Month: August 2018

A team of researchers at Duo Security has unearthed a sophisticated botnet operating on Twitter — and being used to spread a cryptocurrency scam.

The botnet was discovered during the course of a wider research project to create and publish a methodology for identifying Twitter account automation — to help support further research into bots and how they operate.

The team used Twitter’s API and some standard data enrichment techniques to create a large data set of 88 million public Twitter accounts, comprising more than half a billion tweets. (Although they say they focused on the last 200 tweets per account for the study.)

They then used classic machine learning methods to train a bot classifier, and later applied other tried and tested data science techniques to map and analyze the structure of botnets they’d uncovered.

They’re open sourcing their documentation and data collection system in the hopes that other researchers will pick up the baton and run with it — such as, say, to do a follow up study focused on trying to ID good vs bad automation.

Their focus for their own classifier was on pure-play bots, rather than hybrid accounts which intentionally blend automation with some human interactions to make bots even harder to spot.

They also not look at sentiment for this study — but were rather fixed on addressing the core question of whether a Twitter account is automated or not.

They say it’s likely a few ‘cyborg’ hybrids crept into their data-set, such as customer service Twitter accounts which operate with a mix of automation and staff attention. But, again, they weren’t concerned specifically with attempting to identify the (even more slippery) bot-human-agent hybrids — such as those, for example, involved in state-backed efforts to fence political disinformation.

The study led them into some interesting analysis of botnet architectures — and their paper includes a case study on the cryptocurrency scam botnet they unearthed (which they say was comprised of at least 15,000 bots “but likely much more”), and which attempts to syphon money from unsuspecting users via malicious “giveaway” links…

‘Attempts’ being the correct tense because, despite reporting the findings of their research to Twitter, they say this crypto scam botnet is still functioning on its platform — by imitating otherwise legitimate Twitter accounts, including news organizations (such as the below example), and on a much smaller scale, hijacking verified accounts…

They even found Twitter recommending users follow other spam bots in the botnet under the “Who to follow” section in the sidebar. Ouch.

A Twitter spokeswoman would not answer our specific questions about its own experience and understanding of bots and botnets on its platform, so it’s not clear why it hasn’t been able to totally vanquish this crypto botnet yet. Although in a statement responding to the research, the company suggests this sort of spammy automation may be automatically detected and hidden by its anti-spam countermeasures (which would not be reflected in the data the Duo researchers had access to via the Twitter API).

Twitter said:

We are aware of this form of manipulation and are proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.

Twitter’s spokeswoman also make the (obvious) point that not all bots and automation is bad — pointing to a recent company blog which reiterates this, with the company highlighting the “delightful and fun experiences” served up by certain bots such as Pentametron, for example, a veteran automated creation which finds rhyming pairs of Tweets written in (accidental) iambic pentameter.

Certainly no one in their right mind would complain about a bot that offers automated homage to Shakespeare’s preferred meter. Even as no one in their right mind would not complain about the ongoing scourge of cryptocurrency scams on Twitter…

One thing is crystal clear: The tricky business of answering the ‘bot or not’ question is important — and increasingly so, given the weaponization of online disinformation. It may become a quest so politicized and imperative that platforms end up needing to display a ‘bot score’ alongside every account (Twitter’s spokeswoman did not respond when we asked if it might consider doing this).

While there are existing research methodologies and techniques for trying to determine Twitter automation, the team at Duo Security say they often felt frustrated by a lack of supporting data around them — and that that was one of their impetuses for carrying out the research.

“In some cases there was an incomplete story,” says data scientist Olabode Anise. “Where they didn’t really show how they got their data that they said that they used. And they maybe started with the conclusion — or most of the research talked about the conclusion and we wanted to give people the ability to take on this research themselves. So that’s why we’re open sourcing all of our methods and the tools. So that people can start from point ‘A’: First gathering the data; training a model; and then finding bots on Twitter’s platform locally.”

“We didn’t do anything fancy or investigative techniques,” he adds. “We were really outlying how we could do this at scale because we really think we’ve built one of the largest data sets associated with public twitter accounts.”

Anise says their classifier model was trained on data that formed part of a 2016 piece of research by researchers at the University of Southern California, along with some data from the crypto botnet they uncovered during their own digging in the data set of public tweets they created (because, as he puts it, it’s “a hallmark of automation” — so turns out cryptocurrency scams are good for something.)

