Tag: cybercrime

Elon Musk has been handed a fat golden goose to feed his legal battle over ending his acquisition of Twitter. The tech mogul has been trying to cancel his Twitter-approved $44 billion bid because he believes Twitter has not been transparent about the number of bots on the platform. Twitter’s taken him to court to get him to honor his deal saying it’s honored all requests. Now, however, Musk can cite data from the company’s former head of security, renowned hacker Peiter “Mudge” Zatko, to bolster his claim.

But if Musk is still looking for an actual number of bots, he won’t find that here.

The information comes from an explosive whistleblower complaint that Mudge made earlier this year to the U.S. SEC, FTC and DOJ over Twitter’s cybersecurity and data protection mismanagement, which was made public for the first time earlier today.

That complaint includes a pretty extensive rundown on the subject of bots on Twitter.

To be clear, Mudge has stated that he hadn’t previously shared information with Musk about the topic of bots:

“Mudge began preparing these disclosures in early March 2022, well before Mr. Musk expressed any interest in acquiring Twitter, and has not communicated these disclosures to anyone with a financial interest in Twitter,” the report notes. And to be sure, bots are a huge part of Twitter and have been a topic of discussion for at least a decade at this point. Nevertheless, the complaint as published today by the non-profit Whistleblower Aid includes a specific reference to the spat between Musk and Twitter, with the evidence supplied playing directly into Musk’s hand. (Note: The Washington Post reports that even if Mudge didn’t disclose this information to Musk directly, he was allegedly contacted by Musk for a deposition before this report became public in connection with Musk’s legal case.)

The complaint runs to some 84 pages, with a section of about 11 pages dedicated to the bot issue, centering on how Twitter has repeatedly misrepresented bots on the platform, not just with Musk.

Mudge alleges that not only does Twitter not care about the number of bots on the platform but that “executives are not incentivized to accurately ‘detect’ or report total spam bots on the platform.”

The attempt to move the discussion away from bots at Twitter, he said, was directly related to the creation of a new user metric at the company, monetizable daily active users (mDAUs). Until 2019, the complaint notes, Twitter reported total monthly users, “but stopped because the number was subject to negative swings for a variety of reasons, including situations such as the removal of large numbers of inappropriate accounts and botnets.”

The mDAU metric, which covered “valid user accounts that might click through ads and actually buy a product” has been a subject of criticism precisely for the reason Mudge’s complaint notes: Twitter basically defined the metric to fit a rosier picture of the company. It “could internally define the mDAU formula, and thereby report numbers that would reassure shareholders and advertisers,” it notes.

Executives are incentivized to avoid counting spam bots as mDAU, it continues, “because mDAU is reported to advertisers, and advertisers use it to calculate the effectiveness of ads.” Put simply, it’s not been disclosing or counting bots as part of mDAU because to do so would present a bad picture to advertisers: they’re paying to reach an audience that will never click on ads.

Importantly, the bullseye is never hit here, either. There are “many millions” of active accounts that are not considered as part of mDAU, Mudge’s complaint notes — “either because they are spam bots, or because Twitter does not believe it can monetize them.

“Musk is correct,” he goes on. “Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots.”

The explanation for how hard it is to figure out how many bots are on the platform speaks to how the company does try to avoid this topic at an executive, as well as organizational, level.

When Mudge describes talking to the former Head of Site Integrity about spam bot numbers, the response was simple: “We don’t really know.”

The company could not even provide an accurate upper bound on the total number of spam bots on the platform, he continues, citing three reasons for this: (1) no ability to measure; (2) could not keep up with bots and platform abuse; (3) no appetite to know from senior management, and therefore de-prioritized. His claim is that revealing the actual numbers would harm the company’s reputation and business.

One very interesting detail in the report is about a tool Twitter has called ROPO, short for read-only, phone-only. ROPO is a script that identifies and blocks spam bots based on how little accounts engage in content versus tweet it. The activity imbalance prompts a text message to be sent by Twitter with a one-time code, so that if the account is just a natural lurker, it can verify that is the case. Or if it’s a bot and doesn’t respond, the account switches to read-only.

Mudge notes that an executive during his time there proposed disabling ROPO altogether, claiming that it brought up too many errors. The Site Integrity exec teamed up with Mudge to try to prevent it from getting disabled, since “ROPO was effectively blocking more than 10-12 million bots each month with a surprisingly low rate (<1%) of false positives.”

There is also an extensive rundown of wordplay from the current CEO Parag Agrawal over how many bot accounts there are on the platform. The long and short is that the complaint dances around numbers but never lands on them, which effectively proves the point that Twitter does not have a grip on this number, or at least doesn’t have a grip that it’s willing to disclose.