Tracking Terrorists Online

Yuki Noguchi
Washington Post Staff Writer
Wednesday, April 19, 2006; 11:00 AM

Washington Post staff writer Yuki Noguchi will be online to discuss increased Internet privacy concerns of terrorist groups.

Noguchi examined the issue in an article she wrote with Sara Kehaulani Goo about how terrorist groups are now advising members about online anonymity and avoiding intercepts.

Noguchi will be joined in the discussion by counterterrorism expert Evan Kohlmann , who runs the Global Terror Alert Web site. Kohlmann participated in an online discussion last August about al Queda and its use of the Internet. He was also featured in a video report on the topic.

A transcript follows .


Yuki Noguchi: Hello, all. Thanks for joining us today. With me is Evan Kohlmann, an expert in counterterrorism as well as technology. The Internet has become a vital networking and communications tool for the world over, including for terrorist networks. Security and privacy are also major concerns for all users of the Internet. Kohlmann knows a great deal more than I about operations of terrorist networks online, and I am grateful that he is here to field some of your questions.


Tampere, Finland: Combining ip-address ja usage logs and customer files from various online services, polls and "anonymous" sites can create powerful databases for further datamining and profiling. Isn't this all a bit out of control, since logs are collected and traded worldwide and throughout every nation by almost whoever figures out new ways to create profiles about whoever uses the net by ways most people never much think about possible and over long periods of time?

Evan Kohlmann: I agree, these sources of information can *potentially* be cross-linked and cross-referenced to create a virtual database of frequent visitors to terrorist websites and chat forums. The problem is, knowing where those websites and chat forums are, having access to them or to their usage logs, and still being able to sort through all that data in an efficient way. Surveillance systems like Carnivore have a very real limitation, in that they collect so much data it becomes somewhat overwhelming. The answer to your question is that a lot less aggressive surveillance and data mining goes on than you would imagine.


Silver Spring, Md.: One hears about denial-of-service and hacking attacks against websites. Why doesn't the CIA bring down some of the websites spewing hostile propaganda if they can't get useful information out of them?

Evan Kohlmann: There is a two part answer to your question:

1.) U.S. government agencies have had some difficulty, at least in the past, in identifying which extremist websites are "the most important" ones.

2.) They can and they do get useful information out of them. As noxious as it is to watch these folks spread their hateful message, there is a treasure-trove of information that can be mined from terrorist communiques and videos--and even casual online discussions among jihadi footsoldiers. One need only look to the CIA's Foreign Broadcast Information Service (FBIS), which was initially setup in the 1940s to collect and translate foreign open source intelligence information (mostly newspapers and magazines). These days, the FBIS service regularly includes translations from many terrorist or terrorist-linked websites and chat forums. They provide an unprecedented inside look at how modern terrorist groups function and operate. They also offer a possible chain of evidence that, if properly investigated, can lead back to important transnational terrorist operatives. In other words, don't shut the websites down, but rather use them as a means to shut the terrorist organization down instead.


New York, NY: How do you rate the significance of the recent arrest of Irhabi007? Are there dozens ready, willing, and able to fill the void or does his capture create a significant vacuum?

Evan Kohlmann: The recent arrest of Younis Tsouli (a.k.a. Irhaby007) in the United Kingdom was no doubt a significant victory in the war against online terrorism. Tsouli was one of a very select few individuals who have successfully used the Internet as a means to network and share resources with a host of Al-Qaida-linked terrorist organizations, most notably Abu Musab al-Zarqawi in Iraq. At the time of Tsouli's arrest, British investigators reportedly discovered photos of locations in Washington D.C. and instructions on how to produce a car bomb. In October 2004, Zarqawi's representative on the Internet Abu Maysarah al-Iraqi even wrote a public recommendation of Tsouli: "Bless the terrorist, Irhaby 007. In the name of Allah, I am pleased with your presence my beloved brother. May Allah protect you."

