Analytic thinking: Examining claims about Twitter spam and protests in China

Ray Serrato
Dec 7, 2022


In my last blog post, I outlined a few of the qualities and skills I’ve found useful as a digital investigator who’s worked in human rights investigations and Trust and Safety, with a focus on influence operations. In this post, I want to expand on one of those qualities — analytic thinking — using a recent example that generated great fanfare.

Last week, media outlets reported on an uptick in spam that apparently targeted Chinese city names amid protests against COVID measures. Several Twitter users also tweeted about the spam, with their threads racking up thousands of retweets; experts and commentators weighed in and, given the timing, cast blame on the Chinese government.

Quoted in The Guardian, an analyst at Recorded Future claimed that the spam was likely “a large-scale operation either sponsored by the Chinese government or outsourced by the state to a surrogate like a well-resourced troll farm.” This claim bounced through various media outlets, with Nisos asserting that the spam was designed to prevent information about the protests “from reaching western audiences” and Recorded Future finding it difficult to imagine who other than China could “conduct such a large-scale campaign.”

In this post, I want to outline how an analyst might use analytic thinking to assess all this using a bit of devil’s advocacy and a competing hypothesis. I have my own views on this incident as well, informed by investigative experience, but the exercise here is based entirely on publicly available information about Chinese influence operations (CNIO) to date, including findings from activity like Spamouflage and Dragonbridge.

So the main hypothesis is…

The Chinese government, or an actor sponsored by the government, is responsible for a surge of escort spam targeting Chinese city names to flood the information space and drown out protests.

Some key assumptions are that…

  • The Chinese government wants to prevent external audiences from being able to see evidence of the crackdown on protests
  • The Chinese government has the capacity and expertise to conduct such a “large-scale operation”

The evidence is that…

  • Spam-like accounts have been used often in CNIO reported by Twitter and the research community
  • The accounts purportedly bear some similarity to accounts used in previous CNIO reported by Twitter and the research community

As far as I could tell, this is all the evidence for this hypothesis. I have not seen a detailed analysis of the account traits to fully examine the ostensible similarities, but from the reporting, they seem to amount to general descriptions of “bot” accounts, such as: “newly created accounts with zero or low follower numbers; accounts created in blocks of hundreds or thousands; using similar account name structures” ... “identical text content; and sharing photos or videos of young Asian women.”

Now for a bit of devil’s advocacy

  • CNIO is notoriously low-effort, but an obvious “operation” like this simply created a Streisand effect. Why be this sloppy when you want to draw attention away from the content of the protests? (Unless the point, of course, is for the media to focus on the sloppy spam and not the protests).
  • This activity was not so “large-scale” that only a government could be responsible. You would not even need a “troll farm” to do this given sufficient automation. Indeed, Meta and Twitter have regularly accused commercial entities of conducting actual, large-scale operations of this nature.
  • It is also insufficient to exclude other actors given the prevalence of porn and escort spam appearing often on Twitter, without any link to political activity. There is no public evidence that crypto, coupon, or Ray-Ban spam has been used by state-backed adversaries (even if they might’ve repurposed old accounts that were used for those purposes).
  • Literally anyone can buy spam accounts to tweet content and target trending topics to drive traffic to their services or products. Twitter has policies prohibiting this behavior and researchers, marketers, and others have long used the phrase “hashtag hijacking” to describe it.
  • The accounts bear only a few signals similar to those of previously identified CNIO efforts, namely, default generated screen names, a first name and last name pattern, low followers/following, and stock photos. These aren’t very distinct from other kinds of spam accounts though (any thread by @conspirator0 could show you that) and on their own are insufficient signals for attribution.
  • Previous CNIO has consistently used such accounts to spread counter, or undermining, narratives rather than pure chaff. Why wouldn’t they do that here?

What could be a competing hypothesis?

The escort spam targeting Chinese city names is an example of hashtag hijacking, which is an evergreen problem on Twitter and not limited to China.

Some key assumptions are that…

  • Spam, of all varieties, regularly targets trending topics or keywords to direct people to its payload, whatever it may be
  • There is a spam marketplace where anyone can buy services, such as a spam-driven influence campaign and/or advertisement of products

The evidence is that…

  • You can type Seoul (서울) or Busan (부산시) into Twitter search and browse the Latest tab to see accounts that are highly similar to those found targeting Chinese cities. They have similar naming conventions in screen names and names (Table 1), advertisements, and imagery. But there are no protests in Seoul or Busan.
  • Spam accounts are activated based on keyword detection and rising topics. You can see this by typing a word like “metamask,” which can trigger spam replies like the one below, payload and all.
  • There is ample evidence of marketplaces where you can buy services like fake engagement, fake or real compromised accounts, fake followers, and more.
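
The comparison this evidence implies can be made explicit by measuring how often the generic account signals appear in a sample posting Chinese city names versus a control sample from city keywords with no protests. This is an added example, not part of the original post; the handle regex, the thresholds, the function names and both account samples are constructed assumptions.

```python
import re

# Heuristic for a default-style handle: letters followed by a long digit run.
# The exact pattern and the follower thresholds below are assumptions.
DEFAULT_HANDLE = re.compile(r"^[A-Za-z]+\d{5,}$")
FIRST_LAST = re.compile(r"[A-Z][a-z]+ [A-Z][a-z]+")
SIGNALS = ("default_handle", "first_last_name", "low_follow")

def generic_spam_signals(acct):
    """Return which of the generic signals an account shows."""
    hits = set()
    if DEFAULT_HANDLE.match(acct["screen_name"]):
        hits.add("default_handle")
    if FIRST_LAST.fullmatch(acct["name"]):
        hits.add("first_last_name")
    if acct["followers"] < 10 and acct["following"] < 10:
        hits.add("low_follow")
    return hits

def signal_rates(accounts):
    """Fraction of accounts in a sample that show each signal."""
    counts = dict.fromkeys(SIGNALS, 0)
    for acct in accounts:
        for sig in generic_spam_signals(acct):
            counts[sig] += 1
    return {sig: counts[sig] / len(accounts) for sig in SIGNALS}

def diagnosticity(target, control):
    """Rate ratio target/control per signal. A ratio near 1.0 means the
    signal is equally common in both samples and cannot tell them apart."""
    t, c = signal_rates(target), signal_rates(control)
    return {s: (t[s] / c[s] if c[s] else float("inf")) for s in SIGNALS}

def acct(screen_name, name, followers, following):
    return {"screen_name": screen_name, "name": name,
            "followers": followers, "following": following}

# Constructed sample: accounts posting Chinese city names.
TARGET = [acct("LauraKim48213907", "Laura Kim", 0, 3),
          acct("AmyChen90317752", "Amy Chen", 2, 0),
          acct("JaneWu55120983", "Jane Wu", 1, 1),
          acct("city_news_desk", "City News Desk", 5400, 310)]
# Constructed control: accounts posting Seoul/Busan keywords (no protests).
CONTROL = [acct("MinaPark77120456", "Mina Park", 0, 2),
           acct("SoraLee30918827", "Sora Lee", 3, 1),
           acct("EmmaChoi66120934", "Emma Choi", 0, 0),
           acct("busan_eats", "Busan Eats Daily", 1200, 80)]

if __name__ == "__main__":
    print(diagnosticity(TARGET, CONTROL))
```

When every ratio sits near 1.0, as in this constructed data, the signals are consistent with both hypotheses and support neither over the other.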

Wrapping up

Analytic thinking requires us to look at assumptions and their underlying premises. We need to consider alternative hypotheses and think adversarially about the claims we are making.

For example, is it true that only the Chinese government could conduct this activity? What can we say about similar spam targeting other cities and its relation to the protests? Would this kind of spam actually “prevent” people from seeing the protests? Do we know the prevalence of such spam across all Twitter surfaces, so that we can say it would even be effective in such an aim? Given everything we know about reported CNIO activity thus far, does this make sense?

Our analysis depends on the validity of certain assumptions and those assumptions should be challenged. As in most cases like this, though, it’s incredibly difficult for external researchers to make claims of attribution without access to internal signals.


Ray Serrato

Previously Trust & Safety @Twitter and Investigator @UNHumanRights.