Blog · arXiv Analysis · Last reviewed June 25, 2026

The Online Mask Becomes the Activity Taxonomy

Debora F. de Souza and coauthors' June 2026 arXiv paper treats disinformation less as one bad post than as a record of actors, activities, and coordination tactics in online social networks.

An activity-taxonomy receipt is the bounded record behind that claim: observed actor role, activity category, coordination tactic, platform context, evidence span, annotator disagreement, uncertainty, and appeal or correction path. It is not a mind-reading device and not a stand-alone enforcement verdict.

Not a Detector

The paper, arXiv:2606.27111 [cs.HC], was submitted on June 25, 2026. arXiv lists the title as Behind the Mask: A Taxonomic Analysis of Activities in Online Social Networks, by Debora F. de Souza, Gabriela Beltrao, Berta Chulvi, Sergio Dantonio, Mehmet Gokay Ozerim, Javier Torregrosa, Adrian Giron, Angel Panizo, Pablo Miralles Gonzalez, Helena Liz, Javier Huertas Tato, Sonia Sousa, Alejandro Martin, Monika Maciuliene, and David Camacho.

This page is not a moderation recipe and not a claim that a taxonomy can identify intent by itself. It reads the paper as governance infrastructure: a way to force analysts and future systems to record what kind of online activity they think they are seeing, where that judgment came from, and what remains uncertain.

Current Context

As of June 25, 2026, the paper is available on arXiv as version 1 with PDF and experimental HTML. Its practical importance is not only the taxonomy. It is the insistence that disinformation analysis needs a behavior record: actor role, activity, tactic, channel context, and uncertainty. That places the paper beside information disorder, coordinated inauthentic behavior, and content moderation, where source, identity, distribution, and impact are separate evidence layers.

The legal and platform context is also more formal than the first wave of social-media misinformation studies. The EU Digital Services Act requires covered hosting services to give users statements of reasons for many content restrictions, and Article 24(5) creates a public, machine-readable Transparency Database for platform-submitted statements of reasons. For designated very large online platforms and very large online search engines, Articles 34 and 40 add systemic-risk assessment and researcher-access duties. Those VLOP/VLOSE duties should not be casually imported into every Telegram case, but they show the direction of platform governance: moderation claims increasingly need records that outsiders can inspect.

Telegram's own EU DSA guidance says that, as of February 2026, non-essential elements of its services that may qualify as online platforms had significantly fewer than 45 million average monthly active recipients in the EU over the preceding six months. The European Commission's designated VLOP/VLOSE supervision page, updated May 28, 2026, does not list Telegram. The article therefore treats Telegram as the paper's case-study environment and as a moderation-design problem, not as proof that Telegram was under the DSA's largest-platform risk-assessment regime on the review date.

That boundary matters. A taxonomy can help a platform, researcher, journalist, or regulator describe suspicious activity. It does not remove the need for due process, proportionality, cultural competence, privacy controls, and appeal. The Santa Clara Principles remain useful here because they frame moderation accountability around numbers, notice, appeal, cultural competence, automation transparency, and state involvement.

The Paper Frame

The paper starts from a familiar problem: disinformation in online social networks is rarely just a false sentence. It can be selective sharing, emotional framing, impersonation, coded language, coordinated forwarding, or the repeated circulation of a plausible fragment in a hostile channel. A post-level label can miss the social machinery that made the post consequential.

The authors therefore distinguish three questions: who the malicious actor is, what the actor does, and which tactics coordinate the activity. That shift matters. It moves analysis from the isolated content object toward a trace of behavior: production, spread, role ambiguity, channel context, and campaign method.

The governance point is the separation of layers. A claim can be true but used in a manipulative frame. A channel can repeatedly circulate legitimate news in ways that build a hostile narrative. An account can be a creator in one chain and a spreader in another. A taxonomy is useful only if it keeps those distinctions visible instead of collapsing them into the single sentence "this is disinformation."

How the Taxonomy Was Built

The method combines a literature review with subject-matter expert work. The paper reports searches in Web of Science and EBSCO covering 2013 through 2023, limited to English-language publications. The review began with 81 records from Web of Science and 182 from EBSCO; after duplicate removal, 106 records remained, and 39 articles were included for full-text review. Four independent researchers extracted concepts from the reviewed literature.

The taxonomy was then refined through structured group discussions and collaborative mapping with experts. The paper describes the process as both deductive and inductive: it brings concepts from existing research, but it also adjusts them around practical annotation needs for multimodal platforms, including Telegram-like channels where posts, images, videos, forwards, and channel framing can all matter.

Three Layers

The resulting frame separates attribution, approach, and tactics. Attribution classifies malicious actors as creators, spreaders, or ambiguous participants. That last category is important because online circulation often hides whether an account authored a claim, amplified it knowingly, or merely sits inside a mixed role.

