The Online Mask Becomes the Activity Taxonomy
Debora F. de Souza and coauthors' June 2026 arXiv paper treats disinformation less as one bad post than as a record of actors, activities, and coordination tactics in online social networks.
Not a Detector
The paper, arXiv:2606.27111 [cs.HC], was submitted on June 25, 2026. arXiv lists the title as Behind the Mask: A Taxonomic Analysis of Activities in Online Social Networks, by Debora F. de Souza, Gabriela Beltrao, Berta Chulvi, Sergio Dantonio, Mehmet Gokay Ozerim, Javier Torregrosa, Adrian Giron, Angel Panizo, Pablo Miralles Gonzalez, Helena Liz, Javier Huertas Tato, Sonia Sousa, Alejandro Martin, Monika Maciuliene, and David Camacho.
This page is not a moderation recipe and not a claim that a taxonomy can identify intent by itself. It reads the paper as governance infrastructure: a way to force analysts and future systems to record what kind of online activity they think they are seeing, where that judgment came from, and what remains uncertain.
The Paper Frame
The paper starts from a familiar problem: disinformation in online social networks is rarely just a false sentence. It can be selective sharing, emotional framing, impersonation, coded language, coordinated forwarding, or the repeated circulation of a plausible fragment in a hostile channel. A post-level label can miss the social machinery that made the post consequential.
The authors therefore distinguish three questions: who the malicious actor is, what the actor does, and which tactics coordinate the activity. That shift matters. It moves analysis from the isolated content object toward a trace of behavior: production, spread, role ambiguity, channel context, and campaign method.
How the Taxonomy Was Built
The method combines a literature review with subject-matter expert work. The paper reports searches in Web of Science and EBSCO covering 2013 through 2023, limited to English-language publications. The review began with 81 records from Web of Science and 182 from EBSCO; after duplicate removal, 106 records remained, and 39 articles were included for full-text review. Four independent researchers extracted concepts from the reviewed literature.
The taxonomy was then refined through structured group discussions and collaborative mapping with experts. The paper describes the process as both deductive and inductive: it brings concepts from existing research, but it also adjusts them around practical annotation needs for multimodal platforms, including Telegram-like channels where posts, images, videos, forwards, and channel framing can all matter.
Three Layers
The resulting frame separates attribution, approach, and tactics. Attribution classifies malicious actors as creators, spreaders, or ambiguous participants. That last category is important because online circulation often hides whether an account authored a claim, amplified it knowingly, or merely sits inside a mixed role.
The approach layer groups activities and, in the paper's account, contains 22 distinct categories plus an unclear approach option. The tactics layer then records coordination strategies, with six items. The governance value is not that these numbers are permanent. It is that the taxonomy makes analysts name the level of their claim. "This is harmful content" is thinner than "this account is spreading, through this activity category, using this coordination tactic, with this evidence and uncertainty."
The Telegram Test
The case study applies the taxonomy to anti-migration discourse in social media channels. The paper describes a larger collection of 6,805,626 messages from 491 downloaded channels, then explains that annotation moved through LabelStudio connected to a project database so records would not be stored on company servers. Because of platform issues and cost, the practical annotation pass used the last 100 messages from selected channels. Each message was independently annotated by three annotators.
The case study surfaced sub-narratives including emotional mobilization, manipulation, fear-mongering, and enemy construction. It also showed why activity receipts matter. Some items were not obviously harmful in isolation, but channel framing, selective sharing, titling, forwarding, and surrounding posts could change their meaning. Telegram-style cross-posting also blurred the boundary between origin and circulation. The same object can be message, evidence, bait, archive, and recruitment cue depending on the path by which it travels.
Governance Reading
The Spiralist reading is that moderation begins to fail when it tries to compress an activity network into one content verdict. The paper sits near coded-language moderation because both problems are interpretive. A phrase, meme, or forwarded clip may require context before it becomes legible. But the context has to be recorded in a way that can be appealed, audited, and corrected.
That also connects to platform risk assessment and AI governance. If a future model is trained on labels from this kind of taxonomy, the audit should preserve the source channel, actor role, activity category, tactic, annotator disagreement, modality, and evidence span. Without that receipt, the taxonomy can harden into a black-box suspicion engine.
Limits
The paper's own limits keep the claim bounded. Intent, irony, mockery, trolling, and deliberate manipulation often require interpretation. Multimodal and fragmented messages can defeat one-dimensional labels. The authors also state that the taxonomy needs validation across platforms, scenarios, and geographies, and that rapidly changing social networks require continuous updates.
The Telegram case study is therefore not a universal map of migration discourse. The authors note constraints around the 100-message annotation window, repeated content, cross-posting, and policy conditions around data collected in 2023. The page treats the taxonomy as a disciplined vocabulary for inquiry, not as proof that a system can infer guilt, identity, or intent automatically.
Activity Receipt
An activity-taxonomy receipt should record: platform, channel selection rule, collection date, policy context, message window, actor role, activity category, tactic category, modality, forwarding provenance, channel framing, annotator count, disagreement, uncertainty notes, evidence spans, excluded data, repeated-content handling, model-training use, and appeal path. The audit-grade sentence is not "the post is disinformation." It is: under this taxonomy, with this evidence and these limits, this account or channel appears to be participating in this kind of activity.
Sources
- Debora F. de Souza, Gabriela Beltrao, Berta Chulvi, Sergio Dantonio, Mehmet Gokay Ozerim, Javier Torregrosa, Adrian Giron, Angel Panizo, Pablo Miralles Gonzalez, Helena Liz, Javier Huertas Tato, Sonia Sousa, Alejandro Martin, Monika Maciuliene, and David Camacho, Behind the Mask: A Taxonomic Analysis of Activities in Online Social Networks, arXiv:2606.27111 [cs.HC], submitted June 25, 2026.
- Primary arXiv versions checked: metadata API record, PDF, and experimental HTML, reviewed for title, authorship, submission date, taxonomy layers, literature-review counts, Telegram case-study details, annotation process, findings, and stated limits.
- Related pages: The Coded Language Taxonomy Becomes the Moderation Lens, The Platform Risk Assessment Becomes the Feed Confession, and AI Governance.