Twitter’s former security chief alleges that the company is hiding the ball when it comes to spam and bots
On Tuesday, The Washington Post reported that Twitter’s former head of security, Peiter Zatko, had filed a whistleblower complaint with federal regulators, including the Securities and Exchange Commission, accusing Twitter of “Lying about Bots to Elon Musk.” Zatko, a well-known figure in the security community, alleges that Twitter is not incentivized to tally the true number of bots and spammy accounts on the service, which counts 238 million daily users.
Zatko also alleges that Twitter deceived regulators regarding its defenses against hackers, a claim that could provide support to Musk’s charge that Twitter has been untruthful in its reports to shareholders.
The whistleblower complaint provides limited evidence to back up Zatko’s claims. Nonetheless, Musk tweeted a screenshot of The Post article, and wrote: “So spam prevalence *was* shared with the board, but the board chose not [to] disclose that to the public … .” He also tweeted a meme of Jiminy Cricket, a character from the movie “Pinocchio,” with the words “Give a Little Whistle,” a line from a song that continues, “and always let your conscience be your guide.”
Musk’s team is due Wednesday to appear in Delaware Chancery Court for a hearing on his ability to demand information about Twitter’s internal practices and data. According to individuals with knowledge of the matter, Musk’s team could use the whistleblower complaint in that hearing to bolster his arguments or seek more time.
Musk’s lawyers had already scheduled a deposition with Zatko before news of the whistleblower complaint broke Tuesday, according to one of the people familiar with the matter, who like others spoke on the condition of anonymity to discuss an ongoing legal proceeding. The judge has rejected Musk’s requests for information from more than 20 company leaders — including Zatko — but the whistleblower claims could open the door for them to make further requests, legal experts said.
Twitter has repeatedly pushed back against the argument that it does not tally or work intensely to combat bots and spam. In May, CEO Parag Agrawal said the company removes half a million spam and bot accounts each day, a number the company updated in July to 1 million a day.
“Twitter fully stands by … our statements about the percentage of spam accounts on our platform, and the work we do to fight spam on the platform, generally,” said Twitter spokeswoman Rebecca Hahn, in response to Zatko’s allegations.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” said Alex Spiro, a partner at Quinn Emanuel who is representing Musk in his ongoing litigation with Twitter.
But any new allegations that Twitter misled shareholders and regulators could bolster Musk’s case in Delaware Chancery Court in October, according to five legal experts who spoke with The Post. The arguments would depend on the severity of the revelations, as well as data supporting any new claims — and the extent to which Musk relied on such claims in consummating the deal.
“The question ultimately boils down to the credibility of the assertions made by the whistleblower — and that is usually determined by the existence of hard evidence,” attorney Howard Fischer, a former SEC counsel, said in an email. “While significant attention appears focused on Twitter’s alleged undercount of bots, what might be more concerning are the allegations about Twitter’s technological contingency plans.”
On Tuesday afternoon, Twitter’s shares traded at about $39.86, down more than 7 percent from Monday’s close and significantly below the $54.20 per share Musk had offered in the acquisition deal.
Musk did not respond to a request for comment.
Musk has been angling to exit his deal to purchase the social media site, alleging Twitter’s longtime estimate that bot and spam accounts make up fewer than 5 percent of its “monetizable daily” users is untrue. He terminated his agreement to buy Twitter, alleging its miscount of bots would present a “material adverse effect,” a fundamental change to the business that, for example, cuts steeply into its value. And he has since countersued the company for allegedly misleading his team, accusing Twitter of fraud and breach of contract.
Zatko is a security pioneer who is known in the industry for his history of exposing software flaws — under the handle “Mudge.” His tenure at Twitter, however, was controversial, resulting in repeated clashes with fellow executives and, ultimately, his firing.
The complaint alleges that Twitter misled regulators from the Federal Trade Commission and Securities and Exchange Commission on security issues. Twitter’s Hahn said Zatko’s allegations were “riddled with inaccuracies.”
The true number of bots and spam accounts on Twitter is likely to be “meaningfully higher” than the figure Twitter claims, the complaint alleges.
“Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots,” the complaint alleges, adding “deliberate ignorance was the norm” among its executive team.
A redacted version of the 84-page filing went to congressional committees. The Post obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill.
The allegations about bots strengthen “Musk’s case for sure, because you have someone with inside knowledge,” said Anthony Casey, a professor of law and economics at the University of Chicago Law School. But he cautioned that the allegations don’t seem to be a smoking gun because there doesn’t appear to be concrete evidence that the company was intentionally lying about the number of bots.
