
Analysis: ISIS use of smaller platforms and the DWeb to share terrorist content - April 2019



Summary of Tech Against Terrorism's analysis:

  • Analysis of more than 45,000 URLs since 2014 across more than 330 platforms shows that smaller platforms are heavily targeted by ISIS and that 49% of all URLs were found on just eight of these platforms.

Key Conclusions:

  • ISIS experimentation with small social media platform Koonekti is the most recent case of the group experimenting with new and small-sized platforms in an attempt to find a viable alternative to Telegram.
  • The decentralised web (DWeb) - an alternative to the current world wide web - appears to have proved a stable alternative to Telegram and the smaller platforms in some cases. Nevertheless, we are unlikely to see a transition from Telegram to DWeb services unless Telegram becomes substantially more hostile towards ISIS and its supporters or DWeb services more user-friendly.
  • Any alternative to Telegram - including DWeb services - will require specific characteristics in order to be widely adopted by terrorists. These factors are: Security, Stability, Usability and Audience Reach.
  • Continued monitoring of ISIS "media experiments" is crucial for identifying platforms that require support - this monitoring effort should include the broader propaganda distribution ecosystem and the dynamic and complex interactions between larger and smaller platforms.
  • Any successful disruption operation must be based on evidence-based research that learns lessons from Systems Theory in order to avoid like-for-like displacement of activity from one platform to another. Likewise, it is important to emphasise that any action against terrorists could lead to unwanted consequences, such as a ‘mass migration’ to the DWeb which is inherently more difficult to understand, influence, and disrupt.

ISIS continues to experiment with new smaller platforms

On 14 April 2019, the ISIS-linked propaganda disseminator group Nashir News Agency promoted its new social media page on a relatively new social media platform called Koonekti. Within thirteen hours, the page had gathered 28 Likes and received the verified status, symbolised by the blue tick next to the page name and handle (see Fig.1). A few hours later, the page had been removed and has not reappeared since.

This is not the first case of ISIS experimenting with relatively small and lesser-known social media platforms. According to BBC Monitoring jihadism specialist Abdirahim Saeed, ISIS recently tested a social media platform called Go Like, which was similarly unsuccessful. When looking at past attempts, a pattern emerges, namely the use of small- to medium-sized apps, platforms and services. Past examples are Baaz, Viber, Kik, Ask.fm, Discord and others, including micro-platforms run by a single individual.

Successful exploitation of smaller platforms depends on the platform's Security, Stability, Usability, and Audience Reach

Following the key conclusions of the European Counter Terrorism Centre's (ECTC) Advisory Network Conference at Europol, experts agree that terrorist groups carefully assess platforms and choose to settle on those that offer maximum:

  • Security: high-security standards (e.g. end-to-end encryption) to increase operational security (OPSEC) for ISIS media operatives and end-users
  • Stability: to what extent are ISIS media operators and supporters protected from any interference by the platform owner and/or third parties (e.g. content and account removals or DoS/DDoS attacks)?
  • Usability: how easy is it to install apps or sign up on platforms? And, how usable is it on a daily basis?
  • Audience Reach: how many users can be reached when using this particular platform or service?

When assessing the level of risk a tech or social media company faces from exploitation by terrorists, these factors should be considered.


ISIS is also experimenting with DWeb platforms and apps

Besides exploiting non-decentralised platforms, there are also more sophisticated efforts aimed at exploiting the benefits of emerging, data privacy-focused trends, such as the decentralised web (DWeb) and decentralised applications (DApps). The aim of these experiments is to find out whether the DWeb and DApps could provide a stable and viable alternative to Telegram. In this regard, it should be noted that decentralised platforms are inherently more difficult to monitor because the DWeb promises control and privacy for anyone using it.

Successful adoption of the DWeb could prove significant for ISIS

Decentralised services have already been exploited by ISIS and its supporters. Examples include DWeb services Riot, ZeroNet and most recently Minds, an open source and decentralised platform. If implemented successfully and accepted by the wider pro-ISIS audience, it will become difficult - if not impossible - to tackle ISIS presence on these decentralised services. That is because these services are independent from any intermediary or ‘middle man’ for receiving and sending messages.

