Information Systems Frontiers

, Volume 13, Issue 1, pp 45–59

A microblogging-based approach to terrorism informatics: Exploration and chronicling civilian sentiment and response to terrorism events via Twitter


    • Faculty of ITMonash University
  • Vincent C. S. Lee
    • Faculty of ITMonash University

DOI: 10.1007/s10796-010-9273-x

Cite this article as:
Cheong, M. & Lee, V.C.S. Inf Syst Front (2011) 13: 45. doi:10.1007/s10796-010-9273-x


The study of terrorism informatics utilizing the Twitter microblogging service has not been given apt attention in the past few years. Twitter has been identified as both a potential facilitator and also a powerful deterrent to terrorism. Based on observations of Twitter’s role in civilian response during the recent 2009 Jakarta and Mumbai terrorist attacks, we propose a structured framework to harvest civilian sentiment and response on Twitter during terrorism scenarios. Coupled with intelligent data mining, visualization, and filtering methods, this data can be collated into a knowledge base that would be of great utility to decision-makers and the authorities for rapid response and monitoring during such scenarios. Using synthetic experimental data, we demonstrated that the proposed framework has yielded meaningful graphical visualizations of information, to reveal potential response to terrorist threats. The novelty of this study is that microblogging has never been studied in the domain of terrorism informatics. This paper also contributes to the understanding of the capability of conjoint structured data and unstructured content mining in extracting deep knowledge from noisy twitter messages, through our proposed structured framework.


TwitterMicrobloggingTerrorism informaticsVisualizationData miningSentiment analysisDemographic analysisCivilian response

1 Introduction

In terrorism informatics, tracking, location and time of activities vary significantly and thus become extremely hard to predict. Intelligent information sharing techniques, applied to unstructured content of texts, can lead to the discovery of hidden rare patterns for many real world disaster and crisis management situations.

One of the new innovations in Web 2.0 is microblogging, with Twitter (Makice 2009; O’Reilly and Milstein 2009) being the most popular of such services with an estimated 7 million users and growing exponentially. While concepts of microblogging was once confined to social networking (Cheong and Lee 2009; Erickson 2008; Java et al. 2009; Mischaud 2007) and discussing the minutiae of everyday life via the Twitter ethos “what are you doing?” (Twitter Inc. 2009a), it has of late become a medium of information sharing and dissemination, and also an avenue to break news faster than traditional news outlets. It is interesting to note that Twitter is not only potentially beneficial in terrorism informatics (The Associated Press 2009) and identifying threats but also has been identified as a potential facilitator for coordinating activities of terrorism (Musil 2008) and a threat to security (Entous 2009).

Twitter messages (or ‘tweets’) and their associated information (such as location, time, date, and user characteristics) though with noisy and unstructured content can be shown to exhibit certain emergent characteristics with regards to the social network dynamic (Goolsby 2009; Huberman et al. 2008; Java et al. 2009) and can be an indicator of sentiment and behavior of the user base contributing to a particular topic (Cheong and Lee 2009, 2010b; Shamma et al. 2009). Based on the above observations, this paper aims to focus on how Twitter with its 140-character limit can be effectively used in terrorism response informatics, specifically to track and visualize the reaction of the civilian population in the aftermath of terrorist activity. By analyzing both the visible and not-readily-apparent information from twitter feeds, knowledge on terrorist activities can be extracted and integrated with existing data sources to provide authorities with a richer source of information to both chronicle current threats and learn more about them. This approach of conjoint structured data and unstructured content of Twitter messages mining can produce deep knowledge discovery for many application contexts.

2 Related work

There is limited research on the usage of Twitter in terrorism informatics, however there are several academic studies regarding the properties of the Twitter user base and its goings-on. Analysis into the properties of the Twitter user base has been pioneered by researchers such as Krishnamurthy et al. (2008); Java et al. (2009), and Huberman et al. (2008) where they have studied aspects such as growth rate, geographic profile, and user habits, and the social network of the Twitter community as a whole.

Cheong & Lee have performed research on clustering Twitter user demography and habits narrowed down by topic as an indicator of sentiment (Cheong and Lee 2009, 2010b), where the emergent characteristics of the user base contributing to a certain thread of discussion is exploited to give an idea of the overall sentiment and demography. From a humanities perspective, Mischaud (2007) and Erickson (2008) have studied the motivations behind information sharing on Twitter and concluded that users generally want to express themselves and gain “visibility”; in other words using Twitter as an “extension of the self”. These imply that Twitter is used for information sharing and broadcasting of everyday goings-on; this leads us to postulate that Twitter can be studied to analyze the sentiment, current condition, and response of civilians affected by a sudden act of terrorism.

