Twitter’s former security chief alleges that the company is hiding the ball when it comes to spam and bots
Former head of security Peiter Zatko accuses Twitter of “Lying about Bots to Elon Musk” in a whistleblower complaint filed in July with regulators, including the Securities and Exchange Commission, a copy of which was obtained by The Washington Post.
Zatko, a well-known figure in the security community, alleges Twitter is not incentivized to tally the true number of bots and spammy accounts on the service, which counts 238 million daily users. And he lays out another argument that could give Musk a potential boost in his fight to prove Twitter broke its contract when he agreed to acquire the company for $44 billion: that Twitter deceived regulators regarding its defenses against hackers.
Importantly, however, Zatko provides limited hard documentary evidence in his complaint regarding spam and bots, so the potential impact of those allegations is difficult to initially gauge.
Twitter has repeatedly pushed back against the argument that it does not tally or work intensely to combat bots and spam. In May, CEO Parag Agrawal said the company removes half a million spam and bot accounts each day, a number the company updated in July to one million a day.
“Twitter fully stands by … our statements about the percentage of spam accounts on our platform, and the work we do to fight spam on the platform, generally,” said Twitter spokeswoman Rebecca Hahn, in response to Zatko’s allegations.
But any new allegations that Twitter misled shareholders and regulators could bolster Musk’s case in Delaware Chancery Court in October, according to half a dozen legal experts who spoke with The Post before the complaint became public, who were not briefed on the complaint. The arguments would depend on the severity of the revelations, as well as data supporting any new claims — and the extent to which Musk relied on such claims in consummating the deal.
Musk and his lawyers did not immediately respond to a request for comment.
Musk, the Tesla and SpaceX CEO, has been angling to exit his deal to purchase the social media site, alleging Twitter’s longtime estimate that bot and spam accounts make up fewer than 5 percent of its “monetizable daily” users is untrue. He terminated his agreement to buy Twitter alleging its miscount of bots would present a “material adverse effect,” a fundamental change to the business that, for example, cuts steeply into its value. And he’s since countersued the company for allegedly misleading his team, accusing Twitter of fraud and breach of contract.
Zatko is a security pioneer who is known in the industry for his history of exposing software flaws — under the handle “Mudge.” His tenure at Twitter, however, was controversial, resulting in repeated clashes with fellow executives and, ultimately, his firing.
The complaint alleges that Twitter misled regulators from the Federal Trade Commission and Securities and Exchange Commission on security issues. Twitter’s Hahn said Zatko’s allegations were “riddled with inaccuracies.”
The true number of bots and spam accounts on Twitter is likely to be “meaningfully higher” than the figure Twitter claims, the complaint alleges.
“Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots,” the complaint alleges, adding “deliberate ignorance was the norm” among its executive team.
A redacted version of the 84-page filing went to congressional committees. The Post obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill.
Multiple divisions at Twitter are in charge of fighting spam and bots. As the head of security, Zatko was not directly responsible for eradicating bots, but his role touched upon some aspects of bot removal. Zatko was fired long before Musk’s initial Twitter investment became public in April, in the run-up to his acquisition announcement later that month.
Four people familiar with the company’s processes for spam detection, who like others spoke on the condition of anonymity to describe sensitive internal matters, told The Post that the company keeps several internal tallies of spam and bots — known as “prevalence” — across the service beyond the number supplied to Wall Street. The Post also obtained an internal document, which was redacted to hide the numbers, showing that “spam prevalence” was a number shared with the board. The document was supplied to the board at a meeting Zatko attended, according to two of the people.
The four people said the social media company estimates the broader amount of spam and bots on the service using software to sample thousands of tweets each day, as well as 100 accounts that are sampled manually. Three of the people said that the company’s internal bot prevalence numbers were almost always less than 5 percent.
Twitter’s Hahn said the company is transparent about the number of accounts it removes for violating its rules. In addition, there are many rule-following bots that are allowed to stay. The company doesn’t report a total number of bots because it would just be a minimum number of the ones they’ve caught, she said. The internal measurements of prevalence focus on how many people are seeing the rule-breaking bots, which the company believes is the more accurate measure of potential harm than an overall count, since many bots are inactive, Hahn added.
Twitter and Musk became embroiled in a legal battle this summer, after Musk backed out of his deal to buy the social media company. Twitter filed suit, alleging he had breached his contract while disrupting the site’s operations and dragging down its stock.
In response, Musk filed a countersuit late last month alleging a spate of new issues, including that a majority of ads are shown to fewer than 16 million users. That’s a tiny fraction of the 238 million daily users that Twitter claims could earn the company revenue by viewing ads.
Alexander Manglinong, an attorney who focuses on business litigation at the firm Stubbs Alderton & Markiles, pointed to Musk’s waiving of due diligence in consummating the agreement, depriving him of a deeper look at Twitter’s internal workings.
“From my perspective — even without knowing what specific information could be out there, it still seems against Musk, an uphill battle,” he added.
Musk’s legal team has already shown its willingness to question high-ranking former executives, issuing a subpoena to former Twitter chief executive Jack Dorsey. (Zatko, according to one of the people familiar with the company, was already one of the executives whose records Musk’s legal team attempted to obtain, but a judge denied the request.)
Musk’s team has asked for information from more than 20 company leaders, but the judge so far has only allowed them to obtain internal communications from a single Twitter executive, former head of consumer product Kayvon Beykpour.
Zatko alleges in his complaint that an unnamed senior executive attempted to shut down a key tool for stopping bot and spammy accounts. The tool, internally called ROPO, for “read-only phone only,” blocks an account from tweeting until a user can prove it is linked to a real person.
That executive was Beykpour, who was fired by Agrawal this year, said two of the people familiar with the company’s processes with spam, as well as a third person familiar with the discussions. The complaint says Beykpour became critical of the tool after personally “receiving a small number of unsolicited DMS (text messages).” But the people said that Beykpour thought ROPO was riddled with much broader errors, and was not trying to shut down the tool but was proposing an overhaul.
Beykpour declined an interview request.
Zatko’s attorney from the nonprofit law firm Whistleblower Aid said that there had been no interaction with Musk’s team but that he would respond to subpoenas.
Zatko also alleges in the complaint that Twitter’s security systems had massive deficiencies, leaving the company vulnerable to repeated hacks and even the real possibility of a sitewide shutdown. He says that during his year-long tenure at the company, many workplace servers and laptops were running out-of-date and vulnerable software and far too many employees had access to internal systems that contained sensitive user data and software.
Twitter’s Hahn says security practices are up to industry standards.