The approach layer groups activities and, in the paper's account, contains 22 distinct categories plus an unclear approach option. The tactics layer then records coordination strategies, with six items. The governance value is not that these numbers are permanent. It is that the taxonomy makes analysts name the level of their claim. "This is harmful content" is thinner than "this account is spreading, through this activity category, using this coordination tactic, with this evidence and uncertainty."

The Telegram Test

The case study applies the taxonomy to anti-migration discourse in social media channels. The paper describes a larger collection of 6,805,626 messages from 491 downloaded channels, then explains that annotation moved through LabelStudio connected to a project database so records would not be stored on company servers. Because of platform issues and cost, the practical annotation pass used the last 100 messages from selected channels. Each message was independently annotated by three annotators.

The case study surfaced sub-narratives including emotional mobilization, manipulation, fear-mongering, and enemy construction. It also showed why activity receipts matter. Some items were not obviously harmful in isolation, but channel framing, selective sharing, titling, forwarding, and surrounding posts could change their meaning. Telegram-style cross-posting also blurred the boundary between origin and circulation. The same object can be message, evidence, bait, archive, and recruitment cue depending on the path by which it travels.

Governance Reading

The Spiralist reading is that moderation begins to fail when it tries to compress an activity network into one content verdict. The paper sits near coded-language moderation because both problems are interpretive. A phrase, meme, or forwarded clip may require context before it becomes legible. But the context has to be recorded in a way that can be appealed, audited, and corrected.

That also connects to platform risk assessment, platform governance, and AI governance. If a future model is trained on labels from this kind of taxonomy, the audit should preserve the source channel, actor role, activity category, tactic, annotator disagreement, modality, and evidence span. Without that receipt, the taxonomy can harden into a black-box suspicion engine.

The safety implication is double. Under-recording lets coordinated abuse hide behind isolated posts, screenshots, and plausible fragments. Over-confident recording lets a platform convert inference into accusation. A defensible workflow should use taxonomy outputs as investigative leads, reviewer aids, research annotations, or risk-analysis inputs. Consequential actions should still require policy basis, human review where stakes are high, user notice where disclosure is safe, and a route to correction.

Limits

The paper's own limits keep the claim bounded. Intent, irony, mockery, trolling, and deliberate manipulation often require interpretation. Multimodal and fragmented messages can defeat one-dimensional labels. The authors also state that the taxonomy needs validation across platforms, scenarios, and geographies, and that rapidly changing social networks require continuous updates.

The Telegram case study is therefore not a universal map of migration discourse. The authors note constraints around the 100-message annotation window, repeated content, cross-posting, and policy conditions around data collected in 2023. The page treats the taxonomy as a disciplined vocabulary for inquiry, not as proof that a system can infer guilt, identity, or intent automatically.

Failure Modes

Intent laundering. A category meant to describe observed behavior is treated as proof of mental state, political allegiance, or legal wrongdoing.

Context collapse. The receipt keeps the message but loses channel history, forwarding provenance, language community, local jargon, satire cues, or the surrounding posts that made interpretation possible.

Taxonomy lock-in. The categories become a permanent policy vocabulary even after actors, platforms, memes, migration narratives, or evasion tactics change.

Training-set drift. Repeated or cross-posted material is treated as independent examples, causing a model to learn the artifact rather than the behavior chain.

Appeal impossibility. Users are penalized because a system says their account fit an activity pattern, but the platform cannot disclose enough evidence for a meaningful challenge.

Surveillance creep. A research taxonomy becomes a general monitoring layer over political speech, minority communities, migration discussion, journalism, satire, or advocacy.

Activity Receipt

An activity-taxonomy receipt should record: platform, channel selection rule, collection date, policy context, message window, actor role, activity category, tactic category, modality, forwarding provenance, channel framing, annotator count, disagreement, uncertainty notes, evidence spans, excluded data, repeated-content handling, model-training use, and appeal path. It should also record whether the taxonomy was used for research, queue triage, enforcement, risk assessment, model training, or public reporting.

The audit-grade sentence is not "the post is disinformation." It is: under this taxonomy, with this evidence and these limits, this account, message, or channel appears to be participating in this kind of activity. That sentence can be challenged. It can be updated. It preserves the difference between observed content, inferred role, coordination tactic, platform rule, and enforcement decision.

Source Discipline

Use the arXiv paper for the taxonomy, literature-review method, Telegram case-study design, annotation details, reported findings, and stated limits. Use Telegram's DSA page only for Telegram's own statements about EU guidance, moderation approach, recommender systems, and February 2026 active-recipient status. Use the DSA legal text and Commission pages for EU platform transparency, statements of reasons, VLOP/VLOSE designation, risk assessment, and researcher-access context. Do not use any of those sources to claim that the taxonomy identifies intent automatically or that a Telegram case-study label proves legal liability.

For moderation and information-integrity claims, keep the evidence layers separate: content accuracy, source identity, actor role, coordination, modality, reach, harm, platform policy, and legal duty. A taxonomy label is a structured observation. It becomes governance evidence only when the record preserves method, uncertainty, reviewer role, affected-party rights, and the limits of what was actually observed.

Sources


Return to Blog