Former Twitter security chief says company is hiding the ball when it comes to spam and bots
Former security chief Peiter Zatko accuses Twitter of “lying about bots to Elon Musk” in a whistleblower complaint filed in July with regulators including the Securities and Exchange Commission, a copy of which was obtained by the Washington Post.
Zatko, a well-known figure in the security community, says Twitter has no incentive to count the actual number of bots and spam accounts on the service, which has 238 million daily users. And he lays out another argument that could give Musk a potential boost in his fight to prove that Twitter breached his contract when he agreed to acquire the company for $44 billion: that Twitter misled regulators about its defenses against hackers.
Importantly, Zatko provides limited documentary evidence in his complaint about spam and bots, so the potential impact of these claims is difficult to assess at first glance.
Twitter has repeatedly pushed back against the argument that it doesn’t accurately count or work hard to fight bots and spam. In May, CEO Parag Agrawal said the company was deleting half a million spam and bot accounts every day, a figure the company updated in July to one million a day.
“Twitter fully supports … our statements about the percentage of spam accounts on our platform and the work we’re doing to combat spam on the platform, in general,” Twitter spokeswoman Rebecca Hahn said in response to Zatko’s allegations.
But any new allegations that Twitter misled shareholders and regulators could bolster Musk’s case in Delaware Chancery Court in October, according to half a dozen legal experts who spoke to The Post before the complaint was made public and who had not been informed of it. Arguments would hinge on the seriousness of the revelations, as well as the data supporting any new claims — and the extent to which Musk relied on those claims to seal the deal.
Musk and his attorneys did not immediately respond to a request for comment.
Musk, the CEO of Tesla and SpaceX, is seeking to terminate his agreement to buy the social media site, alleging that Twitter’s long-standing estimate that bot and spam accounts make up less than 5% of its “monetizable daily” users is wrong. He terminated his agreement to buy Twitter, alleging that its bot-counting error would constitute a “material adverse effect”, a fundamental change for the company that, for example, significantly reduces its value. And he has since counterattacked the company for allegedly misleading his team, accusing Twitter of fraud and breach of contract.
Zatko is a security pioneer who is known in the industry, under the nickname “Mudge”, for his history of exposing software flaws. His tenure at Twitter, however, was contentious, leading to repeated clashes with fellow executives and ultimately his firing.
The complaint alleges that Twitter misled regulators at the Federal Trade Commission and the Securities and Exchange Commission on security issues. Twitter’s Hahn said Zatko’s claims were “riddled with inaccuracies.”
The true number of bots and spam accounts on Twitter is likely to be “significantly higher” than the figure announced by Twitter, according to the complaint.
“Twitter executives have little or no personal incentive to ‘detect’ or accurately measure the prevalence of spambots,” the complaint alleges, adding that “willful ignorance was the norm” among its leadership.
A redacted version of the 84-page brief was sent to congressional committees. The Post obtained a copy of the disclosure from a senior Democratic official on Capitol Hill.
Several divisions of Twitter are responsible for combating spam and bots. As security chief, Zatko was not directly responsible for bot eradication, but his role touched on certain aspects of bot removal. Zatko was fired long before Musk’s initial Twitter investment became public in April, ahead of the acquisition announcement later that month.
Four people familiar with the company’s spam detection processes, who like others spoke on condition of anonymity to describe sensitive internal matters, told The Post that the company keeps multiple counts of spam and bots – known as “prevalence” – across the service, beyond the number provided to Wall Street. The Post also obtained an internal document, which has been redacted to hide the numbers, showing that “spam prevalence” was a number shared with the board. The document was provided to the board at a meeting Zatko attended, according to two of the people.
The four people said the social media company estimates the prevalence of spam and bots on the service by using software to sample thousands of tweets each day, as well as 100 manually sampled accounts. Three of the interviewees said the company’s internal bot prevalence figures were almost always below 5%.
Twitter’s Hahn said the company is transparent about how many accounts it takes down for violating its rules. Moreover, there are many bots that follow the rules and are allowed to stay. The company does not report the total number of bots because it would only be a minimum count of those it captured, she said. Internal prevalence metrics focus on the number of people who see bots breaking the rules, which the company says is a more accurate measure of potential damage than an overall tally, since many bots are inactive, Hahn added.
Twitter and Musk became embroiled in a legal battle this summer, after Musk backed out of his deal to buy the social media company. Twitter sued, alleging he breached his contract while disrupting the site’s operations and driving down its stock.
In response, Musk filed a countersuit late last month alleging a range of new issues, including that a majority of ads are served to fewer than 16 million users. That’s a tiny fraction of the 238 million daily users that Twitter claims it can generate revenue from by showing them advertisements.
Alexander Manglinong, a lawyer who focuses on commercial litigation at law firm Stubbs Alderton & Markiles, pointed to Musk’s decision to forgo due diligence in reaching the deal, which denied him further scrutiny of Twitter’s inner workings.
“From my perspective – even without knowing what specific information might be available, it still seems, for Musk, an uphill battle,” he added.
Musk’s legal team has already shown its willingness to question former high-ranking executives, issuing a subpoena to former Twitter chief executive Jack Dorsey. (Zatko, according to one of the people familiar with the company, was already one of the executives whose records Musk’s legal team tried to obtain, but a judge denied the request.)
Musk’s team has sought information from more than 20 business leaders, but so far the judge has allowed them to obtain internal communications from only one Twitter executive, former head of consumer product Kayvon Beykpour.
Zatko alleges in his complaint that an anonymous senior executive attempted to shut down a key tool for stopping bot and spam accounts. The tool, internally called ROPO, for “read-only phone only”, blocks an account from tweeting until the user can prove it is linked to a real person.
That executive was Beykpour, who was fired by Agrawal this year, said two of the people familiar with the company’s spam processes, as well as a third person familiar with the discussions. The complaint states that Beykpour became critical of the tool after he personally “received a small number of unsolicited DMs” (direct messages). But the people said Beykpour thought ROPO was riddled with much broader errors and wasn’t trying to stop the tool but was proposing a redesign.
Beykpour declined an interview request.
Zatko’s attorney from the nonprofit law firm Whistleblower Aid said there had been no interaction with Musk’s team but would respond to subpoenas.
Zatko also alleges in the complaint that Twitter’s security systems had huge flaws, leaving the company vulnerable to repeated hacks and even the real possibility of a site shutdown. He says that during his one-year tenure at the company, many servers and laptops in the workplace were running outdated and vulnerable software, and far too many employees had access to internal systems containing sensitive user data and software.
Twitter’s Hahn says security practices meet industry standards.