As Italy counts down to national elections in March, one party has taken a creative approach to spreading its message on Twitter: it enlisted supporters to turn themselves into bots.
Bots are automated accounts which post retweets or likes without human intervention. In politics, they are normally used to make small groups look bigger. Usually, bots are made by a bot herder or team, either by creating new accounts or repurposing hijacked ones. @DFRLab published a guide on how to #BotSpot, a primer on how bots are used, and some techniques botmakers use to disguise their product.
In the Italian case, some bots have been created by the account-holders themselves — what could be called “selfbots.”
This is not the first time this has been done (the Russian Embassy in the UK used the same tactic a year ago), but with the election approaching, it highlights how different actors are trying all possible tactics to give themselves an edge online.
Automatic posts
The story broke on January 23, after Matteo Salvini, leader of the nationalist Lega party, appeared on national television.
Italian blogger, web designer, and fact-checker David Puente was quick to point out that a suspicious number of accounts tweeted the same message advertising Salvini’s appearance at exactly the same time.
@DFRLab conducted a machine scan of the phrase and confirmed that the identical text was posted by 154 accounts in the space of 74 seconds, from 21:45:11 UTC to 21:46:25 UTC.
This is typical bot behavior. Puente analyzed the data coming from two of the accounts and revealed that they came from an automator called “LegaNordIllustrator”, linked to the official Lega Twitter feed, @LegaSalvini, and to the URL SalviniPremier.it.
Both salvinipremier.it and Salvini’s other apparent websites, matteosalvini.eu and matteosalvini.com, redirect to Salvini’s official Facebook page. Puente identified this URL as the host of the automator: http://matteosalvini.com/seguimitw.asp.
The link leads to an advert for Salvini’s own Twitter account.
Bots, yet not bots
The behavior of these accounts was too similar and too synchronized to be anything other than automated. Analysis of the accounts involved confirmed this, demonstrating that they repeatedly posted the same Salvini messages (usually with his name hashtagged) in the same order.
Scanning these tweets, in turn, revealed an identical pattern of simultaneous posts from the same accounts.
Some of the amplifiers were corporate accounts: Lega chapters across Italy, and Radio Padania Libera, a nationalist radio station whose name calls for a free republic of “Padania,” the northern part of Italy.
Others appeared to be human users, but posted with machine-like regularity — too regular to be human. These accounts are all automated to post the same content at the same time. In that sense, they are a botnet.
However, different accounts in the botnet behave in different ways. For example, the last time @Flory1952 posted anything other than automated Salvini content was on August 6, 2017.
@HarrisonPala, by contrast, interspersed Salvini tweets with commercials for Xbox and a few authored posts. One tweet included a selfie showing a face which matches the profile picture. A reverse image search did not return other results for these pictures, indicating that this is a genuine user.
@Dumbo54 caught our eye because its profile picture is the flag of the so-called “Novorossiya,” the (largely discontinued) Russian-led separatist name for eastern Ukraine, and it is a highly active account with over 133,000 engagements since it was created in 2010.
The account posts long slews of Italian-language retweets, many from Lega member Claudio Borghi, in a botlike pattern of behavior.
However, it does not behave like a pure bot. It posts many replies which appear to be authored.
Despite its use of the separatist flag, it barely mentions Novorossiya or Ukraine in its tweets.
@dumbo54 appears to be a genuine Italian account, partially automated to amplify pro-Lega messaging, but also used to post many replies.
How to be a selfbot
These accounts therefore constitute a botnet when it comes to posts about Salvini, but not necessarily when it comes to other topics.
The app exposed by Puente explains this dichotomy. The users in question appear to have signed up to it, and thus converted themselves into willing “selfbots”, effectively handing the keys of their accounts to Lega.
We can deduce a little about the way the app works by studying the posts it generated. It appears to hold its human users in a list, and run through them in a set order, second by second, with minimal variation.
The corporate accounts appear to constitute a separate sub-list which displays a little more variation in the order and timing of posts.
In each case, the official Lega account, @LegaSalvini, was the first corporate account to post, with the Salvini supporters’ group, @Noiconsalvini, and Radio Padania Libera following in short order.
However, these were always preceded by the first in the “humans” series of accounts, albeit only by one or two seconds.
Thus, the @LegaSalvini account does not appear to act as a trigger for the human accounts, as might have been suspected; rather, it, like the others, is triggered by the automator, which then appears to run through its list of accounts with minimal variation.
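The scan and ordering analysis described above (identical text from many accounts within seconds, posted in a near-fixed sequence) can be sketched as follows. This is an added example, not @DFRLab's or Puente's tooling; the function names, thresholds and account names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

def find_bursts(posts, min_accounts=3, window=timedelta(seconds=90)):
    """Map each normalized text to its densest run of posts inside `window`,
    keeping only texts posted by at least `min_accounts` distinct accounts."""
    by_text = defaultdict(list)
    for ts, account, text in posts:
        key = " ".join(text.lower().split())  # ignore case and spacing
        by_text[key].append((datetime.fromisoformat(ts), account))
    bursts = {}
    for key, hits in by_text.items():
        hits.sort()
        best = []
        for i, (start, _) in enumerate(hits):
            run = [h for h in hits[i:] if h[0] - start <= window]
            if len({a for _, a in run}) > len({a for _, a in best}):
                best = run
        if len({a for _, a in best}) >= min_accounts:
            bursts[key] = best
    return bursts

def order_agreement(burst_a, burst_b):
    """Share of account pairs that post in the same relative order in both
    bursts (1.0 suggests one fixed list); None if no comparable pair."""
    first_a, first_b = {}, {}
    for first, burst in ((first_a, burst_a), (first_b, burst_b)):
        for when, account in burst:
            first.setdefault(account, when)  # keep each account's first post
    pairs = [(x, y) for x, y in combinations(sorted(first_a.keys() & first_b.keys()), 2)
             if first_a[x] != first_a[y] and first_b[x] != first_b[y]]  # skip ties
    if not pairs:
        return None
    same = sum((first_a[x] < first_a[y]) == (first_b[x] < first_b[y]) for x, y in pairs)
    return same / len(pairs)

SAMPLE = [  # constructed data, hypothetical accounts: (UTC time, account, text)
    ("2020-01-01T21:45:11", "human_01", "Watch the leader live on TV tonight #example"),
    ("2020-01-01T21:45:12", "official_acct", "Watch the leader live on TV tonight #example"),
    ("2020-01-01T21:45:13", "human_02", "Watch the leader live  on TV tonight #example"),
    ("2020-01-01T21:45:14", "human_03", "Watch the leader live on TV tonight #example"),
    ("2020-01-02T09:02:40", "organic_user", "Watch the leader live on TV tonight #example"),
    ("2020-01-02T18:00:01", "human_01", "New rally announced #example"),
    ("2020-01-02T18:00:03", "official_acct", "New rally announced #example"),
    ("2020-01-02T18:00:04", "human_02", "New rally announced #example"),
    ("2020-01-02T18:00:05", "human_03", "New rally announced #example"),
]
```

On the constructed sample, both messages are flagged as bursts, the later organic repost is excluded, and the first poster in each burst is a "human" account rather than the official one.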
This is not the first time Lega resorted to a selfbot strategy. On the matteosalvini.com home page, Salvini's supporters can still find the promotional pictures that invite them to join Lega's social campaign on Facebook and Twitter.
As Puente also pointed out in his article, the social media campaign was launched in 2014, before the elections for the European Parliament, and was suspended. Lega invited supporters to subscribe to the app through their Facebook profile, their Twitter profile, or both, in order to become a "spokesperson" for Salvini. Lega also specifies that, upon registration, the supporters' profiles will automatically like, repost, and retweet Matteo Salvini's content.
Another example of Lega's use of selfbots came with the referendum announced by Renzi in December 2016. On the night before the referendum, between 10:04pm and 10:09pm, 156 Twitter accounts shared the same picture with the same message, which invited Italian citizens to go and vote "no". In this case, we found some of the same people who were involved in the selfbots case two days ago.
Conclusion
This network of “selfbots” is a variation on a well-known political theme. It created a dormant network of bots, which can operate autonomously but also be activated at will to amplify a political message.
The botnet was both obvious and small. It appeared to include just over 150 accounts, of which some are Lega corporate ones. Its main impact on the Italian Twittersphere appeared to have been to expose the Lega’s use of automation online, which was not necessarily the desired effect.
However, it is a point of vulnerability in the online debate. By blurring the distinction between human-run accounts and automated ones, it opens the door to larger-scale abuse. With apparently human users behaving like bots, at the same time as bot makers are trying to make their bots behave more like humans, “selfbots” like this further blur the distinction between human and algorithm, and render the online space more vulnerable still to abuse.
Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).
Anna Pellegatta is a Digital Forensic Research Assistant at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).
Our #ElectionWatch coverage for the upcoming Italian elections is in partnership with fanpage.it.