“It has to be more than just, ‘you guys were sloppy about this because you didn’t really care,’” Casey said. “It adds to (Musk’s) case, but I still think he’s got a weak case.”
The allegations could be a jumping-off point for Musk’s legal team to seek more information, legal experts said, as he seeks to bolster his argument.
“It gives them a reason to dig in,” said Robert Penza, an attorney at law firm Polsinelli who practices in the Delaware Court of Chancery. Still, he said, Musk would probably have to show that Twitter intentionally had misleading information in its financial statements and that those substantially skewed the business.
Multiple divisions at Twitter are in charge of fighting spam and bots. As the head of security, Zatko was not directly responsible for eradicating bots, but his role touched upon some aspects of bot removal. Zatko was fired long before Musk’s initial Twitter investment became public in April, in the run-up to his acquisition announcement later that month.
Four people familiar with the company’s processes for spam detection, who like others spoke on the condition of anonymity to describe sensitive internal matters, told The Post that the company keeps several internal tallies of spam and bots — known as “prevalence” — across the service beyond the number supplied to Wall Street. The Post also obtained an internal document, which was redacted to hide the numbers, showing that “spam prevalence” was a number shared with the board. The document was supplied to the board at a meeting Zatko attended, according to two of the people.
The four people said the social media company estimates the broader amount of spam and bots on the service by using software to sample thousands of tweets each day, as well as 100 accounts that are sampled manually. Three of the people said that the company’s internal bot prevalence numbers were almost always less than 5 percent.
Twitter’s Hahn said the company is transparent about the number of accounts it removes for violating its rules. In addition, there are many rule-following bots that are allowed to stay. The company doesn’t report a total number of bots because it would just be a minimum number of the ones they’ve caught, she said. The internal measurements of prevalence focus on how many people are seeing the rule-breaking bots, which the company believes is the more accurate measure of potential harm than an overall count, since many bots are inactive, Hahn added.
Twitter and Musk became embroiled in a legal battle this summer, after Musk backed out of his deal to buy the social media company. Twitter filed suit, alleging he had breached his contract while disrupting the site’s operations and dragging down its stock.
In response, Musk filed a countersuit late last month alleging a spate of new issues, including that a majority of ads are shown to fewer than 16 million users. That’s a tiny fraction of the 238 million daily users that Twitter claims could earn the company revenue by viewing ads.
Alexander Manglinong, an attorney who focuses on business litigation at the firm Stubbs Alderton & Markiles, pointed to Musk’s waiving of due diligence in consummating the agreement, depriving him of a deeper look at Twitter’s internal workings, in saying the tech mogul faces an “uphill battle.”
“He might be emboldened thinking that this is now his ticket to beating Twitter,” he said. “It may cause him to act even more rashly. … He has more than what he had previously; whether that’s actually going to be anything substantive that’s going to affect the case, that’s unclear to me.”
Musk’s legal team has already shown its willingness to question high-ranking former executives, issuing a subpoena to former Twitter chief executive Jack Dorsey. (Zatko was already one of the executives whose records Musk’s legal team attempted to obtain, but a judge denied the request.)
Musk’s team has asked for information from more than 20 company leaders, but the judge so far has only allowed them to obtain internal communications from a single Twitter executive, former head of consumer product Kayvon Beykpour.
Zatko alleges in his complaint that an unnamed senior executive attempted to shut down a key tool for stopping bot and spammy accounts. The tool, internally called ROPO, for “read-only phone only,” blocks an account from tweeting until a user can prove it is linked to a real person.
That executive was Beykpour, who was fired by Agrawal this year, said two of the people familiar with the company’s processes with spam, as well as a third person familiar with the discussions. The complaint says Beykpour became critical of the tool after personally “receiving a small number of unsolicited DMS (text messages).” But the people said that Beykpour thought ROPO was riddled with much broader errors and was not trying to shut down the tool but was proposing an overhaul.
Beykpour declined an interview request.
Zatko’s attorney from the nonprofit law firm Whistleblower Aid said before publication that there had been no interaction with Musk’s team but that he would respond to subpoenas.
Zatko also alleges in the complaint that Twitter’s security systems had massive deficiencies, leaving the company vulnerable to repeated hacks and even the real possibility of a sitewide shutdown. He says that during his year-long tenure at the company, many workplace servers and laptops were running out-of-date and vulnerable software and far too many employees had access to internal systems that contained sensitive user data and software.
Twitter’s Hahn says security practices are up to industry standards.
Author: Faiz Siddiqui