Former Twitter security chief alleges the company is hiding the ball when it comes to spam and bots
Former security chief Peiter Zatko accuses Twitter of “lying to Elon Musk about bots” in a complaint filed in July with regulators, including the Securities and Exchange Commission, a copy of which was obtained by The Washington Post.
Zatko, a well-known figure in the security community, argues that Twitter has no incentive to count the true number of bots and spam accounts on the service, which has 238 million daily users. And he makes another argument that could give Musk a potential boost in his fight to prove that Twitter broke its contract when it agreed to acquire the company for $44 billion: that Twitter misled regulators regarding its defenses against hackers.
However, it is important to note that Zatko provides limited hard documentary evidence in his complaint about spam and bots, so the potential impact of those allegations is difficult to gauge at this stage.
Twitter has repeatedly rejected the argument that it doesn’t count or work hard to combat bots and spam. In May, CEO Parag Agrawal said the company removes half a million spam and bot accounts each day, a number the company updated in July to one million per day.
“Twitter fully endorses … our statements about the percentage of spam accounts on our platform and the work we do to combat spam on the platform, in general,” Twitter spokeswoman Rebecca Hahn said in response to Zatko’s allegations.
But any new accusation that Twitter misled shareholders and regulators could bolster Musk’s case in Delaware Chancery Court in October, according to a half-dozen legal experts who spoke to The Post before the complaint went public. They had not been briefed on the complaint itself. The strength of any such argument would depend on the seriousness of the revelations, the data supporting any new claims, and the extent to which Musk relied on such claims in agreeing to the deal.
Musk and his lawyers did not immediately respond to a request for comment.
Musk, the CEO of Tesla and SpaceX, has been looking to get out of his deal to buy the social networking site, claiming that Twitter’s longtime estimate that bot and spam accounts make up less than 5 percent of its “daily monetizable” users is false. He terminated his deal to buy Twitter on the grounds that its miscounting of bots would constitute a “material adverse effect” — a fundamental change to the business that, for example, sharply reduces its value. He has since countersued, accusing Twitter of fraud and breach of contract.
Zatko is a security pioneer known in the industry for his history of exposing software flaws, under the name “Mudge.” However, his tenure at Twitter was controversial, resulting in repeated clashes with other executives and ultimately his firing.
The complaint alleges that Twitter misled regulators at the Federal Trade Commission and the Securities and Exchange Commission on security issues. Twitter’s Hahn said Zatko’s allegations were “riddled with inaccuracies.”
The true number of bots and spam accounts on Twitter is likely to be “significantly higher” than the figure Twitter claims, the complaint alleges.
“Twitter executives have little or no personal incentive to ‘detect’ or accurately measure the prevalence of spam bots,” the complaint alleges, adding that “deliberate ignorance was the norm” among their executive team.
A redacted version of the 84-page submission went to congressional committees. The Post obtained a copy of the disclosure from a top Democratic aide on Capitol Hill.
Multiple divisions at Twitter are in charge of fighting spam and bots. As head of security, Zatko was not directly responsible for bot eradication, but his role did touch on some aspects of bot removal. Zatko was fired long before Musk’s initial investment in Twitter was made public in April, in the run-up to its acquisition announcement later that month.
Four people familiar with the company’s processes for detecting spam, who like others spoke on condition of anonymity to describe sensitive internal matters, told The Post that the company maintains various internal spam and bot measurements, known as “prevalence,” across the service, beyond the number provided to Wall Street. The Post also obtained an internal document, redacted to hide the numbers, showing that “spam prevalence” was a figure shared with the board. The document was provided to the board at a meeting attended by Zatko, according to two of the people.
The four people said the social media company estimates the broader amount of spam and bots on the service by using software to sample thousands of tweets each day, as well as 100 accounts that are manually sampled. Three of the people said that the company’s internal bot prevalence figures were almost always less than 5 percent.
Twitter’s Hahn said the company is transparent about the number of accounts it removes for violating its rules. There are also many bots that follow the rules and are allowed to remain. The company does not report a total number of bots because such a figure would only be a floor, counting those that have already been caught, she said. Internal prevalence measurements focus on how many people are seeing rule-breaking bots, which the company believes is a more accurate measure of potential harm than an overall count, since many bots are inactive, Hahn added.
Twitter and Musk became embroiled in a legal battle this summer after Musk backed out of his deal to buy the social media company. Twitter filed a lawsuit claiming that he had breached the contract by disrupting the site’s operations and driving down its stock price.
In response, Musk filed a countersuit late last month alleging a number of new issues, including that most ads are shown to fewer than 16 million users, a small fraction of the 238 million daily users that Twitter claims could generate revenue for the company by viewing ads.
Alexander Manglinong, a lawyer who focuses on commercial litigation at the firm Stubbs Alderton & Markiles, noted that Musk forwent due diligence when agreeing to the deal, depriving himself of a deeper look into Twitter’s inner workings.
“From my perspective, even without knowing what specific information might be available, it still looks like an uphill battle against Musk,” he added.
Musk’s legal team has already shown a willingness to question former high-ranking executives, issuing a subpoena to former Twitter CEO Jack Dorsey. (Zatko, according to one of the people familiar with the company, was already one of the executives whose records Musk’s legal team tried to obtain, but a judge denied the request.)
Musk’s team has asked more than 20 company leaders for information, but the judge has so far only allowed them to obtain internal communications from a single Twitter executive, former head of consumer products Kayvon Beykpour.
Zatko alleges in his complaint that an unnamed senior executive attempted to shut down a key tool for stopping spam and bot accounts. The tool, internally called ROPO, for “read only phone,” blocks an account from tweeting until the user can prove it is linked to a real person.
That executive was Beykpour, who was fired by Agrawal earlier this year, said two of the people familiar with the company’s spam processes, as well as a third person familiar with the discussions. The complaint says that Beykpour criticized the tool after “personally receiving a small number of unsolicited DMs (direct messages).” But the people said that Beykpour thought ROPO was riddled with much broader bugs and that he was not trying to shut down the tool, but was proposing a hotfix.
Beykpour declined an interview request.
Zatko’s attorney at the nonprofit law firm Whistleblower Aid said there had been no interaction with Musk’s team, but he would respond to subpoenas.
Zatko also alleges in the complaint that Twitter’s security systems were deeply flawed, leaving the company vulnerable to repeated attacks and even to the very real possibility of a complete shutdown of the site. He says that during his year-long tenure with the company, many workplace servers and laptops were running outdated and vulnerable software, and too many employees had access to internal systems containing sensitive software and user data.
Twitter’s Hahn says security practices are up to industry standards.