Amid a rise in harassment campaigns carried out by automated bots, companies like Twitch are resorting to a more targeted approach—less “ban hammer,” and more like a bunch of little ban daggers.
Twitch is introducing a new tool that the company believes will mitigate bot attacks wreaking havoc in chatrooms on the video game streaming site. Starting today, streamers globally will be able to require other users to verify their phone number via SMS before they can participate in the chat. This extra step could help cut down on harassment from accounts that aren't even human, the thinking goes. The news was first reported by Twitch watchdog Zach Bussey.
The feature comes on the heels of an epidemic of bot attacks, dubbed “hate raids,” in which harassers send hundreds or thousands of bots into streamers’ chatrooms. There, the bot accounts spam hateful, bigoted language, sometimes using unicode that evades hate speech filters.
Streamers impacted by hate raids spoke out about the damage it has caused their channels. Sometimes, they were forced to stop streaming on Twitch altogether. The disruptive attacks have spurred two large-scale social media protests and a lawsuit so far in response. At the beginning of September, thousands of streamers and their supporters organized a one-day boycott, #ADayOffTwitch, to protest the attacks and raise awareness. The hashtag #TwitchDoBetter has also been popular on Twitter. Shortly after the boycott, Twitch sued two users who allegedly perpetrated raids. The suit claims that these individuals, who have not yet been identified, violated its terms of service by “targeting black and LGBTQIA+ streamers with racist, homophobic, sexist, and other harassing content.”
The trouble with bot attacks is that Twitch can’t just ban one or one hundred accounts associated with these raids and be done with it. “The challenge right now is that bad actors can create additional accounts in order to evade bans,” says Angela Hession, Twitch’s vice president of trust and safety. Twitch alleges that the two users it’s suing, for example, operate multiple Twitch accounts under different aliases. And attached to each of those accounts are countless bots. Both users, the complaint says, claim they can “generate thousands of bots in minutes” to raid streamers.
Twitch has been battling botmakers for a decade. (In 2016 it sued botmakers who inflated streamers’ viewer and follower counts.) But the company also has to strike a balance between making its platform safe and making it accessible. Chatrooms are an important feature for streamers to cultivate their audiences. If Twitch makes it too tough for new viewers to post, the service loses a lot of its power.
Twitch’s approach so far has been to offer streamers more control over who can and can’t chat. Streamers already have the option to make their chats subscriber-only, or slow down their chat so moderators can approve messages. There’s also the option to force all chatters to verify their email on Twitch. That hasn’t been enough, though.
The company believes that adding phone number verification to this toolbox will help. Users can verify up to five accounts through one phone number, because there are some good reasons why streamers might have multiple accounts—like making chatbots for sharing useful information. If one account associated with a number is banned, though, all the other accounts will be too. Unlike two-factor authentication, viewers will only have to verify once, not every time they log in or chat. And the phone verification will apply to all channels they watch who require it.
A Twitch representative says the company’s product team started working on the tool five months ago, before August’s hate raid epidemic.
“We considered potential trade-offs between safety and channel growth very carefully when designing this tool, and we don’t expect it to impact streamers’ viewer numbers,” says Hession. “That's because enabling the tool will only prohibit non-verified users from participating in chat—it won’t prohibit them from watching and enjoying a stream as usual.”
Phone numbers are significantly more difficult to spoof than email accounts, but they aren’t a perfect solution. SMS was not designed to verify identities. Data breaches from providers like T-Mobile make it easier for hackers to impersonate users through their phone numbers. Authenticating users through phone numbers means there’s an incentive for hackers to collect that information and log into services—particularly those that require two-factor authentication—on behalf of victims.
Competing game-streaming services YouTube Gaming and Facebook gaming haven’t dealt with the same sort of bot attacks. Google, which runs YouTube Gaming, did not answer WIRED’s question about its approach to verification. Facebook Gaming asks anyone participating in chat to have a Facebook account. Because Facebook has measures in place to combat fake accounts and does not allow fake phone numbers, it’s not as fertile ground for botmakers. “We also hear from our creators and gaming communities that the use of real names on our platform, which reduces anonymity, contributes to a generally more positive environment on Facebook Gaming,” says Drew Symonds, Facebook Gaming’s communications manager.
Twitch says its product team is still developing several tools to mitigate hate raids, including one tool that will prevent bad actors from circumventing channel bans.
“Safety is a journey,” Hession says. “There's not going to ever be one tool that fixes hate raids, just as there's not going to be one tool that fixes hate and harassment on the internet. But we're committed and investing in resources and tools to ensure that we're creating spaces that are safe and inclusive for our community.”