The new disclosure may help to strengthen Musk’s case and possibly encourage courts to be more attentive to the bot problem. Moreover, Musk’s legal team could attempt to seize on other claims in the disclosure unrelated to bots — including allegations that Twitter made misrepresentations to regulators such as the Federal Trade Commission and Securities and Exchange Commission about its privacy and security practices — as additional reasons he should be able to walk away from the deal.
“For many years, through many public statements [and] SEC filings, Twitter made material misrepresentations and omissions… concerning security, privacy, and integrity,” Zatko’s disclosure says. With Twitter’s potential takeover by Elon Musk at stake, those misrepresentations have particular impact.
Zatko, better known as “Mudge,” is a prominent ethical hacker turned cybersecurity executive whose career has also included stops at Google and the Department of Defense. He was hired as Twitter’s security lead after the massive hack of the platform in 2020, but was fired in January this year after attempting to raise concerns about security weaknesses and possible fraud with the company’s senior leadership.
The disclosure describes security flaws at the company that, Zatko says, could threaten user data and the functioning of the platform, and could even put US national security at risk. He alleges that Twitter’s most senior executives have misled users, regulators and the company itself about the state of its security. According to the disclosure, Zatko asked Twitter to open an investigation into any breaches of the law.
A Twitter spokeswoman said that Zatko had been fired for “ineffective leadership” and poor performance.
The spokesperson stated that “What we have seen is a false narrative regarding Twitter, our privacy and security practices.” The spokesperson added that the timing and content of Mr. Zatko’s allegations appeared designed to attract attention and inflict harm on Twitter, its customers and its shareholders, and that security and privacy have been company priorities since the beginning and will remain so.
Twitter CEO Parag Agrawal sent employees an internal memo on Tuesday, obtained by SME, in which he promised to contest the disclosures and sought to reassure staff. He called the allegations “frustrating” and “confusing to read.”
After Zatko’s disclosure was reported, Alex Spiro, a lawyer for Musk, said that Musk’s legal team had subpoenaed Zatko in connection with the Twitter dispute. Spiro told SME that the team found Zatko’s exit, and those of other key employees, “interesting” in light of what it had uncovered.
Measuring bots properly
In February 2019, Twitter announced it would use a new metric to measure the size of its audience when reporting quarterly financial results. The company, which had seen its user numbers decline for several quarters, said it would stop disclosing monthly active users, a metric commonly used by social media companies, and instead report monetizable daily active users (mDAU), a measure of the number of real users who could be shown an ad on the platform.
Since making the switch, Twitter has reported that spam and fake accounts make up less than 5% of mDAU. Twitter has repeated this figure in its battle with Musk, and the billionaire has questioned it. Twitter has acknowledged in SEC filings that the figure relies on significant judgments that may not accurately reflect reality.
According to Zatko, Twitter counts bots among a group of “non-monetizable users” that it does not report on. Twitter discloses publicly that the 5% figure is a human-reviewed estimate of the bots included in its automated count of monetizable daily active users. That estimate may be useful to advertisers, since it describes fake accounts that could be shown their ads but would not respond to them, but Zatko argues it does not represent the full extent of spam and fake accounts on Twitter.
The disclosure also points to another tweet in Agrawal’s May thread, in which he said Twitter was “strongly incentivized” to remove spam every day. Zatko argues that this statement was misleading: business pressures and bonus structures gave the company’s executives an incentive to increase mDAU, and at times resources and attention for tackling spam on the platform were sacrificed as a result.
Zatko says he began asking questions about bot accounts on Twitter in early 2021 and put the question of how many bots were on the platform to Twitter’s head of site integrity. He told SME that Twitter did not give him the context needed to make sense of its figures.
Zatko also says he came away from conversations with the integrity teams with the understanding that the company had “no appetite to properly assess the prevalence of bots,” partly because publishing that number could harm the company’s image.
Zatko further claims that Twitter’s systems for measuring and removing bots consist largely of simple scripts that are mostly out of date, unmonitored and overloaded.
