      Redacted Content

      pubsub.slavino.sk / hackerfactor · Monday, 10 April, 2023 - 15:02 · 10 minutes

    I've been running FotoForensics for over a decade, and I really thought I had seen it all. Before I wrote the first line of code for FotoForensics, I had consulted with friends, law enforcement, and attorneys about my various liabilities. This is why I don't allow things like pornography, identity cards, and other sensitive documents on the public web site. For example:
    • Pornography is legal (1st Amendment, free speech). However, child pornography is illegal (18 U.S.C. 2251, 2252, 2258, etc.). Sites that permit porn have a bigger problem with child porn. By forbidding all porn, I don't have to report as much child porn. In addition, I don't want my administrators to have to spend any time looking at the picture in order to determine if it is a young adult or a child.
    • Public sites that permit identity documents (passports, drivers licenses, etc.) end up being used for fraud. There are also huge issues related to everything from harassment and identity theft to reporting responsibilities in case of a server compromise. To mitigate these issues, we block as many of these documents as possible. By blocking as fast as possible, we actively discourage this kind of use.
    • Public sites that are widely used for illegal activities (drug distributions, identity theft, human trafficking, child porn, etc.) are often raided by law enforcement. Even if the owners were not directly involved in the crime, they may be charged with helping facilitate these transactions. Thus, if we see it on the public FotoForensics service, we block it.
    As an aside: If you really feel the need to evaluate these kinds of images, then consider using the commercial FotoForensics Lab service (lab.fotoforensics.com). While Lab is not free, it does provide privacy for evaluating these photos. With private analysis, there is no risk from being associated with any kind of unlawful distribution. (The only forbidden content on Lab is child pornography.)

    Hosting Sensitive Documents

    Since the first day that the public site went live, the FAQ has warned against uploading any kind of sensitive images. For years, we've been actively banning people who upload drivers licenses, travel documents, bank statements, utility bills, and passport photos. However, after 11 years, we've had our first run-in with the widespread distribution of sensitive stolen documents.

    Let me be blunt: FotoForensics is not Wikileaks. Wikileaks actively encourages people to upload stolen and highly sensitive documents for public distribution. In contrast, the public FotoForensics service does not solicit and does not want this type of content. Do not use the public FotoForensics service to evaluate or distribute known-stolen documents. Right now, I'm manually blocking access to a set of widely distributed documents that were clearly stolen. When I get a little more time, I'll automate this banning process.

    What kind of documents triggered this most recent policy enforcement? As reported by NPR, "Top-secret Pentagon documents on Ukraine war appear on social media". The Pentagon has reported that these documents were stolen and leaked.

    Why are people uploading them to FotoForensics? It's the "Streisand Effect". Specifically, the New York Times reported, "Military analysts said the documents appear to have been modified in certain parts." They used those magic words: "appear to have been modified." As soon as someone says a picture may be altered, people grab copies of the pictures and upload them to FotoForensics in order to check it themselves.

    Again, let me reiterate: FotoForensics is not Wikileaks. Do not upload or distribute known-stolen documents to my public service. I don't care if some news outlets are showing the images. I'm already spending way too much time blocking porn and fraudulent documents. I don't want to deal with the legal headaches related to hosting potentially stolen content. Moreover, I don't want the reputation of running a site that permits hosting stolen content. There are just too many liability issues in this legal minefield.

    Variants and Sources

    I'm not going to link to the pictures or even discuss the content in the photos. (There are plenty of news outlets who are doing that.)

    Rather, I'm looking at the viral spread so that I can have a detector and solution in place the next time this happens. (Hopefully this will never happen again, but truthfully, I'm surprised it took 11 years.)

    With these government images, the pictures went viral extremely fast. We've received over 300 unique copies of the documents in 3 days. Nearly all are variants of four base photos. They vary by dimensions (scaling), visual region (cropping), re-encoding (jpeg to jpeg), transcoding (png to jpeg to webp, etc.), augmenting with annotations, etc. I've seen variants of the images uploaded from 4chan, Twitter, Discord, Imgur, Reddit, the Washington Post, some Taiwanese news outlet, and more. It's everywhere. (And I'm doing my best to remove it from my servers.) If you do find some place hosting the pictures, be aware that the images are far from the camera originals. I doubt you'll find a version that is high enough quality to evaluate or that contains the original metadata.

    The news first reported this information leak on 2023-04-06. However, the earliest upload to FotoForensics came from Sweden a day earlier: 2023-04-05. This doesn't mean that it originated there; only that a person using an IP address in Sweden had come across the pictures. Shortly after that, it was uploaded from a link at Discord, then a 4chan-like site, and then 4chan. It took a day to really go viral; that's when it spread to Twitter. 4chan and Twitter have been the two primary distribution channels for these images. (I suspect that the pre-Musk Twitter would have cracked down on the images, but Musk's Twitter does nothing to proactively deter this distribution.) From there, it spread to other 4chan-like sites as well as Telegram, Imgur, and a variety of news outlets (2023-04-06 and 2023-04-07). The uploads initially came from Northern and Eastern Europe, but quickly spread to the rest of Europe, the Middle East, and Asia. North America didn't become active until hours later (when Twitter began distributing the images).

    Besides recording the IP address that identifies who did the upload to FotoForensics, we also record the timestamps from any web-based submissions. If you supply a URL to a picture, that web server does not just return a picture. It also returns the picture's timestamp on the web server. This often denotes when the file was uploaded to the server or became accessible from the server. Most of these pictures have web server timestamps that match the viral distribution (2023-04-05 or later, often minutes or hours before being submitted to FotoForensics). However, one URL at Discord has a web server timestamp that is nearly a month earlier: 2023-03-06 23:55:25 GMT. This means:
    • The pictures were stolen, leaked, and quietly distributed via Discord at least a month before they went viral.
    • Discord has many channels where people discuss topics. There's a user in Europe who knows how to find this older Discord channel. (I know he's in Europe because of his IP address, and he has to know the Discord channel since he knew the URL to provide to FotoForensics.)
    There are a few news outlets that claim that the pictures were first distributed on Telegram on 2023-04-06. That's just wrong. FotoForensics started receiving them on 2023-04-05 and the Discord server timestamp dates the leak to at least a month earlier.
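
The server-timestamp comparison described above, as an added example (not FotoForensics code). It assumes the web server timestamp is the HTTP `Last-Modified` response header; the URLs, submission times, and record fields are constructed, and only the 2023-03-06 23:55:25 GMT value comes from the post.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc

def server_timestamp(headers):
    """Return the Last-Modified time as an aware UTC datetime, or None."""
    value = {k.lower(): v for k, v in headers.items()}.get("last-modified")
    if not value:
        return None
    try:
        ts = parsedate_to_datetime(value)
    except (TypeError, ValueError):   # malformed date string
        return None
    if ts.tzinfo is None:             # "-0000" parses as naive; treat as UTC
        ts = ts.replace(tzinfo=UTC)
    return ts.astimezone(UTC)

def analyze(submissions, max_lead=timedelta(days=2)):
    """Return (earliest_evidence, outliers).

    earliest_evidence: oldest time any copy is known to have existed.
    outliers: (url, server_time, lead) where the server timestamp predates
    the first submission of any variant by more than max_lead.
    """
    first_seen = min(s["submitted_at"] for s in submissions)
    earliest, outliers = first_seen, []
    for s in submissions:
        ts = server_timestamp(s["headers"])
        # A missing, malformed, or future-dated header is not evidence.
        if ts is None or ts > s["submitted_at"]:
            continue
        earliest = min(earliest, ts)
        if first_seen - ts > max_lead:
            outliers.append((s["url"], ts, first_seen - ts))
    return earliest, outliers

# Constructed sample records (hypothetical hosts and submission times).
SAMPLE = [
    {"url": "https://img-a.example/1.jpg",
     "headers": {"Last-Modified": "Wed, 05 Apr 2023 09:10:00 GMT"},
     "submitted_at": datetime(2023, 4, 5, 9, 40, tzinfo=UTC)},
    {"url": "https://chat-cdn.example/attachments/placeholder.jpg",
     "headers": {"last-modified": "Mon, 06 Mar 2023 23:55:25 GMT"},
     "submitted_at": datetime(2023, 4, 6, 12, 0, tzinfo=UTC)},
    {"url": "https://img-b.example/2.webp",
     "headers": {},
     "submitted_at": datetime(2023, 4, 6, 15, 0, tzinfo=UTC)},
    {"url": "https://img-c.example/3.png",
     "headers": {"Last-Modified": "not a date"},
     "submitted_at": datetime(2023, 4, 7, 8, 0, tzinfo=UTC)},
]

if __name__ == "__main__":
    earliest, outliers = analyze(SAMPLE)
    print("earliest evidence:", earliest.isoformat())
    for url, ts, lead in outliers:
        print(f"outlier: {url} server time {ts.isoformat()} leads by {lead}")
```

`Last-Modified` is set by the hosting server, so an outlier is a lead to check against other evidence rather than proof of an upload date.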

    Unusual Trends

    I've previously written about my trend detector. It looks for widespread variants of the same pictures and where they are being uploaded from. Interestingly, these sensitive documents are not spreading like your typical viral pictures. For example:
    • Typical viral images start at publicly accessible sites: media outlets, meme sites, 4chan, Twitter, Facebook, Instagram, etc. From there, copies of the pictures spread to other social media services. That's how the various floods at FotoForensics featuring One Direction, Taylor Swift, BTS, "Amazing Fried Rice Wave", Kim Jong Un, etc. have started. They rarely start at Discord. And if you think about it, this makes sense: Discord channels are closed forums. The public can't access the content so the content rarely spreads virally.
    • When pictures go viral, they usually have a single identifiable starting point and then blossom to other social media outlets. (Eleanor Calder's viral dog photo started on her Instagram feed. The flood of face photos coincided with the release of "This Person Does Not Exist".) The total time from the initial seed to the viral dissemination may be measured in hours or days (or maybe a week), but not much longer. It's very uncommon for a picture to exist on one social media service for a long time before suddenly going viral. However, the earliest timestamp I've seen with these pictures shows that they were on Discord for a month before being distributed.
    • Facebook and Instagram usually play a big role in viral disseminations. However, I've only seen one of these sensitive pictures uploaded from Facebook, and that happened 3 days after the images went viral (2023-04-08). Either Meta (Facebook's parent company) is cracking down on the images or it's just not there.
    • Unlike typical viral content, these sensitive pictures initially spread through the troll networks (4chan, kohlchan, endchan, etc.) and Twitter. There was not much delay between these sightings. It's almost as if one person said "Now!" and then the postings happened in a coordinated fashion.
    • The countries uploading to FotoForensics are also not distributed like normal viral imagery. There initially were a lot of uploads from Sweden, Finland, and the Netherlands. (The Netherlands is a founding NATO member. Sweden is trying to join NATO, and Finland joined NATO the day before the viral spread.) The uploads also quickly appeared in other pro-Ukraine countries, including Poland and Germany. Then it spread through the Middle East and China. The widespread viral access from the UK and US only happened after the pictures showed up on Twitter and in the media. As I mentioned, the dissemination wave went from Europe to the Middle East and Asia before hitting the United States. Typical viral pictures go country-to-country with a timeline that follows the sunrise. That didn't happen here.
    And then there's the timing... The timestamp says that the leak first appeared on Discord, but then it sat there. It didn't go viral until a month later, almost to the day. That seems too coincidental to me. I wouldn't be surprised if this was a foreign (non-US) government disinformation or propaganda operation. If I had to guess, I'd say that someone was intentionally planting the images in a coordinated effort to generate a viral distribution. (This also brings up any alterations that the US Government suggested might be present. If this was a foreign propaganda operation, then the images would almost certainly be altered to maximize the social impact.)

    One More Thing...

    When a high-volume trend hits FotoForensics, there are usually 3 separate waves. First comes the visual copies (variants) of the pictures. Just as the first wave begins to ebb, the porn people start showing up. These are people who learned about FotoForensics from the previous viral news and then decided to upload prohibited pictures. The third and smaller wave has the child porn people who follow the porn people (who followed the first viral wave). These waves are each 2-3 days apart and are so predictable that I can know when a wave of porn uploads will be coming. (This is why I built the trend detector.)

    Oddly, the viral distribution of these sensitive photos coincided at the same time with an unexpected rise in pornography. There was no delay between these two waves and they followed the exact same volume curves. I can't help but wonder if sites that permit stolen and sensitive documents also have a larger problem with pornography. I tried to search for any public stats related to Wikileaks and pornography, but the Google results almost entirely referenced child pornography and related associations with Wikileaks. Even more unusual: the expected third wave of child porn never appeared at FotoForensics (whew).

    In any case, this association between sensitive photos and prohibited (pornographic) imagery is yet another reason why I don't want that content on my servers. Here's to hoping that I don't have this problem again for another 11 years.

    Tags: #Politics, #Forensics, #Network, #FotoForensics

      We now have a pretty good idea what the “Connecticut vampire” looked like

      news.movim.eu / ArsTechnica · Friday, 18 November, 2022 - 17:31 · 1 minute

    Forensic facial reconstruction of the "Connecticut vampire" (aka JB55), accounting for known tooth loss and inferred health issues. Hair is based on 19th-century styles. Skin, hair, and eye color are based on phenotype predictions. (credit: Parabon NanoLabs)

    Thanks to the efforts of Parabon NanoLabs and the Armed Forces DNA Identification Laboratory, we now know what the so-called "Connecticut vampire" probably looked like. Using DNA analysis and a 3D scan of the skull, the two labs collaborated to digitally reconstruct the face of the 19th-century man whose remains were discovered more than 30 years ago. The image was revealed earlier this month at the International Symposium on Human Identification conference in Washington, DC. The work also builds on earlier DNA analysis to strengthen the evidence that the man in question was a former resident named John Barber.

    As we've reported previously, children playing near a gravel pit in Griswold, Connecticut, back in 1990 stumbled across a pair of skulls that had broken free of their graves in a 19th-century unmarked cemetery. Subsequent excavation revealed 27 graves—including that of a middle-age man identified only by the initials "JB55," spelled out in brass tacks on his coffin. Unlike the other burials, his skull and femurs were neatly arranged in the shape of a skull and crossbones, leading archaeologists to conclude that the man had been a suspected "vampire" by his community.

    Analysis of JB55's bones in the 1990s indicated the man had been a middle-age laborer, around 55 when he died. The remains also showed signs of lesions on the ribs, so JB55 suffered from a chronic lung condition—most likely tuberculosis, known at the time as consumption. It was frequently lethal in the 1800s due to the lack of antibiotics, and symptoms included a bloody cough, jaundice (pale, yellowed skin), red and swollen eyes, and a general appearance of "wasting away." And the sickness often spread to family members. That could be why local folklore suspected some victims of being vampires, rising from the grave to sicken the community they left behind.


      After nearly 50 years, FBI identifies “Lady of the Dunes” murder victim

      news.movim.eu / ArsTechnica · Wednesday, 2 November, 2022 - 22:09 · 1 minute

    The body of Ruth Marie Terry as she was found in 1974 in Provincetown, Massachusetts. (credit: Public domain)

    A 12-year-old chasing after her barking dog discovered the mutilated body of a woman in the Race Point Dunes of Provincetown, Massachusetts, on July 26, 1974. Law enforcement was unable to identify the victim, who became known as the "Lady of the Dunes." Nearly 50 years later, on October 31, the FBI announced it finally identified the woman as Ruth Marie Terry, a native of Tennessee who was 37 at the time of her death.

    The identification was made via genetic genealogy methods: a combination of DNA testing and profiling with traditional genealogical analysis to trace family trees—the same approach used to identify the Golden State Killer (former police officer Joseph James DeAngelo) in 2018. According to the FBI, Terry was born in 1936; had "connections" to the states of California, Massachusetts, and Michigan; and was a "daughter, sister, aunt, wife, and mother." Further details have not been released out of respect for her family—and also because the murder investigation is ongoing.

    "While we have identified Ruth as the victim of this horrific murder, it does not ease the pain for her family—nothing can," Joseph Bonavolonta, a special agent from the Boston branch of the FBI, said at a press conference announcing the identification. "But hopefully, they answer some questions while we continue to look for her killer. This is, without a doubt, a major break in the investigation that will hopefully bring us all closer to identifying the killer."


      Were bones of Waterloo soldiers sold as fertilizer? It’s not yet case closed

      news.movim.eu / ArsTechnica · Wednesday, 10 August, 2022 - 20:00 · 1 minute

    The Morning after the Battle of Waterloo, by John Heaviside Clark, 1816. (credit: Public domain)

    When Napoleon was infamously defeated at Waterloo in 1815, the conflict left a battlefield littered with thousands of corpses and the inevitable detritus of war. But what happened to all those dead bodies? Only one full skeleton has been found at the site, much to the bewilderment of archaeologists. Contemporary accounts tell of French bodies being burned by local peasants, with other bodies being dumped into mass graves. And some accounts describe how scattered bones were collected and ground up into meal to use as fertilizer.

    It's that last claim that particularly interests Tony Pollard, director of the Center for Battlefield Archaeology at the University of Glasgow. He has examined historical source materials like memoirs and journals of early visitors, as well as artworks, to map the missing grave sites on the Waterloo battlefield in hopes of finding a definitive answer. He provided an update on his efforts thus far in a recent paper published in the Journal of Conflict Archaeology.

    Napoleon had initially been defeated and deposed as emperor of France in 1813, ending up in exile on the island of Elba in the Mediterranean. He briefly returned to power in March 1815 for what is now known as the Hundred Days. Several states opposed to his rule formed the Seventh Coalition, including a British-led multinational army led by the Duke of Wellington, and a larger Prussian army under the command of Field Marshal von Blücher. Those were the armies that clashed with Napoleon's Armée du Nord at Waterloo.