In terms of determining the classifier’s accuracy, Anise says the “hard part” is the ongoing lack of data on how many bots are on Twitter’s platform.

You’d imagine (or, well, hope) Twitter knows — or can at least estimate that. But, either way, Twitter isn’t making that data-point public. Which means it’s difficult for researchers to verify the accuracy of their ‘bot or not’ models against public tweet data. Instead they have to cross-check classifiers against (smaller) data sets of labeled bot accounts. Ergo, accurately determining accuracy is another (bot-spotting related) problem.

Anise says their best model was ~98% “in terms of identifying different types of accounts correctly” when measured via a cross-check (i.e. so not checking against the full 88M data set because, as he puts it, “we don’t have a foolproof way of knowing if these accounts are bots or not”).

Still, the team sounds confident that their approach — using what they dub as “practical data science techniques” — can bear fruit to create a classifier that’s effective at finding Twitter bots.

“Basically we showed — and this was what we were really were trying to get across — is that some simple machine learning approaches that people who maybe watched a machine learning tutorial could follow and help identify bots successfully,” he adds.

One more small wrinkle: Bots that the model was trained on weren’t all forms of automation on Twitter’s platform. So he concedes that may also impact its accuracy. (Aka: “The model that you build is only going to be as good as the data that you have.” And, well, once again, the people with the best Twitter data all work at Twitter… )

The crypto botnet case study the team have included in their research paper is not just there for attracting attention: It’s intended to demonstrate how, using the tools and techniques they describe, other researchers can also progress from finding initial bots to pulling on threads, discovering and unraveling an entire botnet.

So they’ve put together a sort of ‘how to guide’ for Twitter botnet hunting.

The crypto botnet they analyze for the study, using social network mapping, is described in the paper as having a “unique three-tiered hierarchical structure”.

“Traditionally when Twitter botnets are found they typically follow a very flat structure where every bot in the botnet has the same job. They’re all going to spread a certain type of tweet or a certain type of spam. Usually you don’t see much co-ordination and segmentation in terms of the jobs that they have to do,” explains principal security engineer Jordan Wright.

“This botnet was unique because whenever we started mapping out the social connections between different bots — figuring out who did they follow and who follows them — we were able to enumerate a really clear structure showing bots that are connected in one particular way and an entire other cluster that were connected in a separate way.

“This is important because we see how the bot owners are changing their tactics in terms of how they were organizing these bots over time.”

They also discovered the spam tweets being published by the botnet were each being boosted by other bots in the botnet to amplify the overall spread of the cryptocurrency scam — Wright describes this as a process of “artificial inflation”, and says it works by the botnet owner making new bots whose sole job is to like or, later on, retweet the scammy tweets.

“The goal is to give them an artificial popularity so that if i’m the victim and I’m scrolling through Twitter and I come across these tweets I’m more likely to think that they’re legitimate based on how often they’ve been retweeted or how many times they’ve been liked,” he adds.

“Mapping out these connections between likes and, as well as the social network we have already gathered, really gives is us a multi layered botnet — that’s pretty unique, pretty sophisticated and very much organized where each bot had one, and really only one job, to do to try to help support the larger goal. That was unique to this botnet.”

Twitter has been making a bunch of changes recently intended to crack down on inauthentic platform activity which spammers have exploited to try to lend more authenticity and authority to their scams.

Clearly, though, there’s more work for Twitter to do.

“There are very practical reasons why we would consider it sophisticated,” adds Wright of the crypto botnet the team have turned into a case study. “It’s ongoing, it’s evolving and it’s changed its structure over time. And the structure that it has is hierarchical and organized.”

Anise and Wright will be presenting their Twitter botnet research on Wednesday, August 8 at the Black Hat conference.

A team of researchers at Duo Security has unearthed a sophisticated botnet operating on Twitter — and being used to spread a cryptocurrency scam.

The botnet was discovered during the course of a wider research project to create and publish a methodology for identifying Twitter account automation — to help support further research into bots and how they operate.

The team used Twitter’s API and some standard data enrichment techniques to create a large data set of 88 million public Twitter accounts, comprising more than half a billion tweets. (Although they say they focused on the last 200 tweets per account for the study.)

