NO. 16 MARCH 2019 Introduction

Disinformation and Elections to the Annegret Bendiek and Matthias Schulze

Elections to the European Parliament (EP) will take place in May 2019. Politicians and experts fear that the election process might be disrupted by cam- paigns and cyber attacks. In December 2018, the presented an action plan against disinformation. It provided 5 million euros for raising awareness amongst voters and policymakers about manipulation, and for increasing the cyber security of electoral systems and processes. The strategy relies on voluntary and non- binding approaches by Internet companies to fight disinformation. To protect the integrity of elections in the medium term, independent research into technical, legal and market-regulating reforms must be boosted. The objective should be to preserve the functionality of democracies and elections in the age of digitalisation.

The next European elections will be held in are extremely significant for the strategic EU member states from 23 to 26 May 2019. orientation of European integration. A suc- Since right-wing nationalist and Euro-sceptic cess for EU opponents could push the EU movements have gained in strength, there to the very limits of its capacity to act, for is already talk of a “defining election” that example through further exit demands could decisively influence the future ori- along the lines of , or a blockade of entation of the EU. Euro-sceptic parties the complex decision-making process. The already account for almost one-third of elections not only decide the renewal of the parliamentarians, a proportion that might EP, but also the inauguration of the new EU rise following the elections. Commission for the 2019–2024 parliamen- EP elections have thus far been seen as tary term. The EP influences the appoint- “second-rank elections” and therefore as a ment of the Commissioners and can force good opportunity by the electorate to teach the entire Commission to resign with a two- the respective member state’s government thirds majority and realign the Multiannual a lesson. This attitude fails to appreciate the Financial Framework. mobilisation potential of the current debate on the pros and cons of European integra- tion, the influence of third parties, and the growing importance of the EP. The elections

Challenges false information, since even true state- ments taken out of context can be misused The EU’s structure and functions are not for suggestive conclusions. Disinformation easy to understand. European issues are campaigns can be short-term, for example unfamiliar to many, and it is relatively to influence an election result, or long- simple to spread false information about term, for instance to undermine confidence the EU. Considering the upcoming election, in the EU. Attempts can thus be made to the European Commissioner for the Secu- discredit individual politicians so as to pre- rity Union, Sir Julian King, urged member vent them from being re-elected. For exam- states to “take seriously the threat to demo- ple, “negative campaigning” can uncover cratic processes and institutions posed by alleged scandals or make accusations of cor- cyber attacks and disinformation” and to ruption. During the last presidential elec- draw up “national prevention plans” to pre- tion campaign in the USA, automated com- vent “state and non-state actors from under- puter programmes known as Twitter bots, mining our democratic systems and using probably of Russian origin, spread predomi- them as weapons against us”. This specifi- nantly negative reports about Hillary Clin- cally includes disinformation campaigns ton and relatively positive reports about and cyber attacks on the electronic electoral Donald Trump. In the medium term, this infrastructure, which can affect the con- promotes social division and the polarisa- fidentiality, availability and integrity of the tion of public discourse. electoral process. The negotiation of political interests in Disinformation already appears to have social discourses is the key element – but had an impact in Europe: researchers at also the Achilles heel – of democracies. Edinburgh University identified over 400 Tactics such as disseminating dubious false accounts on social networks, operated claims (“muddying the waters”) or constantly by so-called trolls based in St Petersburg, repeating large volumes of false information which were used to influence the Brexit or conspiracy theories (“firehose of false- referendum. Security and defence policy hood”) are used to undermine political cer- defines disinformation and cyber attacks tainties and dissolve a socially shared con- as elements of hybrid threats, i.e. covert cept of truth. One example was the reaction actions by third parties aimed at destabilis- to the downing of a Malaysian passenger ing Europe or the EU system. The term plane in July 2014: on social networks, “hybrid threats” usually refers to a form of there were attempts to discredit the investi- warfare that remains below the threshold of gation report which found that the Russian using military force. This ambiguity gener- armed forces had caused the catastrophe. ally complicates a military response accord- ing to international humanitarian law. IT-Enabled Disinformation

