Brussels needs to move beyond ready-made slogans in the fight against disinformation
The recent Doppelganger operation we exposed mainly consisted of Russian actors cloning media websites and buying many domain names echoing real ones to spread anti-Ukraine narratives. Our report presented a series of policy recommendations on Internet domain names and the need to enforce existing laws like GDPR and trademark laws.
Nevertheless, most of the press coverage and the follow-up discussions with policy-makers focus once again on platforms. These discussions go like this:
Us: What can we do to better protect the media from being impersonated using domain names? Why isn’t GDPR enforced on Russia-based actors when they breach it targeting Europeans?
Them: Yes, interesting… But can we talk about Facebook?
Let’s be clear: the EU DisinfoLab has been very transparent in supporting a better regulation of Facebook, for instance in the Digital Services Act (DSA). We shared our strong disagreements with Facebook’s team when we needed to do so. But Facebook and other platforms cannot remain the only entities we discuss when trying to find solutions to disinformation.
Repeating over and over that “Facebook is bad” is an easy zero-risk policy for MEPs and other officials. Still, it does not meaningfully contribute to reaching our common goal, which should be to better tackle the spread of disinformation and foreign interference.
What can the EU and its Member States do against disinformation? They can adopt and enforce laws that make it harder and more expensive for malicious actors to spread disinformation and regulations that force platforms to mitigate this risk. They can create a favourable environment for researchers, civil society, and journalists who expose disinformation and foreign interference.
We argue for refocusing our common efforts towards enforcing EU laws on malicious actors, using the laws we already have and defining new ones where they are missing. Our assessment is that only using ready-made slogans on platforms accountability, which again is undoubtedly an important piece of the puzzle, hides the fact that the EU and its Member States are not doing enough to tackle disinformation and to support civil society in other key areas.
Here is a non-exhaustive list of recommendations:
- Better regulation of the domain name industry: almost all influence operations use media and media domain names. It would be unreasonable to ask every media to buy all possible domain names. Thus, a mechanism must be put in place to better protect media from impersonation (without reopening the door to exempting media from platform moderation).
- EU funding: We have repeatedly mentioned that operational funding should be available for civil society organisations in this field. UK and US-based entities provide such financing, while the EU and its Member States do not. Can we afford to be that dependent on foreign funding?
- Sanctions: In 2020, we published a report about InfoRos, a Russian news agency, which is now on the US and the UK sanctions list but not on the EU sanctions list.
Other actors reported in our investigations continue their malicious activities without sanction. Some continue to be accredited in the transparency register of the European Union, and even get EU funding (we do not mention the names here; to understand why, please read point 7 below).
- GDPR: The General Data Protection Regulation (GDPR) is breached by almost all actors we wrote about, who continue breaching GDPR without penalties. The difficulty of attribution should not be the easy answer to continued inaction. Instead, it should be a call to work on attribution to enforce the law effectively.
- Cybersecurity: Besides the regular announcements about the EU’s intention to support “civil society resilience”, organisations like ours get no help from the EU and its Member States. When a Russian cyberattack targeted us, only US actors helped us: someone at Meta proactively reached out to put us in touch with FireEye (now Mandiant). FireEye helped us for free for days when we really needed help (tremendous help). Meanwhile, we did not get any support from any EU-based organisations.
- Abuse of Freedom of Information Requests (FOIR): Anyone with an anonymous email address can decide to ask EU institutions an unlimited number of questions about us. We woke up one day to our names on the asktheEU.org website, with questions framed to leave a climate of suspicion upon our activities. We were even told that “anyone at the GRU” could use this platform anonymously to smear us and that “it is how it is”. Our email addresses were shared without our consent, and some institutions did not even consult us before publishing our email correspondence. We are not at all against transparency, but transparency should not become a weapon that malicious actors can use without limitations against civil society. Here is an additional warning: in the US, the Election Integrity Partnership is currently the victim of severe FOIR abuse.
- Abuse of the judiciary system: we welcome the EU’s work on Strategic Lawsuits Against Public Participation (SLAPPS) and call on solutions to be found rapidly. There are many examples of such abuse, such as in France where civil society and journalists are being sued regularly by a well-known state-owned media. Our organisation has spent a substantial amount of money and time dealing with justice abuses. Contrary to what is often thought: our legal expenses are not covered, and in the last years they amount to about 50,000 EUR.
- Speaking to platforms’ experts: EU officials keep talking to, meeting with, and sometimes funding manipulative actors depicted in open-source investigations. Meanwhile, some EU officials refuse to speak to platforms experts. Platforms like Meta and Twitter have some of the world’s best disinformation researchers in their teams. Refusing to listen to them is as inefficient as taking everything they say for granted.
So, as it stands: malicious actors will not be sanctioned, GDPR and other existing laws are not enforced on them and they can continue buying domain names impersonating media organisations while organisations tackling disinformation, which often do not get sufficient operational funding nor cybersecurity and legal support, can be targeted by freedom of information requests’ abuse and lawsuits.
If the EU and its Member States wish to see a dynamic civil society fighting disinformation and to meaningfully address information disorder, we believe it is time to go beyond ready-made slogans and to work – concretely – on tackling the issues described in this contribution.