They then used classic machine learning methods to train a bot classifier, and later applied other tried and tested data science techniques to map and analyze the structure of botnets they’d uncovered.

They’re open sourcing their documentation and data collection system in the hopes that other researchers will pick up the baton and run with it — such as, say, to do a follow up study focused on trying to ID good vs bad automation.

Their focus for their own classifier was on pure-play bots, rather than hybrid accounts which intentionally blend automation with some human interactions to make bots even harder to spot.

They also not look at sentiment for this study — but were rather fixed on addressing the core question of whether a Twitter account is automated or not.

They say it’s likely a few ‘cyborg’ hybrids crept into their data-set, such as customer service Twitter accounts which operate with a mix of automation and staff attention. But, again, they weren’t concerned specifically with attempting to identify the (even more slippery) bot-human-agent hybrids — such as those, for example, involved in state-backed efforts to fence political disinformation.

The study led them into some interesting analysis of botnet architectures — and their paper includes a case study on the cryptocurrency scam botnet they unearthed (which they say was comprised of at least 15,000 bots “but likely much more”), and which attempts to syphon money from unsuspecting users via malicious “giveaway” links…

‘Attempts’ being the correct tense because, despite reporting the findings of their research to Twitter, they say this crypto scam botnet is still functioning on its platform — by imitating otherwise legitimate Twitter accounts, including news organizations (such as the below example), and on a much smaller scale, hijacking verified accounts…

They even found Twitter recommending users follow other spam bots in the botnet under the “Who to follow” section in the sidebar. Ouch.

A Twitter spokeswoman would not answer our specific questions about its own experience and understanding of bots and botnets on its platform, so it’s not clear why it hasn’t been able to totally vanquish this crypto botnet yet. Although in a statement responding to the research, the company suggests this sort of spammy automation may be automatically detected and hidden by its anti-spam countermeasures (which would not be reflected in the data the Duo researchers had access to via the Twitter API).

Twitter said:

We are aware of this form of manipulation and are proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.

Twitter’s spokeswoman also make the (obvious) point that not all bots and automation is bad — pointing to a recent company blog which reiterates this, with the company highlighting the “delightful and fun experiences” served up by certain bots such as Pentametron, for example, a veteran automated creation which finds rhyming pairs of Tweets written in (accidental) iambic pentameter.

Certainly no one in their right mind would complain about a bot that offers automated homage to Shakespeare’s preferred meter. Even as no one in their right mind would not complain about the ongoing scourge of cryptocurrency scams on Twitter…

One thing is crystal clear: The tricky business of answering the ‘bot or not’ question is important — and increasingly so, given the weaponization of online disinformation. It may become a quest so politicized and imperative that platforms end up needing to display a ‘bot score’ alongside every account (Twitter’s spokeswoman did not respond when we asked if it might consider doing this).

While there are existing research methodologies and techniques for trying to determine Twitter automation, the team at Duo Security say they often felt frustrated by a lack of supporting data around them — and that that was one of their impetuses for carrying out the research.

“In some cases there was an incomplete story,” says data scientist Olabode Anise. “Where they didn’t really show how they got their data that they said that they used. And they maybe started with the conclusion — or most of the research talked about the conclusion and we wanted to give people the ability to take on this research themselves. So that’s why we’re open sourcing all of our methods and the tools. So that people can start from point ‘A’: First gathering the data; training a model; and then finding bots on Twitter’s platform locally.”

“We didn’t do anything fancy or investigative techniques,” he adds. “We were really outlying how we could do this at scale because we really think we’ve built one of the largest data sets associated with public twitter accounts.”

Anise says their classifier model was trained on data that formed part of a 2016 piece of research by researchers at the University of Southern California, along with some data from the crypto botnet they uncovered during their own digging in the data set of public tweets they created (because, as he puts it, it’s “a hallmark of automation” — so turns out cryptocurrency scams are good for something.)

In terms of determining the classifier’s accuracy, Anise says the “hard part” is the ongoing lack of data on how many bots are on Twitter’s platform.

You’d imagine (or, well, hope) Twitter knows — or can at least estimate that. But, either way, Twitter isn’t making that data-point public. Which means it’s difficult for researchers to verify the accuracy of their ‘bot or not’ models against public tweet data. Instead they have to cross-check classifiers against (smaller) data sets of labeled bot accounts. Ergo, accurately determining accuracy is another (bot-spotting related) problem.

