“For years, in many public statements and [SEC] Twitter has made material misrepresentations and omissions … regarding security, privacy and integrity,” Zatko’s disclosure states. “Twitter’s misrepresentations are particularly impactful given that they are directly the subject of Elon Musk’s acquisition of the company.”
Zatko, better known as “Mudge,” is a prominent cybersecurity executive and ethical hacker whose career also included stints at Google and the Department of Defense. He was hired as Twitter’s security chief after a major hack at the company in 2020 and was fired in January this year, a move he claims came after he tried to blow the whistle internally on security deficiencies and alleged potential fraud by senior executives at the company.
His disclosure paints a picture of a company riddled with security vulnerabilities that threaten user data and platform functionality, and which he says could endanger US national security. Zatko also alleges that Twitter’s top executives misled users, regulators and even the company’s board of directors about the state of its information security. “Please open an investigation into legal violations by Twitter,” the disclosure reads.
In a statement to CNN responding to the revelation, a Twitter spokesperson said Zatko was fired for “ineffective leadership and poor performance.”
“What we have seen so far is a false narrative about Twitter and our privacy and data security practices that is full of inconsistencies and inaccuracies and lacks significant context,” the spokesperson said. “Mr. Zatko’s allegations and opportunistic timing appear designed to attract attention and harm Twitter, its customers and its shareholders. Security and privacy have long been company priorities at Twitter and will continue to be.”
Twitter CEO Parag Agrawal wrote an internal memo to employees on Tuesday, obtained by CNN, pledging to dispute the claims in the disclosure and seeking to reassure employees, and calling the allegations “disappointing and confusing to read.”
While the revelation could affect Twitter’s standing with regulators, users and even its board of directors, one of the most pressing impacts could be on its case against Musk. After Musk last month moved to end the deal over allegations that Twitter had misrepresented the number of bots on the platform and failed to hand over information to help him assess the issue, Twitter filed a lawsuit accusing him of using bots as a pretext to withdraw from the agreement. Twitter asked the court to compel him to follow the agreement, and the case is set to go to trial in the Delaware Court of Chancery in October.
On Tuesday, after news of Zatko’s disclosure broke, Musk’s lawyer, Alex Spiro, said the billionaire’s legal team had already subpoenaed Zatko in the Twitter dispute. “We found the exit of him and other key employees puzzling in light of what we’re finding,” Spiro told CNN.
The stakes of the litigation, and whatever impact the latest revelations have on it, could not be higher for Twitter. The company is scrambling to complete a deal to be acquired at a price significantly higher than its current market valuation or secure a billion-dollar fee from Musk, and to do so as soon as possible to avoid a lingering cloud of uncertainty over its business. Even before Musk got involved, Twitter was struggling to expand its user base and grow its advertising business.
Zatko told CNN that his disclosure was unrelated to the acquisition, that he has no personal relationship with Musk, and that he began documenting the concerns that would be disclosed before there was any indication of Musk’s involvement with Twitter. Zatko says that his broader stock portfolio, which includes shares in various individual companies, holds a small amount of Tesla (TSLA) stock acquired over the past 10 years, as well as a slightly larger stake in Twitter because his compensation plan included stock. He told CNN that he doesn’t plan to touch either of them throughout the disclosure process. Zatko began documenting his concerns about misleading statements made to Twitter’s board about security in December. Musk first mentioned his large stake in Twitter on April 4, before agreeing to acquire it later that month.
“No Appetite” to properly count bots
In February 2019, Twitter announced that it would begin using a new metric to quantify its audience size when the company reported its financial results each quarter. The company, which had been experiencing declining user numbers for several quarters, said it would shift from disclosing monthly active users — a metric commonly used by social media companies — to reporting monetizable daily active users (mDAU), a measure of the number of actual users to whom an ad could be shown on the platform.
“Our goal was to not only reveal the highest number of daily active users that we could,” Twitter said in a letter to shareholders at the time, adding that it believed the new metric would give advertisers a better sense of the value of ads placed on the platform. The metric also meant that the user numbers that Twitter reported to shareholders — often a determining factor in a company’s share price — would be less likely to fluctuate if, for example, the company took down a large bot network involving multiple accounts.
Since making the switch, Twitter has reported that fake and spam accounts make up less than 5% of mDAUs, a figure it has reiterated in its battle with Musk and one the billionaire has disputed. (Twitter has acknowledged in SEC filings that the number is based on significant judgment that may not accurately reflect reality.)
Musk initially said in May that his deal to buy Twitter was “on hold” and appeared to ask about the prevalence of bots as a percentage of total users. Agrawal responded in a tweet thread several days later, repeating Twitter’s calculation that fake and spam accounts make up less than 5% of mDAU and defending the company’s metric. In the disclosure, Zatko claims that Agrawal was essentially answering a different question than Musk asked, adding that most regular Twitter users and shareholders may not notice or understand the distinction between bots as a percentage of total users and bots as a percentage of mDAU.
Twitter, Zatko’s disclosure claims, actually considers bots to be part of a category of millions of non-monetized users that it doesn’t report. The 5% bot figure that Twitter shares publicly is essentially an estimate, based on human review, of the number of bots that are slipping into the company’s automated monetizable daily active user count, the disclosure said. So while Twitter’s 5% mDAU bot figure may be useful in showing advertisers the number of fake accounts that may see but can’t interact with their ads, the disclosure claims it doesn’t reflect the full range of fake and unwanted accounts on the platform.
The disclosure also points to another tweet in Agrawal’s thread in May in which he said Twitter has a “strong incentive to detect and remove as much spam as we can, every day.” Zatko alleges that, contrary to Agrawal’s statement, company executives were motivated by business pressures and bonus structures to grow mDAU, and in some cases did so at the expense of devoting resources and attention to dealing with the volume of spam on the platform.
Zatko says he started asking about the prevalence of bot accounts on Twitter in early 2021 and was told by Twitter’s site integrity officer that the company didn’t know how many total bots were on its platform. (Twitter told CNN that Zatko’s statement lacked necessary context.)
Zatko also claims that he walked away from conversations with the integrity team with the understanding that the company “didn’t feel like properly measuring the prevalence of bots,” in part because if the true number became public, it could damage the company’s value and image.
Twitter’s systems for measuring and removing bots also consist of “mostly outdated, uncontrolled, simple scripts, as well as overworked, inefficient, understaffed and reactive human teams,” the disclosure said.
Experts on authentic online behavior say bots can be difficult to quantify because there is no widely accepted definition of the term, because people can sometimes be behind fake and spammy accounts, and because bad actors are constantly changing tactics. There are also many good bots on Twitter, such as automated accounts that tweet weather or news updates, and the platform offers opt-in tags for such accounts to identify them to users. However, Zatko says he believes there would still be value in trying to better measure the full scale of spam, fake or otherwise harmful automated accounts on the platform.
“The executive team, the board, the shareholders and the users all deserve an honest answer about what it is that they are consuming in terms of data, information and content on the platform,” he told CNN earlier this month. “Your whole perception of the world is based on what you see and read and consume on the Internet. And if you don’t understand what’s real, what’s not… yeah, I think that’s pretty scary.”
Twitter says it allows bots on its platform, but its rules prohibit those involved in spamming or platform manipulation. But as with all social media…