1st Branch : The Coordination assessment
The coordination of accounts and adoption of techniques to publish, promote and spread false content is being referred to as “Coordinated Inauthentic Behaviour” (CIB). Coordinated Inauthentic Behaviour definition may vary from a platform to another.
Although a clear and widely accepted definition of CIB is currently missing, the concept is growing consensus among the platform, especially because it allows the platform to work on account removal without looking at and judging the content. Non-platform researchers and investigators are also doing more work in exposing CIB and we can observe an understanding emerging around the concept.
The approach of the EU Disinfo Lab as part of the WeVerify project is to deliver a set of tools, criteria, OSINT techniques and methodology that will help researchers to detect or to prove CIB activity.
The tools we propose are in the form of a CIB detection tree. It has four main branches that will correspond to a series of four blogpost published in the next months. Here is the first one: The Coordination Assessment branch.
Why and where to look? Suspicious timestamps
Examining the timestamps and time of posting is one of the best indicators to assess automation, or Coordinated Inauthentic Behaviour done by a human artificially pushing for content or copy-pasting the same content, or several accounts coordinated to push a narrative. Suspicious timestamps can appear in various places and, yes, in various times. It can be the posting time, it can be the creation date of multiple accounts, it can be the first post of a series of accounts, or it can be a series of accounts all following the same target at the same time.
Check for authentic coordinated behaviours
In this branch, we will try to assess if a specific network is engaged in coordinated behaviours, and if coordinated behaviours can be tied to a specific network. some CIB can in fact be organized by real accounts coordinating to manipulate, to harm or to push a narrative. It is also crucial to make the distinction between a CIB campaign and authentic coordination and normal social networking.
Identify a Network
Once the network has been identified, one can try to assess if there is coordination among the networks. Assessing the coordination of a network and identify the network coordination must go hand in hand. A “network”, or people grouping on a social network will always be found and identifying a network without assessing coordination can lead to false positive results.
There are three main way for assessing a network.
Assess Network via Interacting Accounts
For example by examining the interactions between users, most retweeted users on Twitter.
Check if the network is already known or some accounts already appear in previous fact-checking archives
CIB accounts are often re-used or repurposed. It is therefore useful to check if a CIB account or network is related to previously known accounts or already fact-checked material.
Identify Networks through Timestamp and similar Behaviour
Similar behaviour, if checked against similar timestamps, can lead to identify a network. For example if accounts are switching from using Twitterfeed to using Twitter Web Client at the same time.
Check for Network Coordinated Behaviour
If a network has previously been identified, then we must look for any behaviour adopted by the network. If no network has been identified, then the similar behaviour adopted around the same time should trigger the look for a network.
Coordinated behaviour can be the sharing of the same or similar material, the change of profile picture, the renaming of the accounts or adopting repurposing behaviour around the same time (erasing previous post, renaming etc.)
Attempt to assess the intent
Intent can be determined by various means, investigation of a network, suspicion of the aim of a campaign, or suspicion of renewed activity from a network previously identified. Once the intent of a CIB has been determined or suspected, it is possible to track back the intent from the results and effects of a CIB campaign to its origins with checking some specific features.
Check for context of suspicious activity
Once a suspicious timestamp, activity, network or coordinated behaviour is identified, it should be checked against a particular context or event.
In a CIB campaign, there can be intent and a purpose behind a campaign. This purpose and intent will appear if suspicious activity around a network is properly contextualized.
Check for outside calls for coordination
In some cases, it is possible to look for calls for coordination done outside the platform where the CIB will happen. Some studies working on fake reviews, were able to find outside calls for coordination and Facebook groups, sat up to engage in coordinated inauthentic behaviour on another platform. It is also possible to identify the keywords used to rally for a campaign and use it to detect outside calls for coordination on other platforms.
Detect Cluster or Groups by tracking back the intent
Reversely it is possible to check for the results, the intent or goals of a suspected CIB and, from there, to trace back the group or cluster of its origin and prove the CIB existence. If one has determined a CIB campaign goal was to harm a particular target or group, it is possible to track back the origin or networks of the campaign by tracking bad mention of the target or content trying to harm the targeted group.
Check for Similar Content
It is also crucial to check for Similar Content but this will be detailed in a subsequent blogpost.
In the other branches, we will explore other criteria that can be used to assess authenticity, source of the CIB or their potential impact.
This tree was elaborated through careful study of the methodology used by non-platform actors to track CIB and the study of the takedown reports and anti-CIB policy used by the platforms. As with any tool involving assessment, OSINT techniques or open-source investigation methodology, entering the world of assessing CIB is entering a world of false positive, misleads and second guessing. This tree is designed to assist researchers and non-platform actors in their investigation. It was designed with automation in mind, part of the tasks described here could be automated or designed to assist human investigations. However, this tool was designed bearing in mind that humans are doing the hard work and only humans can eliminate false positives and misleads. We do believe that even completed with all 4 branches the CIB detection tree will be perfectible. We also believe it will help researchers to populate their report with a language and example that the platforms can speak and understand. Because platforms engaged themselves in removing and acting against CIB, this is why this tree can be used as a detection tool and as a tool for proving CIB in a particular network already under scrutiny.