Hidden struggles of auditing social platforms: Why is creating user accounts so difficult?

Multiple factors influence the success and effectiveness of an audit of a social platform. These factors are not only varied, concerned with implementation and research alike, but also often unexpected. We have recently discovered some of these factors during the implementation of an audit for our recent reproducibility study, from proxying network connections to simulating different countries, handling ever-changing elements of the user interface, to defining realistic user behaviour. In this short blog, we will investigate a particularly tricky situation that leaves us guessing why auditors have to deal with these problems.

To interact with content and other peers, social media platform users have to create an account representing themselves on the platform. Trends in the last few years show that many features on social platforms are being made available exclusively to logged-in users. An automatic and ethical on-demand generation of these accounts is therefore needed to efficiently facilitate the authentic behaviour of social media users.

The automation of the account creation process is, however, strongly opposed by the platforms, which employ multiple restraints and procedures to stop consumers from creating fake bot accounts that can be used to artificially promote content, push engagement, spread spam or advertisements. In the case of TikTok, audited in our aforementioned study, the platform requires a mobile application to create a new account (alternatively, a Google account, which then requires a smartphone as well).

While such protection of social media platforms against automatic account creation is understandable in the case of actors with bad intentions, it is also a blocker for legitimate and ethical research activities, such as our aim to perform algorithmic audits and thus obtain a better understanding of recommender systems and the role they play in the social media environment.

Therefore, in our project, we need to find a way to create accounts for our personas, simulating various users during the audit process. The smartphone being a requirement for the user creation process, physically operating multiple smartphones would not only be costly but also difficult to scale. The alternative is emulating a virtual Android smartphone, which, in the end, brought a whole set of new issues.

A way to reliable and authentic Android emulation is long and troublesome.

First, while there are many Android emulators, the majority struggle with providing support for ARM architecture, dominantly used in Android devices as opposed to x86, which in practice means multiple applications are unable to launch. Other times, some applications either fail to start or work properly due to the unstable nature of emulators.

Second, emulators can be, and many times are, used for dubious or harmful purposes, such as bot spam or various scams, which resulted in the implementation of various measures to ensure emulators are properly identified and cannot be interchanged for a physical device. These measures include validation of build parameters, IMEI and unique Android ID, hardware and sensor-based detection, prevention of application tampering, or countless other methods, such as checking that the file system does not contain any suspicious patterns. These measures are commonly combined, which results in a very efficient prevention against emulated devices.

Third, the automation of a user interface of an Android application suffers from similar problems as the automation of a website interface. TikTok and many other platforms continue to introduce changes to their application, providing users with new features or a more accessible interface. The ever-changing environment causes automation to become difficult and highly unreliable.

Finally, even if we manage to successfully create a new account for the audit, our bot faces another danger – a shadow ban. A practice put in place to prevent spam and violations of Terms of Service, a user is seemingly able to browse and interact with the social platform, but their content and interactions are not seen by other users. This all happens without the impacted user being notified, and many times, them being completely unaware of this happening.

Why are researchers and independent auditors required to navigate their way around these restrictions?

The restrictions put in place against emulated devices are reasonable and required to detect scam and harmful activity. However, as long as these social platforms do not provide fair and effective ways to audit the underlying recommender systems, accessible to researchers and external independent auditors, the researchers will have to find a way around these measures.