REMEMBER: It is possible to believe both that Elon Musk’s case against Twitter is mostly bullshit … and also believe that Twitter is an extraordinarily badly run and dysfunctional company.
24 August 2022 – Of the many things that can be said about Elon Musk, one that I often return to is that he is really a CEO for the people. By that, I mean he’s an executive whose image is perpetually shaped and bolstered by the masses who adore him, look up to him or are in other ways obsessed by him.
And so it is somewhat fitting that he appeared to receive some legal help not from the courts but from “the people”, specifically a former Twitter executive who decided in this moment to go public with a whistleblower complaint that included, among other things, the allegation that Twitter has no idea how many bots are on its platform. Of course, Musk, beset with buyer’s remorse for his $44 billion impulse buy, has been making that same claim to get out of the deal. What a coincidence! More on the whistleblower in a moment.
Ultimately, I think this episode will go down as one of many footnotes in this circus of a trial, set for October. I can’t really imagine that the judge – who basically has to decide on the enforceability of merger agreements, not whether someone stretched the truth while negotiating a deal – will care much. Investors seem to disagree. Twitter stock fell 3.1% on the news, presumably because investors felt less certain Musk would be forced to be their white knight. Tesla was up 2.3% on the day, presumably because they thought the complaint increased the odds that their bosses wouldn’t have to sell or leverage their Tesla shares – or endure the distraction of owning Twitter.
But there is, of course, “the Akorn lifeline” on which the Musk team might be pinning their hopes. I’ll discuss that below.
The technology writer in me was also fascinated to watch the media coverage of the whole episode. I’m old enough to remember when whistleblowers hated the limelight. The classic for me was the Jeffrey Wigand case. Wigand is the American biochemist who became nationally known as a whistleblower when he appeared on the CBS news program 60 Minutes and stated that Brown & Williamson had intentionally manipulated its tobacco blend with chemicals such as ammonia to increase the effect of nicotine in cigarette smoke. He was subsequently harassed and received anonymous death threats. He was played by Russell Crowe in the movie “The Insider”.
Not these days. The Twitter whistleblower, security exec Peiter “Mudge” Zatko, worked with a professional team to deliver coordinated coverage in The Washington Post and CNN.
I am, of course, all for critics going public with their complaints and owning them. I also think we must factor the publicity they get by doing it into their claims. I suspect that with the high-profile nature of this trial, Zatko won’t be the last word we hear from people talking about their time at Twitter. Journalists should cover the claims but, as always, they should spend the most time trying to get to the truth.
In brief: In one of his first official acts as Twitter CEO, Parag Agrawal fired the company’s chief information security officer, Rinki Sethi, and its head of security, Peiter Zatko. It was the latter firing that surprised everybody. Zatko (who is known within cybersecurity circles as “Mudge”) is a veteran hacker who had previously worked at DARPA, Google, and Stripe. If you are in cybersecurity, you know this guy.
Zatko joined the company in 2020 after being recruited personally by then-CEO Jack Dorsey, after a deeply embarrassing hack in which teenagers temporarily took over the accounts of Barack Obama, Joe Biden, Elon Musk, and other celebrities. Agrawal told employees little about his rationale for firing Zatko and Sethi, saying only that the “nature of this situation” prevented him from saying more, the Times reported. Zatko maintained his public silence for eight months – and then showed up yesterday throwing bombs.
In an 84-page complaint (yes, I read it) filed with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, Zatko alleges severe negligence on the part of Agrawal and other company executives in protecting user data, misleading government officials, and violating a 2011 consent decree with the FTC. In preparing the complaint, Zatko worked with Whistleblower Aid, the same group that assisted Frances Haugen when she blew the whistle on Facebook last year; Whistleblower Aid worked with Zatko to secure prominent coverage of his complaint in CNN and the Washington Post.
Having read the complaint, I think The Washington Post summaries it very well:
Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes. The complaint — filed last month with the Securities and Exchange Commission and the Department of Justice, as well as the FTC — says thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.
In addition, the whistleblower document alleges the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam. Chief executive Parag Agrawal was “lying” when he tweeted in May that the company was “strongly incentivized to detect and remove as much spam as we possibly can,” the complaint alleges.
Fun stuff. Given the Elon Musk angle, the bot stuff is inherently more interesting, and what could be dryer than “violat[ing] the terms of an 11-year-old settlement with the Federal Trade Commission”? In fact, though, the latter seems like a serious and well-founded allegation that is likely to cause Twitter a substantial amount of trouble in the future.
NOTE TO MY READERS: the FTC’s 2011 complaint alleged that Twitter, contrary to its public statements to users, made it trivially easy for its employees to log into Twitter, wherein they had total access to all of Twitter, and that this poor security had been leveraged by hackers, including sending tweets from then President Obama’s account.
