Tools + Tech: How DFRLab cracks cases of disinformation

Constant innovation has allowed DFRLab to stay ahead of disinformation campaigns

Code for Africa
Aug 2, 2021

Investigating and tracking disinformation campaigns requires top tech. (Pic: Christina @ wocintechchat.com/Unsplash)

By Tessa Knight

Less than a week before the January 14 presidential elections in Uganda were set to be held, Facebook removed a network of assets linked to the Government Citizens Interaction Center at the Ministry of Information and Communications Technology. The accounts, which included those of government employees, were being used to mislead, target and manipulate public debate ahead of the elections. Facebook’s decision to remove the government-linked assets followed an investigation into inauthentic accounts by the Atlantic Council’s Digital Forensic Research Lab (DFRLab).

The Ugandan government retaliated by denying citizens access to all social media platforms ahead of the election. Soon after, the government shut down access to the internet entirely.

This was just one of the many instances where the DFRLab exposed coordinated inauthentic behaviour online. The global team of experts uses open source investigative tools and techniques to research disinformation and digital propaganda. The team has been at the forefront of exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

The DFRLab Africa team is incubated by Code for Africa (CfA) and forms part of the network working to provide citizens with actionable information. With exposés and reports ranging from Russian influence in Sudan to unveiling the truth behind the #EndSARS protests, the digital sleuths stop at nothing to reveal the truth.

As influence operations are constantly evolving, using more advanced techniques to spread false narratives, so too is the open source intelligence (OSINT) community constantly working to upgrade, advance and improve the repertoire of tools and technology used to expose disinformation campaigns.

What has the DFRLab been up to?

DFRLab investigations into politically motivated disinformation in 2021 resulted in the removal of 617 Facebook assets engaging in coordinated inauthentic behaviour on behalf of foreign entities and local governments.

In the case of Uganda, the pages, profiles, groups and Instagram accounts linked to the Government Citizens Interaction Center at the Ministry of Information and Communications Technology were removed from the platform for violating Facebook’s policy against government interference.

In Sudan, Facebook removed a network of assets using inauthentic profiles, pages and groups to amplify pro-Russian content. The operators behind the network, despite attempting to conceal their identities, were linked to Russia’s infamous Internet Research Agency, and used the network of assets to promote Russia, Russian oligarch Yevgeny Prigozhin, and the formation of a Russian naval base in Port Sudan.

The DFRLab also investigates influence operations that spread from websites to social media. In May 2021, amidst escalating fighting in the Tigray region of Ethiopia, a 72-page report looking at Western media’s alleged role in scapegoating Eritrea during the crisis was published by a previously unknown non-profit organization (NPO).

Following an investigation into the author of the report and the unregistered non-profit organisation, the DFRLab was able to prove a connection between the author and the Eritrean government, indicating a clear bias. The DFRLab also found evidence that government officials endorsed the report, despite the Eritrean Embassy in the United States denying connections to the NPO.

Tools the DFRLab uses to investigate disinformation

WHOIS lookups

WHOIS lookups allow users to see who registered a domain name, when it was registered, and sometimes find contact information for the registrant. This can be incredibly useful when investigating suspicious websites spreading disinformation or propaganda. It is important to note, however, that certain laws as well as the use of privacy proxies can make it difficult or even impossible to access this information.

Facebook transparency and about sections

While there are limited external tools available to investigate Facebook, the platform itself does provide information about pages and groups through the transparency and about sections. Admin location data is listed under transparency, as well as records of name changes, allowing one to check if the page was repurposed or if the admins are not located in the country they claim to be. The about section can sometimes contain map coordinates, cell phone numbers, email addresses or even website links, all of which can be used to try and trace the operators of the page.

Google Analytics and Adsense

When WHOIS lookups are not successful, there are still alternative options. A quick look at a website’s source code, which can be accessed by right-clicking on the page and then clicking “view source code,” can reveal important information.

Google Analytics information can be found by searching the source code for “ua-”. This will return a unique number in the format ua-12345678, which can be used to do a reverse Analytics lookup using tools such as DNSlytics, to see if the same analytics ID is embedded into the source code of multiple websites. A WHOIS lookup can subsequently reveal more information about the website operators. Google Adsense IDs can be found in a similar manner to Analytics IDs — simply search the source code for “pub-” rather than “ua-”.
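The source-code search described above can be scripted when several suspicious sites need comparing. The following is an added example, not DFRLab's own tooling: the function names are hypothetical and the sites, markup and IDs are constructed sample data. It extracts Analytics and AdSense IDs from saved page source and reports which IDs appear on more than one site.

```python
import re
from collections import defaultdict

# Universal Analytics IDs are written UA-<account>-<property>. The account
# part is what links several sites to a single Analytics account, so the
# property suffix is dropped. GA4 "G-..." measurement IDs are not handled here.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b", re.IGNORECASE)
# AdSense publisher IDs appear as pub-<digits>, usually prefixed with "ca-".
PUB_RE = re.compile(r"\bpub-(\d{10,20})\b", re.IGNORECASE)


def extract_ids(html):
    """Return the set of normalised tracker IDs found in one page's source."""
    ids = {f"UA-{m.group(1)}" for m in UA_RE.finditer(html)}
    ids |= {f"pub-{m.group(1)}" for m in PUB_RE.finditer(html)}
    return ids


def shared_ids(pages):
    """Map each ID to the sites embedding it, keeping IDs seen on 2+ sites."""
    seen = defaultdict(set)
    for site, html in pages.items():
        for tracker in extract_ids(html):
            seen[tracker].add(site)
    return {t: sorted(sites) for t, sites in seen.items() if len(sites) > 1}


# Constructed sample input: saved source of four fictional sites.
PAGES = {
    "news-one.example": "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    "daily-two.example": (
        "<script>gtag('config','ua-12345678-3');</script>"
        '<ins data-ad-client="ca-pub-1234567890123456"></ins>'
    ),
    "blog-three.example": "<script data-ad-client='ca-pub-1234567890123456'></script>",
    "unrelated.example": "<script>ga('create', 'UA-87654321-1', 'auto');</script>",
}

if __name__ == "__main__":
    for tracker, sites in sorted(shared_ids(PAGES).items()):
        print(f"{tracker}: {', '.join(sites)}")
```

A shared ID is a lead rather than proof of common ownership, since templates and copied markup can carry someone else's ID; corroborate it with WHOIS records or a reverse lookup.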

Advanced Google Search / Google Dorking

By using advanced search operators, the DFRLab was able to find and identify connections between the author of the Eritrean propaganda report and the Eritrean government. Google dorking, or advanced Google searching, allows one to manipulate search engines to find information that would not necessarily be easy to find searching through a website — for example, spreadsheets of expenses on government websites.

Advanced Twitter Search

Twitter’s advanced search allows one to do more advanced investigations into connections between two or more Twitter accounts, to see if/when they interacted, and, if they did interact, what topics they engaged on. Twitter’s advanced search also allows one to circumvent the platform’s 3,200 tweet limit, which prevents users from viewing more than 3,200 tweets posted to an account’s timeline.

Using advanced search, it is possible to go back to the account’s creation, searching all the tweets for a specific hashtag, word or phrase, or simply searching through a specific time period. This allows investigators to get a better understanding of the account itself, specifically to see if its behaviour changed at any point in time.

Twitter investigation tools

Free tools to search Twitter, such as Twitonomy, TweetBeaver and TruthNest, provide greater insight into a user’s Twitter activity. TruthNest and Twitonomy allow investigators to see what tools a Twitter user primarily uses to post to the platform, which can indicate bot-like or inauthentic activity. TweetBeaver allows investigators to download a user’s last 3,200 tweets, so as to analyse them in depth, or can be used to look up account data for 90,000 accounts every 15 minutes.

______________

The Atlantic Council’s DFRLab’s mission is to identify, expose, and explain disinformation where and when it occurs using open source research; to promote objective truth as a foundation of government for and by people; to protect democratic institutions and norms from those who would seek to undermine them in the digital engagement space.

Code for Africa (CfA) is the continent’s largest network of civic technology and data journalism labs, with teams in 21 countries. CfA builds digital democracy solutions that give citizens unfettered access to actionable information that empowers them to make informed decisions, and that strengthens civic engagement for improved public governance and accountability. This includes building infrastructure like the continent’s largest open data portals at openAFRICA and sourceAFRICA, as well as incubating initiatives as diverse as the africanDRONE network, the PesaCheck fact-checking initiative and the sensors.AFRICA air quality sensor network.

CfA also manages the African Network of Centres for Investigative Reporting (ANCIR), which gives the continent’s best muckraking newsrooms the best possible forensic data tools, digital security and whistleblower encryption to help improve their ability to tackle crooked politicians, organised crime and predatory big business. CfA also runs one of Africa’s largest skills development initiatives for digital journalists, and seed funds cross-border collaboration.
