Artisanal Intelligence and Information Triage
By: A. Aaron Weisburd
Social media hold out the promise of discovering previously unidentified threats, as well as the peril of information overload. It is possible to utilize social media to find the unknown unknowns, those violent extremists who we can assume exist but whose identities are not currently known to us. It is also possible to triage social media profiles in order to identify those most likely to generate useful investigative leads. As a practitioner of "artisanal intelligence," I collect, analyze, and report for further investigation social media data related to a broad range of violent extremist threats—by hand, not with software. While the work requires a certain attention to detail, the result is a high degree of familiarity with various threat groups. Most importantly, it is a method that works.
Consider the Princess.1 She presents herself on a prominent social media site as being in her mid-20s, an ethnic Somali who was raised in Nairobi. She very clearly self-identifies with the Somali insurgent group al-Shabaab, describes her favorite music as "Anasheed," and says her favorite movies are "Jihad Movies."2 This information may be of passing interest but is hardly actionable. However, the Princess also identifies herself as a "Cashier/Hostess" for an airline operating out of a country in the Arabian Peninsula. Even if it turns out the position only gives her access to an airport, and not to any of her employer's aircraft, that is a good lead.
The collection and analysis of social media profiles raises the specter of data mining, with its attendant controversy, methodological critiques, and negative public perceptions.3 In addition to the questionable efficacy and the political volatility of wholesale data mining, experience suggests that a more targeted approach to social media yields better results more quickly, with fewer false positives and less invasion of privacy.
This more targeted approach is a variation on snowball sampling, a technique that has long proven useful in the study of deviant behavior in small populations.4 Start with individuals who can be found on social media, and who are known to be involved in the movement or organization of interest. For example, upon hearing that Samir Khan had left for Yemen (and his ultimately fatal partnership with Anwar al-Awlaki and al Qaeda in the Arabian Peninsula),5 I began an analysis of the social networks of extremists who support al Qaeda in the United States by examining Samir Khan's profile on a popular social media site. Figure 1 is the initial social network diagram that came out of this investigation.
Typology of Samir Khan's Network
Samir Khan is the red node. Known U.S.-based associates of Khan are blue, and include people such as Proscovia Kampire Nzabanita (node 26), aka Umm Talha, wife of convicted Revolution Muslim activist Zachary Chesser, aka Abu Talha al-Amriki. Ordinarily the people to the right, with only one connection to the network, would be dropped. Given that their one connection is to Samir Khan, however, I left them in. The remaining nodes, in green, are believed to be outside the United States. The members of Samir Khan's network can be roughly divided by type, and this typology will characterize other networks of violent political actors, not only jihadist networks. Understanding these types can both help to understand the network and guide efforts to combat it.
In the case of Samir Khan's network, the celebrity is Moazzam Begg (node 24), a former Guantanamo detainee and self-described human rights activist. Begg has many thousands of friends online, from a broad range of backgrounds and political perspectives. While these virtual friendships likely have little meaning for Begg, for Samir Khan and his friends to be able to reach out and connect to a public figure may have been important to them in the course of their radicalization.
Leadership figures are in this case represented by Abdullah el-Faisal (node 11). Based in Jamaica, Sheikh Faisal has been imprisoned, detained, deported, and barred from flying or entering quite a few countries as a result of his frequent calls for violent jihad. Of note here is that while el-Faisal has almost as many connections to other network members as Moazzam Begg, el-Faisal's online friends number a few hundred rather than many thousands, increasing the likelihood that virtual friendship with Sheikh Faisal might be significant.
These are organizations, typically larger and less radical than the extremist groups that emerge from within them. For Samir Khan's network, the mobilizing structure was a Salafist study group that operates both online and from a suburb of London. The group itself does not espouse violence, and yet Samir and a number of his friends could be found there. This is node 20.
