The Stanford Internet Observatory

Taking as its foundational metaphor the technological infrastructure that physicists and astronomers have brought to bear for decades, the Stanford Internet Observatory (SIO) was launched two years ago to create an equally powerful, social sciences-based “Observatory” for internet researchers:

“…the political and social sciences have been slow to build their capabilities to study the negative impact of technology, partially due to a lack of data access, information processing resources, and individuals with the necessary backgrounds to sift through exabytes of data. For centuries, physicists and astronomers have coordinated resources to build massive technological infrastructure to further their field. With infinitely expanding data and content, researchers need infrastructural capabilities to research this new information frontier.

The Stanford Internet Observatory is a cross-disciplinary program of research, teaching, and policy engagement for the study of abuse in current information technologies, with a focus on social media. Under the program direction of computer security expert Alex Stamos, the Observatory was created to learn about the abuse of the internet in real-time, to develop a novel curriculum on trust and safety that is a first in computer science, and to translate our research discoveries into training and policy innovations for the public good.

By providing researchers across Stanford with cutting-edge data analytics and machine learning resources we will unlock completely unforeseen fields of research. We envision a world where researchers do not limit themselves to the data that is easy to access but instead dive into the toughest and most important questions by leveraging the capabilities of the Stanford Internet Observatory.”

The work of the team over at the Observatory has been impressive, and we have been tuned in to their efforts since their launch in 2019. If you would like an overview of the “research, teaching, and policy” and the thoughts of the SIO team as they reflect on their “research and refine our path forward as a research center,” the following report details their “focus areas and goals for the coming year”: The Stanford Internet Observatory Turns Two.

We now turn to the SIO’s latest offering, in partnership with Graphika:  the August 24th release of a joint investigation into “an interconnected web of accounts on Twitter, Facebook, Instagram, and five other social media platforms that used deceptive tactics to promote pro-Western narratives in the Middle East and Central Asia. The platforms’ datasets appear to cover a series of covert campaigns over a period of almost five years rather than one homogeneous operation”…which the SIO authors believe is “the most extensive case of covert pro-Western influence operations on social media to be reviewed and analyzed by open-source researchers to date.” (1)

Anatomy of an Internet-based, Covert Pro-Western Influence Operation

In Unheard Voice: Evaluating five years of pro-Western covert influence operations (IO), the report by the SIO and Graphika, the insights and findings are of interest, but, given the research infrastructure objectives and overall “charter” of the SIO, so too are the computer science techniques and research methodologies applied to the dataset made available to the researchers by Twitter and Meta:

“In July and August 2022, Twitter and Meta removed two overlapping sets of accounts for violating their platforms’ terms of service. Twitter said the accounts fell foul of its policies on ‘platform manipulation and spam,’ while Meta said the assets on its platforms engaged in ‘coordinated inauthentic behavior.’ After taking down the assets, both platforms provided portions of the activity to Graphika and the Stanford Internet Observatory for further analysis.” (1)

This research is also differentiated by the partnership with Graphika, a private sector company that offers an AI-based, SaaS, and managed services platform to study online communities (which grew out of research at the Harvard Berkman Center and launched in 2013). The turnaround time on the research (at least in this researcher’s experience) is also noteworthy: with full cooperation from the various social media platforms owned by Twitter and Meta, the datasets were provided from their platforms in July/August 2022 and the findings were published in August 2022.

For anyone who has managed corporate-sponsored research (that includes shepherding a proprietary dataset through both university and corporate legal vetting and cooperative research negotiations), this lightning-fast workflow is a clear operational, methodological innovation by the SIO.  If the analogy is re-orienting the lens of the observatory telescope at a specific area of activity and data for immediate results, the SIO is functioning as designed.

The Datasets

“As with previous disclosures, Twitter and Meta did not share the technical details of their investigations. Additionally, neither company has publicly attributed the activity to any entity or organization: Twitter listed the activity’s “presumptive countries of origin” as the U.S. and Great Britain, while Meta said the “country of origin” was the U.S. The findings in this report are based on our own open-source investigation and analysis of the two datasets shared by the platform.

The Twitter dataset provided to Graphika and SIO covered:

  • 299,566 tweets by 146 accounts between March 2012 and February 2022
    • These accounts divide into two behaviorally distinct activity sets:
      • The first was linked to an overt U.S. government messaging campaign called the Trans-Regional Web Initiative, which has been extensively documented in academic studies, media reports, and federal contracting records.
      • The second comprises a series of covert campaigns of unclear origin.
  • On Aug. 23, shortly before the publication of this report, Twitter increased the size of its dataset to include an additional 24 accounts and 103,385 tweets. The updated disclosure statement said the activity took place between March 2012 and August 2022.
  • These covert campaigns were also represented in the Meta dataset of:
    • 39 Facebook profiles
    • 16 pages
    • two groups;
    • and 26 Instagram accounts active from 2017 to July 2022.” (2)

Methodology & Overview

According to the report, here is what the researchers did with the data:

The decision to focus on the exclusively covert activity represented in two datasets drawn from separate takedowns by Twitter and Meta posed certain methodological challenges. Accordingly, we employed the following practices to build a subset of assets for further analysis:

  1.  Firstly, we conducted a qualitative review of content samples, metadata, and the profile information associated with each account to determine if an asset should be classified as overt or covert. We conducted an additional open-source investigation to determine asset classifications when required.
  2. We then built a social media network map of the covert Twitter accounts’ followers. This helped us understand the collective audience these assets built and each asset’s relative influence and community. The resulting network map revealed three major groups reflecting specific regions and nations, including Iran, Arabic-speaking Middle East, and Afghanistan.
  3. We used these network groupings as a foundation to review further the covert Twitter and Meta assets and assign labels corresponding to their audience. This included a qualitative review of asset behavior, such as the fake personas they employed online, and a quantitative content analysis of the assets’ most-used hashtags, key terms, and web domains.
  4. This second review resulted in four labeled asset groups, each of which appeared to encompass a contained campaign targeting audiences in one country or geographic region. The activity sets related to Central Asia, Iran, and Afghanistan were each distinct enough to merit their own labels. We combined four less distinct Arabic-language clusters related to Iraq, Syria, Lebanon, and Yemen as one group labeled ‘Middle East.’
  5. Finally, we analyzed the assets in each group individually and collectively to identify the tactics, techniques, and procedures (TTPs) they employed to conduct their campaigns and the narratives they promoted.

The major groupings in the map reflect three nations and regions: Iran, Afghanistan, and an Arabic-speaking Middle East group comprising Iraqi and Saudi subgroups, some of which contain a few accounts associated with Syria, Kuwait, and Yemen. In addition to these major groupings, there were smaller community clusters in the network containing mixed international accounts focused loosely on a variety of international figures and organizations. We also encountered an unclustered set of accounts with insufficient data for categorization.

For each of the covert Twitter accounts we identified, we calculated its “follower footprint” in each community cluster, defined as the proportion of accounts in the community cluster that followed it. There was a typical long-tail distribution in the follower footprints, with a few influential accounts followed by a descending list of accounts with progressively fewer followers. The distribution also featured a large set of assets (about 20% of all the suspended covert Twitter assets) with no followers evident among the map’s communities. Accounts with a significant follower footprint showed a clear association with a specific national or regional group in the map.

The method used to construct the network map is designed to reveal the communities in which the covert assets were embedded. We found 60,798 active Twitter accounts that followed at least one of the covert takedown assets on Twitter, and collected follower and following data for each of these. We used an iterative method to find the accounts among these best connected to each other in strong communities, yielding a map of 13,946 densely interconnected accounts. These were clustered based on network relationships into 49 individual community clusters, then further categorized into seven map groupings based on the strength of their relationships with each other and an analyst review of the language, interests, and behavioral characteristics. Five of these map groupings combine further into two analytic parts: Iran (with three groupings) and Middle East Arabic (with two groupings).

After assigning each of the covert assets a label, we were able to visualize activity and posting patterns for each group. This provided an overview of each campaign and the set as a whole.  (2)
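The “follower footprint” measure and the dense-map step quoted above can be worked through on a toy graph. This is an added example, not code from the SIO/Graphika report or from this article; the account names, cluster labels and the use of k-core pruning for the report's unnamed “iterative method” are assumptions.

```python
from collections import defaultdict

# Constructed sample: account -> set of accounts it follows. Not real data.
ASSETS = {"asset_a", "asset_b", "asset_c"}           # hypothetical covert assets
FOLLOWS = {
    "u1": {"u2", "u3", "asset_a"}, "u2": {"u1", "u3", "asset_a"},
    "u3": {"u1", "u2", "asset_a", "asset_b"},
    "u4": {"u5", "u6", "asset_b"}, "u5": {"u4", "u6", "asset_b"},
    "u6": {"u4", "u5"},
    "u7": {"asset_c"}, "u8": {"u1", "asset_c"},      # weakly connected followers
}
# Cluster labels are supplied here; the report derived its own from network relationships.
CLUSTER = {"u1": "c1", "u2": "c1", "u3": "c1", "u4": "c2", "u5": "c2", "u6": "c2"}

def dense_core(follows, assets, k):
    """Keep followers tied to at least k other kept followers (k-core pruning,
    an assumed stand-in for the report's unnamed iterative method)."""
    nodes = {a for a in follows if a not in assets}
    ties = {n: set() for n in nodes}
    for src, targets in follows.items():
        for dst in targets & nodes:
            if src in nodes and dst != src:          # undirected follower-to-follower tie
                ties[src].add(dst); ties[dst].add(src)
    while True:
        weak = {n for n in nodes if len(ties[n] & nodes) < k}
        if not weak:
            return nodes
        nodes -= weak                                # pruning can expose new weak nodes

def follower_footprints(follows, assets, cluster_of, core):
    """footprint[asset][cluster] = share of the cluster's mapped accounts following the asset."""
    size, hits = defaultdict(int), {a: defaultdict(int) for a in assets}
    for acct in core:
        size[cluster_of[acct]] += 1
        for a in follows[acct] & assets:
            hits[a][cluster_of[acct]] += 1
    return {a: {c: hits[a][c] / size[c] for c in size} for a in assets}

def summarize(footprints):
    """Rank assets by their largest footprint; list assets with no followers in the map."""
    ranked, unmapped = [], []
    for asset, fp in footprints.items():
        top = max(fp, key=fp.get, default=None)
        if top is None or fp[top] == 0:
            unmapped.append(asset)
        else:
            ranked.append((asset, top, round(fp[top], 2)))
    return sorted(ranked, key=lambda r: -r[2]), sorted(unmapped)

if __name__ == "__main__":
    core = dense_core(FOLLOWS, ASSETS, k=2)
    print(summarize(follower_footprints(FOLLOWS, ASSETS, CLUSTER, core)))
```

Here `asset_c` is followed only by accounts that fall out of the dense map, which is the toy analogue of the assets the report describes as having no followers evident among the map's communities.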

Findings:  Campaigns and Narratives

  • The platforms’ datasets appear to cover a series of covert campaigns over a period of almost five years rather than one homogeneous operation.
  • These campaigns consistently advanced narratives promoting the interests of the United States and its allies while opposing countries including Russia, China, and Iran.
  • The accounts heavily criticized Russia in particular for the deaths of innocent civilians and other atrocities its soldiers committed in pursuit of the Kremlin’s “imperial ambitions” following its invasion of Ukraine in February this year.
  • To promote this and other narratives, the accounts sometimes shared news articles from U.S. government-funded media outlets, such as Voice of America and Radio Free Europe, and links to websites sponsored by the U.S. military. A portion of the activity also promoted anti-extremism messaging.
  • We focused our analysis on the exclusively covert activity to better understand how different actors use inauthentic practices to conduct online influence operations (IO). We did note, however, some low-level open-source connections between the overt and covert activity in the combined Twitter and Meta data. These consisted of limited cases of content sharing and one Twitter account that posed as an individual in Iraq but has previously claimed to operate on behalf of the U.S. military. Without supporting technical indicators, we are unable to assess further the nature of the relationship between the two activity sets.
  • We believe this activity represents the most extensive case of covert pro-Western IO on social media to be reviewed and analyzed by open-source researchers to date. With few exceptions, the study of modern IO has overwhelmingly focused on activity linked to authoritarian regimes in countries such as Russia, China, and Iran, with recent growth in research on the integral role played by private entities. This report illustrates the wider range of actors engaged in active operations to influence online audiences.
  • Twitter and Meta’s data reveals the limited range of tactics IO actors employ; the covert campaigns detailed in this report are notable for how similar they are to previous operations we have studied. The assets identified by Twitter and Meta created fake personas with GAN-generated faces, posed as independent media outlets, leveraged memes and short-form videos, attempted to start hashtag campaigns, and launched online petitions: all tactics observed in past operations by other actors.
  • …the data also shows the limitations of using inauthentic tactics to generate engagement and build influence online. The vast majority of posts and tweets we reviewed received no more than a handful of likes or retweets, and only 19% of the covert assets we identified had more than 1,000 followers. The average tweet received 0.49 likes and 0.02 retweets. Tellingly, the two most followed assets in the data provided by Twitter were overt accounts that publicly declared a connection to the U.S. military.
  • This report is non-exhaustive and benefited from previous studies by the academic and open-source research communities. We hope our findings can contribute to a better-informed understanding of online influence operations, the types of actors that conduct them, and the limitations of relying on inauthentic tactics. (2)

What Next?

The information threat vector, cognitive infrastructure, misinformation, and covert influence operations will be discussed (when we gather as the OODA Community in October at OODAcon 2022 – The Future of Exponential Innovation & Disruption) in the context of the panel Future Wars:  Beyond Cyberconflict, with:

John Robb, Global Guerrillas Report and Author of Brave New War

J.D. Work, Cyber threat expert and professor at Columbia, NDU, and MCU

Yegor Dubynsky (invited), Ukraine Office of Digital Transformation

A description of the panel:  Twenty years ago, cybersecurity experts warned of attacks against power grids and planes falling from the sky. They predicted a future that has not manifested itself yet. Will it? Or will the future of war be a conflict waged for the hearts and minds of social media users? What about the future of conflict in the contested domain of space – not only regarding assets in orbit but space exploration and resource exploitation? What lessons will Russia use from its extensive use of cyber tools against Ukraine? What lessons should defenders learn?

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.