Activists of the ruling party have had access to the Kurir and Espreso websites, where they could leave a large number of pluses of minuses on existing comments by readers, shows CINS’ analysis of the code of the VotR2 app, which the party’s “Internet team” has been using. In that way the activists, also known as bots, according to instructions received in advance, awarded positive or negative marks to the comments published by the two media, which in the case of the Južne Vesti website they used to deal with criticism aimed at the Serbian Progressive Party and Serbian President Aleksandar Vučić. Through that influence they create a false public image, CINS’ interlocutors say.
“VotR2 is especially designed to manipulate comments through voting,” says Jurre van Bergen, a digital security expert with the Organized Crime and Corruption Reporting Project (OCCRP).
This data was revealed by the VotR2 app’s code, i.e. text, which was available for download at least until January 2019. The code shows that it was enough to install the app on one’s cell phone and thus access these websites. Although the app no longer exists in the Google Play Store, it is available on at least one of the foreign websites that collect apps (APKMonk), while CINS reveals that accessing media websites in a similar way is still possible.
VotR2 is easy to use.
Judging by the analyzed code, after they have downloaded and launched the app on their phone the user receives a code they need to verify through a program on their computer. The app then continues to operate without further orders from the user, i.e. “in the background” of the phone, where it performs the work it was designed for – gives pluses and minuses to existing comments on the Kurir and Espreso websites. Van Bergen, a digital security expert, analyzed the app using three different tools. He says that, apart from operating on its own, the app is programmed to relaunch every time an Android phone is turned on or restarted.
Voting is done automatically every six seconds, with up to five votes per comment, after which the app moves on to the next comment. Votes are awarded according to a list of comments, with specific instructions as to whether a positive or a negative vote should be given.
This is possible b ecause the app code contains links leading to the comments on the news posted on the two websites. The Kurir and Espreso websites probably perceive clicks on those links as voting via mobile apps of these media, according to Van Bergen and other experts CINS consulted. These links are still available today, albeit better protected than before.
How Do We Know the App Belongs to the Progressive Party
With the help of several experts, CINS analyzed the code and found data on an IP address under the number 18.104.22.168. An IP address is a unique number, similar to a phone number, used by computers to communicate with each other on the Internet. During operation, the app communicated with a server, i.e. with this IP address.
A checkup of IP address ownership on any publicly available website (such as whois.domaintools.com) shows that its owner is the Serbian Progressive Party. The party registered this IP address in March 2016 at the address of the party headquarters, Palmira Toljatija 5 in Belgrade’s New Belgrade municipality. CINS reported earlier on how the Serbian Progressive Party had acquired the office space through an unpermitted donation.
By the time this article was published, the Progressive Party did not answer CINS’ questions.
IP address ownership
The aim of leaving comments under news and voting for them is to get access to potential voters through the vote of “a neutral fellow citizen,” says Nemanja Nenadić of Transparency Serbia.
“The aim is to create an impression of what the majority thinks, what a socially acceptable opinion is. I suppose that ultimately that has some effect on voters, because otherwise I do not think the ruling party, and probably some other parties to a lesser extent, according to their financial capacity, would be putting so much effort into it,” adds Nenadić.
Gordana Bjeletić, Editor-in-Chief of the Južne Vesti website, says that the bots are the most active on that website when the Serbian Progressive Party of the president are mentioned: “The most reactions, pluses and minuses are given to the news that mention Aleksandar Vučić.”
Interest of a Media Outlet or of the Party
According to experts, for the app to access the Kurir and Espreso websites in this way, the media had to give access to the Serbian Progressive Party, or for someone to hack their mobile apps. The third option is insufficient protection.
Tanja Maksić, Vice President of the Association of Online Media (AOM), told CINS that if the media themselves had allowed access to the app, that was “completely unethical” and “unacceptable.”
“That kind of business relationship is never transparent. None of the users of the Kurir and Espreso websites actually know they are in that way taking part in a staged public debate,” said Maksić, adding that this created a false public image.
Ana Marković, Executive Director of Espreso Group, which includes the Espreso website, denied that the Group had ever given the Espreso code to anyone, and says that only readers have control over the pluses and minuses awarded to comments. In her first reply to CINS, Marković said that “we have not noticed that those data are being manipulated,” but later, after consultation with the technical team, confirmed that the website had had problems in the past with some bots “who vote automatically by changing the IP address of the server,” i.e. by changing its location.
The technical team also mentioned the possibility of hacking:
“The aforementioned public API link is relatively easy to get by ‘sniffing’ traffic through Wireshark or by decompiling the app and reverse engineering the API call, just like it is possible to reach it from any other app,” reads the reply.
However, Marković declined to say whether Espreso’s official position was that they had been hacked.
CINS journalists received an identical answer from Sonja Lakić, Deputy Editor of the Kurir website, who also consulted the technical team and added that they had not given anyone their code.
“Kurir and Espreso were not hacked. It is a legitimate function that was envisaged – an API that will vote for or against comments on their website. Nevertheless, they did not build adequate security measures which would prevent people from manipulating voting with pluses or minuses on comments,” says Van Bergen.
The part of the app code where you can find Kurir and Espreso websites
Kurir and Espreso are part of Adria Media Group, one of the largest media groups in the Balkans. The Group was owned by businessman Aleksandar Rodić until January 2019, after which it was taken over by Igor Žeželj, the head of well-known website Mondo.
The Kurir newspaper is distributed nationwide, while the websites of both media register a lot of traffic. Kurir.rs boasted that close to 2.8 million readers visited the website over the course of August 2018, whereas research conducted by the Balkan Investigative Reporting Network (BIRN) showed that these two media had attracted 7.5% of the total audience in Serbia in 2018. Before purchasing the media outlet, Mondo handed the Commission for Protection of Competition an estimate that the two websites accounted for about 16.4% of the website market.
There are many comments under news posted on the Kurir website, sometimes up to 10 times more than on the rival Blic website. CINS’ interlocutors say that, if the app creator so wishes, comments and rating them with pluses and minuses can increase traffic on websites.
“They can create a system where every vote is not a visit, they can create a system where a vote is a visit. The goal is to manipulate the system,” said Gordana Bjeletić of Južne Vesti, which recently faced an “assault” by bots.
On some media websites, the comments with the most pluses automatically rise to the top and are the first to be seen by readers.
On the other hand, for parties this is a way to promote opinions that are positive for them. The experience of Južne Vesti shows that the biggest number of pluses and minuses go to the news that pertain to the incumbent authorities, from comments in their favor to criticism:
“They are very sensitive to each piece of news, each topic where the authorities are criticized and they react the most to that,” Bjeletić explains. Although voting did not bring Južne Vesti more traffic, she believes the party would not have done it if it had no effect, adding that their objective is to influence people, especially those who are undecided and look at what others think.
Nemanja Nenadić says that it is important for the media to prevent further access to comments, if they were hacked, otherwise their behavior might be interpreted as support to a political option. On the other hand, if the media allowed the Serbian Progressive Party to vote in this way, that would be “a special form of free service which would have to be reported as a free service, as a contribution to party funding.”
The case of Južne Vesti