While artificial intelligence (AI) bots can serve a legitimate purpose on social media — such as marketing or customer service — some are designed to manipulate public discussion, incite hate speech, spread misinformation or enact fraud and scams. To combat potentially harmful bot activity, some platforms have published policies on using bots and created technical mechanisms to enforce those policies.
But are those policies and mechanisms enough to keep social media users safe?
New research from the University of Notre Dame analyzed the AI bot policies and mechanisms of eight social media platforms: LinkedIn, Mastodon, Reddit, TikTok, X (formerly known as Twitter) and Meta platforms Facebook, Instagram and Threads. Then researchers attempted to launch bots to test bot policy enforcement processes.
The researchers successfully published a benign “test” post from a bot on every platform.
“As computer scientists, we know how these bots are created, how they get plugged in and how malicious they can be, but we hoped the social media platforms would block or shut the bots down and it wouldn’t really be a problem,” said Paul Brenner, a faculty member and director in the Center for Research Computing at Notre Dame and senior author of the study. “So we took a look at what the platforms, often vaguely, state they do and then tested to see if they actually enforce their policies.”
The researchers found that the Meta platforms were the most difficult to launch bots on — it took multiple attempts to bypass their policy enforcement mechanisms. Although the researchers racked up three suspensions in the process, they were successful in launching a bot and posting a “test” post on their fourth attempt.
The only other platform that presented a modest challenge was TikTok, due to the platform’s frequent use of CAPTCHAs. But three platforms provided no challenge at all.
“Reddit, Mastodon and X were trivial,” Brenner said. “Despite what their policy says or the technical bot mechanisms they have, it was very easy to get a bot up and working on X. They aren’t effectively enforcing their policies.”
As of the study’s publishing date, all test bot accounts and posts were still live. Brenner shared that interns, who had only a high school-level education and minimal training, were able to launch the test bots using technology that is readily available to the public, highlighting how easy it is to launch bots online.
Overall, the researchers concluded that none of the eight social media platforms tested are providing sufficient protection and monitoring to keep users safe from malicious bot activity. Brenner argued that laws, economic incentive structures, user education and technological advances are needed to protect the public from malicious bots.
“There needs to be U.S. legislation requiring platforms to identify human versus bot accounts because we know people can’t differentiate the two by themselves,” Brenner said. “The economics right now are skewed against this as the number of accounts on each platform are a basis of marketing revenue. This needs to be in front of policymakers.”
To create their bots, researchers used Selenium, which is a suite of tools for automating web browsers, and OpenAI’s GPT-4o and DALL-E 3. The research, published as a pre-print on ArXiv, was led by Kristina Radivojevic, a doctoral student at Notre Dame, and supported by CRC student interns Catrell Conley, Cormac Kennedy and Christopher McAleer.
Contact: Brandi Wampler, associate director of media relations, 574-631-2632, brandiwampler@nd.edu