On a topic closely related to terrorism informatics, Hughes and Palen (2009) have surveyed the adoption and use of Twitter during mass convergence and emergency events, specifically those involving national security, in the perspective of “crisis informatics”. They allude that Twitter messages exhibit “features of information dissemination [supporting] information broadcasting and brokerage”, and that Twitter may be used as a tool for emergency response and communication by the authorities in order to provide aid and counter disinformation. Related research (Starbird et al. 2010) on the Canadian Red River Valley floods of 2009 have detected patterns of social information and self-organization by users discussing the flood. Most importantly Starbird and her team notice a pattern on “commentary and the sharing of higher-level information” and a combination of tweets with authoritative news sources (Starbird et al. 2010) in their research sample, solidifying the claim that Twitter can be used to get a feel for civilian response after an event of terror has occurred.

Jungherr (2009) detailed the role of Twitter in social activism and looked into case studies whereby Twitter was an instrumental tool in disseminating information on terrorist attacks, political dissent, and acts of oppression. Goolsby (2009) has also stated that Twitter can be used “[to] cover crucial events… [in situations like] state terrorism”; concisely exemplifying the role of Twitter in the apt quote:

Mumbai has shown the potential for using microblogging systems like Twitter in breaking events.

On a closely related topic, research by the US Geological Survey (Guy et al. 2010) have combined traditional monitoring of seismic (earthquake) activity with citizen-reported microblogging data mined from Twitter to “infer the public level of interest in an earthquake for tailoring outputs disseminated via social network technologies and… to explore the possibility of rapid detection of a probable earthquake.” Their proposed system is developed in 2009 and has been field-tested toward the beginning of 2010. (At time of revision of this manuscript, we include several findings from (Guy et al. 2010) to strengthen our framework in the next few sections, due to the unavailability of their findings at time of our initial manuscript submission).

Based on the above work, we propose a framework to adopt Twitter to a study on the reactions, sentiments, and communication of civilians in response to terrorist attacks. This paper describes a novel application in Twitter (microblog) demographic analysis with sentiment and opinion mining; in which we propose a four-phase framework for using Twitter in terrorism informatics for visualizing the civilian response to a terror attack. The resulting extracted information can then be used by the authorities for the purposes of rapid detection, response, and recovery; as posited by Tien’s decision informatics paradigm (Tien 2005).

3 Empirical observation

In preparing our framework, we draw upon existing empirical findings seen in civilian response to recent terrorism activity, with a main focus on urban terrorism as it “[produces] the most visible impact” (Tien 2005). We also capitalize upon the existing trend of information needs and sharing via microblogging and online social networks. We describe the motivation and foundation of our framework in this section.

Twitter has been known to be one of the channels where civilians break news of terrorist activities and use it as a method to notify the public of any latest updates, cries for help, and as an information source for the authorities. Such information can come in the form of a plain text tweet or even related content or media, for example, photos and video. Oftentimes, the peak of activity related to the sudden spike of a breaking news story can cause it to be promoted into the Twitter’s Trending topics list (Cheong 2009; Cheong & Lee 2009).

Examples would be:
  1. 1.

    An example of terrorist reporting on Twitter would be the 2008 Mumbai attacks, where news of the attacks were first reported by citizen journalists on location via Twitter (Beaumont 2008; Goolsby 2009)

  2. 2.
    A more recent example would be the Jakarta bombings in July 2009, where Twitter is the first medium that broke the news of the incident (Cashmore 2009a; Saputra and Leitsinger 2009). The first few images of the tragedy are broadcast to the general public via a user’s posting on TwitPic (Fig. 1).
    Fig. 1

    a Twitter post by user Daniel Tumiwa (left), and b TwitPic post by user Galuh Riyadi (right) chronicling the Jakarta bombings

Similar examples also show civilian reporting of accidents, crime, and other forms of disaster via Twitter and other Web 2.0 social networking, news aggregator, and media-sharing services. It is useful to gain an insight into such cases where terrorist activity does not impact the public directly; but rather in the form of collateral damage, which include:
  1. 3.

    Breaking the story of the airplane crash into the Hudson River (Terdiman 2009), where again, TwitPic is used to deliver the first few glimpses of the tragedy to the outside world.

  2. 4.

    The breaking of the news of the assassination of Neda, an Iraqi civilian, in response to the crackdown of the aftermath of the 2009 Iranian Election protests (Fleishman 2009). Immediately after the event, news spread through Twitter and other Web 2.0 channels such as YouTube which contains clips of the assassination and passing away of Neda, as opposed to the local mainstream media which is operating in a severely restricted environment.


Our proposed framework for information extraction from Twitter messages for terrorism informatics consists of four distinct phases.

4 The proposed framework

In this section, we describe the implementation of our proposed framework. We implement our framework in the Perl programming language using the Net-Twitter Perl module that connects to Twitter using the Twitter Application Programming Interface (API) (Cheong and Lee 2010b). A high-level overview of our framework is illustrated in the following figure (Fig. 2).
Fig. 2

The high-level view of our proposed framework

In the following sub-sections, we divide our proposed framework into the 4 individual phases and describe each phase in detail as per the preliminaries section.

