On Bellingcat and Echosec
Despite Flashpoint publishing a case study in November 2022 on Bellingcat's usage of its Echosec internet surveillance platform, Bellingcat states that its usage mostly stopped in 2015.
[2023-04-18, 11:56am ET] Added a post-publication comment from Flashpoint’s Director of Content Marketing & Communications confirming our reporting.
[2023-04-15, 1:54pm ET] A post-publication quote from Bellingcat contributor Nick Waters describing Echosec as “expensive” and ineffective was also added.
[2023-04-15, 1:11pm ET] Further information on Bellingcat’s 2015-era usage of Echosec for geolocation was added, as was a footnote on New York Times correspondent Philipps deleting his previous tweet.
The investigative nonprofit Bellingcat has become so synonymous with ‘open source intelligence’ that it has been recently promoted by former CIA staffers as the model for a new U.S. intelligence agency. And, two days ago, Bellingcat’s director of research and training was given lead authorship in the New York Times investigation fingering airman Jack Teixeira as the source of a major national security leak.
The partnership between Bellingcat and The New York Times in frontrunning the FBI investigation into Teixeira has elicited significant public outcry. New York Times military correspondent David Philipps even publicly lamented (in a now deleted tweet) that “The NYT worked feverishly to find the identity of the guy leaking TS docs on Discord. Ironically, if they [sic] same guy had leaked to the NYT, we'd be working feverishly to conceal it.”1
But Bellingcat’s usage of ‘publicly available information’ is serving as a broader bellwether for civil society and intelligence agency norms, including through their usage of artificial intelligence for facial recognition and internet forum monitoring. One prominent private intelligence firm, Flashpoint, advertised as recently as November that its Echosec internet surveillance product was ‘the '“Best Tool” for Citizen Journalist Website Bellingcat’ and that Bellingcat had trained 20 journalists from Radio Free Europe/Radio Liberty on the usage of Echosec.
According to the case study:
“Echosec gives users the ability to draw a geofence around a particular location of interest—as large as a country or as small as a building—and then search keywords within the chosen area to mine any publically-available social media data. Bellingcat contributor Ruslan Leviev says that Echosec has proved very useful for breaking news situations and being able to find information as it’s being posted online. He notes it has assisted in various investigations as well—not only in finding evidence, but also in referencing images for geolocation.”
Flashpoint’s advertisement strongly suggested Bellingcat’s ongoing usage of the platform. But, according to Bellingcat’s director of research and training, Aric Toler — the lead author of the New York Times piece exposing Teixeira — his own usage of Echosec ended in 2015 “because it got insanely expensive” and “its service significantly downgraded when it lost access to the Instagram API and some other services”. (Though Toler noted Bellingcat founder Eliot Higgins continued to occasionally use Echosec, albeit with no significant investigatory outcomes.)
The timeline matters significantly, as Echosec was acquired by Flashpoint in August 2022 — roughly seven years after Toler asserts Bellingcat’s usage of Echosec wound down. As a private intelligence firm founded by former NBC Terrorism Analyst turned FBI contractor Evan F. Kohlmann, Flashpoint has become a standard tool for the U.S. Defense Department’s tactical information warfare and has advertised commercial services for subverting both “anti-pollution” and “anti-vax” protestors (such as Airline Professionals for Justice).2
When asked about Flashpoint’s subversion of oil pipeline and anti-pollution protestors, Toler responded that he was “not surprised, [as] these private intel companies are pretty nasty“ and asserted that:
“Basically: We haven't…had any real use for Echosec, used it in any workshops, or done anything else fruitful with Echosec since before the Flashpoint acquisition. Literally everything mentioned in this press release was before Flashpoint bought it, and outside of a legacy free account (which may not be active anymore, we're not sure) for our founder Eliot Higgins, we have had no relationship or use for Echosec/Flashpoint since ~2015/2016. Apparently Flashpoint bought Echosec in 2022 (!), so this is far, far, far beyond any time we actually used Echosec.”
After publication of this article, Bellingcat contributor Nick Waters further noted that “We haven’t used Echosec for ages (since 2016 or maybe before). It’s expensive and wasn’t very effective. I wouldn’t recommend it.”
Beyond the private intelligence services of Flashpoint, Echosec received $1.6 million between 2020 and 2021 as a subcontractor underneath ECS Federal on a data fusion contract within the U.S. Army’s Secure Unclassified Network (SUNet) which was closely associated with the Pentagon’s Project Maven AI drone surveillance effort.
Three days after publication, Flashpoint’s Director of Content Marketing & Communications, Jonathan Zalman, replied:
The case study you reference was originally published on Echosec.net in 2015, then migrated to Flashpoint.io in 2022 after the acquisition. To clear up any ambiguity, we've also added a note to the PDF and landing page to make sure the publication date is clear. Bellingcat is correct in their timelines of not having used Echosec meaningfully in many years.
After significant public pressure, Philipps stated that he deleted his previous tweet because it ‘lacked nuance’ and published the following article on the subject: https://www.nytimes.com/2023/04/15/us/jack-teixeira-pentagon-leak.html
In the same webinar that Flashpoint advertised its monitoring of the Telegram channel of Airline Professionals for Justice, it noted its usage of Bellingcat’s Telegram phone number tool.