Anise says their best model was ~98% “in terms of identifying different types of accounts correctly” when measured via a cross-check (i.e. so not checking against the full 88M data set because, as he puts it, “we don’t have a foolproof way of knowing if these accounts are bots or not”).

Still, the team sounds confident that their approach — using what they dub as “practical data science techniques” — can bear fruit to create a classifier that’s effective at finding Twitter bots.

“Basically we showed — and this was what we were really were trying to get across — is that some simple machine learning approaches that people who maybe watched a machine learning tutorial could follow and help identify bots successfully,” he adds.

One more small wrinkle: Bots that the model was trained on weren’t all forms of automation on Twitter’s platform. So he concedes that may also impact its accuracy. (Aka: “The model that you build is only going to be as good as the data that you have.” And, well, once again, the people with the best Twitter data all work at Twitter… )

The crypto botnet case study the team have included in their research paper is not just there for attracting attention: It’s intended to demonstrate how, using the tools and techniques they describe, other researchers can also progress from finding initial bots to pulling on threads, discovering and unraveling an entire botnet.

So they’ve put together a sort of ‘how to guide’ for Twitter botnet hunting.

The crypto botnet they analyze for the study, using social network mapping, is described in the paper as having a “unique three-tiered hierarchical structure”.

“Traditionally when Twitter botnets are found they typically follow a very flat structure where every bot in the botnet has the same job. They’re all going to spread a certain type of tweet or a certain type of spam. Usually you don’t see much co-ordination and segmentation in terms of the jobs that they have to do,” explains principal security engineer Jordan Wright.

“This botnet was unique because whenever we started mapping out the social connections between different bots — figuring out who did they follow and who follows them — we were able to enumerate a really clear structure showing bots that are connected in one particular way and an entire other cluster that were connected in a separate way.

“This is important because we see how the bot owners are changing their tactics in terms of how they were organizing these bots over time.”

They also discovered the spam tweets being published by the botnet were each being boosted by other bots in the botnet to amplify the overall spread of the cryptocurrency scam — Wright describes this as a process of “artificial inflation”, and says it works by the botnet owner making new bots whose sole job is to like or, later on, retweet the scammy tweets.

“The goal is to give them an artificial popularity so that if i’m the victim and I’m scrolling through Twitter and I come across these tweets I’m more likely to think that they’re legitimate based on how often they’ve been retweeted or how many times they’ve been liked,” he adds.

“Mapping out these connections between likes and, as well as the social network we have already gathered, really gives is us a multi layered botnet — that’s pretty unique, pretty sophisticated and very much organized where each bot had one, and really only one job, to do to try to help support the larger goal. That was unique to this botnet.”

Twitter has been making a bunch of changes recently intended to crack down on inauthentic platform activity which spammers have exploited to try to lend more authenticity and authority to their scams.

Clearly, though, there’s more work for Twitter to do.

“There are very practical reasons why we would consider it sophisticated,” adds Wright of the crypto botnet the team have turned into a case study. “It’s ongoing, it’s evolving and it’s changed its structure over time. And the structure that it has is hierarchical and organized.”

Anise and Wright will be presenting their Twitter botnet research on Wednesday, August 8 at the Black Hat conference.

Another acquisition for French carpooling platform BlaBlaCar: It’s picked up Russian Internet giant Mail.Ru’s relatively recent rival offering, BeepCar, in what’s being billed as both an acquisition and a partnership.

BlaBlaCar says the move is aimed at consolidating its international growth.

“Through this acquisition, we are doubling down our commitment to develop carpooling in Russia, and to address growing Russian demand for a convenient and reliable long-distance mobility solution,” said co-founder and CEO Nicolas Brusson in a statement.

Russia, a market which BlaBlaCar launched into via acquisition back in 2014 is now its largest market (with 15M users out of its global user base on 65M+). Whereas BeepCar, which only started in 2017, is reported to have passed five million downloads for its app as of Q2 this year.

But close competition from a well-resourced, local Internet giant in a core strategic market where BlaBlaCar has focused for growth likely meant this acquisition was probably only a matter of time.

Financial terms have not been disclosed but it includes a marketing partnership — with BlaBlaCar committing to further promote carpooling through Mail.Ru Group platforms (so it’ll presumably be buying ads).

While, from this fall, BeepCar traffic will be redirected to BlaBlaCar — thereby “driving” advertising revenue for Mail.Ru Group, as they put it (ho-ho).

A spokeswoman for BlaBlaCar confirmed the BeepCar brand and platform will be going away as the service is being consolidated into BlaBlaCar’s platform.

This April the French startup also acquired a Paris-based rival, called Less. While, back in 2015, it bagged its then biggest European rival, Carpooling.com, to dominate its home region.

For its part, the Mail.Ru Group said it will focus on developing its larger verticals: Food delivery, classifieds, cross-border trade, and taxi ride-hailing services.

Another acquisition for French carpooling platform BlaBlaCar: It’s picked up Russian Internet giant Mail.Ru’s relatively recent rival offering, BeepCar, in what’s being billed as both an acquisition and a partnership.

BlaBlaCar says the move is aimed at consolidating its international growth.

“Through this acquisition, we are doubling down our commitment to develop carpooling in Russia, and to address growing Russian demand for a convenient and reliable long-distance mobility solution,” said co-founder and CEO Nicolas Brusson in a statement.

Russia, a market which BlaBlaCar launched into via acquisition back in 2014 is now its largest market (with 15M users out of its global user base on 65M+). Whereas BeepCar, which only started in 2017, is reported to have passed five million downloads for its app as of Q2 this year.

But close competition from a well-resourced, local Internet giant in a core strategic market where BlaBlaCar has focused for growth likely meant this acquisition was probably only a matter of time.

Financial terms have not been disclosed but it includes a marketing partnership — with BlaBlaCar committing to further promote carpooling through Mail.Ru Group platforms (so it’ll presumably be buying ads).

While, from this fall, BeepCar traffic will be redirected to BlaBlaCar — thereby “driving” advertising revenue for Mail.Ru Group, as they put it (ho-ho).

A spokeswoman for BlaBlaCar confirmed the BeepCar brand and platform will be going away as the service is being consolidated into BlaBlaCar’s platform.

This April the French startup also acquired a Paris-based rival, called Less. While, back in 2015, it bagged its then biggest European rival, Carpooling.com, to dominate its home region.

For its part, the Mail.Ru Group said it will focus on developing its larger verticals: Food delivery, classifieds, cross-border trade, and taxi ride-hailing services.

Business travelers have become an increasingly important part of the Airbnb business, according to a new blog post. The company says that Airbnb for Work, which launched in 2014, has seen bookings triple from 2015 to 2016, and triple again from 2016 to 2017. In fact, Airbnb says that almost 700,000 companies have signed up for and booked with Airbnb for Work.

Interestingly, the breakdown of companies working with Airbnb for traveler lodging are pretty diverse — employees from large enterprise companies (5,000+ employees) and employees from startups and SMBs (one to 250 employees) take a 40-40 split, with the final 20 percent of Airbnb for Work bookings going to mid-sized companies.

In July of 2017, Airbnb started making its listings available via SAP Concur, a tool used by a large number of business travelers. Airbnb says that this integration has been a huge help to growing Airbnb for Work, with Concur seeing a 42 percent increase in employees expensing Airbnb stays from 2016 to 2017. Moreover, 63 percent of Concur’s Fortune 500 clients have booked a business trip on Airbnb.

One interesting trend that Airbnb has noticed is that nearly 60 percent of Airbnb for Work trips had more than one guest.

“We can offer big open areas for collaborations, while still giving employees their own private space,” said David Holyoke, global head of business travel at Airbnb. “We think this offers a more meaningful business trip and it saves the company a lot of money.”

Given the tremendous growth of the business segment, as well as the opportunity it represents, Airbnb is working on new features for business travelers. In fact, in the next week, Airbnb will be launching a new feature that lets employees search for Airbnb listings on a company-specific landing page.

So, for example, a Google employee might search for their lodging on Google.Airbnb.com, and the site would be refined to cater to Google’s preferences, including locations close to the office, budget, and other factors.

While the growth has picked up, Holyoke still sees Airbnb for Work as an opportunity to grow. He said that Airbnb for Work listings only represent 15 percent of all Airbnb trips.

But, the introduction of boutique hotels and other amenity-driven listings such as those on Airbnb Plus are paving the way for business travelers to lean toward Airbnb instead of a business hotel.

Plus, as mobility and relocation become even more important to how a business operates, Airbnb believes it can be a useful tool to help employees get started in a new town before they purchase a home.

When weighing up the likely success of challenger banks in the U.K., two predominant schools of thought emerge.

Those who are bullish say that incumbent banks provide a lousy user experience, rip off customers, and innovate incredibly slowly — and therefore are ripe for the taking. Challenger banks just need to focus on what they do best and word of mouth-led switching will follow.

And then there are people who are less convinced who say that most consumers are happy enough with their current bank account and see no reason to switch. Besides, anything innovative a challenger does will be copied by incumbents eventually anyway.

But what if switching was only one means to customer acquisition? One argument I’ve sometimes made is that grabbing customers from a competing bank isn’t the only way to grow a challenger bank. Another customer segment is people who don’t have an existing current account, such as recent immigrants or young people who need to open their very first bank account.

In fact, incumbent banks have long targeted students, for example, with attractive student overdrafts or by setting up shop on university campuses. That’s how Barclays first won my business and why I still lazily bank with them today.

Enter challenger bank Monzo, which early on in its existence experimented with a Monzo ambassador program at a number of universities, with only limited success. Today the fintech is moving the funnel forward slightly by making its digital current account offering available to 16-18 year olds, opening up the bank to more than 1.5 million new young people.

Monzo says that 16 and 17 year old customers can sign up for a Monzo bank account today by downloading the app. They’ll then receive a contactless debit card in the post the next working day. Certain banking features, such as overdrafts and spending on gambling, will be blocked until customers turn 18.

With more than 860,000 registered account holders and set to cross 1 million accounts in the next few months, Monzo has employed a number strategies to grow customers, with a heavy emphasis on viral features and a fresh, young brand.

These have included making friend-to-friend payments easy, either to people who already bank with the startup, or via the Monzo.me service, which gives users a payment link to share with friends.

The idea, as Monzo co-founder Tom Blomfield (picture above) often explains, is that unlike traditional incumbent banks that basically have zero network effects (perhaps beyond joint accounts), the challenger bank is designed to become more useful the more people who join it.

More recently, the challenger bank launched ‘Nearby Friends’, geolocation functionality that uses Bluetooth to let you see anyone else that uses Monzo who is nearby so that you can initiate a payment without needing their phone number to be in your contact book first.

There’s yet more Alex Jones/Infowars news. Facebook yanked four of the conspiracy theorist’s videos from its platform last week, and now it has finally taken more stringent action after it removed four Infowars pages from the social network entirely.

Over the weekend Spotify, Stitcher and Apple all removed Infowars audio content from their platforms days after YouTube and then Facebook pulled four videos that were found to violate community standards.

A refresher for those who need it: Infowars has broadcast a range of conspiracy theories which have included claims 9/11 was an inside job and alternate theories to the San Bernardino shootings, while it has encouraged harassment of families of victims of the Sandy Hook shooting among other things. 

Yet despite much attention on the organization and its use of social media, Facebook’s efforts to handle Infowars have been confusing.

One of the four videos it removed had actually been cleared following a complaint one month ago, while the video purge saw Facebook hand a 30-day ban to Jones’ personal account but the Infowars page — where the content was posted — was able to continue on as normal. That was down to the Facebook system of warnings/accumulated warnings for content violations and nothing to do with peddling fake news. That’s apparently ok.

Indeed, the four Infowars pages that have been “unpublished” — the Alex Jones Channel Page, the Alex Jones Page, the InfoWars Page and the Infowars Nightly News Page — were punished for “repeated violations of Community Standards and accumulating too many strikes” after more videos and content were reported to Facebook by users of the social network.

“Upon review, we have taken [the pages] down for glorifying violence, which violates our graphic violence policy, and using dehumanizing language to describe people who are transgender, Muslims and immigrants, which violates our hate speech policies,” the company explained in an announcement.

Facebook didn’t provide details of exactly which videos violated its policies and how, but it did say explicitly that its action were not related to fake news.

“Much of the discussion around Infowars has been related to false news, which is a serious issue that we are working to address by demoting links marked wrong by fact checkers and suggesting additional content, none of the violations that spurred today’s removals were related to this,” it said in a statement.

