Twitter: SEC calls on firm to reveal how it counts bots as Musk seizes on whistleblower revelations

The crisis surrounding social media giant Twitter Inc. grew on Wednesday as the SEC called for the firm to reveal how it counts bots, Elon Musk seized on whistleblower revelations and the scale of the company’s on-going staff exodus was revealed.

To make matters worse, leaders of several congressional panels are poring over the disclosures by respected cybersecurity expert-turned whistleblower Peiter Zatko, and calls on Capitol Hill for investigations are mounting. 

Zatko – also known by his hacker alias ‘Mudge’ – served as Twitter’s security chief until he was fired early this year. He is due to testify next month at a Senate hearing.

In his complaint, Zatko claimed Twitter prioritized growth over fighting spam and disinformation, and had weak procedures to control fake accounts. Twitter’s CEO called the accusations ‘foundationally, technically and historically inaccurate.’

The accusations come as Twitter sues Tesla CEO Musk after he backed out of buying the company for $44 billion, citing Twitter’s failure to provide details about the prevalence of bot and spam accounts. 

Lawyers for Musk and Twitter faced off in court on Wednesday over the key issue of fake accounts – drawing battle-lines for the trial ahead. The trial is set for October.

A letter revealed on Wednesday that the Securities and Exchange Commission in June asked the company about its methodology for calculating false or spam accounts and ‘the underlying judgments and assumptions used by management.’

Twitter says it has 238 million active monthly users, and that about 5% of the accounts it sells ads against are fake, either spam or bots. Twitter said last month that it removes 1 million spam accounts daily.

The SEC is interested in both figures as Twitter uses them to attract advertisers, whose payments make up a little more than 90 percent of the company’s revenue.

Twitter’s crisis deepened even further on Wednesday as company executives told staff that the firm is facing even more employee departures, with employee attrition is currently sitting at 18.3%.

The SEC’s Division of Corporation Finance asked the questions in the June 15 letter, shortly before Musk raised the issue as grounds to back out of the takeover deal.

Musk has claimed that Twitter is undercounting the number of fake accounts, which inflates the number of real users, echoing Zatko’s accusations.

Such questions from the SEC can be routine, and it wasn’t clear whether the SEC has opened a formal investigation into Twitter’s fake accounts. Neither the SEC nor Twitter would comment Wednesday.

The law firm Wilson Sonsini of Palo Alto, California, replied to the SEC in a June 22 letter saying the company believes it adequately disclosed the methodology in its annual report filed for 2021.

The letter says that Twitter makes its estimates of false accounts with an internal review of sample accounts. 

The number of fake accounts ‘represent the average false or spam accounts in the samples during each monthly analysis period during a quarter,’ the letter said.

It added that fewer than 5% of Twitter’s ‘monetizable’ daily active users were fake accounts in the fourth quarter of last year, the period that the SEC had questioned.

The letter was disclosed in a filing posted by the SEC on Wednesday, a day after Zatko alleged that the company misled regulators about its poor cybersecurity and its negligence in attempting to root out fake accounts that spread disinformation.

Zatko filed the whistleblower complaints last month with the SEC, the Federal Trade Commission and the Department of Justice. 

The legal nonprofit Whistleblower Aid, which is working with Zatko, said he exhausted all attempts to get his concerns resolved inside the company before his firing in January.

Zatko was hired by Twitter in November 2020, months after a serious breach in which young hackers took over the accounts of Barack Obama, Joe Biden and Musk himself. He said at the time he would examine ‘information security, site integrity, physical security, platform integrity – which starts to touch on abuse and manipulation of the platform – and engineering.’

Among Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users. Zatko also accuses the company of deceptions involving its handling of ‘spam’ or fake accounts.

As lawmakers stepped up calls for investigations into Zatko’s allegations, the Senate Judiciary Committee announced Wednesday that Zatko will testify at a hearing on Sept. 13 – the same day Twitter’s shareholders are scheduled to vote on the company’s pending buyout by Musk.

