tek fog in action

By Ayushman Kaul and Devesh Kumar

This is the third in a series of articles investigating claims behind the use of ‘Tek Fog’, a sophisticated app used by political operatives affiliated with the Bharatiya Janata Party to drive propaganda at scale in India. In previous parts, The Wire examined claims about the various social media manipulation techniques available to app operators, including the ability to hijack ‘inactive’ WhatsApp accounts and use them to disseminate messages on the encrypted chat app. In this part, we look at ways in which operators have used the app to drive pro-BJP and Hindutva propaganda on Twitter, among other social media platforms.

New Delhi: Pro-Bharatiya Janata Party handlers managing an army of online operatives in a secret, industrial scale propaganda operation not only have the ability to flood major social media platforms with automated abuse and targeted harassment – much of which is misogynist and communal – and inflate engagement using inauthentic accounts managed by the secret Tek Fog app, but have devised an innovative work flow and remuneration process to ensure maximum political bang for their buck.

Screenshots and screencasts shared by the whistleblower whose revelations formed the starting point of The Wire‘s investigations into ‘Tek Fog’ also suggest the app uses a results-oriented, ‘surge pricing’ model to incentivise performance during elections and other politically important events.

One of the most important – and disturbing – features of the app is the hard-coding of abuse modules, and the manner in which these are deployed by a vast network of managed accounts to target critics, political opponents and ordinary citizens. Tek Fog appears to have been used particularly effectively against women journalists active on social media whose work or posts run counter to the BJP’s official narrative. The aim is to use abuse and harassment to not just drown out dissent and criticism but also intimidate and silence individuals.

So how does this ‘abuse’ feature work? The whistleblower explained that first, the app’s operators access a database of individuals integrated with Tek Fog to identify persons to target. The database includes students, journalists, comedians, film actors, social media influencers, spiritual leaders and others, together with information about their religion, gender, sexual orientation, language, age, political affiliation and, in some cases, physical attributes like complexion and even breast size. All of this information allows operators to target specific people based on their indicators – from harassing them from multiple accounts to sending offensive messages into their private Twitter inbox.

The most frequently targeted individuals were women and Muslims, according to a review of the app’s screenshots and screencasts that the source provided.

One screenshot shows a series of abusive and misogynistic keywords that operators can select to compose messages intended for women journalists.

To understand this targeting process, the authors used an open-source data collection tool to monitor a set of 280 highly retweeted women journalists.

From January 1, 2021 to May 31, 2021, the authors parsed 4.6 million replies to tweets by women journalists, and found that 18% of these replies – over eight lakh in number – originated from accounts belonging to the network of accounts managed by Tek Fog.

To corroborate these findings, the authors used an open-source profanity detection library to filter those replies that were abusive and/or derogatory. Some 67% (5.36 lakh) replies were classified as ‘offensive’.

Most of the targeted women were able to correlate their own experiences online with these revelations about Tek Fog. “I am not surprised,” Rana Ayyub, who tops this chart, tweeted when The Wire released this data on Twitter earlier this week. “From porn videos, misogynistic, communal abuse, character assassination, have seen it all, enabled by the government. The #tekfog investigation by the Wire, validates what most women journalists have flagged for years.” “A million abuses were hurled at women journalists through a secret app in just five months,” said Rohini Singh on Twitter. “The most powerful party in India spends its resources on abusing women in order to silence them. The price women pay for existing on social media….” Sagarika Ghose too was clear about whose footprints she saw. “#TekFog isn’t some anonymous app: its handlers are politically aligned. No wonder India’s power elite are silent. Their silence has enabled and normalised this malicious abuse of women. And tomorrow it could be your daughters,” she tweeted.

It is worth recalling that the whistleblower themselves had outed the use of sexualised trolling against women whom they alleged the BJP IT Cell had decided to target, such as the former Jawaharlal Nehru University student leader from Kashmir, Shehla Rashid.

In a tweet they put out in April 2020, they recalled how operatives had been “ordered to use obnoxious methods to troll Shehla Rashid. Doctored porn pics of @Shehla_Rashid were sent through WhatsApp groups to counter her on Twitter and Fb. Which forced her to deactivate [her] Twitter handle.” “Now I apologise @Shehla_Rashid. I’ve learnt much from those mistakes,” they said.

Other prominent women journalists targeted through the Tek Fog app, and independently verified by The Wire, include Ismat AraHiba BégNeha DixitFatima KhanJyoti YadavSakshi JoshiShereen Bhan and Madhu Trehan, amongst others. The list of the 20 most abused women journalists also included Quratulain Rehbar and Masrat Zahra, two independent journalists from Kashmir.

As part of its regular workflow, the Tek Fog homescreen shows a list of ‘daily trends’ that operatives are required to amplify across Twitter and Facebook using the automation features built into the app.