What had happened was an intruder used an automated password guessing tool to derive an employee’s administrative password, after submitting thousands of guesses into Twitter’s public login webpage. The password was a weak, lowercase, letter-only, common dictionary word. Using this password, the intruder could access nonpublic user information and nonpublic tweets for any Twitter user. In addition, the intruder could, and did, reset user passwords, some of which the intruder posted on a website.
The poor security and corresponding FTC violation is, by far, the most substantial part of the complaint (with the caveat that nearly the entire section on Agrawal’s alleged fraud in his representations to the Board of Directors is redacted).
The first 10 pages of allegations, though, are about bots, which are at the center of Musk’s case as to why he shouldn’t have to abide by his agreement to buy Twitter. And you’ll get an education on Twitter’s proprietary (but opaque) metric they called “mDAU” or “Monetizable Daily Active Users,” defined as valid user accounts that might click through ads and actually buy a product. From Twitter’s perspective, “mDAU” was an improvement because it could internally define the mDAU formula, and thereby report numbers that would reassure shareholders and advertisers. Executives’ bonuses (which can exceed $10 million) are tied to growing mDAU. SURPRISE!
And if you really dig into this stuff you’ll find that Mudge alleges that the denominator is in fact not mDAUs; in truth, there is a huge amount of spam on Twitter; the trick is not to get rid of it, but rather to not count it.
But the killer for me was this one, and I’ll quote a summary from The Washington Post:
“Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.”
Given that a former Twitter employee was just found guilty of being an agent of the government of Saudi Arabia, this is an extremely serious and worrisome charge. The Saudi agent used his access to internal systems to obtain data about dissidents and report it back to the government, enabling the government to spy on them.
Twitter’s response? This “agent” was not placed there by the government. Rather, Twitter was meeting its obligations under the new (and terrible) IT Rules of India, which require tech platforms to appoint local representatives that can be intimidated into doing the government’s bidding. I need to dig into this.
And, of course, Congressional knee-jerk reaction … with its never-ending discourses around data, privacy, censorship, Big Tech, and so on, and so on, and so on … with both Republicans and Democrats leaping to their feet screaming that “they will be taking Zatko extremely seriously” and that “there is a need for Congress to pass consumer privacy legislation to safeguard Americans’ data” and that several Congressional committees are “assessing next steps”. Oh, and “the Federal Trade Commission must investigate Zatko’s claims and bring enforcement actions, including fines, against Twitter where appropriate”. Wow, real action is coming!!
Musk’s Akorn Lifeline
As I noted last night in my short version of this post, Musk has been struggling to show he has suffered a material adverse effect (“MAE”) which under Delaware law would allow him to abandon the deal. Last month the law firm Kramer Levin opined:
Based on Delaware case law to date, Mr. Musk faces an uphill battle to prove the existence of an MAE. The only case in which the Delaware Court of Chancery has found an MAE is Akorn, Inc. v. Fresenius Kabi AG, C.A. No. 2018-0300-JTL, 2018 WL 4719347 (Del. Ch. Oct. 1, 2018), aff’d 198 A.3d 724 (Del. 2018) (finding MAE based on a long-term collapse in value and financial metrics of a seller resulting from seller’s violations of FDA regulations).
To the extent Mudge’s FTC allegations are true, there does seem to be some parallels between Twitter and the Akorn case. From the decision in the Delaware Court of Chancery:
In October 2017, Fresenius received a letter from an anonymous whistleblower who made disturbing allegations about Akorn’s product development process failing to comply with regulatory requirements. In November 2017, Fresenius received a longer version of the letter that provided additional details and made equally disturbing allegations about Akorn’s quality compliance programs. The letters called into question whether Akorn’s representations regarding regulatory compliance were accurate and whether Akorn had been operating in the ordinary course of busines.
Fresenius’s investigation uncovered serious and pervasive data integrity problems that rendered Akorn’s representations about its regulatory compliance sufficiently inaccurate that the deviation between Akorn’s actual condition and its as-represented condition would reasonably be expected to result in a Material Adverse Effect. During the course of the investigation, tensions escalated between the parties. Matters came to a head after Akorn downplayed its problems and oversold its remedial efforts in a presentation to its primary regulator, the United States Food and Drug Administration (“FDA”). As one of Akorn’s own experts recognized at trial, Akorn was not fully transparent with the FDA. Put more bluntly, the presentation was misleading. From Fresenius’s standpoint, Akorn was not conducting its operations in the ordinary course of business, providing an additional basis for termination.
This post-trial decision rules in favor of Fresenius and against Akorn. First, Fresenius validly terminated the Merger Agreement because Akorn’s representations regarding its compliance with regulatory requirements were not true and correct, and the magnitude of the inaccuracies would reasonably be expected to result in a Material Adverse Effect. Second, Fresenius validly terminated because Akorn materially breached its obligation to continue operating in the ordinary course of business between signing and closing. