How Terrorists May Abuse Micro-Blogging Channels Like Twitter

By Nitesh Dhanjani
December 18, 2008 | Comments: 9

A recent US Army intelligence report identifies Twitter as a potential communication channel for terrorist activities. I think it is fantastic that intelligence efforts like this have the foresight to recognize emerging channels of communication and that there is effort being put into proactively enumerating the potential use cases. Yet, I am not impressed with the limited case studies presented in the report (the obvious case of Twitter being used for communication in addition to extremely specific situations of Twitter being used to trigger explosive devices). I feel that the use cases presented in this report are a good start, but they do not go beyond the obvious scenarios. Therefore, in this article, I want to further the discussion on how micro-blogging channels may be leveraged by terrorist organizations to obtain real time surveillance and intelligence of their efforts. I feel this sort of a conversation will be beneficial to counter-intelligence efforts (I will write a separate article on how Twitter may be actively leveraged by counter-intelligence).

Before I go any further, I want to get out of the way a probable knee-jerk reaction that I suspect some readers may have at this point. I am in no way proposing Twitter or social media as an evil (in fact I'm a huge fan of Twitter and I use it on a daily basis). That would be as absurd as saying that the Internet is evil because criminals can use it to communicate. Twitter is a channel of communication - my goal is to point out increased capabilities this channel may provide for criminal use.

I also want to point out that discussions like these are often brushed off as fantastical. Perhaps this response comes from the tendency to place too much weight on the (flawed) hypothesis that only past and known mechanisms are going to (re)occur in the near future. Consider 9/11: the incident would have been brushed off as fantastical had someone had the foresight to predict the scenario beforehand. Often, potential scenarios appear to be less probable not because of rational conclusions, but because of the human tendency to believe that only past scenarios have the highest probability of occurrence. Nassim Nicholas Taleb makes this point, in addition to stating that impactful events are less predictable, in his book The Black Swan: The Impact of the Highly Improbable - a must read for any security professional.

Terrorists in the recent Mumbai attacks were found to have used Blackberries to communicate and to check world news to measure the impact of their actions on a real time basis:

The heavily armed attackers who set out for Mumbai by sea last week navigated with Global Positioning System equipment, according to Indian investigators and police. They carried BlackBerrys, CDs holding high-resolution satellite images like those used for Google Earth maps, and multiple cellphones with switchable SIM cards that would be hard to track. They spoke by satellite telephone. And as television channels broadcast live coverage of the young men carrying out the terrorist attack, TV sets were turned on in the hotel rooms occupied by the gunmen, eyewitnesses recalled.

The authorities in India that responded to the attacks did not know about the Blackberries until after the fact. However, had the authorities known that the criminals possessed Blackberries while the attacks were ongoing, they wouldn't have known how to leverage that knowledge. The point I'm trying to make here is that, in general, organizations that are responsible for researching and responding to incidents like these seem ill-equipped because they do not know how to assess and leverage the increased utilization of information technology by criminals.

While the attacks in Bombay were ongoing, Twitter seemed to light up with conversations. From citizen journalists, to concerned individuals looking for relatives, to volunteers who attempted to orchestrate blood donations, there were approximately 80 new 'tweets' on the #Mumbai channel every five seconds!

It is clear how useful a micro-blogging channel like Twitter can be to the public during situations such as the Bombay attacks. However, in the following list, I want to enumerate how potential terrorists may leverage a channel like Twitter to perform surveillance and mass manipulation of a sort that was not possible prior to the micro-blogging medium. The list below is presented in the context of the recent attacks in Bombay, but its items can be applied to other situations as well. This is by no means an exhaustive list, but I think it is enough to get the conversation going.

Circumventing rescue efforts. Twitter was used by citizens in the vicinity of Bombay to call upon the public for blood donations. Here is an actual Twitter message sent while the attacks were ongoing:

This message was then immediately 're-tweeted' by many others, the following is a snippet of just 5 of such 're-tweets':

It is clear that Twitter messages can assist in rescue efforts, and in this case, they played a positive role in broadcasting details on where volunteers may help out by donating blood.

Now, consider a situation where a malicious party were to sign up for multiple Twitter accounts and Tweet messages similar to the one presented in this use-case but using non-existent phone numbers:

JJ hospital needs A-blood urgently. Please call Ashwin at 92331003351 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003352 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003353 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003354 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003356 #mumbai

The potential for abuse in this case relies upon the fact that, during emergency situations, people are likely to accept and re-broadcast messages without verification. The malicious Twitter messages above, with incorrect phone numbers, are just as likely to be re-tweeted. People who are able and want to donate blood will now no longer be able to effectively utilize the micro-blogging channel to contact the proper resources.
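From the defender's side, the pattern in this use case (identical wording, diverging contact numbers, several accounts) can be detected before it is amplified. The following is an added example, not code from the original article: it groups messages by their wording and flags any appeal that is circulating with several different numbers. The account names, the second sample appeal, and the threshold of three numbers are constructed assumptions.

```python
import re
from collections import defaultdict

PHONE = re.compile(r"\d{8,}")  # assumption: a long digit run is a contact number
RT_PREFIX = re.compile(r"^(rt\s+@\w+:?\s*)+", re.IGNORECASE)

# Constructed sample stream of (account, message). The first appeal reuses the
# article's illustration; accounts and the second appeal are made up.
APPEAL = "JJ hospital needs A-blood urgently. Please call Ashwin at %s #mumbai"
CAMP = "Blood camp at the city college gate, helpline 00000000001 #mumbai"
SAMPLE = [
    ("acct_01", APPEAL % "92331003351"),
    ("acct_02", APPEAL % "92331003352"),
    ("acct_03", "RT @acct_02: " + APPEAL % "92331003352"),
    ("acct_04", APPEAL % "92331003353"),
    ("acct_05", APPEAL % "92331003354"),
    ("acct_06", APPEAL % "92331003356"),
    ("acct_07", CAMP),
    ("acct_08", "RT @acct_07: " + CAMP),  # honest amplification: one number
    ("acct_09", "Roads near the station are closed #mumbai"),
]

def template_of(message):
    """Reduce a message to its wording: drop RT prefixes, mask the number."""
    body = RT_PREFIX.sub("", message.strip())
    body = PHONE.sub("<num>", body)
    return " ".join(body.lower().split())

def conflicting_contact_clusters(stream, min_numbers=3):
    """Return appeals whose wording matches but whose contact numbers differ."""
    numbers, accounts = defaultdict(set), defaultdict(set)
    for account, message in stream:
        found = PHONE.findall(message)
        if not found:
            continue  # no contact number, nothing to verify
        key = template_of(message)
        numbers[key].update(found)
        accounts[key].add(account)
    return [
        {"template": k, "numbers": sorted(n), "accounts": sorted(accounts[k])}
        for k, n in numbers.items()
        if len(n) >= min_numbers
    ]

if __name__ == "__main__":
    for cluster in conflicting_contact_clusters(SAMPLE):
        print(cluster)
```

A flagged cluster is a cue to verify the number with the named hospital before re-broadcasting; a widely re-tweeted appeal that carries a single number is not flagged.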

Group sentiment analysis. The genuine nature of micro-blogging channels makes them a powerful channel to capture genuine human feelings. In my previous article, Hacking the Psyche, I presented how individual feelings from the social web, including Twitter, can be captured to create an emotion dashboard depicting the past and current states of feelings.

Since the goal of terror attacks is to cause terror, sentiment analysis can be a powerful tool for the terror agents to measure the impact of their attacks. A mashup of an automated sentiment analysis engine using the Twitter API coupled with the Google Maps API can easily give the agents a clear visual of how their terror attacks are impacting the emotional states of individuals in particular locations. For example, are people in target location x upset / scared / worried / angry / happy in response to the ongoing or recently committed attack? What locations around the world have reacted negatively or positively to the attacks?

Following the news media. This is most likely to be one of the more obvious use cases. As mentioned earlier, the terrorists in the Bombay attacks were found to have used Blackberries to keep up with news websites to measure the impact of their ongoing efforts. Instead of having to surf to multiple news media websites, it is plausible that criminals can utilize traffic in the particular channel of interest, for example #Mumbai, to find pointers (URLs) to high quality reports pre-filtered by the Twitter community. The following is a screenshot of Twitter messages in the #Mumbai channel:

Leveraging and manipulating citizen journalists. Individuals in the vicinity of the ongoing attacks in Bombay were providing first hand reporting of police efforts. This information is likely to be extremely useful to the criminals.
Furthermore, individuals on the scene may be remotely manipulated to provide specific information that a criminal may be seeking, for example, the following message could be posed to the #Mumbai channel by a malicious entity seeking further details: "Can anyone on-site please confirm the number of choppers above Nariman house asap?"

Data poisoning police efforts. In a future article, I will attempt to enumerate ideas on how police may be able to utilize social media, one of the use cases being the ability to leverage information from citizen journalists to strategize counter-efforts. A malicious response to this is likely to take the form of data poisoning, where the malicious party may post false information onto the micro-blogging channels while posing as citizen journalists.

Geo-locating and instigating further panic. One of the goals of terrorism is to instigate panic. Many Twitter clients, especially those that run on mobile platforms, allow users to tag their specific geo-location. This information can be queried and coupled with the sentiment analysis discussed above to measure the level of panic based on geographical locations.

Further panic and unrest may be instigated by spreading false rumors. From the malicious party's perspective, it is a lot cheaper to create panic by spreading rumors than by carrying out physical activities. To illustrate, here is an example of messages that overwhelmed the #Mumbai channel, triggered by a single Twitter message from someone suggesting that the terrorists may be reading the information being posted. It was unlikely that the terrorists in the Mumbai incidents were reading Twitter, but the point I'm trying to make here is how fast such a rumor can snowball.

So what does all of this mean? The goal of this article is to spread awareness and raise consciousness. The ideas presented in this article may appear far fetched at the moment, but with the explosive growth and integration of social applications into the lives of the Generation Y culture, it is increasingly probable that malicious parties are likely to leverage social media channels as time progresses. I feel it is important that we have a good grasp of how criminals may utilize these channels so we better understand the tactics of enemies we are likely to deal with in the future.

Perhaps it may also be useful to extend this thought process to criminal use of social media in terms of cyber-warfare. Many people expect cyber-warfare tactics to be limited to defects in the network and application layers, yet it is increasingly plausible that government sponsored crime may take upon use cases that leverage social applications. I have discussed the abuse of sentiment analysis in my Hacking the Psyche article that illustrates one such example. If you are interested in this topic and if you are in New York during January 6 - 8, I will be speaking at the 2009 International Conference on Cyber Security.

There are inherent risks with any emerging technology. I've been using examples of potential public exploitation through technology for years and there are always new scenarios to examine. I remember having similar discussions when flashmobbing via SMS emerged in urban areas.

In almost every case, the benefits outweigh the negative aspects of the technology. What is important is to raise awareness and also to depend on reputational aspects of these technologies, whether explicit or not. For example, would a Mumbai terrorist have a Twitter account with several hundred followers established in advance? Should you really re-tweet from someone you don't know in public safety circumstances?

Good article and much additional discussion and awareness needed.

It might be interesting to think about how the opportunity to spread misinformation might be mis-used by a government, as opposed to terrorists. I wonder if anyone's done a study on the decision making that goes into re-tweeting -- are people more likely to re-tweet a trusted source, or is there no real evaluation?

They could have set up cellphone transmission blocking devices. Police need communications that cannot be blocked, while carrying equipment that blocks other common communication equipment.

Don’t you think this type of paranoia induced coverage is exactly what leads to a society inhibited by fear and sceptical of new developments in technology?

This type of society is in turn easier to manipulate. I am not saying that terrorist attacks are not a real threat but the majority of people are unlikely to ever encounter one first hand.

The sensationalist journalism surrounding such issues makes them seem far more commonplace than they actually are and feeds a culture of anxiety which stops people from enjoying life.


If I wanted to promote sensational journalism, I would've toned my article a lot less academically. That said, the point here is to call upon the intelligence authorities to be more proactive. I wouldn't think this would ultimately have much effect on the citizens using social applications on a normal, daily basis.

Just a hint. France for example has now surveillance of teacher's activities on the net as a fact...

From a school based connection only, or from their home based connection??

@Esther Armstrong:

This article is not sensationalist in the slightest. In fact, case studies into the power of social media will encourage more people to adopt the technology.

Very enlightening read, Twitter could react in such circumstances with response messages.

In the mumbai case for instance the search page for "#mumbai" tweets could have a warning about the sensitivity of the information, tweets sent via text messages which include "#mumbai" should initiate an automated warning as well as a procedure for retracting the recent tweet.
