Category: Islamic State

The Shift in Platform Exploitation Over Time

Session 1 of the Progressive Terrorism Studies Webinar Series. “The Persistent Online Presence: The Shift in Platform Exploitation Over Time”

How the Salafi-Jihadi movement has been able to exploit the internet to distribute their message has been a key concern of those seeking to challenge these narratives. The first webinar in the Progressive Terrorism Studies Webinar series provided a data-driven update on how the Arabic speaking core of the Salafi-Jihadi information ecosystem has continued to evolve. This is not a new phenomenon – nor restricted to the pop cultural and pseudo-scientific hype regarding al-Dawlat al-Islamiyya – rather, jihadists have been exploiting all means possible on the Internet for decades. 

This research comprises over 6.4 million Telegram updates collected in near real-time since June 2017. These updates were collected from channels and groups confirmed to be part of the Salafi-Jihadi movement, stemming from Jihadist exploitation of the internet for over a decade, but focused here on their operation on Telegram. From within this vast archive of material a collection of 4 million instances of URL sharing were recorded for analysis. 

The session emphasised the importance of robust design and data collection in the study of Salafi-Jihadi groups.  

The subject of study needs to be identified by someone able to:  

  • recognise the theological references and imagery,  
  • join online groups by passing the vetting conducted by the Salafi-Jihadi movement in Arabic. If a researcher cannot respond to Q&A in Arabic, it is a sure sign they cannot enter the core of the movement.      

Similarly, for analysis which examines change over time the data collection needs to occur in near real-time, as downloading weeks, months, or years after the event does not provide a credible dataset for analysis. This is because the attempted disruption from outside, internal purging of some groups, and the activity of bots, all combine to undermine confidence in time-series analysis of Telegram data collected using a retrospective approach.  

The large-scale analysis provides a strategic level overview of the way the Salafi-Jihadi movement has operated since Telegram became its primary platform for communicating with supporters and acting as a core platform for their media output – in combination with other platforms since Europol’s claim of they had removed IS from the internet in November 2019. By examining the URL they share, the analysis shows the breadth of the Salafi-Jihadi presence across platforms and provides an overview into whether there are detectable patterns in their use of different online services.  

A reduced version of the domain tool used in the time-series analysis shows the engagement profile of various domains in the study.   

The tool can be viewed here and more detail on the analysis can be found on github. 

The analysis showed:  

  • Some platforms experience persistent engagement profiles, while others experience sudden spikes in use, or short-term exploitation.  
  • Correlations between the use of different platforms could be used to develop a rapid alert system to locate material.  
  • Co-citation style network analysis can be used to detect clusters of platforms which are used collectively. This would allow clusters of platforms which are being exploited in a similar way to be supported or work collectively.  

The session built on 2019 the publication by Emily Winterbotham, Dr Ali Fisher and Dr Nico Prucha. This is the largest ever study of traffic between the online platforms that comprise the Jihadi information ecosystem. This study included 24 months of data from the core of the Salafi-Jihadi Telegram network and revealed the inner workings of their multiplatform communication paradigm. The paper demonstrated the different roles that platforms play within the multiplatform information ecosystem, including Telegram, Tamtam, and Matrix.  
 

Back to the Nashir – Total Decentralization and Enhanced Resilience

Much has been written – and claimed – about the importance of the “Nashir” setup for the online presence of IS. By its logo, most times despite some variations, Nashir is easy to identify, even for non-Arabic speakers. As outlined before, Nashir is part of the IS ecosystem of online operations, but by no means “the” core spine or the central hub. From the start of jihadist online operations in the pre-9/11 2001 era, they have been resourceful, creative, highly adaptive and keen to adapt to new possibilities showcasing a high degree of innovation of ensuring to fulfilling – in jihadist mindset – the divine command of militant actions in real-life and a coherent flow of content framed as da’wa for the electronic and non-electronic realms.

In short, whatever is possible online, jihadists have been keen and adventurous from start to tamper with and follow a best-practice use that develops from a user perspective to ensure their wide range of violent, pro-violent, non-violent content stays up for as long as possible. The same habitus accounts for jihadist battlefield experiments and making use of scarce resources – as in early of the Iraq war who remembers the handles of shovels re-used as butts for pieced-together Dragunov sniper rifles?

“For the time being, for as far as we know, IS is not present on the internet anymore and we will see how fast, if ever, they will regain service”, according to Belgian Federal Prosecutor Eric Van Der Sypt after a massive takedown of IS accounts and networks on Telegram, IS was quick to kick back into action within about twelve hours. As the Nashir accounts had been culled, a big fuss was being made of the importance of IS having lost its core network.

IS creates content and pushes it out via dispersed networks. While this was centered on Telegram as the main dissemination hub, the Europol-led takedown of IS networks on that platform had the consequence that the networks formerly confined to Telegram are now on over a dozen of platforms and services similar to Telegram. Needles to write, the use of ‘outside’ links to/for the ‘surface’ web continues uninterrupted – but you need to monitor a lot of platforms now to ensure collecting as much as possible IS hubs (from Telegram, yes IS was back quick, to TamTam, Hoop, BCM, etc. etc.).

Cross platform use furthermore has a higher level of resilience as links to respective platforms are exchanged and increasingly a need for a exchange of quick private messages is required to receive ‘trusted’ links, including selected Nashir channels to avoid further takedown (including a Facebook messenger link).

tg-coms

Back to the Nashir

With Nashir alive and kicking on over a dozen of platforms, posting/reposting ‘Amaq content, new videos, new written releases (al-Naba’, collected statement of Abu Bakr etc.), Nashir has regained a presence in the blogging sphere.

bitly-19k

Sharing a bit.ly link, first on December 18 within Tamtam and also within Telegram, this particular link was clicked over 19,000 times since its creation on December 10, 2019.

frontpage

up-to-date content, ‘Amaq statements claming various attacks in MENA, the Sahel, West Africa, the current al-Naba’ edition, martyr poster – screengrab of the Nashir site.

country

Where are consumers most likely located – VPN use distorts yet nobody uses a VPN to switch to a restricted country.

source

and another example of diversification – the problem with the very temporary inconvenience as an “IS user” on Telegram due to the end of November Europol cull has enabled to re-enable the Telegram network and over a dozen other platforms as back/ups / parallel use to decentralized da’wa operations online to ensure a persistent presence of up-to-date and ‘historical’ content of primarily Arabic sources that matter gravely to IS.