Disinformation Campaigns A distinction must be made between digital and IT-enabled disinformation: digital dis- Disinformation is not a new phenomenon. information encompasses the entire range In security research it is regarded as “black” of digital mechanisms for disseminating , since it seeks to influence pub- information. IT-enabled disinformation, on lic opinion from the shadows. It uses the the other hand, includes hacking incidents same means as modern (PR) or cyber attacks that compromise IT secu- and campaigns. rity, namely confidentiality, availability and In contrast to PR, however, disinfor- integrity of data or systems. The technical mation wants to destabilise the pillars of hack is only one of many means by which democracy by attacking parties, elected the confidentiality of information can be politicians or the EU as a political system. violated, for example by stealing sensitive Disinformation does not necessarily mean information from the accounts of politi-

SWP Comment 16 March 2019

2 cians, parties or officials and then publish- hidden, a self-referential “echo chamber” ing it with harmful intent (doxing). Well- can develop. In online forums that bring known examples are the publication of together only like-minded users, the latter’s e-mails from the US Democratic National perceptions tend to be strengthened be- Committee (DNC) on the WikiLeaks plat- cause they do not experience any contra- form in 2016 and from the Emmanuel diction. Macron campaign team in 2017. Disinformation has a particularly polaris- The restriction of the availability of tech- ing effect on already politicised groups with nical systems via cyber attacks can facilitate strong ideological stances. These can be de- disinformation campaigns as well. Espe- liberately targeted with conspiracy theories cially in authoritarian regimes, websites of that fit their worldview. One example is the opposition politicians, parties and services campaign against alleged rape by asylum such as Twitter and Facebook are deliber- seekers, the so called Lisa case of 2016. Dur- ately paralysed shortly before elections ing the 2016 US election campaign, there by “distributed denial of service” attacks, were incidents where supporters of the meaning the deliberate overload of the right-wing Alternative Right movement and server concerned. Similarly, the digital left-wing groups were separately invited via voting infrastructure with its voting com- Facebook to take part in the same demon- puters and counting systems can be dis- stration, in the hope of provoking a violent rupted and manipulated. escalation. Conspiracy theories and disinformation Digital Disinformation can quickly be shared worldwide over social networks. This can be accomplished using Digital disinformation has the advantage a mix of automated accounts (“social bots”), of having low costs while having a high im- hybrid accounts (partly human, partly auto- pact: with few resources, a global audience mated) and so-called troll armies or 50-cent can be reached with customised disinfor- armies. Such “armies” consist of state actors mation through digital technologies. Digital or privately organised commentators who disinformation employs the legitimate systematically disseminate certain narra- means of the advertising industry to target tives in social media or on news sites. Often users based on their individual behaviour volunteers also unknowingly spread dis- profiles (so-called “targeted ads” and information (“unwitting agents”). In the “micro-targeting”). 2016 US election campaign, US citizens Social networks such as Facebook were spread Kremlin propaganda without know- not developed for the purpose of democratic ing its source. But traditional media cover- discourse, but to analyse and categorise age is also involved, as it increasingly takes their users’ interests and behaviour, and up trending topics from social networks. sell this information to third parties for If these contain disinformation, and the advertising purposes. According to their media carries them unreflectively, they re- behaviour patterns, users will be shown inforce the narratives or false reports. Dis- content that other users of the same cat- information has a cumulative effect over egory or with a similar behaviour profile longer periods of time. also prefer. Algorithms thus ensure that users are shown more of the same so as to hold their attention and keep it on the EU Counter-Strategies platforms as long as possible. These so- called filter bubbles arise directly from the Holding EP elections is the responsibility business model of online platforms to bring of member states. Although they are doing advertising to as many users as possible. much to protect the integrity of elections, If the same opinions are grouped together mostly this is in the form of patchwork and, simultaneously, differing views are measures. There are concerns that the EP

