New whistleblower allegations could factor into Twitter vs.  Musk trial

New whistleblower allegations could factor into Twitter vs. Musk trial

Twitter’s former security chief alleges that the company is hiding the ball when it comes to spam and bots

Telsa CEO Elon Musk is seeking to terminate his deal to buy Twitter.
Telsa CEO Elon Musk is seeking to terminate his deal to buy Twitter. (Chloe Meister/Washington Post illustration; Jim Watson, Amy Osborne/AFP via Getty; iStock)

How

SAN FRANCISCO — Elon Musk alleges Twitter is vastly undercounting the number of spam and bot accounts on its platform. A new whistleblower complaint from a recently fired top Twitter executive could add ammunition to that argument, though it provides little hard evidence to back up a key assertion.

Former head of security Peiter Zatko accuses Twitter of “Lying about Bots to Elon Musk” in a whistleblower complaint filed in July with regulators, including the Securities and Exchange Commission, a copy of which was obtained by The Washington Post.

Zatko, a well-known figure in the security community, alleges Twitter is not incentivized to tally the true number of bots and spammy accounts on the service, which counts 238 million daily users. And he lays out another argument that could give Musk a potential boost in his fight to prove Twitter broke its contract when he agreed to acquire the company for $44 billion: that Twitter deceived regulators regarding its defenses against hackers.

Importantly, however, Zatko provides limited hard documentary evidence in his complaint regarding spam and bots, so the potential impact of those allegations is difficult to initially gauge. Musk’s lawyers scheduled a deposition with Zatko before the publication of the whistleblower complaint, according to a person familiar with the matter, who spoke on the condition of anonymity to discuss an ongoing legal matter.

Twitter has repeatedly pushed back against the argument that it does not tally or work intensely to combat bots and spam. In May, CEO Parag Agrawal said the company removes half a million spam and bot accounts each day, a number the company updated in July to 1 million a day.

“Twitter fully stands by … our statements about the percentage of spam accounts on our platform, and the work we do to fight spam on the platform, generally,” said Twitter spokeswoman Rebecca Hahn, in response to Zatko’s allegations.

But any new allegations that Twitter misled shareholders and regulators could bolster Musk’s case in Delaware Chancery Court in October, according to half a dozen legal experts who spoke with The Post before the complaint became public, who were not briefed on the complaint. The arguments would depend on the severity of the revelations, as well as data supporting any new claims — and the extent to which Musk relied on such claims in consuming the deal.

“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” said Alex Spiro, a partner at Quinn Emanuel who is representing Musk in his ongoing litigation with Twitter.

Musk did not immediately respond to a request for comment.

Musk’s countersuit contains aggressive new claims. Twitter is rebutting them.

Musk, the Tesla and SpaceX CEO, has been angling to exit his deal to purchase the social media site, alleging Twitter’s longtime estimate that bot and spam accounts make up fewer than 5 percent of its “monetizable daily” users is untrue. He terminated his agreement to buy Twitter alleging its miscount of bots would present a “material adverse effect,” a fundamental change to the business that, for example, cuts steeply into its value. And he’s since countersued the company for allegedly misleading his team, accusing Twitter of fraud and breach of contract.

Zatko is a security pioneer who is known in the industry for his history of exposing software flaws — under the handle “Mudge.” His tenure at Twitter, however, was controversial, resulting in repeated clashes with fellow executives and, ultimately, his firing.

The complaint alleges that Twitter misled regulators from the Federal Trade Commission and Securities and Exchange Commission on security issues. Twitter’s Hahn said Zatko’s allegations were “riddled with inaccuracies.”

The true number of bots and spam accounts on Twitter is likely to be “meaningfully higher” than the figure Twitter claims, the complaint alleges.

“Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots,” the complaint alleges, adding “deliberate ignorance was the norm” among its executive team.

A redacted version of the 84-page filing went to congressional committees. The Post obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill.

Twitter is probing Elon Musk’s social circle in broad legal requests

The allegations about bots “strengthens Musk’s case for sure, because you have someone with inside knowledge,” said Anthony Casey, a professor of law and economics at the University of Chicago Law School. But he cautioned that the allegations don’t seem to be a smoking gun because there doesn’t appear to be concrete evidence that the company was intentionally lying about the number of bots.