4.1 Phase 1: Breaking news

In this phase, topics and hashtags discussed on Twitter are analyzed by querying the Twitter Trending Topics list, a list of very frequently discussed topics updated on a regular basis. By monitoring the most talked about messages at any given time for signs of potential terrorist activity, we can use Twitter to chronicle the civilian response to such a threat from the moment news first breaks out. Figure 2 illustrates this phase of our framework.

Twitter has an API that allows tracking of the ten most talked about, or ‘trending’ topics. By analyzing this list of topics for breaking news stories regarding terrorist activity, we are able to identify potential mentions of civilian reaction towards terrorist activity using this list and narrow our processing those specific messages, as seen in the cases of the Mumbai (Beaumont 2008) and Jakarta (Cashmore 2009a; Saputra and Leitsinger 2009) bombings, where the keywords ‘Mumbai’ and ‘Jakarta’ quickly broke ranks to become one of the top trending topics.

In this initial phase, we propose the querying of the Twitter ‘trends’ API at a predetermined interval (for example every ten minutes). By scanning through the topics list for names of places and identifying trends which discuss about a flurry of activity at any single place (e.g. names of towns, cities), as in the case of the Mumbai and Jakarta bombings, we can isolate them as potential places where a terrorism attempt might have been executed. To back up our claims, we refer to the results in Guy et al. (2010) who used the notion that a “geographically concentrated spike of tweets” could draw focus on a certain location, indicating something major is happening there at a given point in time. To automatically analyze the names in trending topics, we use the Google Geocoder API as used in (Cheong and Lee 2010b) to find any mention of place names or geographic locations, which is also a similar methodology employed in (Guy et al. 2010).

The potential problem of disambiguating between proper names: e.g. between people, cities/location names could arise judging from the fact that certain human names (e.g. Victoria) double as a location name. To overcome this, we could look up the name in a simple frequency-based gender detection algorithm (Cheong and Lee 2010b) to ascertain its frequency of use as a person’s name. If the frequency of use as a proper male/female name falls below a certain threshold, we then check the result of geocoding via the Geocoding API first to see if it is indeed a geographic location.

Once a particular location (or locations) has been narrowed down, we retrieve a collection of recent posts that contains the location name in the message content. Then, the corpus of retrieved posts is scanned for terrorism-related keywords (covered in Phase 3) to positively identify a threat, as can be seen in our case studies of terrorist activity in Mumbai and Jakarta above.

To improve our findings from this phase, we also include the monitoring of trending topics with a list of keywords frequently mentioned during potential terror attacks (to be discussed in greater detail in Section 4.3). In our opinion, the mentioning of such keywords which are uncommon (Cheong 2009) in everyday trending topics but prevalent in terror attacks (The Sunshine Press 2009) could potentially reveal, without explicitly stating the exact location, a terror attack is occurring.

4.2 Phase 2: Data harvesting and spam filtering

Once the location for the threat has been identified, we perform message harvesting on all related Twitter messages. Figure 3 illustrates this process. For the harvesting, we use Twitter’s Search API and Streaming API as our data sources. Twitter Search is used to query the topic and its past discussion right up to the terrorist event; on the other hand the Streaming API is used to monitoring the real-time chatter on Twitter using their live HTTP stream to capture discussion about the event as it happens.
Fig. 3

Framework diagram illustrating the processing of breaking news

It is pertinent to note that related literature has determined that spam or unrelated noise (Cheong and Lee 2009, 2010a; Krishnamurthy et al. 2008; Pang and Lee 2008) and real-world case studies (Cashmore 2009b; Relax News 2009) are commonplace in Twitter and can thus pollute the content stream. An example would be keyword injection by ‘bot’ programs as part of spamming activity (Cheong and Lee 2009, 2010a). Thus, we require a method to dispose of messages with such characteristics.

Cheong and Lee (2010a, b) and Krishnamurthy et al. (2008) have identified characteristics of spammer users on Twitter. Studies have been conducted on how certain emergent properties and usage characteristics (Cheong and Lee 2009, 2010a) exhibited by certain classes of Twitter messages/users indicate that the user is likely to be contributing to noise or spam in the information stream. Examples of this include relative newness of the account (only a few days old), low degree of profile customizations, and omission of certain biographic data in the Twitter user profile (Cheong and Lee 2009, 2010a). Based on the above knowledge, we propose a novel noise-reduction filter to discard messages suspected of polluting the message stream with noise or ‘spam’. First of all, the user information of authors of each terror-response related message is found using Twitter’s User Search API. This data is then cached to allow us to retrieve information for multiple messages from the same author without having to re-access the data from API.

Based on prior work (Cheong and Lee 2010b; Dearman et al. 2008), we identify the client devices used to post Twitter messages that are least likely to contain spam would be from the web interface, mobile devices, and social media programs. This is in contrast with RSS feeds and other Twitter content generators which are highly likely to contain spam and contributes to overall noise in the Twitter feed, and hence would be removed from our message corpus. Our noise-reduction filter will also remove messages by users who have been on Twitter for less than a particular timeframe (in our simulation, we use the timeframe of a week). This is to filter out newly-created ‘bot’ accounts that are suspected of automatically generating spam on Twitter. By directly excluding the content generated by such users, and prioritizing the content created by de facto legitimate users, the percentage of spam is greatly reduced.

