Islamic State’s (IS) propaganda campaign in 2014-2015 marked a turning point in the history of digital jihad. The quality and scope of its activities on the Internet proved to be unprecedented. Other Salafi-jihadist violent extremist organisations (VEOs) followed in the footsteps of IS and quickly upgraded their propaganda capabilities. Nevertheless, 2015 marked the beginning of a crisis in Islamic State’s Internet campaign. This process corresponded with increased attention from governments, law enforcement agencies and Internet companies, as they were ramping up their online countering violent extremism (CVE) programs. Effectively, due to the dropping presence of IS on the surface, deep and dark web between 2015 and 2019, many stakeholders and experts believed that content takedown policies were the solution. However, there is not enough evidence to support this claim. In fact, it is quite the opposite, given that we have witnessed the ongoing reinvigoration of militant Islamist propaganda activity on the Internet for at least two years, despite the increasingly strict CVE strategies introduced worldwide. Why do online countering violent extremism strategies not work as intended?
This Insight summarises some of the core findings of an OSINT-based research project that was discussed in detail in an article published recently by Terrorism and Political Violence. This study examines the current shape of online countering violent extremism programs and their consequences (or lack thereof) for the digital jihadist information ecosystems on the surface web. It explores the reasons why CVE programs are not as efficient as widely believed and suggests some alternative solutions to curb digital jihadist activities.
The primary objective of content takedown programs is to prevent Internet users from accessing terrorist propaganda. Thus, to verify whether the CVE strategies work as intended, this study aimed to map the scale of militant Islamist information ecosystems detectable at the turn of 2020/2021, i.e., six years after the launch of major CVE strategies. In order to reach this objective, open-source intelligence means were utilised.
The OSINT investigation consisted of three phases. The first was based on exploiting advanced options and operators in the Google search engine. They were combined with keywords related to Salafi-jihadist ideology (in English and Arabic), terms associated with various VEOs, their media offices or titles of their most prominent productions. The second phase of the investigation was focused on extracting external links from the identified domains that led to other militant Islamist communication channels. In order to do so, a SpiderFoot web scraping application was utilised. Moreover, the study also employed a reverse IP lookup to find other VEO-affiliated websites that were co-hosted on the same server. Subsequently, four types of interconnectedness between the detected militant Islamist webpages were registered in the database: advertisement, external links, similar hosting server, and the presence of similar content. In the third phase, each newly discovered Internet address was a subject of web scraping. Each detected and positively verified Internet address was coded in four categories:
- standalone website (including blogs and message boards),
- microblog or social media profile,
- file-sharing and streaming service,
- other means of communication (Whatsapp, Telegram channel etc.)
Deep web and dark web locations, such as social media accounts or TOR domains, were mapped only if they were advertised or linked by the identified surface web locations.
Mapping the Militant Islamist Information Ecosystems
An OSINT investigation carried out at the turn of 2020 and 2021 mapped 331 communication channels engaged in disseminating militant Islamist propaganda, including 99 standalone websites, 30 social media and microblog accounts, 152 file-sharing services and 50 other means of communication. The most significant part of this environment consisted of Islamic State’s information ecosystem composed of 130 addresses and profiles (Figure 1). The propaganda activities of IS proved to be concentrated around one webpage – Elokab – that served as a cornerstone of its presence on the surface web. It also constituted a repository of its propaganda. Aside from standalone web pages, the group frequently used file-sharing services, including Internet Archive. Information ecosystems maintained by other significant VEOs were much less developed. For instance, only 12 detected addresses were affiliated with al-Qaeda, while Harakat ash-Shabaab al-Mujahidin utilised 19. The Taliban’s presence proved to be unique, as it was primarily founded on 22 standalone websites in multiple languages, combined with several – popular – Twitter profiles. More than 100 identified communication channels were associated with other militant Islamist groups, such as Hayat Tahrir al-Sham or the Chechen extremist network.
Figure 1. One of the Islamic State-affiliated websites on the surface web, as of May 2022
Overall, the open-source intelligence investigation demonstrated that the militant Islamist information ecosystems were extensive despite the launch of major online CVE programs. They enabled quick and easy access to propaganda for all interested Internet users.
Why Don’t Online CVE Programs Work?
This study offers several potential explanations for the fact that content takedown policies have not been as efficient as widely believed. First of all, the Internet architecture enables banned communication channels to be reestablished with little effort. This feature of Internet communication is obvious but frequently overlooked by stakeholders. It means that while law enforcement, NGOs and Internet companies may report and block hundreds or even thousands of terrorist domains or profiles per month, they typically reemerge on other platforms. Therefore, this trend makes online CVE programs similar to combating a Lernaean Hydra, as the blocked communication channels are subject to continuous ‘regeneration’.
