The Twitter whistleblower is a bigger threat than Musk ever was

This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry.

Wednesday, Aug. 24, 2022

Musk is now the least of Twitter's problems

Twitter (TWTR) is having a rough summer. In addition to a lackluster second quarter, it’s battling with Elon Musk over the Tesla CEO's decision to back out of buying the social media company. But matters got exponentially worse for the blue bird on Tuesday, when reports came out that its former security chief Peiter “Mudge” Zatko filed a whistleblower complaint suggesting Twitter is a security trainwreck.

Zatko's report, filed in July with the Securities and Exchange Commission, Department of Justice, and Federal Trade Commission, contends that Twitter disincentivized employees from determining the total number of bots on the platform in favor of growing monetizable daily active users (mDAU), CNN and The Washington Post reported. The firm asserts that less than 5% of those accounts are bots. Zatko, meanwhile, says that Twitter doesn’t understand how many bots are on the platform in general.

What’s more, Zatko claims half of Twitter employees had access to sensitive user data, and that the company hired representatives of India’s government who could access user data without their knowledge.

While the Musk saga has been a drag for Twitter, if Zatko’s claims hold true, the company could face an array of lawsuits from shareholders claiming the social media network lied about its security and operations. It could also get hit with fines from regulators. More damaging, Twitter could end up shedding advertisers if they deem the company untrustworthy.

“Twitter has another potential problem, and it isn't Musk,” Erik Gordon, clinical assistant professor at The University of Michigan Ross School of Business, told Yahoo Finance. “It's other shareholders who claim that they were hurt and claim that Twitter's statements, disclosures amounted to misrepresentation under securities law.”

Twitter’s bot problems run deeper than its battle with Musk

In October, Twitter will try to convince a Delaware court to force Musk to buy the company. Musk, meanwhile, hopes to prove that Twitter misled him about how many bots the platform has.

There are some key nuances to the arguments, though. Twitter has repeatedly said that it estimates that less than 5% of its mDAUs are bots. Musk, meanwhile, says Twitter hasn’t provided enough information about how many bots are on the platform and that the number could be far more than 5% — as much as 20% of mDAUs. This matters because bots don’t see ads and, therefore, can’t make money for the company.

Zatko claims that Twitter doesn't know how many of its total users are spam or bot accounts, and its employees are disincentivized to find out. But he doesn't challenge Twitter's assertion that less than 5% of its mDAUs are bots.

Instead, Zatko claims, Twitter prioritizes growing its mDAUs at the expense of culling bots from Twitter's overarching user numbers beyond mDAUs. The whistleblower further asserts that Twitter executives don’t want to know how many bots are on the service, because it could impact how advertisers and shareholders view the company.

Peiter Zatko, who is also known as Mudge poses for a portrait on Monday August 22, 2022 in Washington, DC. He has worked for Google and Twitter. (Photo by Matt McClain/The Washington Post via Getty Images)

“[CEO Parag] Agrawal’s tweets and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated, systems to measure and block spam bots,” lawyers representing Zatko wrote in a letter to the SEC, DOJ, and FTC. “Mudge discovered the reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”

A Twitter spokesperson reiterated that the company fully stands by its prior statements about the percentage of bot and spam accounts on the service.

But if Zatko's claims are accurate, advertisers and shareholders alike could seek to ditch the company out of fear that the true number of bots is far higher than they had feared.

Shareholders could pummel Twitter with lawsuits

User numbers and bots are just part of the trouble Zatko’s revelations could stir up for Twitter. If his allegations are true, Twitter could face a series of shareholder lawsuits and its executive lineup could be forced out of the door.

According to Zatko, Twitter has never complied with a 2011 FTC settlement that required the company to establish a comprehensive security program to protect user data and prevent the platform from being exploited. Further, Zatko says, Twitter was never on track to meet those requirements.

A Twitter spokesperson refuted Zatko's claims, saying, "While we haven’t received a copy of any specific allegations, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. This will not distract us from the critical work we do to safeguard the privacy and data of our customers."

Some of Zatko's more egregious allegations include the claim that 30% of employee devices had software and security updates disabled, and that Twitter never installed management software on employees’ smartphones that had access to corporate systems. If true, that would mean Twitter, one of the world’s best-known social networks, wasn’t even following the most basic level of cybersecurity preparedness.

And if Zatko’s accusation that Twitter made misrepresentations to the FTC about those issues proves true, the company could face steep fines.

“If, in fact, they were not reporting the full details to the FTC...that's a big issue that they have to deal with,” said TECHnalysis Research president and chief analyst Bob O’Donnell.

FILE - Tesla and SpaceX CEO Elon Musk arrives on the red carpet for the Axel Springer media award in Berlin on Dec. 1, 2020. Musk has spent months alleging that Twitter, the company he agreed to buy for $44 billion, undercounted its fake and spam accounts — and that he shouldn't have to consummate the deal as a result. Now, a whistleblower complaint from Twitter’s former security chief alleging the company misled regulators about its privacy and security protections — and its ability to detect and root out fake accounts — might play into Musk's hands in an upcoming trial that is scheduled for Oct. 17, 2022, in Delaware. (Hannibal Hanschke/Pool Photo via AP, File)
Tesla CEO Elon Musk is attempting to back out of his deal to purchase Twitter. (Hannibal Hanschke/Pool Photo via AP, File)

It’s not just the FTC, though. If Zatko’s claims pan out, Twitter could also face a cavalcade of lawsuits from disgruntled shareholders claiming the company purposely misled them.

“There's a whole stable full of plaintiffs’ securities lawyers who…have paralegals scanning the news all day, looking for things that they could file lawsuits about claiming securities fraud,” Gordon said. “So I think the whistleblower allegations, whether they're true or false, are fresh meat for the security plaintiffs. Twitter is going to be fighting off lots of these securities law class action suits.”

As for Twitter’s executive team, they could end up marching toward the exit if what Zatko says is true. After all, how can you trust the leaders of a company if they’ve lied to shareholders and regulators?

“I think if there's any traction to the whistleblower allegations, then Twitter's next move — even if they win the Musk suit, if they lose the Musk suit — is you throw out the people who are tainted by your problem,” Gordon said. “If your problem is questionable numbers, anybody who was involved with questionable numbers, gets tossed out and you bring in new people and you say to the advertisers, you say to shareholders, the scoundrels are gone. You can trust this new team.”

Of course, none of that is a foregone conclusion. Twitter will likely refute Zatko’s claims one by one, and executives may survive all of this. But the damage to Twitter and its reputation may already be done.

By Daniel Howley, tech editor at Yahoo Finance. Follow him @DanielHowley
