London24NEWS

Twitter: SEC calls on firm to reveal how it counts bots as Musk seizes on whistleblower revelations

The crisis surrounding social media giant Twitter Inc. grew on Wednesday as the SEC called for the firm to reveal how it counts bots, Elon Musk seized on whistleblower revelations and the scale of the company’s on-going staff exodus was revealed.

To make matters worse, leaders of several congressional panels are poring over the disclosures by respected cybersecurity expert-turned whistleblower Peiter Zatko, and calls on Capitol Hill for investigations are mounting. 

Zatko – also known by his hacker alias ‘Mudge’ – served as Twitter’s security chief until he was fired early this year. He is due to testify next month at a Senate hearing.

In his complaint, Zatko claimed Twitter prioritized growth over fighting spam and disinformation, and had weak procedures to control fake accounts. Twitter’s CEO called the accusations ‘foundationally, technically and historically inaccurate.’

The accusations come as Twitter sues Tesla CEO Musk after he backed out of buying the company for $44 billion, citing Twitter’s failure to provide details about the prevalence of bot and spam accounts. 

Lawyers for Musk and Twitter faced off in court on Wednesday over the key issue of fake accounts – drawing battle-lines for the trial ahead. The trial is set for October.

A letter revealed on Wednesday that the Securities and Exchange Commission in June asked the company about its methodology for calculating false or spam accounts and ‘the underlying judgments and assumptions used by management.’

Twitter says it has 238 million active monthly users, and that about 5% of the accounts it sells ads against are fake, either spam or bots. Twitter said last month that it removes 1 million spam accounts daily.

The SEC is interested in both figures as Twitter uses them to attract advertisers, whose payments make up a little more than 90 percent of the company’s revenue.

Twitter’s crisis deepened even further on Wednesday as company executives told staff that the firm is facing even more employee departures, with employee attrition is currently sitting at 18.3%.

The crisis surrounding social media giant Twitter Inc. grew on Wednesday as the SEC called for the firm to reveal how it counts bots, Elon Musk seized on whistleblower revelations and the scale of the company's on-going staff exodus was revealed. Peiter 'Mudge' Zatko (pictured yesterday), the social media firm's former head of security, made a bombshell disclosure to Congress and federal agencies last month

The crisis surrounding social media giant Twitter Inc. grew on Wednesday as the SEC called for the firm to reveal how it counts bots, Elon Musk seized on whistleblower revelations and the scale of the company’s on-going staff exodus was revealed. Peiter ‘Mudge’ Zatko (pictured yesterday), the social media firm’s former head of security, made a bombshell disclosure to Congress and federal agencies last month

The SEC’s Division of Corporation Finance asked the questions in the June 15 letter, shortly before Musk raised the issue as grounds to back out of the takeover deal.

Musk has claimed that Twitter is undercounting the number of fake accounts, which inflates the number of real users, echoing Zatko’s accusations.

Such questions from the SEC can be routine, and it wasn’t clear whether the SEC has opened a formal investigation into Twitter’s fake accounts. Neither the SEC nor Twitter would comment Wednesday.

The law firm Wilson Sonsini of Palo Alto, California, replied to the SEC in a June 22 letter saying the company believes it adequately disclosed the methodology in its annual report filed for 2021.

The letter says that Twitter makes its estimates of false accounts with an internal review of sample accounts. 

The number of fake accounts ‘represent the average false or spam accounts in the samples during each monthly analysis period during a quarter,’ the letter said.

It added that fewer than 5% of Twitter’s ‘monetizable’ daily active users were fake accounts in the fourth quarter of last year, the period that the SEC had questioned.

The letter was disclosed in a filing posted by the SEC on Wednesday, a day after Zatko alleged that the company misled regulators about its poor cybersecurity and its negligence in attempting to root out fake accounts that spread disinformation.

Zatko filed the whistleblower complaints last month with the SEC, the Federal Trade Commission and the Department of Justice. 

The legal nonprofit Whistleblower Aid, which is working with Zatko, said he exhausted all attempts to get his concerns resolved inside the company before his firing in January.

Zatko was hired by Twitter in November 2020, months after a serious breach in which young hackers took over the accounts of Barack Obama, Joe Biden and Musk himself. He said at the time he would examine ‘information security, site integrity, physical security, platform integrity – which starts to touch on abuse and manipulation of the platform – and engineering.’

