New York CNN Business  — 

Elon Musk’s monthslong effort to buy — and then to get out of buying — Twitter has been marked by a range of unexpected twists. Now, a stunning whistleblower disclosure from the company’s former security lead Peiter Zatko is almost certain to become the latest complication.

As part of a wide-ranging, nearly 200-page disclosure sent last month to US lawmakers and regulators, which was exclusively reported by CNN and the Washington Post Tuesday, Zatko alleges that Twitter (TWTR) has neither the incentive nor the resources to properly measure the full scope of bots on its platform. He also alleges that Twitter (TWTR) suffers from a range of other security vulnerabilities that it has for years failed to fix. (Twitter (TWTR) has broadly defended itself and criticized Zatko’s allegations as “riddled with inconsistencies and inaccuracies.”)

Musk, who initially said he wanted to “defeat the spam bots” after buying Twitter, later raised alarms that the company might be significantly under-reporting the number of spam and fake accounts, although he had little apparent evidence beyond his own experience on the platform to support the claim. He has made the issue central to the legal fight over the $44 billion acquisition, even as Twitter argues Musk is simply attempting to get out of a deal for which he now has buyer’s remorse amid a market downturn.

Many merger law experts have previously said Twitter had the stronger legal argument in the case. Experts have also said the success of Musk’s bot argument will likely come down to how closely the Delaware Chancery Court judge wants to focus the case on the specific language in the contract — which does not mention bots — versus allowing the billionaire’s more tangential arguments.

But the new disclosure could help bolster Musk’s argument and potentially encourage the court to pay closer attention to the bot issue. Moreover, Musk’s legal team could attempt to seize on other claims in the disclosure unrelated to bots — including allegations that Twitter made misrepresentations to regulators such as the Federal Trade Commission and Securities and Exchange Commission about its privacy and security practices — as additional reasons he should be able to walk away from the deal.

“For years, across many public statements and [SEC] filings, Twitter has made material misrepresentations and omissions … regarding security, privacy and integrity,” Zatko’s disclosure states. “Twitter’s misrepresentations are especially impactful, given that they are directly at issue in Elon Musk’s contemplated takeover of the company.”

Zatko, better known as “Mudge,” is a prominent ethical hacker-turned-cybersecurity executive whose career also included stops at Google and the Department of Defense. He was hired as Twitter’s security lead following a major hack at the company in 2020 and fired in January of this year, a move he claims came after he tried to blow the whistle internally about security deficiencies and alleged possible fraud by the company’s senior leaders.

Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait on August 22, 2022.

His disclosure paints a picture of a company rife with security vulnerabilities that threaten user data and the platform’s functionality, and which he says could put US national security at risk. Zatko also alleges that Twitter’s top executives have misled users, regulators and even the company’s own board about the condition of its information security. “Please open an investigation into legal violations by Twitter,” the disclosure states.

A Twitter spokesperson said in a statement to CNN in response to the disclosure that Zatko was fired for “ineffective leadership and poor performance.”

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the spokesperson said. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Twitter CEO Parag Agrawal on Tuesday wrote an internal memo to employees, obtained by CNN, vowing to challenge the allegations in the disclosure and seeking to reassure employees, calling the allegations “frustrating and confusing to read.”

While the disclosure could impact Twitter’s standing with regulators, users and even its board of directors, one of the most pressing immediate impacts could be on its case against Musk. After Musk last month moved to terminate the deal over allegations that Twitter has misstated the number of bots on the platform and failed to hand over information to help him evaluate the issue, Twitter filed a lawsuit accusing him of using bots as a pretext to exit the deal. Twitter has asked a court to compel him to follow through with the agreement, and the case is set to go to trial in the Delaware Chancery Court in October.

On Tuesday, after news of Zatko’s disclosure broke, Musk lawyer Alex Spiro said the billionaire’s legal team had already subpoenaed Zatko in the dispute with Twitter. “We found his exit and that of other key employees curious in light of what we have been finding,” Spiro told CNN.

The stakes of the legal dispute, and any impact the latest disclosures have on it, could not be higher for Twitter. The company is fighting to complete a deal to be acquired at a price significantly higher than its current market valuation, or else secure a billion-dollar breakup fee from Musk, and to do so as soon as possible to avoid a prolonged cloud of uncertainty for its business. Even prior to Musk’s involvement, Twitter had been struggling to expand its user base and grow its advertising business.

