What the Twitter Whistleblower Disclosure Means for Elon Musk

11 minute read
Updated: | Originally published:

A whistleblower disclosure by Twitter’s former security chief made allegations of “egregious deficiencies” in the company’s security and argued that the social media platform has more spam bots than it publicly acknowledges.

But even as Twitter stocks fell 7.3% on Tuesday following the public release of Peiter “Mudge” Zatko’s 84-page report, legal experts were skeptical that the claims would give billionaire Elon Musk a decisive advantage in his court battle to back out of his deal to buy the company.

Musk has said for months that Twitter misled investors about the platform’s financial health, including the proportion of spam bots on the site. The allegations about bots by Zatko, a well known cybersecurity expert who joined Twitter in November 2020, seem to support Musk’s claims. The disclosure obtained by TIME alleges that Twitter executives deprioritized getting an accurate count of spam bots—in part because the truth may not look good to advertisers.

But Ann Lipton, a law professor at Tulane University who specializes in corporate litigation, says the documents shed little light on the key legal issue: Whether Twitter misled Musk, especially over how it tallies users.

Unlike other major social media platforms, Twitter uses a proprietary metric that it calls “mDAU” or “monetizable daily active users” to report its user base to advertisers and investors. It also reports the amount of spam bots on its platform as a portion of mDAU—usually about 5%.

“The [whistleblower disclosure] basically just alleges that mDAU is the wrong metric,” Lipton told TIME after it was released. For Musk’s case, “that’s not the real legal question.”

Musk’s lawyer, Alex Spiro, says his team had already subpoenaed Zatko—who was fired this past January—before the whistleblower disclosure became public. “We found his exit and that of other key employees curious in light of what we have been finding,” Spiro says, adding that Musk’s legal team has had no contact with Zatko or his attorneys.

The Washington Post and CNN first reported Mudge’s whistleblower disclosure, which was filed with regulators in July, including the Securities and Exchange Commission.

A Twitter spokesperson said that “security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”

“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.

“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”

Musk’s uphill legal battle

In April, Musk offered to buy Twitter in a deal worth roughly $44 billion. But, in July, he put the deal on hold and is now trying to back out of it—citing the prevalence of spam or fake accounts on the platform. Twitter filed a lawsuit against Musk in an attempt to force him to complete the acquisition. At the heart of Musk’s claim: Whether Twitter breached its contract or made false representations as part of the agreement.

Most details about spam bots in Zatko’s report aren’t exactly new revelations—indeed, Musk’s legal team took issue with the process of how Twitter counts bots in legal filings earlier this month. Twitter itself has also included numerous references to its process in regulatory filings.

READ MORE: Whether or Not He Buys Twitter, Elon Musk Has Thrown the Company Into Turmoil

Prior to the whistleblower release, legal experts have said Musk must prove that Twitter misrepresented the number of bots on its platform on purpose—something that could be difficult because the company has been public about its use of mDAU as a metric for counting bots, Lipton says.

Adam Badawi, a law professor at the University of California, Berkeley who specializes in corporate transactions, agrees that the whistleblower report doesn’t change much for Musk’s lawsuit. “I don’t see anything in the whistleblower report that contradicts Twitter’s previous statements,” he tells TIME.

Zatko’s criticism of Twitter’s spam reporting, Badawi adds, has “nothing to do with the merger agreement.”

But Lipton and Badawi say that it’s possible—though unlikely—that the disclosures could help Musk back out of his deal to buy Twitter in another way: He could highlight security and integrity concerns by claiming that Twitter knew of “serious undisclosed problems that threaten their business’s future and didn’t disclose them as required in the SEC filings,” Lipton says.

The company denies Zatko’s allegations. A source close to the company says Twitter investigated numerous security-related allegations he made at the time of his firing and found them “sensationalistic and lacking merit.”

Musk’s legal team would have to prove that any nondisclosures were so dramatic that it would have a long-term, detrimental effect on Twitter’s finances going forward, known in legal circles as a “material adverse effect.”

Badawi also notes, though, that Musk waived his right to due diligence in the original purchase agreement. “To say that Twitter breached their contract is a non-starter,” Badawi says. “This is among the most seller-friendly agreements I’ve ever seen.”

The legal dispute is set to go to trial in Delaware Chancery Court in October, though legal experts say it’s possible the judge issues a delay given the new information from the whistleblower disclosure.

However, any impact on the case is anything but certain. “People sue public companies for making false statements in SEC filings all the time,” says Lipton, who has previously litigated fraud cases against public companies. “But when a disgruntled employee disagrees with management decisions, that’s frequently not taken as a sufficient basis for treating an SEC filing as false.”

How Twitter measures bots and users

The contentious discussion about mDAU has been a frequent source of frustration for Musk, whose legal team estimates that 33% of “visible accounts” on the social media platform are false or spam accounts—a calculation that hasn’t been independently verified. Twitter CEO Parag Agrawal, in response, has said external groups can’t verify Musk’s claim because the company “can’t share” the public and private information it uses, like phone numbers.