SWP Comment 16 March 2019

3 elections will be manipulated, disrupted or Networks such as Facebook, Twitter and unlawfully influenced by opponents of the YouTube have agreed on a Code of Practice EU, whether during the election campaign, on Disinformation to combat disinforma- at the ballot box or during the counting of tion and fake accounts on their platforms. votes. According to a Eurobarometer survey, In October 2018, this Code was signed by 83 percent of Europeans are worried about Facebook, Google, Twitter and Mozilla, as targeted disinformation on the Internet. The well as professional associations operating EU expects that targeted disinformation cam- online platforms and the advertising in- paigns will be present during election cam- dustry. paigns. Two months later, the Commission and the EU High Representative for Foreign Disinformation Warfare Affairs and Security Policy presented an action plan against disinformation. Both Since 2015, the European Commission has launched the creation of an early warning been attempting to combat disinformation system for information about disinforma- and technical influences using foreign and tion. Five million euros and 50 staff posi- domestic policy measures. It has, inter alia, tions were approved for it. The system is increased staffing and funding for the Euro- meant to be able to identify campaigns in pean Network and Information Security real time and raise awareness of the prob- Agency (ENISA) and set up an East StratCom lem. Task Force within the European External Since the EU fears being misrepresented Action Service (EEAS). The Task Force docu- beyond its borders as well, other teams are ments and regularly informs about disinfor- monitoring the spread of misinformation mation campaigns in the north-eastern in North Africa, the Middle East and the member states. This was followed in 2016 Balkans. Furthermore, it has set up an elec- by a Joint Communication and a Joint EU toral network, elaborated a guide to the Framework for Countering Hybrid Threats. application of EU data protection law in The Commission and the EEAS agree that elections, and given guidance on cyber such threats are increasingly causing security. As of February 2019, member trouble in the EU. states will be running a simulation of what The EU defines hybrid threats as “a mix- would need to be done in the event of an ture of military and civilian warfare by attack. EU states rely on the exchange of state and non-state actors such as covert experience. Further meetings are scheduled military operations, intense propaganda for spring 2019. In late January 2019, the and economic harassment”. These aggres- Commission warned Internet companies sions, it believes, not only cause direct that their transparency initiatives against damage and exploit vulnerabilities, but also covert advertising were not sufficient to destabilise societies and promote the divi- protect the integrity of EP elections. sion of the EU “through cover-ups”. Internal and external security must therefore be Cyber Security Measures even more closely interlinked. Commission President Jean-Claude What is the EU doing about IT-enabled dis- Juncker, in his speech on the state of the information? Critical infrastructure protec- Union 2018, proposed a series of concrete tion has long been subject to EU regulation. measures to ensure that the May 2019 elec- However, member states were unable to tions are free, fair and secure. Among other agree on defining voting systems as critical things, he called for more transparency in infrastructure as part of the 2016 Network (often covert) political advertising on the and Information Security (NIS) Directive. Internet, and the possibility of sanctions if The IT security of voting technology was personal data are used illegally to influence considered a purely national task. However, the outcome of the European elections. reports of alleged influence on the Brexit

SWP Comment 16 March 2019

4 referendum and elections in , Cata- the General Data Protection Regulation lonia and Belgium, have increased sensi- (GDPR) contains a further building block for tivity to the problem. In September 2017, action against cyber attacks and disinfor- the EU proposed a whole range of cyber- mation. In January 2019, the EU also agreed security measures, including a pan-Euro- on a relevant law that allows for fines to pean network of cooperation between data be imposed on political parties and founda- protection authorities, to share knowledge tions that violate data protection rules in on how elections are influenced. Only in the European election campaign in order December 2018 did EU states agree on a to influence voters. Parties can even lose cyber security law that will strengthen the all claims to EU party funding. The reason cyber security agency ENISA, and for the for this regulation was that Facebook had first time create a certification framework passed on user data to the British company for the protection of critical infrastructures. Cambridge Analytica, which evaluated the When, that same month, a hacker pub- data records of 220 million American Face- lished explosive data on Twitter under the book users to create user profiles for tar- pseudonym “0rbit”, politicians demanded geted advertising. an “emergency plan to be able to react within a short time to the outflow of sen- Cyber Security in Elections sitive data, digital industrial espionage or sabotage”. There are also calls for uniform What measures are being taken to ensure minimum legal standards for the security of the confidentiality, availability and integ- information technology equipment, which rity of electronic voting systems? Following would mean replacing the voluntary certifi- reports alleging that the US elections were cation framework of the EU by a European unlawfully influenced, the Council of regulation. This would apply, for example, Europe’s Venice Commission has been in to end-user devices such as mobile phones close contact with the electoral agencies of and laptops. Providers of online services the 61 Council members. Electronic voting and manufacturers of devices connected systems in member states vary widely. Elec- to the Internet would need to design their tronic voting in the EU has so far only been products in such a way that users must used in Belgium, Bulgaria, Estonia and choose strong passwords and update them France. In Belgium, Flemish municipalities regularly. in particular use voting machines. In Bul- As well as making technical infrastruc- garia, such machines will only be used in tures more robust, the EU relies on opera- smaller polling stations in the 2019 EP elec- tional cyber security measures. These in- tions. In France, the use of voting machines clude the development of better attribution was suspended during the 2017 presidential capabilities for cyber attacks, an exchange election due to the alleged incidents in the of information, and a stronger role for US election. In other countries, such as Ger- Europol in the fight against cybercrime. If many or Austria, voting is exclusively by member states become the target of such ballot paper, with information technology attacks, they should be able to find out for being used to determine the election result. themselves where the attacker came from, The security of the IT systems is therefore which security gaps were used, and which essential when establishing the provisional data was affected or extracted. The discus- election results. Estonia is the only country sion will focus on harsher penalties for in the world that allows online voting via cybercriminals and new criminal offences, the Internet. such as the operation of criminal infra- Overarching assessments of the technical structures. With principles such as “security vulnerability of electronic voting systems are by design”, i.e. the development of hard- not possible, as EU countries use different ware and software that seeks to avoid weak voting computers and systems. However, points and manipulations from the outset, since all voting computers can be manipu-