Following a recent analysis of ISIS’ use of decentralised platforms, the jihadism team at BBC Monitoring concluded that “media operatives appear to have proved” that the DWeb offers stability. In other words, there is a chance the DWeb could be 'the next Telegram'. However, a few key factors suggest that this migration is not yet imminent. For example, Telegram still offers most of the requirements that ISIS is looking for in a platform (stability, security, usability), the only downside being relative lack of audience reach due to the 'invite-only' nature of many pro-ISIS groups and channels. As such, ISIS is unlikely to move away from the platform in large numbers unless Telegram becomes significantly more hostile towards the group and its supporter base. Similarly, many of the DWeb platforms the group has experimented with to date still fall short of providing usability that Telegram offers.

Quantitative analysis: ISIS preference for small-sized platforms

Exploiting medium- to large-sized platforms as well as DWeb services is not the only problem. In fact, there are hundreds of small- and micro-platforms exploited by ISIS. From file-sharing and streaming services to pastebins, these sites have become an integral part of the propaganda distribution ecosystem. Unlike the larger platforms, small- and micro-platforms lack the required resources to tackle this exploitation alone.

At Tech Against Terrorism*, we have monitored terrorist use of the internet since 2016, and have collected more than 45,000 URLs that lead to numerous websites hosting terrorist material. Whilst this material is not a comprehensive collection of terrorist content disseminated on the internet, it provides several important diagnostic insights. Based on our analysis, we have found evidence of more than 330 platforms being used by terrorist groups within this timeframe. These platforms differ in terms of size and use-case, e.g. communication, file sharing, hosting, etc. Most importantly, we have found a stark over-representation of small- and micro-platforms amongst terrorists’ platforms of choice. For example, out of the top 50 most used platforms identified in our data, half are small- or micro-platforms (Fig.2). Also, 44% of the top 50 most used sites are file-sharing sites and other cloud storage services.

Terrorist groups also have favourite platforms: 49% of URLs were found on just eight platforms (Fig.3). The remaining 50% of content is spread across the remaining 322 platforms (98% of the long tail). This wide distribution and fragmentation of content has become more prominent in recent years, especially as some of the larger platforms have made strides in removing terrorist content and accounts from their sites.

 

There is a need for a systems-based approach to tackling terrorist use of the smaller platforms

While larger platforms have undoubtedly improved their response in tackling content created by ISIS and its supporters, the smaller platforms now require significantly more support. As our analysis has shown, 25 of the top 50 most-used platforms are small- or micro-platforms. Put simply, half of ISIS’ favourite platforms (since 2016) were created and run by individuals or a small group of individuals, who often lack the financial and technical resources required to make their platforms less appealing to ISIS. This is why any response to terrorist use of the internet will need to be a systems-based approach. In other words, any response needs to view the problem as a whole and must not reduce it to just a few specific platforms.

To identify those that need support, it is crucial to continue monitoring ISIS’ media operations. In doing so, research needs to focus more on the distribution ecosystem and its individual components than on the propaganda material itself. This does not mean that ISIS material should not be subjected to critical scrutiny or exploited for intelligence analysis purposes; however, to successfully disrupt the propaganda distribution system, a thorough understanding of the ecosystem, its single components and their complex, dynamic interactions is required. Any successful disruption operation would then need to target these key components of the ecosystem which have been identified as most influential in terms of containing the spread of terrorist material. However, it is important to stress that any action against the ISIS media ecosystem could lead to unwanted consequences, such as a ‘mass migration’ to the DWeb or other services and apps. Additionally, the current debate around terrorist use of the internet has to be broadened to include the DWeb and its use by terrorists.

The Tech Against Terrorism team, London

*With special thanks to Hiroyasu Nagata for advice about URLs and the data science team at QuantSpark