“It has to be more than just, ‘you guys were sloppy about this because you didn’t really care,’” Casey said. “It adds to (Musk’s) case, but I still think he’s got a weak case.”

Multiple divisions at Twitter are in charge of fighting spam and bots. As the head of security, Zatko was not directly responsible for eradicating bots, but his role affected upon some aspects of bot removal. Zatko was fired long before Musk’s initial Twitter investment became public in April, in the run-up to his acquisition announcement later that month.

Four people familiar with the company’s processes for spam detection, who like others spoke on the condition of anonymity to describe sensitive internal matters, told The Post that the company keeps several internal tallies of spam and bots — known as “prevalence” — across the service beyond the number supplied to Wall Street. The Post also obtained an internal document, which was redacted to hide the numbers, showing that “spam prevalence” was a number shared with the board. The document was supplied to the board at a meeting Zatko attended, according to two of the people.

The four people said the social media company estimates the broader amount of spam and bots on the service using software to sample thousands of tweets each day, as well as 100 accounts that are sampled manually. Three of the people said that the company’s internal bot prevalence numbers were almost always less than 5 percent.

Twitter’s Hahn said the company is transparent about the number of accounts it removes for violating its rules. In addition, there are many rule-following bots that are allowed to stay. The company doesn’t report a total number of bots because it would just be a minimum number of the ones they’ve caught, she said. The internal measurements of prevalence focus on how many people are seeing the rule-breaking bots, which the company believes is the most accurate measure of potential harm than an overall count, since many bots are inactive, Hahn added.

Elon Musk says Twitter deal is on hold, putting bid on shaky ground

Twitter and Musk became embroiled in a legal battle this summer, after Musk backed out of his deal to buy the social media company. Twitter filed suit, alleging he had breached his contract while disrupting the site’s operations and dragging down its stock.

In response, Musk filed a countersuit late last month alleging a spate of new issues, including that a majority of ads are shown to fewer than 16 million users. That’s a tiny fraction of the 238 million daily users that Twitter claims could earn the company revenue by viewing ads.

Alexander Manglinong, an attorney who focuses on business litigation at the firm Stubbs Alderton & Markiles, pointed to Musk’s waiving of due diligence in consuming the agreement, depriving him of a deeper look at Twitter’s internal workings.

“From my perspective — even without knowing what specific information could be out there, it still seems against Musk, an uphill battle,” he added.

Musk’s legal team has already shown its willingness to question high-ranking former executives, issuing a subpoena to former Twitter chief executive Jack Dorsey. (Zatko was already one of the executives whose records Musk’s legal team attempted to obtain, but a judge denied the request.)

Twitter sues Elon Musk, setting stage for epic legal battle

Musk’s team has asked for information from more than 20 company leaders, but the judge so far has only allowed them to obtain internal communications from a single Twitter executive, former head of consumer product Kayvon Beykpour.

Zatko alleges in his complaint that an unknown senior executive attempted to shut down a key tool for stopping bot and spammy accounts. The tool, internally called ROPO, for “read-only phone only,” blocks an account from tweeting until a user can prove it is linked to a real person.

That executive was Beykpour, who was fired by Agrawal this year, said two of the people familiar with the company’s processes with spam, as well as a third person familiar with the discussions. The complaint says Beykpour became critical of the tool after personally “receiving a small number of unsolicited DMS (text messages).” But the people said that Beykpour thought ROPO was riddled with much broader errors, and was not trying to shut down the tool but was proposing an overhaul.

Beykpour declined an interview request.

Zatko’s attorney from the nonprofit law firm Whistleblower Aid said before publication that there had been no interaction with Musk’s team but that he would respond to subpoenas.

As Musk moves to abandon deal, Twitter faces ‘worst case scenario’

Zatko also alleviates in the complaint that Twitter’s security systems had massive deficiencies, leaving the company vulnerable to repeated hacks and even the real possibility of a sitewide shutdown. He says that during his year-long tenure at the company, many workplace servers and laptops were running out-of-date and vulnerable software and far too many employees had access to internal systems that contained sensitive user data and software.

Twitter’s Hahn says security practices are up to industry standards.

Cat Zakrzewski and Rachel Lerman contributed to this report.

Leave a Comment

Your email address will not be published.