SWP Comment 16 March 2019

5 lated, experts recommend a physical paper therefore be taken into account more printout for each individual vote. In July closely. 2018, under Article 11 of the NIS Directive, representatives from 20 member states pre- Hybrid Threats? pared a compendium on the cyber security of elections. They called on member states to There is competition for responsibilities put in place specific security arrangements and resources between security and defence and contact points for an overarching Euro- policy on the one hand, and domestic policy pean cooperation network. on the other. From the perspective of de- If individual constituencies experience fence policy, the phenomenon of disinfor- irregularities during the actual voting, or mation belongs in the category of hybrid technical problems with the vote count, threats. But narrowing the subject in this elections in individual countries could be way is not sufficient. In a 2017 congression- held again at short notice without the need al hearing, heads of American secret ser- for the entire European Parliament to be re- vices rightly stated that disinformation rep- elected. A cyber attack on a member state resents a new normal. According to NATO would mean that the allocation of seats in and the European Commission, Russia leads the EP could not be confirmed immediately. the way in the targeted dissemination of Targeted cyber attacks launched by third false information, but more than 30 other countries on individual elections can be countries are also involved. Governments sanctioned by the EU applying its Joint mandate think tanks and non-governmental Diplomatic Response (Bendiek 2018). A organisations to provide analyses, so there comprehensive and serious attack on the EP is no shortage of relevant reports. The elections would be seen as an attack on the American Alliance for Securing Democracy, EU. Under certain conditions this would for example, or the Digital Forensic Re- allow the use of the solidarity clause under search Lab, financed by the Atlantic Coun- Article 222 TFEU or even the mutual assis- cil and Facebook, concentrate their work tance clause under Article 42 para 7 TEU. primarily on Russia and China. Think tanks and political foundations dealing with disinformation must identify clients and Promoting Independent Research financiers of their projects so as to avoid suspicions of partiality. The EP elections decide on the new com- However, false information does not only position of the European Parliament, but come from countries outside the EU, but is election rules are a national responsibility. also disseminated within its member states. In many EU countries, local electoral Political , especially from the anti- authorities are responsible for conducting European spectrum; the pretence of a grass- the election. Although they are aware of roots movement (“”); and the the danger of disinformation and cyber role of the tabloid media are at least as attacks, they are not sufficiently technically significant as external attempts at influ- prepared for them. The credibility of the ence. Their impact on Brexit, for example, EP elections and thus of the EU is at stake. probably outweighed that of Twitter bots, European policy-makers prefer short-term which only has a user adoption of 17 per- and more technical measures in close co- cent of the British population. operation with Internet companies to com- The effectiveness of digital disinfor- bat disinformation and hold cyber-security mation has not been scientifically proven. exercises. Research on causes, however, Recent studies on the relevance of filter is lacking. The findings of the various in- bubbles have come to diverging conclu- dependent interdisciplinary research pro- sions. Empirical data indicate that users grammes on disinformation, cyber attacks deliberately choose certain formats and and the conditions of democracy must contents that differ from those of the estab-