Zatko told CNN that his disclosure is unrelated to the acquisition, that he has no personal relationship with Musk and that he began documenting the concerns that would become his disclosure before there was any indication of Musk’s involvement with Twitter. Zatko says he holds as part of his broader stock portfolio, which includes shares in a number of individual companies, a small amount of Tesla (TSLA) shares acquired over the past 10 years, as well as a slightly larger stake in Twitter because his compensation plan there included stock. He told CNN he does not plan to touch either throughout the disclosure process.

Zatko began documenting his concerns about misleading statements made to Twitter’s board regarding security in December; Musk first reported his large stake in Twitter on April 4, before agreeing to acquire it later that month.

Peiter Zatko Mudge 2000 Bernard Shaw CNN Pkg
Twitter whistleblower was on CNN 22 years ago. Here's what he had to say
03:22 - Source: CNN

‘No appetite’ to properly measure bots

In February 2019, Twitter announced it would start using a new metric to quantify the size of its audience when the company reported its financial results each quarter. The company, which had been facing a decline in users for several quarters, said it would shift from disclosing monthly active users — a metric commonly used by social media companies — to reporting monetizable daily active users (mDAU), a measure of the number of real users who could be shown an ad on the platform.

“Our goal was not to disclose just the largest daily active user number we could,” Twitter said in a letter to shareholders at the time, adding that it felt the new metric would give advertisers a better sense of the value of ads placed on the platform. The metric also meant that the user numbers Twitter reported to shareholders — often a determining factor for a company’s share price — would be less likely to fluctuate if, for example, the company removed a large bot network comprising many accounts.

Since making the switch, Twitter has reported that fake and spam accounts make up less than 5% of mDAUs, a figure it has repeated in its fight with Musk and one the billionaire has called into question. (Twitter has acknowledged in SEC filings that figure relies on significant judgement that may not accurately reflect reality.)

Musk initially said in May that his deal to buy Twitter was “on hold,” and appeared to ask about the prevalence of bots as a percentage of total users. Agrawal responded in a tweet thread several days later, reiterating Twitter’s calculation that fake and spam accounts make up less than 5% of mDAU and defending the company’s measurement. In the disclosure, Zatko claims Agrawal was effectively answering a different question than Musk was asking, adding that most regular Twitter users and shareholders might not notice or understand the distinction between bots as a percentage of total users and bots as a percentage of mDAU.

Elon Musk spoke about his offer to purchase Twitter during an on-stage interview at a TED conference in Vancouver, Canada, on April 14.

Twitter, Zatko’s disclosure claims, actually considers bots to be a part of a category of millions of “non-monetizable” users that it does not report. The 5% bots figure that Twitter shares publicly is essentially an estimate, based on human review, of the number of bots that slip through into the company’s automated count of monetizable daily active users, the disclosure states. So while Twitter’s 5% of mDAU bots figure may be useful in indicating to advertisers the number of fake accounts that might see but be unable to interact with their ads, the disclosure alleges that it does not reflect the full scope of fake and spam accounts on the platform.

The disclosure also points to another tweet in Agrawal’s May thread in which he stated that Twitter is “strongly incentivized to detect and remove as much spam as we possibly can, every single day.” Zatko alleges that, contrary to Agrawal’s statement, the company’s executives were instead incentivized by business pressures and bonus structures to grow mDAU, and in some cases did so at the expense of dedicating resources and attention to addressing the amount of spam on the platform.

Zatko says he began asking about the prevalence of bot accounts on Twitter in early 2021, and was told by Twitter’s head of site integrity that the company didn’t know how many total bots are on its platform. (Twitter told CNN Zatko’s statement lacks necessary context.)

Zatko also alleges that he came away from conversations with the integrity team with the understanding that the company “had no appetite to properly measure the prevalence of bots,” in part because if the true number became public, it could harm the company’s value and image.

Twitter’s systems to measure and remove bots also consist of “mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed and reactive human teams,” the disclosure states.

Experts on inauthentic behavior online say it can be difficult to quantify bots because there isn’t a widely agreed upon definition of the term, because humans can sometimes be behind fake and spam accounts, and because bad actors constantly change their tactics. There are also many good bots on Twitter, such as automated accounts that tweet weather or news updates, and the platform offers opt-in labels for such accounts to identify themselves to users. But Zatko says he thinks there would still be value in attempting to better measure the full scale of spam, false or otherwise harmful automated accounts on the platform.