Among Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users. Zatko also accuses the company of deceptions involving its handling of ‘spam’ or fake accounts.

As lawmakers stepped up calls for investigations into Zatko’s allegations, the Senate Judiciary Committee announced Wednesday that Zatko will testify at a hearing on Sept. 13 – the same day Twitter’s shareholders are scheduled to vote on the company’s pending buyout by Musk.

The Twitter board is recommending approval of the buyout.

Zatko's accusations come as Twitter sues Tesla CEO Musk (pictured in May) after he attempted to back out of buying the company for $44 billion, citing Twitter's failure to provide details about the prevalence of bot and spam accounts

Zatko’s accusations come as Twitter sues Tesla CEO Musk (pictured in May) after he attempted to back out of buying the company for $44 billion, citing Twitter’s failure to provide details about the prevalence of bot and spam accounts

Twitter’s full response to whistleblower

‘Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. 

‘What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. 

‘Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. 

‘Security and privacy have long been company-wide priorities at Twitter and will continue to be.’ 

Advertisement

Twitter Chief Executive Parag Agrawal moved to reassure employees on Wednesday, calling a whistleblower’s accusations ‘foundationally, technically and historically inaccurate,’ during a company-wide meeting, audio of which was heard by Reuters.

Twitter General Counsel Sean Edgett also told employees the company reached out proactively to various agencies around the world before the news broke.     

Twitter said Tuesday that Zatko was fired for ‘ineffective leadership and poor performance’ and said the ‘allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.’ 

The company called his 84-page complaint ‘a false narrative’ that is ‘riddled with inconsistencies and inaccuracies and lacks important context.’

Musk called off the sale in July, alleging that Twitter had failed to provide detailed methodology for calculating fake accounts. 

Twitter sued in Delaware Chancery Court, asking a judge to order Musk to go through with the purchase, and Musk counter-sued.

Musk agreed in April to buy Twitter and take it private, offering $54.20 per share and vowing to loosen the company’s policing of content and to root out fake accounts.

As part of the deal, Musk and Twitter had agreed to pay the other a $1 billion breakup fee if either was responsible for the deal collapsing.

In its response to the SEC, Twitter said the review of fake accounts is done manually by humans who check thousands of them. 

The accounts are chosen randomly, and the employees use a complex set of rules ‘that define spam and platform manipulation.’ 

An account is deemed to be false if it violates one or more of the rules, the letter said. The fake accounts are investigated by multiple trained employees, it said.

The SEC also questioned Twitter’s disclosure that it overestimated the number of monetizable accounts from the first quarter of 2019 through the end of last year. 

The agency wrote that the error persisted for three years and asked why the company didn’t consider that a weakness in its financial reporting and controls.

In response, Twitter said the overstatement of accounts had no impact on its financial statements, and that the overstatement was less than 1% of its daily average users. Twitter’s share price was up just over 2% in trading late Wednesday.

Twitter Chief Executive Parag Agrawal (pictured in July) moved to reassure employees on Wednesday, calling a whistleblower's accusations 'foundationally, technically and historically inaccurate,' during a company-wide meeting, audio of which was heard by Reuters

Twitter Chief Executive Parag Agrawal (pictured in July) moved to reassure employees on Wednesday, calling a whistleblower’s accusations ‘foundationally, technically and historically inaccurate,’ during a company-wide meeting, audio of which was heard by Reuters

Twitter says it has 238 million active monthly users, and that about 5% of the accounts it sells ads against are fake, either spam or bots. Twitter said last month that it removes 1 million spam accounts daily. The SEC is interested in both figures as Twitter uses them to attract advertisers

Twitter says it has 238 million active monthly users, and that about 5% of the accounts it sells ads against are fake, either spam or bots. Twitter said last month that it removes 1 million spam accounts daily. The SEC is interested in both figures as Twitter uses them to attract advertisers

Meanwhile, attorneys for Musk and Twitter squared off in court on Wednesday over the key issue of fake accounts, showing potential battle lines for the trial over whether the Tesla boss can be forced to conclude his $44 billion buyout bid.

Musk’s attorney Alex Spiro tried to convince a US judge to order Twitter to hand over billions of ‘data points,’ including user phone numbers and locations, arguing the information is needed to prove Twitter deceived investors and regulators about bots.

Twitter lawyer Bradley Wilson countered that the company deceived nobody, and that Musk wants a ‘do-over’ regarding questions he should have asked before he charged in with his unsolicited buyout offer early this year.