SWP Comment 16 March 2019

6 lished media. Filter bubbles of dissent do with short-term task forces and medium- not seem to arise because users are un- term action plans. Linguistic research shows aware that information can be one-sided or that mere fact checking is more likely to false. Rather, the explicit interest of users in inadvertently reinforce false information. divergent opinions seems to be the decisive The effectiveness of automated artificial- factor, accompanied by a steady loss of trust intelligence systems in combating disinfor- within democratic societies in political mation is also overestimated. Obviously, and public institutions. The idea that filter it is unrealistic to hope to eliminate false bubbles are deliberately formed and con- information completely. Instead of tackling trolled is reinforced by the fact that it seems symptoms, it would be useful to promote to be small groups that spread “alternative independent research to analyse proposals facts”, disinformation and manifestly false for short-term technical and policy meas- reports in a particularly vocal way. The fear ures. These should provide the blueprint for that digital algorithms could largely destroy fundamental reforms in the data economy. social communication is thus probably ex- Google’s global market share of 80 per- aggerated. cent of all search queries and Facebook’s and YouTube’s market share of 70 percent IT-Enabled Disinformation in social networks are an expression of the unprecedented concentration processes The EU’s technical measures to combat dis- within communication infrastructure. information campaigns and cyber attacks Alongside the growing importance of digi- are only a first step. Ideally, they will direct tal audiences, communication in society is member states to try to improve protection shifting towards a market-orientated arena for the EP elections during the election where every “speech act” or announcement campaigns, the actual voting and the vote has its price. Private companies provide count. Constant exchange and regular cyber spaces for public digital discourse; access to security exercises are necessary to minimise them is controlled. Only those who enter dangers. However, most member states have into a private contractual relationship and so far failed to consider elections as a criti- make their contribution either financially cal infrastructure for democracy and to or in the form of commercially usable data secure them at a high level. Manufacturers have a say. and suppliers of critical IT products there- These social networks were developed fore urgently need to be made more ac- for purposes and do not cater countable. The problem of unsecured IT for unconditional democratic participation hardware and software in voting technology based only on citizen status. They are com- is still underestimated. In the long term, parable to a situation in which the parlia- the EU must also be enabled to respond ment building is owned by a private pro- strategically, communicatively and with vider, access to it is regulated according to technical effectiveness to attempts at mani- economic criteria, and the loudspeaker pulating elections, and must be provided volume and transmission of speeches to the with the necessary financial and human outside world are assessed in line with mar- resources. Until this goal has been achieved, ket conditions. The EU’s previous regulatory emergency teams can be deployed around approaches, for example its insistence on the clock during the elections. voluntary commitments, do not do justice to this concentration of power. The Council The Supremacy of and Commission were right to criticise the Internet Companies code of conduct currently in force. It con- tained “no common measures, no substan- It is questionable, however, whether the tial obligations, no compliance or enforce- weaknesses of European democracies as dis- ment measures”. When the personal data of cussed above can be addressed effectively numerous German politicians were illegally

SWP Comment 16 March 2019

7 published in December 2018, the online platform Twitter dragged its feet despite its voluntary commitment under the code. Large platform providers have hardly any competition to fear in Europe, meaning that a fundamental reform of the antitrust legislation is the last resort. Previous pro- cedures for the evaluation and control of monopolies have often been inadequate. A key problem is merger control. Large © Stiftung Wissenschaft companies buy burgeoning smaller com- und Politik, 2019 petitor start-ups before they can become a All rights reserved threat to their business model. A striking example of this is Facebook’s acquisition of This Comment reflects WhatsApp and Instagram, and its merging the authors’ views. of user data, against former promises not to The online version of do so. Election advertising on television and this publication contains a stall on the high street are no longer what functioning links to other decides elections, but rather artificial-intel- SWP texts and other relevant ligence technologies such as microtargeting. sources. These are used to specifically address voters SWP Comments are subject who are willing to change their minds and to internal peer review, fact- who can often tip the scales. Only the EU, checking and copy-editing. with its economic power as a whole, can For further information on fight the power of transnational digital cor- our quality control pro- porations. In this context, the EP elections cedures, please visit the SWP website: https://www.swp- are a historic turning point: European berlin.org/en/about-swp/ policy means tackling the major fundamen- quality-management-for- tal issues of the European communication swp-publications/ order, such as the control of platform monopolies and excessive communicative SWP power. During EP election campaigns, po- Stiftung Wissenschaft und Politik litical parties and organisations must com- German Institute for mit themselves to bringing transparency to International and their campaign activities and to preventing Security Affairs the use of social bots.

Ludwigkirchplatz 3–4 10719 Berlin Telephone +49 30 880 07-0 Fax +49 30 880 07-100 www.swp-berlin.org [email protected]

ISSN 1861-1761 doi: 10.18449/2019C16

Translation by Tom Genrich

(English version of SWP-Aktuell 10/2019)

Dr Annegret Bendiek is Senior Associate in the EU / Europe Division at SWP. Dr Matthias Schulze is Associate in the International Security Division at SWP.

SWP Comment 16 March 2019

8