The sanitized pool of messages and the user metadata are then saved to disk for further processing.

4.3 Phase 3: Sentiment detection & demographic exploration of the message pool

In this phase, we propose a 2-step approach to exploring the latent information in the sanitized message pool, as illustrated in Fig. 4.
Fig. 4

Framework diagram illustrating data harvesting and the spam filtering process

The first would be performing sentiment analysis, where the reaction of the general civilian population would be monitored. Sentiment detection methods have been successfully applied to Twitter in prior work; an example would be to gauge the public sentiment (Shamma et al. 2009) and opinion in marketing (Jansen et al. 2009). In this paper, we devise a simple new sentiment detection mechanism that determines the keywords related to public reaction and descriptions of terrorism. This is done by feeding a list of potential sentiment-related keywords into our sentiment finder module which will then tag the messages based on category of the keywords detected in the incoming message (Fig. 5).
Fig. 5

Framework diagram illustrating sentiment detection and demographic exploration

The proposed list of categories together with example keywords is listed in Table 1 below.
Table 1

List of categories for sentiment analysis. (Keywords marked with * are common internet abbreviations related to the other keywords in the same category)



Emotion: fear/anxiety

anxiety/anxious, catastrophic, concern, disaster, emergency, fear, insecure, panic, scared, terror, threat, trouble, warning, worry

Emotion: shock

(taken) aback, floor, god bless, omg*, shock, stun, sudden, wtf*, wth*


act, asap*, escape, evacuate, flee, help, hide, run

Need for information and updates

breaking news, call, foul play, incident, phone, report, situation, unconfirmed

Assessment: threats

accident, attack, bomb, bullet, collapse, crash, explode/explosion, fire, fire, gun, hijack, hit, hostage, plane, responsibility/responsible, rifle, shot/shoot, struck, suicide, terrorist

Assessment: casualties

blood, body/bodies, corpses, dead, injury/injure, kill, wounded

Response and law enforcement

action, ambulance, command, medic, operation, planes, police/cops/FBI/security, recover, rescue, response, restore, safe, safety, save, shut, stay, survive, suspend

The keywords are based on common responses evoked in civilian survivors, first-responders, and people affected by the aftermath of terror activities (Beutler et al. 2006). Also, to provide a more systematic data set and to capture the real-world communication patterns by survivors and observers in a real-world terrorism scenario, we refer to research by Clark (2009) conducted on a corpus of 448,358 pager messages (The Sunshine Press 2009) captured during the 9/11 terror attacks, who ranked the most 100 frequently occurring key phrases in this data set. This data set, in our opinion, is a voluminous set of recent terror-related key phrases used by civilians in communication during/after a terrorist attack that describes their reaction and sentiments, justifying our use of Clark’s research (Clark 2009).

With the list from (Clark 2009) which we slightly expanded by adding related frequently-used keywords from the original 448,358 message dump, we can produce a set of systematic root words/phrases to capture terrorism-related sentiments. Our proposed list of keywords also has additional synonyms and related words derived using the WordNet lexical analysis tool (Miller et al. 1990). However, it is pertinent to note that the list of words here is by no means exhaustive; as prior research (Beutler et al. 2006; Neria et al. 2004) found that the difficulties of predicting the possible range of victims’ responses to terrorism is:

…the unavailability of systematic, empirical research on the events that immediately follow a terrorist attack [due to the fact that] these attacks are infrequent and unexpected.

The second step in this phase is to extract, filter and process metadata attached to the Twitter messages sent out. As identified earlier, several attributes can be used to identify physical properties of the Twitter message posters, as well as cull extra information (Cheong and Lee 2010b; Hughes and Palen 2009; Java et al. 2009; Krishnamurthy et al. 2008) related to the event that can be used to improve the assessment of the terrorism event and also to assist in immediate decision-support by the appropriate authorities.

In our proposed framework, derived attributes and properties we are acquiring from the sanitized corpus are divided into several categories, as listed below:

Once such attributes have been identified, they will be annotated (as with the sentiment analyses above). The resulting annotations from sentimental analysis and user metadata will be combined with the original message corpus and stored in a knowledge base ready for further reporting, visualization, or data mining.

4.4 Phase 4: Data mining and reporting

One of the important tasks of terrorism and disaster informatics is the mining of data to enable efficient decision-making by authorities in response to an act of terrorism. The resulting knowledgebase generated from Phase 3 can be fed into a data mining and warehousing package. Clustering and visualization methods can be employed to identify distinct clusters of civilians involved in the terrorism scenario based on extracted information and the integration of its desired knowledge of patterns (Fig. 6).
Fig. 6

Framework diagram for the reporting phase

In our study, we use the self-organizing map algorithm (Kohonen 1984) as a tool for efficient data clustering and visualization, as performed in (Cheong and Lee 2009, 2010a). Several other machine learning methods such as Bayesian networks, and Support Vector Machines could be employed in data mining packages such as Weka (Witten and Frank 2005) but are beyond the scope of this paper.

