A bombshell Twitter whistleblower complaint alleging the company has major security deficiencies is adding fuel to Elon Musk’s core argument in his case against Twitter as he tries to back out of his $44 billion deal to buy the platform.
Former Twitter security chief Peiter Zatko’s complaint, made public Tuesday, complicates the legal challenge for the social media platform. Twitter is suing in an effort to force Musk to complete his acquisition of the company after he walked away from his binding offer over accusations that Twitter breached the agreement by failing to provide him with sufficient data about spam accounts.
Zatko has had no contact with Musk, and the drafting of the complaint predates Musk’s involvement with Twitter, according to Whistleblower Aid, the group representing Zatko.
Nonetheless, key portions of the redacted 84-page complaint, published by The Washington Post, appear to bolster Musk’s accusations, even referencing tweets from Twitter CEO Parag Agrawal to Musk about the number of bots on the platform as a “recent example of misrepresentations.”
Musk’s legal team is already leaning into using Zatko’s complaint as the Musk-Twitter case heads to an October trial.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” said Alex Spiro, an attorney for Musk.
Twitter’s lawsuit against Musk was filed in July. It marks one of several fronts on which Twitter will have to navigate hurdles in the fallout from the whistleblower complaint, which includes a lengthy list of accusations about security deficiencies that the company denies and will also force Twitter to face scrutiny from Congress and federal regulators that have been increasingly hostile toward tech companies in recent years.
“This throws gasoline into the fire around the bot issue with Musk and Twitter,” Wedbush analyst Dan Ives said. “This alarming story also raises security concerns which will be a major focus of the Beltway on Twitter. For the Musk camp this story is like a kid looking under the tree on Christmas morning heading into Delaware court.”
Twitter is pushing back strongly on Zatko’s allegations — as it has with accusations made by Musk.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter spokesperson said in a statement. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
The spokesperson said Zatko was fired for “ineffective leadership and poor performance.”
Jeffrey Manns, a professor at the George Washington University Law School, said it is too early to tell how the allegations will impact the case, but they could give Musk more leverage to back out of the deal or renegotiate.
“At least up until this day, I think that conventional wisdom is that Elon Musk doesn’t have a lot to hang his hat on when it comes to backing out of the deal,” Manns said.
In order to boost Musk’s case, there needs to be more substance to back up the whistleblower’s claims, he said.
“The accusations are salacious in terms of misconduct and misrepresentation by leadership concerning both the levels of security and the number of fake accounts. But all we know at this point is we have a former employee who is raising what could be legitimate concerns. Until there’s greater scrutiny to show whether the former employee can back that up, the jury is out,” Manns said.
Musk engaged in a public back-and-forth with Agrawal in May, roughly a month after reaching a deal to buy the company, about the number of bots or spam accounts on Twitter.
Agrawal responded by stating that “we are strongly incentivized to detect and remove as much spam as we possibly can.” Zatko’s complaint calls the response a lie, alleging that the metric Twitter uses to quantify the average number of users on the platform that can view ads — called the mDAU, or monetizable daily active user, metric — incentivizes executives to avoid counting spam bots as mDAU because that figure is reported to advertisers. If the mDAU metric included spam bots that do not click through ads, then it could lead advertisers to shift to other platforms.
The complaint alleges there are “many millions of active accounts” not considered mDAU that include spam bots.
“Therefore Musk’s suspicions are on target: senior executives earn bonuses not for cutting spam, but for growing mDAU. In fact, Twitter created the mDAU metric precisely to avoid having to honestly answer the very questions Mr. Musk raised,” the complaint states.
Agrawal later followed up his statement about spam removal with what appeared to be a more direct response to Musk, tweeting that an estimate of less than 5 percent of “reported mDAU” every quarter are spam accounts.
The complaint states Agrawal’s expanded explanation doesn’t include “out-and-out lies but they rely on word play to distract and mislead Mr. Musk, and everyone else” and that the general public would not understand the difference between the metric Agrawal is using and the overall Twitter user population without insight into Twitter’s calculation for mDAU.
Twitter spokeswoman Rebecca Hahn told the Post that Twitter removes more than a million spam accounts every day, adding up to more than 300 million per year. She told the paper that Twitter “fully stands” by its Securities and Exchange Commission (SEC) filings and approach to fighting spam.
Others also questioned Zatko’s accusations, according to the Post’s report.
A person familiar with Zatko’s tenure at Twitter told the Post the company investigated Zatko’s security claims during his time there and concluded they were sensationalistic and without merit. Four people familiar with Twitter’s efforts to fight spam told the Post that the company uses extensive manual and automated tools to measure and reduce spam.
Zatko started at Twitter in November 2020 in the security/integrity lead position after being courted by Twitter founder and then-CEO Jack Dorsey, according to the complaint. He was fired in January.
A core part of Zatko’s complaint alleges that Twitter was not complying with a 2011 consent order from the Federal Trade Commission (FTC) for the past decade. The FTC ordered the company to create and maintain a security program designed to protect privacy and nonpublic consumer information as part of a settlement agreement over an FTC complaint that hackers were able to gain control of Twitter on two occasions in 2009.
Up until the time of Zatko’s termination, Twitter “remained out of compliance in multiple respects” with the 2011 order, the complaint alleges.
The whistleblower disclosure was reportedly sent to the SEC, FTC and Department of Justice (DOJ) last month.
After being publicly released Tuesday, Zatko’s allegations caused an immediate stir in Washington. Lawmakers on both sides of the aisle have criticized Twitter, and the new accusations are prompting calls for an investigation.
The Senate Intelligence Committee received the complaint and is “in the process of setting up a meeting to discuss the allegations in further detail,” a committee spokesperson said.
“We take this matter seriously,” the spokesperson added.
Top senators on the Judiciary Committee also vowed to take action.
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world. As Chair of the Senate Judiciary Committee, I will continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations,” the committee’s chair, Sen. Dick Durbin (D-Ill.), said in a statement.
Sen. Chuck Grassley (R-Iowa), the ranking member of the Judiciary Committee, said in a statement that the claims raise “serious national security concerns as well as privacy issues, and they must be investigated further.”
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Grassley said.
Sen. Ed Markey (D-Mass.) sent letters urging the FTC and DOJ to take action in response to the allegations raised by the whistleblower complaint.
Sen. Richard Blumenthal (D-Conn.) sent a letter to the FTC with a similar request.
“These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public, as Twitter executives appeared to ignore or hinder efforts to address threats to user security and privacy,” Blumenthal wrote.