The hearing before Judge Kathaleen McCormick in Delaware Court of Chancery came as the rival sides seek records, messages and more that could be used as ammunition at trial.

‘We saw slide after slide of documents that aren’t before the court on this motion — that Twitter was not fairly presented with an opportunity to respond to — what I think is a preview of Mr. Spiros closing argument in the case,’ Wilson said.

While Twitter has pointed out that Musk opted not to perform due diligence typically seen in merger deals, Spiro told the judge the billionaire trusted the firm’s filings with the Securities and Exchange Commission (SEC).

Spiro argued that Twitter contrived a category of ‘monetizable daily active users’ that it shared publicly to make it seem the company was doing well, while other internal data indicated otherwise.

‘Twitter created its own metric,’ Spiro told the judge. ‘They changed the game; invented their own currency.’

Wilson said the firm made clear in filings that Twitter’s numbers of users and false accounts were estimates.

Twitter opposes handing over certain types of data for reasons including the potential to violate user privacy protected by law, the attorney argued.

‘They want a do-over; they want to recount the spam,’ Wilson said of Musk’s team.

‘They want to get all of the information that the reviewers had so that they can have their experts, I presume, do a count of their own and see if they can come up with a different number.’

Even if Musk’s experts come to a different conclusion about the number of spam accounts at Twitter, that would not amount to a breach significant enough to let him break the buyout contract, Twitter attorneys argue.

Wilson pointed out public comments made by Musk, asking the judge to keep in mind who is asking to be trusted with all that Twitter data.

‘This is someone who has publicly mocked Twitter for seeking to enforce a nondisclosure agreement,’ Wilson said of Musk.

According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey (pictured) in November

According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey (pictured) in November

What do Peiter Zatko’s accusations mean for Elon Musk? 

Elon Musk is engaged in a bitter legal battle over his $44billion acquisition of the social network, claiming Twitter lied about the number of bots on the platform.

Musk’s lawyers have reportedly sought information from a range of mid-level employees and high-level executives regarding Twitter’s user data and how it was collected and analyzed.

The Tesla CEO claims bots or fake accounts represent far more than the five per cent claimed by the company when he offered to buy it in April.

Twitter is suing the world’s richest man for backing out of the deal, claiming he is using the bot issue as a pretext for his buyer’s remorse. 

Twitter reports its user numbers to investors and advertisers, and are a useful metric for its potential value.

The company measures this by counting all users that could be shown an advert, known as monetizable daily active users (mDAUs) and ignoring those who couldn’t because they are known bots.

They said less than five per cent of its mDAUs are fake or spam. 

But Zatko says this obscures the scale of the issue, because bots are seen only as a percentage of mDAUs instead of the total number of accounts.

He claims the company’s head of site integrity admitted he did not know how many total bots are online.

Zatko says the company ‘had no appetite to properly measure the prevalence of bots’ because it could harm its image and value.

His claims could bolster Musk’s legal bid, even though there was no exemption in his takeover bid related to bots. 

Advertisement

U.S. lawmakers are growing increasingly anxious to hear from Zatko.

Leaders of several congressional panels are poring over the disclosures by the respected cybersecurity expert, and calls on Capitol Hill for investigations are mounting. Sen. Richard Blumenthal, D-Conn., called on the FTC to investigate.

‘These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public,’ Blumenthal wrote to FTC Chair Lina Khan.

The Judiciary Committee’s chairman, Sen. Dick Durbin, D-Ill., and its senior Republican, Sen. Chuck Grassley, R-Iowa, said in a joint statement Wednesday that if Zatko’s claims are accurate, ‘they may show dangerous data-privacy and security risks for Twitter users around the world.’

They said the panel ‘will investigate this issue further with a full committee hearing … and take further steps as needed to get to the bottom of these alarming allegations.’

Senior members of the Senate Intelligence and Commerce committees, as well as the House Energy and Commerce panel, also have publicly signaled their engagement on the issue. 

The Senate Intelligence Committee is planning a meeting with Zatko to discuss his allegations, a spokeswoman said, adding, ‘We take this matter seriously.’

With the midterm elections looming in early November, many lawmakers may wish to appear before TV cameras expressing concern about online privacy, an issue that resonates with consumers. 