Also, directly from the knowledgebase itself, we could identify particular features or ‘perspectives’ such as the rate of communication in terms of messages per unit time, time since first attack, and location of first attack (‘ground zero’), simply by using data filtering tools to view the data in the required perspective such as spreadsheet and data analysis packages).

This can be further filtered in order to narrow down the scope of the required information—for example, limited to a particular slice of time, or limited to users discussing about damages resulting from the incident—and also visualized for example in terms of charts, timelines, or social network graphs, as employed in other related research on Twitter (Huberman et al. 2008; Java et al. 2009; Krishnamurthy et al. 2008). A discussion on several examples of visualization techniques is discussed in Section 5.2.3 in detail.

5 Experimental simulation and discussion

5.1 Simulation setup

Real-world terrorism scenarios are rare and unpredictable, as indicated by Beutler et al. (Beutler et al. 2006) and Neria et al. (Neria et al. 2004) above. As such, we are not able to predictively test our framework on a real-life terrorism scenario. The data for prior events such as the Jakarta bombings, and Mumbai bombings mentioned earlier could not be used, as Twitter limits archival search to approximately 2 months maximum due to resource limitations (Section 6 discusses this further).

Therefore, we propose an experiment of our framework on synthetic datasets. The datasets are harvested with keywords of real-world events, but modified to include randomly distributed terrorism-related keywords as in Section 4.3 above. These real-world events are chosen for our simulation as opposed to running a live version of phases 1 and 2 of our framework due to the scarcity of real-world data and the difficulty in obtaining real-life Twitter communication on urban terror situations.

This is performed to simulate a terrorism-response Twitter messaging scenario involving a highly localized urban user base contributing to the Twitter chatter. These events are chosen for the simulation due to their nature of “mass convergence” of people (Hughes and Palen 2009), which is likely to manifest in a hypothetical real-world terror scenario. It is pertinent to note that none of these real-world events involve real-world terrorism scenarios; the Twitter message stream in these simulations is synthetically modified for illustrating a hypothetical scenario and it is by no means a hoax.
  1. 1.

    Cuban Peace without Borders Concert/Paz Sin Fronteras II (keyword: Paz Sin Fronteras), captured 20th September 2009.

    This dataset was chosen as this real-world event is reported by Twitter users from a localized Cuban user base. Users exhibit emergent characteristics (e.g. geographic location, gender, and information sharing patterns) similar to those of real-world terrorism and crisis events which take place in a localized urban context. It is interesting to note that there are minor political controversies attributed to this concert.

  2. 2.

    AFL preliminary finals, captured 21st September 2009.

    This data set represents the chatter collected on the 19th September weekend where the AFL preliminary finals are being held. This dataset was chosen as it, too, had characteristics of a localized event in an urban setting. The amount of noise in this dataset is rather low; as our data is freshly harvested after the event has finished and narrowed down to the day of the event itself.


We are able to perform a simulation of Phases 2 through 4 (with the exception of Phase 1’s real-time Twitter trend monitoring and part of Phase 2’s online stream capture) as we are operating on synthetic offline data that cannot be generated on-the-fly.

Synthetic messages are created by injecting the original message database with randomly distributed terrorism-related keywords (as per Section 4.3, Table 1) using a Perl script that randomly includes such keywords in the message body. The distribution of keyword injection is based on the frequency of such words existing in the 448,358-message data set (The Sunshine Press 2009) as discussed prior in Section 4.3. For example, the keyword ‘call’ occurs 34,552 times, or a frequency of 7%; compared to ‘alert’ (5,839 times) with approximate frequency of 1%. Again we use the relative keyword frequency with respect to this data set due to the fact that it’s a real-life capture of communication in a real terror scenario. All other metadata are unaltered by the script so as not to alter the emergent properties as exhibited, per Table 2.
Table 2

List of properties and derived attributes from the available user metadata


Attributes sought

Spatiotemporal properties

1. Time and date of Twitter message by a user. Because the time and date is stamped by the Twitter service consistently using GMT as its reference offset, the accuracy of individual computer/device clocks does not matter.

2. As for the location information, messages can be used as real-time source of geographic information in tracking the aftermath of terrorist threat if location information about the user corresponds to the location of terrorist activity or collateral damage. The most credible messages among these are geo-tagged (with GPS coordinate information published). This data is published by Twitter clients which support GPS technology, for example mobile devices.

(NB: As of press time, Twitter is proposing the addition of metadata that pinpoints the location of the user, which can also be used as an alternative to geo-tagging).

The spatiotemporal properties mentioned above enable pinpointing of first-responders and civilians immediately after a terror event has occurred.


