Twitter’s former security chief has alleged that Twitter has far more spam bots on its platform than it acknowledges, and that executives deprioritized getting an accurate count—in part because the truth may not look good to advertisers. Additionally, the method that Twitter uses to publicize the portion of spam on its platform deliberately ignores most of these fake accounts, Peiter “Mudge” Zatko claims in an 84-page whistleblower disclosure.
The allegations from Zatko, a well-known cybersecurity expert, seem to support those made by Elon Musk, who is locked in a legal battle with Twitter over his bid to buy the company. Musk has said for months that Twitter misled investors about the platform’s financial health, including the proportion of spam bots on the site.
The report also contains allegations that Twitter has “egregious” security and privacy vulnerabilities, and that company executives misled users, the board of directors, and federal regulators about them. A Twitter spokesperson wrote in a statement to TIME in response to questions about the whistleblower disclosures that “security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”
“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.”
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
Most details about spam bots in Zatko’s report aren’t exactly new revelations—indeed, Musk’s legal team took issue with the process of how Twitter counts bots in legal filings earlier this month. Twitter itself has also included numerous references to its process in regulatory filings.
In April, Musk offered to buy Twitter in a deal worth roughly $44 billion. But, in July, he put the deal on hold and is now trying to back out of it—citing the prevalence of spam or fake accounts on the platform. Twitter filed a lawsuit against Musk in an attempt to force him to complete the acquisition.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Musk’s lawyer Alex Spiro told TIME after the whistleblower disclosures were released.
What is mDAU?
At the heart of the dispute over bots: how the company counts the number of people who use Twitter. Starting in 2019, the company stopped reporting raw user numbers and started using its own measure, a statistic it calls monetizable daily active Twitter users (mDAU).
Using a formula that Twitter does not disclose, mDAU excludes many accounts from the total, including those it believes are automated (like spam bots) and accounts it can’t monetize, perhaps because Twitter isn’t selling ads for that region or language. Essentially, these are accounts that may be unlikely to buy anything from an advertiser on Twitter.
The whistleblower’s documents say that disclosing only those spam bots that are part of mDAU is deliberately misleading.
“Twitter created the mDAU metric precisely to avoid having to honestly answer the very questions Mr. Musk raised,” Zatko claims in the whistleblower report.
Twitter’s spam calculation also doesn’t reflect how regular users experience the social media platform, because they still encounter spam bots more often than Twitter’s accounting of spam would suggest, Zatko says.
Twitter says it regularly challenges and suspends accounts for spam, misinformation, and manipulation, removing more than one million accounts a day and locking millions more each week when they fail human-verification requirements such as a CAPTCHA or confirming a phone number or email address.
Twitter did not respond directly to questions about its use of mDAU.
Musk has already contested Twitter’s use of mDAU in his legal filing, and has claimed that if mDAU is proved to be less than representative of the general Twitter population, executives have effectively misrepresented the value of the company.
Twitter, on the other hand, says mDAU is actually a more useful way to count users, because it focuses on those who matter most to its bottom line—those who may buy ads. The vast majority of Twitter’s revenue comes from ad sales.
The company acknowledges that mDAU includes some accounts that are phony, automated, or spam bots, but reports that the figure is less than 5%. And that figure isn’t new: Twitter has published the same qualified estimate for the last three years.
Twitter says it calculated this figure through an internal review of a sample of accounts, a process that it acknowledged in a regulatory filing involves “significant judgment.” The company first takes a random sample of mDAU, then analyzes those accounts by hand to determine whether they are fake or not, using a combination of public and private data like IP address, phone number, geolocation, and account activity.
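As an added illustration (not code from TIME, Twitter or the whistleblower report), the Python below simulates the sampling process just described on a constructed population: a filter standing in for the undisclosed mDAU formula removes most of the bots it detects before the pool is sampled by hand, so the sampled spam share describes only the bots that evaded the filter, not the platform as a whole. All population sizes, bot shares and detection rates are assumed values, not Twitter figures.

```python
# Added example (not TIME's, Twitter's or the whistleblower report's code).
# All sizes, bot shares and detection rates below are constructed values.
import math
import random


def build_population(n_users, bot_share, detect_rate, rng):
    """Return (is_bot, in_mdau) tuples for a constructed user population.

    A filter standing in for the undisclosed mDAU formula drops each bot
    with probability detect_rate; undetected bots and humans stay in mDAU.
    """
    pop = []
    for _ in range(n_users):
        is_bot = rng.random() < bot_share
        in_mdau = not (is_bot and rng.random() < detect_rate)
        pop.append((is_bot, in_mdau))
    return pop


def spam_rate(accounts):
    """Exact share of bots among (is_bot, in_mdau) tuples."""
    return sum(1 for is_bot, _ in accounts if is_bot) / len(accounts)


def sample_estimate(accounts, sample_size, rng, z=1.96):
    """Hand-review stand-in: label a random sample, return the bot fraction
    plus a Wilson 95% interval so the estimate's uncertainty is visible."""
    sample = rng.sample(accounts, sample_size)
    n = sample_size
    p = sum(1 for is_bot, _ in sample if is_bot) / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return p, centre - half, centre + half


def compare(n_users=200_000, bot_share=0.20, detect_rate=0.85,
            sample_size=2_000, seed=1):
    """Platform-wide bot share versus the share a sample of mDAU reports."""
    rng = random.Random(seed)
    pop = build_population(n_users, bot_share, detect_rate, rng)
    mdau = [acct for acct in pop if acct[1]]
    est, lo, hi = sample_estimate(mdau, sample_size, rng)
    return {"platform_rate": spam_rate(pop), "mdau_rate": spam_rate(mdau),
            "mdau_sample_estimate": est, "ci95": (lo, hi)}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the constructed defaults, the whole-platform bot share stays near 20% while the sampled mDAU estimate lands at a few percent, which is the denominator effect the whistleblower report objects to.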
Andrea Stroppa, a cybersecurity researcher who specializes in bots on social media, tells TIME that mDAU is an “ad hoc metric” that was created to protect Twitter’s interests. “Twitter is the only company among the biggest social networks to use monetizable daily active users,” he says. “There is no standard in the industry.”
Although Twitter has a smaller user base than some of its competitors, reporting mDAU instead of monthly active users is an understandable financial strategy, according to Jasmine Enberg, a social media analyst at Insider Intelligence. “Twitter’s switch to publicly reporting mDAUs only came at a time when it was struggling to show growth in monthly users,” she adds. “The company’s value proposition to advertisers has long been the quality of its audience, rather than the overall size of its user base.”
Both Stroppa and Enberg spoke with TIME before the disclosures were made public.
But the bigger issue, according to the whistleblower, is that growing mDAU (and making the company look appealing to advertisers, who want to reach receptive audiences) took priority over many other things that would make the platform better and safer in the long run. Executive compensation was at least partially tied to mDAU, including bonuses of up to $10 million, Zatko alleges.
Zatko reported that one source at the company told him senior management was “concerned that if accurate measurements of spam ever became public, it would harm the image and valuation of the company.”
While Twitter did not directly address Zatko’s allegations about failing to fully disclose the number of spam bots on its platform, a source close to the company says that Zatko’s claims around the time of his exit were “investigated and found to be sensationalistic and lacking merit.”
Additionally, four people familiar with Twitter’s spam detection process told The Washington Post that the company keeps several internal tallies of spam and bots beyond the reported numbers.
Claim: Twitter deprioritized counting spam bots
Zatko alleges that for Twitter’s executive leadership team, “deliberate ignorance was the norm” around getting more accurate numbers. “We don’t really know,” Twitter’s Head of Site Integrity allegedly told Zatko in early 2021 when he asked what the underlying spam bot numbers were. Moreover, Zatko says Twitter could not provide an accurate upper bound on the total number of spam bots on the platform, which Zatko believes is in part because Twitter relied on outdated tools and understaffed teams to police its bots.
Zatko also claims that Twitter staff had in fact figured out an effective way to find and stop bots on its platform, but that the method was under fire from senior executives. The mechanism, known as “Read-Only Phone Only” (ROPO), placed suspected bot accounts into a restricted read-only mode that could be unlocked only if the user manually entered a one-time code sent to an associated phone number. Research performed at Zatko’s direction found that the ROPO method blocked more than 10 million to 12 million bots each month with a false-positive rate of less than 1%. But Zatko says a senior executive proposed disabling the effort after getting direct messages from a handful of users whose accounts were paused. He says that senior executives had proposed disabling this method several times before.
What the whistleblower report means for Musk
Prior to the whistleblower release, legal experts had said Musk must prove that Twitter misrepresented the number of bots on its platform on purpose, something that could be difficult because the company has been public about its use of mDAU as a metric for counting users.
Ann Lipton, a law professor at Tulane University who specializes in corporate litigation, says, “It appears that [Musk’s] strategy is to show that the numbers are so off that the only possible way they could have gotten this 5% number is if they used a dishonest process.” Lipton spoke to TIME before news of the whistleblower report broke.
The contentious discussion about mDAU has been a frequent source of frustration for Musk, whose legal team estimates that 33% of “visible accounts” on the social media platform are false or spam accounts—a calculation that hasn’t been independently verified. Twitter CEO Parag Agrawal, in response, has said external groups can’t verify Musk’s claim because the company “can’t share” the public and private information it uses, like phone numbers.
Twitter has said that whether any given account is counted in mDAU is not available to the public and it even admits the 5% figure could be wrong. “It’s a very hard statement to falsify because it’s so non-committal,” Lipton says. “All Twitter is saying is they have a process for evaluating mDAU and the number may or may not be wrong.”