Facebook has opted to remain news-neutral, in the sense that only issues warnings based on community standards.

That’s a controversial stance — it is instead pursuing a policy of fact-checking information and letting users make their own mind — but irrespective of whether you agree with that approach, its actions over the past week are problematic because they don’t scale. They rely squarely on the community flagging content in the first instance.

It isn’t clear why Facebook wasn’t able to conduct a more thorough analysis of these Infowars pages last week, when the initial complaints first rolled in. You’d imagine that there’s been enough interest in the topic to warrant a proactive investigation.

Instead, it has taken another week and more reporting of content from users to reach the inevitable conclusion that Infowars has more than just four offensive videos (!) and therefore its pages should be removed(!).

Facebook has chosen to police content based on community guidelines and not the accuracy of information, but the fact it takes so long to take action on the most obvious bad actors doesn’t bode well for finding other, less obvious pages lurking out there that also fall foul of its standards.

Based on that system, it will always be playing catch up. Given the damage that false information can have across its services — from swaying elections to encouraging lynchings, religious violence and more — that simply isn’t good enough.

Didi Chuxing is going pedal to the metal for its automobile services business after it announced it will invest $1 billion into the division, which is also getting a rebrand.

The Chinese ride-hailing firm had been tipped to spin out the business and raise $1.5 billion from investors ahead of an IPO, according to a recent Reuters report. The business itself hasn’t spun out, however, but it has been renamed to Xiaoju Automobile Solutions and given more autonomy with the introduction of its own general manager.

The division handles services for registered Didi drivers, such as leasing and purchase financing, insurance, repairs, refueling, car-sharing and more. Essentially, with its huge army of drivers, Didi can get preferential rates from service providers, which means better deals for its drivers. That, in turn, is helpful for recruiting new drivers and growing the business. (Didi claims to support 30 million drivers, but that covers food delivery as well as more basic point-to-point transportation.)

Rather than outsiders — SoftBank had been linked with an investment at a valuation of up to $3 billion — Xiaoju is getting its capital boost direct from Didi. The company said it injected $1 billion to “support its business in providing Didi drivers and the broader car-owner community with convenient, flexible, economical, and reliable one-stop auto services.”

Of course, these factors don’t preclude Didi from spinning the business out in the future and listing it separately to the parent Didi firm. That’s the reasoning Reuters made in its previous story, and it still stands to reason that if Didi is (as widely expected) planning a public listing of its own then it might be keen to break out this asset-heavy part of its business.

Didi didn’t respond to our request for comment on those future plans.

The company is saying more about the Xiaoju business itself. It said the services support drivers in over 257 cities through a network of 7,500 partners and distributors. There are some caveats, though: the auto care service is currently limited to seven cities in China.

Didi also went on the record with some financial data. The company claimed that annualized GMV for Xiaoju has jumped from 37 billion RMB ($5.4 billion) in April 2018 to 60 billion RMB ($8.76 billion) as of today. That’s impressive growth of 62 percent, and the forecast is that it will easily pass its previous goal of 90 billion RMB ($13.15 billion) for 2018 before this year is finished.

GMV, in this case, refers to the total value of goods and services crossing the Xiaoju platform. That help gives an idea of how active it is, but it doesn’t translate to revenue or profit/loss for Didi. The company didn’t provide information for either revenue or profitability for Xiaoju.

This year has been a notable one as the company has expanded its horizons for the first time by venturing outside of China.

Last year, Didi raised $4 billion to double down on technology, AI and move into new markets, and it has come good on that promise by entering Mexico, Australia and Taiwan. It also landed Brazil through the acquisition of local player and Uber rival 99 and it is preparing to go live in Japan, where it will operate a taxi-booking service through a joint venture with SoftBank.

Beyond that massive $4 billion raise, Didi recently landed a $500 million investment from Booking Holdings that’s aimed at providing strategic alliances between the Didi and the travel giant’s range of services. The company has raised over $17 billion from investors to date and it was last valued at $56 billion.

Didi Chuxing is going pedal to the metal for its automobile services business after it announced it will invest $1 billion into the division, which is also getting a rebrand.