3. A message author’s gender can be predicted by running the name provided on his/her Twitter user profile (Cheong & Lee 2010b) through a frequency-based ranking algorithm. This is useful in identifying the general demographic of civilians affected by a terrorism scenario.

User mobility state

4. Deduced based on the Twitter client used to publish the data, to determine whether the user was mobile or in a fixed location (Dearman et al. 2008). This allows us to determine the situation of the message author (e.g. safely hiding, on the move).

By studying several past cases of terrorism and crisis response by civilians via Twitter (Beaumont 2008, Cashmore 2009a, Terdiman 2009), we find that breaking news on Twitter can be attributed to the usage of mobile devices or social media publishers as civilians would be using it on the move to broadcast the situation or their current feelings/sentiments about it. This in conjunction with the findings in (Dearman et al. 2008) where it is observed that users tend to share “time-critical information” about half the time when they are in the ‘mobile’ state (on the move).

We postulate that the majority of the updates will take place when civilians are in the ‘mobile’ state and possibly from home (Dearman et al. 2008) when civilians tend to feel safe from any direct threat.

Communication patterns

5. Presence of the reply ‘indicator’ (“@username message”); which shows a strong pattern of interpersonal communication (Honeycutt & Herring 2009) in crisis events (Hughes & Palen 2009).

6. Presence of message forwarding or ‘retweet’ (“RT @originaluser message”). This behavior suggests the need for information sharing (Boyd et al. 2010) among civilians (Dearman et al. 2008) to disseminate more information.

The dynamics of message threading and grouping behavior as above have been studied in prior work; examples are the intentions of message replying (Honeycutt & Herring 2009), retweeting (Boyd et al. 2010), and user clustering based on communication styles (Cheong & Lee 2010a). Related information about the dynamics of Twitter-mediated communication is available in (Honeycutt & Herring 2009).

Information collation

7. Presence of a hashtag (“#hashtag”) signifying message grouping and categorization, allowing easy culling of additional information by just looking up the hashtag (Cheong 2009, Starbird et al. 2010), and allowing decision makers to know what potential aggregate information the belligerents might have.

Links to additional information

8. Presence of information sharing in the message indicated by the sharing of web links (or URIs, Uniform Resource Identifiers).

This complements the Twitter-based discussion with other news sources (e.g. mainstream media coverage), or simply to ‘convey larger amounts of information’ such as in forum posts or conventional blog posts due to the constraint of the 140 character limitation (Hughes & Palen 2009, Starbird et al. 2010).

User-generated multimedia content

9. Determines the presence of links to user-generated content, such as TwitPic/Flickr pictures and YouTube videos that might be a wealth of information to authorities seeking to chronicle such activities, as exhibited in prior terrorism events (Beaumont 2008, Cashmore 2009a) and similar disaster and crisis situations (Fleishman 2009, Terdiman 2009)

Information sharing behavior among users can be used to discover user-generated content about the terrorist activity (for example the extent of damage and casualties, possible identification of suspected perpetrators, newswire coverage, etc.).

Next, we run our framework on the dataset using a slightly-modified Perl implementation, adapted for use with offline, synthetic data. The User API is used online to query the user information as per the framework to facilitate our spam removal algorithm as described in Phase 2. The demographic analyzer and sentiment analyzer in Phase 3 is run against our user data corpus and the synthetic message dataset.

5.2 Simulation results

5.2.1 Phase 2 results

We captured 1,500 messages for both the aforementioned events via the message harvesting module of our framework in Phase 2. The details of harvested messages, including spam/noisy messages removed are as follows (Table 3):
Table 3

Number of messages harvested for the two simulations


Total messages

Removed noise

Sanitized messages

Paz Sin Fronteras II

1,500 (limit of the Twitter API)



AFL preliminary finals

1,500 (limit of the Twitter API)



5.2.2 Phase 3 results

The user and message data acquired above is annotated (via the custom-made sentiment analyzer and demographic analysis part of our framework). The annotated knowledgebase is then fed into a few separate visualization and analysis methods to demonstrate the richness of data obtained via our proposed civilian-response informatics framework.

The following is a screenshot of the annotated knowledgebase imported into a spreadsheet package. From this, we can easily see the properties of a collection of tweets in a quantitative form, ready to be parsed (Fig. 7).
Fig. 7

Screenshot of the raw simulation data in the annotated knowledgebase—in this case (from left-to-right): the source Twitter client, device type, quantified message length, Retweets, replies, hashtags, presence of pictures, presence of URLs

5.2.3 Phase 4—simulation setup

In our information reporting and visualization phase, we choose 3 simple techniques to present our data collected from the simulation in an easy to understand manner. This list is just a representation of how data from this setup can be represented depending on the information needs of the viewer, and how information from the framework can be visualized with any given perspective.
  1. 1.

    First is a simple timeline analysis by using Weka’s (Witten and Frank 2005) built-in analyzer to show the progression of the timeline with respect to user mobility state generated from Phase 3. This method displays states of user mobility (along the y-axis) with respect to time (the x-axis), allowing one to easily distinguish groups of people discussion the event, based on their mobility state as the event progresses.