In an interview with SME earlier this month, he said that the executive team, board, shareholders and users deserve honest answers about what they are consuming on the platform. The internet, he said, shapes a huge part of people’s perceptions of the world, which is scary when you cannot tell the difference between what is true and what is fake.
Twitter says it allows bots on its platform, but its rules prohibit spam and platform manipulation. Like other social media platforms, however, it finds those rules difficult to enforce.
It says it routinely challenges, suspends or removes accounts engaged in spam and platform manipulation, and that it typically removes more than 1 million spam accounts every day. Twitter has acknowledged that these removals are only a fraction of the total spam and fake accounts, but it has said that a total count would not be useful, since it could include accounts Twitter has already acted against, and that it does not believe it could capture every such account, so any count would at best be a minimum.
Zatko says Twitter’s figures on removing spam and fake accounts are difficult to understand without additional context. It is unclear whether that number, which Twitter says represents the spam and fake accounts it catches on a platform with more than 200 million daily users, “is too large or small” for a site of Twitter’s size. Without that context, nobody knows.
Twitter declined to disclose the total or average number of accounts created each day, which would give context to its removal figure.
Bots may not be the only problem
Much of the dispute between Twitter and Musk has focused on bots, an issue that legal experts have said may not be material to the deal even if Twitter were found to have misstated the numbers. Following the disclosure, however, Musk’s legal team may also seize on some of the other serious allegations Zatko makes.
For example, the disclosure alleges that Twitter’s lax security practices and lack of contingency plans could lead to the servers that keep the platform running going down, potentially permanently: a so-called “Black Swan” event that Zatko says nearly occurred in the spring of 2021.
The disclosure states that Twitter “has consistently misrepresented” in SEC filings the company’s ability to recover from an outage of even a few of its systems. It points to the risk factors listed in Twitter’s annual report, where the company states that it has a disaster recovery plan in the event of damage to a data center. Zatko asserts that the recovery plan may not be functional enough to prevent such a Black Swan event.
Twitter declined to answer specific questions about the possibility of data center failures, but said it continues to invest in technology and people to protect the platform. A source familiar with the matter also told SME that Twitter had systems in place for privacy, security and platform health long before Zatko arrived, and that it has continued to invest in them since his departure.
In addition, the disclosure alleges that Twitter violated a 2011 consent order issued by the Federal Trade Commission, under which the company pledged to improve its security measures and protect user privacy. Zatko claims that Twitter’s executives know the company has “never been compliant” with the order, despite their assertions to the contrary.
Twitter said it is compliant with applicable privacy rules and that it has been transparent with regulators about its efforts to correct deficiencies in its systems.
Zatko argues in the disclosure that the shortcomings he identified while leading security at the company could amount to “material adverse effects,” a term for a change that significantly affects a company’s value. That could give Musk more leverage as he tries to exit the deal.
The disclosure refers to the section of Twitter’s merger agreement with Musk in which Twitter states that it does not “infringe or misappropriate any Intellectual Property Rights of other persons” in any way that would have a material adverse effect. The disclosure alleges, however, that Twitter has failed to obtain the appropriate licenses for the data it uses to train its artificial intelligence, which underpins key Twitter features such as the algorithm that ranks the tweets users see.
The disclosure states that “Twitter senior management have known for years that the company never had the correct licenses to the data and/or the software needed to build some key Machine Learning models used to run this service.”
The acquisition agreement defines a material adverse effect as any change or event that has, or would reasonably be expected to have, a material adverse effect on the “business, financial condition, or results of operations” of Twitter. There are several exceptions, including economic and political conditions, “acts of God,” cyberattacks, terrorism and data breaches. A court would have to decide what falls within that definition. The disclosure, however, claims that litigation by the owners of intellectual property used to train Twitter’s AI could expose Twitter to “massive financial damages,” and that an injunction could prevent Twitter from operating key products, which could amount to a material adverse effect.
Unless circumstances have changed since Mudge’s firing in January, the disclosure claims, Twitter continues to operate many core products in this way.
Twitter did not respond to questions about its intellectual property rights to the data it used to train its AI.