The Twitter vs. Musk lawsuit could be rocked by whistleblowers

Twitter’s former security chief claims the company is hiding the ball when it comes to spam and bots
Former security chief Peiter Zatko accuses Twitter of “lying about bots to Elon Musk” in a whistleblower complaint filed in July with regulators, including the Securities and Exchange Commission, a copy of which was obtained by The Washington Post.
Zatko, a well-known figure in the security community, claims that Twitter is not motivated to count the true number of bots and spammy accounts on the service, which number 238 million daily users. And he lays out another argument that could give Musk a potential boost in his fight to prove that Twitter breached its contract when it agreed to buy the company for $44 billion: that Twitter misled regulators about its defenses against hackers.
Importantly, however, Zatko provides limited, hard documentary evidence in his complaint regarding spam and bots, so the potential impact of these claims is difficult to gauge a priori.
Twitter has repeatedly pushed back on the argument that it is not true or working intensively to fight bots and spam. In May, CEO Parag Agrawal said the company removes half a million spam and bot accounts every day, a figure the company updated in July to one million a day.
“Twitter stands by … our statements about the percentage of spam accounts on our platform, and the work we do to combat spam on the platform in general,” Twitter spokeswoman Rebecca Hahn said in response to Zatko’s allegations.
But any new allegations that Twitter misled shareholders and regulators could bolster Musk’s case in Delaware Chancery Court in October, according to half a dozen legal experts who spoke to The Post before the complaint became public, who were not briefed on the complaint. The arguments will depend on the seriousness of the revelations, as well as data supporting any new claims — and the extent to which Musk relied on such claims to complete the deal.
Musk and his lawyers did not immediately respond to a request for comment.
Musk, the CEO of Tesla and SpaceX, has sought to scuttle the deal to buy the social media site, arguing that Twitter’s long-held estimate that bot and spam accounts make up fewer than 5 percent of its “daily monetizing” users is untrue. He pulled out of his deal to buy Twitter, claiming the miscounting of bots would have a “significantly negative effect,” a fundamental change in the business that would, for example, cut sharply into its value. And he has since accused the company of allegedly misleading his team, accusing Twitter of fraud and breach of contract.
Twitter deal temporarily on hold pending details supporting calculations that spam/fake accounts actually represent less than 5% of usershttps://t.co/Y2t0QMuuyn
— Elon Musk (@elonmusk) 13 May 2022
Zatko is a security pioneer known in the industry for his history of exposing software bugs — under the handle “Mudge.” However, his tenure at Twitter was controversial, resulting in repeated clashes with other executives and his eventual firing.
The complaint alleges that Twitter misled regulators from the Federal Trade Commission and the Securities and Exchange Commission on security issues. Twitter’s Hahn said Zatko’s claims were “riddled with inaccuracies.”
The true number of bots and spam accounts on Twitter is likely to be “significantly higher” than the number Twitter claims, the complaint alleges.
“Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spambots,” the complaint alleges, adding “willful ignorance was the norm” among management.
A redacted version of the 84-page submission went to congressional committees. The Post obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill.
Several divisions at Twitter are responsible for combating spam and bots. As head of security, Zatko was not directly responsible for eradicating bots, but his role touched on some aspects of bot removal. Zatko was fired long before Musk’s first Twitter investment went public in April, ahead of the acquisition announcement later that month.
Four people familiar with the company’s spam detection processes, who like others spoke on condition of anonymity to describe sensitive internal matters, told The Post that the company keeps multiple internal counts of spam and bots — known as “prevalence” — across the service beyond the number provided to Wall Street. The Post also obtained an internal document, which was redacted to hide the numbers, which shows that “spam prevalence” was a number shared with
the board. The document was delivered to the board at a meeting Zatko attended, according to two of the people.
The four people said the social media company estimates the broader amount of spam and bots on the service by using software to sample thousands of tweets each day, as well as manually sampling 100 accounts. Three of the people said the company’s internal fine prevalence figures were almost always less than 5 percent.
Twitter’s Hahn said the company is open about the number of accounts it removes for violating its rules. In addition, there are many rule-following robots that are allowed to stay. The company does not report a total number of robots because it will only be a minimum number of those they have caught, she said. The internal measurements of prevalence focus on how many people see the offending bots, which the company believes is a more accurate measure of potential harm than a total count, since many bots are inactive, Hahn added.
Twitter and Musk became embroiled in a legal battle this summer, after Musk backed out of a deal to buy the social media company. Twitter sued, alleging he had breached his contract while disrupting the site’s operations and pulling down its stock.
In response, Musk filed a countersuit late last month alleging a number of new problems, including that the majority of ads are shown to fewer than 16 million users. That’s a small fraction of the 238 million daily users that Twitter claims can earn the company’s revenue by viewing ads.
Alexander Manglinong, a lawyer who focuses on business litigation at the firm Stubbs Alderton & Markiles, pointed to Musk’s waiver of due diligence in completing the deal, depriving him of a deeper look into Twitter’s inner workings.
“From my perspective — even without knowing what specific information might be out there, it still seems against Musk, an uphill battle,” he added.
Musk’s legal team has already shown its willingness to question senior former executives, issuing a subpoena to former Twitter CEO Jack Dorsey. (Zatko, according to one of the people familiar with the company, was already one of the executives whose documents Musk’s legal team sought to obtain, but a judge denied the request.)
Musk’s team has requested information from more than 20 company executives, but the judge has so far only allowed them to obtain internal communications from a single Twitter executive, former head of consumer products Kayvon Beykpour.
Zatko alleges in his complaint that an unnamed executive attempted to shut down a key tool to stop bots and spam accounts. The tool, internally called ROPO, for “read-only phone,” blocks an account from tweeting until a user can prove it’s linked to a real person.
That manager was Beykpour, who was fired by Agrawal this year, said two of the people familiar with the company’s spam processes, as well as a third person familiar with the discussions. The complaint says Beykpour became critical of the tool after personally “receiving a small number of unsolicited DMS (text messages).” But the people said Beykpour believed ROPO was riddled with much broader flaws, and did not seek to shut down the utility but proposed an overhaul.
Beykpour declined an interview request.
Zatko’s lawyer from the non-profit law firm Whistleblower Aid said there had been no interaction with Musk’s team, but he would respond to subpoenas.
Zatko also claims in the complaint that Twitter’s security systems had massive flaws, leaving the company vulnerable to repeated hacks and even the real possibility of a site-wide shutdown. He says that during his years-long tenure at the company, many workplace servers and laptops ran outdated and vulnerable software, and far too many employees had access to internal systems containing sensitive user data and software.
Twitter’s Hahn says its security practices are up to industry standards.