Twitter has said in its SEC filings that whether any given account is counted in mDAU is not available to the public and it even admits the 5% figure could be wrong. “It’s a very hard statement to falsify because it’s so non-committal,” Lipton told TIME before the disclosure. “All Twitter is saying is they have a process for evaluating mDAU and the number may or may not be wrong.”

Critical to the dispute over bots: How the company counts the number of people who use Twitter. Starting in 2019, the company stopped reporting raw user numbers and started using its own measure, a statistic it calls monetizable daily active Twitter users (mDAU).

Using a formula that Twitter does not disclose, mDAU excludes many accounts from the total, including those it believes are automated (like spam bots) and accounts it can’t monetize, perhaps because Twitter isn’t selling ads for that region or language. Essentially, these are accounts that may be unlikely to buy anything from an advertiser on Twitter.

The whistleblower’s documents say that disclosing only those spam bots that are part of mDAU is deliberately misleading.

“Twitter created the mDAU metric precisely to avoid having to honestly answer the very questions Mr. Musk raised,” Zatko claims in the whistleblower report.

Twitter’s spam calculation also doesn’t reflect how regular users experience the social media platform, because they still encounter spam bots more often than Twitter’s accounting of spam would suggest, Zatko says.

 

Twitter says it regularly challenges and suspends accounts for spam, misinformation, and manipulation and removes more than one million accounts a day and locks millions more each week if they don’t pass human verification requirements—that includes captcha and verifying phone or email addresses.

Musk has already contested Twitter’s use of mDAU in his legal filing, and has claimed that if mDAU is proved to be less than representative of the general Twitter population, executives have effectively misrepresented the value of the company.

Twitter, on the other hand, says mDAU is actually a more useful way to count users, because it focuses on those who matter most to its bottom line—those who may buy ads. The vast majority of Twitter’s revenue comes from ad sales.

The company acknowledges that mDAU includes some accounts that are phony, automated, or spam bots, but reports that number is less than 5%. And that figure isn’t new: Twitter has published the same qualified estimate for the last three years.

Twitter says it calculated this figure through an internal review of a sample of accounts, a process that it acknowledged in a regulatory filing involves “significant judgment.” The company first takes a random sample of mDAU, then analyzes those accounts by hand to determine whether they are fake or not, using a combination of public and private data like IP address, phone number, geolocation, and account activity.

Andrea Stroppa, a cybersecurity researcher who specializes in bots on social media, tells TIME that mDAU is an “ad hoc metric” that was created to protect Twitter’s interests. “Twitter is the only company among the biggest social networks to use monetizable daily active users,” he says. “There is no standard in the industry.”

Although Twitter has a smaller user base than some of its competitors, reporting mDAU instead of monthly active users is an understandable financial strategy, according to Jasmine Enberg, a social media analyst at Insider Intelligence. “Twitter’s switch to publicly reporting mDAUs only came at a time when it was struggling to show growth in monthly users,” she adds. “The company’s value proposition to advertisers has long been the quality of its audience, rather than the overall size of its user base.”

Both Stroppa and Enberg spoke with TIME before the disclosures were made public.

But the bigger issue, according to the whistleblower, is that growing mDAU (and making the company look appealing to advertisers, who want to reach receptive audiences) took priority over many other things that would make the platform better and safer in the long run. Executive compensation was at least partially tied to mDAU, including bonuses of up to $10 million, Zatko alleges.

Zatko reported that one source at the company told him senior management was “concerned that if accurate measurements of spam ever became public, it would harm the image and valuation of the company.”

Four people familiar with Twitter’s spam detection process told The Washington Post that the company keeps several internal tallies of spam and bots beyond the reported numbers. In response to the reporting, Musk tweeted: “So spam prevalence *was* shared with the board, but the board chose not disclose that to the public.”

Claim: Twitter leaders showed ‘deliberate ignorance’ of bots

Zatko alleges that for Twitter’s executive leadership team, “deliberate ignorance was the norm” around getting more accurate numbers. “We don’t really know,” Twitter’s Head of Site Integrity allegedly told Zatko in early 2021 when he asked what the underlying spam bot numbers were. Moreover, Zatko says Twitter could not provide an accurate upper bound on the total number of spam bots on the platform, which Zatko believes is in part because Twitter relied on outdated tools and understaffed teams to police its bots.

Zatko also claims that Twitter staff had in fact figured out an effective way to find and stop bots on its platform but that method was under fire from senior executives. The mechanism, known as “Read-Only Phone Only” (ROPO), placed suspected bot accounts into a restricted read-only mode that could only be unlocked if the user manually entered a one-time code sent to an associated phone number. Research performed at Zatko’s direction found that the ROPO method blocked more than 10-12 million bots each month with less than 1% of false positives. But Zatko says a senior executive proposed disabling the effort after getting direct messages from a handful of users whose accounts were paused. He says that senior executives had proposed disabling this method several times before.

More Must-Reads from TIME

Write to Nik Popli at nik.popli@time.com