  2. 2.

    The second method is clustering geographic location obtained from the Twitter message authors on a Google Maps ‘mashup’ to illustrate the locations of users who have contributed to chatter about a topic. This simply visualizes the location of users who have GPS geo-tagging capability (i.e. annotating tweets with exact geographic coordinates) on an overlay of the real topological map, making it easy to separate groups of users based on their immediate location at time of tweet broadcast. Examples of similar Twitter visualizations using maps include analysis of sentiment during sports events (Bloch and Carter 2009) and more recently to detect earthquakes (Guy et al. 2010).

  3. 3.

    Third is the unsupervised clustering and visualization of the annotated knowledgebase using Kohonen’s self-organizing map to cluster users based on the annotated properties from Phase 3, to reveal any possible connection or similarities behind the messages (and their authors) in our corpus. A Kohonen self-organizing map (Kohonen 1984) is a visual clustering technique projecting input from multiple-dimensions into maps of 2-dimensions where similar features are spatially close by on the map, which is an effective method of clustering and visualizing clustered data, especially when dealing with microblog messages (Cheong and Lee 2010a).


5.2.4 Phase 4a—Weka timeline analysis

Using the visualizer tool found in Weka (Witten and Frank 2005), we are able to come up with an interesting example of timeline analysis of a terrorism event based on the findings from our knowledgebase.

A scenario we tested is the proportion of users contributing to Twitter chatter via ‘fixed’ (non-mobile) devices e.g. computers, versus mobile devices (mobile phones, PDAs, smart phones) over the progression of a particular event. The following figure illustrates the distribution of messages submitted using both kinds of devices versus the progression of time. Time is measured using the message Unique ID—UID—where approximately 111 UIDs constitute one second, which is found to be an effective measure of time (Cheong and Lee 2009) (Fig. 8).
Fig. 8

aAbove—timeline analysis of the ‘Paz Sin Fronteras II’ scenario; and bbelow—the ‘AFL preliminary finals’ scenario

From the observations above, we notice that during the time of the main event, users tend to contribute less sporadically from mobile devices, whose frequency tends to trail off after the event finishes. This more or less reflects the pattern of information sharing found in prior literature (Cheong and Lee 2010b; Dearman et al. 2008) A significant number of users contribute from ‘fixed’ devices, indicating that they may not be at the events themselves, suggesting that their usage of Twitter as a method of expressing views or communicating with the people ‘on the ground’.

5.2.5 Phase 4b—Google Maps geolocation mashup

From our simulations’ annotated knowledgebase, we also came up with an interesting finding. A proportion of users contributing using mobile devices have enabled their GPS coordinate tagging system on their mobile Twitter client, allowing their precise geographic location to be visualized on a Google Maps interface. Figure 9 (a and b) show the geolocation data from our simulation scenarios plotted on Google Maps.
Fig. 9

aAbove—Google Maps mashup for the ‘Paz Sin Fronteras II’ scenario; and bbelow—the ‘AFL preliminary finals’ scenario

As can be seen in Figure 9(a) and (b), the locations of participants of Twitter conversations in the two simulation scenarios above are pinpointed using markers in the Google Maps API. This information is potentially beneficial to decision-makers and the authorities to model and chronicle civilian response to terrorist activity.

5.2.6 Phase 4c—self-organizing map clustering and visualization

Data can also be plugged into a Kohonen Self-organizing map (Kohonen 1984) for unsupervised clustering and visualization of any trend patterns that might not be readily obvious from the data. We selected a subset of demographic attributes as input to the SOM clustering algorithm. In this case study we choose only the following: user mobility state, retweet/reply communication habits, hashtagging, photo/URI sharing, gender, and geographic location.

We chose the above subset (rather than the full list of attributes) as in this case study we merely study the habits and basic demography of user communication without taking into consideration the sentiments or mood of the affected Twitter users (bearing in mind that this is synthetically generated data and that the sentiment analysis is inaccurate due to artificially introducing terror-related keywords).

The results of SOM unsupervised clustering of our two knowledge bases generated from the simulation are as follows (Fig. 10).
Fig. 10

SOM clustering for the ‘Paz Sin Fronteras II’ simulation data

For the ‘Paz Sin Fronteras II’ simulation, the SOM algorithm managed to segment the users into several different clusters, each with distinctive properties.
  1. 1.

    Blue cluster: the majority of users, contributing from both mobile and fixed (non-mobile) devices, with properties of chatter (as indicated by the abundance of replies), comprising both genders. This is visible in communication patterns involving information seeking and enquiring about the situation amongst people in the affected area; prior work discussing this ‘social life’ of information has been done by (Hughes and Palen 2009; Starbird et al. 2010).

  2. 2.

    Red cluster: contains hashtags and URLs in the message, reflecting the message sharing characteristics of the users by contributing links to additional information during a potential terrorism scenario. Again, actions like these in the context of a serious event illustrate the need for microbloggers to share and receive additional information (Starbird et al. 2010).