The problem, of course, is that the vacuum left by Irhaby007 is quickly being filled by a larger, anonymous group of new cyberterrorists who are competing to follow in his legacy. Every day, people talk about the legend of Irhaby007 on the militant chat forums. He has become the inspiration for a second generation of "cyberterrorists" who are studying and learning from his mistakes. Yesterday, detailed instructions were posted on several such forums on how to use advanced e-mail encryption to conceal messages from law enforcement and intelligence agencies.


Jackson, Wyoming: We hear about so many terrorists moving about, living in remote mountains and deserts as well as in metropolitan areas ... how are they transfering and accessing data and communications in such a stealth system?

Evan Kohlmann: They transfer and access data in a number of ways. First, there is the everpresent cybercafe, widely accessible to anyone in cities like London, Paris, Milan, Baghdad, Riyadh, and Karachi. Naturally, cybercafes aren't found terribly frequently in deserts or mountains, so in these areas we typically see satellite internet access, where signals are beamed into space. In one case in Iraq during May 2005, the Islamic Army in Iraq (IAI)--the same group linked to the hostage ordeal of American reporter Jill Carroll--was beaming out a signal to the Internet using a satellite owned by IP Access International that was supposed to be exclusively "for U.S. military operations in Iraq... allow[ing] the U.S. military to communicate virtually anywhere in the Middle East." It is still not clear how the IAI was able to hijack bandwidth on this satellite.


Melbourne, Australia: What methods or practices can Counter-Terrorism researchers use to validate the truthfulness of 'open source' information/publicly available sources about terrorist cells, groups, and networks? Thanks for writing 'Al-Qaida's Jihad in Europe', which is used as a reference text in Australian CT university classes.

Evan Kohlmann: Thank you, and it is interesting that you ask that question...

In mid-2004, researchers were confronting a growing problem in studying terrorist activity on the Internet: the quick proliferation of fake communiques from non-existent groups. This was a problem shared by the real terrorists themselves, prompting Abu Musab al-Zarqawi to issue a statement in mid-2004 explaining that his only official representative on the Internet is known as Abu Maysarah al-Iraqi and to disregard anything else.

Lucky for us, it was the terrorists themselves who came up with a permanent solution. Starting in early 2005, new authentic communiques and videos from terrorist organizations were separated out from the "primordial soup" of general militant chat forums on the Internet, and were closeted in a read-only section of each forum. This way, only legitimate, authenticated militant groups would be able to publicize their material. Nowadays, it is a fairly simple task to determine what is real and what is not.


Munich, Germany: Leaving terrorist sites open with the objective of communicating with and identifying terrorists or terrorist sympathizers runs the risk of allowing terrorist ideas to be spread to perhaps more people then the CIA or FBI could track down, don't you think?

Furthermore, the people most likely to be tracked down by such methods would be novices or bumblers, and not the key members of al Qaeda.

It seems a certain thing that top terrorists use the web, but how can you get a bead on these guys? The amount of email written in Arabic must be small compared to English. Can't tools like Carnivore focus on Arabic language emails?

Yuki Noguchi: This assumes that the US has both the technical and diplomatic authority to shut down terrorist sites as they come up. Practically speaking, experts like Evan I talked to said this is not the case.

Also, technologically savvy e-mail users who suspect they might be under surveillance have discovered ways of covering their tracks. One example we cited in our story was how terrorist set up free e-mail accounts, write messages and then save them in draft form, so that other users with access to the same account can read the email without ever having to send it. Emails are only interceptable when in transit.


Washington, DC: Have you encountered an increased use of web-based social networking tools by terrorist organizations?

Evan Kohlmann: I think the answer to your question is that today, 90% of terrorist activity on the Internet takes place using social networking tools, be it independent bulletin boards, Paltalk, or Yahoo! eGroups. The most important terrorist communiques and videos are virtually all initially released on certain password-protected chat forums run by Al-Qaida supporters. These forums act as a virtual firewall to help safeguard the identities of those who participate, and they offer subscribers a chance to make direct contact with terrorist representatives, to ask questions, and even to contribute and help out the cyberjihad.