Secondly, there are always convenient alternatives for extremist communication on the Internet. Even if some technologies or platforms succeed in removing most militant Islamist content, there are plenty of other convenient communication channels that can be used in their stead. This trend is similar to a digital arms race. For instance, when VEOs experienced their first serious problems with maintaining their presence on Twitter or Facebook, they shifted to Telegram, a more secure and anonymous alternative. And when the first content takedowns on Telegram took place, violent extremists started to increasingly utilise other encrypted communication apps, such as Riot or Threema. In this context, even if some states introduce controversial legislation related to installing backdoors in communication apps, this would make little sense, as open-source or unofficial pieces of software would instantly emerge. Furthermore, the rapidly developing dark web (Freenet, ZeroNet, I2P, TOR) still offers great opportunities for safe communication.
The third explanation is related to the fact that there are overlapping jurisdictions on the Internet and the CVE legislation is frequently impractical or controversial. For instance, the European Union is one of the first entities that employed rigorous CVE standards, including a one-hour window to remove illicit content after being notified by authorities. On the one hand, it creates enormous challenges for administrators of less popular or developed websites, which cannot afford 24/7 content moderation. On the other, due to the global nature of the Internet, non-EU web pages can simply ignore these referrals. After all, other states may adopt different approaches to, for instance, the definition of free speech on the Internet.
Last but not least, strict content moderation procedures may trigger the “Streisand effect” related to terrorist propaganda. This already happened in the past, at the apogee of Islamic State’s campaign in 2014 and 2015. Despite the fact that Internet companies and law enforcement paid particular attention to removing its most shocking videos as soon as possible, they frequently went viral due to activities of ordinary Internet users that independently disseminated them through social media and encrypted communication apps. Nowadays, this phenomenon may be observed again, although with a slightly different specificity. Analysis of Islamic State’s communication hotspots proves that its followers are frequently engaged in disseminating its productions via file-sharing services. Overall, this situation shows that stricter CVE programs may force Internet users to reshare militant Islamist content, which, in turn, strengthens the online resonance of VEOs.
Combating Digital Jihad with Non-CVE Means
In this context, it seems that some non-CVE means are more likely to decrease the scale and efficiency of digital jihad. Existing data suggest that the first CVE programs, introduced in 2014, had little influence on the scope of IS’s presence on social networks. However, IS’s activities significantly dropped when the group started to suffer its first serious military defeats. Moreover, there is noticeable evidence indicating that US airstrikes that specifically targeted key propagandists of IS had a tremendous impact on its online capabilities. This shows that kinetic activities targeting media operatives may be the key to decreasing the scale of digital jihad. In this context, offensive cyber operations may be considered. In 2016, the United States carried out a series of cyber-attacks against the digital infrastructure of Islamic State – codenamed Glowing Symphony – which also played a particular role in downgrading its online capabilities.
Alternatively, law enforcement can use digital forensics to track and apprehend individuals responsible for producing and distributing militant Islamist propaganda materials. Such an approach also provides significant effects in downgrading VEOs’ presence on the web. This was proven in the case of Ahlut-Tawhid Publications (ATP), an unofficial pro-IS cell that was active on the Internet back in 2018. After a series of apprehensions in Australia and the United States, the group went inactive.
The aforementioned considerations enable four conclusions to be made. Firstly, even though CVE programs on the Internet have been conducted for years, militant Islamist propaganda is still easily available on the surface web. This means that the current content takedown policies are not as efficient as was widely believed. Secondly, judging from the scope and specificity of information ecosystems detected by this study, online CVE programs have been unevenly applied to militant Islamist groups. While some of them, such as IS and al-Qaeda, constituted a priority for the law enforcement agencies and Internet companies, others – such as the Taliban – attracted very little interest from stakeholders. Thirdly, current online CVE strategies do not adequately address the core features of digital jihad. Their efficiency is significantly decreased by the relative ease of reestablishing banned communication channels, impractical legislation introduced by, for instance, the European Union, and overlapping jurisdictions on the Internet. This means that other methods of curbing online propaganda should be considered. This paper argues that the most efficient approach should combine online and offline activities that frequently fall outside of the remit of CVE. This does not mean that stakeholders should resign from content takedown policies, especially on social media. Still, online CVE should be considered as a secondary, not a primary, means of combating militant Islamist activities on the surface web.