To ascertain whether the feature was functional at the time of analysis, the authors requested the source to provide a screenshot of their ‘daily task’ on three consecutive days, from May 4 to May 6, 2020. To verify the results with a larger sample, and to better understand the scale of the operatives’ ability to manipulate social media indicators, the authors also asked for a list of previous hashtags that had been made to ‘trend’ using Tek Fog.

A review of these actions illuminated how operatives automated accounts to manipulate trends favouring the BJP – by artificially amplifying the narratives and popularity of its leaders and ideologues across Twitter and Facebook.

The list of ‘daily tasks’ the source shared included a few colour-coded hashtags. These saffron coloured hashtags referred to a ‘trend’ started by the Indian National Congress (INC), other opposition parties and/or their supporters. The source said that some of their daily tasks were to ‘counter’ these trends with spam and false and misleading information. The Wire was able to verify this claim through an independent analysis of posts uploaded from accounts controlled by the source via Tek Fog.

To verify the app’s features vis-à-vis Twitter, the source provided the authors with two screenshots of hashtags disseminated via the app ahead of time, a list of older hashtags amplified using the Tek Fog app, and a list of accounts on Facebook and Twitter that operatives managed using the app.

These daily-task screens also provided insights into the nature and objectives of each task created by the team. One of them was to create and popularise certain hashtags on Twitter. To achieve this, operators hijacked the ‘trending’ section of the platform by generating inauthentic engagement (tweets, retweets, quote-tweets, likes, etc.) using a large network of accounts that they controlled using Tek Fog.

An analysis of the on-platform activity for each hashtag using Brandwatch and Meltwater Explore – two tools commonly used to listen to social-media chatter – showed how they went on to ‘trend’ nationwide on Twitter.

The daily-task screen also showed that the app’s design incorporated a financial incentive structure to motivate operators to work longer and harder. Each action taken by an operator in the app was correlated to the amount of money they earn for performing that action.

The source alleged that when significant political events – like an election – were in the offing, the people behind the app increased the financial incentives. This is akin to the surge-pricing commonly associated with taxi apps like Ola and Uber. The source said the surge factor on Tek Fog goes up to 2x or 3x per action.

The source provided a screenshot that showed the total and monthly payment received by them through Tek Fog, and a review of their bank statement which suggested that a similar amount was transferred to them in the month of April 2020, but The Wire was unable to independently verify whether this ‘surge pricing’ feature was active at the time of publication.

The Wire was also provided with screenshots of Tek Fog that showed ‘past trends’ that the source had amplified using the app. These trends provided more insights into the sort of political and ideological messages that the app’s operators (in the Nagpur facility) had sought to disseminate.

Some of the hashtags sought to provoke majoritarian sentiments among Hindu users on the platforms, including #HinduRiseAsOne and #भगवा_तो_लहराएगा (“saffron flag will rise”). Others, like #SoniaSpeakNow, #PappuDiwas and #WeStandWithArnabGoswami, targeted the BJP’s political opponents and promoted partisan news and media personalities, respectively.

A review of these hashtags revealed they all exhibited a sudden spike in activity after being repeatedly used by Twitter accounts, helping them reach the ‘trending’ section of the platform in India. This process took place within minutes, further suggesting inorganic growth, a feature that was highlighted by the lack of any significant national event or news around the topic.

The authors analysed the list of accounts that the source provided for insights into the network of accounts used to manufacture Twitter trends.

To capture and visualise the underlying network of accounts used by the operatives to drive trends on Twitter, the team created a list with all the Twitter accounts that the source claimed to directly control, as well as all the accounts that were following or being followed by these accounts. Additionally, accounts that tweeted the targeted hashtags, appearing in the app screenshot provided by the source, were also added to the list, resulting in a set of some 102,000 Twitter accounts.

The team used scraping, open-source intelligence and complex-data analysis tools (Twint and Graphistry) to visualise connections between various accounts managed by Tek Fog, their followers and other accounts.

These accounts exhibited a range of diverse and dynamic behaviours, stymieing initial efforts at categorising their behaviour using the traditional methodological approach. For example, while some of the accounts examined in this network behaved autonomously with minimal human intervention, others appeared to be manually controlled at times, sharing pre-written posts, and engaging with other right-wing influencers and BJP office holders on the platform.

That’s why, to understand broader patterns in the above network, The Wire compiled and employed technical analysis that combined an examination of the temporal features, content properties and sentiment analysis of the 102,000 accounts. Temporal features included the account creation date, posting patterns and levels of engagement (likes, shares). In addition, analysis of the content posted by the accounts provided a list of their most-used keywords and news links shared by the accounts. Lastly, the team used AWS Comprehend, a Natural Language Processing tool, to detect whether the accounts tweeted in multiple languages and conduct a sentiment analysis of their uploaded posts. Through this methodology, around 40,500 accounts were filtered that demonstrated high activity levels while trending hashtags shown in the app screens provided by the source. On several days, these accounts tweeted more than 350 times per day, sometimes to the extent of more than 900 tweets in 15 minutes. Many independent research labs view 72 tweets per day (one every ten minutes for 12 hours at a stretch) as suspicious, and over 144 tweets per day as highly suspicious.

