Twitter Whistleblower Seems to Confirm Twitter’s Legal Argument About Spam

Donie O’Sullivan, Clare Duffy, and Brian Fung, CNN:

Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.


The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).

You can read Mudge’s whistleblower disclosure and infosec report — both PDFs — for yourself, if you would like. Both contain heavily redacted sections, especially around claims of corporate fraud.

Mike Masnick reviewed these reports in two parts at Techdirt. Masnick’s first analyzed Mudge’s claims about Twitter’s security infrastructure, its compliance with an FTC consent decree, and whether it had hired foreign spies deeply embedded in the company. The second piece, published today, is exclusively responding to the many stories claiming Mudge’s investigations will help Elon Musk’s justification for backing out of his acquisition of Twitter:

So, let’s dive into those details. The first and most important thing to remember is that, even as Musk insists otherwise, the Twitter lawsuit is not about spam. It just is not. I’m not going to repeat everything in that earlier story explaining why not, so if you haven’t read that yet, please do. But the core of it is that Musk needed an escape hatch from the deal he didn’t want to consummate and the best his lawyers could come up with was to claim that Twitter was being misleading in its SEC reporting regarding spam. (As an aside, there is very strong evidence that Musk didn’t care at all about the SEC filings until he suddenly needed an escape hatch, and certainly didn’t rely on them).


Reading through all of this, anyone who actually understands the details — including what’s at play in the lawsuit — should see that Mudge is actually confirming the only thing that matters for the lawsuit: that the numbers Twitter reported to the SEC for mDAU involves estimating how much spam they mistakenly include in mDAU and not how much spam is on the platform as a whole. If the actual total amount of spam on the platform is higher than that, it doesn’t help Musk, because Musk’s legal argument is predicated on the <5% reported to the SEC.

Ryan Mac and Kate Conger, of the New York Times, listened in on a company meeting today:

Other executives — including Sean Edgett, the general counsel, and the privacy and security executives Damien Kieran and Lea Kissner — echoed Mr. Agrawal.

“We have never made a material misrepresentation to a regulator, to our board, to all of you,” Mr. Edgett said. “We are in full compliance with our F.T.C. consent decree.” He added that an external auditor reviews Twitter’s compliance with the decree every two years.

I read both of the PDFs linked above and, if true, they paint a picture of a company where developers have extraordinary latitude with few access controls and virtually no logging of their actions. If Mudge’s claims prove correct, Twitter’s board has been misled and the company constantly puts its users’ activity at risk. But after reading Masnick’s careful analysis, I am less convinced of the more headline-making claims in these documents.