. The survey is conducted by Cockburn
(2004), “an internationally respected expert on object-oriented design, software development
methodologies, use cases, and project management” [41].
Cockburn categorizes simple tools by purpose (hiring, collaboration, communication and management)
and form (environmental, social, physical devices, process and thinking). We select tools
that are relevant to our work and comment when necessary. In the next section we list simple,
but computerized, tools such as wikis and spreadsheets.
Form:
Environmental. Again lots of wall space for posting information radiators and convex
or straight desks so people can cluster around the monitor.
Social. Collocated teams for fast communication, personal interaction, retrospectives and
reflection activities, pair programming and posting information radiators in unusual places
to attract communication (e.g., in the bathroom).
Physical. Index cards and Post-it notes, butcher paper lining walls and halls, white boards
(standard or movable, printing, recording, or with a camera) and poster sheets (plain paper,
3M sticky, or plastic cling sheets e.g. LegaMaster Magic-Charts). We note the wall-to-wall
writable and movable surface concept for expressing ideas.
Process. Project planning jam session (XP’s planning game [125], Crystal Clear’s blitz planning [42],
or Scrum’s sprint planning [125]), reflection or retrospective workshops, pair programming
sessions, refactoring, growing the system functional bit by bit, time boxing, spike prototyping
and frequent delivery.
As agile development moved into distributed development, people started to find and invent
on-line collaboration tools [41]: “WikiWiki and thread-based discussion group technologies, instant
messaging technologies with group and recording variants, and distributed brainstorming
technologies”, e.g. CardMeeting (see www.cardmeeting.com and [165]). The Wiki Web technology
discussed next was created by Ward Cunningham, one of the XP founders [125].
Our own experiences with project Wikis are few, but they have proved useful during previous
master courses, where they were used for fast accumulation of knowledge on the project subject.
Larman elaborates further on the concept in [125]: “Like blogs, Wiki Webs (or Wikis) allow people
to edit Web pages using only their browser, but they go farther: they allow one to easily create
new pages and hyperlinks between Wiki pages, using only a browser and special WikiWords.
Of course, these capabilities are available with myriad tools, but Wikis make the tasks especially
simple and fast. Thus, Wikis are a popular tool on agile projects to capture project information,
and as a simple knowledge management tool”.
The need for, and how to make, agile planning software has been discussed by many [11, 44]. On
his website www.xprogramming.com Ron Jeffries comments on planning software claiming that:
“There’s something very right about a team working together with whiteboard[s], cards, things
posted on the wall. Everyone can be engaged, involved, equal”. We note that the important
point is not that physical items (or tools, as described in section 4.3.3) are at play, but more what
these items make the users feel and do. This is highly related to the social approach to software
development and management described in Peopleware [54] by DeMarco and Lister: “The major
problems of our work are not so much technological as sociological in nature”.
Ron Jeffries claims that making the switch to software results in “someone own[ing] the keyboard,
and everyone else [being] an observer”. We interpret this as being a problem of cramping the
whole team together in front of a single work station. A solution could be to move everybody in
front of a larger medium with which everybody can interact. Cohn (2004) [44] discusses the main
advantages of paper over software and lists: “Their low tech nature is a constant reminder that
stories are imprecise”, “The typical note card can hold a limited amount of writing. This gives it
a natural upper limit on the amount of text.” and “note cards [. . . ] are very easy to sort and can
be sorted in a variety of ways. A collection of stories can be sorted into high, medium and low
priority piles”. We consider all the findings in this section so far to be requirements for any
piece of agile planning software.
AM recognizes that “the physical environment in which you work has a significant impact on how
effective you are as an agile modeler”. It states a number of factors that are considered critical
when creating an effective work area, like the creative room scenario envisioned in our master
thesis [165] (see Figure 5.18):
Dedicated space is important if the project teams are to be most effective. The team should
not have to “find an available meeting room to get some modeling done”. And the team
should not have to worry about other people erasing the white board sketches and other
notes.
Significant white board space. The working area can never have too much white board space:
“My preference is white boards floor to ceiling, wherever empty wall exists” [11].
A computer in the modeling area can be an advantage, if the team wants to research something
on the Internet or “access previous models that have been placed under version control”.
This relates to the wanted prototype feature: project methodology history database. If a
computer is placed in the modeling area, we have to make sure it is not counterproductive
for the team as a whole, e.g. complicated software can introduce a barrier to communication.
Wall space to attach paper. Space for attaching information on paper is also important: “It’s
good to have some non-white board wall space” [11].
To make the concept of a creative modeling area work, it is important that private areas are also
provided to team members. Everybody needs private time during the day.
all, we have observed that in many of the criminal network investigations we have reviewed and
studied, a single individual has made plans and carried them out on his own, or an individual
has been the main reason in terms of driving a network subgroup toward a crime (i.e., the
entrepreneur in Nesser’s (2006) model of jihadist terrorist cells in the UK and Europe [154]). Having
established the relevance of studying a single individual in a criminal network (as well as the life of
the person prior to joining that particular network), what should such a study focus on? We list
our first priority choices here:
“Open source world” associations: The individual’s links (associations) to the “open
source world”, particularly prior to and during a crime. By “open source world” we mean
associations that could have been picked up on through open source intelligence channels.
Knowledge about these associations is required, in order to analyze how that particular
individual could have been found prior to the crime. Again, such associations would have to
be abstracted as much as possible, in order to be found applicable to future cases. Examples
of a person’s associations with the “open source world” are very different in nature, but for
the sake of argument we list a subset of those here: recurring locations, other individuals,
money transfers, phone calls, emails, etc.
Meta data: Case-studies of individuals will reveal patterns in the attributes (meta data) that
are available about criminals, as well as differences in meta data. This is important in
terms of establishing which attributes are typically static and which are typically dynamic.
We divide attributes into biographical (year of birth, marital status, children, parents) and
characteristics (employment, education, skills, etc.).
The individuals we discuss below have already been subject to a lot of research, and we therefore
discuss the potential of looking at these individuals once more, taking an even more structural (or
network) approach. Khalid Sheikh Mohammed is mentioned throughout this dissertation, but is
not covered in this section. Omar Saeed Sheikh, the mastermind of the Daniel Pearl kidnapping,
is reviewed in Section 5.7.1. David Headley, who was in Copenhagen to scout the locations of
future Mohammed caricature attacks, is reviewed in Section 5.7.2.
case in Section 3.5.2), but at a much smaller scale and less successful, he was the entrepreneur
and mastermind in the 1994 kidnappings of tourists in India and the 2002 kidnapping of Daniel
Pearl. It would be interesting to look at the individuals involved in the failed 1994 kidnappings,
the 1999 hijacking that set Omar free after the 1999 failure, the 2002 kidnapping of Daniel Pearl,
and finally how it came to be, that when he was arrested, he had stayed with a retired ISI general
for one week, living near a Pakistani military base. It would be relevant to search for links between
the different attacks and kidnappings, and if it would be reasonable to say something about how,
if possible, those links could have been discovered during the investigations of the events.
Tahawwur Hussain Rana usually arranged Headley’s travels, taking the role as organizer and
financier. Headley was an employee of Rana’s company, First World Immigration Services, and
has claimed to travel as part of his employment, however never bringing much evidence in his
luggage [57]. Both Headley and Rana traveled extensively between the United States, Asia and Europe:
On two occasions (January and July 2009) prior to his arrest on October 3rd 2009, Headley was in
Denmark, visiting Jyllands-Posten in both Copenhagen and Aarhus. He also met with high ranking
representatives of fundamental Islamist organizations, including Lashkar-e-Taiba, Harkat-ul Jihad
Islami and their leader and front figure Muhammad Ilyas Kashmiri, who supported Headley’s
continued focus on Denmark, when asked by LeT to change their focus to target Indian interests.
Kashmiri is a well connected man in terms of terrorism contacts: He has worked with the Afghan
Taleban leader Mullah Omar and is one of the leaders in Al-Qaeda’s Brigade 313. Furthermore he
has experience with guerrilla warfare and terrorism from his participation in the Kashmir conflict.
In summary, Headley’s role was primarily that of a minion and planner, traveling the world,
meeting people and gathering information [220], which was then communicated to other parts of
the MMP network.
5.7.3 Summary
While Omar Saeed Sheikh was an example of the entrepreneurial terrorist, the mastermind who
plans and plays minor roles, David Coleman Headley and the Mickey Mouse project were an
example of a new strategy implemented by Al-Qaeda. Terror cells now have their base in a different
country, using their foreign passport, plus a business visa in Headley’s case which he used to avoid
questioning from immigration authorities (e.g., India, Mumbai 2008). After the announcement on
October 27th PET added this threat from “outside” to their threat level assessment [16], since the
general opinion in Denmark previously was that the threat mainly was from persons already in
the country. A new role of planner has also been added to the terrorism cell, separated from
the person who actually carries out the attack. Before the attacks in India, Mumbai 2008, this was
usually the same person.
5.8 Intelligence
The following anecdote from 2009 describes the author’s first encounter with intelligence (prior to
that the focus had been on information):
After a successful opening ceremony for the research lab at city hall only 1 month
into my Ph.D. studies, another student and I were chatting with Jarret Brachman and
Arno Reuser. Little did I know who I was talking to at the time. The opening ceremony
had been attended by local police brass, the mayor, the United States and Pakistan
ambassadors, and so on, and I had decided that paying attention to the titles of individuals
was not important. At one point, Reuser shares some of his experience on open source
intelligence: “Let us say that the Netherlands wanted to deploy ground troops in an
African country. The most valuable actionable intelligence for securing the success of
such an operation would be information about whether or not the crops in the area had
recently been harvested and if it had, is it going to be a full moon on the night of the
operation, and if so, will it be cloudy?”.
The anecdote makes it clear that the nature of actionable intelligence can be many things, and
that simple information such as the weather and local harvest season could be more important
to success than, let’s say, information about the target of Arno Reuser’s operation scenario. Hitz
(2009) presents a somewhat different perspective on intelligence and intelligence gathering today:
tracking of terrorists and their potential weapons by good detective work and perceptive
mining of reams of open sources. This is no longer back-alley skulking in a trench coat.
It is down-and-dirty police investigative work, tracing radicals and their bomb-making
materials, and recruiting informants to watch mosques and radical meeting sites.
Since we have discussed the intelligence process and its elements (activities) in Chapter 3 (more
precisely Sections 3.3 and 3.4), we will focus here on intelligence in general, and two different types
of intelligence, open source intelligence and secret intelligence. We will discuss the value of open
source intelligence against secret intelligence, and outline their role in a bigger intelligence picture
(see Section 5.8.2). But first we take a look at the differences and similarities between intelligence
and information (Section 5.8.1).
Figure 5.20: Secret Intelligence Misses 80 percent of the Relevant Information [source: OSS.NET].
method has also been used to locate leaders in terrorist networks, by traversing a network of phone
calls, locating sources [177].
Specific techniques for terrorist network analysis often take the mentioned centrality measures as
input to their computations. Examples include measures of link importance based on secrecy
and efficiency [245], the prediction of covert network structure [184], missing links [183], and
missing key players [182], and custom-made techniques developed by investigators to target
network-specific analysis tasks, such as the node removal technique described in [169]. In this
section we discuss various mathematical models (techniques) relevant for criminal network
investigation. We look at social network analysis for criminal network investigation in Section 5.9.1
and prediction techniques in Section 11.1.7.
Techniques from social network analysis and graph theory can be used to identify key entities
in criminal networks [240]. Information about key entities (individuals, places, things, etc.) is
helpful for network destabilization purposes [35], or as input for other criminal network analysis
Entity degree centrality. An entity is central when it has many links (associations) to
other entities in the network. This kind of centrality is measured by the degree of the entity,
the higher the degree, the more central the entity. Degree centrality can be divided into
in-degree centrality and out-degree centrality, referring to the number of incoming and outgoing
links an entity has. A social network with high degrees of both is a highly cohesive network.
Entity closeness centrality. Closeness centrality indicates that an entity is central when
it has easy access to other entities in the network. This means that the average distance
(calculated as the shortest path) to other entities in the network is small.
Entity betweenness centrality. Usually not all entities are connected to each other in
a network. Therefore, a path from one entity to another may go through one or more
intermediate entities. Betweenness centrality is measured as the frequency of occurrence
of an entity on the geodesic connecting other pairs of entities. A high frequency indicates
a central entity. These entities bridge networks, clusters, and subgroups: “betweenness
centrality fleshes out the intermediaries or the brokers within a network” [150].
Entity eigenvector centrality is like a recursive version of entity degree centrality. An
entity is central to the extent that the entity is connected to other entities that are central. An
entity that is high on eigenvector centrality is connected to many entities that are themselves
connected to many entities.
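The four measures above can disagree about which entity is "key", which matters when their output feeds a destabilization or prioritization decision. The following added example (not code from the dissertation or its tools) computes all four on a small constructed undirected network with placeholder entity names; the Brandes algorithm for betweenness and power iteration on A + I for eigenvector centrality are implementation choices made here.

```python
from collections import deque

# Constructed sample network: undirected associations between placeholder entities.
EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"), ("D", "E"), ("D", "F")]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def degree_centrality(graph):
    """Number of links per entity, normalised by the maximum possible (n - 1)."""
    n = len(graph)
    return {v: len(nbrs) / (n - 1) for v, nbrs in graph.items()}


def _bfs(graph, source):
    """Breadth-first search returning distances, shortest-path counts,
    predecessors on shortest paths, and the order in which nodes were reached."""
    dist = {source: 0}
    sigma = {v: 0 for v in graph}
    sigma[source] = 1
    preds = {v: [] for v in graph}
    order = []
    queue = deque([source])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in graph[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
            if dist[w] == dist[v] + 1:
                sigma[w] += sigma[v]
                preds[w].append(v)
    return dist, sigma, preds, order


def closeness_centrality(graph):
    """Reachable entities divided by the sum of shortest-path distances to them."""
    result = {}
    for v in graph:
        dist = _bfs(graph, v)[0]
        total = sum(dist.values())
        result[v] = (len(dist) - 1) / total if total else 0.0
    return result


def betweenness_centrality(graph):
    """Brandes' algorithm: shortest paths between other pairs that pass through v."""
    score = {v: 0.0 for v in graph}
    for s in graph:
        _, sigma, preds, order = _bfs(graph, s)
        delta = {v: 0.0 for v in graph}
        for w in reversed(order):
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: b / 2 for v, b in score.items()}  # undirected: each pair counted twice


def eigenvector_centrality(graph, iterations=500, tol=1e-12):
    """Power iteration on A + I (same eigenvectors as A, but cannot oscillate)."""
    x = {v: 1.0 for v in graph}
    for _ in range(iterations):
        nxt = {v: x[v] + sum(x[w] for w in graph[v]) for v in graph}
        norm = sum(val * val for val in nxt.values()) ** 0.5
        nxt = {v: val / norm for v, val in nxt.items()}
        if max(abs(nxt[v] - x[v]) for v in graph) < tol:
            return nxt
        x = nxt
    return x


def top_entities(scores):
    """Entities sharing the highest score (ties are reported together)."""
    best = max(scores.values())
    return sorted(v for v, s in scores.items() if abs(s - best) < 1e-9)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for name, fn in [("degree", degree_centrality), ("closeness", closeness_centrality),
                     ("betweenness", betweenness_centrality),
                     ("eigenvector", eigenvector_centrality)]:
        scores = fn(g)
        print(f"{name:12s} top={top_entities(scores)}",
              {v: round(s, 3) for v, s in sorted(scores.items())})
```

On this network C and D tie on degree and closeness, D alone leads on betweenness (it is the only bridge to E and F), and C alone leads on eigenvector centrality (it sits in the densely linked triangle).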
Semantic web concepts have many characteristics in common with our understanding of criminal
network entities and their associations. Similar to centrality measures for criminal networks (see
Section 5.9.1 above), semantic web concepts have been developed to measure the centrality of
entities in online social networks. We are interested in analysis of complex systems in which nodes
could be any object, relations (links) could be of any nature, and structures are generated by
the users (investigators). Semantic web technology can explicitly model the interactions between
individuals, places and things in complex systems of information entities, but classical social
network analysis methods are typically applied to “these semantic representations without fully
exploiting their rich expressiveness” [64]. A short summary of semantic web technology and a
social network analysis example is given in [63]:
Semantic web [technologies] provide a graph model, a query language and type and
definition systems to represent and exchange knowledge online. These [technologies]
provide a [. . . ] way of capturing social networks in much richer structures than raw
graphs. Several ontologies can be used to represent social networks. The most popular
is FOAF (http://www.foaf-project.org/), used for describing people, their relationships
and their activity. A large set of properties is dedicated to the definition of a user profile:
“family name”, “nick”, “interest”, etc. The “knows” property is used to connect people and to build a
social network. [. . . ] The properties in the RELATIONSHIP ontology specialize the
“knows” property of FOAF to type relationships in a social network more precisely
(familial, friendship, or professional relationships). For instance the relation “livesWith”
specializes the relation “knows”.
Figure 5.21: “Queries that extract the degree centrality of [individuals] linked by the property
foaf:knows and its specialization relationship:worksWith” [63].
5.9.2 Prediction
Prediction techniques include extrapolation, projection, and forecasting based on past and current
states of a criminal network. These three predictive techniques follow the approach of assessing
forces that act on an entity [40]. The value of prediction lies in the assessment of the forces that
will shape future events and the state of the criminal network. An extrapolation assumes that
those forces do not change between the present and future states; a projection assumes that they
do change; and a forecast assumes that they change and that new forces are added.
Bayesian inference is a (forecasting) prediction technique based on meta data about individuals
in criminal networks. A statistical procedure that is based on Bayes’ theorem can be used to infer
the presence of missing links in networks. The process of inferring is based on a comparison of
the evidence gathered by investigators against a known sample of positive (and negative) links in
the network, where positive links are those links that connect any two individuals in the network
whereas negative links are simply the absence of a link. The objective is often to assess where
links may be present that have not been captured in the collected and processed criminal network
information.
Prediction techniques
Prediction of covert network structure [184] is useful when you have a list of individuals suspected
to be part of your current criminal network investigation. The algorithm indicates probable covert
members on the list and how they are linked to the existing structure. The predict missing links
algorithm [183] starts prediction based on the current criminal network structure. The likelihood of
a link being present between all node pairs in the network is calculated based on the attribute data
of the remaining individuals. Links that have a missing likelihood higher than a pre-determined
value (calculated from the product of individual attribute likelihoods) are predicted as new links
in the network. Links are predicted in the same way by the covert network structure algorithm,
using a Bayesian inference method.
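The thresholded product of per-attribute likelihoods described above can be illustrated with a naive Bayes sketch. This is an added, simplified example and not the algorithms of [183] or [184]: the people, attributes, known links and non-links are constructed, and the Laplace smoothing, the prior of 0.2 and the threshold of 0.5 are assumptions chosen for the illustration.

```python
from itertools import combinations

# Constructed attribute data for placeholder individuals.
PEOPLE = {
    "P1": {"city": "North", "employer": "Acme"},
    "P2": {"city": "North", "employer": "Acme"},
    "P3": {"city": "North", "employer": "Birch"},
    "P4": {"city": "South", "employer": "Birch"},
    "P5": {"city": "South", "employer": "Cedar"},
    "P6": {"city": "East", "employer": "Cedar"},
    "P7": {"city": "South", "employer": "Cedar"},
}
ATTRIBUTES = ("city", "employer")

# Known sample: positive links (present) and negative links (confirmed absent).
KNOWN_LINKS = [("P1", "P2"), ("P3", "P4"), ("P4", "P5"), ("P1", "P3")]
KNOWN_NON_LINKS = [("P1", "P5"), ("P2", "P6"), ("P3", "P6"), ("P2", "P3")]


def match_rate(people, pairs, attr):
    """P(attribute values match) among the given pairs, with Laplace smoothing."""
    hits = sum(people[a][attr] == people[b][attr] for a, b in pairs)
    return (hits + 1) / (len(pairs) + 2)


def train(people, links, non_links):
    """Per attribute: (P(match | link), P(match | no link))."""
    return {attr: (match_rate(people, links, attr), match_rate(people, non_links, attr))
            for attr in ATTRIBUTES}


def likelihood_ratio(model, people, a, b):
    """Product of individual attribute likelihood ratios for the pair (a, b)."""
    ratio = 1.0
    for attr, (p_link, p_none) in model.items():
        if people[a][attr] == people[b][attr]:
            ratio *= p_link / p_none
        else:
            ratio *= (1 - p_link) / (1 - p_none)
    return ratio


def posterior(ratio, prior_link):
    """Bayes' theorem in odds form: posterior odds = prior odds * likelihood ratio."""
    odds = prior_link / (1 - prior_link) * ratio
    return odds / (1 + odds)


def predict_missing_links(people, links, non_links, prior_link=0.2, threshold=0.5):
    """Score every pair not in the known sample; return those above the threshold."""
    model = train(people, links, non_links)
    known = {frozenset(pair) for pair in links + non_links}
    predicted = []
    for a, b in combinations(sorted(people), 2):
        if frozenset((a, b)) in known:
            continue
        p = posterior(likelihood_ratio(model, people, a, b), prior_link)
        if p > threshold:
            predicted.append((a, b, round(p, 3)))
    return sorted(predicted, key=lambda row: -row[2])


if __name__ == "__main__":
    for a, b, p in predict_missing_links(PEOPLE, KNOWN_LINKS, KNOWN_NON_LINKS):
        print(f"candidate link {a}-{b}: posterior {p}")
```

Raising the prior from 0.2 to 0.5 on the same data turns one predicted link into four, so the prior and threshold need to be recorded alongside any prediction that is acted on.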
lizing terrorist networks. This novel method is inspired by research on transportation networks,
and the fact that the links between nodes provide at least as much relevant information about the
network as the nodes themselves. The measure of link importance offers new insights into terrorist
networks by pointing out links that are important to the performance of the network. A terrorism
domain model with both nodes and links as first class objects will allow additional features to be
built into the terrorist network and visualization tools [80, 244]. we
Criminal network investigation involves collection, processing and analysis of information related
to a specific target creating products that can be disseminated to customers. A number of complex
tasks are associated with these processes [174]. When supported by tools these tasks have significant
ethical impact because their usage is more or less controlled. One example is profiling, both
personal and especially group profiling by means of data mining [50] or manually inferred rules
based on observations of recurring relationships or characteristics of persons and groups [154].
The transparency of social network analysis (SNA) measures like betweenness and closeness
centrality [240] and prediction algorithms decreases when applied to an increasing number of nodes
and links. Lack of evidence source linking might result in situations where it is unclear who created
the link to the source, when the link was created, who collected and processed the information
in the first place etc. [222]. Inferential judgments are based on pros and cons about positions
and issues. But if the pros and cons are not saved these decisions cannot be audited by a third
person [46].
Figure 5.22: Determinism continuum, from open-ended to closed, indicating the degree to which
technology predetermines usages [119].
During analysis, especially when applying automated features such as social network analysis and
prediction, the tool has more ethical impact and power of influence. The determinism continuum
in Figure 5.22 illustrates this perfectly. The analyst cannot help having his or her actions and
interpretations influenced by the output of a complex analysis. When information is disseminated
to the customer, the customer has the power of influence to interpret and use the disseminated
information as he or she finds convenient.
To investigate the ethical issues on the tool side, we have studied existing literature on ethical
issues (e.g., [143]) and methodologies for ethical impact assessment of new (information) technology
(e.g., [233, 253]). However, identification of ethical issues and the development of methodologies
for impact assessments are still in their infancy [179, 253]. Important reasons for this
underdevelopment of a methodology for morally evaluating technology development are related to its complex,
uncertain, dynamic, and large-scale character that seems to resist human control [253]. And while
identified ethical issues like ‘dissemination and use of information’, ‘control, influence and power’
and ‘impact on social contact patterns’ are relevant for criminal network investigation tools they
are not process specific, making it difficult to assign ethical responsibilities.
We believe that human control of criminal network investigation tools is possible [247]. If we
combine this understanding with our findings that ethical impact at the task level is higher for
criminal network investigation tasks that dictate predetermined usage (i.e. automated tasks),
we have identified the core problem: The choices that analysts, collectors and customers prefer
to make are never fully predictable and tool support should therefore be dynamic and
open-ended [119] (Figure 5.22).
This suggests a human-centered approach where the humans (end users) are in charge of the
criminal network investigation processes and tasks and the tools are there to support them. If
the end users lose control (i.e. the tool predetermines usage) the ethical impact of the criminal
network investigation processes and tasks will increase. The challenge is to overcome the high
level of controllability that is inherent in the security and risk burdened world of criminal network
investigation.
We now have an initial understanding of the ethical responsibilities of end users and tools, as well
as the remedy for the ethical impact on the tool side: a human-centered approach. Based on these
observations we have designed the following list of ethical principles and values. The values can
apply to more than one principle in various ways as seen below. Not all combinations of principles
and values have been described.
Transparent. Tool transparency is a precondition to human trust. A lack of transparency
undermines the use of tool supported tasks.
(Customizable) Entities. Using an entity-based approach in which all entities are first class
is a precondition for several ethical values e.g. dynamic structuring.
(Dynamic) Reasoning. Being able to record and review reasoning sessions would clarify how
inferential judgments are made.
(Interactive) History. Creating, updating and deleting content related to entities should
be recorded for later reference. Storytelling using history events adds transparency to the
progress of an investigation.
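One way to realize the (Interactive) History principle, and to answer the evidence source linking questions raised earlier (who created a link, when, and from which source), is an append-only event log whose entries are hash-chained so that later edits are detectable. This is an added example, not the dissertation's or any vendor's implementation; hash chaining is a technique chosen here, and the class name, field names, actors, entity ids and sources are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64
ACTIONS = ("create", "update", "delete")


class InvestigationHistory:
    """Append-only, hash-chained record of changes to entities and links."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same event always hashes to the same value.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, timestamp, actor, action, entity_id, content=None, source=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        body = {
            "seq": len(self.events),
            "timestamp": timestamp,
            "actor": actor,
            "action": action,
            "entity_id": entity_id,
            "content": content,
            "source": source,
            "prev": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event = dict(body, hash=self._digest(body))
        self.events.append(event)
        return event

    def first_invalid(self):
        """Index of the first event that fails verification, or None if intact."""
        prev = GENESIS
        for i, event in enumerate(self.events):
            body = {k: v for k, v in event.items() if k != "hash"}
            if event["seq"] != i or event["prev"] != prev or self._digest(body) != event["hash"]:
                return i
            prev = event["hash"]
        return None

    def provenance(self, entity_id):
        """Who did what to an entity, when, and from which source."""
        return [(e["timestamp"], e["actor"], e["action"], e["source"])
                for e in self.events if e["entity_id"] == entity_id]

    def state_at(self, seq):
        """Replay events 0..seq to rebuild entity content as it was at that point."""
        state = {}
        for e in self.events[: seq + 1]:
            if e["action"] == "delete":
                state.pop(e["entity_id"], None)
            else:
                state[e["entity_id"]] = e["content"]
        return state


def build_sample_history():
    """Constructed events; actors, entities and sources are placeholders."""
    h = InvestigationHistory()
    h.record("2024-01-10T09:00:00Z", "analyst_a", "create", "person:1",
             {"label": "Person 1"}, "report-001")
    h.record("2024-01-10T09:05:00Z", "analyst_a", "create", "link:1-2",
             {"from": "person:1", "to": "person:2", "type": "phone call"}, "report-002")
    h.record("2024-01-11T14:30:00Z", "analyst_b", "update", "link:1-2",
             {"from": "person:1", "to": "person:2", "type": "money transfer"}, "report-003")
    h.record("2024-01-12T08:15:00Z", "analyst_a", "delete", "person:1", None, None)
    return h


if __name__ == "__main__":
    history = build_sample_history()
    print("chain intact:", history.first_invalid() is None)
    for row in history.provenance("link:1-2"):
        print(row)
    history.events[1]["actor"] = "someone_else"  # simulate an after-the-fact edit
    print("first invalid event after edit:", history.first_invalid())
```

The chain only proves internal consistency: truncating the tail or rebuilding the whole chain goes unnoticed unless the latest hash is also kept somewhere the log's writers cannot alter.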
Related work
Two approaches to addressing the ethical impact of criminal network investigation processes have
been reviewed. The following commercial tool supporting criminal network investigation work
flows represents the point of view that the protection of privacy and civil liberties should be
embedded in tools. This is the approach we would like to adopt. Palantir Government 3.0 is a
platform for information analysis designed for environments where the fragments of data that an
analyst combines to tell the larger story are spread across a vast set of starting material [5]. Privacy
and civil liberties are “embedded in Palantir’s DNA”, exemplified by technologies like Access
Control Model, Revisioning Database and Immutable Audit Logs. Palantir used existing legislation
as guidelines on how to address ethical issues in implementation, e.g. the 9/11 Commission
Implementation Act [223]. More importantly, Palantir Government 3.0 has separated their entity
model from the domain ontology, making the representation of entities and their relationships
customizable. Furthermore, an interactive and navigable history of events is logged and finally
various hypertext structures are, unintentionally, facilitated. This suggests an open-ended and
dynamic approach to criminal network investigation tool support.
Another approach is presented in [179]: “the solution lies in developing and integrating advanced
information technologies for counterterrorism along with privacy-protection technologies to
safeguard civil liberties. Coordinated policies can help bind the two to their intended use”. Examples
of privacy-protection technologies include a privacy appliance, which involves the use of a separate
tamper-resistant, cryptographically protected device on top of databases. Making information anonymous
is a technique used within the privacy appliance: it generalizes or obfuscates data, providing the
system with a guarantee that any personally identifiable information in the released data can’t be
determined, yet the data still remains useful from an analytical viewpoint.
newspapers has given Denmark a high ranking on terrorism target lists around the world. Despite
this Denmark is a nation facing actual terrorism plans only intermittently, resulting in the media
intensifying their coverage when such events occur.
The fact that the Danish politicians did not hesitate to announce they were ready to evaluate
and tighten the Danish counter terrorism legislation enacted in 2002 and 2006 after the Mickey
Mouse project (MMP) had been revealed, is another interesting aspect of the influence of media
in “preparing” the public to support such statements. The controversy is that tightening the
laws conflicts with citizen liberties. Also, if “terrorism is as much about the threat of violence as
the violent act itself” [92], did David Headley (Mickey Mouse project surveillance, etc.), and his
accomplices achieve their goal? Or is it acceptable to disregard the civil liberties of the public
for increased safety through more and stricter legislation?
The first serious response from within Denmark to the initial printing of the Muhammad caricatures
on September 30th 2005 was the postulated plans and intent to murder caricature cartoonist
Kurt Westergaard by the use of strangulation [15]. On February 12th 2008 three men were arrested
facing these complaints; one Danish citizen was released while two Tunisians were administratively
expelled [15] and controversially imprisoned without trial [151]. The final verdict in the Tunisian
case is still not given, and on December 4th 2009 it was decided to try the case at the Danish
Supreme Court [138].
The more recent incidents have had some interesting characteristics in common with the Mickey
Mouse project (see Section 5.7.2). First of all the cases described below all had links to the training
camps in north Waziristan, more specifically the Federally Administered Tribal Areas (FATA) on
the border to Afghanistan. This applies especially to the main person involved in the Glasvej case,
who used some of the same codewords as in the Mickey Mouse project.
On October 21st 2008 a unanimous jury declared Hammad Khürshid (Danish-Pakistan) and
Abdoulghani Tohki (Afghan) guilty of planning terrorism intending to use bombs [85, 209]. The
men had experimented with producing the very unstable explosive TATP in their common
apartment in Copenhagen [209]. The wire-puller Hammad Khürshid was sentenced to 12 years in jail
at the court in Glostrup, while Abdoulghani Tohki was punished with a seven year sentence and
expelled from Denmark for life because of his Afghan citizenship [209]. After the sentencing new
information was revealed, which showed that Hammad Khürshid had been recruited and trained
by one of Osama bin Laden’s most important lieutenants, the Egyptian Abu Ubaidah al-Masri,
in the northern Pakistani province Waziristan [213]. The first arrests associated with the Glasvej
case were made in April 2007 [209].
On June 2nd 2008 followed an incident not similar to the previous cases, primarily because it took
place in Pakistan: “A car bomb exploded outside the Danish Embassy in an upscale area of the
Pakistani capital” [164] Islamabad “killing eight persons and injuring up to 30” [185]. Al-Qaeda
later claimed to be responsible for the attack, stating it was “revenge for the publishing of the
Muhammad cartoons” [133]. The Mickey Mouse project followed this incident as the next case
with links to Pakistan.
On January 1st 2010, a 28-year-old Somali man attacked cartoonist Kurt Westergaard in his home,
threatening him with a knife and an ax [186]. Westergaard successfully escaped to his custom-made
panic room, and later the Somali man was subdued by the police using gunshots [186]. According
to PET the offender had close contact with the militant group al-Shabaab in Somalia [88].
The political climate in Denmark in October 2009 and Danish counterterrorism legislation
“During the last decade the Danish political system has undergone a polarization. Where the political
scene earlier has been characterized by minority governments that have sought parliamentary
support across the middle, Danish policy today is dominated by two political blocs, respectively,
a center-left bloc and a right bloc” [90], a change that started with the election of a right-wing
government in 2001. On June 8th 2002 the first Danish counter terrorism law was enacted as a
direct consequence of 9/11 (2001). The extension of the law grants the Danish secret intelligence
service PET a number of extended powers concerning surveillance of private individuals and the
right to perform multiple searches with a single court order [14].
Denmark has been involved in the international NATO mission in Afghanistan since 2002. On
January 11th 2002 the Danish parliament unanimously decided that Danish military forces should
be available for an international security force in Afghanistan [17]. A status report from October
22nd 2009 shows that Denmark has 690 soldiers in Afghanistan, and that 28 soldiers have been
killed. “Denmark is one of the countries that measured per citizen has most soldiers killed in the
NATO led operation in Afghanistan, consisting of 43 countries” [98]. During March 2003 Denmark
also decided to join the US- and British-led coalition forces, although there was disagreement in
government. The majority of the population was against the decision since there was no mandate
from the UN [156].
On June 10th 2006 the second counter terrorism law was enacted following the 7/7 bombings
2005 in London. The 2006 law raised concerns among civil libertarians, although strong support
existed in the general public for the further tightening of the counter terrorism laws from 2002 [218]:
“The mood has shifted in Europe more toward security than it was before the London bombings,”
said Daniel Keohane, senior research fellow at the Center for European Reform in London. “The
Europeans have always been very nervous about infringing on civil liberties. But when you
experience terrorism, it changes your views.”
However, arguments regarding whether or not these laws are too strict are beyond the scope of this
Ph.D. dissertation. One comment, however, describes the media’s influence on Danish policy
makers:
Given the relatively short list of terrorist events related to Denmark directly, the same can be said
of the Danish government’s experience with enacting and enforcing such counter terrorism laws,
and of the Danish population’s propensity to support them immediately after the revelation of plans
to strike against Denmark and Danish interests.
See Chapter 11 for more on criminal network sense-making and Section 5.10 for a look at ethical
issues and trust in terms of tool support for criminal network investigation.
5.12.1 Interaction
We mention and discuss interaction theory and concepts throughout this dissertation, including how
we use interactive “proof-of-concept” prototypes [132] to develop tool support for criminal network
investigation. What we would like to discuss in this section is human-tool synergies, which better
describe our goals with the aforementioned tool support development. Investigators are the
decision-makers in criminal network investigations (e.g. low probability situations [130]), while
algorithms do routine calculations: “Men will fill in the gaps, either in the problem solution or
in the computer program, when the computer has no mode or routine that is applicable in a
particular circumstance” [130].
5.12.2 Visualization
Information visualization technologies have proved indispensable tools for making sense of complex
data [86]. Visualization techniques use both retinal properties and spatial arrangement for the
presentation of structured information, taking advantage of the human perceptual system.
However, most visualization systems do not support the visual editing of structured information. The
lack of direct manipulation of structured information in visualization systems means that there is
no expression in such an environment, and expression is part of a real decision making process [97].
Another problem is that “information visualization applications do not lend themselves to “one
size fits all” solutions; while successful visualizations often reuse established techniques, they are
also uniquely tailored to their application domain, requiring customization” [86].
Although visualization libraries primarily offer advanced unidirectional mappings, a lot can be
learned from them in terms of requirements for a graphical-oriented framework design. The
prefuse toolkit [86] for interactive information visualization is presented as an interesting case.
Our interest is mainly due to the set of finer-grained building blocks that prefuse provides for
constructing tailored visualizations. The template-modeled design process of “representing abstract
data, mapping data into an intermediate, visualizable form, and then using these visual analogues
to provide interactive displays” is very interesting.
5.13 Summary
This chapter started with an introduction to five pillars of theory and technology, describing the
relevance of each pillar for developing tool support for criminal network investigation, followed
by a summary of the theory and technologies within each pillar. A color legend was used to
indicate whether or not each theory or technology was covered in this chapter and to what degree,
or if it was covered in a fragmented manner throughout the dissertation. Then followed reviews
and summaries of individual theories and technologies, covered to a certain extent, matching
their role for this Ph.D. project. Hypertext, semantic web, human cognition, the creative process,
intelligence, and mathematical models therefore received the most attention. But theory from
information science, knowledge about simple tools for idea generation, case studies of individuals,
ethics, trust and user acceptance, and interaction and visualization have also played a role and
will play a role for future developments in criminal network investigation. This chapter illustrates
the many perspectives that a software systems engineer in criminal network investigation must
have, when developing tool support for criminal network investigation.
CHAPTER 6
In Chapter 1 we reviewed criminal network investigation challenges, and chose to focus on three
of them (information, process, and human factors), arguing that investigator-centric challenges
of a quantitative nature (i.e., suitable for modeling) would be addressable by software system
support. Based on the three selected challenges, we stated the following research hypothesis:
In this chapter we specialize our hypothesis and conduct a more detailed analysis of specific
problems associated with each challenge. Based on these problems (and our own knowledge and
ideas) we also formulate a research focus for each challenge, resulting in a list of requirements to
guide and evaluate our work (see Section 6.4 for more details on how we propose to do this). The
list of research focus requirements is considered software development requirements for developing
software tool support for criminal network investigation, while the criminal network investigation
tasks presented in Chapter 7 are considered criminal network investigation requirements, i.e.,
a list of tasks that investigators perform (for the majority) whether or not they use dedicated
tool support. Our review of criminal network investigation (criminal networks, structures,
processes, cognitive bases, and cases), related work (commercial tools and research prototypes),
and relevant theories and technologies for tool support of criminal network investigation revealed
the following problems related to information (Section 6.1), process (Section 6.2), and human
factors (Section 6.3).
6.1. INFORMATION CHAPTER 6. PROBLEM DEFINITION
tion are limited, potential suspects might not be discovered. On the other hand, if information
is scarce, decisions might be based on uncorroborated intelligence later proved to be false.
Many techniques have been developed that can analyze large amounts of networked information
and be applied during criminal network investigations. Most prominent is social network
analysis, the study of human relationship networks, or the application of statistical techniques
to the field of sociology (we review social network analysis in Section 5.9.1). Since
its beginning, the field has become more mathematical and rigorous, and has widened in
scope to encompass networks arising in other contexts. Today the field has become known
as network science [68].
The introduction of network science did not add to the network theory for detecting and
exposing hidden terrorist networks. Time-consuming manual tasks for synthesis of criminal
networks are still applied by law enforcement and intelligence services (e.g., [68, 139]). In
one concrete case, it took an experienced crime analyst six weeks to manually extract a fraud
link chart with 110 people, “even though most of the information in the chart came from
computerized records. [...] The base network extracted for the [fraud] evaluation (all links
between all nodes connected within two associational hops of the targets) included 4,877
nodes and 38,781 reported associations” [139]. This example also illustrates why it has been
“estimated that police officers spend up to 40% of their time handling information, making
it one of the most extensive police activities” [20].
2. Information incompleteness (e.g., [39, 168, 183]), such as variation in available metadata
(attributes) for entities or missing attribute values. Other incompleteness includes missing
links and missing network structure (nodes and links). It can be difficult to automatically
detect associations between entities when information is incomplete.
Once a criminal network is synthesized, its characteristics can be studied using standard
network measures such as centrality. However, the well-established techniques are not well
suited for the fragmented networks that organized crime and terrorism networks often are.
An intelligence analyst at the British Home Office pointed this out during a presentation
and talk there [167]. Researchers have started developing techniques that take into account
incomplete information (e.g., [177, 183]). We have developed measures of performance for
transformative prediction algorithms, to see how they reacted when attributes were missing
from the data or the accuracy of information was not complete [176].
3. Information complexity (e.g., [20, 116, 128]) is typically caused by the emerging and evolving
nature of information, especially within the counterterrorism domain. Information abundance
or scarcity on its own does not necessarily make the relations between entities in the
information more complex. The use of aliases, social complexity (e.g., culture and language)
and the mix of different information types (e.g., audio, images, signals, video) are all factors
that will increase the complexity of information.
Criminals prefer to remain covert, balancing secrecy and efficiency [244], e.g., by encrypting
their communication or keeping individuals and groups isolated from each other and on a
need-to-know basis in terms of communication. Or information is complex simply because
it is fragmented, as mentioned above. The use of deliberate (semantic) aliases, i.e. using
different names in different contexts, is a well known technique to remain covert. Omar Saeed
Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl, was
known to have used at least 17 aliases [128], and Khalid Sheikh Mohammad, who murdered
Daniel Pearl and was the mastermind behind, among other things, 9/11 (2001), used two dozen
aliases [146]. Simon and Burns share their experiences from organized drug crime environments,
where the drug dealers are out in the open, but use for example encryption of phone numbers
when paging each other to set up business, schedule meetings, etc. [10, 206].
1. Supporting the emergent and fragile nature of the created structure and fostering its
communication among investigators.
2. Integrating with the information sources used by the investigators, permitting them to be
represented and structured in a common information space.
3. Supporting awareness of, and notification based on, linked information across information
source boundaries.
4. Permitting multiple directions of thought through versioning support.
Supporting emergent structure as a means for knowledge representation, communication, integration,
and awareness/notification has been and still is discussed in depth in hypertext research.
1. Incremental deterioration (e.g., [5, 52, 59, 242]) often happens when following a linear process,
where investigators receive a mix of information (evidence) and interpretations of that
information, in the form of reports. Especially if the institution is collaborating with other
institutions, information is exchanged in reports. Some law enforcement institutions and
intelligence services make the distinction between information and interpretation clear as
part of their intelligence process. But that doesn’t stop the intelligence customer from
further interpretations of the analysts’ interpretations. And typically not all information is
included in reports for the customer, or collaborators.
The degree of incremental deterioration of information is different if the investigation is
solely within a single organization compared to (transnational) collaboration between agencies,
services, and law enforcement. However, while the problem is smaller, it is still there
and important to address. The most significant example we have come across is Curveball, in
which interrogation reports traveled from Germany through several compartments in agencies
and national security organizations in different nations, being translated from Arabic
to German to English, before reaching CIA analysts and ultimately decision makers in the
White House. Commercial tools for criminal network investigation recognize this problem
and promote their support of loss-less data abstractions in commercial material [5].
2. Responsibility (e.g., [40, 54, 59]) often depends on whether a person has something personal
at risk, the esteem of colleagues or the consequences of bad or rushed decisions. When
following a process with many compartments, it becomes easier to push the work requiring
responsibility onto the people responsible in the next compartment. And the individuals in
that department might be reluctant to “ask back” into the compartment from where they got
the information, and instead forward it to someone else.
An example of responsibility, again from the Curveball case, is Alex Steiner, the United
States Defense Intelligence Agency’s (DIA) liaison to the German federal intelligence service
(BND), receiving the incoming intelligence reports from BND. The Germans refused Steiner
or anyone else access to Curveball. Steiner didn’t mind; the case was very complex, and he
was looking forward to retirement. The case was a “hot potato”, but he let other people
care about the details; his role was “to oversee things” [59]. The 22/7 (2011) commission
report points out that the Norwegian police security service (PST) had received information
about individuals’ suspicious purchases of chemicals in Poland from the customs directorate,
to which other authorities such as the national postal service had raised their concerns. PST
received this information on 6/12 (2010), but the lead had not been followed up on when
the attacks happened on 22/7 (2011), because the different sections within the police security
service had spent five months deciding whose domain it was, and later when the case was
assigned to a section, the responsible case officer had to go on vacation for 10 weeks [153].
3. Overlapping processes (e.g., [170, 175]) become a software development problem when
choosing a target-centric approach. The target-centric alternative to a linear process means
that criminal network investigation processes will be overlapping, i.e., the structuring of
information and algorithm-based computations have to be performed on the same model. With
a linear process, with process compartments, one compartment has one model to solve its
task, and another compartment uses a different approach to solve its own.
Investigators move pieces of information around, they stop to look for patterns that can help
them relate the information pieces, they add new pieces of information, and iteration after
iteration the information becomes increasingly structured and valuable. Synthesizing emerging
and evolving information structures is a creative and cognitive process best performed
by humans. Making sense of synthesized information structures (i.e., searching for patterns)
is a more logic-based process where computers (tools) outperform humans as information
volume and complexity increases [175].
4. Information sharing (e.g., [40, 152, 242]) problems are often a consequence of the chosen
intelligence process, the culture of intelligence agencies and the tradecraft of secret intelligence.
Several reports have concluded that information sharing problems between intelligence agencies
were the root cause of intelligence failure. The main objective of criminal network investigation
research should be to understand the problems, processes, and tasks involved and then
develop tools assisting the people working with these processes and tasks every day to help
minimize the impact of the problems faced.
The wall between FBI and CIA before and after the investigations into 9/11 was high and
thick, and destructive for investigations: “The wall, as it was called, was often misunderstood
and frequently interpreted too broadly. The agents assigned to collecting intelligence
sometimes couldn’t, or wouldn’t, talk to their colleagues who were working the criminal side
of the same cases. Big things – like leads and plots and potential sources – fell through
the cracks” [146]. On the Baltimore Police Department’s homicide shifts, the numbers game of
open and closed investigations, readily available for everyone to see in the coffee room, took
a toll on the investigators’ willingness to talk and discuss cases with detectives from other
shifts: “For the last several years, detectives from one shift had interacted with those from
the other only at the half-hour shift changes or on rare occasions when a detective pulling
overtime on a case needed an extra body from the working shift to witness an interrogation
or help kick down a door” [204].
2. Supporting loss-less data abstractions, so that all investigators can see what has happened,
if information has to be shared between compartments.
3. Ensuring that all collectors, analysts, and customers become stakeholders in the success of
the criminal network investigation, whether working alone or as a team.
1. Human cognition and creativity (e.g., [9, 89, 165, 201, 239]) are complicated for a software
system to support and leverage. The human mind solves problems in certain ways, and
creating new ideas is essential for problem solving, which is not similar to how a computer solves
problems. And there are different approaches to creativity, such as “free association” creativity
and rational creativity produced by persistent, hard work. It is not enough to support
collaboration and group work, since real groups do not necessarily create more ideas than
nominal groups. Certain representational structures for cognitive space must be embedded in
tools supporting criminal network investigation.
Understanding the boundaries of human cognition is necessary for tool support of criminal
network investigation: “it is difficult for the human working memory to keep track of all
findings. Hence, synthesis of many different findings and relations between those findings
increase the cognitive overload and thereby hinders the reasoning process” [201]. Because
of this, humans often use simple physical tools when generating new ideas, but existing
software tools used for criminal network investigation usually don’t have the necessary ease-
of-use compared to scribbling ideas on a whiteboard or paper cards.
2. Making humans more capable (e.g., [33, 62, 130]) is the intended purpose of most software
systems, but when humans and tools have to cooperate, it becomes a difficult task. The
problem is how to make a software system augment human intellect, instead of trying to
mimic it, trying to make the computer think, which it cannot. It is necessary to understand
what humans do well and what computers do well, to solve this problem.
“The human eye is enormously gifted at picking out patterns, and visualizations allow us to
put this gift to work on our network problems. On the other hand, direct visualization of
networks is only really useful for networks up to a few hundreds or thousands of vertices
[and] the number of edges is quite small” [155]. Visualizations on their own, whatever
layouts are applied, are not enough for. Bush (1945) [33] reasoned that since people use
associations to store and retrieve information in and from their own minds, a machine-
supported mechanism that provided this ability would be useful for organizing information
stored in external memory. Augmenting human intellect, i.e. increasing the capability of
man to approach a complex problem situation, to gain comprehension to suit particular
needs, and to derive solutions to problems [62].
3. Habitual and biased thinking (e.g., [8, 116]) Contextual pressures such as time constraints,
dynamism, and changing goals affect criminal network investigators. Existing
evidence suggests that decision-making and information processing abilities are often not optimal
because the informational complexity of the world overwhelms human cognitive abilities
and creates bias. The result is that known solutions are chosen and the problems remain
unsolved.
“Today functional problems are becoming less simple all the time. But designers rarely
confess their inability to solve them. Instead, when a designer does not understand a problem
clearly enough to find the order it really calls for, he falls back on some arbitrarily chosen
formal order. The problem, because of its complexity, remains unsolved” [8]. Humans have
a tendency to rely on hierarchical tree structures when faced with complex problems [9, 89].
Pressure could also make investigators fall back on often applied methods, e.g., homicide
detectives who are assigned to new crime scenes while having three open cases on their desks and
being continuously pressured to turn red cases into black by the public display of their stats in the
office [204].
4. Trust (e.g., [144, 175]) in information generated by software tools can be difficult to attain,
if it is not clear how that information was derived. For computational sense-making to
be effective, decision makers must consider the information provided by such systems to be
trustworthy, reliable, and credible. Trust is important for the adoption of software tools for
criminal network investigation.
Simply by turning to the computer when confronted with a problem, we limit our ability
to understand other solutions. The tendency to ignore such limitations undermines the
ability of non-experts to trust computing techniques and applications [193] and experienced
investigators would be reluctant to adopt them.
1. Augmenting human intellect through knowledge about human cognition, creativity, and
problem solving theory and practice is essential.
2. Leveraging transparency and ownership through tailorable models to ensure the end user’s
trust in calculated information is an important step toward tool usage and output used for
decision-making.
3. Software tools used for analysis of criminal network investigation entities must have an ease-
of-use as close as possible to that of scribbling ideas on a whiteboard or paper cards.
4. Bridging the gap between conceptual and computational models to support cooperation
between man and software system tool, where humans think, make decisions, and fill the
gaps, while tools do routine calculations.
6.4 Summary
We started this chapter by repeating our hypothesis as formulated in Chapter 1. It was based
on the three criminal network investigation challenges, which we had chosen to focus on. In this
chapter, we have provided a more detailed analysis of those challenges and presented specific
problems related to each challenge. The problems have been used to create a set of research focus
requirements to guide our development of software tool support for criminal network investigation,
to address the problems and ultimately reduce the impact of the challenges significantly, supporting
our hypothesis. We will base our evaluation of whether or not the challenges are met and the
hypothesis supported, on the research focus requirements formulated for each challenge. In the
next part of our dissertation (Part III) we use the research focus requirements during analysis
and design, to ensure that our support of the criminal network investigation tasks will address the
challenges information, process and human factors. In Chapter 15, we present a mapping between
criminal network investigation tasks and research focus requirements.
From now on we will refer to information research requirements as information #1 (emerging
and fragile structure), information #2 (integrating information sources), information #3
(awareness and notification), and information #4 (versioning support). We will refer to process
research requirements as process #1 (target-centric and iterative), process #2 (loss-less data
abstractions), process #3 (make everybody stakeholders), and process #4 (integrate conceptual
and computational models). Finally, we will refer to human factors requirements as human
factors #1 (augment human intellect), human factors #2 (transparency and ownership), human
factors #3 (simple tools ease-of-use), and human factors #4 (human-tool synergy).
Part III
The tool
CHAPTER 7
That’s the trouble with the red-ball treatment, Pellegrini tells himself,
scanning one typewritten page after another. By virtue of their
importance, red balls have the potential to become [...] four-star
departmental clusterfucks beyond the control of any single
investigator.
Homicide detective, in [204].
Criminal network investigations such as police investigations, intelligence analysis, and investigative
journalism involve a number of complex knowledge management tasks such as collection,
processing, and analysis of information [173, 174]. This chapter presents a human-centered,
target-centric process model for criminal network investigations that divides the investigative tasks into
five overall processes: acquisition, synthesis, sense-making, dissemination, and cooperation. Based
on case studies and observations of criminal network investigation teams, contact with experienced
investigators from various communities, examination of existing process models and existing tools
for investigation, as well as our own ideas for investigative tool support, we have generated a list
of tasks that a tool for criminal network investigation should support.
The process model first of all addresses the process challenge that we described in Chapter 6.
Specifically, the model fulfills process #1 (target-centric and iterative) and process #3 (make
everybody stakeholders). We start out by presenting the process model in Section 7.1 and a list
of criminal network investigation tasks for each of the five overall processes in Section 7.2. We
conclude the chapter in Section 7.3 by summarizing the model and the tasks, explaining their role
for the remainder of the dissertation, and explaining how we intend to evaluate the process model
and the list of criminal network investigation tasks.
7.1. PROCESS MODEL CHAPTER 7. PROCESS MODEL AND TASKS
Criminal network investigation models include the following overall knowledge management
processes: acquiring the needed information (collection and processing), creating a model of the
target (synthesis), extracting useful information from that model (sense-making), and finally
creating a representation of the results (dissemination). Based on a specific target-centric model for
intelligence analysis [40], we propose a generic model for target-centric criminal network
investigation to embrace police investigations, intelligence analysis, and investigative journalism
(Figure 7.1).
The customer requests information about a specific target. The investigators request information
from the collectors (that may also be investigators). Information related to the target is acquired
in disparate pieces over time. The investigators use the acquired information to build a model
of the target (synthesis) and extract useful information from the model (sense-making). The
extracted information results in changes to the model (synthesis). The sense-making - synthesis
cycle is continued throughout the investigation as new information is acquired and extracted from
the model. The investigators both work individually and cooperatively as a team. The results of
the investigation are disseminated to the customer at the end of the investigation or at certain
intervals (or deadlines).
Investigation is a human-centered knowledge management process. Investigators (and collectors)
rely heavily on their past experience (tacit knowledge) when conducting investigations. Hence,
these processes cannot be fully automated and taken over by software tools. The philosophy is
that the humans (in this case the investigators) are in charge of the criminal network investigation
tasks and the software tools are there to support them [248]. The tools should be controlled by the
investigators and should support the complex intellectual work (e.g., synthesis and sense-making)
to allow the investigators to reach better results faster.
CrimeFighter Investigator focuses on providing human-centered, target-centric support for criminal
network investigation (acquisition, synthesis, sense-making, cooperation, and dissemination).
Tool support for collection and processing is beyond the scope of this Ph.D. dissertation. The
CrimeFighter Explorer tool focuses on this type of tool support (see Section 1.4). Tool support
for advanced structural analysis and visualization of the generated target model is also beyond
the scope of this Ph.D. dissertation. The CrimeFighter Assistant tool focuses on this type of tool
support (see Section 1.4).
7.2 Tasks
Based on cases and observations of investigative teams, contact with experienced end-users
(investigators) from various communities, examination of existing process models and existing tools
supporting criminal network investigation tasks (e.g., [2, 5, 7, 19–21, 25, 39, 40, 53, 83, 84, 101, 136, 178, 254]
and [6, 201, 212, 252]), and our own ideas for investigative tool support, we maintain a list of
investigation tasks divided into five processes: acquisition, synthesis, sense-making, dissemination, and
cooperation. The list of tasks can be seen as a wish list of requirements for what an investigative
tool should support; the list serves as the basis for our tool development efforts. So far our
requirement generation and development efforts have primarily focused on tasks related to acquisition,
synthesis, sense-making, and dissemination, while cooperation will be addressed in more detail in
future work. The list is not exhaustive; we expect to uncover additional requirements for all five
processes over time.
7.2.1 Acquisition
Acquisition. Some information may be available at the beginning of an investigation, but new
information tends to dribble in over time in disparate pieces. Information arrives from various
sources and should be easy to insert (import, drag-and-drop, cut-and-paste, etc.) into the in-
vestigation tool in a manner that is transparent to the investigator in order to keep trust in the
information.
Acquisition methods. Information arrives from various sources and should be easy to
insert into the investigation tool using methods such as import, drag-and-drop, and cut-and-
paste.
Dynamic attributes are required to support acquisition of various data sets formatted
using graph markup language (GraphML) or comma separated values (CSV).
7.2.2 Synthesis
Synthesis tasks assist investigators in enhancing the target model:
Creating, editing, and deleting entities. Investigators basically think in terms of people,
places, things, and their relationships.
Creating, editing, and deleting associations. The impact of association analysis on inves-
tigative tasks is crucial to the creation of the target model. Descriptive associations between
entities help discover similarities and ultimately solve investigation cases.
Grouping. Investigators often group entities using symbols like color and co-location
(weak), or they use labeled boxes (strong). Groupings can be used to highlight and em-
phasize particular entities and their relations.
Collapsing and expanding information is essential since the space available for manipu-
lating information is limited physically, perceptually, and cognitively. Zooming is a way to
visually collapse or expand information in the space; however, depending on the zooming
degree, it facilitates information overview at the expense of information clarity.
Brainstorming is often used in the early phases of an investigation to get an initial overview
of the target and the investigation at hand. Brainstorming is an example of a task that
involves both synthesis and sense-making activities. Brainstorming is often supported by
different types of mind mapping tools that allow the generated information elements to be
organized in a hierarchical manner.
Information types. Multimedia support is helpful when investigators want to add known
positions of persons to a map or link persons to different segments within an audio file. This
would support for example more intuitive storytelling.
Emerging attributes are needed to support import of data sets and emerging attributes
in investigations as well as imported algorithms.
7.2.3 Sense-making
Sense-making tasks assist investigators in extracting useful information from the synthesized
target model:
Retracing the steps. Criminal network investigators often retrace the steps of their inves-
tigation to see what might have been missed and where to direct resources in the continued
investigation. Walking through an existing recorded investigation is used by new team mem-
bers to understand the current status of the investigation and for training purposes.
Adaptive modeling. Representing the expected structure of networks for pattern and
missing link detection is a proactive sense-making task. Adaptive modeling embeds the tacit
knowledge of investigators in network models for prediction and analysis.
Prediction. The ability to determine the presence or absence of relationships between and
groupings of people, places, and other entity types is invaluable when investigating a case.
Alias detection. Network structures may contain duplicate or nearly duplicate entities.
Alias detection can be used to identify multiple overlapping representations of the same real
world object.
Exploring perspectives. To reduce the cognitive biases associated with a particular mind
set, exploring different perspectives (views) of the information is a key investigative task.
Social network analysis. Network centrality measures such as degree, betweenness, close-
ness, and eigenvector can provide important investigation insights.
Terrorist network analysis. A terrorist network is a special kind of social network with
emphasis on both secrecy and efficiency (especially covert terrorist networks). Operational
focus is on destabilization, and techniques include inference-based prediction, measures of
link efficiency and secrecy to determine link importance, and community and key players
detection.
7.2.4 Dissemination
Dissemination tasks help the criminal network investigators to formulate their accumulated
knowledge for the customer:
Report generation involves graphics, complete reports, subspaces, etc. Being able to
produce reports fast is important in relation to time-critical environments and frequent
briefing summaries.
7.2.5 Cooperation
Cooperation is a natural part of investigations. Cooperation leads to better synthesis and
sense-making that is informed by more perspectives. In addition, more advanced communication,
collaboration, and coordination support is necessary to support asynchronous and synchronous
cooperation among team members, situations where investigators are distributed in time and
space, as well as advanced investigation work flows.
Shared information space. Sharing of the target model among team members is the
starting point of cooperation.
Discover emergent collaboration. The discovery of emergent collaboration would help
the coordination of resources by putting investigators analyzing similar or the same entities
in touch with each other.
Shared work flows. Sharing work flows, like sense-making work flows and custom algo-
rithms or mining work flow patterns from the previous use of intelligence information.
CHAPTER 8
Figure 8.1: Conceptual, structural, mathematical and computational models for support of in-
dividual synthesis and sense-making processes, but more importantly also for criminal network
analysis (both synthesis and sense-making).
and human factors research focus requirements, and relates these to specific software components.
Requirements for a selection of these components are given in Section 8.4 and their designs are
presented in Section 8.5. Finally, we give a short introduction to the basic concepts supported by
CrimeFighter Investigator in Section 8.6.
class entities that add depth to the information space. Navigable structures and entities (including
composites) are useful for investigative synthesis tasks such as manipulating, re-structuring, and
grouping entities [174]. The way a criminal network breaks down into subgroups can reveal levels
and concepts of organization and help us to understand how the network is structured [155].
An information entity comprises several components. Each entity has a set of dynamic attribute(s)
(meta data). Currently three types of attributes are supported: strings (single line of text), text
areas (multiple lines of text), and enumerations (a defined set of allowed values). The visual
abstraction of an entity is computed from its visual content and menu button(s). The visual
content is used to create the default information elements available in CrimeFighter Investigator,
which are all composed using geometric shapes (circles, lines, rectangles and polygons). A number
of menu buttons can be added to entities to create a link to a specific functionality. The examples
shown in Figure 8.3 are the delete button (X symbol) and the attributes button (A symbol).
Below, we summarize information elements, relations, and composites we have come across in our
studies of criminal networks, investigations thereof, and tool support therefor. See Chapter 3 on
criminal network investigation, our review of theory and technology in Chapter 5, and related
work on commercial tools and research prototypes for criminal network investigation in Chapter
4. We focus on the functional and visual parts of entities that are consistently there, but might
be positioned differently in relation to other elements/parts of the entities. Figure 8.5 shows some
examples of the different kinds of entities we came across in our analysis and will be used as the
basis for our design below. But first a review of and our perspective on entity layers.
relations, and composites can be created to serve the domain-specific information analysis tasks,
e.g. for criminal network analysis a person would be an obvious and often used information
element.
Information elements and relations are both associated with a set of entity specific attributes and
rules. Information elements are also associated with an adaptive graphical abstraction. In Figure
8.4 it is a stick man figure, but we also imagine a more detailed abstraction showing physical
characteristics of a group of people or maybe a photograph of the specific person. Relations are
associated with less adaptive graphical abstractions, only visual symbols such as color and line
thickness can be edited. Composites can be outlined, and either have a solid background of some
color, be transparent, or empty. Examples of visual abstractions can be seen in Figure 8.5.
The associative semantics of information elements, relations, and composites are embedded in
the structure layer. The structure layer is divided into two sub layers, the spatial and network
layers. The semantics of the spatial layer is based on the physical co-location of information
elements in the information analysis space. The semantics of the network layer is based on the
relations connecting information elements. The presentation layer facilitates visualization of and
the user’s interactions with the underlying layers. Interactions based on drag and drop gestures
and direct manipulation of information element and relation content are key to mimicking physical
cards-on-table information analysis.
Figure 8.5: Examples of entities that we have come across in our reviews and analyses.
information entities such as emails, articles, notes, reports, etc. (see Figure 8.5). A number of
information elements should be available by default (i.e., some degree of domain-orientation assists the
user [91]). If a criminal network investigation team needs additional types of information elements
to better depict their case, new information elements should be easy to create and add to the
default list. Information elements must be component-based to make them dynamic and flexible.
A separation of content and human-computer interaction areas is preferred, as they have different
functional purposes. A content space contains the visual abstraction (i.e., a combination of graph-
ics and interactive areas with or without text). The menu space holds a number of menu buttons
that can access specific interactions (e.g., delete), or the content of the information element (e.g.,
attributes used for meta data). If we base the graphical abstractions of information elements
on geometric shapes such as circles, rectangles, and triangles, it will be possible to make human
perception easier and faster, compared to more textual representations.
is visualized. Composites (groups) are first class entities that add depth to the information space.
For investigative purposes navigable structures and entities (including composites) are useful for
synthesis tasks such as manipulating, re-structuring, and grouping entities. Our understanding of
information links (relations) and groups (composites) is based on hypertext research [174].
CrimeFighter Investigator supports two structure algorithm types: measures (e.g., entity centrality)
and transformative algorithms (e.g., prediction of entities). Combinations of these are referred
to as custom algorithm types. Custom algorithms are templates of specific criminal network
investigation work flows, e.g., understanding the secondary effects of entity removal or insertion.
All algorithms implement the report interface, where an algorithm's report elements and design are
defined. Rules are used to describe entity-to-entity relations, attribute cross products etc. Each
algorithm has a set of general settings and specific settings. Specific settings include algorithm
hooks, i.e., the entity attributes that algorithms base their computations on, and customizable
algorithm parameters.
(d) link-link (e) empty endpoint I (f) node-sub node (g) empty endpoint II
Figure 8.6: Direct associations in our topology include classic associations (a-c) and novel asso-
ciations in terms of centrality measures (d-g).
Figure 8.7: Semantic associations in our topology include spatial associations (a-d) and hierarchical
associations (e-g).
Figures 8.6d to 8.6g show four examples of direct associations that occur in criminal network
investigations, but are not included when entity centrality is computed. A link could be the
target of an investigation, e.g., Daniel Pearl was investigating whether or not there was a link
between Richard Reid (the shoe bomber) and the leader of a local radical Islamist group [162].
Other examples include knowledge about the money transfer between two individuals or that
one individual had seen them talk at the same location on numerous occasions (Figure 8.6d).
The empty endpoint is another example of a direct association that occurs in criminal network
investigations, but is not (directly) addressed by traditional centrality algorithms. The need to
include empty endpoints in centrality is straightforward: if investigators know that someone is
distributing drugs to three individuals, e.g., based on wire taps, but they don’t know who those
individuals are, then an empty endpoint can be used until it is clear. This could be the case for
both nodes and groups (see Figure 8.6e and 8.6g). Finally, direct associations between entities
outside groups to entities inside groups are needed (both for reference and inclusion composites,
see Figure 8.6f). When criminal network investigators start grouping entities, structures where
entities outside the group are linked to entities inside the group might emerge. But the relation
still has an association to that entity in the subgroup.
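The following sketch is an added example, not code from the dissertation or from CrimeFighter Investigator: it compares a classic degree count with one that also counts empty endpoints and lifts a node-sub node relation to the enclosing composite. The `Network` class, the lifting rule, and the sample data are constructed assumptions; link-link associations are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Relation = Tuple[Optional[str], Optional[str]]  # None marks an empty endpoint


@dataclass
class Network:
    elements: Set[str]                                   # information elements
    composites: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members
    relations: List[Relation] = field(default_factory=list)

    def enclosing(self, entity: str) -> List[str]:
        """Composites containing `entity`, directly or via sub-composites."""
        found: List[str] = []
        frontier = [entity]
        while frontier:
            current = frontier.pop()
            for cid, members in self.composites.items():
                if current in members and cid not in found:
                    found.append(cid)
                    frontier.append(cid)
        return found


def degree(net: Network, extended: bool) -> Dict[str, int]:
    """Degree per entity; `extended` adds empty endpoints and node-sub node lifting."""
    scores = {e: 0 for e in net.elements | set(net.composites)}
    for a, b in net.relations:
        if not extended and (a is None or b is None):
            continue  # classic count: a relation with an unknown end is ignored
        for end, other in ((a, b), (b, a)):
            if end is None:
                continue
            scores[end] += 1
            if not extended:
                continue
            # Assumed lifting rule: a relation that crosses a composite boundary
            # also counts for every composite that encloses only this end.
            outside = set() if other is None else set(net.enclosing(other)) | {other}
            for cid in net.enclosing(end):
                if cid not in outside:
                    scores[cid] += 1
    return scores


def ranking(scores: Dict[str, int]) -> List[str]:
    """Entities ordered by descending score, ties broken by name."""
    return sorted(scores, key=lambda e: (-scores[e], e))


# Constructed sample: one person linked to three unidentified individuals,
# a group with one unidentified link, and an outside contact linked into the group.
SAMPLE = Network(
    elements={"distributor", "courier", "financier", "contact"},
    composites={"cell": {"courier", "financier"}},
    relations=[
        ("distributor", None), ("distributor", None), ("distributor", None),
        ("contact", "courier"),      # node-sub node: outside entity to group member
        ("courier", "financier"),    # relation inside the group
        ("cell", None),              # empty endpoint on a group
    ],
)

if __name__ == "__main__":
    for label, flag in (("classic", False), ("extended", True)):
        scores = degree(SAMPLE, extended=flag)
        print(label, [(e, scores[e]) for e in ranking(scores)])
```

With the classic count the person known only through unidentified recipients scores zero; once empty endpoints are counted, that person ranks first.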
The semantic co-location association should be used carefully by investigators. If the investigators
position entities near each other spatially because they are assumed to be related somehow, then
it will make sense to use spatially based associations. But if not, then it will simply clutter the
network with non-relevant relations. If entities are placed near each other or as overlapping entities
it could mean that they are forming a sort of clique (Figure 8.7a and 8.7b). Also, as it is the case
in the analyzed organized drug crime investigation board, positioning entities next to or around a
(centered) entity could mean that the information entities are meta data about the centered entity
(Figure 8.7c). Entities positioned next to each other horizontally or vertically, could mean that
the entities represent a sequence (Figure 8.7d).
Semantic hierarchical associations can occur either when composites are used or when information
entities are positioned spatially in a manner that resembles that of a hierarchy. If a group contains
single information entities and subgroups, the single entities must have some sort of relationship
to the entities in the subgroups since their overall classification is the same (Figure 8.7e). Also
it could be that a single entity is associated with a composite (group) and therefore might have
some sort of relation with entities within that composite (Figure 8.7f). Finally, positioning entities
in spatial hierarchies as shown in Figure 8.7g indicates entities below other entities represent sub
entities.
The topology of associations can be seen as a wish list of requirements for what a computational
model for criminal network investigation should support in this regard. The topology is not exhaustive;
we expect to uncover additional associations over time, especially new semantic associations
based on temporal distance (when individuals appear on an investigation time line together with
other individuals and events etc.), distance between entities in the real world, distance in family
ties, and so on.
Below is a selection of the concepts in Figure 8.8, and what we mean by each one, and what
individual research focus requirements they relate to (refer to Figure 8.8 for the name of research
focus requirements). The list contains concepts mentioned when presenting the CrimeFighter
toolbox, when reviewing hypertext structures,
1. Information A tool for criminal network investigation must encapsulate (pieces of) informa-
tion, making it available for interaction and manipulation. The information concept relates
to information #1 (emergent and fragile structures) and information #2 (integrating
information sources).
4. Storage The information and knowledge generated during investigations has to be saved
for later retrieval and continued investigation. Storage is a different kind of versioning, not
having the same conceptual meanings as the versioning concept above. With a knowledge
base in place, storage becomes a matter of being able to externalize or share (parts of)
a criminal network investigation. We do not consider storage to be related to any of the
research focus requirements.
6. Analysis refers to either the investigator organizing the available evidence in ways to make
associations between information pieces more clear, or the use of algorithm-based tools for
semi-automated analysis. The concept of analysis primarily relates to the research focus
requirements information #3 and human factors #1, #2, and #4.
It is tempting to start drawing lines between concepts and components in Figure 8.8, but it defeats
the purpose of focusing on individual components instead of a complete framework; as long as the
component interface is clearly defined (i.e., abstracted to a suitable level), there should be so
many possible combinations of these components, that drawing lines becomes pointless. Instead,
we present each mentioned software component and the knowledge management and hypertext
system concepts these components are intended to support in a software tool for criminal network
investigation. The components are listed according to their importance and focus for our Ph.D.
project (see the next section for component requirements).
1. Entity is the basic information component, a prerequisite for support of all concepts.
2. Interactive abstractions. All geometric shapes (e.g., circles and polygons) should be
interactive in the sense that clicking them creates an event, on which the spatial hypertext
can act. This also covers simple textual visualizations such as rectangular labels.
This is partly due to our positive experience with a board-based approach using direct-
manipulation techniques, as opposed to the more obstructive form-based approach where all
available fields have to be edited through a pop-up dialog box. Also it supports the creation
of yet-to-be imagined visual abstractions representing information elements.
5. Visual cues. Textual cues like text alignment, font, font size, number of lines of text, text
width. Graphic cues like background image, background/border color, transparency.
1. Event. The basic entities of criminal network investigation history are events. Events must
encapsulate the investigators' interaction with information in the common information space,
as well as the tool's interactions with that information (see algorithm requirements in Section
8.4.3). Examples of criminal network investigator interactions are creating, deleting,
and updating entities, and moving entities. It would be relevant to record sense-making
interactions as well: the investigator requested betweenness centrality measures, the user
made the following updates in the time line view. Such information might be relevant for future
retracing the steps. Examples of tool interactions with information include algorithms
transforming the criminal network.
2. Type of event. There are many types of basic history events, such as create, delete, move,
update, etc. Sense-making event types might include applied measure algorithm or applied
transformative algorithm. Such basic event types are required, to know what to do, when
navigating the history event, whether it is navigation of a linear or branched history.
3. Content of event. Some network content is associated with history events. If the type is
create, then the content might be a single information element, relation, or composite. If
the event is applied transformative algorithm, the content of the event might be a network
structure of information elements, relations, and composites all together. Again, information
about the content is required for navigating history.
4. Visual symbols. The type of event and content of event would benefit from visual sym-
bols, to be able to differentiate between them. Supporting user choice of symbol would be
preferred.
5. Editable. History must be editable. A fine grained history is often required to capture all
events, but this is not suitable for dissemination to intelligence customers or fellow investi-
gators. Grouping and annotation of events is therefore required.
6. Parser. A parser that searches for patterns in history, e.g., these three events were created
within seconds of each other, and we therefore assume they are part of the same synthesis
action. The history parser should ask the user to approve history editing patterns before
applying them automatically to series of history events.
7. Structure. The history should support structure domains. We imagine that taxonomic
structure will be necessary to support a branched history [96, 117]. Navigational structures
would be necessary to present jumps between events in different branches of history. This
could be used for story telling, i.e. comparison of decisions made in different branches of
investigation history.
One particular related parameter to consider is the amount of memory required to store the history
supporting the requirements we have described above, i.e., a fine grained, branched history,
supporting the investigator’s interactions with information in a common information space.
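An added example (not CrimeFighter Investigator code) of the parser and editable-history requirements above: it proposes runs of user synthesis events created within a few seconds of each other and collapses a run into an annotated group only after an approval callback accepts it. The class names, the three-second window, the linear (unbranched) history, and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

SYNTHESIS_TYPES = {"create", "delete", "move", "update"}


@dataclass(frozen=True)
class Event:
    timestamp: float            # seconds since the session started
    type: str                   # create, delete, move, update, applied_measure, ...
    content: Tuple[str, ...]    # ids of the entities (or measure) the event concerns
    actor: str = "user"         # "user" for synthesis, "tool" for algorithm actions


@dataclass
class EventGroup:
    events: List[Event]
    annotation: str = ""

    @property
    def content(self) -> Tuple[str, ...]:
        """Union of the grouped events' content, in first-seen order."""
        seen: List[str] = []
        for event in self.events:
            for item in event.content:
                if item not in seen:
                    seen.append(item)
        return tuple(seen)


def propose_groups(history: List[Event], window: float = 3.0) -> List[Tuple[int, int]]:
    """Index ranges (end exclusive) of two or more consecutive user synthesis
    events, each within `window` seconds of the previous one."""
    proposals: List[Tuple[int, int]] = []
    start = 0
    for i in range(1, len(history) + 1):
        continues = (
            i < len(history)
            and history[i].actor == "user" and history[i - 1].actor == "user"
            and history[i].type in SYNTHESIS_TYPES
            and history[i - 1].type in SYNTHESIS_TYPES
            and history[i].timestamp - history[i - 1].timestamp <= window
        )
        if not continues:
            if i - start >= 2:
                proposals.append((start, i))
            start = i
    return proposals


def edit_history(
    history: List[Event],
    approve: Callable[[List[Event]], Optional[str]],
    window: float = 3.0,
) -> List[Union[Event, EventGroup]]:
    """Apply only the proposals `approve` accepts; it returns an annotation
    string to accept a run, or None to leave the run fine grained."""
    edited: List[Union[Event, EventGroup]] = []
    cursor = 0
    for start, end in propose_groups(history, window):
        edited.extend(history[cursor:start])
        run = history[start:end]
        annotation = approve(run)
        if annotation is None:
            edited.extend(run)
        else:
            edited.append(EventGroup(run, annotation))
        cursor = end
    edited.extend(history[cursor:])
    return edited


def approve_creates_only(run: List[Event]) -> Optional[str]:
    """Stand-in for the investigator's decision: accept runs of pure creation."""
    if all(event.type == "create" for event in run):
        return "synthesis action: " + ", ".join(e.content[0] for e in run)
    return None


# Constructed sample history.
SAMPLE_HISTORY = [
    Event(0.0, "create", ("person:A",)),
    Event(1.2, "create", ("person:B",)),
    Event(2.1, "create", ("relation:A-B",)),
    Event(40.0, "applied_measure", ("betweenness",), actor="tool"),
    Event(95.0, "move", ("person:A",)),
    Event(96.5, "update", ("person:A",)),
    Event(300.0, "delete", ("person:B",)),
]

if __name__ == "__main__":
    for item in edit_history(SAMPLE_HISTORY, approve_creates_only):
        print(item)
```

The rejected move/update run stays in the history as two separate events, so the fine grained record is still available for retracing the steps.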
1. Types of algorithms. During analysis we have found a need to support three basic al-
gorithm types, namely measuring algorithms, transformative algorithms, and custom algo-
rithms. The measuring algorithms simply provide different measures for (parts of) criminal
3. Input and output. Algorithms for criminal network investigation take criminal networks
as input and output the same criminal network with the results of the algorithm augmented.
Algorithms must in other words be able to parse the conceptual model (i.e., traverse hierar-
chies and follow associations) prior to or during computation.
5. Tailorable. Both individual algorithms and custom algorithms should be tailorable. In-
dividual algorithms, in the sense that controlling the computational steps of the algorithm
could become useful in some situations. An example could be, letting the investigator sort
shortest paths between all vertex pairs, before running the remainder of the algorithm. For
custom algorithms, comprising more than one algorithm, it must be possible to tailor in
terms of the order of algorithms, as well as what to do with the output from one algorithm,
before forwarding it to the next.
1. Mapping to conceptual model. A datafile component must be able to map data to the
conceptual model of a tool. In relation to criminal network investigation, this is entities
(information elements, relations, composites).
2. Import data formats. The datafile component must have an abstract interface for im-
port of various data formats. This should ensure that the tool support remains open and
extensible, in order to be able to accommodate new data formats.
3. Export data types. The datafile component must also have an abstract interface for
exporting to various data formats.
8.5.1 Entity
The design of the entity component is essential as the success or failure of all other components
and hence features relies on it. The design is presented in Figure 8.9.
Figure 8.9: Entity component design includes the component’s relations to the common informa-
tion space (left), the interrelationship of basic component elements (middle), and other elements
related to the component, but not directly part of it (right).
Figure 8.9 reflects how all entities should have a fixed absolute position in the common information
space. An entity has a number of visual elements, all positioned relatively to the absolute position.
A visual abstraction is at the center. This is a symbol informing the user in an intuitive way what
the contents of the entity are. It will be encouraged to build the visual abstraction using geometric
shapes such as rectangles, circles, and triangles, since that would make possible later association
of specific semantics with individual areas of the visual abstraction. However, for criminal network
investigations, it would also be useful to use a picture as visual abstraction. Our analysis showed
that simple entity actions such as delete and edit should be visual elements positioned relatively
to the entity. These sorts of manipulations concern the entity as a whole.
Direct manipulation of content (or meta data, described below) is essential to keep interaction
simple. Important meta data that are often edited for a specific entity should be available for
direct manipulation as a visual element. Finally, an element that will allow both the resizing
of an entity and provide connection points between entities is necessary. For a relation, for
example, this element would be at either end of the relation. Initially empty, since the relation is
not connected to any other entities, but then grabbing and dragging the element (endpoint) would
resize the length of the relation (just as if an information element was connected to that end of
the relation).
Furthermore, the entity component must as a minimum include the following non visual elements:
Meta data are essential, and will be formatted according to a type (text, number), name (what
is this meta data called) and finally the actual value of the meta data. Some meta data will
be static for an entity and others will be dynamic. It should be possible to add new meta data
throughout the lifetime of the entity. Included entities (or encapsulated entities) are required
to represent hierarchical structures in investigations. These entities will be grouped or classified
according to some parameters selected by the end user and they also have an entity to represent
them at a higher level, the entity that encapsulates them. It will be necessary to denote the type
of individual entities, in order to let the developers add functionality particularly developed for
a specific type of entity, e.g., relation or composite. The set of entity types should of course be
extensible.
8.5.2 History
Our history component is designed with the intent to support versioning, which in turn will
provide support for important criminal network investigation tasks based on versioning. The
history component design is shown in Figure 8.10.
Figure 8.10: History component design includes the component’s relations to the common informa-
tion space (left), the interrelationship of basic component elements (middle), and other elements
related to the component, but not directly part of it (right).
A criminal network investigation event is the basic element of the history component. The event
is created by some action in the common information space, either by the user (synthesis actions)
or by the tool (on behalf of the user, an algorithm based sense-making action). An event can
be of a specific type (create, delete, move, transform, etc.) and will have some information
content. Visual abstractions for event types and content must be supported, illustrated by the
link to geometrical shapes in Figure 8.10. Finally, events are to be stored either following an
associative structure, a hierarchical structure, or a combination of these. Provided that
storage is implemented in a suitable way, an editor can interact with the stored history events, to
group events, annotate events, or interact and present the events in ways required for the specific
criminal network investigation, intelligence customers, etc.
8.5.3 Algorithm
Our algorithm component is designed with the intent to support analysis (synthesis, sense-making,
and synthesis and sense-making), which in turn will provide support for important criminal net-
work investigation tasks depending on analysis support. The algorithm component design is shown
in Figure 8.11.
An algorithm is the central algorithm component element. This might be confusing, and requires
further explanation. The terminology is used to encapsulate our intended support for single, yet
customizable and tailorable, criminal network investigation techniques (e.g., see mathematical
models in Section 5.9) and custom algorithms which might refer to a combination of multiple
techniques or one or more techniques together with one or more custom algorithms. We will
also refer to the latter as sense-making work flows. As mentioned, an algorithm is the central
element, receiving its input from the common information space (i.e., criminal network entities
or structures), and returning output to the common information space as well. An algorithm,
whether custom or a single technique, will have a number of computational steps that must be
tailorable by humans (investigators). There will also be some general settings for all algorithms
Figure 8.11: Algorithm component design includes the component’s relations to the common
information space (left), the interrelationship of basic component elements (middle), and other
elements related to the component, but not directly part of it (right).
and some specific settings for the particular instantiation of the algorithm component, which
must be customizable by investigators. Finally, all algorithms must implement a report interface
to allow for the generation of reports based on the computational steps, customizations, inputs
and outputs, etc., of algorithms. Letting the user tailor what to put in these reports using a
report editor would be preferable.
CHAPTER 8. SOFTWARE COMPONENTS 8.6. SUMMARY
CHAPTER 9
Acquisition
Some information may be available at the beginning of a criminal network investigation, but new
information tends to dribble in over time in disparate pieces. Information arrives from various
sources and should be easy to insert into the investigation tool in a manner that is transparent
to the investigator. The remainder of this chapter is organized as follows: in Section 9.1 we
will analyze the acquisition tasks outlined in Section 7.2.1 and related CrimeFighter Investigator
concepts. In Section 9.2 we present the designs we have created for those tasks and concepts.
Finally, Section 9.3 describes implementations of tasks and concepts in CrimeFighter Investigator,
using tool and feature screen shots. Not all designs are implemented, and in general it should
be noted that acquisition has received less attention, compared to synthesis and sense-making.
We started out focusing on synthesis and sense-making, and later, following an agile and iterative
approach to software development, we found a need to also focus on acquisition, to be able to
ingest information.
9.1 Analysis
Based on cases and observations of criminal network acquisition, contact with experienced end-
users from various investigation communities, examination of existing tools that support acquisi-
tion of criminal network entities and structures (see Chapter 4), and our own ideas for acquisition
support, we maintain a list of acquisition tasks. Acquisition tasks primarily support the research
focus requirements information #1 (emerging and fragile structure) and information #2 (in-
tegrating information sources).
network investigation or to start a completely new investigation. See Chapter 8 for a requirements
list (Section 8.4) for the datafile component.
Figure 9.1: Methods for acquiring information include import (left), drag-and-drop (middle), and
copy-and-paste (right).
Direct integration with other tools, for example CrimeFighter Explorer or Assistant, would be
a fast way to import already processed data and information into CrimeFighter Investigator [245].
The research prototype POLESTAR supports direct import of text snippets using drag and drop
from web sites into the application [178]. Methods such as drag-and-drop and copy-and-paste are
especially relevant when working with open source intelligence (web sites, databases, online
newspapers, etc.), especially considering that open source intelligence has been found to provide 80%
of the value to criminal network investigations (see Section 5.8).
Having to match the newly acquired information (intelligence) into an existing data model (conceptual
model) could potentially inhibit creativity and the desire to use software tools for criminal
network investigation. Supporting dynamic attributes is one step on the way, but then intuitive
interaction with attributes for easier restructuring is necessary. In the Daniel Pearl investigation
we saw how there are initially only the names of individuals, but then gradually new meta data
(attributes) are added, such as telephone numbers and pictures [162]. See Section 3.5.1 for a
review of the Daniel Pearl kidnapping and murder.
Figure 9.3: Attribute to data model mapping (left) and attribute to algorithm mapping (right).
There are many examples where the attributes of imported entities do not match the entities in
the investigation’s conceptual model. In Sageman’s 2003 al-Qaeda data set, there are only
shortName and fullName attributes (see the al-Qaeda related deployment of CrimeFighter Investigator
in Section 14.3 and development of measures of performance in Section 15.4, for more information
about the data set).
9.2 Designs
In this section we present designs for some of the acquisition tasks analyzed in the previous section.
9.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 9. ACQUISITION
Figure 9.4: Entity visual abstractions and attribute editor - Options for editing the visual graphics
abstractions of entities, adding new attributes, mapping available attributes to visual abstraction
labels and deciding the order and positioning of menu buttons.
Figure 9.5: The CrimeFighter Investigator import dialog with options for importing just informa-
tion elements, or information elements, relations and composites.
The CrimeFighter Investigator information element editor has partial support for the design
described in Section 9.2.2. A screen shot of the current implementation of the information element
editor is shown in Figure 9.6. The drop down box at the top (A) lets the user select the entity
for editing. The available visual settings let the user select which visual abstraction is shown when
creating new entities of the given type (B). Four categories have been created: when there
are not many entities in the space, it can be nice to use a large visual abstraction, because it is
more descriptive, and when the number of entities increases it could be beneficial to sacrifice
some description for a small visual abstraction. Two other visual abstraction types that
can be useful depending on the investigation are the circle and label abstractions. Typically, if a
single attribute has been selected to represent the entity, then these abstractions can be useful.
Information about the currently selected visual abstraction is shown in the view to the left (C).
It indicates how the entity will appear in the common information space, and the placement of
different internal components. Refer to Sections 8.4.1 and 8.5.1 for a more detailed description of
the entity component. Support for editing the visual abstraction is not implemented (D), but a
design of the intended feature is shown in Figure 9.2.2 (acquisition design, Section 9.2.2). At the
bottom the entity’s current attributes are shown in a table (E) and the input fields for adding new
attributes are just below the table (F). Attributes are deleted by deleting them from the table,
which is of course a cumbersome way to do it, and also not according to the intended design.
Figure 9.6: CrimeFighter Investigator information element editor - options for adding new at-
tributes and deleting existing ones, as well as selecting between pre-defined visual abstractions for
entities.
Figure 9.7: (semi mock-up) Mapping information attribute to data person information element
label.
CHAPTER 10
Synthesis
Criminal network investigators move pieces of information around, they stop to look for patterns
that can help them relate the information pieces, they add new pieces of information and itera-
tion after iteration the information becomes increasingly structured and valuable. Synthesizing
emerging and evolving information structures is a creative and cognitive process best performed
by humans. Modeling something as complex and diverse as crime is an ongoing and
potentially open-ended process that demands an interactive modeling approach [30]. What
complicates everything is that the picture constantly changes. With every interaction, people
change, group dynamics change, and social dynamics change [28]. If we are to think seriously
about this sort of complexity, and reason effectively about it, some sort of simplified map of
reality, some theory, concept, model, paradigm, is necessary [102]. The CrimeFighter Investiga-
tor approach to synthesis is based on three first class entities, which, combined with hypertext
structure domains (see Section 5.1) are used to support a set of synthesis tasks.
Criminal network investigators working in teams merge and organize pieces of information from
different sources in order to reason about them and support their decision making process. The
structure of the relationships between these pieces of information is fragile by nature, since new
information may change it substantially. Besides supporting the emergent nature of incoming
information, such structures should also be an appropriate medium for communicating with others
(see our introduction to dissemination in Chapter 12). Their presentation should foster awareness
and permit notification services that inform the investigator about potential unseen and
non-obvious connections beyond the borders of individual information sources [20] (the synthesized
information should support sense-making, see Chapter 11).
The remainder of this chapter is organized as follows: analysis (Section 10.1) and design (Section
10.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 10.3) are
explained below.
10.1 Analysis
Based on cases and observations of criminal network synthesis, contact with experienced end-users
from various investigation communities, examination of existing tools for synthesis of criminal net-
works, and our own ideas for synthesis support, we maintain a list of synthesis tasks. Synthesis
tasks assist criminal network investigators in enhancing the target model. The concepts of perspectives
and versioning and their related components, view and history, support synthesis tasks
and are therefore analyzed first, followed by the synthesis tasks. Our analysis of synthesis tasks
is primarily based on criminal network investigation cases where simple physical tools (human
factors #3) are used, such as the whiteboard in the Daniel Pearl investigations and the boards
used in many investigations with paper-based evidence (paper clippings, Polaroids, text cards,
etc.), together with related work tools or prototypes that support the synthesis task in
a manner addressing our research focus requirements.
Taxonomic view
A taxonomic view for criminal network investigation has two main objectives. First of all, the
taxonomic view must visualize the created hierarchical structure as synthesized by the user using
composites with reference relations to information elements, or traditional sub-spaces attached
to single information elements accessed using expand and collapse functionality. Secondly, a
taxonomic view must support manipulation of the existing hierarchical structure, allowing for the
user to move information elements between composites, i.e. the spaces and sub-spaces that the
composites represent.
Figure 10.1: Creating entities can be done in multiple ways: information entities are created using
dragging gestures in the tool, drag-and-drop from other applications, clicks, import (all left), links
based on entity selection (middle), or grouping (right).
Creating entities can be done in multiple ways: information entities are created using dragging
gestures, drag-and-drop from other applications, clicks, or import of information from files. Linking
entities could happen using a dragging gesture, or by selecting the two entities that are going to be
linked and then activating linking functionality. Creating groups can be done by collapsing information
or using visual symbols (see Section 10.1.6 for analysis of grouping). Creating entities in the space
using a drag gesture or a click requires the user to first select the entity to create (if not already
selected), while drag and drop from another application would create the entity immediately, at
least with some initial entity encapsulation.
In the Daniel Pearl investigation new information pieces (entities) are added to a whiteboard by
drawing on it (see Section 3.5.1), resembling a dragging gesture. Police detectives often use boards
on which they pin evidence, typically written or printed on paper (see Section 3.5.4). In that case
new information pieces are created away from the board, resembling a drag-and-drop gesture from
somewhere else or a simple import of a few entities.
In the Daniel Pearl investigation, entities are deleted from the board by wiping (gesture) and in
the board-based police investigations pieces of paper with evidence are simply removed from the
board and thrown in the trash can (drag-and-drop).
There are typically two ways of editing entities: either using a form-based approach
such as an object inspector, listing the attributes and other adjustable meta data of the entity in
a tabular way, or alternatively some meta data might be editable through direct manipulation in
the common information space. On a whiteboard, like in the Daniel Pearl investigation, person
names are easily updated, a telephone number added, or a picture used as visual abstraction, in
a direct manipulation fashion.
Figure 10.3: Associations between entities can be created, deleted, and edited using links, visual
symbols, co-location or attribute similarities.
Using spatial hypertext technology for information analysis, one can define relationships between
information elements, simply through the proximity and location of information elements. But
since relations within terrorist networks are much more complex than the simple indication of
belonging to a certain group, these relations must be weighted to match that complexity appropriately.
We suggest providing a structured language to describe the inner complexity of these
weights, a language that is interpretable by both humans and computer algorithms.
There is a need to describe the nature of links and nodes, since “Without accounting for the
content of communication, social network analysis runs into the “pizza guy delivery problem”:
confusing regular contact with significant contact” [26]. A person A can be related to a person
B in a number of ways, and any subset of these relations can mean something within a certain
context, and hence would be weighted differently according to their importance. The complete set
of relations would constitute what is known about the relationship at that place in time.
Figure 10.4: Restructuring involves synthesis actions such as move entity, reconnect link, merge
entities, and group entities.
Restructuring of information structures happens during all criminal network investigations, except
maybe for the simplest of cases (e.g., the homicide dunkers described by Simon (1991) [204]).
Figure 10.5: Entities are often grouped either semantically by reference (left), or hierarchically by
inclusion of either nodes (middle) or links (right).
Often reference grouping is used when the affiliation of entities with a certain group is not certain.
Then later, when (maybe) more evidence backs up the grouping, the entities (nodes and/or links)
are grouped by inclusion.
Figure 10.6: Information types include text, maps, images, audio, and video.
When former Secretary of State Colin Powell presented the United States case on Saddam
Hussein’s alleged weapons of mass destruction to the United Nations in 2003, the evidence included
intercepted phone calls, augmented satellite photos, 3D sketches, etc. Tools and research
prototypes reviewed in Chapter 4 support many different kinds of information, e.g., Mindmeister,
an investigative journalism tool that supports embedding pictures and video in mind maps (see
Section 4.3.2).
10.2 Designs
We present our designs of key synthesis concepts and tasks. The designs for which support has
not been implemented are considered important areas of future work.
CHAPTER 10. SYNTHESIS 10.3. CRIMEFIGHTER INVESTIGATOR
to decide the size of the relation and composite entities. For editing, we want to support direct
manipulation of often accessed meta data, alternatively editing using a form which is accessed by
a menu icon attached to the entity positioned at its outline. Deletion should be possible using
direct manipulation, i.e. direct interaction with areas designated for that purpose.
Taxonomic view
The taxonomic view (left hand in Figure 8.12) provides a hierarchical overview of the organization
of entities. The tree root reflects the name of the investigation, nodes in the tree are composites
and leaves in the tree are information elements. The taxonomic view and the spatial view are
synchronized in the sense that changes made in one view are instantly reflected in the other view.
There are no limitations to the number of nested hierarchies. The two views are separated by
a divider that can be moved left or right to expand/minimize the views depending on the users’
preference. Icons reflecting their space equivalents are used to make it easier for the investigators
to recognize the entities from the space in the taxonomic view. It is still the same information,
although offering a different perspective. A spatial parser algorithm is used to parse the entities
in the space and then create the structure shown in the taxonomic view.
An example of reference composite support is shown in Figure 10.9. In Figure 10.9a, Mr. X is
part of both Composite 1 (C1) and Composite 2 (C2). In Figure 10.9b, C2 is moved away and
now Mr. X is no longer part of C2, and this change is reflected in the taxonomic view to the left.
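The reference composite behaviour of Figure 10.9, as an added Python sketch that is not CrimeFighter Investigator's own spatial parser. It assumes that membership is decided by an entity's centre point lying inside a composite's rectangle; the coordinates, the nested composite "Cell" and the element "Mr. Z" are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entity:
    name: str
    x: float
    y: float
    w: float
    h: float
    composite: bool = False

    def holds(self, other):
        """Assumed membership rule: other's centre point lies inside this rectangle."""
        cx, cy = other.x + other.w / 2, other.y + other.h / 2
        return self.x <= cx <= self.x + self.w and self.y <= cy <= self.y + self.h

def encloses(outer, inner):
    # Only a strictly larger composite can be an ancestor, which rules out cycles.
    return (outer is not inner and outer.composite and outer.holds(inner)
            and outer.w * outer.h > inner.w * inner.h)

def direct_parents(entity, entities):
    holders = [c for c in entities if encloses(c, entity)]
    # A holder that also encloses another holder is a grandparent, not a parent.
    # Overlapping composites that do not nest both remain (reference composites).
    return [c for c in holders if not any(encloses(c, o) for o in holders)]

def parse_space(investigation, entities):
    """Spatial parser: rebuild the taxonomic tree from positions in the space."""
    def subtree(node):
        return {e.name: subtree(e) for e in entities
                if any(p is node for p in direct_parents(e, entities))}
    top = {e.name: subtree(e) for e in entities if not direct_parents(e, entities)}
    return {investigation: top}

def figure_10_9():
    # Constructed layout; only the names Mr. X, C1 and C2 come from the text.
    c1 = Entity("C1", 0, 0, 100, 100, composite=True)
    c2 = Entity("C2", 60, 0, 100, 100, composite=True)    # overlaps C1
    cell = Entity("Cell", 5, 5, 40, 40, composite=True)   # nested inside C1
    mr_x = Entity("Mr. X", 70, 40, 20, 20)                # sits in the overlap
    mr_z = Entity("Mr. Z", 10, 10, 20, 20)
    space = [c1, c2, cell, mr_x, mr_z]
    before = parse_space("Constructed investigation", space)
    c2.x += 150                                           # C2 is dragged away
    after = parse_space("Constructed investigation", space)
    return before, after

if __name__ == "__main__":
    for tree in figure_10_9():
        print(tree)
```

Re-running the parser after every move is what keeps the two views synchronized in this sketch; Mr. X appears under both composites before the move and only under C1 afterwards.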
Figure 10.8: Screen shot of taxonomic view from the Daniel Pearl investigation.
(b) Reference composite example - non-overlapping reference composites.
Figure 10.9: History trees and navigation view.
history feature records all the interactions that investigators have with entities in the space as
events, e.g., “create information element”, “resize composite”, “move information element”, and
so on. Each event is given a time stamp and added to the sequential history. If the history bar is
not positioned at the end of the history when an investigator causes an event, the investigator is
prompted whether to delete all events after the current event or to cancel whatever action
caused the event to happen.
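The history behaviour described above, as an added Python illustration that is not the tool's own code. The class name, the event fields and the `on_conflict` callback that stands in for the prompt are assumptions, and the time stamps in the sample run are constructed.

```python
import time

class History:
    """Sequential event history with a movable history bar."""

    def __init__(self, clock=time.time):
        self.events = []       # every recorded interaction, oldest first
        self.position = 0      # history bar: how many events are currently applied
        self.clock = clock

    def record(self, kind, entity, on_conflict=None, **data):
        """Record an event. If the bar is not at the end, ask whether to delete the
        later events; a refusal cancels the action that caused the event."""
        later = self.events[self.position:]
        if later:
            if on_conflict is None or not on_conflict(later):
                return False
            del self.events[self.position:]
        self.events.append({"time": self.clock(), "kind": kind,
                            "entity": entity, **data})
        self.position = len(self.events)
        return True

    def move_bar(self, position):
        self.position = max(0, min(position, len(self.events)))

    def space(self):
        """Replay the events up to the bar to rebuild the state of the space."""
        state = {}
        for e in self.events[:self.position]:
            if e["kind"] == "create information element":
                state[e["entity"]] = {"pos": e["pos"]}
            elif e["kind"] == "move information element":
                state[e["entity"]]["pos"] = e["pos"]
            elif e["kind"] == "resize composite":
                state.setdefault(e["entity"], {})["size"] = e["size"]
        return state

def history_demo():
    ticks = iter(range(1, 100))                  # constructed time stamps
    h = History(clock=lambda: next(ticks))
    h.record("create information element", "note 1", pos=(10, 10))
    h.record("move information element", "note 1", pos=(40, 25))
    h.record("create information element", "note 2", pos=(80, 10))
    h.move_bar(1)                                # back to just after the first event
    earlier = h.space()
    # The investigator answers "no" to the prompt: the action is cancelled.
    cancelled = h.record("move information element", "note 1", pos=(0, 0),
                         on_conflict=lambda later: False)
    kept = len(h.events)
    # The investigator answers "yes": the two later events are deleted.
    accepted = h.record("move information element", "note 1", pos=(5, 5),
                        on_conflict=lambda later: True)
    return earlier, cancelled, kept, accepted, h.events, h.space()

if __name__ == "__main__":
    print(history_demo())
```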
information elements in the hierarchically displayed structure (see example in Figure 10.10).
CHAPTER 11
Sense-making
After all, no one has yet linked failure of intelligence to the fact that
the opponent had better equations.
Wirtz (2006) in his review [251] of Robert M. Clark’s book Intelligence Analysis: A Target-Centric
Approach [40]
Criminal network sense-making is tightly coupled with criminal network synthesis as described in
the previous chapter; synthesis and sense-making are core analysis tasks. Synthesizing emerging
and evolving information structures is a creative and cognitive process best performed by hu-
mans. Making sense of synthesized information structures (i.e., searching for patterns) is a more
logic-based process where computers outperform humans as information volume and complex-
ity increases. CrimeFighter Investigator supports sense-making tasks through the application of
advanced software technologies such as hypertext, semantic web, well-known human-computer in-
teraction metaphors, and a tailorable computational model rooted in a conceptual model defining
first class entities that enable separation of structural and mathematical models (see Chapter 8).
Therefore, our modeling approach must embrace frequent customization and extension through
robustness and scalability of the underlying mathematical framework [30]. At the beginning of
an investigation it is not clear what sense-making approach will be required to understand and
reason about a certain criminal network. Sometimes more than one measure has to be calculated
for the criminal network or maybe some measures are used as input for an algorithm providing yet
another measure. It is impossible to know beforehand what information attributes (meta data)
will be the deciding factors for a criminal network investigation. First of all, information attributes
are emerging over time, just like the information entities. Second, investigators have to decide
if they will try to predict missing information entities in the network based on for example an
individual’s record of supplying weapons or a measure of each individual’s centrality in a criminal
network.
Taking a computational approach to criminal network sense-making, claiming that investigators
will benefit from the information provided, raises concerns about user acceptance of this computed
information. Experienced investigators with the skills to manually derive the computed
information (given more time) might question how exactly the information has been automatically
computed and they might be inclined not to trust this computed information enough to base
their decisions on it [193]. For computational sense-making to be effective, decision makers must
consider the information provided by such systems to be trustworthy, reliable [144], and credible.
The calculations are not the hard part; the challenge is to find a good way to use the data and
understand them. This is very well described by the following story by Stoll (1995) [217]:
Computer security expert Clifford Stoll spent a year studying at a Chinese observatory
with Professor Li Fang. Li studied star observations and used a Fourier transform, the
standard tool of astronomers everywhere, to hunt for periodic motions. Li, however, did
the Fourier transform completely by hand! Stoll decided to show Li how his new Hewlett
Packard HP-85 could be used to calculate some 50 coefficients for the polar wandering
in under a minute. The task had taken Professor Li 5 months. When presented with the
computer’s results, Li smiled and said: “When I compare the computer’s results to my
own, I see that an error has crept in. I suspect it is from the computer’s assumption
that our data is perfectly sampled throughout history. Such is not the case and it may
be that we need to analyze the data in a slightly different manner”. Stoll realized that Li
had not spent 5 months doing rote mechanical calculations. Instead, he had developed a
complex method for analyzing the data that took into account the accuracy of different
observers and ambiguities in the historical record.
Simply by turning to the computer when confronted with a problem, we limit our ability to
understand other solutions. The tendency to ignore such limitations undermines the ability of
non-experts to trust computing techniques and applications [193] and experienced investigators
would be reluctant to adopt them.
In this chapter, we focus on criminal network sense-making and how tailoring can leverage trans-
parency and ownership, increasing trust in information provided by sense-making algorithms.
CrimeFighter Investigator [169, 173, 174] is based on a number of sense-making related concepts
(see Figure 11.1). At the center is a shared information space. Spatial hypertext research has
inspired the features of the shared information space including the support of investigation his-
tory [174]. The view concept provides investigators with different perspectives on the information
in the space and provides alternative interaction options with information (hierarchical view to
the left (top); satellite view to the left (bottom); spatial view at the center; algorithm output view
to the right). Finally, a structural parser assists the investigators by relating otherwise unrelated
information in different ways, either based on the entities themselves or by applying algorithms to
analyze them (see the algorithm output view to the right). In the following, central CrimeFighter
Investigator sense-making concepts and tasks are presented.
11.1 Analysis
Based on cases and observations of criminal network sense-making, contact with experienced end-
users from various investigation communities (intelligence, police, and journalism), examination
of existing process models and existing tools for making sense of criminal networks (e.g., [7, 20, 21,
25, 35, 40, 53, 59, 110, 116, 128, 152, 162, 212, 244]), and our own ideas for sense-making support, we
maintain a list of sense-making tasks. The list of tasks can be seen as a wish list of requirements
which the sense-making part of a tool for criminal network investigation should support; the list
serves as the basis for our tool development efforts. The list is not exhaustive; we expect to uncover
additional sense-making requirements over time. We provide examples for each sense-making task
to emphasize the many different applications. Sense-making tasks assist investigators in extracting
useful information from the synthesized target model [175].
Figure 11.2: Algorithm types for sense-making include measure algorithms providing metrics for
entities such as links and nodes (left); transformation algorithms alter the structure of criminal
networks by either adding or removing entities (middle); custom-made algorithms encapsulate
multiple measure and transformation algorithms (right).
Measure algorithms provide metrics for entities such as links and nodes, and examples include
centrality measures from social network analysis [155, 195, 240] and link importance from terrorist
network analysis [80, 245]. Transformation algorithms alter the structure of criminal networks by
either adding or removing entities. Prediction techniques [183, 184] transform criminal networks
by predicting missing links or covert structure (nodes and links). Finally, custom-made algorithms
encapsulate multiple measure and transformation algorithms to represent tailored algorithms for
more complex sense-making tasks, such as node removal in criminal networks [169] (see analysis
of sense-making work flows below).
We outline the typical work flow of applying algorithm-based sense-making to a criminal network
as described below. The steps are at the same time the requirements for software support of such
work flows:
1. Work flow input. The input for a sense-making work flow is a criminal network of entities
(information elements, relations, and composites) forming structures through associations.
2. Need for sense-making. (e.g., [168, 169, 175]) The investigator wants to ask some question
about the criminal network, such as ‘what if’ questions or questions related to a network
measure, i.e. ‘measure’ questions. An example of a ‘what if’ question could be: ‘What will
happen if we remove these two nodes from the network?’ Follow-up questions could be: ‘are any
new relations between remaining nodes forming?’ or ‘are other information elements going
to take the place of the removed ones?’ Questions related to measures could be: ‘who controls
communication in this network?’ or ‘what individuals in the network are connecting to the
key individuals in the network?’ The purpose of such questions is typically to determine
weak points in a network, where infiltration would be feasible.
3. Tailoring desired sense-making work flow. Tailoring a desired work flow for a specific
sense-making task has many steps: (a) Selecting what algorithms to run to match
the desired questions. (b) When running multiple algorithms in a work flow it should be
possible to decide the order in which they run, if sequential. If the algorithms on the other hand
are set to run in parallel then order does not matter. (c) Customizing each individual algorithm
according to visual symbols, associations, reports, etc. (d) Deciding the input and output
of each individual algorithm. The output of the final algorithm will be the output of the
sense-making work flow.
4. Run the sense-making work flow. Starting the sense-making work flow must also be a
user controlled process. If the work flow produces one or several network measures as output,
the measure can be computed on every event that occurs in the common information space.
But the system should also consider another type of algorithm, which changes the structure
of entities (editing, adding, or removing).
5. Results. Deciding what to do with the results: should they be discarded from or appended
to the investigation? Typically a lot of sense-making synthesis is required to reach a certain
point of clarity. The importance of keeping a record (history) of such discard and
append actions (events) is illustrated by investigators often needing to retrace the steps of
investigations to see if something was missed [128, 162, 204].
6. Retrieve a report. If interesting results are yielded, the end user can decide to retrieve a
report with the information, analysis, and results aggregated.
7. Save sense-making work flow. Finally, the user could want to save a work flow, if it
might be useful for future investigations, or if it is to be shared with other investigators.
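Steps 1 to 5 of the work flow above, as an added Python example that is not part of CrimeFighter Investigator. The network and its single-letter labels are constructed, the names WorkFlow, remove_top_brokers and decide are assumptions, and betweenness centrality stands in for the question of who controls communication.

```python
from collections import deque

# Constructed sample network (undirected); single-letter labels are placeholders.
EDGES = [("A", "C"), ("B", "C"), ("C", "D"), ("D", "E"),
         ("E", "F"), ("E", "G"), ("A", "H"), ("H", "F")]

def build(edges):
    net = {}
    for u, v in edges:
        net.setdefault(u, set()).add(v)
        net.setdefault(v, set()).add(u)
    return net

def betweenness(net):
    """Measure algorithm: Brandes betweenness centrality (unweighted, undirected)."""
    score = {n: 0.0 for n in net}
    for s in net:
        order, preds = [], {n: [] for n in net}
        sigma = {n: int(n == s) for n in net}    # number of shortest paths from s
        dist, queue = {s: 0}, deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in net[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {n: 0.0 for n in net}
        for w in reversed(order):                # farthest nodes first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {n: c / 2 for n, c in score.items()}  # each pair was counted twice

def components(net):
    """Measure algorithm: the connected groups in the network."""
    seen, parts = set(), []
    for start in sorted(net):
        if start not in seen:
            part, todo = set(), [start]
            while todo:
                n = todo.pop()
                if n not in part:
                    part.add(n)
                    todo.extend(net[n] - part)
            seen |= part
            parts.append(sorted(part))
    return parts

def remove_top_brokers(net, k=2):
    """Custom-made algorithm: a measure feeds a transformation (node removal)."""
    scores = betweenness(net)
    targets = set(sorted(net, key=lambda n: (-scores[n], n))[:k])
    return {n: nbrs - targets for n, nbrs in net.items() if n not in targets}

class WorkFlow:
    """Ordered, investigator-tailored steps; the last step's output is the result."""
    def __init__(self, name):
        self.name, self.steps = name, []

    def add(self, question, kind, algorithm, **settings):
        self.steps.append((question, kind, algorithm, settings))
        return self

    def run(self, net):
        report, output = [], None
        for question, kind, algorithm, settings in self.steps:
            entry = {"question": question, "algorithm": algorithm.__name__,
                     "settings": settings, "input_nodes": sorted(net)}
            output = algorithm(net, **settings)
            if kind == "transformation":
                net = output                     # later steps see the changed network
                entry["output_nodes"] = sorted(net)
            else:
                entry["result"] = output
            report.append(entry)
        return net, output, report

def decide(space, transformed, history, action):
    """Append or discard a result; either way the decision becomes a history event."""
    history.append({"seq": len(history) + 1, "event": action + " work flow result"})
    return transformed if action == "append" else space

def what_if():
    flow = (WorkFlow("what if the two top brokers are removed?")
            .add("who controls communication?", "measure", betweenness)
            .add("remove the two top brokers", "transformation", remove_top_brokers, k=2)
            .add("which groups remain?", "measure", components)
            .add("who takes their place?", "measure", betweenness))
    space, history = build(EDGES), []
    transformed, output, report = flow.run(space)
    space = decide(space, transformed, history, "discard")  # investigation stays unchanged
    return output, report, space, history
```

On the constructed network, C and E score highest before the removal, and afterwards H is the only node left with a non-zero score, which answers the follow-up question of who takes the place of the removed nodes. The per-step report entries are the raw material for a report as in step 6.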
other hand, the user can tailor the algorithm to the available data and customize the generation of
a specific output structure for results, then the user is controlling the algorithm, and the algorithm
is merely assisting the investigator, functioning as a tool. The algorithm is not in control of the
sense-making work flow, forcing the investigator to do additional conversions of the output to be
useful for an intended analysis.
Figure 11.3: A structural parser must be able to: tailor algorithms of different types (e.g., the
order of algorithms - see left); customize the settings and inputs for algorithms (middle); and
create new algorithms by combining the existing ones (right).
Examples of parsers responsible for specific tasks within a certain structure domain include
the spatial parsers in VKB [198] and ASAP [170]. The social network analysis tabbed pane in
Analyst’s Notebook [2] (see Section 4.1.1) has an ‘Options’ tab for customization, where the user
can tick off the centrality measures they want to include, together with other options such as
normalization of results and whether or not to use the directions of links [107].
Figure 11.4: To be able to utilize history for sense-making purposes, the history of user actions
must be recorded (left), it should be possible to navigate the history (middle), and editing the
history is essential (right).
Figure 11.5: Retracing the steps of investigations is often used when an investigation has stalled
(i.e., no new leads are generated) or for training or explanatory purposes (see Section 12.1.1 in
the chapter on dissemination).
Maneuvering through the evening traffic on Liberty Road, he runs two weeks of investigation
through his mind” [204].
Figure 11.6: Creating new hypotheses using argumentation and alternatives, or retracing the steps
of existing hypotheses.
Journalist Daniel Pearl was kidnapped in Karachi in early 2002 and the criminal network investigators
followed the hypothesis that the leader of a radical Islamist group, Shaikh Gilani,
masterminded the kidnapping, since Pearl was scheduled to meet him on the day of his disappearance.
One day the investigative team receives an email, profiling a shadowy character suspected
of having bankrolled the 9/11 attacks, Omar Saeed Sheikh: “Omar has a particular specialty: he
kidnaps Westerners”. But the team finds nothing linking Omar to Daniel’s disappearance (besides
this specialty), and the current state of their hypothesis has a lot more supporting arguments
pointing towards Gilani. [128, 162, 227]
On February 5, 2003, Secretary of State Colin Powell presented to the United Nations council the
US hypothesis on Saddam Hussein’s weapons of mass destruction program. The supporting arguments
were primarily based on one human intelligence source, an Iraqi defector who manufactured
a story based on open source United Nations reports and his work as a chemical engineer. [59, 242]
Figure 11.7: Extracting a model from a criminal network investigation, adapting the model to a
new situation, and then applying the model to the same or another criminal network.
Several studies have described the structural evolution of terrorist networks and cells related to
al-Qaeda and affiliated movements (AQAM), and plotting to hit targets in Europe. This structural
evolution has gone through four phases. Vidino (2011) outlines the evolution of these European
networks during the first three phases, and provides a detailed description of the fourth phase
including characteristics in terrorism related to AQAM [236] and resembling a model. Sageman
(2004) found in his work on structural patterns in “terror networks” [188] that people had joined
the jihad in small groups (called cliques, where every node is connected to every other node).
Several individuals lived together for a while and had intense discussions about the jihad. When
one of the friends was able to find a bridge to the jihad, they often went as a group to train
in Afghanistan. Nesser (2006) models the structures of jihadist terrorist cells in the UK and
Europe [154]. Nesser identified a distinct set of profiles: a typical cell includes an entrepreneur,
his protege, misfits, and drifters, which also explains the Sageman (2004) concepts of cliques
(network cells), bridges, and hubs (the entrepreneur). The relations among cell profiles as well as
meta data characteristics for each profile (e.g., education, marital status, children, age) are described.
Figure 11.8: Predicting missing information entities: links, structures, key players, and subgroups.
the 15 individuals they thought were a threat to national security, missing key individuals behind
the July 7th bombings [110]. The links between Operation Crevice and the July 7th bombings are
something that is still investigated by the British Home Office [167].
In a 2011 interview, Alex Strick van Linschoten [134] suggested prediction of missing links between
Afghan Taliban members based on knowledge about their andiwali¹ system, “where groups tend
to gather based on prior connections. Young men from the same village could group together in
one cell; madrassas also allow young men to form ties. Some groups may have blood relations that
bring them together in a group of andiwali” [137, 166].
Figure 11.9: Detecting semantic and orthographic aliases to analyze if two entities are in fact the
same, or if a single entity was in fact two different entities.
An extreme example is the mastermind behind the kidnapping of journalist Daniel Pearl, Omar
Saeed Sheikh, who used up to 17 aliases [128]: “You run up against the eternal problem of any
investigation into Islamist groups or al-Qaeda in particular: the extreme difficulty of identifying,
just identifying, these masters of disguise, one of whose techniques is to multiply names, false
identities, and faces”. Khalid Sheikh Muhammad used more than two dozen aliases [146]. In
the UK investigation of whether or not the July 7th bombings in London 2005 could have been
prevented based on information from the prior Operation Crevice, MI5 had come across different
variations of the name “S. KHAN” (the name of the plot ringleader, Mohammed Siddique Khan).
They consequently believed the name could have been an alias “due to a combination of both the
multiple spellings and lack of traces on databases” [110]. Aliases are inherently also a problem
when analyzing online violent radical milieus: “the Internet allows for the virtual construction
and projection of personalities that may or may not be accurate reflections of the physical lives
controlling those avatars” [29].
¹ “Andiwal” is the Pashto (Afghani language) word for “friend”.
Figure 11.10: Alternatives to the often used navigational (link) perspective are the spatial,
taxonomic, time line, map, and audio perspectives.
During the Daniel Pearl investigation a chronology of events (time line) is created simultaneously
with the criminal network (link chart) of involved individuals who were potentially linked to the
crime [162]. A time line perspective could also be used for temporal organization of previous
investigations, e.g. terrorism plots in the European Union [236] (see also Figure 14.10).
When Colin Powell presented United States’ hypothesis on Saddam Hussein’s weapons of mass
destruction program, he used both augmented satellite photos (images/maps) and recordings of
intercepted phone calls (audio) with subtitles [238, 257].
As mentioned, a list with 55 individuals was created after Operation Crevice, and it had to be
decided how to focus limited resources [110, 252]. In the case of CIA’s investigation into possible
weapons of mass destruction in Iraq, the CIA based their decision on uncorroborated evidence
(arguments) [59, 242]. The team investigating the kidnapping of Daniel Pearl decides to focus
resources on the alleged mastermind Sheikh Gilani, the man who Pearl was scheduled to interview
on the day of his disappearance [128, 162, 227].
Slate reporter Chris Wilson has described how the US military used social network analysis to
capture Saddam Hussein [250]: “In Tikrit, players were captured, killed, and replaced at a low
enough rate that the network was able to cohere. The churn rate is likely much higher in an
extremist group like al-Qaeda”. In one assessment of destabilization tactics for dynamic covert
criminal networks, it is pointed out that in standard social network analysis node changes are the
standard approach to network destabilization [35].
“MI5 [. . . ] decided not to continue surveillance of Khan and Tanweer because the quantity of
Khan and Tanweer’s links to the fertilizer bomb plotters targeted in Operation Crevice were less
than 0.1 percent of the total links. Their argument failed to take into account the betweenness
centrality of Khyam. Betweenness centrality refers to relationships where one individual provides
the most direct connection between two or more groups. These individuals bridge networks, or
subnetworks. In the case of Khan and Tanweer, Khyam was likely serving a liaison role rather
than a broker role, meaning his betweenness was not likely critical to their plot but was indicative
of Khan and Tanweer’s intelligence value” [111].
Figure 11.13: Terrorist network measures include secrecy and efficiency for measuring link
importance, and detection of key players and communities (subgroups). Terrorist network destabilization
criteria are often used to determine the success or failure of such measures.
The link importance measure has been shown to offer new insights into the 9/11 and Bali bombing
terrorist networks by pointing out links that are important to the network [244]. Community
(subgroup) detection has been applied to a network of 60 criminals dealing with drugs [255] and
prediction of missing key players has been tested on the Greek terrorist network November 17 [182].
11.2 Designs
In this section, we present designs for criminal network sense-making tasks supported by
CrimeFighter Investigator, but also ideas that remained ideas yet were found useful, either by the
criminal network investigators we have discussed them with or through investigations of our own.
Based on literature reviews (e.g., [35, 36, 40, 174, 183]), feedback from intelligence analysts and our
own ideas, we propose a node removal algorithm involving the following eight steps. The two
perspectives (steps 5 and 6) are exchangeable and adaptive by adjustment of their settings:
1. Define ‘what if’ question(s), thereby focusing on specific secondary effects of node removal.
Investigators typically frame these ‘what if’ questions that they want to ask using natural
language, for example: “what network paths with a change in distance from 2 to 1 will
emerge when the node is removed”. This could point out individuals gaining direct access
to key individuals after node removal, if the investigators have prior knowledge about who
these key individuals are. The ‘what if’ questions are framed by the investigators.
2. Select nodes of interest. All nodes are not necessarily relevant for the defined ‘what if’
question(s). The investigators will decide which individuals it would make sense to include
based on their tacit knowledge and other preconceived notions or experience.
3. Select node to remove. Although the algorithm lets the investigator see the probable effect
of removing any node from the criminal network, network information such as social network
measures, predicted future states, and destabilization criteria are considered when selecting
which node to remove.
4. Remove selected node and all associated links. Removing a node with more than a few links
can be a cumbersome synthesis task to perform manually, i.e., removing the links one by
one without accidentally deleting other individuals’ links.
5. Perspective 1: predict new links. Prediction of new probable links between the remaining
individuals in the network based on for example open source information and the tacit
knowledge of the investigators. The predicted links are input data for the processing of
‘what if’ questions.
6. Perspective 2: changing degree centrality. Displaying the changing degree centrality of each
node will disclose changes in node importance to the investigator.
7. Discard or append new links. The investigator might want to follow some leads based on
the links predicted after the node removal. Or maybe some settings need to be adjusted,
and the investigator will discard the results.
8. Dissemination of secondary effects. Before the algorithm results are appended or discarded,
a report which outlines the secondary effects of the node removal, listing the current setting
and how the algorithm reached its conclusions would be helpful for (easy) dissemination to
intelligence customers or other investigative team members who did not participate in the
reasoning session.
We present a node removal scenario in Section 14.2 describing how the CrimeFighter Investigator
supports the above defined algorithm steps.
The list below outlines our design for how we believe criminal network investigators should be
able to work with algorithms, to define so-called work flows. The design of the CrimeFighter
Investigator Algorithm component is described in greater detail in Section 8.5.3. Here we describe
the design for each of the steps for creating sense-making work flows, as outlined in Section 11.1.1
(analysis):
1. Work flow input. Input is either based on a series of synthesis and sense-making iterations
or imported from a previous investigation. A design is therefore not created for this step.
2. Need for sense-making. This is a decision made by the investigator based on the current
state of the criminal network in the common information space. The need for sense-making
cannot be decided by software.
3. Run the sense-making work flow. There is a need to differentiate between transformative
algorithms and measures. The created work flow(s) should be added to a list that is
available from the common information space. That is, (parts of) the network must be visible
simultaneously with the list of created sense-making work flows. We suggest embedding
a view for algorithms in the common information space.
4. Results. As described in the analysis, there is only a need for deciding what to do with
results produced by algorithms that transform the network. A pop-up should ask the user
whether or not to deal with all results at once or each individual result (i.e., each predicted
link or information element). If all results is selected, then all entities related to the
transformation are highlighted, to inform the user what entities precisely the decision to discard
or append those results concerns. If possible, display additional information about the
results, e.g., number of information elements, relations, and composites, or perhaps the link
importance measure for all relations should be displayed. Whether the results are appended
or discarded, the action (event) should be appended to the criminal network investigation
history.
Alternatively, if individual results is selected, iterate through each result action and perform
the following for each one: highlight the entity related to the transformation, to inform
the user what precisely the decision to discard or append that entity concerns. If possible,
display additional information about the entity, e.g., what caused the entity to be predicted,
what is the centrality of the entity, or general meta data information about the entity such
as attributes or the entity’s visual abstraction. This could be displayed in a so-called object
inspector, or in the specialized sense-making view. Again, the append or discard action
(event) should be appended to the criminal network investigation history.
5. Retrieving a report. When a sense-making work flow has been executed, this should be
indicated somehow in the specialized sense-making view. It should also be indicated whether
or not the execution produced any results. If a sense-making work flow is marked as executed
and the work flow produced results, then a selection of that button should make available a
button that the user can push to extract the report (if multiple reports are available, then
the user should be given the choice between these options). The analysis and design of the
actual report generation process is described in Section 12.1.2 and Section 12.2.2.
6. Save sense-making work flow. Option to save the sense-making work flow must be
available through the specialized sense-making view. Another option could have been the
spatial parser, but since it is unclear at the point of customization of the algorithm, this
could potentially inhibit the creativity involved in tailoring an algorithm. The process of
saving the work flow will be controlled by a dialog, asking for various information about the
work flow. Minimally a name, but a description of the type of criminal network sense-making
that the work flow is suitable for could also be relevant.
We divide our design of the hypothesis creation task into reasoning using issue-based argumentation
and reasoning by creation of alternative interpretations using structural capabilities to create,
e.g., branched information structures (lines of reasoning or thinking).
Investigators use evidence (i.e., facts) or inferential judgments to reason about the issues they
come across in their work. Inferential judgments typically require detailed reasoning involving
several positions and even more “pro” and “con” arguments, while fact-based reasoning typically
is done by creating relations to pieces of evidence in the space. Algorithms for machine inferential
judgments exist; such functionality would be helpful for investigators.
Besides creating the link chart and a chronology of events, the Daniel Pearl investigative team also
continuously updates the thoughts and evidence about “Who kidnapped Daniel Pearl?” (i.e., who
are the mastermind(s) behind the kidnapping). The most wicked problem of an investigation is
always “Who did it?” or “Who is going to do it?”, and part of that problem is the acknowledgment
of “Who didn’t do it.”, as a result of listing pros and cons regarding the suspects. A sketch
of the intended issue-based argumentation interface is shown in Figure 11.14.
3. Models as input for sense-making. Profiles of individuals based only on relational and
biographical data (that is, disregarding the psychological part of their profile) can be connected
together in networks representing expected cell structures (like Nesser did in [154]), and then
re-used for sense-making in other criminal network investigations.
Our design for support of computations over adaptive network structure is as follows: a
parser must be implemented to handle the processing of rules, running against the complete
network structure. The network structure analyzer and parser must be able to cooperate
with a parser analyzing spatial structures in order to create a combined presentation and
analysis within the criminal network investigation tool.
Rule design
Since rules are the conditional logic of adaptive models, we will focus the design in this section
on those rules. It is important to distinguish semantically between information element, relation,
and composite rules. Information element rules are used to describe attributes that apply to
profiles of individual persons, locations, organizations, etc. Relation rules associate information
elements, forming the criminal network structure of the model. In this section, we will discuss
some observed general characteristics of the intended CrimeFighter Investigator rules and then
give examples of both information element and relation rules.
The general rule format used for both information element and relation rules is given in Figure
11.15. Attribute name indicates which information element or relation attribute (Figure 11.16)
this rule is targeted at. Attribute type is information about the type of the attribute content,
i.e., whether it is an integer number, a text string, or an array of text strings. The rule operator’s
function is to provide the conditional logic that will decide if a rule is evaluated true or false based
on the rule attribute name and the provided rule parameters, if any. A criminal network investigator
must offer a number of both boolean operators (SmallerThan, BiggerThan, EqualTo etc.) and text
string operators (EqualsIgnoreCase, SubStringOf, MinimumOccurences(#) etc.). Rule parameters
is an option to add some additional parameters to be included in the rule evaluation. It could
be an integer number, text string, or an array of text strings. It could also be another attribute of
the information element that this rule is attached to. And finally, it could be a classification
(or taxonomy) on a certain topic as described by the criminal network investigation team or an
individual team member. As an example, if the team builds a taxonomy of militant religious
groups, it would be possible to use classes of that taxonomy as a parameter for rules.
Before giving rule examples, we would like to discuss the attributes associated with person
information elements and person-to-person relations by the Investigator tool (Figure 11.16). The
list of attributes is partly based on (Gniadek 2010) [80] and partly our own experiences gained
from studying Nesser’s 2006 model (see Section 14.1.1) together with our analysis of the criminal
network involved in Daniel Pearl’s kidnapping (see Section 3.5.1 and Section 14.1). General
attributes like ‘Source of information’, ‘Time of entering data’, ‘Source reliability’ and ‘Date of
relation creation’ etc. have been disregarded for the sake of simplicity, but are of course important
steps of the intelligence gathering process.
As described in Section 14.1.1, it was part of the profile of jihadist terrorist cell leaders in the
UK and Europe that they typically have participated in jihad in their original home country (or
Afghanistan, Pakistan, Chechnya, Bosnia). A prerequisite of participating in jihad in a country
must be to have visited that country, and it could also be useful information even though the
‘participation in jihad’ might not show any matches. Aiming at analyzing large amounts of data, we
cannot know if a person’s home country is part of the list {Afghanistan, Pakistan, Chechnya, Bosnia}
and we have to make two rules in order to be sure (shown below).
Figure 11.17 shows an example of a person-to-person relation rule, where the aim is to determine
whether or not the person on the left is older than the person on the right. The direction of
a relation plays a key role when defining relation rules, since it indicates how the comparison
operator is applied. The algorithm parsing this rule simply takes the age of the person attached
to the left side of the relation. If one end of the relation is not connected to an information
element (or if the information element does not have the requested attribute), that specific rule
should be disregarded during analysis, but will be invoked immediately when relation endpoints
become connected again. Please note that in the example given in Figure 11.17, the rule parameters
are not used and therefore set to null.
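The rule format and the two rule kinds described above, as an added Python sketch (not CrimeFighter Investigator's own code). The operator names come from the text; their exact semantics, the attribute names (`home_country`, `countries_visited`, `country_of_residence`, `age`), the `AttrRef` helper, and the sample persons are assumptions constructed for illustration.

```python
"""Rule evaluation in the general rule format (name, type, operator, parameters)."""
from dataclasses import dataclass
from typing import Any, Optional

# Assumed encoding of "attribute type": type name -> Python type.
TYPES = {"int": int, "str": str, "list[str]": list}


@dataclass(frozen=True)
class AttrRef:
    """Rule parameter that refers to another attribute of the same element."""
    name: str


def _minimum_occurrences(value, allowed, n):
    # Assumed semantics: at least n of the attribute's values occur in the
    # parameter list; a single string is treated as a one-item list.
    values = [value] if isinstance(value, str) else value
    wanted = {a.casefold() for a in allowed}
    return sum(v.casefold() in wanted for v in values) >= n


# Operator names as listed in the text; the semantics are assumptions.
OPERATORS = {
    "SmallerThan": lambda v, p, n: v < p,
    "BiggerThan": lambda v, p, n: v > p,
    "EqualTo": lambda v, p, n: v == p,
    "EqualsIgnoreCase": lambda v, p, n: v.casefold() == p.casefold(),
    "SubStringOf": lambda v, p, n: v.casefold() in p.casefold(),
    "MinimumOccurences": _minimum_occurrences,
}


@dataclass(frozen=True)
class Rule:
    attribute_name: str
    attribute_type: str
    operator: str
    parameters: Any = None  # literal, list, AttrRef, or None for relation rules
    count: int = 1          # the "#" in MinimumOccurences(#)

    def _value(self, element: Optional[dict]):
        """Attribute value, or None if the element or a well-typed value is missing."""
        if element is None:
            return None
        value = element.get(self.attribute_name)
        return value if isinstance(value, TYPES[self.attribute_type]) else None

    def evaluate_element(self, element: dict) -> Optional[bool]:
        """True or False, or None when the rule has to be disregarded."""
        value = self._value(element)
        if value is None:
            return None
        param = self.parameters
        if isinstance(param, AttrRef):
            param = element.get(param.name)
        if param is None:
            return None
        return bool(OPERATORS[self.operator](value, param, self.count))

    def evaluate_relation(self, left, right) -> Optional[bool]:
        """Apply the operator from the left endpoint to the right endpoint."""
        lv, rv = self._value(left), self._value(right)
        if lv is None or rv is None:
            return None  # empty endpoint or missing attribute: disregard
        return bool(OPERATORS[self.operator](lv, rv, self.count))


# The country list from the text, checked by two rules: home country and visits.
COUNTRIES = ["Afghanistan", "Pakistan", "Chechnya", "Bosnia"]
HOME_RULE = Rule("home_country", "str", "MinimumOccurences", COUNTRIES)
VISITED_RULE = Rule("countries_visited", "list[str]", "MinimumOccurences", COUNTRIES)
SAME_RESIDENCE = Rule("country_of_residence", "str", "EqualsIgnoreCase",
                      AttrRef("home_country"))
OLDER_THAN = Rule("age", "int", "BiggerThan")  # relation rule, parameters null


def matches_either(person: dict) -> bool:
    """True if at least one of the two country rules evaluates to true."""
    return any(r.evaluate_element(person) for r in (HOME_RULE, VISITED_RULE))


# Constructed sample persons (not from any investigation).
P1 = {"age": 41, "home_country": "Pakistan", "countries_visited": ["Pakistan", "UK"]}
P2 = {"age": 23, "home_country": "UK", "country_of_residence": "uk",
      "countries_visited": ["afghanistan", "France"]}
P3 = {"home_country": "UK", "countries_visited": []}  # no age recorded

if __name__ == "__main__":
    for label, person in (("P1", P1), ("P2", P2), ("P3", P3)):
        print(label, "matches country rules:", matches_either(person))
    print("P1 older than P2:", OLDER_THAN.evaluate_relation(P1, P2))
    print("P1 older than <empty endpoint>:", OLDER_THAN.evaluate_relation(P1, None))
```

A result of `None` marks a disregarded rule, which keeps "could not be evaluated" separate from "evaluated false" when results are later reported.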
in Karachi, who is also known as Hafiz or Chotto, Chotto being one of the pseudonyms of Mazhurul
Islam as well, the latter also known as Dhobi.” (see Figure 11.20).
Figure 11.20: It can also complicate an investigation significantly, if two persons are using the
same alias. In this case Muhammad Nagar and Mazhurul Islam both use the alias Chotto.
11.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 11. SENSE-MAKING
1. Pre-analysis. In this step the algorithm analyzes whether or not the included association
types appear in the criminal network. If they do, then changes are temporarily made to the
network accordingly.
2. List all entity pairs. This step creates a list of all entity pairs that exist in the network,
again based on the included associations. This means that if the direct node-group
association is included, then all entities that are directly or indirectly (by association through
intermediary entities) associated to the group with links are added to the list of entity pairs.
3. List all shortest path(s) for each entity pair. We calculate the shortest path(s) for all
entity pairs without considering the cost-efficiency of our algorithm: we take a breadth first,
brute-force approach [207], visiting all nodes at depth d before visiting nodes at depth d +
1, removing all loops and all paths to the destination node longer than the shortest path(s)
in the set, until only the shortest path(s) remain.
4. Node occurrence. We calculate the ratio by which each node in the network appears in the
accumulated set of shortest path(s).
5. Bubble sort. The results are sorted according to the user’s choice, usually descending with
the highest centrality first.
6. Generate report. If the user requests it, a PDF report is generated for easy dissemination of
the results of the centrality measure. The user can decide what report elements to include.
Pre-analysis is the algorithm step of primary interest to the work presented here. For the direct
empty endpoint association, pre-analysis involves adding temporary information elements as
placeholders of empty endpoints. For the semantic co-location association, we create a temporary
relation between two entities if they are not already related and they are within the user-defined
boundaries of each other (see Figure 11.21).
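Steps 1 to 5 above as an added Python sketch (not CrimeFighter Investigator's own code), showing how the two pre-analysis extensions change the ranking. The entity positions, the distance-based reading of "user-defined boundaries", and the choice to count only interior nodes of a path are assumptions; the sample network is constructed.

```python
"""Betweenness by brute-force BFS, with the two pre-analysis extensions."""
import math
from collections import defaultdict, deque
from itertools import combinations


def pre_analysis(entities, relations, empty_endpoints=False, colocation_radius=None):
    """Step 1: build a temporary adjacency map; the stored network is untouched.

    entities:  {name: (x, y)} positions in the information space
    relations: [(a, b)], where None marks an empty endpoint
    """
    adj = {name: set() for name in entities}
    placeholders = 0
    for a, b in relations:
        if a is None and b is None:
            continue
        if a is None or b is None:
            if not empty_endpoints:
                continue  # association excluded: the dangling link is ignored
            placeholders += 1
            tmp = f"<empty-{placeholders}>"  # temporary placeholder element
            adj[tmp] = set()
            a, b = a or tmp, b or tmp
        adj[a].add(b)
        adj[b].add(a)
    if colocation_radius is not None:
        # Temporary relation between unrelated entities placed near each other.
        for u, v in combinations(entities, 2):
            near = math.dist(entities[u], entities[v]) <= colocation_radius
            if near and v not in adj[u]:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def shortest_paths(adj, src, dst):
    """Step 3: all shortest paths src -> dst, breadth first (depth d before d + 1)."""
    depth = {src: 0}
    preds = defaultdict(list)
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break  # every predecessor of dst has been recorded by now
        for w in sorted(adj[u], key=str):
            if w not in depth:
                depth[w] = depth[u] + 1
                queue.append(w)
            if depth[w] == depth[u] + 1:
                preds[w].append(u)
    if dst not in depth:
        return []
    paths = []

    def unwind(node, tail):
        if node == src:
            paths.append([src] + tail)
            return
        for p in preds[node]:
            unwind(p, [node] + tail)

    unwind(dst, [])
    return paths


def betweenness(adj):
    """Steps 2, 4 and 5: share of all shortest paths that pass through each node."""
    hits = dict.fromkeys(adj, 0)
    total = 0
    for src, dst in combinations(sorted(adj), 2):
        for path in shortest_paths(adj, src, dst):
            total += 1
            for node in path[1:-1]:  # assumption: endpoints do not count
                hits[node] += 1
    scores = {n: (h / total if total else 0.0) for n, h in hits.items()}
    # The text sorts with bubble sort; sorted() yields the same descending order.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: a chain A-B-C-D, a link from D to an empty endpoint,
# and an unlinked entity E placed close to C in the information space.
ENTITIES = {"A": (0, 0), "B": (10, 0), "C": (20, 0), "D": (30, 0), "E": (20, 3)}
RELATIONS = [("A", "B"), ("B", "C"), ("C", "D"), ("D", None)]

if __name__ == "__main__":
    settings = {"no extensions": {},
                "empty endpoint": {"empty_endpoints": True},
                "both": {"empty_endpoints": True, "colocation_radius": 5.0}}
    for label, kwargs in settings.items():
        ranking = betweenness(pre_analysis(ENTITIES, RELATIONS, **kwargs))
        print(label, [(n, round(s, 3)) for n, s in ranking])
```

With both associations included, D becomes a bridge to the placeholder and C's score rises because E is now reachable only through it.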
the secondary effects of entity removal or insertion. All algorithms implement the report interface,
where an algorithm’s report elements and design are defined. Rules are used to describe
entity-to-entity relations, attribute cross products, etc. Each algorithm has a set of general settings and
specific settings. Specific settings include algorithm hooks, i.e., the entity attributes that algorithms
base their computations on, and customizable algorithm parameters.
We refer to Section 11.3.2 (structural parser) for the descriptions of how to use different algorithms,
since it is the role of the structural parser to tailor, customize, and run sense-making algorithms.
Furthermore, Chapter 14 describes three different deployments of CrimeFighter Investigator where
a variety of the discussed algorithms are used.
The user can customize when and how often a prediction algorithm should compute (Figure
11.22a). One option is to automatically run the algorithm every time a change is made to the
criminal network. But the predict missing links algorithm is a transformative algorithm, and
would continue to predict missing links, since each transformation of the network would start the
algorithm again. Therefore, an option to run algorithms when clicking a button has been added
(see Figure 11.1, right side).
Figure 11.21: The two implemented algorithm extensions, the empty endpoint association and
the co-location association are explained. Without the empty endpoint association, the link from
the empty endpoint to the connected entity is not included in measures of betweenness centrality
and degree centrality is not calculated for the empty endpoint (a) and with that association the
link is included (b). Without the co-location association entities positioned near each other in
the information space are not included in measures of centrality (c), but if entities fall within the
boundaries defined by the investigators and the association is included, then those entities are
included in measures of centrality (d).
Figure 11.22: The structural parser (left) and the predict missing links algorithm customization
window (right).
Next is the selection of algorithm hooks (Figure 11.22c). A special drag and drop view is used
for this task (Figure 11.23). Both entity attributes and centrality measures can be selected as
algorithm hooks.
Numerical algorithm variables are customized using standard input fields such as text fields (any
number or text), sliders (bounded numbers), and drop down boxes (enumerated values) as shown
in Figure 11.22d. Network information (evidence) is what the prediction algorithms base their
inferences on (Figure 11.22e). For predict missing links, it will be all entities currently in the
network.
The network layout drop down box (Figure 11.22f) can be used to select one of several default
layout algorithms that will be applied after the prediction. Finally, the investigators can customize
what visual symbols (color, thickness, etc.) to apply to the predicted links (Figure 11.22g).
The interface for customizing measures of centrality is structured in the same way as the
interface for transformative algorithms described above (Figure 11.24). There are however a couple
of important differences which we would like to emphasize, using betweenness centrality as an
example:
Entities? The investigator should decide which entities to include for the calculation of
betweenness centrality, all or only selected entities (e.g., persons)? If not all entities are
included, what should the algorithm do if it encounters a non-included entity when tracing
shortest paths? Should it skip the entity and then continue on the other side if the path
Figure 11.23: Selecting algorithm hooks for the predict missing links algorithm.
Figure 11.24 shows the interface for customizing SNA measures of centrality (left) and the
sub-interface for setting up visual symbols for visualization of results in the information space (right).
CrimeFighter Investigator algorithms are managed using a structural parser, where investigators
can select different algorithms to run and control the order in which they are executed, for
example either simultaneously or sequentially. Figure 11.25 (left) shows how individual centrality
algorithms can be customized by the user. The user must decide how to run an algorithm (Figure
11.25a) and what entities to include for the respective centrality algorithm (Figure 11.25b). This
is done using drag and drop between two defined areas as shown in Figure 11.25 (right, top frame).
For included entities the user can set a weight (maybe a location counts less than a person for a
measure of betweenness centrality) and for excluded entities the user can set how the algorithm
should deal with them, e.g., when tracing a shortest path. Should it not include the shortest path or
simply ignore this entity and continue along the path? Direct and semantic associations are included
or excluded using the same drag and drop approach as for entities (see Figure 11.25c and 11.25d).
Again, weights can be set up for included associations and the algorithm’s action(s) for excluded
associations. Finally, we imagine many settings for how to format and list results (Figure 11.25e).
Typically, normalization is important for comparison of results. If an investigation has many of the
included entities it can be useful only to display for example 10 results based on some parameter,
e.g., highest centrality.
Figure 11.24: The user can customize which entities and associations to include, how to display
results, and the visual symbols for betweenness centrality.
Figure 11.25: Setting up centrality algorithms using structural parser windows: the centrality
algorithm settings window is shown on the left, and the window for inclusion and exclusion of
entities together with specific settings for each of those entities is shown on the right.
It is currently possible to set the visual symbols for the information space and the algorithm view
(see Figure 11.25f). For the information space the user can decide whether or not to overlay
entities with a geometric shape (circle, square, or rectangle) containing the calculated centrality
(instead of just showing the results in the algorithm view). The color, size and outline of the shape
can be decided together with the font and font size of the printed centrality. For the algorithm
view it can be decided how to display the results textually in a list. Maybe a certain attribute
should be printed (e.g., person ‘name’ or email ‘date’). And the font (type, size and color) can be
set.
CrimeFighter Investigator supports a node removal approach with two perspectives: an
inference-based prediction of new probable links and changes in standard social network degree centrality.
In this section we demonstrate how to tailor node removal work flows. In Chapter 14 we go
through such a node removal work flow and test the tailored algorithm on a criminal network
aggregated from open source reports, creating hypotheses based on path distance and degree
centrality changes. Figure 11.26 (right) shows the algorithms selected by the investigators to run,
in this case ‘CustomNodeRemoval’ and ‘DegreeCentrality’. As mentioned above, the structural
parser will indicate if there is a potential conflict between the selected algorithms. Algorithm
settings, both general and specific, are accessed by clicking on the ‘options’ button shown in
Figure 11.26 (left). Selected parts of the node removal window are shown in Figure 11.27. Specific
visual symbols can be added and edited; in the case of node removal, visual symbols are associated
with the different ‘what if’ questions.
The ‘what if’ question editor is shown in Figure 14.7, with the settings for the following
question: “what if individuals who didn’t interact directly before the node removal start to interact
afterwards?”. In order to visualize the links that match the ‘what if’ question constraints, the
question has been set up as follows: the question is focused on Relation entities (links), and will
run computations between all combinations of connected nodes (individuals) in the given criminal
network. The before constraint that has to be fulfilled is that path distances between individuals
should be of length greater than 1, and the post prediction constraint is that path length should
now be exactly 1. If these conditions are fulfilled, then those links will be colored red.
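The node removal steps from Section 11.2 together with the ‘what if’ question above, as an added Python sketch (not CrimeFighter Investigator's own code). The link predictor, the `origin` attribute used as algorithm hook, and the sample network are assumptions constructed for illustration; the before and after constraints are the ones stated in the text.

```python
"""Node removal with two perspectives: predicted links and degree change."""
from collections import deque
from itertools import combinations


def distances(adj, src):
    """Breadth-first path distances from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return dist


def remove_node(adj, node):
    """Step 4: copy of the network without the node and all associated links."""
    return {n: nbrs - {node} for n, nbrs in adj.items() if n != node}


def predict_links(adj, former_neighbours, attrs, hook):
    """Step 5, sample predictor (an assumption): a former neighbour of the
    removed node links to any remaining, unlinked node with the same hook value."""
    predicted = set()
    for u in former_neighbours:
        for v in adj:
            if v != u and v not in adj[u] and attrs[u][hook] == attrs[v][hook]:
                predicted.add(frozenset((u, v)))
    return predicted


def node_removal(adj, attrs, node, hook):
    """Run steps 4 to 6 and the 'what if' question; return the step 8 report."""
    before = {n: distances(adj, n) for n in adj if n != node}
    after = remove_node(adj, node)
    predicted = predict_links(after, sorted(adj[node]), attrs, hook)
    for link in predicted:
        u, v = tuple(link)
        after[u].add(v)
        after[v].add(u)
    # 'What if' question: connected pairs whose path distance was greater
    # than 1 before the removal and is exactly 1 after the prediction.
    what_if = []
    for u, v in combinations(sorted(after), 2):
        d_before = before[u].get(v)  # None: the pair was not connected before
        if d_before is not None and d_before > 1 and v in after[u]:
            what_if.append((u, v))
    return {
        "removed": node,
        "settings": {"hook": hook, "before": "distance > 1", "after": "distance == 1"},
        "removed_links": len(adj[node]),
        "predicted": sorted(tuple(sorted(link)) for link in predicted),
        "what_if": what_if,
        # Step 6: change in degree for every remaining node.
        "degree_change": {n: len(after[n]) - len(adj[n]) for n in sorted(after)},
        # Step 7: candidate network the investigator may append or discard.
        "candidate_network": after,
    }


def build(nodes, links):
    adj = {n: set() for n in nodes}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


# Constructed sample network: H is the node selected for removal; G is isolated.
NODES = ["H", "A", "B", "C", "D", "E", "G"]
LINKS = [("H", "A"), ("H", "B"), ("H", "C"), ("A", "D"), ("B", "E")]
ATTRS = {"H": {"origin": "north"}, "A": {"origin": "north"}, "B": {"origin": "north"},
         "C": {"origin": "south"}, "D": {"origin": "south"}, "E": {"origin": "north"},
         "G": {"origin": "north"}}
NETWORK = build(NODES, LINKS)

if __name__ == "__main__":
    report = node_removal(NETWORK, ATTRS, "H", "origin")
    for key in ("removed", "removed_links", "predicted", "what_if", "degree_change"):
        print(f"{key}: {report[key]}")
```

The links predicted towards G do not match the question, because G was not connected to anyone before the removal and so has no "before" path distance.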
grouping the space-level events into the steps telling the story. This will allow the investigator to
disseminate only the most important points to the customer (see Chapter 12 on dissemination).
Simply replaying all the space-level events could be very confusing to the customer, if there are
many.
Reasoning can be done using the issue-based argumentation feature of CrimeFighter Investigator.
The example presented in Figure 11.29 is based on what is known 60 hours into the Daniel Pearl
investigation, when the team receives an email from a colleague at the Wall Street Journal London
bureau, which the bureau received from Andrea Gerlin of the Philadelphia Inquirer. Attached to
the email is an article from the January 24 Independent, profiling a shadowy character suspected
of having bankrolled the 9/11 attacks, Omar Saeed Sheikh. But what disturbs Andrea is that
“Omar has a particular specialty: he kidnaps Westerners”. However, the team finds nothing
linking Omar to Daniel’s disappearance (besides this specialty), and given the current state of the
issue chart where a lot more ‘Pro’-arrows (i.e., supporting arguments) are pointing towards Gilani
(the person that Daniel was supposed to meet on the evening of his kidnapping).
Reasoning can be attached to any entity in the criminal network. A small hexagon icon with the
text “IPA” is used to show that reasoning is attached, and clicking the icon opens the issue-based
argumentation view. Reasoning can be used for several purposes: (1) to capture and visualize
disagreement in an analysis situation, ensuring that all positions and arguments are heard; (2) to
reason argumentatively during storytelling (e.g., a senior police officer is creating a briefing based
on an investigation); and (3) to create and explore (competing) hypotheses. According to the IBIS
model [47], we have adopted the following predefined relations: is-suggested-by (←), responds-to
(→), supports (+), objects-to (−), questions (?), and generalizes or specializes (
). The relation
direction can be both ways in all cases. These predefined relations aid the investigative team in
controlling the mapping of their dialog about issues, positions, and arguments.
Figure 11.29: CrimeFighter Investigator - Issue-based argumentation view from the Daniel Pearl
investigation.
The predict covert network structure algorithm works computationally like the predict missing
links algorithm, the main difference being the inclusion of individuals in the (Bayesian) evidence,
not already in the criminal network.
Figure 11.30: CrimeFighter Investigator rule editor for creating and updating rules.
In the following example, we describe CrimeFighter Investigator support of the Bayesian inference
method described in [183]. As discussed in analysis, the network nodes and attributes used in
this example are inspired by the Greek criminal network November 17 (see [183] for more details).
The major steps involved in the calculation are shown in Algorithm 1 and the network we predict
missing links for, is shown in Figure 11.31. The network has six nodes and seven (positive) links.
Part of the customization of this algorithm (see Section 11.3.2) is to select the entity attributes
(algorithm hooks) for the prediction algorithm. Only enumerated attributes are accepted as
algorithm hooks, i.e., name is not eligible since it can have basically any value.
The first step of the algorithm (line 1), is to calculate the contingency table for each of the selected
algorithm hooks. We will explain how to calculate the contingency table for a role hook which
can have one of two enumerated values: leader (L) or operational (O). The faction can have one
of three enumerated values (G, S, or K), each named after an individual within that respective
faction. The contingency table records the relation between positive and negative links in the gold
standard (purple nodes in Figure 11.31).
The second step is to calculate the products of different hook relations if more than one hook is
added to the inference. Only the products above a cut-off value of 2,14 are included. The cut-off
value is calculated as the total possible links in the gold standard divided by the existing links
(see line 2):
L−L × G−S = 3,00 × 1,14 = 3,42
L−L × S−K = 3,00 × 3,43 = 10,29
O−L × S−K = 0,75 × 3,43 = 2,57
O−O × S−K = 0,75 × 3,43 = 2,57
The third step is the actual prediction of missing links based on the likelihood products calculated
above together with the likelihoods for individual algorithm hooks (line 3). The second input to
the prediction of links is the evidence, that is the attributes and their values for all individuals
in the network. If we chose to apply the predict covert network structure algorithm then the
evidence could also be information about individuals not in the network. These individuals would
be added if a link (relation) to them is predicted from within the gold standard network. From
the likelihoods we see that L − L and S − K relations are above the cut-off value, together with
the products mentioned under the second step above. We see that entities sharing both L − L and
S − K relations are especially likely to be connected, hence the thicker red line between C and H
in Figure 11.31.
The fourth step is a simple clean-up function which will remove those links already in the network
prior to the prediction, leaving only new (missing) links (line 4).
The result of a missing links prediction on a sampled version of 20 individuals from the al-Qaeda
network is shown in Figure 11.32. The investigator can decide to append the predictions to the
network or simply discard them.
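The four steps above, as an added example (not CrimeFighter Investigator's code and not the network of Figure 11.31): the six-person network is constructed, and the likelihood of a hook relation is assumed to be the ratio P(relation | link) / P(relation | no link), with the hook likelihoods multiplied into one score per pair.

```python
from collections import Counter
from itertools import combinations

# Constructed gold standard (not the network of Figure 11.31): six individuals
# with two enumerated hooks, role (L/O) and faction (G/S/K), and seven links.
PEOPLE = {
    "A": {"role": "L", "faction": "G"},
    "B": {"role": "L", "faction": "S"},
    "C": {"role": "L", "faction": "K"},
    "D": {"role": "O", "faction": "S"},
    "E": {"role": "O", "faction": "K"},
    "F": {"role": "O", "faction": "G"},
}
LINKS = {frozenset(l) for l in ("AB", "AC", "AF", "BD", "BE", "CD", "DE")}


def relation(people, a, b, hook):
    """Unordered hook relation of a pair, e.g. ('L', 'O') for leader-operational."""
    return tuple(sorted((people[a][hook], people[b][hook])))


def contingency(people, links, hook):
    """Step 1: count each hook relation among positive and negative links."""
    pos, neg = Counter(), Counter()
    for a, b in combinations(sorted(people), 2):
        table = pos if frozenset((a, b)) in links else neg
        table[relation(people, a, b, hook)] += 1
    return pos, neg


def likelihoods(people, links, hook):
    """Assumed form of the likelihood: P(relation | link) / P(relation | no link)."""
    pos, neg = contingency(people, links, hook)
    n_pos, n_neg = sum(pos.values()), sum(neg.values())
    table = {}
    for rel in set(pos) | set(neg):
        if pos[rel] == 0:
            table[rel] = 0.0                 # relation only seen without a link
        elif neg[rel] == 0:
            table[rel] = float("inf")        # relation only seen with a link
        else:
            table[rel] = (pos[rel] / n_pos) / (neg[rel] / n_neg)
    return table


def cutoff(people, links):
    """Step 2 threshold: total possible links divided by existing links."""
    if not links:
        raise ValueError("the gold standard needs at least one link")
    n = len(people)
    return (n * (n - 1) / 2) / len(links)


def score(people, tables, a, b):
    """Product of the likelihoods of every selected hook for one pair."""
    product = 1.0
    for hook, table in tables.items():
        value = table.get(relation(people, a, b, hook), 0.0)
        if value == 0.0:
            return 0.0                       # avoids 0 * inf = nan
        product *= value
    return product


def predict_missing_links(people, links, hooks):
    """Steps 1-4: score all pairs, keep those above the cut-off, drop known links."""
    tables = {hook: likelihoods(people, links, hook) for hook in hooks}
    threshold = cutoff(people, links)
    above = {}
    for a, b in combinations(sorted(people), 2):
        s = score(people, tables, a, b)
        if s > threshold:                    # step 3: likely link
            above[frozenset((a, b))] = s
    # Step 4: clean-up, leaving only links not already in the network.
    predicted = {pair: s for pair, s in above.items() if pair not in links}
    return predicted, above


if __name__ == "__main__":
    predicted, above = predict_missing_links(PEOPLE, LINKS, ["role", "faction"])
    print("cut-off:", round(cutoff(PEOPLE, LINKS), 2))
    for pair, s in predicted.items():
        print("missing link:", "-".join(sorted(pair)), round(s, 2))
```

On this constructed data B-C is the only new link: B-E and C-D also score above the cut-off but are already in the network, which is what the step 4 clean-up removes.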
Figure 11.32: The result of a missing links prediction on a sampled version of 20 individuals from
al-Qaeda central staff [188]. Blue solid lines are true positives while green dashed lines indicate
false positives.
Figure 11.33: Betweenness centrality for the individuals in Figure 11.32, with 4 added links (thick
blue).
The betweenness algorithm starts by creating a set of all entity pairs in the criminal network (line
1). Then the shortest path between each pair of entities is calculated (line 2). For each entity pair,
we determine the fraction of shortest paths that pass through each entity on those paths (line 3).
The betweenness of each entity is the sum of all these fractions across the entire network. The
results are bubble sorted, for example with the highest centrality first, before they are presented
to the user (line 4).
The betweenness centralities of a sampled version of 20 individuals from Sageman’s al-Qaeda
network [188] are shown in Figure 11.33. The investigator has decided to append the predicted
links shown in Figure 11.32 to the network before calculating the centralities.
CHAPTER 12
Dissemination
Dissemination tasks help the criminal network investigators to formulate their accumulated knowl-
edge for the customer. As previously mentioned, dissemination has not received the same amount
of attention as synthesis and sense-making.
The remainder of this chapter is organized as follows: analysis (Section 12.1) and design (Section
12.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 12.3) is
explained below.
12.1 Analysis
Based on cases and observations of criminal network dissemination, contact with experienced
end-users from various investigation communities, examination of existing tools supporting dis-
semination of criminal network investigations or parts thereof, and our own ideas for dissemination
support, we maintain a list of dissemination tasks.
12.1.1 Storytelling
Investigators ultimately “tell stories” in their presentations when disseminating their results. Or-
ganizing evidence by events and source documents are important tasks, so that the story behind
the evidence can be represented. Storytelling can be useful for different purposes such as briefings,
learning, and training.
Report generation involves graphics, complete reports, subspaces, etc. Being able to produce
reports fast is important in relation to time-critical environments and frequent briefing summaries.
It will be necessary to support the generation of reports for complete investigations, algorithms,
and sense-making work flows.
Figure 12.1: Mock-up showing algorithm report elements, that can be dragged to report template
(right).
12.2 Designs
Our designs for story telling and report generation are outlined below.
12.2.1 Storytelling
Storytelling is based on versioning concepts and the history component, which we presented a
design for in Chapter 8. The intended support for storytelling is an editor of history events inspired
by the one supported by visual knowledge builder (VKB) [198], a spatial hypertext system. Once
the history events have been edited, the story can be told using navigable history.
12.3.1 Storytelling
Storytelling is done using the History Editor (Figure 12.2). The granularity of system level history
events is often too fine grained for telling a story. The history editor allows the investigators to
group history events that are relevant for the story individually, but when grouped together they
explain one important step of the investigation. The investigators can delete events (if an entity
was created by mistake and then deleted), they can annotate events or groups of events if they feel
that the system generated description is not sufficient, and finally events can be moved up and
down in order to match a time line of events (a person’s association with a group in a criminal
network investigation can easily be different from when that person became associated with the
group in real time).
CHAPTER 12. DISSEMINATION 12.3. CRIMEFIGHTER INVESTIGATOR
CHAPTER 13
Cooperation
They begin to order the network. They have stepped out of normality
and into the exciting world of counterterrorism.
Television and terror: conflicting times and the crisis of news discourse [94]
Cooperation is a natural part of investigations. Cooperation leads to better synthesis and sense-
making that is informed by more perspectives. Sharing of the target model among criminal network
investigators is the starting point for such cooperation, and is possible with the current setup. But
for further support, the CrimeFighter toolbox knowledge base mentioned in Section 1.4 will be key
to cooperation support. Assuming that such a knowledge base is in place, we will analyze the
cooperation tasks defined in Chapter 7.
13.1 Analysis
Sharing of the target model among collaborating criminal network investigators or colleagues
in other organizations, who might be interested in the particular target or entities related to
it, is the starting point of cooperation. Sharing work flows, like sense-making work flows and
custom algorithms, or mining work flow patterns from the previous use of intelligence information
(history), would lead to shared knowledge and potentially also cooperation. The discovery of
emergent collaboration, would help the coordination of resources by putting investigators analyzing
similar or the same entities in touch with each other. Such cooperation requires support of a
common knowledge base (see Figure 13.1).
Investigators often share their findings with colleagues or other organizations (agencies, services, or
departments), who might have an interest in the findings. Prior to the terrorist attacks on Norway
22/7 (2011), the Norwegian customs directorate and the postal service had shared findings related
to, what they found to be, suspicious purchases of chemicals in Poland. They forwarded their email
correspondence to the liaison at the Norwegian police security service (PST), who unfortunately
took a long time to assign that particular lead to a specific section [153]. Based on the interroga-
tions of the Iraqi defector Curveball, information was shared between many agencies, services, and
departments, but the original information was not shared, only selected parts, translations, and
interpretations [59]. Finally, in criminal network investigation environments, work flow sharing often
occurs in the sense that experienced investigators might educate less experienced investigators
on how to do certain work [204].
13.2. CRIMEFIGHTER INVESTIGATOR CHAPTER 13. COOPERATION
Figure 13.1: Supporting cooperation by sharing the information space (criminal network) (left) or
sharing work flows, e.g. sense-making work flows such as node removal (right), and discovery of
emerging collaboration based on a common knowledge base (middle).
We did not find specific examples of emerging collaboration notifications within the same organi-
zation (agency, service, or department), places where it would be reasonable to have established
a common knowledge base, like the one described for the CrimeFighter toolbox in Section 1.4.
The examples described above for sharing of findings and work, could to a certain degree be con-
sidered emerging collaboration. To establish tool support, it would be necessary to define the
levels of awareness and notifications, i.e. how fine grained notifications do we want to send to the
investigators. If too many notifications are sent out, it might become an annoying feature for the
investigators and there could be a risk they would turn it off. If too few notifications are sent,
important emergent collaborations could be missed. Emergent collaboration notifications might be
a way to break down the wall of secrecy discussed throughout this dissertation. If an investigator
receives a notification that a colleague in a different section of the secret service is actually
investigating the same individuals, but has some other information as well, the investigator might
be more willing to approach the colleague to start a collaboration, rather than asking around at
meetings or conferences whether anybody else is looking at the same things.
CHAPTER 14
In this chapter, we demonstrate that the premise for testing (evaluating) our main hypothesis (i.e.,
a software tool “that is useful for criminal network investigators in their work”) is in place. In
Chapters 9 to 13 we focused on support of individual criminal network investigation tasks. Here
we describe three deployments of CrimeFighter Investigator supporting a specific work flow. We
define a work flow to be a process that involves multiple criminal network investigation tasks,
processes, and techniques (but not all of them). Our descriptions of work flow support are based
on relevant criminal network investigation scenarios, sometimes using mock-up figures indicating
how we suggest the implementation of the intended feature. This could indicate a need to place it
in design sections of previous process chapters. However, we find it is necessary to first describe
the intended work flow, to be able to find out how to design experiments that could be used to
evaluate the individual tasks within each work flow.
We have deployed CrimeFighter Investigator in the following work flow settings: An example of
adaptive modeling of Omar Saeed Sheikh and his kidnapping network is given in Section 14.1. A
complete work flow for how to apply the implemented node removal algorithm to a criminal network
is given in Section 14.2. Finally, we demonstrate the deployment of CrimeFighter Investigator
in a setting where a team of investigators are interested to know whether domestic (Danish)
fundamental Islamists are linked up with global al-Qaeda and affiliated movements (see Section
14.3). Section 14.4 summarizes the conclusions and suggestions of future work that the deployment
sections have introduced.
14.1. ADAPTIVE MODELING CHAPTER 14. WORK FLOW SUPPORT
Figure 14.1: Omar Saeed Shaikh and four of the cells involved in the kidnapping and murder of
Daniel Pearl. Nomani et al. (2011) describe two more cells, responsible for distributing the murder
video and baiting Pearl [227].
The entrepreneur is the crucial profile; he is the person who makes things happen. No jihadist
cell forms without him. The entrepreneur has an “activist mindset”, being driven by ideas rather
than personal grievances. He is interested in and committed to social issues and politics, he
demands respect from his surroundings and he has a strong sense of justice. Table 14.1 shows
biographical and relational characteristics of the entrepreneur profile that we have found most
suitable for modeling. As our understanding of the modeling technique is further developed we
believe more complex relational and biographical characteristics could be added.
The ‘Links to’ column indicates where information about this characteristic could be found, e.g.
deciding whether or not a person is a senior compared to the other operatives of a terrorist cell
would be based on a comparison of age. The ‘Bio/rel’ column indicates the nature of the profile
characteristic: Is it relational, biographical or a combination? This classification can be quite
ambiguous, since, e.g., a person’s record of failed ambitions (characteristic #3) would be related
to projects he or she failed to succeed with, but in terms of an ongoing investigation it would be
background information, hence biographical information (e.g., “the individual had the role of [role]
in project [project], back in [year]”). That being said, considering our network approach, other
persons associated with those past projects could very well be playing a key role in the current
investigation as well, but if the link charts of those projects do not exist, the incident reports
would be of a biographical nature. Finally, the ‘Rule input’ column indicates the type of the rule
parameters used to search for the information indicated in the ‘Links To’ column (see Section
14.1.2 for rule examples). When the profile characteristic is of a relational nature, we could argue
that the rule parameter type would be an information element (e.g., a person or a group) to allow
for more sophisticated rules. But to keep things simple we have decided to use text strings as the
most advanced input parameter type for rules.
The protégé profile appears to hold a special position vis-à-vis the cell leader (i.e. the
entrepreneur). The protégé is someone the leader respects and trusts with important tasks. He
admires and looks up to the leader. The presence of such a character in the cell tells us something
about the sophistication of the entrepreneur and the ideology that he offers his young accom-
plices. It means that jihadism appeals to highly intelligent, socially skilled and well-off people,
social segments that, according to rational choice arguments, would have much to lose by engag-
ing in terrorist activity. The misfit is someone who performs less well socially, and often has
a troubled background as well as a criminal record. He differs from the entrepreneur and the
protégé because he is not an idealist, appearing to have a somehow “weaker” and more hesitant
personality. The drifter is not a clear-cut profile. He tends to be someone who is ‘going with the
flow’ rather unconsciously. He does not appear to be very ideologically committed when he joins
the jihadist group. He becomes part of the cell by being in the wrong place at the wrong time, or
having social ties with the wrong people. Since drifter characteristics are not easy to define, we
have decided to exclude this profile from further modeling considerations, except for the possible
relation with the misfit profile.
As mentioned above, it is relation rules that glue together the information elements (and each
information element’s rules) to form criminal network structures. The rules representing Nesser’s
structure of profiles as modeled using CrimeFighter Investigator are reviewed in the next sec-
tion. Our rule design is described in Section 11.2.3 and the CrimeFighter Investigator rule editor
approach to creating the rules is discussed in Section 11.3.6.
relation between the entrepreneur and the protégé is symbolized by a thicker line. Based on the
number of relations it is actually not possible to say who is the cell leader and who are the foot
soldiers; it can, however, be deduced from the profile names.
We have listed the relations found suitable, in terms of the abstractions embedded in our current
rule design (see Section 11.2.3), to be described using relation rules in Figure 14.4 (disregarding
relation 4 between the misfit and the drifter). We found seven relations to be suitable for modeling.
And only the ‘recruited’ relations would have the potential to distinguish any average group of
friends from the jihadist terrorist cells described by Nesser.
In order to make such a differentiation it is clear that the relation rules must be combined with
information element rules describing the individual profiles of the model. A set of information
element rules, corresponding to the 10 characteristics of the entrepreneur listed in Table 14.1 are
shown in Figure 14.5.
Figure 14.3: Nesser’s jihadist cell structure modeled using CrimeFighter Investigator (screen shot
from early version of tool).
Figure 14.4: (semi-mockup) CrimeFighter Investigator with Nesser model relation rules.
Figure 14.6: Mapping part of the entrepreneur profile to Omar Saaed Shaikh.
entrepreneur profile in this case would be a matter of deleting the rules associated with these four
characteristics, and potentially add new ones. But again, during a real investigation these changes
would not have been made before this “new trend” had occurred in more cases.
14.1.4 Discussion
Our first deployment demonstrated difficulties with modeling some characteristics, initially thought
to be suitable for modeling. It became clear that a lot of the rule complexity was embedded in the
operator part of rules, when attempting to describe more complex relational or biographical char-
acteristics. However the complexity could be decreased by dividing profile characteristics into a
number of sub-characteristics and then describe each of these using the rules. Another option
would be to allow for a combination of multiple boolean and text string operators within one
single rule. But that would go against the system requirement stating that the building blocks of
rules should be based on natural language, as we expect more math-based rules would be created,
if multiple operators are supported for rules. The rules would over time become interpretable only
by the investigator who initially created them, not adhering to the principles of simplicity and
transparency (human factors #2 and human factors #3).
Since rules are associated with specific characteristics and relations they can be adapted independently
without affecting the remaining part of a model. The separation of rules and target-model
synthesis is convenient as they can then be developed independently, but in the shared information
space. A single rule (or a set of rules) can be updated or deleted using the CrimeFighter Investi-
gator rule editor (see Section 11.3.6). And new rules can be added using the same rule editor, if
new profile characteristics or relations are discovered.
1. We have described first results with converting textual descriptions of terrorist profiles into
computerized models based on relational and biographical characteristics. We have visual-
ized how relation rules can be used to glue the terrorist profiles together to form network
structures which can be processed by computer algorithms.
2. We have demonstrated support of 2 steps out of 3, for an adaptive modeling work flow:
(1) acquiring a model and (2) adapting the model. Application of the model to a criminal
network for analysis (step 3), is still not implemented, and will be the subject of future work.
We plan to investigate the following topics in relation to the further development of CrimeFighter
Investigator support for adaptive modeling work flows:
1. Proper test data. In order to appropriately evaluate the usefulness of rule-based criminal
network analysis, we need proper test data. It would be highly relevant to follow ongoing
investigations, and create models of expected targets and emerging cells based on previous
cases as well as the investigation team’s experience and ideas.
2. Extending rule-based criminal network analysis with weights. The concept of rule-
based terrorist network analysis could be improved on a number of parameters. First of
all, in order to determine more accurately whether or not a relation exists, it is necessary
to have individual rule weights. When editing and creating rules in the relation rule editor
visual weights should be applied (similar to adjusting the thickness of relations, depending
on how important, specific, verified the relation is). A semantic weight could also be added
in terms of a number (e.g. 1-10). Rule weights should be used to indicate the importance
of each individual rule in terms of deciding whether or not the relation (as described by the
rules) exists or not.
4. Missing model structure detection. The described rule format can be used to model
relational and biographical characteristics of profiles. CrimeFighter Investigator implements
a structural parser that can handle the comparison of the rules with a criminal network,
but the options are many. If for example 75% of a criminal network cell model is matched
with some criminal network information by the structural parser, then it could be useful to
inform the investigator about this. We imagine using a visual approach, where the already
confirmed information elements and relations are shown in their normal colors, and the
missing parts would be shown using for example a gray color. It would then be possible for
the investigator to determine whether or not this could be a forming criminal network cell,
and if it is, what individuals (according to profiles) are still missing from the cell.
CHAPTER 14. WORK FLOW SUPPORT 14.2. NODE REMOVAL
We review this theory here, as it is important for understanding the aspects involved in the work
flow. As a consequence of the complexity of criminal networks, investigators need more than one
perspective to assist them when asking ’what if’ questions about the probable secondary effects
of removing a node from a criminal network. Many analysis measures and techniques can provide
such relevant perspectives, including:
Network node and link measures [240,245,248] are used to analyze and make sense of criminal
networks. Standard social network centrality measures are useful for node analysis of complete
static social networks and can indicate the importance of individual nodes in the network. Social
network measures include degree, closeness, betweenness, and eigenvector centrality (see Section
5.9 for more details). Eigenvector centrality is particularly interesting in the context of this work
flow, since a node is considered central to the extent that the node is connected to other nodes
that are central (i.e., high degree centrality). For link analysis, measures such as link betweenness
and link importance have been suggested. Link importance measures how important a particular
link is in a criminal network by measuring how the removal of the link will affect the performance
of the network.
Prediction techniques [40, 182–184] include extrapolation, projection, and forecasting based
on past and current states of a criminal network. These three predictive techniques follow the
approach of assessing forces that act on an entity. The value of prediction lies in the assessment
of the forces that will shape future events and the state of the criminal network. An extrapolation
assumes that those forces do not change between the present and future states; a projection
assumes that they do change; and a forecast assumes that they change and that new forces
are added. Bayesian inference is a (forecasting) prediction technique based on meta data about
individuals in criminal networks. A statistical procedure that is based on Bayes’ theorem can be
used to infer the presence of missing links in networks (see Section 11.3.7 for more details). The
process of inferring is based on a comparison of the evidence gathered by investigators against a
known sample of positive (and negative) links in the network, where positive links are those links
that connect any two individuals in the network whereas negative links are simply the absence of
a link. The objective is often to assess where links may be present that have not been captured
in the collected and processed criminal network information.
Destabilization criteria [35,36] are established by investigators to have a measure of the success
or failure of an operation involving destabilization. Criteria include ’the rate of information flow
through the network has been reduced (perhaps to zero)’, ’the network, as a decision making
body, cannot reach a consensus’, and ’the ability of the network to accomplish tasks is impaired’.
These destabilization criteria could provide useful perspectives on the secondary effects of node
removal. Although they seem eligible for framing as ’what if’ questions, we have focused on
analysis measures and prediction techniques in this work.
In this section, we describe a CrimeFighter Investigator usage-scenario following the steps pre-
sented in Section 11.2.1. The ‘what if’-question the investigators want to follow in this scenario is:
“what if individuals who didn’t interact directly before the node removal start to interact afterwards?”
(step 1). The ‘what if’ question editor setting for this question is shown in Figure 14.7. In
order to visualize the links matching the ‘what if’ question constraints described above, we set up
the question as follows: the question is focused on relation entities (links), and will run compu-
tations between all combinations of connected nodes (individuals) in the given criminal network.
The before constraint that has to be fulfilled is that path distances between individuals should
be of length greater than 1 and the post prediction constraint is that path-length should now be
exactly 1. If these conditions are fulfilled then those links will be colored red. For testing purposes
we have inserted a second ‘what if’ question asking the algorithm to color the true-positive links
green, i.e., links occurring in the full N17 network but not in the sampled N17 network currently
being investigated.
The investigators are prompted to select which nodes (individuals) they find relevant for the node
removal (step 2). They have three choices: include all nodes, select the nodes individually by
clicking on individuals, or drag a square to select a subset of nodes (useful if the criminal network
is large with many nodes). Then the investigator is requested to select the node to remove (step
3). We base this decision solely on degree centrality within the partially observed N17 network
as shown in Figure 14.9; we choose Pavlos Serifis, since he is observed to have the highest degree
centrality (Table 14.4, second column). In reality, more analytical techniques are needed to make
a decision about a network’s vulnerabilities [35, 36]. After the removal of Pavlos Serifis and his
links (step 4) the updated degree centralities are as described in Table 14.4 (third column).
The node removal algorithm starts predicting missing links [183] based on the new network
structure following the node removal (step 5). The likelihood of a link being present between all pairs
in the network is calculated based on the attribute data of the remaining individuals. Links whose
likelihood is higher than a pre-determined likelihood level (calculated from the product of individual
attribute likelihoods) are accepted as representing predictions of new links [183]. Constraints on how
to visualize the predicted links are used to emphasize paths previously reaching the leadership
figures through Pavlos Serifis, and predicted links not directly related to the removal of Pavlos
Serifis. The evidence that the inferences are based on includes all the individuals in the sampled
network as well as other individuals that the investigators might think could be related to N17,
but are not sure how, or to whom specifically, they are related.
When the predicted links are shown, the investigators will evaluate whether or not this was a
useful result. The evaluation is based on the change in degree centralities (step 6) and their
general observation of changes. The investigators are prompted to either append the predicted
links to the network or simply discard the results as shown in Figure 14.8 (step 7). If satisfied
with the result, the investigators can retrieve a pdf report from the system, as documentation of their
work and as background for dissemination of the results (step 8).
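The ‘what if’ node removal steps above, sketched as an added example (this is not CrimeFighter Investigator code). The network, attribute values, per-attribute likelihoods and acceptance level are constructed, and the match/mismatch likelihood product is an assumed, simplified stand-in for the missing links algorithm of [183].

```python
from collections import deque
from itertools import combinations
from math import prod

# Constructed sample data (not the N17 network). SAMPLED is the partially observed
# network; FULL also holds the link hidden by sampling and is used only to flag
# true positives, like the second 'what if' question in the text.
SAMPLED = {("G", "L1"), ("G", "L2"), ("G", "O1"), ("G", "O2"), ("L1", "L2"), ("O2", "O3")}
FULL = SAMPLED | {("O1", "O3")}
ATTRS = {
    "G":  {"faction": "founders", "role": "leader",      "district": "south"},
    "L1": {"faction": "founders", "role": "leader",      "district": "north"},
    "L2": {"faction": "founders", "role": "leader",      "district": "south"},
    "O1": {"faction": "founders", "role": "operational", "district": "north"},
    "O2": {"faction": "splinter", "role": "operational", "district": "south"},
    "O3": {"faction": "founders", "role": "operational", "district": "north"},
}
# Assumed (match, mismatch) likelihood per attribute, and assumed acceptance level.
LIKELIHOOD = {"faction": (0.9, 0.4), "role": (0.8, 0.5), "district": (0.7, 0.6)}
THRESHOLD = 0.3


def norm(a, b):
    """Undirected link as a sorted tuple."""
    return tuple(sorted((a, b)))


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def degree_centrality(links, nodes):
    """Raw link count per node (isolated nodes get 0)."""
    adj = adjacency(links)
    return {n: len(adj.get(n, ())) for n in nodes}


def path_length(links, src, dst):
    """Shortest path length by breadth-first search, or None if unreachable."""
    adj = adjacency(links)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def link_likelihood(a, b):
    """Product of the individual attribute likelihoods for the pair (a, b)."""
    return prod(LIKELIHOOD[k][0] if ATTRS[a][k] == ATTRS[b][k] else LIKELIHOOD[k][1]
                for k in LIKELIHOOD)


def what_if_remove(sampled=SAMPLED, full=FULL):
    links = {norm(*l) for l in sampled}
    full = {norm(*l) for l in full}
    nodes = sorted({n for l in links for n in l})            # step 2: include all nodes
    before = degree_centrality(links, nodes)
    removed = max(nodes, key=before.get)                     # step 3: highest degree
    remaining = {l for l in links if removed not in l}       # step 4: drop node and links
    rest = [n for n in nodes if n != removed]
    predicted = {}
    for a, b in combinations(rest, 2):                       # step 5: predict links
        if (a, b) in remaining:
            continue
        p = link_likelihood(a, b)
        if p <= THRESHOLD:
            continue
        d_before = path_length(links, a, b)                  # before constraint: > 1
        d_after = path_length(remaining | {(a, b)}, a, b)    # post constraint: == 1
        predicted[(a, b)] = {
            "likelihood": round(p, 3),
            "red": d_before is not None and d_before > 1 and d_after == 1,
            "via_removed": norm(a, removed) in links and norm(b, removed) in links,
            "true_positive": (a, b) in full,                 # 'green' test question
        }
    # step 6: centralities as they would be if the predictions were appended (step 7)
    after = degree_centrality(remaining | set(predicted), rest)
    return {"removed": removed, "before": before, "predicted": predicted, "after": after}


if __name__ == "__main__":
    result = what_if_remove()
    print("removed:", result["removed"])
    for link, info in sorted(result["predicted"].items()):
        print(link, info)
    print("degree after:", result["after"])
```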
To demonstrate the implementation of the developed algorithm, we use a criminal network of the
(believed defunct) Greek terrorist group November 17 (N17) that was derived from open source
reporting [112]. The N17 group was a small close-knit organization of 22 individuals with 63
links out of a potential 231 links. There were three main factions within the organization: the 1st
Generation Founders faction, the Sardanopoulos faction, and the Koufontinas faction. The links
of the dataset indicate that open source reporting has demonstrated some connection between the
two individuals at some point in the past, but no specific weightings of the links are indicated.
We use a sampled version of the N17 network in which 50 percent of the links are removed (Figure
14.9). Relevant hindsight about N17 is that Nikitas, Alexandros Giotopoulos, and Anna were
leaders and key individuals within the 1st Generation Founders faction. We want to test if indi-
viduals connected to key individuals through one or more go-betweens will be directly connected
after removal of the go-between node(s). Figure 14.9 shows three individuals indirectly connected
with the three key leaders.
The attribute data for each individual is presented in [184]; the missing links algorithm [183] has
been extended by the addition of a degree centrality attribute. This additional attribute is a
measure of how many links each individual node in the network has. Individuals are classified
according to their level of degree centrality (high, medium, or low).
Results
The removal of Pavlos Serifis from the partially observed N17 network resulted in the criminal
network shown in Figure 14.8. Red lines indicate predicted links that previously were indirect
(length 2), with Pavlos Serifis as the go-between. In this case only two of them are present in
the complete N17 network (see [184]) and could indicate a change in the network structure where
Anna plays a more important role: Anna is now directly connected with five additional individuals
(L = leader, O = operational): Nikitas (L), Dimitris Koufontinas (L), Christodoulos Xiros (L),
Figure 14.8: Secondary effects and new degree centralities caused by the removal of Pavlos Serifis
from the N17 network.
Constantinos Karatsolis (O) and Sardanopoulos (L). Constantinos Karatsolis is connected to three
more individuals: Sardanopoulos (L), Patroclos Tselentis (O), and Anna (L). Green links are true
positives according to the full N17 network and we therefore consider these links unrelated to the
removal of Pavlos Serifis. However, the true positives have an impact on the degree centrality of
the nodes they connect and they could be valuable as potential new leads.
The degree centrality of each node is displayed in the algorithm view on the right in Figure 14.8,
initially to decide which node to remove and later to show the change in degree centrality of each
node after node removal. The evolution of degree centrality for each node is shown in Table 14.4.
The red square indicates the individual with the highest degree centrality at network changing
steps of the node removal algorithm, including that of the full N17 network, from which the
sampled version used in this paper was created.
Table 14.4: Degree centrality of each node after network changing steps of the node removal
algorithm.
Generating hypotheses and possibly competing hypotheses is a core task of criminal network in-
vestigation that involves making claims and finding supporting and opposing evidence [174]. In
the presented scenario, we were interested in individuals who utilized one go-between to connect to
leadership individuals, but after removal of the go-between node they would be directly connected.
Without considering the hindsight information about the leadership individuals, we create a hy-
pothesis based on our interpretation of the centralities presented in Table 14.4 and the probable
new links in Figure 14.8.
Constantinos Karatsolis achieves the third highest centrality and inherits three of Pavlos Serifis’
previous links, significantly increasing his importance within the network; he could potentially
be upgraded from an operational member of N17 (his original role) to leadership member (maybe
inherited after Pavlos Serifis). Anna’s degree centrality changes from the second lowest (2) to the
second highest (7), and she apparently inherits four of Pavlos Serifis’ previous leadership links
as well as one inferred link to an operational individual. We conclude that Anna is part of the
highest ranking leadership individuals, as compared to the partially observed N17 network where
she might be considered a simple operational person if no other information than the criminal
network is available.
To summarize, Anna and Constantinos Karatsolis are two individuals we would subject to further
surveillance after removing Pavlos Serifis. As mentioned earlier, a decision with the severity
and impact of removing an individual will not be made based on, for example, a single centrality
measure. However, the purpose of this work was to demonstrate CrimeFighter Investigator support
of investigators asking ‘what if’ questions about node removal in criminal networks.
Discussion
A number of problems related to the current approach need to be discussed. First of all, the
N17 criminal network data is more or less complete (only three attribute values are missing).
Feedback from intelligence analysts working with ongoing investigations informs us that attribute
information is typically much sparser (see end user interviews in Section 15.2) and the overall
number of attributes is lower than for the N17 criminal network. We are making a prediction
that we currently cannot test or validate against any (open source) ground truth data. Currently,
we have no assessment of the performance of the custom node removal algorithm. Whilst the
results are plausible, and the prediction part of the algorithm has produced good results in other
contexts [183,184], a direct measure of the veracity of the node removal predictions is lacking. The
issue of scalability is particularly relevant for the open source intelligence community where larger
networks are often the consequence of web harvested data sets. Larger networks present different
challenges. The number of individuals, links between them and attributes are much larger. The
prediction algorithm is scalable, but there will be additional difficulties arising from visualizing
the results of computations on larger networks than the example in this work flow.
This work on node removal is based on bits and pieces of other work and it would be fair to ask
the following question: “What are the benefits of a node removal algorithm versus predicting new
links when analyzing criminal networks?” The main difference is the specification and management
of criminal network investigation work flows using the question editor. The custom made node
removal algorithm represents a more specialized work flow compared to the prediction algorithms.
The option to select the specific nodes that the investigator wants to include in the analysis of
secondary effects is an example of this. Furthermore, we consider the work with node removal
the first steps toward combining existing algorithms into new custom made algorithms, which is
an important criminal network investigation task assisting criminal network investigators to build
support for more specialized work flows themselves.
Link weights. Not all links are equally important, and with weights investigators could
discuss “broader theories as to the impact of culture on social relationships, and narrow
theories concerning the definitions of specific relationship indicators, like what should be
weighted more; relations based on common economy between two actors or common blood”,
as one reviewer of our node removal support noted.
Missing key players. An algorithm to predict the presence of missing key players has
been proposed by Rhodes (2011) [182]. It is planned to include this in a future version of
CrimeFighter Investigator.
Removing multiple nodes. Supporting the removal of node groups would be an inter-
esting and relevant feature. In larger networks it may be desirable to focus attention on a
larger number of specified individuals in sub-networks or communities.
Report generation. Generation of a report with all node removal results and calculations
is required to support step 8 of the proposed node removal algorithm (dissemination of
results).
Furthermore, requirements for evaluation of the node removal algorithm will also be addressed in
the future:
Scalability. In order to evaluate the relevance of this work for the open source intelligence
community, we have to test scalability of the proposed method. With its 22 nodes, the N17
network is far from the sizes that are to be expected.
Datasets. We will test node removal on more realistic versions of the N17 dataset as well as
other open-source datasets with varying attributes, size (in terms of nodes and links), and
other complexity (such as aliases, etc.).
Human-computer interface. CrimeFighter toolbox philosophy [14] and our research focus
requirements dictate that humans (investigators) must control the tools. Adhering to this
philosophy, we will improve the interface of the ‘what if’ question editor by adopting the
spatial drag-and-drop approach normally utilized by CrimeFighter Investigator.
14.3. INVESTIGATING LINKAGE CHAPTER 14. WORK FLOW SUPPORT
The AQAM data set contains elaborate metadata information on 366 individuals. It is a 2003
snapshot of AQAM and is not updated according to the time of the scenario (January 2011). The
network information was gathered from public domain sources: “documents and transcripts of legal
proceedings involving global Salafi mujahedin and their organizations, government documents,
press and scholarly articles, and Internet articles” [188]. We have included acquaintance, friend,
and post joining jihad relations, all with the same weight. In total, the AQAM network used has
999 links.
It is important to note that the vast majority of EU-wide terrorist attacks in 2010 were carried
out by traditional separatist terrorists and not violent radical Islamists [49]. More precisely, three
Islamist terrorist attacks were carried out within the European Union. However, 249 terrorist
attacks in total were reported, and of 611 arrests for terrorism-related offenses, 89 individuals
were arrested for the preparation of attacks. Islamist terrorists continue to undertake attack
planning against member states, as Europol concludes in their EU Terrorism Situation and Trend
Report 2011 [67].
Figure 14.10: (mock-up) CrimeFighter Investigator timeline view with all plots against targets
inside Denmark, Sweden, Norway, United Kingdom, and Germany from January 1, 2006, to
December 31, 2010 [236].
like-minded friends and relatives, other members for a future network cell could come from that
group of people. Mark decides to use a measure of betweenness centrality as an extra condition
for predicting links between two individuals in adjacent bridges. He thinks that if an individual
is peripheral to a network in terms of betweenness centrality, the probability of linkage from this
individual to an individual in the bridge above is low.
Mark starts creating his prediction model by first dividing the violent radical part of the DNRI
network under surveillance into three bridges. He places the relations (who are not known to be
violent radicals) of these individuals in a fourth bridge. Mark thinks there is a potential for top-
down recruitment, where violent radical Islamists could radicalize family, friends, or colleagues in
Bridge 4 because of their close ties. Mark’s classification of individuals in Bridges 1 to 3 is shown
below.
Bridge 1 contains individuals that can provide ideological approval of violent radical Is-
lamism and linkage to AQAM. Mark places known radical Islamic scholars in this bridge.
Retired violent radicals and other individuals who received operational training could provide
linkage to AQAM because of their skills or knowledge about previous operations. Established
al-Qaeda media individuals are also placed in Bridge 1.
Bridge 2 is the radical violent milieu in Denmark - self-proclaimed imams, online “celebrity
shayks” who preach violent radical Islamism, and individuals who sell radical Islamist propa-
ganda like books, magazines, CDs, and DVDs etc. Finally, self-established online recruiters
are also made members of this bridge.
Bridge 3 is by volume the largest. Individuals aspiring to become violent radical Islamists
are placed here. This aspiration may have been externalized through online expression of
desire to contribute violently. It could be individuals somehow alienated from society or
otherwise non-integrated (e.g., a group of young individuals living together or meeting in
an apartment). Bridge 3 individuals are often rather entrepreneurial in their approach.
They might be consumers of violent radical online and printed propaganda, or they might
be creating such propaganda themselves, pretending to be an established al-Qaeda media
organization.
AQAM and the four bridges in the DNRI network constitute four sub-networks each containing two
bridges: the ‘Bridge 1 → AQAM’, ‘Bridge 2 → Bridge 1’, ‘Bridge 3 → Bridge 2’, and ‘Bridge 3 →
Bridge 4’ networks. The four networks are encapsulated in collapsed composites. For each of these
sub-networks Mark defines a set of attributes he believes could enable linkage from individuals in
the lower bridge to individuals in the upper bridge:
Figure 14.12: Mark’s prediction model: the DNRI bridges with linkage and recruitment attributes
in between adjacent bridges.
Bridge 3 → Bridge 4: Mark defines key recruitment attributes from Bridge 3 to Bridge
4 to be: school, hobby, workplace, mosque, and current residence. Mark’s argument is that
the aspiring violent radical Islamists might meet and influence individuals at these places.
Mark decides to use the Oslo, London, and Denmark/Sweden networks, whose plots were thwarted
in late 2010, as the gold standard for his predictions. After feeding these networks to his predic-
tion model, he predicts missing links for each of the four sub networks, and asks CrimeFighter
Investigator to merge individuals with the same names to see if there is probable linkage which
forms networks spanning all bridges. A mock-up of predicted links between the four collapsed
bridges is shown in Figure 14.13.
Mark’s prediction model computes four cells (the second cell is shown in Figure 14.14) to have
linkage potential with AQAM. Before retrieving a pdf report with the information he has requested,
he marks the second cell as being of particular interest, since the predicted links here have the
highest likelihoods of linkage. Plus, the individuals in the network seem to have skills necessary to
carry out a small scale attack. Mark summarizes his findings in an email to his decision-making
superiors and attaches the computed pdf report.
14.3.2 Summary
Mark used his knowledge about terrorist networks in Europe to design a prediction model that
could solve the specific problem at hand. Later, he tailored existing CrimeFighter Investigator
functionality to actually apply his sense-making approach to a network of established and aspiring
violent radical Islamists living in Denmark from which future (terrorist) networks could form and
pose a threat to Danish society.
Mark’s first step towards applying his understanding of these networks was to use CrimeFighter
Investigator synthesis functionality to divide the DNRI network and related individuals into four
bridges, that he believed were actually functioning as linkage bridges. The CrimeFighter Investi-
gator tool helped Mark apply prediction to two bridges at a time, and then compare a centrality
measure of betweenness for each individual in the (possibly) transformed network and in the
original DNRI network.
To disseminate his findings according to his prediction model, Mark used the CrimeFighter
Investigator report generation feature to create documentation of relevant parts of the sense-making
process and the computed information.
Figure 14.13: (semi mock-up) CrimeFighter Investigator showing the AQAM and DNRI bridges
and predicted links between them.
Figure 14.14: (mock-up) One of the predicted network structures as shown in the report generated
based on the prediction model.
CHAPTER 14. WORK FLOW SUPPORT 14.4. SUMMARY OF DEPLOYMENTS
The novelty of the CrimeFighter Investigator approach to criminal network analysis (synthesis
and sense-making) is the underlying tailorable computational model. Tailorability was (partially)
achieved with a structural parser that provides the user with an interface to customize and com-
bine sense-making algorithms. The approach introduces transparency of the sense-making process
and ownership of the computed information. In our comparison of state-of-the-art commercial
tools and research prototypes and the models they support in Section 15.3, we find that Crime-
Fighter Investigator has better support of first class entities (conceptual model), structure domains
(structural models), and transformative and measuring algorithms (mathematical models).
Part IV
CHAPTER 15
Dr. John McKittrick: “I think we ought to take the men out of loop.”
General Beringer: “Mr. McKittrick, you are out of line Sir!”
WarGames (1983)
Look after the customer and the business will take care of itself.
Ray Kroc, founder of McDonald’s.
We have used three methods for our evaluation: the first method is capability comparisons of criminal
network investigation task support and support of conceptual, structural, and mathematical models.
The second method is interviews with potential end users providing feedback on relevance of
tasks (usability for their particular work), and the third method is measures of performance for
our developed techniques.
To understand how we have evaluated our developed processes, tools, and techniques for criminal
network investigation, it is necessary to first understand the relations between criminal network in-
vestigation challenges, our main hypothesis, the research focus requirements, the criminal network
investigation tasks, and the evaluation methods. The relation between challenges, hypothesis, and
requirements is straightforward: we chose three criminal network investigation challenges, based
on which we framed our hypothesis. For each of the three challenges we defined a set of require-
ments to guide our research - if those requirements are met, the problems associated with each
individual challenge would be met, and ultimately the impact of the related challenge on criminal
network investigation would be reduced. Now, some of our evaluation methods evaluate support
of criminal network investigation tasks and others evaluate support of research focus requirements
(explained below). We therefore need a mapping between the tasks and the requirements, since we
would like to summarize all three evaluation methods according to their support of the research
focus requirements. Our task to requirement mapping is presented in Figure 15.1, where a line
between a task and a requirement indicates that support of the task is equal to support of the
requirement. It should be noted, that support from more than one task is typically required to
achieve the desired support of the research focus requirement.
As mentioned, the evaluation methods evaluate either criminal network investigation tasks or
research focus requirements. One capability comparison focuses on support of criminal network
investigation tasks (see Section 15.3.1), and we interpret support across tasks as support of the
hypothesis (which we tested in Chapter 14). A second capability comparison evaluates support
of conceptual, structural, and mathematical models (see Section 15.3.2). The mapping between
each model and our research focus requirements is shown in Figure 15.2, where a line indicates
that support of the model is equal to support of the requirement.
Figure 15.1: Mapping research focus requirements to criminal network investigation tasks: a line between a task and a requirement indicates that
support of the task is support of the requirement.
Figure 15.2: Mapping research focus requirements to conceptual, structural, and mathematical
models: a line indicates that support of the model is support of the requirement.
End user interviews provided us with an initial qualitative evaluation of criminal network investi-
gation tasks (see Section 15.2). Measures of performance for our extension of centrality algorithms
and the transformative predict missing links algorithm evaluate research focus requirements, and
the mapping between requirements and measures of performance can be seen in Figure 15.3, where
a line indicates, that if a measure of performance is good, then it is supporting the requirement.
Our research has focused on developing new concepts for criminal network investigation, and
our methods for evaluation have been designed to evaluate those concepts. Consequently, our
software development approach has been based on “proof-of-concept” prototyping, and involved
the integration of criminal network investigation processes (primarily synthesis and sense-making)
by applying a variety of technologies, such as software systems engineering, hypertext and various
mathematical models for computational support. Because of this integration of processes, we
apply the three mentioned evaluation methods (end-user interviews, capability comparisons, and
measures of performance). But we also review the importance of post-crime data sets because they
have been our main source of evaluation data (both for synthesis and sense-making evaluation)
and we therefore found it necessary to describe their relevance as opposed to pre-crime or real-time
crime criminal networks (see Section 15.1). We present usability feedback gathered from semi-
structured interviews with a number of end-users from various criminal network investigation fields
(see Section 15.2). We have compared the capabilities of CrimeFighter Investigator with other
leading commercial tools and research prototypes for criminal network investigation (see Section
15.3). Finally, we have evaluated the sense-making algorithms using measures of performance
found relevant for the intended use of CrimeFighter Investigator (see Section 15.4).
15.1. POST-CRIME DATA AND INFORMATION CHAPTER 15. EVALUATION
Figure 15.3: Mapping research focus requirements to measures of performance. A line indicates,
that if a measure of performance is good, then it is supporting the requirement at the other end
of the line.
Figure 15.4: How post crime data and information can be used for two very different types of
evaluation, either directly for computational evaluation, or indirectly for usability testing through
the synthesis of the post crime data and information as the data and information emerged and
evolved in the criminal network investigation.
the first place? Because we use post-crime data, often referred to as data sets, for evaluation of
acquisition and algorithm based sense-making investigation tasks. These data sets are, to a certain
extent, synthesized, complete data sets. We use post-crime information about how information
structures emerged and evolved throughout the criminal network investigation for testing the
synthesis functionality of our tool. Finally, we use post-crime information about investigations for
requirement generation (i.e., criminal network investigation tasks) as well as validation (evaluation)
of requirements.
To be able to say that a tool can be used for usability testing through the synthesis of the post
crime data and information as the data and information emerged and evolved in the criminal
network investigation, we would first have to establish that synthesis is equivalent to a certain
degree to the actual real-time synthesis of criminal networks (illustrated in Figure 15.4). We
describe our first steps toward establishing this below, in Section 15.1.1.
1. Outline the chronology of events as they were revealed to the investigation team (for each
source independently).
2. Synthesize the networks as presented by each source, together with a network based on all
three sources.
15.2. END-USER INTERVIEWS CHAPTER 15. EVALUATION
We have done much of this work ourselves using CrimeFighter Investigator, but doing it in a
more structured way would allow us to draw conclusions about synthesis of post-crime criminal
networks and tool support thereof.
Figure 15.5: A snapshot of Linschoten’s investigation in Tinderbox [24]: “Taliban fronts, com-
manders and fighters in Panjwayi/Zheray during the 1980s” [134].
to see if there are any important observations that he has missed. Alex mentions that different
layout functionality would be useful for this, e.g., laying out nodes according to betweenness
centrality. Finally, if Alex exports information from Tinderbox [24] to import it into Analyst’s
Notebook [2] to create a special visualization, it is not possible to get that visualization back into
Tinderbox. The interchange of information is not facilitated both ways.
IA1: “We typically have much less data, or not so many attributes, as it was the case in
the November 17 network you presented”.
IA2: “Would it be possible to do predictions on hierarchical links (i.e., links from a space
15.3. CAPABILITY COMPARISONS CHAPTER 15. EVALUATION
IA3: “We would really like to be able to process large amounts of data and generate networks
based on that.”
IA3: “What I have seen the last five to six months, was a tool where you could link a person
to a location and say, okay this person participated in a meeting here, and this other person
was on the location in this and that time span; what is the chance that they have spoken?”
IA3: “It is a bit mischievous, but it could be interesting to import the information about 7/7
which we had back then about individuals in the milieu to see if the algorithms could predict
what would happen, that is, what individuals were involved in the planning”.
IA4: “Is it possible to collect network information from youtube and other accounts?”.
Based on this, we found it interesting that, given the current focus areas of the British Home
Office, they seemed very interested in the adaptive modeling approach, rather than the prediction
techniques presented at the meeting.
15.2.3 Summary
Besides the two usability feedback interviews described in Sections 15.2.1 and 15.2.2, we also had
unstructured interviews with Danish law enforcement police detectives, intelligence analysts, and
a financial fraud expert at the i2 end user conference in Brussels 2010. Finally, we had discussions
and talks with high-level researchers at security informatics and hypertext conferences. The end
user interviews are summarized in Figure 15.2, where it is indicated whether or not each individual
criminal network investigation task was found to be relevant for support in a tool for criminal
network investigation. The end user interviews are discussed and further summarized in Section
15.6.3.
CAPABILITY COMPARISON (support of investigative processes)
Tool                        Acquisition  Synthesis  Sense-making  Dissemination  Cooperation  Cooperation tasks
Analyst’s Notebook 8.5      3            2          1             3              2            ◦ ◦ ◦
Palantir Government 3.0     4            3          3             4              4            ◦ ◦ ◦
Xanalys Link Explorer 6.0   4            2          1             2              3            ◦ ◦ ◦
COPLINK(a)                  4            2          1             2              2            ◦ ◦ ◦
Namebase.org                0            1          1             1              0            ◦ ◦ ◦
Mindmeister                 2            4          1             2              4            ◦ ◦ ◦
Simple tools                1            3          1             1              2            ◦ ◦ ◦
Aruvi                       2            1          2             3              2            ◦ ◦ ◦
Sandbox                     2            3          2             2              3            ◦ ◦ ◦
POLESTAR                    3            2          2             1              3            ◦ ◦ ◦
CrimeFighter Investigator   2            4          4             3              2            ◦ ◦ ◦

END USER INTERVIEWS (relevance of investigative tasks)
Task                        Investigative journalism  Counterterrorism  Policing  Researchers & Industry
ACQUISITION
Acquisition methods         +                         +                 +         +
Dynamic attributes          +                         +                 +         +
Attribute mapping           +                         +                 +         +
SYNTHESIS
Entities                    −                         +                 +         +
Associations                +                         +                 +         +
Re-structuring              +                         +                 −         +
Grouping                    −                         −                 −         +
Collapsing & expanding      −                         +                 −         +
Brainstorming               +                         −                 −         +
Information types           −                         +                 +         +
Emerging attributes         −                         +                 −         +
SENSE-MAKING
Retracing the steps         −                         +                 +         −
Creating hypotheses         +                         +                 +         −
Adaptive modeling           −                         +                 −         −
Prediction                  +                         +                 −         +
Alias detection             −                         +                 −         −
Exploring perspectives      −                         +                 +         −
Decision-making             −                         −                 +         −
Social network analysis     +                         +                 +         −
Terrorist network analysis  ◦                         ◦                 ◦         ◦
DISSEMINATION
Storytelling                +                         −                 +         −
Report generation           −                         −                 +         −
COOPERATION
Shared information space    ◦                         ◦                 ◦         ◦
Emergent collaboration      ◦                         ◦                 ◦         ◦
Shared work flows           ◦                         ◦                 ◦         ◦
Capability Comparison legend - investigative processes (0: no support, 1: fragmentary support, 5: full support) investigative tasks (: supported, :
partially supported, : not supported). ◦ indicates that specific cooperation tasks were added after the capability comparison was complete.
End user interview legend indicates criminal network investigation tasks not relevant for the evaluation method. + indicates the relevance of supporting
the task for the given profession and a − indicates the opposite. ◦ means that the task was added after the interviews
Table 15.2: An overview of the capability comparison of CrimeFighter Investigator, the end user interviews, and the criminal network investigation
processes and tasks the tool was evaluated against.
a Based on a combined evaluation of the three modules COPLINK Connect, Detect, and Collaboration as well as the COPLINK criminal network analysis tool CrimeNet
CHAPTER 15. EVALUATION 15.4. MEASURES OF PERFORMANCE
POLESTAR
COPLINK
XLE 6.0*
CFI 1.0*
Sandbox
AN 8.5*
PG 3.0*
Aruvi
Conceptual model 5 7 5 2 5 7 7 8
First class information elements
First class relations
First class composites
Structural models 4 7 5 2 5 6 7 8
Navigational structure
Spatial structure
Taxonomic structure
Mathematical models 5 5 5 0 2 0 0 7
Transformative**
Measuring
Table 15.3: The authors’ assessment of computational modeling concepts *(AN = Analyst’s Notebook,
PG = Palantir Government, XLE = Xanalys Link Explorer, CFI = CrimeFighter Investigator),
**(Filtering is not included).
flow.
1. When node-link-node associations are not dominant, then semantic associations will reduce
investigation uncertainty by computation of extended centrality measures.
2. Centrality measures for criminal network entities must support empty endpoint associations
for more accurate results.
3. Support for a combination of several direct and semantic associations can be necessary when
computing centrality measures for criminal network entities.
Method
We have tested CrimeFighter Investigator’s support of three tool requirements on a filtered version
of the investigation of an organized drug crime network [10], and a semi-altered version of the same
investigation. We calculate two centrality measures, degree and betweenness, for two conditions,
with and without two designed and implemented associations.
We test the co-location association on an investigation inspired by an organized drug crime network
to evaluate the requirement for support of semantic associations. The investigation had no direct
associations between entities prior to the test. We have filtered out all entities except the close-up
photos (i.e., the blue rectangles) and created an investigation using CrimeFighter Investigator
where individuals are positioned with the same relative distance. All individuals are given numbers
or letters as name, except for the two lieutenants Anton Artis (A.A.) and Roland Brice (R.B.).
The network with the semantic co-location association included is shown in Figure 15.7a and the
calculated centralities are shown in Figure 15.7b.
We have defined the following four information entities used on the investigation board and use
colored rectangles to represent them in Figure 15.8: portrait pictures are blue, large surveillance
photos are orange, text cards with meta data about individuals are green, and header text cards
with red text are dark red. Based on this augmentation of the investigation board we observe a
number of semantics. Most obviously all portrait Polaroid pictures are placed below a meta data
text card. Sometimes a surveillance photo is placed next to the portraits. Finally, the investigation
board is divided horizontally into areas by the header text cards placed at the top.
Prior to testing the empty endpoint association we found that empty endpoints rarely occurred
in the investigation we analyzed. Links are used to connect two entities, and even if the contents
of one entity are unknown it is still created as a placeholder. It is unclear whether this is simply
because it does not make sense to work with empty endpoints or if it is because of a structural bias
toward links as simple entity connectors. To test the influence of the empty endpoint association
we have used some of the links from the previous test to create a new test case (see Figure 11.1).
We assume that a number of subgroups have been detected (the four colored composites) and that
the investigators know there is some connection from the main network to each of these subgroups
but it is unclear how and therefore an empty endpoint is positioned next to each subgroup.
To test the requirement for centrality measures to consider multiple associations, we use the same
network as for the empty endpoint requirement (see Figure 11.1). However, this time we test
both the empty endpoint association and the co-location association together. The with condition
therefore means that the algorithm replaces empty endpoints with actual nodes (placeholders) and
creates links between co-located nodes that are not already directly associated.
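The with and without conditions described above can be reproduced on a small board. The following Python code is an added example, not CrimeFighter Investigator's own code: the six entities, their positions, the co-location radius and all function names are constructed for illustration, and betweenness is computed with Brandes' algorithm.

```python
from collections import deque
from itertools import combinations
from math import dist

# Constructed sample board (not data from the thesis): entity -> (x, y) position.
POSITIONS = {"A": (0, 0), "B": (2, 0), "C": (4, 0),
             "X": (8, 0), "Y": (10, 0), "Z": (8, 1)}
# Direct (node-link-node) associations drawn by the investigator.
DIRECT_LINKS = [("A", "B"), ("B", "C"), ("X", "Y")]
# Links with one empty endpoint: (known entity, board position of the open end).
EMPTY_ENDPOINT_LINKS = [("C", (7, 0))]
RADIUS = 1.5  # assumed distance below which two entities count as co-located


def build_graph(co_location, empty_endpoints):
    """Adjacency sets for one test condition (each association on or off)."""
    pos = dict(POSITIONS)
    adj = {n: set() for n in pos}
    for u, v in DIRECT_LINKS:
        adj[u].add(v)
        adj[v].add(u)
    if empty_endpoints:
        # Replace each empty endpoint with a placeholder node at its position.
        for i, (known, where) in enumerate(EMPTY_ENDPOINT_LINKS):
            placeholder = f"?{i}"
            pos[placeholder] = where
            adj[placeholder] = {known}
            adj[known].add(placeholder)
    if co_location:
        # Link co-located nodes that are not already directly associated.
        for u, v in combinations(pos, 2):
            if v not in adj[u] and dist(pos[u], pos[v]) <= RADIUS:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def betweenness(adj):
    """Brandes' algorithm for an unweighted, undirected graph (unnormalized)."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, preds = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)   # number of shortest paths from s
        sigma[s] = 1
        depth = {s: 0}
        queue = deque([s])
        while queue:                    # breadth-first search from s
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in depth:
                    depth[w] = depth[v] + 1
                    queue.append(w)
                if depth[w] == depth[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):       # accumulate dependencies back toward s
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: b / 2 for v, b in score.items()}  # each pair was counted twice


def centralities(co_location=False, empty_endpoints=False):
    """Return (degree, betweenness) dictionaries for one test condition."""
    adj = build_graph(co_location, empty_endpoints)
    return {n: len(nbrs) for n, nbrs in adj.items()}, betweenness(adj)


if __name__ == "__main__":
    for cond in [(False, False), (True, False), (False, True), (True, True)]:
        degree, between = centralities(*cond)
        print(f"co_location={cond[0]} empty_endpoints={cond[1]}")
        for n in sorted(degree):
            print(f"  {n:>2}  degree={degree[n]}  betweenness={between[n]:.1f}")
```

On this constructed board, entity C has zero betweenness under the traditional measure and becomes one of the two highest-ranked nodes once both associations are included, because the placeholder next to the subgroup bridges the two components.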
Summary of results
Testing the requirement for semantic associations illustrated how centrality measures can be applied
to spatial network structures using a co-location association. It is evident that when no
relations exist in an investigation prior to analysis, there is a need to define associations between
entities in a different way if the investigators want to calculate node centrality to deal with the
uncertainty of an ongoing investigation. We see that degree centrality indicates the individuals
on the right hand side in Figure 15.7b as central to the network (e.g., 9, 6, 8, and 10), but they
are of little importance, when considering betweenness. At the same time degree doesn’t point
to the two lieutenants A.A. or R.B. as key players like we expected. We therefore find that one
should be careful with considering spatial co-location as a measure for network degree centrality.
Betweenness centrality clearly points to A.A. and R.B. as key players in the network together
with individual 2. Given the results of our two other tests it is also interesting that individual 5
is placed in top four in terms of betweenness.
When we tested the empty endpoints requirement we found that the measure of degree centrality
provides investigators with no clear tendencies, although it more strongly indicates individuals F, D,
A.A., and 3 as central to the network. The betweenness results more distinctly point to A.A. and
R.B. when including the empty-endpoints association. We also observe that individual 2 is ranked
as fourth instead of seventh which is a more realistic depiction of this individual’s betweenness in
the network. Individual 5 has the highest change in betweenness when including empty endpoints,
making him an interesting subject for further investigation. As mentioned earlier, it would be
possible to model empty endpoints using information element placeholders until the content of the
empty endpoint is known. This also means that traditional social network analysis measures of
centrality could be applied. We therefore recommend testing whether empty endpoints have higher value
for restructuring tasks during synthesis than for centrality algorithms.
Our test of the requirement for support of multiple associations was successful in terms of extending
two measures of centrality with more than one association from our topology. But for the test
investigation the test results did not add much investigative value. The inclusion of both empty
endpoint and co-location associations connects all entities in the criminal network through the
empty endpoints (individual 5 is connected to individual 6 and 12, individual F to individual H,
and individual A.A. to individual M). This makes the degree and betweenness centrality of key
nodes without the associations less distinctive. The numbers are flattened because the information
elements in the subgroups achieve higher measures of betweenness centrality with the associations
included. The most interesting result for this final test was that the degree and betweenness
centrality of individual 5 is increased considerably when the associations are added. Together,
our three requirement tests have shown that measures of centrality extended with novel types of
associations provided new insights into two organized crime networks that traditional centrality
measures could not provide. The most important result was that the centrality of individual 5 was
increased in all three tests. Individual 5 was not known to be a central entity in the network
before the tests.

                al-Qaeda                       November 17
version →       full     full     id 1-20      full     full
sampling →      100%     25%      50%          100%     50%
Nodes           366      256      15           22       17
Attributes      17       17       17           11       11
Complexity*     9.53     9.53     9.53         2.09     2.09
Links           999      249      18           63       32
Link density    0.015    0.008    0.17         0.27     0.24
*Complexity indicates the average number of enumerated values for each entity attribute.
Data set      Version     Sampling   Time (s)   TP* #   TP %   FP* #   FP %
“Original” data set (100%)
November 17   (full)      (50%)         0.219       9   42.9      12   57.1
al-Qaeda      (id 1-20)   (50%)         0.078       7   35.0      13   65.0
al-Qaeda      (full)      (25%)        63.093     288    4.9    5547   95.1
Attribute accuracy 90%
November 17   (full)      (50%)         0.235       5   35.7       9   64.3
al-Qaeda      (id 1-20)   (50%)         0.79        6   46.2       7   53.8
al-Qaeda      (full)      (25%)        37.562     165    5.1    3052   94.9
Attribute accuracy 70%
November 17   (full)      (50%)         0.124       1   16.7       5   83.3
al-Qaeda      (id 1-20)   (50%)         0.62        5   45.5       6   54.5
al-Qaeda      (full)      (25%)        24.656     167    5.0    3171   95.0
Attribute completeness 90%
November 17   (full)      (50%)         0.282       5   45.5       6   54.5
al-Qaeda      (id 1-20)   (50%)         0.094       7   41.2      10   58.8
al-Qaeda      (full)      (25%)        41.344     197    4.8    3939   95.2
Attribute completeness 70%
November 17   (full)      (50%)         0.531       5   45.5       6   54.5
al-Qaeda      (id 1-20)   (50%)         0.079       5   41.7       7   58.3
al-Qaeda      (full)      (25%)        24.328     146    4.4    3167   95.6
* TP = true positives, FP = false positives.
Table 15.6: Measures of performance for the ‘predict missing links’ algorithm. This algorithm is
at the core of the predict ‘covert network structure’ and ‘custom node removal’ algorithms.
per attribute. Link density is the ratio between the number of links and the number of potential
links and indicates for example how connected and covert the given network is.
We logged three variables for each test. Time is the seconds it takes to predict missing links.
True positives are predicted links that exist in the non-sampled version of the data set. False
positives are predicted links that do not exist in the non-sampled version of the data set. The
’predict missing links’ algorithm was customized in the same way for each sampled data set before
each test as described in Table 15.5. The al-Qaeda attributes are selected to match the number
of enum values for each November 17 attribute.
We evaluate the ‘predict missing links’ algorithm against all the data sets using the three measures
of performance. The results are listed in Table 15.6.
Information volume. This measure of performance is based on an evaluation of the change in
processing time and true and false positive ratios when the number of nodes and links increases
across the three sampled data sets.
We observe that the sampled al-Qaeda data set increases the time required to process the prediction
significantly (as expected). However, in the worst case the logged time is only 63 seconds and it
does not raise any operational concerns for most criminal network investigations. We realize that
the network can be much larger, and expect the required time to increase also for the tested data
set if attributes with more enumerated values were selected. But it is our experience that for very
large networks, criminal network investigators will request predictions within subgroups mostly
and not the whole network.
Attribute accuracy. The ‘missing links’ prediction algorithm relies on attribute values being
machine-recognizable, i.e., the value should be one of a list of predefined enumeration
values (e.g., Role [leadership, operational] or Degree centrality [high, middle, low]). We
have decreased the attribute accuracy of the sampled data set by scrambling a percentage of the
enumeration values.
The decreasing accuracy of enumeration values clearly affects the number of predicted links,
but the ratio between them does not change, indicating some robustness of the ‘missing links’
algorithm. The time actually decreases together with the decreasing accuracy of attribute values;
a decrease in predicted links can more easily be processed by the algorithm. One interesting
observation here is that the ratio of true positives dropped significantly for the November 17 data
set at 70% accuracy to 1 (from 5 at 90%). We expect this is caused by the fewer attributes compared
to the al-Qaeda data set, making it more vulnerable to the random scrambling of attribute values.
Attribute completeness. End user requirements and usability feedback have indicated a need
to support dynamic and emerging entity attributes, since limited information is typically available
about the individuals in criminal networks. To simulate this we delete attribute values from the
data sets by replacement with empty values.
Like attribute accuracy the total number of predicted links decreases as the number of non-empty
attribute values increases but the ratios stay more or less the same. We anticipated this similarity
between the accuracy and completeness MoPs as the CrimeFighter Investigator does not support
technology that could improve the attribute accuracy by correcting for example typographical
spelling errors.
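The three measures of performance can be run as a small harness. This Python code is an added example and is not the thesis' implementation: the six-node network, the function names and in particular the attribute-matching predictor are assumptions standing in for the ‘predict missing links’ algorithm, which this section does not specify.

```python
import random
from itertools import combinations

# Enumerated attribute values (the two example attributes named in the text).
ENUMS = {"role": ["leadership", "operational"],
         "degree": ["high", "middle", "low"]}
# Constructed six-node network (not thesis data): node id -> attribute values.
NODES = {
    1: {"role": "leadership", "degree": "high"},
    2: {"role": "leadership", "degree": "high"},
    3: {"role": "operational", "degree": "low"},
    4: {"role": "operational", "degree": "low"},
    5: {"role": "operational", "degree": "middle"},
    6: {"role": "leadership", "degree": "middle"},
}
# Links of the non-sampled ("full") version, stored as (low id, high id).
FULL_LINKS = {(1, 2), (1, 6), (2, 6), (3, 4), (3, 5), (4, 5)}


def link_density(n_nodes, n_links):
    """Ratio between the number of links and the number of potential links."""
    return n_links / (n_nodes * (n_nodes - 1) / 2)


def degrade(nodes, keep, rng, scramble):
    """Copy `nodes` with a (1 - keep) share of attribute values damaged.

    scramble=True lowers attribute accuracy (swap in another enumeration value);
    scramble=False lowers attribute completeness (replace with an empty value).
    """
    out = {n: dict(attrs) for n, attrs in nodes.items()}
    cells = [(n, key) for n, attrs in out.items() for key in attrs]
    for n, key in rng.sample(cells, round((1 - keep) * len(cells))):
        if scramble:
            out[n][key] = rng.choice([v for v in ENUMS[key] if v != out[n][key]])
        else:
            out[n][key] = None
    return out


def predict_missing_links(nodes, known_links, min_shared=1):
    """Stand-in predictor (an assumption, not CrimeFighter Investigator's
    algorithm): propose a link between two unlinked nodes that share at least
    `min_shared` non-empty attribute values."""
    predicted = set()
    for u, v in combinations(sorted(nodes), 2):
        if (u, v) in known_links:
            continue
        shared = sum(1 for key, value in nodes[u].items()
                     if value is not None and nodes[v].get(key) == value)
        if shared >= min_shared:
            predicted.add((u, v))
    return predicted


def measure(predicted, full_links):
    """Return (TP #, TP %, FP #, FP %) against the non-sampled link set."""
    tp = len(predicted & full_links)
    fp = len(predicted - full_links)
    total = tp + fp
    if total == 0:
        return 0, 0.0, 0, 0.0
    return tp, round(100 * tp / total, 1), fp, round(100 * fp / total, 1)


def run(accuracy=1.0, completeness=1.0, sampling=0.5, seed=1):
    """One test: sample the links, degrade the attributes, predict, and score."""
    rng = random.Random(seed)
    sampled = set(rng.sample(sorted(FULL_LINKS), round(sampling * len(FULL_LINKS))))
    nodes = degrade(NODES, accuracy, rng, scramble=True)
    nodes = degrade(nodes, completeness, rng, scramble=False)
    return measure(predict_missing_links(nodes, sampled), FULL_LINKS)


if __name__ == "__main__":
    print("link density:", round(link_density(len(NODES), len(FULL_LINKS)), 2))
    for label, kwargs in [("original", {}), ("accuracy 70%", {"accuracy": 0.7}),
                          ("completeness 70%", {"completeness": 0.7})]:
        print(label, run(**kwargs))
```

`link_density` reproduces the link density row of the data set table from its node and link counts, for example 999 links over 366 nodes gives 0.015.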
15.5 Summary
To summarize our evaluations, we have used three different methods for evaluating our developed
tool support for criminal network investigation: capability comparisons, end user interviews, and
measures of performance. The use of multiple evaluation methods was necessitated by
the different nature of different criminal network processes embedded in our target-centric model.
Our three methods gave us good evaluation coverage across all of them, from acquisition to cooperation.
Acquisition and synthesis tasks map to evaluation of information #1 (emerging and
fragile structure). Acquisition tasks, information types, and emerging attributes map to evaluation
of information #2 (integrating information sources). Sense-making tasks map to human
factors #1 (augment human intellect) and human factors #4 (human-computer synergies).
Dissemination tasks map to evaluation of human factors #2 (transparency and ownership),
and so forth.
A couple of requirements were found not to be covered by the selected evaluation methods; this was,
however, expected. Observing the mapping figures for requirements to tasks (Figure 15.1), measures
of performance to requirements (Figure 15.3), and models to requirements (Figure 15.2), we see
that Process #1 (target-centric and iterative) and Process #3 (make everybody stakeholders)
are not covered by our evaluation methods. The only argument for coverage would be that support of
the retracing the steps task, and hence information #4 (versioning support), would reveal who
takes, e.g., early decisions in an investigation, and hence their responsibility for the final outcome
would stay throughout the investigation and they would be stakeholders. But we find that to be
a rather weak argument for coverage. As mentioned, this was expected. Our process model was
developed to address these two research focus requirements, and our arguments for designing the
process model in this particular way are based on literature studies, expert end users, and our ideas
for how to design such a process.
In summary, for the evaluations presented in this chapter of a tool for criminal network investigation,
CrimeFighter Investigator, we find it has strong support for information #1, information
#3, process #4, human factors #1, and human factors #4, medium support of information
#1, human factors #2, and human factors #3, and weak support of information
#1 and process #2. This summary is visualized in Table 15.7. Comparison of CrimeFighter
Investigator with other tools was covered in Section 15.3.
15.6 Discussion
We will discuss the implications of the evaluation results for CrimeFighter Investigator presented
above in Sections 15.2, 15.3, and 15.4. But first we discuss visualization as a lead-in to discussing
who is treated as the customer when it comes to tool support for criminal network investigation,
and who the customer(s) really are. A second discussion, before that of the evaluation results, is
about end user involvement in the evaluation of criminal network investigation tools, the problems we
faced in relation to this, and our suggestions for how to get end users from the security domains
and law enforcement (police officers, detectives, intelligence analysts) involved in the evaluation,
but also the development, of tool support for criminal network investigation.
many important applications in relation to security informatics and criminal network investigation.
Nonetheless, we discuss it, and we use Ray Kroc’s quote from the beginning of this chapter, as a
basis of our discussion, and to indicate the non-scientific nature of the discussion. When Ray Kroc
talks about “looking after the customer”, he is most likely referring to customer service: smiling
service; fast service; and a nice, clean, and well kept establishment. In the documentary SuperSize
Me, the implication is that McDonald’s is looking after the customer by providing them with well
tasting food that to some extent makes them addicted to that same food; or the amount of sugar
it contains. In combination, looking after the customer, becomes excellent service, a nice, clean,
and (might we add) colorful restaurant, together with selling the customer something that tastes
very good, but ultimately is not good for the customer.
For companies that sell criminal network visualization software, the customer is first of all the
individuals who pay the large license fees, typically managers in companies and organizations
requiring such software. We believe that the true customer of criminal network investigation tools
is the investigator who is going to use the tools. The question is now, how best to look after
this customer? We should surely not inhibit the investigator in any way, not inhibit the sense for a
specific emerging structure, the investigator’s imaginativeness and creativity, when an idea makes
the investigator draw a row of two-story houses, before asking a tool which of those houses have
roof access to a certain back alley. When the investigator thinks of new and innovative ways to
fill the negative (void) space in a criminal network investigation, producing new leads and solving
cases. That is our point of view, and it is the point of view we have had throughout this work and
which we have been developing tool support for.
Naturally, when all that is said, visualization is important in a tool box for fighting crime (e.g.,
criminal network investigation). And there is a tool in the CrimeFighter toolbox which focuses
on visualization (see Section 1.4 in the introduction). Maybe, if we could call it something like
visual filtering, indicating a more active involvement on the part of the investigator, rather than
just selecting between a variation of layouts and color schemes, it would be a better match, and
also become useful for the tasks of the criminal network investigator.
customer as a stakeholder together with the developers and their managers, in order to produce
a product with the required level of maturity, suitable for testing on classified data. We suggest
that collaboration is established between the Danish intelligence services or the less secretive parts
of law enforcement, such as police, with domestic research institutions. Such collaborations exist
in other countries: at Simon Fraser University the Institute for Canadian Urban Research Studies
(ICURS) based in the School of Criminology has a secure crime lab, where researchers can test
their algorithms on police data. At Arizona University’s AI lab, 300 police officers participated
in a survey-based evaluation of the COPLINK software (footnote 92). Naturally, it takes time to build the
required level of trust between academia and law enforcement, once your software tool is mature
enough. Our three years in the security informatics research community helped us reach a point
where we now find ourselves knowledgeable enough to ask these questions. But if it was not required
to experience the classical “oops, I tripped and spilled your wine on you (to test if you are wearing
a wire)” before gaining access to knowledge from intelligence service agents, we might have been
able to ask these questions earlier.
Before discussing the results in Table 15.2, it makes sense to ask the question whether the tasks
used for evaluation and comparison are the right tasks to support by software tools? The goal
should be that the investigators can use the tools to reach better results faster. We have interacted
with investigators when compiling the task list. The task list has subsequently been confirmed
by investigators as important tasks to support in a software tool. The investigators also noted
the absence of details regarding tasks in the acquisition and cooperation processes. We intend to
address this in future work and constantly expand and revise our list of tasks to be supported
based on interactions with end-users.
The results in Table 15.2 are not surprising. Our focus on synthesis, sense-making, and dissemination
has resulted in relatively good support for these processes ranging from 3 (dissemination)
over 4 (sense-making) to 4 (synthesis). On the other hand, our tool scores somewhat low on
acquisition (2) and cooperation (2) as expected.
Compared to the other tools, CrimeFighter Investigator is the only tool that supports the majority
of the envisioned synthesis tasks. Other tools support the synthesis tasks to a varying degree.
Regarding sense-making, our tool scores higher than the other tools except for Palantir that
received the same score. Our plans for future work (see Section 6) will result in a tool that
fully supports the envisioned tasks related to synthesis, sense-making, and dissemination. Our
conclusion is that our tool currently provides the most comprehensive support for synthesis and
sense-making.
It can be observed from Table 15.2 that the tools used in watchdog journalism are not as elaborate
as the commercial tools for policing and counterterrorism. The market for policing and counterterrorism
tools is much bigger than the market for watchdog journalism tools. We envision that
our tool can be useful to investigative journalists due to the supported tasks.
It can also be observed from Table 15.2 that the commercial tools provide good support for
acquisition and dissemination. Acquisition is essential for a commercial tool, since many of their
customers have enormous amounts of data that need to be made available to the investigations.
Dissemination is also essential for a commercial tool, since the investigation results need to be
communicated to the customer in a comprehensive manner. In the longer term, our future work
will also address the acquisition and dissemination issues, but not to the extent of what commercial
tools do. Our long term research goal is to provide the most comprehensive support for synthesis,
sense-making, and cooperation.
Commercial tools provide many powerful features for the synthesis tasks that they support, while
there seems to be an increased focus on supporting sense-making tasks in research prototypes
like Sandbox, POLESTAR, and CrimeFighter Investigator. For example, Analyst’s Notebook is
very strong on visualization as part of its synthesis support, but lacks many of the features for
sense-making. Wright et al. state that Analyst’s Notebook seems better suited as a report tool
than a thinking tool since it does not encourage various alternative thinking [254]. This claim was
supported by end-users we met at an i2 user conference (footnote 93): “I typically use Analyst’s Notebook
to generate a report for the state attorney handling the case in court. I do not use Analyst’s
Notebook before I am done with my analysis”.
The comparison of supported tasks is made based on whether a particular feature is supported
or not - not how well it is supported. Commercial tools are by nature more mature and typically
provide qualitatively better features than research prototypes (which often aim at providing
proof-of-concept implementations of features). CrimeFighter Investigator has so far only been evaluated
based on the existence of support for tasks, not how well end-users feel they are supported in
practice. This type of evaluation involving investigators from the three overall areas is planned to
start, when the envisioned list of tasks has been implemented.
CrimeFighter Investigator uses well-known (and tested) hypertext concepts and structuring mechanisms
that have proved useful to solve similar knowledge management tasks. In fact, the tool
builds on previous work by the authors on the use of multiple hypertext structures to support
knowledge management tasks related to agile planning [170]. Thus, we are confident that the
provided support to a large degree will be perceived as useful by the end-users in supporting the
investigative tasks. Further evaluation results will help fine-tune the usability of the provided
features.
element attributes for different parts of the network. He also extended the actual prediction of
links to be conditioned by the betweenness centrality of the individuals between whom links were
predicted, prior to that prediction. The tailoring in CrimeFighter Investigator made the process
transparent and helped Mark to gain a feeling of ownership toward the information provided. In
other words, he trusted the sense-making provided information enough to forward his findings to
his decision-making superiors.
(c) empty endpoint results (d) two associations results
Figure 15.7: The organized drug crime investigation with links representing co-location associations (a). The degree and betweenness centralities for
each of three tests: co-location association (b), empty endpoints association (c), and both co-location and empty endpoints associations (d).
Figure 15.8: Augmented version of an organized crime investigation showing a shared information
space and various content. Close-up pictures are blue, surveillance photos are orange, text cards
with meta information about individuals are green and text cards functioning as headers are dark
red.
CHAPTER 16
Criminal network investigation involves a number of complex knowledge management tasks such
as collection, processing, and analysis of information. Synthesis and sense-making are core analysis
tasks; analysts move pieces of information around, they stop to look for patterns that can help them
relate the information pieces, they add new pieces of information and iteration after iteration the
information becomes increasingly structured and valuable. Synthesizing emerging and evolving
information structures is a creative and cognitive process best performed by humans. Making
sense of synthesized information structures (i.e., searching for patterns) is a more logic-based
process where computers outperform humans as information volume and complexity increases.
CrimeFighter Investigator is a novel tool that supports a target-centric and iterative criminal
network investigation process and related tasks through the application of advanced software
technologies such as hypertext structure domains, semantic web concepts, known human-computer
interaction metaphors, and a tailorable computational model rooted in a conceptual model defining
first class entities that enable separation of structural and mathematical models.
As a result of numerous commission reports evaluating the efforts of counterterrorism and police
(e.g., [110, 152, 153]), there is a growing request for more openness in intelligence agencies and law
enforcement in general, especially close to home (e.g., Norway [153] and Denmark [27]). As we have
mentioned, these Commission Reports often present how the information was there, available and
linkable, and therefore resort to remedies such as information sharing, joint intelligence units, merged
databases etc., but do little to improve on the intelligence process [32] (analytical methods). The
22 July Commission Report concluded, among other things, that following a different methodology
could have changed if not the final outcome, then the outcome of sub-parts of the Norwegian
tragedy. Intelligence services in Denmark, such as the Danish defense intelligence service have
made organizational changes and talked about more openness (footnote 94), and the author has through
interviews and meetings learned that new technologies such as semantic web technology, and ideas
such as intelligence in the cloud, readily retrievable by phones and tablets in the field (footnote 1). We believe
that the Danish intelligence services are moving in the right direction, with an increased focus
on utilizing available information and communication technologies. But in terms of tool support
1 This information is based on classified interviews and meetings, held between the author and the anonymous.
16.1 Summary
We started out as engineers, with the goal to engineer a software system for criminal network
investigation. We studied our domain, we talked with the end users, we analyzed related work,
theory and technology, and generated requirements. We created designs for those requirements,
and implemented software prototypes as proof of the concepts we had developed. We did so,
following an agile methodology, iteration by iteration, release by release. We incrementally built
CrimeFighter Investigator one proof-of-concept prototype at a time, from a pilot system to an
actual criminal network investigation tool, assisting investigators when investigating their genuine
mysteries and hunts for ghosts. As software systems engineers, we succeeded early.
But as we got further into the research, we discovered a need to develop a new criminal network
investigation process, new concepts and models as the foundation for tools and techniques. Three
criminal network investigation challenges that had been found to result in (tool supported) criminal
network investigation failure, either separately or together, were being addressed in a manner
suitable for the tasks of the criminal network investigator. We noticed that existing software systems
were only in part guided by requirements addressing problems related to information, process,
and human factors challenges. We identified these problems, formulated such requirements, and
adopted some concepts from knowledge management and hypertext theory and technology. Based
on those concepts we developed models and software components for support of criminal network
investigation. We found, that no matter what ill-structured problem an individual or a group of
individuals are trying to solve, there are some basic concepts, structures, and components that
can be applied. Some basic building blocks from which to build software systems.
In summary, we first took in the scattered particulars related to criminal network investigation
under one idea, so that everyone understood what we were talking about. Second, we separated our
idea into parts, by dividing it at the joints (information, process, and human factors), as nature
directs, not breaking any limb in half as a bad software systems engineer might (Phaedrus 265D).
CHAPTER 16. CONCLUSION 16.2. REQUIREMENTS, CHALLENGES, AND HYPOTHESIS
16.2.1 Requirements
The research focus requirements we listed in Chapter 6 were evaluated using three different methods
in Chapter 15. A summary of the evaluation is shown in Table 16.1, indicating whether
evaluations found that we had strong, medium, or weak support of each research requirement,
through our developed processes, tools, and techniques. Our evaluation methods were found to
provide good coverage of the research focus requirements, except for process #1 (target-centric
and iterative) and process #3 (make everybody stakeholders). However, this was expected, and
our process model was found to cover those two requirements.
The results in Table 16.1 show that we have provided strong to medium support of all requirements,
and we can therefore conclude that we have addressed the problems associated with each
individual criminal network challenge. Furthermore, the strong to medium support of the requirements
also leads us to conclude that we chose the right challenges to focus on, as our developed
processes, tools, and techniques were found to address and have an impact on those challenges.
16.2.2 Challenges
Following the conclusions on research focus requirements above, we conclude on the degree to
which we have addressed each challenge in more detail. Below we present our conclusions on each
of the three criminal network investigation challenges:
Information. We conclude that the weak support of information #2 (integrating information
sources) is because this requirement has not been prioritized. We focused on the development of
a conceptual model with first class entities, after which it would have been easier to provide, e.g.,
images as visual abstractions for information elements. The same is the case for information #4
(versioning support), whose development was dependent on strong support of information #1
(emergent and fragile structure), and as a consequence a well-developed conceptual model. We
can conclude that key information challenge requirements have strong support, and that the less
supported information challenge requirements still require further development to be finished.
Process. Our developed process model provides strong support of process #1 (emergent and
fragile structure), while support of process #3 (make everybody stakeholders) is considered weak,
although closely related to the choice of process model. However, limited support of cooperation
tasks has inhibited the development of support for process #3. Process #2 (loss-less data
abstractions) is supported by the design of our entity software component, but due to the lack of
support for the information types task, process #2 support is not strong. Finally, process
#4 (integration of conceptual and computational models) has strong support, and given the
amount of attention, this is not surprising to us. Again, process challenge requirements have
strong support, and those less supported requirements still require further development to be
supported (or are related to investigation tasks, which require further development).
Human factors. The research focus requirements human factors #1 (augment human intellect)
and human factors #4 (human-tool synergy) were evaluated to have strong support by
the developed processes, tools, and techniques. They are also closely related, as human intellect is
augmented using advanced software technologies, thereby increasing the capabilities of man (i.e., a
synergy effect). Human factors #3 (simple tools ease-of-use) has medium support, mainly due
to the common information space where entities can be organized in different structures, like paper
cards or similar on a table. Human factors #4 (transparency and ownership) receives support
from our dissemination tasks, as well as the investigators’ options for tailoring sense-making work
flows for their particular needs. It seems that human factors are often not considered when tool
support is developed for criminal network investigation. Our human factors requirements have
been evaluated with a positive outcome, and the decision to also focus on the human factors
challenges has proved to have a positive impact on criminal network investigation.
Based on the conclusions for the individual criminal network investigation challenges, we will make
our final conclusions about support of our hypothesis below.
16.2.3 Hypothesis
Our hypothesis was formulated based on three criminal network investigation challenges:
16.3 Contributions
The CrimeFighter Investigator approach for criminal network investigation has been developed
based on different types of analysis work:
Involving end users. We have interacted with investigators from various communities to
get their input on what kind of tool support is needed.
Exploring methods. We have explored analytical practices, processes, and techniques
related to policing, counterterrorism, and watchdog journalism.
Studying related work. We have found inspiration from existing tools supporting criminal
network investigation as well as from various existing hypertext systems.
Together, this analysis work resulted in a list of tasks that guided our development. Currently,
most of the envisioned tasks are supported. In general, our work has resulted in the following
contributions:
Process model. We have developed a target-centric and iterative criminal network investigation
process model to address problems associated with a linear approach to investigation,
with a particular focus on the compartment problem. More specifically, the model provides
support of process #1 (target-centric and iterative) and process #3 (make everybody
stakeholders).
Task list. To support the acquisition, synthesis, sense-making, dissemination, and cooperation
processes of our model, we developed a list of criminal network investigation tasks,
based on the three types of analysis work described above.
Tool support for criminal network investigation. We have developed a tool to support
criminal network investigation and assist investigators in creating target-centric models for
their customers. The tool provides more comprehensive support for synthesis and sense-making
tasks than existing tools. Furthermore, evaluation has shown that we are on the
right path to integrate a broad range of investigative synthesis and sense-making tasks in
one tool to support target-centric criminal network investigation. We have observed that
existing tools typically are strong on either synthesis or sense-making tasks.
Components for tool support. We have developed generic software components for
support of criminal network investigation. The components have helped develop support for
research focus requirements such as human factors #2 (transparency and ownership)
and process #4 (integration of conceptual and computational models). Furthermore, the
software components are applicable to similar knowledge management problems.
Publications. Our work has been published in peer-reviewed international conference proceedings
published by ACM, Springer, and IEEE. Parts of our work are accepted for publication
in the Springer handbook of computational approaches to counterterrorism and the Springer
journal on security informatics (special issue on criminal network investigation). See Appendix A
for further details.
While these are individual and important contributions to the field of criminal network investigation,
proof-of-concept prototypes are not proof in the generic sense; further evaluation is required
in order to advance the research both academically and commercially. It is important that we
have implemented proof-of-concept prototypes to further enhance our understanding of the analyzed
and designed conceptual ideas (concepts), but quantitative empirical evidence of effect, measuring
the impact of our conceptual ideas on criminal network investigation, together with the measures
of performance we have developed and tested on some algorithms in CrimeFighter Investigator,
would be crucial. In essence, our work presents the guidelines for how to start a research project
on criminal network investigation. We will discuss future research and other perspectives in future
work (Section 16.4).
16.4 Future Work
would be willing to test it within their organization (see note 95), using it on real investigations and the
(often) classified information related to these investigations. The future work described in this
chapter is our suggestion of how to reach that point of maturity.
The literature studies will focus on topics primarily related to technology adaptation, human cognition,
and creativity, such as “how does ‘trust’ affect the adaptation of new technology?”
(see Section 16.4.1). In terms of future software development, it would be important to test for
example the extensibility of our developed framework, by the addition of new synthesis structures
such as the semi-lattice (discussed in Section 3.2). We outline that and other relevant future
software development tasks in Section 16.4.2. As described in Chapter 15, we have evaluated our
approach with a number of different methods. Future evaluations and methods are described in
Section 16.4.3.
1. Drag and drop. Acquiring information using drag and drop from other applications is
essential for fast and easy synthesis of information in the common information space. It
would also mean that support for information #2 (integrating information sources) would
be significantly improved.
2. Import. Providing support for import of basic network formats beyond comma separated
values would increase the options for integrations with other tools, and increase support of
information #2 (integrating information sources).
CrimeFighter Investigator currently has strong support for synthesis tasks, but increased focus
on the following tasks would make the support more complete, and make the tool more ready for,
e.g., usability experiments:
1. Branched history. It will be necessary to extend the navigable history feature to also
support branched history [96,117]. In terms of synthesis, this means development of methods
for recording and navigating branched history. This would result in stronger support of
versioning (information #4).
2. Information types. Extend support of information types beyond text snippets and meta
data information to also include pictures, maps, audio, etc. (information #2).
Although CrimeFighter Investigator has good support for sense-making, there are some criminal
network investigation tasks that should get more attention in the future, and new concepts would
have to be developed accordingly:
1. Branched history. Overlaps with branched history support for synthesis (above). Branched
history would leverage creating hypotheses using information structures (as opposed to using
argumentative structures). The Visual Knowledge Builder (VKB) [198] introduced the
concept of navigable history [96, 117].
3. Filtering. We have found that once networks grow to a certain size in CrimeFighter Investigator,
filtering becomes a key sense-making task. We can think of filtering features in
two categories: visual filtering, using colors, size, and positioning, and actual filtering, i.e.,
taking a subpart of the network into a separate space to work with it there or, alternatively,
the removal of entities from the space, in both cases based on entity attributes or patterns.
Commercial state-of-the-art tools (reviewed in Section 4.1) such as Analyst’s Notebook and
Palantir Government are very strong on visual filtering, and we therefore suggest focusing
on actual filtering and thinking through some of the challenges associated with such an approach. As an
example, what if a sub-part of the network is filtered out and placed in a new space to work on
it there, and then later, after the work is complete, the analyst wants to merge the results
back into the original network?
4. Custom algorithms and sense-making work flows. Future work for custom algorithms
includes saving sense-making work flows and later application of saved work flows, together
with a dedicated editor for building these work flows in a more intuitive manner, rather than
having to use list boxes, sliders, and check boxes to tailor the work flows.
5. Prediction. When developing the support for the transformative inference-based prediction
algorithms at Imperial College in London, a range of interesting future work was discussed
with Dr. Christopher J. Rhodes, e.g., how would variations in the gold standard impact the
measures of performance for the covert network structure and missing links algorithms. It
was also discussed to add support for analyzing the secondary effects of agent insertion into
a criminal network (i.e., the opposite of the already supported node removal algorithm).
Dissemination has received some attention in this Ph.D. dissertation and interesting further
development for both story telling and report generation is mentioned below:
1. Story telling. Story telling could be further enhanced beyond simple navigation of history, e.g.,
by letting the user attach specific views to the history to show the betweenness between
entities at that particular point, or maybe an animation of the evolution of the criminal
network so far.
Finally, providing better support for cooperation, human-computer interaction, and visualization
is part of our longer term goals.
1. Usability experiments would involve finishing up experiment designs and then actually
executing the experiments to get quantitative evaluation of our approach, i.e. our approach
to synthesis. We plan to involve researchers and end-users in these capability comparisons
in the future. We are currently designing structured usability experiments following [18, 69]
for evaluation of specific CrimeFighter Investigator features.
2. Capability comparisons. A logical next step for our capability comparisons of both
criminal network investigation tasks and conceptual, structural, and mathematical models
would be to provide professional end users of the commercial tools and research prototypes
with surveys where they could indicate the support of individual tasks or models.
Notes
1 We find reconciliation in the fact that even a multi million dollar company like Palantir Technologies have found
it necessary to start with disclaimers in some of their presentations. One presentation, Palantir as Intelligence
Infrastructure [191, 192], has a slide with the header ‘What Palantir ISN’T!’, and then lists (1) A Visualization
Tool, (2) A closed environment, and (3) One database to rule them all.
2 We recognize that some investigations can be solved using e.g., social network analysis, if the investigators
have a hairball of 100.000 phone calls and 10.000 people and you want to learn if these guys are calling the same
group of people. This was an example given at the i2 EMEA user conference 2010 in Brussels, Belgium. But, when
investigating Operation Crevice and the 7/7 (2005) bombings in London, there were a lot of registered phone calls,
but one individual appearing in Operation Crevice was missed because of slight variations in his name.
3 Professor Hsinchun Chen (AI lab, University of Arizona) gave a talk about his health informatics research at a
workshop on information and knowledge management for welfare technology. Chen has given keynote talks on the
big data analytics topic in the security informatics domain (dark web), e.g. at EISIC 2011 and EISIC 2012. EISIC
stands for European International Security Informatics Conference.
4 The user conference mentioned, was the 2010 i2 EMEA user conference held in Brussels, Belgium.
5 Sometimes the term ‘compartmentation’ is used instead of compartmentalization.
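6 The July 22nd Commission’s report was made public and presented on August 13th 2012. The original text of
our translation is (PST is the Norwegian Police Security Service): Med en bedre arbeidsmetodikk og et bredere fokus
kunne [Politiets sikkerhetstjeneste] PST ha kommet på sporet av gjerningsmannen før 22/7. Kommisjonen har
likevel ikke grunnlag for å si at PST dermed kunne og burde ha avverget angrepene. [In English: With a better
working methodology and a broader focus, PST could have come onto the track of the perpetrator before 22/7. The
Commission nevertheless has no basis for saying that PST thereby could and should have averted the attacks.]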
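7 Petter Gottschalk has done police research for years and written several books on the subject, e.g. [53]. His
comment as it was printed in Information on August 13 is [78]: Politiet har i 10 år isoleret sig og afvist al kritik.
Norsk politi har været meget lukket og ikke villet forandre sig. Kommissionen gentager kritik, som har været rejst
mange gange før, men denne gang kan de ikke afvise det. [In English: For 10 years the police have isolated
themselves and rejected all criticism. The Norwegian police have been very closed and unwilling to change. The
Commission repeats criticism that has been raised many times before, but this time they cannot reject it.]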
8 The 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2010), held
9-11 of August 2010 in Odense, Denmark, jointly with the International Symposium on Open Source Intelligence
and Web Mining 2010 (OSINT-WM 2010).
9 The work to make criminal network investigation a separate area within security informatics has begun, e.g.,
with the call for papers for a special issue of the security informatics journal on criminal network investigation
(see http://www.springer.com). We hope that by presenting our own boundaries for the field of criminal network
investigation, we can help shape and position the area even better within the field of security informatics research.
10 The term security informatics was coined by Hsinchun Chen (2006) initially as Intelligence and Security Informatics
(ISI): “development of advanced information technologies, systems, algorithms, and databases for international,
national and homeland security related applications, through an integrated technological, organizational,
and policy-based approach” [37]. Terrorism informatics is another related field that was also coined by Hsinchun
Chen (2008): “application of advanced methodologies and information fusion and analysis techniques to acquire,
integrate, process, analyze, and manage the diversity of terrorism-related information for national/international
and homeland security-related applications” [1, 38].
11 Our analysis of commercial tools and research prototypes used for policing, intelligence analysis, and investiga-
paper, adaptive counterterrorism tools over silver bullets (see Appendix A).
13 See Appendix A for further information on our published papers and other work.
14 Our model for criminal network investigation published at Hypertext 2011 is described in Chapter 7.
15 Figure adopted from the following url: http://www.mikesmart.com/application_development/agile_development.htm.
16 The metrics have been calculated using the Metrics plugin (version 1.3.6) for Eclipse [source: http://metrics.sourceforge.net/update].
17 Information acquired by means of observation or experimentation [61].
18 By post-crime data sets and investigations we mean simply data sets and investigations that have been aggregated
and described after a criminal offense has been committed, and typically also prosecuted in court. This is
explained in greater detail in Section 15.1.
19 This statement was initially made in relation to terrorist networks in [244], but we believe that the same applies
tures in particular criminal network domains such as terrorist networks (e.g., [92, 122, 188, 189]), many of which are
focused on the organization of al-Qaeda (e.g., see the discussion between Hoffman and Sageman (2008) [93, 190]).
22 The term cell is also often used about cliques and tight-knit groups [128, 188, 227].
23 Two triad configurations are considered isomorphic, if they share dyadic features (i.e., the number of null dyads,
asymmetric dyads, and mutual dyads).
24 Standard MAN labeling is described by Wasserman and Faust (1994) [240].
25 This compartmentalization problem has also been recognized by software development experts [43, 54]
26 Our account of the assessment processes of Curveball reports is primarily based on Drogin (2008) [59].
27 Similar observations have been made for software development processes [43].
28 Abu Zubaydah was one in a group of global jihadists believed to have “holed up” in Punjab (Pakistan). Abu
Zubaydah “had long-standing and close ties to [al-Qaeda’s] inner circle of leadership” [146], and CIA therefore
thought he could have information about the next attack.
29 National Security Agency.
30 Jaishe-Mohammad (JEM), “Army of the Prophet”. The police man, Adil Mohammad Sheikh, claimed in court
that he did not know the purpose of the operation he was involved in [162].
31 Omar Saeed Shaikh, the mastermind of the plot, used at least seventeen aliases himself: Mustafa Ahmad,
Mustafa Ahmed al-Hawsawi, Mustafa Sheikh Saeed, Omar Saiid Sheikh, Shaykh Saiid, Chaudry Bashir, Rohit
Sharma, Amir Sohail, Arvindam, Ajay Grupra, Raj Kumar, R. Verma, Khalid, P. Singh and Wasim! [128]
32 The primary writers are David Simon and Ed Burns. Burns has worked as a Baltimore police detective for
the homicide and narcotics divisions. Simon is an author and journalist who worked for the Baltimore Sun city
desk for twelve years. He authored homicide: a year on the killing streets and co-authored the corner: a year
in the life of an inner-city neighborhood with Burns [10, 204–206]. We have previously focused on policing and
investigative journalism as two investigation types that could benefit from the concepts we develop and implement
in CrimeFighter Investigator [174].
33 We have previously described the advantages of a board-based approach for the planning domain, where infor-
gradually come to follow the key player strategy” [150]. Morselli follows up by stating that “a more accurate
appraisal of the social organization of drug-trafficking [. . . ] would follow a resource-sharing model in which collab-
oration among resourceful individuals would be at the base of coordination in such operations” [150]. We find that
this is also the approach taken by the investigators in The Wire by targeting not only Avon Barksdale but a range
of important individuals in and around the decision-making body of the organization.
35 Secret intelligence includes human intelligence (humint), signal intelligence (sigint), imagery intelligence (imint),
italization, Compress Repeated Characters, Copy Value from Previous Row, Extract Portion of Text, Find and
Replace Text, Prefix with Another Column, Remove Characters, Remove Prefix. The source of this information is
hands on lab handouts [107], on file with the author.
40 After submission of the dissertation, we have become aware that IBM i2 iBase also has support for creation of
content”.
48 The review of NoteCards was to some extent also part of our master thesis [165].
49 ASAP is an acronym for advanced support for agile planning. See Section 2.2.3 for more information on this
tool, or refer to [165, 170, 171]
50 Tim Berners-Lee gave a “talk a[t] the very first International World Wide Web Conference, at CERN, Geneva,
Switzerland, in September 1994. This was the conference at which the formation of W3C was announced” [23]
51 We would like to point out that the link to the ‘Enneagram of Personality’ for deciding people’s personality has
on January 1st 2010, the right wing parties, has suggested that further tightening of law might be necessary. [88]
73 For Brennan’s complete speech, please refer to [William J. Brennan Jr., 1987. ‘The Quest to Develop a Jurisprudence
of Civil Liberties in Times of Security Crisis.’ Speech, December 22, 1987, at the Law School of Hebrew
University, Jerusalem, Israel.]
74 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK
[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However,
none of these studies ask the users to what degree they trust the information provided by the systems and how
that affects their acceptance of the technology.
75 Criminal network investigation cases other than those presented in Section 3.5 have been analyzed, e.g., the
intelligence used for the United States case against Iraq concerning their (alleged) weapons of mass destruction
program [59,242], and the links between Operation Crevice and the 7/7 bombings in the United Kingdom [110,252].
Studies of the Afghan Taliban network (based on literature (e.g., [134]) and an interview (Section 15.2.1)) and
al-Qaeda and affiliated movements (AQAM) (Section 14.3).
76 Alex Steiner is a pseudonym for a DIA (defense intelligence agency) officer [59].
77 Many abbreviations are used in the literature for the described criminal network investigation steps. Processing
is also referred to as triage [7]. Synthesis [40] was chosen over foraging [25,254], collation [83], and textualization [20].
Sense-making over analysis [40]. Dissemination over presentation [25].
78 Structural models are typically embedded in mathematical models (e.g., see Brantingham (2009) [30]).
79 The amount of memory required to store branched history is an important concern that was raised by Dr.
Atzenbeck during the author’s visit to the institute for information systems (iisys) at University of Hof.
80 The Sageman (2003) data set was provided by a classified source and is on file with the author.
81 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK
[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However,
none of these studies ask the users to what degree they trust the information provided by the systems and how
that affects their acceptance of the technology.
82 Sageman (2004) discusses the concept of a bridge to jihad [188], Veldhuis and Staun (2009) review the root
causes for radicalization of European minorities [234], and many researchers have studied online radicalization
[29, 48, 49, 236, 241].
83 The link charts could of course be automatically generated based on these incident reports, as it has been
suggested for organized crime using a so-called importance flooding technique [139].
84 However, we have developed and tested measures of performance for the predict missing links algorithm in
Section 15.4. The predict missing links algorithm plays an important role in the custom node removal algorithm.
85 The Danish CTU is “invented” for this scenario and is not related to the Danish Security and Intelligence
efficiency of their algorithms on and then compare it to the efficiency of other researchers’ algorithms (e.g., see [55]).
87 We have built our own data sets and investigation information from the Daniel Pearl investigation [128,162,227].
Sageman (2004) aggregated his al-Qaeda network from open sources [188], as was the November 17 data set [184].
88 Several criminal network investigations have inspired our work. The investigation of Daniel Pearl’s kidnapping
and murder was target-centric and used large pieces of paper on a wall to synthesize information entities as they were
discovered [128, 162, 227]. The investigation to locate and arrest the 9/11 mastermind Khalid Sheikh Mohammed
(both before and after the attacks), was, by the Federal Bureau of Investigation, conducted in a target-centric
manner and always with a focus on gathering evidence both for later potential trials but also to map and understand
the network of individuals, events, and places that was emerging [146]. Researchers and writers Strick van Linschoten
and Kuehn have been mapping a network of Afghan Talibans to investigate their associations with the Afghan Arabs
from 1970 to 2010 [134]. They use Tinderbox for their mapping efforts [166]. Tinderbox is a software tool that
takes a board-based approach to synthesis of networks and supports multiple structures [24].
89 In Danish ‘Politiets efterretningstjeneste’, PET in short.
90 In Danish ‘Forsvarets efterretningstjeneste’, FE in short.
91 See Steele (2009) discussing secret intelligence vs. open source intelligence [214], and a recent article by
Bonnichsen (2012), previous DSIS director of operations [27].
92 Professor Hsinchun Chen (AI lab, University of Arizona) told the author this during an informal conversation,
August 2012. Professor Chen also mentioned that it had taken about two years to establish the required trust with
law enforcement, before law enforcement let the 300 police officers participate in the survey.
93 The 2010 i2 EMEA user conference held in Brussels, Belgium.
94 During the spring of 2011 DDIS restructured their organization in order to shape and streamline the service,
to be better equipped to manage future tasks (see [52] and Appendix B.2 (Danish text)).
95 A classified source has told the author during an informal conversation that maturity was a key criterion within
the source’s organization that has to be fulfilled before they would take a look at any new technology.
Bibliography
[1] Terrorism informatics - knowledge management and data mining for homeland security.
Springer (2008)
[4] Npr: Ted radio hour podcast - where ideas come from (2012)
[7] Adderly, R., Musgrove, P.: Police crime recording and investigation systems - a user’s view.
International journal of police strategies and management 24(1), 100–114 (2001)
[8] Alexander, C.: Notes on the Synthesis of Form. Harvard University Press (1964)
[9] Alexander, C.: A city is not a tree. Architectural Forum 122(1), 58–62 (1965)
[10] Alvarez, R., Simon, D.: The Wire: Truth Be Told. Pocket Books (2004)
[11] Ambler, S.: Agile Modeling. John Wiley & Sons inc (2002)
[12] Amland, B.H.: 2 convicted in al-Qaida terror plot in Norway. Associated Press (2012)
[14] Anonymous: The legal framework of pets workspaces: The penal code chapter 12 and
13 (Danish). URL http://www.pet.dk/Arbejdsomraader/Lovgrundlaget/Straffeloven.aspx
[16] Anonymous: Assessment of the terror threat against denmark (2009). October 27
[18] Atzenbeck, C.: Wilddocs - investigating construction of metaphors in office work. Ph.D.
thesis, Aalborg University (2006)
[19] Atzenbeck, C., Hicks, D.L., Memon, N.: Emergent structure and awareness support for
intelligence analysis. In: Proceedings of the conference on information visualization, pp.
326–332. IEEE Press (2008)
[20] Atzenbeck, C., Hicks, D.L., Memon, N.: Supporting reasoning and communication for intelligence
officers. International journal of networking and virtual organisations 8(1/2), 15–36
(2011)
[21] Badalamente, R.V., Greitzer, F.L.: Top ten needs for intelligence analysis tool development.
In: proceedings of the 2005 international conference on intelligence analysis (2005)
[22] Bardram, J.E.: The art of doing a phd. online (2007). URL
http://www.itu.dk/people/bardram/pmwiki/pmwiki.php?n=Main.ArtPhD. Last consulted: Jan 28th 2010
[23] Berners-Lee, T.: W3 future directions. Plenary at International World Wide Web Conference,
CERN, Geneva, Switzerland (1994)
[25] Bier, E.A., Card, S.K., Bodnar, J.W.: Principles and tools for collaborative entity-based intelligence
analysis. IEEE transactions on visualization and computer graphics 16(2), 178–191
(2010)
[26] Bohannon, J.: Counterterrorism’s New Tool: ’Metanetwork’ Analysis. Science 325(5939),
409–411 (2009). DOI 10.1126/science.325_409. URL http://dx.doi.org/10.1126/science.325_409
[27] Bonnichsen, H.J.: Man skal kunne være sine hemmeligheder bekendt (2012). September 20
[28] Brachman, J.M.: Global Jihadism: Theory and Practice. Routledge (2009)
[29] Brachman, J.M., Levine, A.: You too can be awlaki! Fletcher Forum of World Affairs 35,
25–46 (2011)
[30] Brantingham, P., Glässer, U., Jackson, P., Vajihollahi, M.: Modeling criminal activity in
urban landscapes. In: N. Memon, J.D. Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical
methods in counterterrorism, pp. 9–31. Springer, Wien (2009)
[31] Børsting, M., Østergaard, M.: Politikere er klar til at stramme terrorloven (2009). October
28
[32] Bruce, J.B., George, R.Z.: Introduction: intelligence analysis - the emergence of a discipline.
In: R.Z. George, J.B. Bruce (eds.) Analyzing intelligence - origins, obstacles, and innovations,
pp. 1–15. Georgetown University Press (2008)
[33] Bush, V.: As we may think. Atlantic Monthly 176(1), 101–108 (1945)
[34] Capers, B.: Crime, legitimacy, our criminal network, and the wire. Ohio state journal of
criminal law 8, 459–471 (2011)
[35] Carley, K.M.: Destabilizing dynamic covert networks. In: Proceedings of the 8th international
command and control research and technology symposium. Evidence Based research
(2003)
[36] Carley, K.M., Lee, J.S., Krackhardt, D.: Destabilizing networks. Connections 24, 31–34
(2001)
[37] Chen, H.: Intelligence and Security Informatics for International Security - Information
Sharing and Data Mining. Springer (2006)
[38] Chen, H.: Terrorism informatics. In: Dark Web, Integrated Series in Information Systems,
vol. 30, pp. 31–41. Springer New York (2012)
[39] Chin, G., Kuchar, O.A., Wolf, K.E.: Exploring the analytical processes of intelligence analysts.
In: proceedings of the international conference on human factors in computing systems,
pp. 11–22. ACM Press (2005)
[40] Clark, R.: Intelligence analysis: a target-centric approach. CQ Press (2007)
[41] Cockburn, A.: What the agile toolbox contains (2004)
[42] Cockburn, A.: Crystal Clear - A human-powered methodology for small teams. Addison
Wesley (2005)
[43] Cockburn, A.: Agile Software Development: The Cooperative Game (2nd Edition) (Agile
Software Development Series). Addison-Wesley Professional (2006)
[44] Cohn, M.: User stories applied - for agile software development. Addison Wesley (2004)
[45] Commission on the Intelligence Capabilities of the United States Regarding Weapons of
Mass Destruction, Washington DC: Report to the President of the United States (2005)
[46] Conklin, J.: Dialogue Mapping. John Wiley and Sons Ltd (2006)
[47] Conklin, J., Begeman, M.L.: gibis: a hypertext tool for exploratory policy discussion. ACM
Trans. Inf. Syst. 6(4), 303–331 (1988)
[48] Conway, M.: Jihadi video and auto-radicalisation: evidence from an exploratory youtube
study. In: Intelligence and Security Informatics. Lecture Notes in Computer Science (LNCS),
pp. 108–118. Springer, Wien (2008)
[49] Conway, M.: From al-zarqawi to al-awlaki: The emergence of the internet as a new form of
violent radical milieu (2012)
[50] Custers, B.: Effects of unreliable group profiling by means of data mining. In: Discovery
Science, pp. 291–296 (2003)
[51] Davis, F.: Perceived usefulness, perceived ease of use and user acceptance of information
technology. MIS Quarterly 13, 319–340 (1989)
[52] DDIS: Danish defense intelligence service website (2012). [url: http://fe-ddis.dk/Pages/Default.aspx,
last visited September 2012]
[53] Dean, G., Gottschalk, P.: Knowledge management in policing and law enforcement. Oxford
University Press (2007)
[54] DeMarco, T., Lister, T.: Peopleware: Productive Projects and Teams (Second Edition).
Dorset House Publishing Company, Incorporated (1999)
[55] DeRosa, M.: Data Mining and Data Analysis for Counterterrorism. Center for Strategic
and International Studies (CSIS) (2004)
[56] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. abdur rehman hashim syed’,
also known as “pasha,” “major,” and “abdur rahman” (2009)
[57] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. david c. headley, also known
as “daood gilani”’ (2009)
[58] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. tahawwur hussain rana’ (2009)
[59] Drogin, B.: Curveball. Ebury Press (2008)
[60] Ellis, C.A., Gibbs, S.J., Rein, G.: Groupware: some issues and experiences. Commun.
ACM 34(1), 39–58 (1991). DOI 10.1145/99977.99987. URL http://doi.acm.org/10.1145/99977.99987
[61] Empirical: The american heritage dictionary of the english language (4th ed.) (2000)
[62] Engelbart, D.C.: A conceptual framework for the augmentation of man’s intellect. In:
Computer-supported cooperative work, pp. 35–65. Kaufmann (1988)
[63] Erétéo, G., Buffa, M., Gandon, F., Grohan, P., Leitzelman, M., Sander, P.: A state of the
art on social network analysis and its applications on a semantic web (2008)
[64] Erétéo, G., Limpens, F., Gandon L., F., Corby, O., Buffa, M., Leitzelman, M., Sander, P.:
Semantic social network analysis: a concrete case. In: Handbook of Research on Methods
and Techniques for Studying Virtual Communities: Paradigms and Phenomena, pp. 122–
156. IGI Global (2011)
[65] Europol: TE-SAT 2009: EU Terrorism Situation and Trend Report 2009 (2009)
[66] Europol: TE-SAT 2010: EU Terrorism Situation and Trend Report 2010 (2010)
[67] Europol: TE-SAT 2011: EU Terrorism Situation and Trend Report 2011 (2011)
[68] Ferry, J.P., Lo, D., Ahearn, S.T., Phillips, A.M.: Network detection theory. In: N. Memon,
J. David Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical Methods in Counterterrorism,
pp. 161–181. Springer Vienna (2009)
[69] Field, A., Hole, G.: How to Design and Report Experiments. Sage Publications Ltd (2003)
[70] Floyd, C.: A systematic look at prototyping. In: B. et al. (ed.) Approaches to Prototyping,
pp. 105–122. Springer-Verlag (1984)
[71] Flyvbjerg, B.: Five misunderstandings about case-study research. Qualitative Inquiry pp.
219–245 (2006)
[72] Flyvbjerg, B.: Case study. In: N.K. Denzin, Y.S. Lincoln (eds.) The Sage Handbook of
Qualitative Research, pp. 301–316. Sage (2011)
[74] Gabora, L.: Cognitive mechanisms underlying the creative process. In: Proceedings of the
4th conference on Creativity & cognition, C&C ’02, pp. 126–133. ACM, New York, NY, USA
(2002). DOI 10.1145/581710.581730. URL http://doi.acm.org/10.1145/581710.581730
[75] Gerber, A.J., Barnard, A., var der Merwe, A.J.: A semantic web status model (2006)
[76] Gill, J.: Building theory from case studies. Small business and enterprise development 2,
71–75 (1995)
[77] Gill, P.: Rounding up the usual suspects? Developments in contemporary law enforcement
intelligence. Ashgate Pub Ltd (2000)
[78] Gjerding, S., Toft, S.B.: Ansvarlige for utøya-svigt er for længst gået af (2012). August 13
[79] Gloor, P.A., Zhao, Y.: Analyzing actors and their discussion topics by semantic social
network analysis. In: Proceedings of Information Visualization (IV 2006), pp. 130–135
(2006)
[80] Gniadek, J.: Destabilizing terrorist networks through link importance analysis. Master’s
thesis (2010)
[81] Graber, D.A.: Terrorism, censorship and the 1st amendment: In search of policy guidelines.
In: P. Norris, M. Kern, M. Just (eds.) Framing Terrorism - The News Media, the Government
and the Public, pp. 27–42. Routledge (2003)
[82] Halasz, F.G.: Reflections on notecards: seven issues for the next generation of hypermedia
systems. Commun. ACM 31(7), 836–852 (1988)
[83] Harper, W.R., Harris, D.H.: The application of link analysis to police intelligence. Human
Factors 17(2), 157–164 (1975)
[84] Hauck, R.V., Chau, M., Chen, H.: Coplink: arming law enforcement with new knowledge
management technologies. In: Advances in digital government: technology, human factors,
and policy, pp. 163–179. Kluwer Academic Publishers (2002)
[85] Havaleschka, L.: Tidslinje: Glasvej-sagen dag for dag (2008). October 28
[86] Heer, J., Card, S.K., Landay, J.A.: prefuse: a toolkit for interactive information visualiza-
tion. In: Proceedings of the SIGCHI conference on Human factors in computing systems,
CHI ’05, pp. 421–430. ACM, New York, NY, USA (2005). DOI 10.1145/1054972.1055031.
URL http://doi.acm.org/10.1145/1054972.1055031
[87] Hemmingsen, A.S.: Anti-demokratiske og voldsfremmende miljøer i danmark, som bekender
sig til islamistisk ideologi - hvad ved vi? Research report for the danish ministry of social
affairs and integration, DIIS - Danish Institute for International Studies (2012)
[88] Henriksen, M.: Venstre åbner for terrorstramninger (2010). URL
http://www.berlingske.dk/danmark/venstre-aabner-terrorstramninger. January 3
[89] Hirtle, S.: Representational structures for cognitive space: Trees, ordered trees and semi-
lattices. In: A. Frank, W. Kuhn (eds.) Spatial Information Theory A Theoretical Basis for
GIS, Lecture Notes in Computer Science, vol. 988, pp. 327–340. Springer Berlin / Heidelberg
(1995)
[90] Hjarvard, S.: Den politiske presse - en analyse af danske avisers politiske orientering. Jour-
nalistica (2007)
[91] Hjørland, B., Albrechtsen, H.: Toward a new horizon in information science: Domain-
analysis. Journal of the American Society for Information Science 46(6), 400–425 (1995)
[92] Hoffman, B.: Inside Terrorism. Columbia University Press (2006)
[93] Hoffman, B.: The myth of grass-roots terrorism. Foreign Affairs 87 (2008)
[94] Hoskins, A., O’Loughlin, B.: Television and Terror: Conflicting Times and the Crisis of
News Discourse. New Security Challenges. Palgrave MacMillan, Basingstoke, Hampshire,
U.K. (2007). [Chapter 7: ‘Drama and Documentary: The Power of Nightmares’]
[95] wei Hsieh, H., III, F.M.S.: Supporting visual problem solving in spatial hypertext. J. Digit.
Inf. 10(3) (2009)
[96] Hsieh, H., Shipman, F.: Activity links: supporting communication and reflection about
action. In: Proceedings of the sixteenth ACM conference on Hypertext and hypermedia,
HYPERTEXT ’05, pp. 161–170. ACM, New York, NY, USA (2005)
[97] Hsieh, H., Shipman, F.M.: Manipulating structured information in a visual workspace. In:
Proceedings of the 15th annual ACM symposium on User interface software and technology,
UIST ’02, pp. 217–226. ACM, New York, NY, USA (2002)
[98] Hüttemeier Christian og Børsting, M.: Afghanerne skal selv overtage ansvaret om 2 år
(2009). URL http://politiken.dk/politik/article844927.ece. November 26
[99] Hu, P.J.H., Chen, H., Hu, H., Larson, C., Butierez, C.: Law enforcement officers’ accep-
tance of advanced e-government technology: A survey study of coplink mobile. Electronic
Commerce Research and Applications 10, 6–16 (2011)
[100] Hu, P.J.H., Lin, C., Chen, H.: User acceptance of intelligence and security informatics tech-
nology: A study of coplink. The American Society for Information Science and Technology
56, 235–244 (2005)
[101] Hunter, M.L., Hanson, N., Sabbagh, R., Sengers, L., Sullivan, D., Thordsen, P.: Story-based
inquiry: a manual for investigative journalists. UNESCO (2009)
[102] Huntington, S.P.: The Clash of Civilizations and the Remaking of World Order. Simon &
Schuster (1996)
[103] Ib, H.: Ledende artikel: Fjenden på besøg (2009). October 28
[104] IBMi2: i2 analyst’s notebook 8. What’s New (technical report) (2009). [issue 1, downloaded
from company website]
[105] IBMi2: i2 analyst’s notebook product video. i2 EMEA user conference (2010). [on file with
author]
[107] IBMi2: Training team: hands on lab handouts. i2 EMEA end user conference (2010). [on
file with author]
[108] IBMi2: Ibm i2 analyst’s notebook premium. Handout at IBM i2 intelligence analysis seminar
(2012). [on file with author]
[109] III, J.O.E.: Countering terrorism with knowledge. In: H. Chen, E. Reid, J. Sinai, A. Silke,
B. Ganor (eds.) Terrorism Informatics - Knowledge Management and Data Mining for Home-
land Security. Springer (2008)
[110] Intelligence and Security Committee, United Kingdom: Could 7/7 have been prevented?
Review of the intelligence on the London terrorist attacks on 7 July 2005 (2009)
[111] Irons, L.R.: Recent patterns of terrorism prevention in the united kingdom. Homeland
Security Affairs 4 (2008)
[112] Irwin, C., Roberts, C., Mee, N.: Counter terrorism overseas. Defence Science and Technology
Laboratory (Dstl/CD053271/1.1), UK (2002)
[114] Jonker, D., Wright, W., Schroh, D., Proulx, P., Cort, B.: Information triage with trist. In:
Proceedings of the International Conference on Intelligence Analysis, (2005)
[115] Grønbæk, K.: Composites in a dexter-based hypermedia framework. In: Proceedings of the
1994 ACM European conference on Hypermedia technology, ECHT ’94, pp. 59–69. ACM,
New York, NY, USA (1994)
[116] Kebbell, M.R., Muller, D.A., Martin, K.: Understanding and managing bias. Dealing with
uncertainties in policing serious crime pp. 87–97 (2010)
[117] Kim, D., Shipman, F.M.: Interpretation and visualization of user history in a spatial hyper-
text system. In: Proceedings of the 21st ACM conference on Hypertext and hypermedia,
HT ’10, pp. 255–264. ACM, New York, NY, USA (2010)
[118] Kitchenham, B., Pickard, L., Pfleeger, S.L.: Case studies for method and tool evaluation.
IEEE Software pp. 52–62 (1995)
[119] Kleine, D.: The capability approach and the ‘medium of choice’: steps towards conceptual-
ising information and communication technologies for development. Ethics and Inf. Technol.
13(2), 119–130 (2011)
[120] Klerks, P.: The network paradigm applied to criminal organizations: Theoretical nitpicking
or a relevant doctrine for investigators? Connections 24(3), 53–65 (2001)
[121] Kolb, D.: Other spaces for spatial hypertext. Journal of Digital Information 10(3) (2009)
[122] Krebs, V.: Mapping networks of terrorist cells. CONNECTIONS 24(3), 43–52 (2002)
[124] Kumar, R., Novak, J., Tomkins, A.: Structure and evolution of online social networks. In:
Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery
and data mining, KDD ’06, pp. 611–617. ACM, New York, NY, USA (2006). DOI
10.1145/1150402.1150476. URL http://doi.acm.org/10.1145/1150402.1150476
[125] Larman, C.: Agile & Iterative Development - A Managers Guide. Addison Wesley (2004)
[126] Laville, S.: Al-Qaida-inspired plotters planned attacks on high-profile London targets. The
Guardian (2012)
[127] Levine, C.: Artful accuracy and the problem of form: Why the wire feels real. Unpublished
manuscript
[128] Levy, B.H.: Who killed Daniel Pearl? Melville House Publishing (2003)
[129] Lichter, H., Schneider-Hufschmidt, M., Züllighoven, H.: Prototyping in industrial software
projects - bridging the gap between theory and practice. In: Proceedings of the 15th in-
ternational conference on Software Engineering, ICSE ’93, pp. 221–229. IEEE Computer
Society Press, Los Alamitos, CA, USA (1993). URL
http://dl.acm.org/citation.cfm?id=257572.257623
[130] Licklider, J.C.R.: Man-computer symbiosis. IRE transactions on human factors in electronics
pp. 4–11 (1960)
[131] Lillie, B.: Human-machine synergy: Shyam sankar at tedglobal 2012. TED (2012). [blog,
http://blog.ted.com/, last visited September 2012]
[132] Lim, Y.K., Stolterman, E., Tenenberg, J.: The anatomy of prototypes: Prototypes as fil-
ters, prototypes as manifestations of design ideas. ACM Trans. Comput.-Hum. Interact.
15(2), 7:1–7:27 (2008). DOI 10.1145/1375761.1375762. URL
http://doi.acm.org/10.1145/1375761.1375762
[133] Lindhardt, C.: Al-qaeda står bag ambassadebombe (2008). URL
http://politiken.dk/udland/article518880.ece. June 5
[134] Linschoten, A.S., Kuehn, F.: An enemy we created: the myth of the Taliban/Al-Qaeda
merger in Afghanistan, 1970-2010. Hurst (2012)
[135] MacDougall, I.: Norway ’bomb plot’ highlights al-Qaida problems. Associated Press (2012)
[136] MacFadyen, G.: The practices of investigative journalism. In: H. De Burgh, P. Bradshaw
(eds.) Investigative journalism, pp. 138–156 (2008)
[137] MacKensie, J.: The battle for afghanistan: Militancy and conflict in helmand (2010)
[138] Maltesen, B.: Tunesersag skal for højesteret (2009). URL
http://politiken.dk/indland/article852324.ece. December 4
[139] Marshall, B., Chen, H., Kaza, S.: Using importance flooding to identify interesting networks
of criminal activity. J. Am. Soc. Inf. Sci. Technol. 59(13), 2099–2114 (2008). DOI
10.1002/asi.v59:13. URL http://dx.doi.org/10.1002/asi.v59:13
[140] Marshall, C.C., Halasz, F.G., Rogers, R.A., Janssen Jr., W.C.: Aquanet: a hypertext tool
to hold your knowledge in place. In: Proceedings of the third annual ACM conference on
Hypertext, HYPERTEXT ’91, pp. 261–275. ACM, New York, NY, USA (1991)
[141] Marshall, C.C., Shipman III, F.M.: Spatial hypertext: designing for change. Commun. ACM
38(8), 88–97 (1995)
[142] Marshall, C.C., Shipman III, F.M., Coombs, J.H.: Viki: spatial hypertext supporting emer-
gent structure. In: Proceedings of the 1994 ACM European conference on Hypermedia
technology, ECHT ’94, pp. 13–23. ACM, New York, NY, USA (1994)
[143] Mason, R.O.: Four ethical issues of the information age. MIS Q. 10(1), 5–12 (1986)
[144] McBride, M., Morgan, S.: Trust calibration for automated decision aids (2010)
[145] McCall, R.J., Bennett, P.R., D’Oronzio, P.S., Oswald, J.L., Shipman III, F.M., Wallace,
N.F.: Hypertext: concepts, systems and applications. chap. PHIDIAS: integrating CAD
graphics into dynamic hypertext, pp. 152–165. Cambridge University Press, New York, NY,
USA (1992)
[146] McDermott, T., Meyer, J.: The Hunt for KSM - Inside the Pursuit and Takedown of the
Real 9/11 Mastermind, Khalid Sheikh Mohammad. Little, Brown and Company (2012)
[147] Memon, B.: Identifying important nodes in weighted covert networks using generalized
centrality measures. In: European Intelligence and Security Informatics Conference 2012,
Odense, Denmark. Odense, Denmark (2012)
[148] Memon, N., Wiil, U.K., Alhajj, R., Atzenbeck, C., Harkiolakis, N.: Harvesting covert net-
works: a case study of the iminer database. Int. J. Netw. Virtual Organ. 8(1/2), 52–74
(2011)
[149] Moore, R.K.: The life cycle of creative endeavors. Enneagram Monthly (1997)
[150] Morselli, C.: The criminal network perspective. In: Inside criminal networks, Studies of
organized crime, vol. 8, pp. 1–21. Springer New York (2009)
[151] Mortensen, M.N., Bangsgaard, J.: Tidligere pet-chef: Uværdig tuneser-sag (2008). URL
http://www.berlingske.dk/danmark/tidligere-pet-chef-uvaerdig-tuneser-sag.
November 15
[152] National commission on terrorist attacks upon the United States, United States: The 9/11
Commission Report (Executive Summary) (2004). URL
http://www.9-11commission.gov/report/911Report_Exec.pdf
[153] National commission on terrorist attacks upon the United States, Norway: The 22/7 Com-
mission Report (2012). URL http://22julikommisjonen.no/Rapport
[154] Nesser, P.: Structures of jihadist terrorist cells in the uk and europe. In: Proceedings of the
Joint FFI/King’s College Conference on “The Changing Faces of Jihadism” (2006)
[156] Nørgaard Kristensen, N., Ørsten, M.: Danish media at war - the danish media coverage of
the invasion of iraq 2003. Journalism : theory, practice and criticism 8, 323–343 (2007)
[157] Nürnberg, P.: Structural computing and metadata management. In: Proceedings of the 2nd
Conference on Knowledge Management and Knowledge Technology (2002)
[158] Nürnberg, P.J., Leggett, J.J., Schneider, E.R.: As we should have thought. In: Proceedings
of the eighth ACM conference on Hypertext, HYPERTEXT ’97, pp. 96–101. ACM, New
York, NY, USA (1997). DOI 10.1145/267437.267448. URL
http://doi.acm.org/10.1145/267437.267448
[159] Nürnberg, P.J., Wiil, U.K., Leggett, J.J.: Structuring facilities in digital libraries. In:
Proceedings of the Second European Conference on Research and Advanced Technology for
Digital Libraries, ECDL ’98, pp. 295–313. Springer-Verlag, London, UK, UK (1998)
[160] Park, A.J., Tsang, H.H., Brantingham, P.L.: Dynalink: A framework for dynamic criminal
network visualization. In: Proceedings of European Intelligence and Security Informatics
Conference, pp. 217–224. IEEE (2012)
[161] Payne, J., Solomon, J., Sankar, R., McGrew, B.: Grand challenge award: Interactive vi-
sual analytics - palantir: The future of analysis. In: Proceedings of Symposium on Visual
Analytics Science and Technology, pp. 201–202. IEEE (2008)
[163] Penfold-Mounce, R., Beer, D., Burrows, R.: The wire as social science-fiction? Sociology
45(1), 152–167 (2011)
[164] Perlez, J., Shah, P.Z.: Embassy attack in pakistan kills at least 6 (2008). URL
http://www.nytimes.com/2008/06/03/world/asia/03pakistan.html. June 3
[165] Petersen, R.R.: Asap: Agile planning in future creative room. Master’s thesis, University of
Southern Denmark (2008)
[166] Petersen, R.R.: Interview with alex strick van linschoten. A discussion of CrimeFighter
Investigator, Tinderbox, Gephi, Analyst’s Notebook in relation to Alex’s work with mapping
the temporal evolution of Afghan Taliban., Trafalgar Square, London, United Kingdom
(2011)
[167] Petersen, R.R.: Presentation of crimefighter investigator. Presented and demonstrated work
on prediction of covert network structure and missing links to a group of British intelligence
analysts, British Home Office, London, United Kingdom (2011)
[168] Petersen, R.R.: Association and centrality in criminal networks. In: Proceedings of European
Intelligence and Security Informatics Conference. IEEE (2012)
[169] Petersen, R.R., Rhodes, C.J., Wiil, U.K.: Node removal in criminal networks. In: Pro-
ceedings of European Intelligence and Security Informatics Conference, pp. 360–365. IEEE
(2011)
[170] Petersen, R.R., Wiil, U.K.: Asap: a planning tool for agile software development. In:
Proceedings of the nineteenth ACM conference on Hypertext and hypermedia, HT ’08, pp.
27–32. ACM, New York, NY, USA (2008)
[171] Petersen, R.R., Wiil, U.K.: Asap: A lightweight tool for agile planning. In: Proceedings of
the 4th International Conference on Software and Data Technologies (ICSOFT), pp. 265–272
(2009)
[172] Petersen, R.R., Wiil, U.K.: Analysis of emergent and evolving information: the agile plan-
ning case. In: J. Cordeiro, K. Ranchordas Alpesh, B. Shishkov (eds.) Software and data
technologies, Communications in computer and information science, vol. 50, pp. 263–276.
Springer Berlin Heidelberg (2011)
[173] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: A novel tool for criminal network
investigation. In: Proceedings of European Intelligence and Security Informatics Conference,
pp. 360–365. IEEE (2011)
[174] Petersen, R.R., Wiil, U.K.: Hypertext structures for investigative teams. In: proceedings of
the 22nd ACM conference on hypertext, pp. 123–132. ACM Press (2011)
[175] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Criminal network sense-making. In:
V.S. Subrahmanian (ed.) Computational Approaches to Counterterrorism (2012). Accepted
for publication
[176] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Integrating synthesis and sense-
making for criminal network investigation. Security Informatics (special issues on criminal
network investigation) (2012). [Accepted for publication]
[177] Pinto, P.C., Thiran, P., Vetterli, M.: Locating the source of diffusion in large-scale networks.
Phys. Rev. Lett. 109, 068702 (2012). DOI 10.1103/PhysRevLett.109.068702. URL
http://link.aps.org/doi/10.1103/PhysRevLett.109.068702
[178] Pioch, N.J., Everett, J.O.: Polestar: collaborative knowledge management and sensemaking
tools for intelligence analysts. In: proceedings of the international conference on information
and knowledge management, pp. 513–521. ACM Press (2006)
[179] Popp, R., Poindexter, J.: Countering terrorism through information and privacy protection
technologies. IEEE Security and Privacy 4(6), 18–27 (2006)
[181] Reuters: Two chicago men charged in connection with alleged roles in foreign terror plot
that focused on targets in denmark (2009). October 27
[182] Rhodes, C.: The use of open source intelligence in the construction of covert social networks.
In: U.K. Wiil (ed.) Counterterrorism and Open Source Intelligence. Lecture Notes in Social
Networks (LNSN 2), pp. 159–170. Springer, Wien (2011)
[183] Rhodes, C.J., Jones, P.: Inferring missing links in partially observed social networks. Journal
of the operational research society 60(10), 1373–1383 (2009)
[184] Rhodes, C.J., Keefe, C.M.J.: Social network topology: a bayesian approach. Journal of the
operational research society 58(12), 1605–1611 (2007)
[185] ritzau: Fængslet for terror mod dansk ambassade (2009). URL http://politiken.dk/
udland/article763350.ece. August 5
[187] Robinson, L.: Information science: communication chain and domain analysis. Journal of
Documentation 65(4), 578–591 (2009)
[188] Sageman, M.: Understanding Terrorist Networks. University of Pennsylvania Press (PENN),
Philadelphia, Pennsylvania (2004)
[190] Sageman, M.: The reality of grassroots terrorism. Foreign Affairs 87 (2008)
[191] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [video,
http://youtu.be/jTnDyLndIqI, last visited September 2012]
[192] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [Powerpoint Presenta-
tion, on file with author]
[193] Saunders-Newton, D., Scott, H.: “but the computer said!”: Credible uses of computational
modeling in public sector decision making. Social Science Computer Review 19, 47–65 (2001)
[194] Schimpf, B.: Data integration platform. Palantir Technologies (2011). [online video,
http://www.palantirtech.com/government/videos/whitevideos, last visited 2011]
[195] Scott, J.: Social network analysis, a handbook (second edition). Sage (2000)
[196] Security, D., (PET), I.S.: Terror arrests in Copenhagen (undated). URL
http://www.pet.dk/Nyheder/morkhoj-uk.aspx
[197] Shipman, F., Moore, J.M., Maloor, P., Hsieh, H., Akkapeddi, R.: Semantics happen: knowl-
edge building in spatial hypertext. In: Proceedings of the thirteenth ACM conference on
Hypertext and hypermedia, HYPERTEXT ’02, pp. 25–34. ACM (2002)
[198] Shipman III, F.M., Hsieh, H., Maloor, P., Moore, J.M.: The visual knowledge builder:
a second generation spatial hypertext. In: Proceedings of the 12th ACM conference on
Hypertext and Hypermedia, HYPERTEXT ’01, pp. 113–122. ACM, New York, NY, USA
(2001)
[199] Shipman III, F.M., Marshall, C.C.: Formality considered harmful: Experiences, emerging
themes, and directions on the use of formal representations in interactive systems. Comput.
Supported Coop. Work 8(4), 333–352 (1999). DOI 10.1023/A:1008716330212. URL
http://dx.doi.org/10.1023/A:1008716330212
[200] Shrinivasan, Y., van Wijk, J.: Supporting exploration awareness for visual analytics. In:
Visual Analytics Science and Technology, 2008. VAST ’08. IEEE Symposium on, pp. 185–186
(2008). DOI 10.1109/VAST.2008.4677378
[201] Shrinivasan, Y.B., Wijk, J.J.: Supporting the analytical reasoning process in information
visualization. In: proceedings of the 26th conference on human factors in computing systems.
ACM Press (2008)
[202] Sifakis, J.: A vision for computer science - the system perspective. Central European Journal
of Computer Science 1, 108–116 (2011)
[203] Silber, M.D., Bhatt, A.: Radicalisation in the West: The Homegrown Threat (2007)
[204] Simon, D.: Homicide - a year on the killing streets. Picador (1991)
[205] Simon, D., Burns, E.: The corner - a year in the life of an inner-city neighbourhood. Broad-
way Books (1997)
[206] Simon, D., Burns, E.: The wire (the complete first season) (2002)
[207] Sipser, M.: Introduction to the theory of computation. PWS Publishing Company (1997)
[208] Skjoldager, M.: Truslen indefra: De danske terrorister. Lindhardt & Ringhof (2009)
[209] Skjoldager, M., Holst, N.: Landsretten dømmer to for terror (2009). June 26
[210] Skøt, J.: At løse et svært ingeniørproblem er som at spille på et instrument. Ingeniøren pp.
14–15 (2012). Translated title: “Solving a difficult engineering problem is like playing an
instrument”
[211] Smith, E.A.: Complexity, networking, & effects-based approaches to operations. CCRP
(2006)
[212] Sparrow, M.K.: The application of network analysis to criminal intelligence: An assessment
of the prospects. Social Networks 13, 251–274 (1991)
[213] Sørensen, L.M.: Al-qaeda-leder trænede dansk terrorist (2009). URL
http://politiken.dk/indland/article807742.ece. October 11
[214] Steele, R.D.: Human intelligence (humint): All humans, all minds, all the time (2009).
[Draft 3.7 Article 11 Jul 09 APPROVED By DoD and CIA PRB. On file with author.]
[215] Steele, R.D.: Open source intelligence. In: L.K. Johnson (ed.) Handbook of intelligence
studies, pp. 129–147. Routledge (2009)
[216] Stenbit, J.P., L, W.I., Alberts, D.S.: NATO code of best practice for C2 assessment, [Chapter
5: Measures of Merit]. CCRP (2002)
[217] Stoll, C.: Silicon snake oil: Second thoughts on the information highway (1995)
[218] Sullivan, K.: Denmark tries to act against terrorism as mood in europe shifts (2005). August
29
[219] Taarnby, M.: Jihad in Denmark: an overview and analysis of jihadi activity in denmark
1990-2006. Danish Institute for International Studies (2006)
[220] Tanfani, J., Shiffman, J., Shea, K.B.: American suspect in mumbai attack was dea informant
(2009). December 14
[221] Taniguchi, T.A., Ratcliffe, J.H., Taylor, R.B.: Gang set space, drug markets, and crime
around drug corners in camden. Journal of research in crime and delinquency 48, 327–363
(2011)
[222] Technologies, P.: Hard technical problems in civil liberties protection. Tech. rep. (2011).
Whitepaper
[223] Technologies, P.: Privacy and civil liberties are in palantir’s dna. Tech. rep. (2011). Whitepa-
per
[224] Thomas, G.: A typology for the case study in social science following a review of definition,
discourse, and structure. Qualitative Inquiry 17(6), 511–521 (2011)
[225] Thompson, J., Hopf-Weichel, R., Geiselman, R.E.: The cognitive bases of intelligence anal-
ysis. Tech. rep., U.S. Army, Research Institute for the Behavioral and Social Sciences (1984)
[226] Thomsen, C.B.: På sporet af to terrormistænkte (2009). November 15
[227] Todd, B.F., Nomani, A.: The Truth Left Behind: Inside the Kidnapping and Murder of
Daniel Pearl (2011)
[228] Tusikov, N.: The godfather is dead: A hybrid model of organized crime. Aprehendiendo al
delincuente: crimen y medios en América del Norte pp. 143–160 (2010)
[229] Unavailable: Big data: crunching the numbers. The Economist (2012)
[230] Unknown: Palantir counterterrorism demonstration. Palantir Technologies (2009). [video,
http://www.palantir.com/2009/03/fullct/, last visited September 2012]
[231] Unknown: London terror bomb plot: the four terrorists. The Telegraph (2012)
[232] Van Dyke Parunak, H.: Don’t link me in: set based hypermedia for taxonomic reasoning.
In: Proceedings of the third annual ACM conference on Hypertext, HYPERTEXT ’91, pp.
233–242. ACM, New York, NY, USA (1991)
[233] Vedder, A., Custers, B.: Whose responsibility is it anyway? dealing with the consequences
of new technologies. In: P. Sollie, M. Düwell, A.M. Cutter, B. Gordijn, G.E. Marchant,
A. Pompidou (eds.) Evaluating New Technologies, The International Library of Ethics, Law
and Technology, vol. 3, pp. 21–34. Springer Netherlands (2009)
[234] Veldhuis, T., Staun, J.: Islamist Radicalisation: A Root Cause Model (2009)
[235] Vidino, L.: Al Qaeda in Europe: The New Battleground of International Jihad. Prometheus
Books (2005)
[236] Vidino, L.: Radicalization, linkage, and diversity: Current trends in terrorism in europe
(2011)
[237] Vijaykumar, S.: Object model. Palantir Technologies (2011). [online video,
http://www.palantirtech.com/government/videos/whitevideos, last visited 2011]
[238] Vogel, K.M.: ‘iraqi winnebagos™ of death’: Imagined and realized futures of us bioweapons
threat assessment. Science and Public Policy 35, 561–573 (2008)
[239] Warr, A., O’Neill, E.: Understanding design as a social creative process. In: Proceedings of
the 5th conference on Creativity & cognition, C&C ’05, pp. 118–127. ACM, New York, NY,
USA (2005)
[240] Wasserman, S., Faust, K.: Social Network Analysis: Methods and Applications. Cambridge
University Press (1994)
[241] Weiman, G.: Terror on facebook, twitter, and youtube. Brown Journal of World Affairs 16,
45–54 (2010)
[242] Weiner, T.: Legacy of Ashes: The History of the CIA. Anchor Books (2008)
[243] Wiil, U., Hicks, D., P., S.: Vision and progress towards structural computing support for
knowledge management. UCS 9 (2003)
[244] Wiil, U.K., Gniadek, J., Memon, N.: Measuring link importance in terrorist networks. In:
Proceedings of the international conference on advances in social networks analysis and
mining, pp. 225–232. IEEE (2010)
[245] Wiil, U.K., Gniadek, J., Memon, N., Petersen, R.R.: Knowledge management tools for
terrorist network analysis. In: Knowledge Discovery, Knowledge Engineering and Knowl-
edge Management. Lecture Notes in Communications in Computer and Information Science
(LNCCIS). Springer, Wien (2011)
[246] Wiil, U.K., Hicks, D.L.: Tools and services for knowledge discovery, management and struc-
turing in digital libraries. In: Proc. 8th Conf. Concurrent Engineering, pp. 580–589 (2001)
[247] Wiil, U.K., Memon, N., Gniadek, J.: Knowledge management processes, tools and techniques
for counterterrorism. In: K. Liu (ed.) KMIS, pp. 29–36. INSTICC Press (2009)
[248] Wiil, U.K., Memon, N., Gniadek, J.: Crimefighter: A toolbox for counterterrorism. Lec-
ture notes in communications in computer and information science (Knowledge discovery,
knowledge engineering and knowledge management) 128, 337–350 (2011)
[252] Woo, G.: Intelligence constraints on terrorist network plots. In: N. Memon, J.D. Farley,
D.L. Hicks, T. Rosenorn (eds.) Mathematical methods in counterterrorism, pp. 205–214.
Springer, Wien (2009)
[253] Wright, D.: A framework for the ethical impact assessment of information technology. Ethics
and Inf. Technol. 13(3), 199–226 (2011)
[254] Wright, W., Schroh, D., Proulx, P., Skaburskis, A., Cort, B.: The sandbox for analysis:
concepts and methods. In: Proceedings of the conference on human factors in computing
systems, pp. 801–810. ACM Press (2006)
[255] Xu, J., Chen, H.: Criminal network analysis and visualization. Commun. ACM 48(6),
100–107 (2005)
[256] Yalcinkaya, R.: Police officers’ adoption of information technology: A case study of the
turkish polnet system. Ph.D. thesis, University of North Texas (2007)
[257] Youtube: General colin powell un speech on iraq part 1of5 (2012). URL
http://www.youtube.com/watch?v=Nt5RZ6ukbNc. Last visited on February 19th 2012
APPENDIX A. PUBLICATIONS AND OTHER WORK
This appendix lists all our published work (Section A.1) together with unpublished papers and
manuscripts (Section A.2).
A.3 Presentations
1. Petersen, R.R., and Wiil, U.K., “Adaptive Counterterrorism Tools over Silver Bullets”, at the
International and Interdisciplinary Terrorism and New Media Conference, Dublin, Ireland,
2010.
APPENDIX B. DDIS WEB DOCUMENTS
The Danish Defense Intelligence Service's description of the intelligence cycle, originally published in Danish, is repeated below [52].
B.1 The intelligence cycle
The connection between collection, processing and analysis, and reporting is central to intelligence work. We describe it by the so-called intelligence cycle. The cycle describes a coherent work process that is repeated continuously.
The starting point is a prioritization. It is set on the basis of the service's tasks and resources and after discussion with our customers, both inside and outside the armed forces. The guiding consideration is the security of Denmark and of Danish military forces.
Next, we make clear to ourselves what we already know and what we would like to know. This is done by formulating a so-called intelligence requirement: a list of the questions we would like answered and the information we lack. These are the starting point for collection.
Collection seeks to answer the questions posed by obtaining information from sources, which can be both closed and open sources. Open sources are sources that anyone can gain access to, such as the Internet, newspapers and other publications. Closed sources require an intelligence effort. It is access to closed sources that is a distinguishing feature of the intelligence assessment. Information from both open and closed sources must be assessed and analyzed. Is the information and/or the source credible? In this connection, it is a strength in the analysis to be able to compare information from open and from closed sources.
In the analysis, one starts from a conception of what the situation is, a so-called hypothesis, which is tested against the information one has. What is interesting is whether there is information that does not fit one's conception. Then there may be another hypothesis that fits the available information better. This is not work that one employee can do alone. It is to a high degree teamwork, in which one tests one's hypotheses and analyses with one's colleagues. In this connection, the analyst may come across new questions that he or she wants answered, or information that is incomplete. The analyst then formulates a new intelligence requirement.
When an analysis is finished, it must be turned into a report. In this connection it is important to convey the assessment as precisely as possible. In reporting we normally distinguish sharply between information and assessment. We reproduce information in such a way that it is not apparent precisely where it comes from. This is necessary to protect the sources and FE's collection capacity. For the same reason, FE's reports are normally classified. This also applies to the reports that FE receives from foreign partners.
B.2 FE undertakes reprioritizations
FE sees a need to carry out a number of reprioritizations. This entails closing down some of the service's current collection capabilities and at the same time strengthening others. The consequence is that FE's station at Dueodde on Bornholm will be closed, and changes will be made at FE's collection stations in Nordjylland and on Amager. It is expected that 27 employees will have to be dismissed, 17 of them on Bornholm. At the same time, the intention is to hire approx. 20 new employees with other competencies.
The reason for these reprioritizations is the need to adapt FE to technological developments, combined with the development of the overall threat picture, held up against the overall financial framework.
FE is thus carrying out the reprioritizations in order to strengthen collection in the areas assessed to be most relevant to Denmark's security. This requires continued adaptation of capabilities and competencies.
In the spring of 2011, FE underwent a major reorganization to focus the service and make it more efficient, so that it is equipped to handle the tasks of the future. The new organization springs from the requirement that the organization must at all times support and reflect FE's priorities and task performance. The same requirement applies to FE's collection capabilities.
The threat picture directed at Denmark, together with the need to support the armed forces' deployed forces, requires that we at all times have up-to-date collection that can act flexibly.