Anomalies are individuals who associate with extremists while presenting a reassuringly peaceable face to the world. Here the anomalous individual is node 23. The reasons for this apparent disconnect between how someone presents themselves in public and who they associate with are many. One obvious scenario is that they feel a need to hide how they view events in the world, or what activities they may be involved in. While it is possible that a person happens to be friends with only likeminded individuals, Samir Khan's network, like all such networks I have examined, was composed of people linked to Khan for a variety of reasons. Some were clearly relatives, or people Khan went to high school with. There was no need to collect any information about them. Often this type, the people of no interest to us, may be the largest part of the network.
Social media profiles alone are unlikely to provide evidence of an imminent terrorist threat. We can assess profiles using an assortment of measures in order to focus further investigative work on a smaller pool of individuals more likely to be involved in extremist activity. The following is not a complete list of the components of a social media profile, but it might be used to start a discussion of these elements and their assessment or measurement.
While a subject's social network can be quantified, graphed, and analyzed, the analyst also needs to make a qualitative assessment of the subject's associates. Success as a terrorist is a function of whom one associates with, and whom or what those associates know. Although violent extremists are often inclined to share their political opinions and concerns, experience says this is not always the case. Taimour al-Abdaly, for instance, launched a complex attack on Christmas shoppers in Stockholm, an attack that fortunately resulted only in his own death when his suicide vest exploded prematurely. Arid Uka opened fire on a U.S. military bus at the Frankfurt airport, killing two service members and wounding two others before being captured. Neither man displayed anything on their social media sites that would suggest they saw themselves as part of the global jihad, let alone that they were preparing to carry out an attack. Both were, however, openly associating with networks of known extremists: al-Abdaly with Samir Khan's network and Uka with radical Salafist/jihadist activists in Germany—the very network that also included the Princess. There is no reason to think the Princess was previously known to any security service, nor might she have been suspected of links to a known network of violent extremists, yet human judgment and information triage identified her as a potential threat where data mining and its algorithms may have overlooked her. The presence or absence of visible support for violent extremism needs to be assessed in light of the quantity and quality of known associates.
While in theory the internet enables globe-wide communications and the development of long-distance relationships, in practice the most gain is seen in local relationships.6 Existing social ties are strengthened more than new ties are formed, and real-world proximity appears to be a determining factor in the development of online ties. There are many reasons why people may be friends on the internet, but more often than not, the reason is that they already know each other. Online social networks tend to mirror real-world social networks.7 One consequence is that even when a subject declines to reveal his or her location, the location of friends can be used to discover where the subject is now, or was in the past. Conversely, if we are looking for unknown agents from a particular country who may be "sleepers" in our country, we could scour social media for any citizen of that country now living here. We could, for example, try to identify every Iranian-American and/or every Iranian national living in the United States who has a social media account, and then examine each one in the hopes of finding those who self-identify with some element of the Iranian Revolutionary Guard Corps (IRGC). But there is a better way. A more targeted approach would start with individuals in Iran who are known to be involved with the IRGC, and work outwards searching for associates who are now in the United States.
Analysis of the text presented on a social media profile can at least place the subject somewhere on the ideological spectrum. The problem with focusing on what people say online is that, while it might provide some indication as to their intent, it is unlikely to shed light on their capabilities. In practice, people who become involved in terrorism may actually state their desire to be a terrorist; may say quite a lot without providing any clear expression of terrorist intent; or may say nothing at all.
Even when subjects self-censor the text they post to their profile, the political nature of extremists means they will often communicate through imagery what they might not verbalize. The Princess of jihad who worked for the airline made no explicit threats on her social media profile, but her profile picture was of a group of women who were members of al-Shabaab, holding AK-47 assault rifles and copies of the Qur'an in the air. In the case of someone linked to the IRGC, imagery associated with recent events may support an assessment that the connection is more, or other than, a reflection of a personal relationship. Many people may support the uprising of Shi'a Muslims in Bahrain, and some may support the Ba'athist regime of Bashar al-Assad of Syria. But someone who simultaneously supports protesters in Bahrain and the slaughter of protesters in Syria is reflecting the current political objectives of the most radical elements in the Islamic Republic of Iran. The visual elements in this case will typically be the prominent display of images of Bahraini protesters being beaten or killed, side by side with Syrian flags and flattering images of Assad.
