Twitter’s former security chief has alleged that Twitter has far more spam bots on its platform than it acknowledges, and that executives deprioritized getting an accurate count—in part because the truth may not look good to advertisers. Additionally, the method that Twitter uses to publicize the portion of spam on its platform deliberately ignores most of these fake accounts, Peiter “Mudge” Zatko claims in an 84-page whistleblower disclosure.
Zatko is a well-respected cybersecurity expert. His allegations appear to line up with those made by Elon Musk, who is embroiled in a legal dispute with Twitter over his attempt to purchase the company. Musk has said for months that Twitter misled investors about the platform’s financial health, including the proportion of spam bots on the site.
Washington Post and CNN first reported Mudge’s whistleblower disclosure, which was filed in July with regulators, including the Securities and Exchange Commission.
The report also contains allegations that Twitter has “egregious” security and privacy vulnerabilities, and that company executives misled users, the board of directors, and federal regulators about them. A Twitter spokesperson wrote in a statement to TIME in response to questions about the whistleblower disclosures that “security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”
“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.”
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
Most details about spam bots in Zatko’s report aren’t exactly new revelations—indeed, Musk’s legal team took issue with the process of how Twitter counts bots in legal filings earlier this month. Twitter included several references to the process itself in its regulatory filings.
Musk had offered to acquire Twitter in an agreement worth approximately $44 billion back in April. But, in July, he put the deal on hold and is now trying to back out of it—citing the prevalence of spam or fake accounts on the platform. In an effort to make Musk complete the acquisition, Twitter brought a lawsuit against him.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Musk’s lawyer Alex Spiro told TIME after the whistleblower disclosures were released.
What does mDAU mean?
How the company counts the people using Twitter is at the core of this dispute. Starting in 2019, the company reported its own measurement, monetizable daily active users (mDAU), instead of raw user numbers.
Using a formula that Twitter does not disclose, mDAU excludes many accounts from the total, including those it believes are automated (like spam bots) and accounts it can’t monetize, perhaps because Twitter isn’t selling ads for that region or language. These accounts are unlikely to purchase anything from an advertiser via Twitter.
The whistleblower’s documents say that disclosing only those spam bots that are part of mDAU is deliberately misleading.
“Twitter created the mDAU metric precisely to avoid having to honestly answer the very questions Mr. Musk raised,” Zatko claims in the whistleblower report.
Twitter’s spam calculation also doesn’t reflect how regular users experience the social media platform, because they still encounter spam bots more often than Twitter’s accounting of spam would suggest, Zatko says.
Twitter says it regularly challenges and suspends accounts for spam, misinformation, and manipulation, removing more than one million accounts a day and locking millions more each week when they fail human-verification checks such as a captcha or confirmation of a phone number or email address.
Twitter has not responded directly to inquiries about the use of mDAU.
Musk has already contested Twitter’s use of mDAU in his legal filing, and has claimed that if mDAU is proved to be less than representative of the general Twitter population, executives have effectively misrepresented the value of the company.
Twitter on the other side claims that mDAU can be a more effective way to count users since it focuses on those who matter most to its bottom line—those who may buy ads. The vast majority of Twitter’s revenue comes from ad sales.
While the company acknowledges that some accounts are fake or automated, it estimates that fewer than 5% of mDAU fall into that category. And that figure isn’t new: Twitter has published the same qualified estimate for the last three years.
Twitter says it calculated this figure through an internal review of a sample of accounts, a process that it acknowledged in a regulatory filing involves “significant judgment.” The company first takes a random sample of mDAU, then analyzes those accounts by hand to determine whether they are fake or not, using a combination of public and private data like IP address, phone number, geolocation, and account activity.
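The scope of the sample decides what the estimate can say. The following is an added illustration, not code from TIME, Twitter or the whistleblower report: it builds a constructed population of accounts with known ground truth, runs a toy automated detector over them, defines mDAU as the accounts the detector did not exclude, and then estimates the spam rate two ways, by reviewing a random sample of mDAU (the sampling method the article describes) and by reviewing a random sample of every account. The bot share, detector recall and false-positive rate are assumptions chosen for the demonstration; the reviewer is assumed to label each sampled account correctly, and the Wilson score interval is used for the sampling uncertainty.

```python
"""Added example: why a spam estimate sampled from mDAU can read below 5%
while the population as a whole contains far more automation. All numbers
here are constructed assumptions, not Twitter's figures."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    is_bot: bool           # ground truth, known only because the data is constructed
    detector_flagged: bool  # what a toy automated detector concluded


def build_population(n, bot_share, detector_recall, false_positive_rate, seed=1):
    """Construct n accounts; bots are flagged with probability detector_recall,
    humans are wrongly flagged with probability false_positive_rate."""
    rng = random.Random(seed)
    accounts = []
    for _ in range(n):
        is_bot = rng.random() < bot_share
        flagged = rng.random() < (detector_recall if is_bot else false_positive_rate)
        accounts.append(Account(is_bot, flagged))
    return accounts


def mdau(accounts):
    """Toy mDAU: every account the detector did not exclude as suspected automation."""
    return [a for a in accounts if not a.detector_flagged]


def wilson_interval(successes, n, z=1.96):
    """Point estimate and 95% Wilson score interval for a proportion."""
    p = successes / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return p, center - half, center + half


def estimate_spam_rate(population, sample_size, seed=2):
    """Simulate manual review of a random sample drawn from `population`.
    Returns (estimate, low, high) for the share of spam accounts."""
    rng = random.Random(seed)
    sample = rng.sample(population, sample_size)
    reviewed_as_spam = sum(1 for a in sample if a.is_bot)  # assumed perfect reviewer
    return wilson_interval(reviewed_as_spam, sample_size)


def compare_scopes(n=50_000, bot_share=0.20, detector_recall=0.85,
                   false_positive_rate=0.01, sample_size=4_000):
    """Same review procedure, two different sampling frames."""
    everyone = build_population(n, bot_share, detector_recall, false_positive_rate)
    within_mdau = estimate_spam_rate(mdau(everyone), sample_size)
    across_all = estimate_spam_rate(everyone, sample_size)
    return {"sampled_from_mdau": within_mdau, "sampled_from_all_accounts": across_all}


if __name__ == "__main__":
    for scope, (est, lo, hi) in compare_scopes().items():
        print(f"{scope:26s} {est:6.1%}  (95% CI {lo:.1%} to {hi:.1%})")
```

With these assumptions most bots are already removed before mDAU is formed, so the within-mDAU review reports a low single-digit percentage with a tight confidence interval, while the same review over all accounts reports roughly the true 20%. Both numbers are honest answers to different questions, which is exactly why the choice of sampling frame matters.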
Andrea Stroppa, a cybersecurity researcher who specializes in bots on social media, tells TIME that mDAU is an “ad hoc metric” that was created to protect Twitter’s interests. “Twitter is the only company among the biggest social networks to use monetizable daily active users,” he says. “There is no standard in the industry.”
Jasmine Enberg, a social media analyst at Insider Intelligence, says that although Twitter’s user base is smaller than its rivals’, reporting mDAU instead of monthly active users makes financial sense. “Twitter’s switch to publicly reporting mDAUs only came at a time when it was struggling to show growth in monthly users,” she adds. “The company’s value proposition to advertisers has long been the quality of its audience, rather than the overall size of its user base.”
TIME spoke to both Stroppa and Enberg before the revelations became public.
The whistleblower claims that the central problem was that growing mDAU, and making the company attractive to advertisers who want to reach the right audiences, took precedence over work that could have made the platform safer and more usable. Zatko claims that executive compensation was tied at least in part to mDAU, including bonuses of up to $10 million.
Zatko reported that one source at the company told him senior management was “concerned that if accurate measurements of spam ever became public, it would harm the image and valuation of the company.”
While Twitter did not directly address Zatko’s allegations about failing to fully disclose the number of spam bots on its platform, a source close to the company says that Zatko’s claims around the time of his exit were “investigated and found to be sensationalistic and lacking merit.”
Additionally, four people familiar with Twitter’s spam detection process told The Washington Post that the company maintains internal statistics that go beyond what it reports.
Claim: Twitter deprioritized the counting of spam bots
Zatko alleges that for Twitter’s executive leadership team, “deliberate ignorance was the norm” when it came to getting more accurate numbers. “We don’t really know,” Twitter’s Head of Site Integrity allegedly told Zatko in early 2021 when he asked what the underlying spam bot numbers were. Zatko also claims Twitter could not give an accurate upper bound for the number of spam bots on the platform, which he attributes to the company relying on outdated tooling and understaffed teams to monitor them.
Zatko claims that Twitter employees had in fact found a way to find and stop bots on the platform, but that senior executives pushed back on it. The mechanism, known as “Read-Only Phone Only” (ROPO), placed suspected bot accounts into a restricted read-only mode that could be unlocked only if the user manually entered a one-time code sent to an associated phone number. Research performed at Zatko’s direction found that ROPO blocked 10 to 12 million bots each month with a false-positive rate below 1%. Zatko claims that a senior executive suggested disabling the mechanism after receiving direct messages from some users whose accounts had been restricted, and that several senior executives had suggested disabling it before.
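The ROPO mechanism as described is a small state machine: a flagged account loses write access, a one-time code goes to the phone number on file, and only a correct code restores the account. The block below is an added sketch of that pattern and is not Twitter’s code; the class name, the six-digit code format, the ten-minute expiry and the five-attempt limit are assumptions. It also shows the two controls a practitioner would insist on and the article does not discuss: the code expires, and guesses are capped, because a six-digit code is trivially brute-forced otherwise. The SMS transport and the clock are injected so the flow can be exercised offline.

```python
"""Added example: a minimal read-only-phone-only (ROPO) style gate. Not
Twitter's implementation; names, limits and message format are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # assumed: code is valid for ten minutes
MAX_ATTEMPTS = 5         # assumed: guesses allowed per issued code


@dataclass
class Challenge:
    code_mac: bytes      # keyed hash of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class ReadOnlyPhoneGate:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms          # callable(phone_number, message)
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret for keying code hashes
        self._read_only = set()
        self._challenges = {}

    def restrict(self, account_id, phone_number):
        """Move a suspected bot into read-only mode and issue a fresh one-time code."""
        self._read_only.add(account_id)
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[account_id] = Challenge(
            code_mac=self._mac(account_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone_number, f"Your one-time unlock code is {code}")

    def can_write(self, account_id):
        return account_id not in self._read_only

    def verify(self, account_id, submitted_code):
        """Return True and lift the restriction only for a fresh, correct code.
        Expired or exhausted challenges are discarded; a new restrict() is needed."""
        challenge = self._challenges.get(account_id)
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
            del self._challenges[account_id]
            return False
        challenge.attempts += 1
        if hmac.compare_digest(self._mac(account_id, submitted_code), challenge.code_mac):
            del self._challenges[account_id]
            self._read_only.discard(account_id)
            return True
        return False

    def _mac(self, account_id, code):
        # Binding the account id into the MAC stops a code issued for one account
        # from being replayed against another.
        return hmac.new(self._key, f"{account_id}:{code}".encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    outbox = []
    gate = ReadOnlyPhoneGate(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    gate.restrict("acct-42", "+15555550100")          # constructed account and number
    print("can write after restrict:", gate.can_write("acct-42"))
    code = outbox[-1][1].split()[-1]                  # stand-in for the user reading the SMS
    print("verify:", gate.verify("acct-42", code))
    print("can write after verify:", gate.can_write("acct-42"))
```

The keyed hash is only defence in depth; with a six-digit code space the attempt cap and expiry are what actually prevent an attacker from unlocking an account by enumeration.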
Musk’s response to the whistleblower reports
Before the whistleblower disclosure became public, legal experts said Musk would have to prove that Twitter deliberately misrepresented the number of bots on its platform, something that could be difficult because the company has been open about its use of mDAU as its metric for counting users.
Ann Lipton, a law professor at Tulane University who specializes in corporate litigation, says, “It appears that [Musk’s] strategy is to show that the numbers are so off that the only possible way they could have gotten this 5% number is if they used a dishonest process.” Lipton spoke to TIME before news of the whistleblower report broke.
The contentious discussion about mDAU has been a frequent source of frustration for Musk, whose legal team estimates that 33% of “visible accounts” on the social media platform are false or spam accounts—a calculation that hasn’t been independently verified. Twitter CEO Parag Agrawal, in response, has said external groups can’t verify Musk’s claim because the company “can’t share” the public and private information it uses, like phone numbers.
Twitter has said that deciding whether a given account belongs in mDAU is a judgment call, and it acknowledges that the 5% figure could be wrong. “It’s a very hard statement to falsify because it’s so non-committal,” Lipton says. “All Twitter is saying is they have a process for evaluating mDAU and the number may or may not be wrong.”