The Twitter board is recommending approval of the buyout.

Twitter Chief Executive Parag Agrawal moved to reassure employees on Wednesday, calling a whistleblower’s accusations ‘foundationally, technically and historically inaccurate,’ during a company-wide meeting, audio of which was heard by Reuters.

Twitter General Counsel Sean Edgett also told employees the company reached out proactively to various agencies around the world before the news broke.     

Twitter said Tuesday that Zatko was fired for ‘ineffective leadership and poor performance’ and said the ‘allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.’ 

The company called his 84-page complaint ‘a false narrative’ that is ‘riddled with inconsistencies and inaccuracies and lacks important context.’

Musk called off the sale in July, alleging that Twitter had failed to provide detailed methodology for calculating fake accounts. 

Twitter sued in Delaware Chancery Court, asking a judge to order Musk to go through with the purchase, and Musk counter-sued.

Musk agreed in April to buy Twitter and take it private, offering $54.20 per share and vowing to loosen the company’s policing of content and to root out fake accounts.

As part of the deal, Musk and Twitter had agreed to pay the other a $1 billion breakup fee if either was responsible for the deal collapsing.

In its response to the SEC, Twitter said the review of fake accounts is done manually by humans who check thousands of them. 

The accounts are chosen randomly, and the employees use a complex set of rules ‘that define spam and platform manipulation.’ 

An account is deemed to be false if it violates one or more of the rules, the letter said. The fake accounts are investigated by multiple trained employees, it said.

The SEC also questioned Twitter’s disclosure that it overestimated the number of monetizable accounts from the first quarter of 2019 through the end of last year. 

The agency wrote that the error persisted for three years and asked why the company didn’t consider that a weakness in its financial reporting and controls.

In response, Twitter said the overstatement of accounts had no impact on its financial statements, and that the overstatement was less than 1% of its daily average users. Twitter’s share price was up just over 2% in trading late Wednesday.

Meanwhile, attorneys for Musk and Twitter squared off in court on Wednesday over the key issue of fake accounts, showing potential battle lines for the trial over whether the Tesla boss can be forced to conclude his $44 billion buyout bid.

Musk’s attorney Alex Spiro tried to convince a US judge to order Twitter to hand over billions of ‘data points,’ including user phone numbers and locations, arguing the information is needed to prove Twitter deceived investors and regulators about bots.

Twitter lawyer Bradley Wilson countered that the company deceived nobody, and that Musk wants a ‘do-over’ regarding questions he should have asked before he charged in with his unsolicited buyout offer early this year.

The hearing before Judge Kathaleen McCormick in Delaware Court of Chancery came as the rival sides seek records, messages and more that could be used as ammunition at trial.

‘We saw slide after slide of documents that aren’t before the court on this motion — that Twitter was not fairly presented with an opportunity to respond to — what I think is a preview of Mr. Spiros closing argument in the case,’ Wilson said.

While Twitter has pointed out that Musk opted not to perform due diligence typically seen in merger deals, Spiro told the judge the billionaire trusted the firm’s filings with the Securities and Exchange Commission (SEC).

Spiro argued that Twitter contrived a category of ‘monetizable daily active users’ that it shared publicly to make it seem the company was doing well, while other internal data indicated otherwise.

‘Twitter created its own metric,’ Spiro told the judge. ‘They changed the game; invented their own currency.’

Wilson said the firm made clear in filings that Twitter’s numbers of users and false accounts were estimates.

Twitter opposes handing over certain types of data for reasons including the potential to violate user privacy protected by law, the attorney argued.

‘They want a do-over; they want to recount the spam,’ Wilson said of Musk’s team.

‘They want to get all of the information that the reviewers had so that they can have their experts, I presume, do a count of their own and see if they can come up with a different number.’

Even if Musk’s experts come to a different conclusion about the number of spam accounts at Twitter, that would not amount to a breach significant enough to let him break the buyout contract, Twitter attorneys argue.