The resulting visualisation (displayed below) confirmed the existence of a large, heavily interconnected and organised cluster of accounts to drive right-wing, pro-BJP narratives on Twitter. Between June 1, 2021 and June 14, 2021, the network of accounts also expanded from 40,500 users to 77,800 users.

A historical analysis of the behaviour of these accounts on Twitter between December 1, 2019 and April 30, 2020 revealed that the app’s operators used the same network to disseminate communally polarising narratives during the February 2020 Delhi communal violence.

The network graph of the Delhi communal violence with 4,523 nodes (each node represents a different account) is centralised with @kapilmishra_ind, a verified account belonging to BJP leader Kapil Mishra, sitting at one end, and @OpIndia_com, a right-wing website, perched on the other. Other accounts like @Rudraravisharma@Kuldeep78328755@vishkanyaaaa and @nationalist_kid managed by the source using the Tek Fog app form the centre of the network relaying tweets to other accounts in the network.

Before the violence broke out in the national capital, Mishra delivered an incendiary speech in which he threatened to take the law into his own hands if the police didn’t ‘clear’ people protesting peacefully against the Citizenship (Amendment) Act 2019 from the streets. Later, in an interview with The Wire on February 23, 2021, Mishra said he didn’t think his call to violence that day, or that of others with the words ‘Goli maro saalon ko (Shoot the bastards)’, were wrong.

In June 2020, NewsLaundry investigated ‘OpIndia’ and found that the outlet had published “at least 25 instances of false news and no less than 14 instances of misreporting” in the previous two years. The network graph itself indicated that OpIndia was a source of false and polarising narratives during the communal violence. On the other hand, Kapil Mishra mobilised this network by sharing mis- and disinformation frequently and bringing new and inauthentic accounts into the cluster.

The ‘past trends’ screenshot from Tek Fog also lists multiple hashtags that indicate that the operators were actively involved in communalising India’s first major COVID-19 outbreak, in 2020, by focusing on the Tablighi Jamaat. They made hashtags like #तब्लीगी_जमात_जिहाद (“Tablighi Jamaat Jihad”) and #TablighiJamatVirus, trend – with a goal to demonise a Muslim congregation and pin the blame for the country’s expanding epidemic on the event’s organisers and attendees, and by extension, Muslims as a whole.

The network graph of these hashtags has 1,896 nodes (each node represents a different account). At the center of this network are four accounts: @ManojKureel (now suspended), @KiranKS (158,000 followers), @rose_k01 (63,000 followers) and @RameshwarArya (now suspended). This network coincides with the broader Tek Fog network, with more than 1,700 of the 1,896 accounts present in the cluster. Apart from Kapil Mishra, the verified accounts of other BJP leaders and office-holders like Sambit Patra and Amit Malviya also featured in this network. In addition to OpIndia, Suresh Chavanke, editor-in-chief of Sudarshan News, pumped this network with mis- and disinformation and communal narratives.

#TablighiJamatVirus, one of the hashtags amplified by the operatives, was shared by this network extensively. The hashtag was amplified by more than 156,000 tweets, reaching an audience of around eight crore users.

A (now deletedtweet by @rosek01, an account in the Tek Fog list that communalised the COVID-19 pandemic by spreading disinformation, was one of the most popular tweets in the network.

The scale and sophistication of Tek Fog’s features outlined in this article, and in this series, offer a springboard from which to understand the use of automated propaganda online and its role in engineering public discourse by state and corporate actors in India. The ‘Tek Fog’ app itself appears to be the backbone of a vast and still largely unexplored network of paid workers and volunteers deploying disinformation strategies on social media platforms to distort or corrupt public conversations in favour of India’s ruling party.

As social media platforms become more popular, the impact of online discourse on individual beliefs and views will also expand. And when unscrupulous political and private actors hijack such platforms, we face a considerable and unprecedented threat to the freedom of expression and of political association guaranteed to all citizens in India.

Indeed, the possibility of similar apps being employed by political operatives in other countries, albeit in less sophisticated forms, poses a deeply corrosive threat to the institutionalisation of democratic norms and the guarantee of independent public discourse, both intrinsic elements of the continued functioning of major democracies across the globe.

Note: If you are working with Persistent Systems, Sharechat or the BJYM and are using/ have used or know more about the Tek Fog app and the broader operation underpinning its use, please contact us at [email protected]. We will ensure your anonymity and privacy at all costs.

This story first appeared on thewire.in