“The executive team, the board, the shareholders and the users all deserve an honest answer as to what it is that they are consuming as far as data and information and content on the platform,” he told CNN in an interview earlier this month. “Your whole perception of the world is made from what you are seeing, reading and consuming online. And if you don’t have an understanding of what’s real, what’s not … yeah, I think this is pretty scary.”

Twitter says that it allows bots on its platform, but its rules prohibit those that engage in spam or platform manipulation. But, as with all social media platforms’ rules, the challenge often lies in enforcing such policies.

The company says it regularly challenges, suspends and removes accounts engaged in spam and platform manipulation, including typically removing more than one million spam accounts each day. Twitter confirmed that the number of spam accounts as a percentage of mDAU is distinct from the total number of fake and spam accounts on the platform. But the company added that it believes the total number would not be useful because it could include accounts Twitter has already taken action on, and it does not believe it could catch all such accounts and thus the number would be a minimum count.

In the disclosure, Zatko alleges that without more context, it’s hard to fully understand the figures Twitter reports about taking down spam and fake accounts. The disclosure questions whether the number “is a lot or a little, for a platform as vast as Twitter? No one knows because there is no denominator provided for context.”

Twitter did not respond to a request to provide the total number of accounts on the platform, or the average number of accounts added daily, as context around the bot removal figure.

Bots may not be the only issue

Much of the dispute between Twitter and Musk has focused on bots — an issue that legal experts have said may not be material to the deal even if Twitter was found to have misstated the numbers. But following the disclosure, Musk’s legal team could also choose to focus on some of Zatko’s other serious allegations.

For example, Zatko’s disclosure alleges that Twitter has lax security practices and a lack of emergency plans, which could threaten to take down the servers that keep the platform running, potentially permanently — a so-called “Black Swan” event that he claims nearly occurred in the spring of 2021.

“Twitter has consistently misrepresented in SEC filings its capacity to recover from even a brief outage of only a few data centers,” according to the disclosure. The disclosure makes reference to the risk factors the company lists in its annual report, which states that it has a “disaster recovery program” in case of damage to its data centers. Zatko alleges that recovery program may not be “functional enough” to prevent a Black Swan event.

Twitter has pushed back, saying the disclosure is "riddled with inconsistencies and inaccuracies and lacks important context."

Twitter did not respond to specific questions about the risk of data center outages, but said it continuously invests in its teams and technology to ensure the platform’s security. And a source close to the matter told CNN that the platform had systems in place to address privacy, security and health-related risks for years before Zatko joined the company that have continued since his departure.

The disclosure also alleges that Twitter is in violation of a 2011 consent order that resulted from a lawsuit by the Federal Trade Commission, in which the company vowed to clean up its act around security and user data privacy. Zatko alleges that despite its claims to the contrary, Twitter executives are aware that the company has “never been in compliance” with the order.

Twitter said it is in compliance with relevant privacy rules and that it has been transparent with regulators about its efforts to fix any shortcomings in its systems.

The disclosure also claims that some of the shortcomings Zatko identified while leading the company’s security could create issues that would constitute a “material adverse effect,” a legal term for a change in a company’s circumstances that would significantly reduce its value, and the sort of risk that could give Musk greater leverage to get out of the deal.

The disclosure points to a section in Twitter and Musk’s merger agreement in which the company affirmed it does not “infringe, misappropriate or otherwise violate any Intellectual Property Rights of any other Person” in a way that would constitute a material adverse event. However, the disclosure alleges that Twitter has failed to obtain the appropriate licenses for the data it uses to train its artificial intelligence — which is used in key Twitter features such as the algorithm it relies on to rank what tweets users see.

“Twitter senior leadership have known for years that the company has never held the proper licenses to the data sets and/or software used to build some of the key Machine Learning models used to run the service,” the disclosure states.

The acquisition agreement defines a material adverse effect as a change or event that has or would result in material harm to “the business, financial condition or results of operations of Twitter,” with several exceptions including those caused by economic or political conditions and “acts of God” such as terrorism, cyberattacks or data breaches. It would likely be up to a court to decide exactly what issues would fall under that classification. But the disclosure claims that litigation by any of the owners of the intellectual property used to train Twitter’s AI could result in “massive monetary damages” to Twitter or an injunction that could affect its ability to operate key products, which it alleges could constitute a material adverse effect.

“Unless circumstances have changed since Mudge was fired in January, Twitter’s continued operation of many of its basic products is most likely unlawful,” the disclosure alleges.

Twitter did not respond to questions about the allegation that it does not have the proper intellectual property rights for the data used to train its AI.