Wilson pointed out public comments made by Musk, asking the judge to keep in mind who is asking to be trusted with all that Twitter data.

‘This is someone who has publicly mocked Twitter for seeking to enforce a nondisclosure agreement,’ Wilson said of Musk.

U.S. lawmakers are growing increasingly anxious to hear from Zatko.

Leaders of several congressional panels are poring over the disclosures by the respected cybersecurity expert, and calls on Capitol Hill for investigations are mounting. Sen. Richard Blumenthal, D-Conn., called on the FTC to investigate.

‘These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public,’ Blumenthal wrote to FTC Chair Lina Khan.

The Judiciary Committee’s chairman, Sen. Dick Durbin, D-Ill., and its senior Republican, Sen. Chuck Grassley, R-Iowa, said in a joint statement Wednesday that if Zatko’s claims are accurate, ‘they may show dangerous data-privacy and security risks for Twitter users around the world.’

They said the panel ‘will investigate this issue further with a full committee hearing … and take further steps as needed to get to the bottom of these alarming allegations.’

Senior members of the Senate Intelligence and Commerce committees, as well as the House Energy and Commerce panel, also have publicly signaled their engagement on the issue. 

The Senate Intelligence Committee is planning a meeting with Zatko to discuss his allegations, a spokeswoman said, adding, ‘We take this matter seriously.’

With the midterm elections looming in early November, many lawmakers may wish to appear before TV cameras expressing concern about online privacy, an issue that resonates with consumers. 

That means camera lights glaring and outrage thundering from elected representatives as a lone whistleblower stands and takes the oath behind a table ringed by a photographers´ mosh pit – a scene that would mirror former Facebook product manager Frances Haugen’s testimony late last year.

Haugen’s far-reaching condemnation of the company and her allegation that it prioritized profits over safety of the platform were buttressed by a trove of internal Facebook documents.

Zatko´s complaint, by contrast, appears to stand alone, though there may be references to other documents in the unredacted version of the complaint. The Associated Press has been able to view only a redacted version.

Other possible witnesses at congressional hearings could include former Twitter CEO Jack Dorsey and current CEO Parag Agrawal.

Zatko’s attorneys have said that in late 2021, after Twitter´s board was given ‘whitewashed’ information about security problems, Zatko escalated his concerns, ‘clashed’ with Agrawal and board member Omid Kordestani, and was fired two weeks later.

The Twitter debacle has raised hopes among some lawmakers that it could give a boost to comprehensive data-privacy legislation, which has been stalled for years but recently cleared a key House committee – bringing it closer than ever to final passage. It has been held up in the Senate, however.

Rep. Frank Pallone, chairman of the House Energy and Commerce Committee, and its senior Republican, Rep. Cathy McMorris Rodgers, issued a joint statement saying the panel ‘is actively reviewing the Twitter whistleblower disclosure and assessing next steps.’

‘There are still a lot of unknowns and questions that need to be answered,’ they said.

‘Many of these allegations, if true, are alarming and reaffirm the need for Congress to pass comprehensive national consumer privacy legislation to protect Americans´ online data.’

Musk, meanwhile, responded to Zatko’s allegations in several cryptic tweets on Tuesday, including one depicting the Disney cartoon character Jiminy Cricket with the quotation ‘give a little whistle’.

He also cited the Washington Post article to accuse Twitter’s board of deception, writing that ‘spam prevalence *was* shared with the board, but the board chose not disclose that to the public.’  

Compounding the company’s woes, Twitter is also facing more employee departures, company executives told staff on Wednesday.

Employee attrition is currently 18.3%, Twitter executives told staff during a company-wide meeting, audio of which was heard by Reuters. 

Before Musk made his $44 billion offer to buy the company, attrition hovered between 14% and 16%, which was consistent with competitors, executives had previously said.

The months-long chaos related to the Musk takeover has caused some staff to flee, current employees had told Reuters. The staff meeting was held a day after Zatko filed his whistleblower complaint.