  3. 3.

    Yellow cluster: mainly fixed device users, where the gender of the users cannot be readily predictable. This might be due to the publishing of tweets by groups, corporations or agencies, which use the name of the organization as their Twitter username. This clearly distinguishes this cluster from the blue and red clusters above, as the users in the preceding clusters have readily-identifiable human names from both genders (Cheong and Lee 2010a). In real-world terrorism events, groups or organizations which would have a direct need for a ‘social’ information presence (Cheong and Lee 2009) would be aid agencies and organizations affected (e.g. the Hilton Hotel, which was directly sending Twitter messages offering advice to its customers during the Jakarta attack (Cashmore 2009a)).

  4. 4.
    Green cluster: users directly contributing user-generated content in the form of pictures or videos via YouTube, TwitPic or Flickr (Fig. 11).
    Fig. 11

    SOM clustering for the ‘AFL Preliminary Final’ simulation data

As for the ‘AFL preliminary final’ simulation, the results of SOM segmentation and clustering are as follows:
  1. 1.

    Blue cluster: users from both mobile and fixed (non-mobile) devices, with tendencies to reply messages, from both genders.

  2. 2.

    Red cluster: predominantly users of fixed (non-mobile) devices, having the tendency to ‘retweet’ other people’s messages, and share information based on hashtags.

  3. 3.

    Yellow cluster: predominantly users of fixed (non-mobile) devices, with tendency to post URLs as a method to share information.

  4. 4.

    Green cluster: predominantly users of fixed (non-mobile) devices, who share information via user generated content on sites such as YouTube, Flickr, and TwitPic.


6 Discussions

Due to the constraints imposed by the underlying technology which we apply this framework on, there are indeed several limitations that need to be discussed.

The Twitter API (Twitter Inc. 2009a) has API limitations intended to conserve server resources. As of press time, they are:
  1. 1.

    Searching for backdated tweets: the Search API returns up to a hard upper bound of 1,500 most recent tweets, or a dynamic backdated range of approximately 20 days, whichever first (Cheong and Lee 2010b).

  2. 2.

    Polling current tweets: the Stream API returns only a subset of all the Twitter messages. We have applied for permission to acquire a slightly higher rate of messages; this covers only “a proportion more suitable for data mining and research applications that desire a larger proportion to be statistically significant” (Twitter Inc. 2009b). However, Twitter does not generally provide the entire Twitter message stream to third-parties.

  3. 3.

    Looking up user information: the REST (Representational State Transfer) ‘users: show’ API is limited to 20,000 user searches/lookups per hour after having granted white-listing permission from Twitter. However, the disadvantage is that due to the potentially high number of user lookups that have to be conducted in the short span of an hour, this limit may very well fall short, and there will be a subset of messages in the captured data set with not enough corresponding user metadata.


The ideal scenario is for Twitter Inc. to provide unlimited access to the above data; however it is highly unlikely due to constraints such as resources and legal issues. We suggest several workarounds to overcome this hurdle. For the search problem, the workaround is to use a third-party archive of Twitter data, either by using a commercial Twitter archival service such as TweetScan,1 or a corpus of ongoing Twitter captures such as the proposed US Library of Congress Twitter Archive project (Raymond 2010). Unfortunately, for the Stream API, there is no other way to increase the proportion of streamed messages other than the elevated proportion granted to researchers. As for the third problem of harvesting user information from tweets, we could utilize a few more client computers for distributed user lookup.

Another identified potential limitation in our framework is that it is preferable to include human observers to better pinpoint cases may otherwise escape automated detection. For example, if a terror threat is written in another language other than English, our framework does not fully work due to our sentiment analyzer being seeded with English key phrases. Also, it is better to have a human user ‘tweak’ the framework (e.g. prioritize certain attributes in the detection such as geographic location while putting less emphasis on retweet frequency) based on the needs of the different possible scenarios.

Lastly, phases 1 and 2 of our proposed framework are hard to test in a real-world situation due to the unpredictability of real-world events. In future work, we hope to improve the validity of the aforementioned phases in our framework; this can be achieved by deploying the proposed framework for continuous monitoring of the live Twitter stream data over a long period of time.

7 Conclusion

In this paper, we have proposed a novel framework utilizing the Twitter microblogging service as a multifaceted data source for harnessing sentimental data and demographic analysis in civilian response to terror scenarios. The novelty in this is that Twitter is rich in data for such applications, but not much work has been done in exposing the latent patterns and emergent properties in the context of terror informatics. Our experimental results provide insight as to how our framework can be used in real-world settings by homeland security authorities and law enforcement agencies to immediately chronicle and respond to terror threats. We also shed light into the understanding of our obtained data, by coupling the harvested information with visualization and intelligent data mining techniques. The limitation of this kind of study is the lack of real-world data for robust analysis.


TweetScan ( is a third-party Twitter data backup service.


Copyright information

© Springer Science+Business Media, LLC 2010