Twitter’s former security chief has alleged that Twitter has far more spam bots on its platform than it admits, and that executives have not prioritized getting an accurate count, in part because the truth might not look good to advertisers. In addition, the method Twitter uses to report the spam share of its platform deliberately ignores most of these fake accounts, Peter “Mudge” Zatko claims in an 84-page disclosure.
The claims of Zatko, a well-known cybersecurity expert, appear to support those of Elon Musk, who is locked in a legal battle with Twitter over his offer to buy the company. Musk has said for months that Twitter misled investors about the financial health of the platform, including the share of spam bots on the site.
The report also contained allegations that Twitter had “reckless” security and privacy vulnerabilities and that the company’s executives had misled users, its board of directors and federal regulators about them. A Twitter spokesperson wrote in a statement to TIME in response to questions about the whistleblower disclosures that “security and privacy have long been priorities for the entire Twitter company, and we still have a lot of work ahead of us.”
“Mr. Zatko was fired as a senior executive at Twitter for poor performance and ineffective leadership more than six months ago. While we have not had access to the specific allegations that have been made, what we have seen so far is a telling story of our privacy practices and data security that is full of inconsistencies and inaccuracies and lacks important context.”
“Mr. Zatko’s allegations and opportunistic timing appear designed to attract attention and harm Twitter, its customers and its shareholders.”
Most of the details about spam bots in Zatko’s report are not new revelations. Musk’s legal team took issue with how Twitter counts bots in legal filings earlier this month, and Twitter itself has included multiple references to its process in regulatory filings.
In April, Musk offered to buy Twitter in a deal worth about $44 billion. But in July he moved to pull out of the deal, citing the proliferation of spam or fake accounts on the platform. Twitter filed a lawsuit against Musk in an attempt to force him to complete the acquisition.
“We have already issued a subpoena for Mr. Zatko and found his exit and that of other key employees to be curious in light of what we discovered,” Musk’s attorney Alex Spiro told TIME after the whistleblower disclosures were made public.
What is mDAU?
At the heart of the bot controversy: how the company counts the number of people who use Twitter. Starting in 2019, the company stopped reporting its monthly active user count and started using its own measure, a statistic it calls monetizable Twitter daily active users (mDAU).
Using a formula that Twitter doesn’t disclose, mDAU excludes many accounts from the total, including those it considers automated (like spam bots) and accounts it can’t monetize, perhaps because Twitter doesn’t sell ads for that region or language. Essentially, these are accounts that are unlikely to buy anything from a Twitter advertiser.
The whistleblower’s documents say that disclosing only those spam bots that are part of mDAU is intentionally misleading.
“Twitter created the mDAU metric precisely to avoid having to answer honestly the very questions raised by Mr. Musk,” Zatko claimed in the whistleblower report.
Twitter’s spam count also doesn’t reflect how average users experience the social media platform, as they still encounter spam bots more often than Twitter’s spam count suggests, Zatko says.
Twitter says it regularly challenges and suspends accounts for spam, misinformation and manipulation, and removes more than a million accounts a day and locks millions more every week if they don’t pass human verification requirements — which include captchas and verifying phone or email addresses.
Twitter did not directly respond to questions about mDAU usage.
Musk has already disputed Twitter’s use of mDAU in legal filings and said that if mDAU is proven to be less representative of Twitter’s overall population, executives have effectively misrepresented the company’s value.
Twitter, on the other hand, says mDAU is actually a more useful way to count users because it focuses on those that matter most to the bottom line: accounts that can be shown ads. The majority of Twitter’s revenue comes from ad sales.
The company acknowledges that mDAU includes some accounts that are fake, automated or spam bots, but reports that number is below 5%. And this figure is not new: Twitter has published the same qualified estimate for the past three years.
Twitter says it calculated that figure through an internal review of a sample of accounts, a process it admits in a regulatory filing involves “significant judgment.” The company first takes a random sample of mDAUs, then analyzes those accounts by hand to determine whether they are fake or not, using a combination of public and private data such as IP address, phone number, geolocation and account activity.
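The sampling process described above yields an estimate, not a count, and how much that estimate can rule in or out depends on the sample size. The following Python is an added illustration, not Twitter’s code or methodology: it draws a deterministic random sample from a constructed population, computes a Wilson score interval for the observed spam share, and reports whether a 5% threshold is actually excluded. The sample counts (38 of 1,000 and 380 of 10,000 reviewed accounts flagged as spam) are constructed for the example; in practice the labels would come from the manual review the filing describes.

```python
import math
import random

# Added illustration of a sample-based spam-share estimate. The population,
# the sample counts and the 95% confidence level are assumptions for this
# example, not figures from Twitter's filings.


def draw_sample(population_ids, n, seed=0):
    """Deterministic simple random sample of account ids (seeded for reproducibility)."""
    if n > len(population_ids):
        raise ValueError("sample larger than population")
    return random.Random(seed).sample(list(population_ids), n)


def wilson_interval(k, n, z=1.96):
    """Wilson score interval for a binomial proportion k/n; z=1.96 is ~95% confidence.

    Unlike the naive normal interval, this stays inside [0, 1] and behaves
    sensibly when k is small, which is the regime a 'below 5%' claim lives in.
    """
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n and n > 0")
    p = k / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def spam_share_report(k, n, threshold=0.05):
    """Point estimate, interval, and whether the upper bound is actually below the threshold."""
    low, high = wilson_interval(k, n)
    return {
        "point": k / n,
        "low": low,
        "high": high,
        "upper_bound_below_threshold": high < threshold,
    }


def sample_size_for_margin(p, margin, z=1.96):
    """Reviewed accounts needed for a +/- margin interval around a share near p (normal approx)."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


if __name__ == "__main__":
    # Constructed population of 50,000 account ids; the reviewer labels are the
    # constructed counts below, standing in for manual analysis of each sampled account.
    population = [f"acct-{i}" for i in range(50_000)]
    sample = draw_sample(population, 1000, seed=42)
    small = spam_share_report(38, len(sample))        # 3.8% observed in 1,000 reviews
    large = spam_share_report(380, 10_000)            # 3.8% observed in 10,000 reviews
    print("n=1000 :", small)     # upper bound ~5.2%: 'below 5%' is not established
    print("n=10000:", large)     # upper bound ~4.2%: now it is
    print("reviews for +/-1 point near 5%:", sample_size_for_margin(0.05, 0.01))
```

The point of the two reports is the one a reviewer should check before accepting any “below 5%” figure: with the same observed share, a thousand hand-reviewed accounts leave the threshold inside the interval, while ten thousand exclude it. A filing that gives the estimate without the sample size is, as the law professor quoted later in this piece puts it, very hard to falsify.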
Andrea Stropa, a cybersecurity researcher who specializes in social media bots, told TIME that mDAU is an “ad hoc metric” that was created to protect Twitter’s interests. “Twitter is the only company among the major social networks that uses monetizable daily active users,” he says. “There is no industry standard.”
Although Twitter has a smaller user base than some of its competitors, reporting mDAUs instead of monthly active users is an understandable financial strategy, according to Jasmine Enberg, a social media analyst at Insider Intelligence. “Twitter’s move to publicly report mDAUs came just as it was struggling to show growth in monthly users,” she adds. “The company’s value proposition to advertisers has long been the quality of its audience, not the total size of its user base.”
Both Stropa and Enberg spoke to TIME before the revelations were published.
But the bigger problem, according to the whistleblower, is that growing mDAU (and making the company look attractive to advertisers looking to reach receptive audiences) has taken priority over many other things that would make the platform better and safer in the long term. The CEO’s compensation was at least partially tied to mDAU, including bonuses of up to $10 million, Zatko alleged.
Zatko reported that a source at the company told him that senior management was “concerned that if accurate spam measurements ever became public, it would damage the company’s image and valuation.”
While Twitter did not directly address Zatko’s accusations that it failed to fully disclose the number of spam bots on its platform, a source close to the company said that Zatko’s claims around the time of his departure were “investigated and it was determined that they are sensational and baseless.”
In addition, four people familiar with Twitter’s spam detection process told The Washington Post that the company maintains several internal spam and bot reports beyond the reported numbers.
Claim: Twitter is deprioritizing spam bot counts
Zatko claims that for Twitter’s executive leadership team, “willful ignorance was the norm” about getting more accurate numbers. “We really don’t know,” Twitter’s head of site integrity allegedly told Zatko in early 2021 when asked what the spam bot numbers were. Zatko also says Twitter can’t provide an accurate upper limit on the total number of spam bots on the platform, which Zatko says is partly because Twitter relies on outdated tools and understaffed teams to control its bots.
Zatko also claims that Twitter staff have actually devised an effective way to find and stop bots on the platform, but that the method has come under fire from senior executives. The mechanism, known as Read Only Phone Only (ROPO), puts suspected bot accounts into a restricted read-only mode that can only be unlocked if the user manually enters a one-time code sent to an associated phone number. Research conducted at Zatko’s direction found that ROPO blocks 10 to 12 million bots each month with less than 1% false positives. But Zatko says a senior executive suggested disabling the effort after receiving direct messages from a handful of users whose accounts had been paused, and that senior executives had suggested disabling the method several times before.
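To make the ROPO idea concrete, here is an added Python sketch of a read-only hold cleared by a phone-delivered one-time code. It is a hypothetical model written for this page, not Twitter’s implementation: the action names, the 10-minute code lifetime, the five-attempt cap, the in-memory storage and the stand-in SMS gateway are all assumptions. It does show the properties a practitioner would want from such a hold: reads keep working, writes are refused, the code is stored only as a digest bound to the account, comparison is constant-time, stale or over-tried codes are burned, and an account with no phone on file cannot be cleared this way at all (which is exactly the case that generates the complaints from paused users the text mentions).

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical ROPO-style hold. All names and thresholds are assumptions for
# this example, not Twitter's code or its actual parameters.
OTP_TTL_SECONDS = 600          # assumed lifetime of a challenge code
OTP_MAX_ATTEMPTS = 5           # assumed wrong-guess cap before the code is burned
WRITE_ACTIONS = {"tweet", "retweet", "like", "follow", "dm"}


class Account:
    def __init__(self, user_id, phone=None):
        self.user_id = user_id
        self.phone = phone              # associated phone number, or None
        self.read_only = False
        self._challenge = None          # (code_digest, expires_at, attempts_left)


class PhoneGateway:
    """Stand-in for an SMS provider: records what would have been sent (constructed, test-only)."""
    def __init__(self):
        self.sent = []                  # list of (phone, code)

    def send(self, phone, code):
        self.sent.append((phone, code))


def restrict(account):
    """Place a suspected automated account into read-only mode."""
    account.read_only = True


def perform(account, action):
    """Reads always succeed; write actions are refused while the hold is in place."""
    if action in WRITE_ACTIONS and account.read_only:
        return False
    return True


def _digest(account, code):
    # Bind the digest to the account id so a code cannot be replayed across users.
    return hashlib.sha256(f"{account.user_id}:{code}".encode()).hexdigest()


def request_unlock(account, gateway, now=None):
    """Issue a fresh one-time code to the associated phone. False if not held or no phone."""
    if not account.read_only or account.phone is None:
        return False
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"          # CSPRNG, zero-padded 6 digits
    account._challenge = (_digest(account, code), now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS)
    gateway.send(account.phone, code)
    return True


def verify_unlock(account, submitted, now=None):
    """Clear the hold if the code matches, is unexpired and attempts remain."""
    if account._challenge is None:
        return False
    now = time.time() if now is None else now
    code_digest, expires_at, attempts_left = account._challenge
    if now > expires_at or attempts_left <= 0:
        account._challenge = None                        # burn stale or exhausted challenge
        return False
    if hmac.compare_digest(code_digest, _digest(account, submitted)):
        account._challenge = None
        account.read_only = False
        return True
    account._challenge = (code_digest, expires_at, attempts_left - 1)
    return False


if __name__ == "__main__":
    gw = PhoneGateway()
    acct = Account("u1", phone="+15555550100")       # constructed account
    restrict(acct)
    print("tweet while held:", perform(acct, "tweet"))          # False
    print("read while held :", perform(acct, "read_timeline"))  # True
    request_unlock(acct, gw)
    _, code = gw.sent[-1]                            # in reality the user reads this from SMS
    print("unlock with code:", verify_unlock(acct, code))       # True
    print("tweet after     :", perform(acct, "tweet"))          # True
```

Two design choices matter for the false-positive story in the text. The hold is reversible by the account holder without staff involvement, which is what keeps a sub-1% false-positive rate tolerable at the scale quoted; and the unlock path is gated on a phone the account already had on file, so a real person with no phone associated is stuck in read-only until some other recovery path is offered, which is where the direct messages to executives would come from.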
What the whistleblower report means for Musk
Before the whistleblower’s release, legal experts said Musk had to prove that Twitter misrepresented the number of bots on its platform on purpose — something that could be difficult since the company has publicly disclosed its use of mDAU as a counting metric to users.
Anne Lipton, a law professor at Tulane University who specializes in corporate litigation, says, “It appears that [Musk’s] strategy is to show that the numbers are so bad that the only possible way they could have gotten that 5% is if they used a dishonest process.” Lipton spoke with TIME before news of the whistleblower report broke.
The contentious mDAU debate is a frequent source of frustration for Musk, whose legal team estimates that 33% of “visible accounts” on the social media platform are fake or spam accounts, a figure that has not been independently verified. Twitter CEO Parag Agrawal responded by saying that outside groups could not confirm Musk’s claim because the company “cannot share” the public and private information it uses, such as phone numbers.
Twitter has said that whether an account counts in mDAU is not publicly available, and even acknowledged that the 5% figure could be wrong. “This claim is very hard to falsify because it’s so non-committal,” says Lipton. “All Twitter is saying is that they have a process to estimate mDAU, and the number may or may not be wrong.”