Specifically, with regards to services such as that have received much publicity lately, not so much... mainly because they are Western-oriented sites that are not generally popular in the Middle East. There is certainly a growing use of MySpace-like sites published in Arabic by ground-level jihad supporters--but this may simply be an indication how thoroughly the Internet has penetrated all of our lives, rather than evidence of any particular terrorist strategy.


Rockville, Md.: One would expect that the key word on data mining is "think" not "gather." Should it be done by a group of people with language skills and an understanding of the cultures involved, they could pull the "diamonds' from the piles of dirt. I would ask people doing that work to think first and pay attention only to "serious" sources. Let the flakes go.

Just my opinion.

Evan Kohlmann: Yes, you've hit upon an important point here. Systems like Carnivore are simply designed to collect information, not targeted information. At least as far as Al-Qaida-linked terrorist websites go, there are only about four or five that are "must-see" on a daily basis. It is a task that could be accomplished with only a small group of well-trained Arabic-proficient analysts. Unfortunately, that's not really how the U.S. government works. What's more, the issue has been further clouded by frequent mis-reporting in media about alleged terrorist activity on the Internet. At one point in time during 2004, almost anything posted on the Internet seemed to find its way into a Reuters or Associated Press feed, no matter how ridiculous or nonsensical it was.


Yuki Noguchi: Evan, how much does the US government pay attention to the kind of chat sites you're constantly reading? Is it your sense that they're pretty plugged in?

Evan Kohlmann: The U.S. government is gradually homing in on the more important chat forums and websites. The problem is, by now, many of these sites have gone underground--in some cases, changing their names and domains--adding logins and passwords, and locking out anyone who doesn't speak Arabic. No doubt, U.S. law enforcement and intelligence agencies are (slowly) getting better at this, but, in many cases, they still are relying on secondary and tertiary websites presumably because they have limited or non-existent access to the main set of chat forums. Government bureaucracies are simply not agile or adept enough to keep up with this constantly evolving challenge.


Toronto, Canada: Yuki, in your article you mentioned privacy policies. The presence of a privacy policy seems pretty standard among professionally run sites. Are all US government sites obliged to have a privacy policy? If so, would intelligence organizations which run bogus sites have to get an exemption from? Who would they get it from?

Would co-operating with, or sponsoring, amateur, volunteer sites that track extremist sympathizers allow a loophole through the privacy policy rules? Terrorists'  Web Chatter Shows Concern About Internet Privacy

Yuki Noguchi: The Privacy Act of 1974 addresses issues of privacy as it concerns computers. That law requires government agencies to disclose the data it keeps on individuals, and lays out rules as to how that information might be used, or shared between agencies.

As with many things, including wire tapping of phones, law enforcement agencies can get exceptions to these rules. How far this exemption goes as far as setting up bogus Web sites with the purpose of trapping terrorists, I am not sure.


Washington, D.C.: Do you see any commonalities among this "second generation of cyberterrorists" inspired by Irhabi007 (location, skills, education, etc.)?

Evan Kohlmann: We are certainly seeing a greater diversification of origin... it used to be that the best trained terrorist cyberfacilitators were living in Pakistan, Saudi Arabia, or Western Europe. These days, we are seeing increasing numbers of such individuals from North Africa and what I like to term "Greater Syria"--Lebanon, the Palestinian territories, Jordan, and Syria itself.


Yuki Noguchi: Alas, our time is up. A few good questions went unanswered, but perhaps we can address them another time. Thank you all for submitting questions, and thanks very much to Evan Kohlmann who is a trove of knowledge on the subject.


Editor's Note: moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. is not responsible for any content posted by third parties.

© 2006 The Washington Post Company