The hyperlink is at the heart of the Web, and extremists can be counted upon to link to both what they like and what they hate. It is common, for example, that jihadists will list the forum they spend most of their time on as "their" website, even though they are not involved in the site's management. In this regard, as in many others, violent extremists are not significantly different from the rest of us.
Focus on the Network
The objective of this analytical triage is to seek out both exculpatory and inculpatory information. It seeks to identify patterns and assess the degree to which these elements all point in a similar direction, and to identify anomalies or breaks in the pattern. It makes note of people who present as non-extremist, or who reveal little or nothing about themselves, but who are found to be associated with extremists all the same. It also notes those who, while linked in some way to known extremists, are not themselves a threat. As one pursues first the friends, and then the friends of friends, of people already involved in terrorism, this triage technique helps maintain the focus of the investigation. The end result is a network of weakly tied but like-minded people. Given that this network was mapped out based on the social media profiles of bona fide terrorists, it is likely that from within it individuals and strongly-tied groups will emerge and try to involve themselves in terrorism. While we can identify the components of such networks, and map out their interrelationships and locations, there are too many other factors involved for us to be able to predict who the next terrorist will be. Unable to know exactly who will emerge from the network and strike, we therefore need to undermine the network of extremists as a whole. The strength of weak ties is in their ability to move information from ideology to actionable intelligence.8 The weakness of weak ties lies in their vulnerability to infiltration. A strongly tied group may constitute an operational unit, but in becoming so it invariably breaks the weak ties to the community it emerged from. Successful counterterrorism exacerbates this process, causing the network itself to wither.
An artisanal approach to social media analysis bypasses the various problems inherent in a big-data approach, and bears fruit more rapidly by developing a context in which to assess an individual as a potential target for investigation or recruitment. It also places individuals in a network that may be observed for evidence of impending violence; infiltrated and exploited; or undermined and dismantled.
About the Author(s): A. Aaron Weisburd is a node in a global ad hoc network of counterterrorism and intelligence professionals. He is the founder of watchdog group Internet Haganah, and a recipient of an FBI Director's Commendation. In addition to research and operational activities, Weisburd instructs on the behavioral aspects of extremist use of the internet to elements of the intelligence community. He has a Bachelor of Science degree in Information Systems Management, and an MA in Criminology.
1. The individual's real name is not known to me, and particular details of her employment and location have been redacted. Her profile is no longer publicly available.
2. Anasheed, commonly referred to as nasheeds, are a cappella songs of jihad and martyrdom favored by jihadists.
3. Bruce Schneier, "Data Mining for Terrorists," Schneier on Security website, March 9, 2006: http://www.schneier.com/blog/archives/2006/03/data_mining_for.html; accessed June 12, 2012.
4. Patrick Biernacki and Dan Waldorf, "Snowball Sampling: Problems and Techniques of Chain Referral Sampling," Sociological Methods Research vol. 10, no. 2 (November 1981): 141–163.
5. At the time, Khan was a central figure in a loosely knit confederation of activists who operated under the rubric Revolution Muslim, and made vigorous use of social media. Investigations and arrests across the United States following Khan's departure led to the dissolution of Revolution Muslim. The remnants now operate in several states under the banner of "Sharia4–," e.g., Sharia4Kentucky, Shariah4NewMexico, etc. Khan himself was killed along with his mentor al- Awlaki in a September 2011 U.S. drone strike in Yemen.
6. Jacob Goldenberg and Moshe Levy, "Distance is Not Dead: Social Interaction and Geographical Distance in the Internet Era," Hebrew University, Jerusalem, 2009.
7. A. Aaron Weisburd, "Jihadist Use of the Internet and Implications for Counter-Terrorism," in Terrorism and Political Islam: Origins, Ideologies, and Methods 3rd edition (Washington, D.C.: FBI Counter-Terrorism Division, forthcoming).