The Chinese ride-hailing firm had been tipped to spin out the business and raise $1.5 billion from investors ahead of an IPO, according to a recent Reuters report. The business itself hasn’t spun out, however, but it has been renamed to Xiaoju Automobile Solutions and given more autonomy with the introduction of its own general manager.

The division handles services for registered Didi drivers, such as leasing and purchase financing, insurance, repairs, refueling, car-sharing and more. Essentially, with its huge army of drivers, Didi can get preferential rates from service providers, which means better deals for its drivers. That, in turn, is helpful for recruiting new drivers and growing the business. (Didi claims to support 30 million drivers, but that covers food delivery as well as more basic point-to-point transportation.)

Rather than outsiders — SoftBank had been linked with an investment at a valuation of up to $3 billion — Xiaoju is getting its capital boost direct from Didi. The company said it injected $1 billion to “support its business in providing Didi drivers and the broader car-owner community with convenient, flexible, economical, and reliable one-stop auto services.”

Of course, these factors don’t preclude Didi from spinning the business out in the future and listing it separately to the parent Didi firm. That’s the reasoning Reuters made in its previous story, and it still stands to reason that if Didi is (as widely expected) planning a public listing of its own then it might be keen to break out this asset-heavy part of its business.

Didi didn’t respond to our request for comment on those future plans.

The company is saying more about the Xiaoju business itself. It said the services support drivers in over 257 cities through a network of 7,500 partners and distributors. There are some caveats, though: the auto care service is currently limited to seven cities in China.

Didi also went on the record with some financial data. The company claimed that annualized GMV for Xiaoju has jumped from 37 billion RMB ($5.4 billion) in April 2018 to 60 billion RMB ($8.76 billion) as of today. That’s impressive growth of 62 percent, and the forecast is that it will easily pass its previous goal of 90 billion RMB ($13.15 billion) for 2018 before this year is finished.

GMV, in this case, refers to the total value of goods and services crossing the Xiaoju platform. That help gives an idea of how active it is, but it doesn’t translate to revenue or profit/loss for Didi. The company didn’t provide information for either revenue or profitability for Xiaoju.

This year has been a notable one as the company has expanded its horizons for the first time by venturing outside of China.

Last year, Didi raised $4 billion to double down on technology, AI and move into new markets, and it has come good on that promise by entering Mexico, Australia and Taiwan. It also landed Brazil through the acquisition of local player and Uber rival 99 and it is preparing to go live in Japan, where it will operate a taxi-booking service through a joint venture with SoftBank.

Beyond that massive $4 billion raise, Didi recently landed a $500 million investment from Booking Holdings that’s aimed at providing strategic alliances between the Didi and the travel giant’s range of services. The company has raised over $17 billion from investors to date and it was last valued at $56 billion.

TechCrunch Startup Battlefield MENA 2018 represents our first foray into the rapidly developing startup scene in the Middle East and North Africa, and we couldn’t be more thrilled to help identify and showcase the top tech startups in the region. Our premiere startup pitch competition takes place on October 3 in the Beirut, Lebanon.

Tickets to this inaugural event cost $29 and are on sale now, and we invite you to witness greatness in the making as the founders of 15 incredible startups go head-to-head for the title of Middle East and North Africa’s best startup. Buy your ticket today.

If you’ve never experienced a Startup Battlefield, here’s what you can expect. It all goes down in front of a live audience filled with entrepreneurs, distinguished technologists and eager investors. In three preliminary rounds — five startups per round — teams have only six minutes to pitch and present a live demo to a panel of tech and VC experts. The judges have six minutes after each pitch to ask tough questions.

Only five teams move on to the finals for one more round of brilliant pitches and more tough questions from a fresh set of judges. From that impressive cohort, the judges will select one startup as the winner of TechCrunch Startup Battlefield MENA 2018.

The winners receive a US$25,000 no-equity cash prize, plus a trip for two to compete in the Startup Battlefield at TechCrunch Disrupt in 2019 (assuming the company still qualifies to compete at the time). Every TechCrunch Battlefield is an exhilarating, nerve-wracking experience and a joy to behold.

TechCrunch Startup Battlefield MENA 2018 takes place in the Beirut Digital District in Lebanon on October 3. This is your chance to see the best the Middle East and North Africa startups launch to the world. And it’ll cost you only $29 to say you knew them when. Click right here to purchase your ticket.