An explosive whistleblower complaint by Twitter’s former head of security is reigniting conversations about online security and how the site handles bots and spam online — and could complicate billionaire Elon Musk’s legal battle with the social media company.
The whistleblower, Peiter “Mudge” Zatko, alleges a laundry list of failures by Twitter to secure data, maintain user privacy and prevent bots on the platform in a complaint to federal regulators first reported by The Washington Post and CNN. Zatko also alleges that Twitter lied to Musk about how many of its users are bots. Musk had previously seized on the bot issue to justify terminating his $44 billion agreement to purchase Twitter.
Zatko’s complaint arrives as Musk’s legal team is gearing up for a trial in Delaware Chancery Court in October over the billionaire’s attempt to back out of his deal for Twitter. Musk has subpoenaed Zatko, whom Twitter fired in January, to testify. But legal experts are skeptical that Zatko’s claims will sway the outcome of the legal fight — in large part because Musk waived due diligence, setting up a straightforward case concerning established contract law.
“I don’t think it will significantly affect Musk’s case, given the unusually restrictive language in the merger agreement in which Musk effectively waived most of the issues that typically gum up these kinds of transactions,” said Howard Fischer, a former senior trial counsel at the Securities and Exchange Commission and a partner at law firm Moses & Singer.
Brian Quinn, an associate professor at Boston College Law School, predicted that Musk’s legal counsel will lean on the whistleblower allegations, although he is also skeptical that such a strategy would ultimately affect the outcome of the court case.
“I’m not sure it will move the needle in the end,” Quinn said in an email. “First, as reported, the whistleblower describes things that are already known about the bot discussion, but [the complaint] says very little about Twitter’s very hedged bot disclosure. So, I’m not sure he adds much there.”
Musk, an avid Twitter user who has posted blunt updates on the site about his ongoing legal battle, appeared to comment on the whistleblower complaint via Twitter.
The case for Musk
Musk argues that Twitter has misreported its monetizable daily active Twitter users (mDAU) by not owning up to the scale of its bot problem. Twitter claims that around 5 percent of users on the platform are bots. In his complaint, Zatko says a source at Twitter told him there were concerns that accurately identifying the number of bots “would harm the image and valuation of the company.” He also says that “deliberate ignorance was the norm among the executive leadership team” and that Twitter lied to Musk about the number of bots on the platform.
Zatko also says in the complaint that tweets by Twitter CEO Parag Agrawal and Twitter’s previous blog posts “misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots. The reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”
Agrawal said in a statement to Twitter employees Tuesday that Zatko was terminated for ineffective leadership and poor performance and his narrative was “riddled with inconsistencies and inaccuracies.”
While the bot issue is a legal red herring, Quinn said, the notion that Twitter’s board may have failed to disclose significant security problems could help Musk.
“I suspect Musk will very quickly start to harp on how critically important security is,” said Quinn. “I’m pretty confident that he hasn’t thought about security up until now, but suddenly, it’s like a lottery ticket for him. If it’s true that the board has been hiding (improperly) vulnerabilities and not disclosing them in their SEC filings, then that might [be] something he can latch on to.”
Beyond the bots
Ann Lipton, an associate professor of business law and entrepreneurship law at Tulane University, offered a similar analysis. Beyond its allegations about bots, Zatko’s complaint “does report a number of other problems at Twitter concerning things like privacy and security and systems integrity,” she said. “If those add up to a material adverse effect — meaning, a long-term significant financial problem for Twitter — it’s a basis for him to walk away.”
There is also an issue about whether those problems are severe enough that Twitter should have disclosed them in filings to the Securities and Exchange Commission. Zatko explicitly alleges fraud in the complaint.
“Musk has an outside chance at proving fraud — which would be an additional basis for him to walk away,” said Lipton.
Fischer noted that the SEC is “very concerned” about whether public companies have plans for how to continue normal operations in the face of a significant threat or problem, such as a cybersecurity breach, technological failure or other systemic interruption.
“The SEC is very concerned about whether or not public companies employ a robust resiliency plan,” he said. “If Twitter is truly at risk of significant and long-lasting outages, that would likely be a material factor that should be disclosed to investors and in its SEC filings.”
Experts said that taken together, the allegations in the complaint could rise to a “material adverse event,” which would also give Musk additional ammunition for walking away. But there’s not enough information publicly available to know how likely that is.
“Does any of this rise to the level of a material adverse event? I suspect no, but it’s still early,” said Quinn. “Let’s say for argument’s sake the allegations are correct and Twitter is in violation. OK, does that violation rise to the level of an MAE (because not every bad thing is an MAE)? We’ll see, but unless it has a large impact on revenue or operation of the business, I doubt it will.”
Nevertheless, he said, “get ready for security to take center stage until the court reins them in (or not).”
Thanks to Dave Tepps for copy editing this article.