That means camera lights glaring and outrage thundering from elected representatives as a lone whistleblower stands and takes the oath behind a table ringed by a photographers´ mosh pit – a scene that would mirror former Facebook product manager Frances Haugen’s testimony late last year.

Haugen’s far-reaching condemnation of the company and her allegation that it prioritized profits over safety of the platform were buttressed by a trove of internal Facebook documents.

Zatko´s complaint, by contrast, appears to stand alone, though there may be references to other documents in the unredacted version of the complaint. The Associated Press has been able to view only a redacted version.

Other possible witnesses at congressional hearings could include former Twitter CEO Jack Dorsey and current CEO Parag Agrawal.

Zatko’s attorneys have said that in late 2021, after Twitter´s board was given ‘whitewashed’ information about security problems, Zatko escalated his concerns, ‘clashed’ with Agrawal and board member Omid Kordestani, and was fired two weeks later.

Zatko, whose hacker alias is Mudge, is pictured testifying before the Senate Governmental Affairs hearing on government computer security in 1998

Zatko, whose hacker alias is Mudge, is pictured testifying before the Senate Governmental Affairs hearing on government computer security in 1998

The Twitter debacle has raised hopes among some lawmakers that it could give a boost to comprehensive data-privacy legislation, which has been stalled for years but recently cleared a key House committee – bringing it closer than ever to final passage. It has been held up in the Senate, however.

Rep. Frank Pallone, chairman of the House Energy and Commerce Committee, and its senior Republican, Rep. Cathy McMorris Rodgers, issued a joint statement saying the panel ‘is actively reviewing the Twitter whistleblower disclosure and assessing next steps.’

‘There are still a lot of unknowns and questions that need to be answered,’ they said.

‘Many of these allegations, if true, are alarming and reaffirm the need for Congress to pass comprehensive national consumer privacy legislation to protect Americans´ online data.’

Musk, meanwhile, responded to Zatko’s allegations in several cryptic tweets on Tuesday, including one depicting the Disney cartoon character Jiminy Cricket with the quotation ‘give a little whistle’.

He also cited the Washington Post article to accuse Twitter’s board of deception, writing that ‘spam prevalence *was* shared with the board, but the board chose not disclose that to the public.’  

Compounding the company’s woes, Twitter is also facing more employee departures, company executives told staff on Wednesday.

Employee attrition is currently 18.3%, Twitter executives told staff during a company-wide meeting, audio of which was heard by Reuters. 

Before Musk made his $44 billion offer to buy the company, attrition hovered between 14% and 16%, which was consistent with competitors, executives had previously said.

The months-long chaos related to the Musk takeover has caused some staff to flee, current employees had told Reuters. The staff meeting was held a day after Zatko filed his whistleblower complaint.      

WHO IS THE HACKER, MUDGE? 

Mudge testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time

Mudge testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time

Mudge is a famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes.

Peiter Zatko, known in the hacker world as Mudge, was the best-known member of pioneering Boston hacking group the L0pht as well as the long-lived computer and culture hacking cooperative the Cult of the Dead Cow.

More recently, he headed a Defense Department grant program for computer security projects.   

While involved with the L0pht, Mudge contributed significantly to disclosure and education on information and security vulnerabilities. 

In 2010 Mudge accepted a position as a program manager at Defense Advanced Research Projects Agency (DARPA) a government agency where he oversaw cyber security research.

In 2013 Mudge went to work for Google in their Advanced Technology & Projects division.

Born in December 1970, Mudge graduated from the Berklee College of Music at the top of his class and is an adept guitar player.

Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. 

Mudge was one of the first people from the hacker community to reach out and build relationships with government and industry. In demand as a public speaker, he spoke at hacker conferences such as DEF CON and academic conferences such as USENIX.

He was one of the seven L0pht members who testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time.

In 2000, after the first crippling Internet distributed denial-of-service attacks, he was invited to meet with President Bill Clinton at a security summit alongside cabinet members and industry executives.

In 2004 he became a division scientist at government contractor BBN Technologies, where he originally worked in the 1990s, and also joined the technical advisory board of NFR Security.

In 2010, it was announced that he would be project manager of a DARPA project focused on directing research in cyber security

In 2013 he announced that he would leave DARPA for a position at Google ATAP.

In 2015 Zatko announced on Twitter he would join a project called #CyberUL, a testing organisation for computer security inspired by Underwriters Laboratories, mandated by the White House.

Advertisement