How does an analyst catch a terrorist?

Last Updated: 08 Jun 2016
One of GCHQ’s most important tasks is to identify and analyse the international dimensions of terrorist threats to the UK.

Every GCHQ operation will be different.

Follow our example of how a potential threat might be identified, what a GCHQ intelligence analyst will do to learn more about it, and what that analyst will do with the information uncovered in the process.

Step 1: The initial lead


Big Ben


We are rarely given the full name, address and contact details of those who are behind a threat to the UK.  Right from the very beginning we must work to piece together information to help us uncover the facts.

The first indication might arrive in a number of ways...

  • somebody might contact the police or MI5 to alert them to something they have seen or heard
  • existing surveillance of a known extremist might reveal a new set of contacts, or some new activity
  • a foreign partner may pass on information they have received from their sources

Example case study

An MI6 source based overseas has seen an individual (whom we’ll call the facilitator), known to be a member of ISIL leadership (Islamic State in Iraq and the Levant), passing an envelope containing pages of handwritten Arabic text to a stranger along with the message that it contained "information for the brothers in the United Kingdom that will cause carnage across London". 
The source reports that all he knows about the stranger is that he spoke in English as well as Arabic. The stranger had a mobile phone – nothing fancy – and a tablet, which the source recognised as being a fairly new model of a high-end brand.  
The combination of the ISIL facilitator, what looked like operational instructions and the reference to the UK are enough for MI6 to pass the details on to GCHQ and MI5 urgently for investigation. MI5 can’t at this stage link the activity to any on-going operations, so they ask GCHQ to see what they can find out about the facilitator, the stranger overseas and the possible threat.

Key Fact - Sampling and Auditing

GCHQ is staffed by human beings and mistakes can happen. However, we have checks in place so it is hard to break the rules, either by accident or on purpose.

Critically, all our systems generate IT logs which are retained and can be audited if we ever need to make sure that an analyst has followed procedures.

GCHQ is also overseen by independent commissioners. These are senior judges who have complete access to personnel and paperwork to monitor our compliance with the law.


Step 2: Follow up detective work




We are rarely given the full name, address and contact details of those who are behind a threat to the UK.  With knowledge that there is a potential threat, our analysts work with what scant details they have, coupled with the data available to them, to piece the jigsaw together.

Example case study continues

We have no telephone numbers and no email addresses for the stranger seen at the overseas meeting but knowledge that there is a potential threat to the UK.  Sounds like an impossible task? Not quite the case...

While we know nothing about the stranger, GCHQ knows a bit about the facilitator; as part of ISIL, he’s on our radar. The team monitoring the facilitator have however not seen anything that can be connected to the meeting with this stranger.

After justifying why we need to investigate the data associated with the facilitator’s number, and recording that justification, we can search our data.  We get initial results: we now have the telephone activity of the facilitator‘s phone in the days around the meeting.

Even though the facilitator is known to be an ISIL member, many of his contacts could be innocent. How do we zero in on the phone number that could shed light on the potential threat we are investigating?

Key Fact - Justifying Investigations

Before being able to use any of our databases, we must be able to justify our detective work. For each query that is run, the justification is recorded and can be audited.

Our analysts must think about the threat they are investigating, which of GCHQ’s missions does it relate to? Is the investigation proportionate? Can they demonstrate the search is necessary to advance the investigation?

Example: This number has been used previously by a known ISIL facilitator. Search is in order to identify an unknown contact who is suspected of being involved with a terrorist plot in the UK.


Step 3: Analysis options – phone related


Old Mobile Phone


After following initial leads, we extract a relevant pool of data to work with.  By looking at the other fragments of information we have, we focus in on just the intelligence relating to the threat we have been asked to investigate.

Example case study continues

We need more pieces of the jigsaw to extract anything useful from our data.  With work on the facilitator drawing a blank at this stage, can we find anything out about the stranger overseas?

