Pattern of Life Analysis (POLA)
BLUF
Pattern of Life Analysis (POLA) is the systematic collection, documentation, and analysis of an entity’s routines, habits, associations, locations, communications, and behavioral patterns over time. Its purpose is to establish a behavioral baseline, predict future behavior with stated confidence, and detect anomalies that signal intent or operational planning. POLA is the connective tissue between raw OSINT collection and actionable intelligence — it transforms episodic data points into temporal behavioral intelligence. Originally a military targeting methodology (the “Fix” and “Track” components of F2T2EA), POLA is now applied across civil accountability journalism, corporate threat intelligence, law enforcement, and humanitarian monitoring. The ethical and legal constraints governing each domain differ materially; this methodology note addresses all four.
Scope, Domain, and Ethics
POLA is applied across four analytically distinct domains, each with different ethical obligations, legal frameworks, and operational standards:
| Domain | Primary subject types | Purpose | Ethical constraint | Legal framework |
|---|---|---|---|---|
| Military/targeting | Combatants, military commanders, armed groups | Pre-strike targeting verification; battle damage assessment | IHL (Additional Protocol I, Art. 57 precautions); LOAC distinction principle | Classified authority frameworks; CJCS targeting directives |
| Law enforcement | Suspects, organized crime networks, persons of interest | Criminal investigation; threat assessment | Proportionality; judicial authorization for covert surveillance | ECPA, RIPA, LGPD — jurisdiction-dependent |
| Civil/accountability journalism | Public officials, corporate actors, alleged perpetrators | Accountability reporting; conflict documentation | Berkeley Protocol proportionality; do no harm; minimum necessary | OSINT Legal Framework; journalism exemptions |
| Corporate threat intelligence | Executives, adversaries, supply chain actors | Insider threat; competitive intelligence; due diligence | Legitimate business purpose; employer-employee law | GDPR/LGPD legitimate interest; employment law |
Assessment: The same analytical methodology — temporal mapping of an entity’s behavior from open sources — produces radically different ethical assessments depending on domain. The Bellingcat team’s POLA-style reconstruction of Russian intelligence officers’ travel patterns is accountability journalism; an authoritarian state conducting equivalent POLA on opposition activists is surveillance. The technique is domain-neutral; the ethics are not.
Collection Vectors
POLA draws from multiple collection disciplines, weighted by analytical context and legal access:
| Vector | Source types | Confidence | Primary OSINT use |
|---|---|---|---|
| SOCMINT | Posting timestamps, platform regularity, linguistic shifts, network changes, location check-ins, publication patterns | High for social patterns; Medium for physical location | Social routine mapping, network change detection |
| GEOINT | Satellite imagery time-series, historical Street View, ADS-B flight tracks, AIS vessel tracks, drone footage | Medium (coverage gaps) | Movement pattern analysis, location anchoring |
| FININT | Transaction timestamps, regular payment recipients, ATM withdrawal patterns, crypto address activity cycles | High for financial routine; Low for physical location | Financial routine mapping, travel cost corroboration |
| Travel/border records | Passport stamps, airline manifests, hotel records (via court filings, leaked databases) | High | Route mapping, meeting pattern reconstruction |
| Open behavioral signals | Press conference schedules, public appearance patterns, publication rhythms, court filing dates, procurement cycles | High for institutional actors | Institutional routine analysis, schedule reconstruction |
| Physical surveillance (authorized only) | Direct observation logs | High | Ground-truth of all other vectors; legal authorization required in most jurisdictions |
| Communications metadata | Call duration patterns, contact frequency, roaming patterns — via lawful intercept or leaked datasets | High for network patterns | Network change detection; contact frequency analysis |
OPSEC note: The same collection vectors used for POLA are also the primary defensive intelligence vectors adversaries use to counter OSINT operations. An analyst building a POLA profile on a target who is themselves OPSEC-aware will encounter artificially modified patterns — deliberate routine variation, cash transactions, burner devices. Pattern absence or systematic variation is itself an analytical signal.
Six-Step POLA Methodology
Step 1 — Entity Anchoring
Confirm the target entity and its linked attributes:
- Identity confirmation: Legal name, aliases, transliterations, known pseudonyms. Cross-reference across social platforms, corporate registries, court filings.
- Associated entities: Family members, close associates, vehicles (plate numbers), residences, workplaces, regular locations.
- Device/account fingerprint (if accessible via open sources): Account creation dates, consistent usernames across platforms, device-specific posting patterns (iOS vs. Android metadata, posting-time signatures).
Failure mode: Misidentification at Step 1 invalidates the entire POLA. Confirm identity via a minimum of two independent primary sources before proceeding.
Step 2 — Baseline Collection Period
Define and execute the observation window:
- Minimum window: 30 days for individual entities with daily social media presence; 90 days for organizational entities or lower-frequency sources.
- Source diversity requirement: Minimum three independent collection vectors contributing to the baseline. Single-vector POLA produces a partial behavioral picture susceptible to vector-specific artifacts.
- Historical reconstruction: Where current observation is insufficient, reconstruct from archived sources — Wayback Machine captures, archived social media posts, historical satellite imagery time-series, court filings with dated events.
Step 3 — Temporal Mapping
Build a time-series calendar of observed activities:
- Granularity: Map events at the finest available temporal resolution. Social media posts to the minute; satellite imagery to the day; financial events to the day; press appearances to the time-of-day.
- Multi-source overlay: Plot events from all collection vectors on a single timeline. Convergence of multiple sources on the same event increases confidence; divergence signals either collection artifact or deliberate behavior modification.
- Calendar structuring: Identify daily, weekly, monthly, and seasonal cycles. Mark gaps — confirmed absence of activity is analytically distinct from unobserved periods (data gap vs. behavioral gap).
Tool options: Timeline.js (open source, web-based visualization), Airtable (structured timeline with filter), Obsidian with the Timeline plugin, MISP timeline module (for CTI applications).
Step 4 — Pattern Extraction
From the temporal map, identify:
- Routine anchors: Fixed-time, fixed-location activities — daily morning posting, weekly meeting attendance, monthly report publication, annual conference appearance.
- Habitual associations: Regular co-occurrence with specific individuals, locations, or communications partners.
- Cyclical patterns: Behavioral rhythms that predict future occurrences — if the target posts at 08:00 BRT on weekdays, absence on a Tuesday is an anomaly worth flagging.
- Operational signatures: Patterns that signal specific activities — a pattern of international travel before major organizational decisions, for example, or communication spikes preceding public announcements.
Assessment: The analytical value of POLA is not any single observation but the deviation from established pattern — anomalies are the intelligence signal.
Step 5 — Anomaly Detection
Define what constitutes a significant anomaly against the established baseline:
- Threshold: Minor deviations (one missed post in a 30-day series) are noise. Sustained deviation (three-day posting gap from a daily poster) is signal. Set statistical thresholds before the collection period — post-hoc threshold selection enables confirmation bias.
- Anomaly types:
  - Temporal anomaly: Behavior at unexpected times (posting at 03:00 from a target with a consistent 08:00-22:00 posting window)
  - Location anomaly: Presence in an unexpected location (geolocated post from a city inconsistent with established travel patterns)
  - Network anomaly: New contact appearing in a target’s social network not previously present
  - Communication anomaly: Shift in posting frequency, platform preference, or linguistic register
  - Financial anomaly: Transaction to a new recipient, withdrawal in an unusual location, crypto address activity inconsistent with prior pattern
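Steps 3 to 5 applied to a defender's own telemetry, as an added example that is not part of the original note: it labels each day of an observation window as activity, confirmed absence, or unobserved (behavioral gap vs. data gap), then flags only sustained absence and out-of-window activity against thresholds fixed in advance. The subject is a constructed service account in the analyst's own environment; all names, dates and the rule that an unobserved day ends a run of absence are assumptions of this example.

```python
from datetime import date, datetime, timedelta

# Thresholds fixed before the observation window opens (Step 5).
MIN_GAP_RUN = 3               # consecutive confirmed-absent days that count as signal
ACTIVE_HOURS = range(8, 22)   # baseline activity window, 08:00-22:00

def classify_days(events, covered, start, end):
    """Label each day 'active', 'behavioral_gap' (collector ran, nothing seen)
    or 'data_gap' (collector did not run, so absence is unknown)."""
    seen = {e.date() for e in events}
    labels, day = {}, start
    while day <= end:
        if day not in covered:
            labels[day] = "data_gap"
        elif day in seen:
            labels[day] = "active"
        else:
            labels[day] = "behavioral_gap"
        day += timedelta(days=1)
    return labels

def sustained_gaps(labels, min_run=MIN_GAP_RUN):
    """Return (first_day, length) for runs of confirmed absence >= min_run.
    A data_gap day ends the run: unobserved days never count as absence."""
    runs, run_start, length = [], None, 0
    for day in sorted(labels):
        if labels[day] == "behavioral_gap":
            run_start = run_start or day
            length += 1
            continue
        if length >= min_run:
            runs.append((run_start, length))
        run_start, length = None, 0
    if length >= min_run:
        runs.append((run_start, length))
    return runs

def temporal_anomalies(events, hours=ACTIVE_HOURS):
    """Events whose hour falls outside the baseline activity window."""
    return [e for e in events if e.hour not in hours]

# Constructed sample: 14-day window, log collector down on 5-6 March,
# service account normally logs in at 08:00, plus one 03:00 login.
START, END = date(2024, 3, 1), date(2024, 3, 14)
COVERED = {START + timedelta(days=i) for i in range(14)} - {date(2024, 3, 5), date(2024, 3, 6)}
EVENTS = [datetime(2024, 3, d, 8, 0) for d in (1, 2, 3, 4, 7, 8, 10, 14)]
EVENTS.append(datetime(2024, 3, 10, 3, 0))
LABELS = classify_days(EVENTS, COVERED, START, END)
```

On this sample the single missed day (9 March) stays below threshold, the collector outage is reported as unobserved rather than as absence, and only the 11-13 March run and the 03:00 login are flagged.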
Step 6 — Predictive Assessment and Confidence Calibration
Derive forward-looking behavioral assessments:
- State the basis: “Subject is likely (65–80%) to attend the [annual conference] during [date range], based on four years of confirmed attendance and no observable indicators of changed circumstances.”
- Specify confidence: Apply Intelligence Confidence Levels calibration. High confidence requires convergent multi-source corroboration over a long baseline. Low confidence may result from a short observation window, single-vector collection, or known OPSEC behavior by the subject.
- Define tripwires: Specify observable indicators that would change the assessment. “Confidence would decrease to Low if: (a) subject publicly announces travel conflict, (b) satellite imagery shows venue security changes inconsistent with public event preparation.”
POLA in Military Targeting
POLA is the core methodology underlying the “Fix” and “Track” phases of the F2T2EA targeting cycle (Find, Fix, Track, Target, Engage, Assess):
- Find: Initial identification of the target entity
- Fix: POLA anchors the target to specific locations and routines, reducing positional uncertainty
- Track: Continuous POLA maintains location and behavioral awareness through the targeting process
IHL constraints: Military POLA for lethal targeting must satisfy:
- Distinction (AP I, Art. 48): POLA data must establish that the target is a legitimate military objective — combatant status or direct participation in hostilities. POLA on civilian activities does not satisfy distinction.
- Proportionality (AP I, Art. 51(5)(b)): Incidental civilian harm (from targeting based on POLA that includes civilian household members) must not be excessive relative to the military advantage anticipated.
- Precautions (AP I, Art. 57): All feasible precautions must be taken to verify POLA conclusions before strike authorization — POLA-based targeting cannot be executed without confirmation of current targeting criterion satisfaction.
AI-POLA in the IDF — Lavender and Gospel systems: The IDF Kill Machine investigation documented that Israel’s AI-assisted targeting systems (Lavender, Gospel) used automated POLA — principally communications metadata and social network analysis — to generate targeting recommendations for air strikes in Gaza. The systems reportedly assigned confidence scores to POLA-derived targeting candidates, with human review compressed to seconds per recommendation. The investigation identified cases where POLA confidence scores were based on behavioral overlap with known Hamas members rather than positive combatant identification. This represents the most consequential and contested operational deployment of AI-POLA in the publicly documented record.
Signature strikes: From 2008–2016, CIA and JSOC drone operations in Pakistan, Yemen, and Somalia authorized strikes against individuals fitting a “signature” — a behavioral profile consistent with militant activity — without positive identity confirmation. The signature was effectively a POLA-derived profile applied to an individual never individually identified. The Brennan Doctrine (2011) formalized signature strikes under the Obama administration. Post-hoc analyses found significant civilian casualty rates from signature-based targeting, attributed to POLA indicators that were shared by civilians and combatants in the same operational environment.
POLA in Civil OSINT
Accountability journalism: The reconstruction of Russian intelligence officers’ activities in the Salisbury poisonings (Bellingcat, 2018) and the Navalny poisoning attempt (Bellingcat/The Insider, 2020) is the methodology’s highest-profile civil application. In both cases, the teams:
- Anchored cover identities via passport/FSB database leaks
- Mapped travel patterns from flight manifests, hotel records, and credit card traces
- Established co-location of operatives with targets at critical time windows
- Identified routine deviations in cover identities (legend maintenance inconsistencies)
The result was attribution-grade evidence for state-directed assassination attempts, produced entirely from open sources. POLA was the organizing methodology.
Oligarch asset tracking (post-2022): Following the Russian invasion of Ukraine and resulting sanctions, investigative networks (OCCRP, Bellingcat, The Insider) mapped oligarch asset movements — yachts, aircraft, property — using AIS maritime tracking, ADS-B flight tracking, company registry analysis, and historical satellite imagery. POLA of physical assets produced evidence of sanctions evasion and pre-sanction asset concealment.
Conflict zone monitoring (ACLED, UNOSAT): Non-governmental monitoring organizations use POLA-equivalent methodology applied to armed groups — tracking unit movements, weaponry patterns, and incident frequency over time to produce conflict maps and escalation assessments.
Failure Modes and Adversarial Countermeasures
| Failure mode | Mechanism | Mitigation |
|---|---|---|
| Pattern injection | Adversary deliberately creates false routines to mislead POLA | Cross-vector corroboration; seek behavioral inconsistencies across sources (a pattern that appears in one vector but not others) |
| Compartmentalization | Operational movements are insulated from routine life (different devices, cash transactions, dedicated vehicles) | Extend observation window; add physical/satellite vectors; look for infrastructure patterns rather than personal behavior |
| Digital hygiene | VPN, Tor, burner phones, cash payments defeat FININT and COMINT vectors | Shift to GEOINT and SOCMINT vectors; look for behavioral artifacts that survive digital sanitization (physical appearance patterns, writing style, posting time zones) |
| Pattern of avoidance | Excessive caution creates a meta-pattern — the target’s absence from expected locations is itself a signal | Flag sustained absence from expected locations as a positive indicator, not a data gap |
| Misidentification | POLA built on the wrong subject | Verification of identity at Step 1; maintain identity corroboration throughout the observation window |
| Baseline contamination | Target becomes aware of surveillance and modifies behavior during the baseline period | Use historical sources to establish pre-awareness baseline; treat post-awareness behavior as separate analytical dataset |
Key Connections
Parent discipline: OSINT
Primary collection vectors used: Social Media Intelligence | Financial Intelligence | GEOINT | Attribution
Methodological complements: Geolocation Methodology — verifies location claims in POLA timelines | Source Verification Framework — applies to every POLA evidence item
Analytical frameworks: ACH — for competing behavioral explanations | Intelligence Confidence Levels — for calibrated predictive assessments
Key investigations applying POLA: The IDF’s Kill Machine — AI-POLA in military targeting | Palantir Intelligence Dossier — corporate behavioral intelligence
Legal and ethical constraints: OSINT Ethics — proportionality, do no harm, special vulnerability categories | OSINT Legal Framework — GDPR/LGPD implications for systematic personal data processing