The stranger’s mobile phone was described as "nothing special", which doesn’t seem in keeping with somebody who owned a top-of-the-range tablet. Our analysts have considerable experience in how extremists behave. We can use this knowledge to build and test theories around suspected travel and behaviour patterns to try and find the stranger in our data.

The type of search that is required to explore this theory is more complex than the average ‘tell me who was in contact with this number’ query.  We have specialist, skilled data experts to handle such requests.

One candidate telephone is found. The pattern of calls it has made are consistent with how we believe the stranger is likely to have behaved. What do we do next to confirm or dismiss this lead?

Key Fact - Data Experts

Sometimes a fragment of information on its own isn’t enough to help us find our target and progress our understanding of a situation.

But if we have enough fragments...

For example:

  • been at a particular location
  • on a particular day
  • around a specific time
  • been in contact with a defined group

...we can build a set of complex queries to extract the intelligence we need from our data. We have experts trained in analytics who specialise in this technique.


Step 4: Another approach - tablet related


Generic Tablet


Going back to the original starting information, we look for additional details that could provide an alternative start point for further investigation.  By looking at the problem from all angles we can put together the fullest picture possible.

Example case study continues

One of the few distinguishing features of the stranger overseas was his tablet. Is it possible to identify it?

Using additional data-mining techniques we can identify activity on the internet that might relate to the stranger’s tablet. For each query we must supply a justification as outlined previously.

The results show twenty one tablets fit our theory. This is still too many to work with. But comparing what we know about the tablet and the telephone suggests that one is of particular interest.  A coincidence perhaps, or evidence that the suspect phone and tablet are connected.

We still have no name for our stranger but we have a potential phone and tablet that fit what we know about him. All of this is written up into a report, checked for accuracy by an experienced analyst, and issued to a small number of relevant people at MI5 and MI6

Key Fact - Training

Operational Legalities training is mandatory for anyone who accesses, handles or makes decisions about operational data at any GCHQ site. It covers the legal and policy framework within which we operate and the fundamental principles that we must apply to our operational activities.

Training must be re-taken every two years.

There is a strong culture and ethos of personal accountability amongst staff.


Step 5: Digging deeper – finding a real world identity


Tablet highlighted


Working from the initial fragments of information we started with, we have built theories and looked within our data for potential leads that fit.  We now have a small number of leads to investigate further to rule them in or out.

Example case study continues

Now we have narrowed our leads down to just those that fit the information we have about our suspect stranger seen at the overseas meeting, we can justify taking the next step and searching through the associated content data we hold.

Looking at the user of the tablet we have identified, we see indications of online extremist behaviours. We also spot that this individual has accessed an account for a particular internet service. 

Running the details of the internet service account against GCHQ’s database of known targets we find it has come up in connection with a previous investigation and the user has been identified. We now have a name that could belong to our stranger.

Key Fact - Communications Data vs content?

Communications data is simply information about communications, including information used to route your communication. Content is what was said or written.

E.g.  If you make a phone call, what you say is content while the information around the call (the date, the time, duration, numbers involved) is communications data.

Analyst access to communications data and content is subject to stringent controls and must always be clearly justified.




ID Card


Signals Intelligence can be a powerful tool to answer seemingly impossible questions. The ability to use fragmentary information to build theories and perform complex searches against our communications data can narrow down thousands of options quickly. We can hone in on the most likely targets and only when we have sufficient justification that a lead is suspicious do we have the ability and resource to dig deeper and look at content to progress our investigations.

Example case study continues

Although still at the theory stage, we now have a possible real life identity for our stranger overseas. We can report the findings so far and pass the information to MI5 as an investigative lead. There is a good chance that the stranger is still abroad, but he might travel to the UK at any time.

From the original information supplied by MI6, there was no name and only a sketchy physical description, MI5 would have been unable to progress.   After GCHQ’s investigation, a possible identity has been supplied which is enough to let MI5 pick up the trail. It is by no means the end of the investigation but it is where we’ll leave this example for now.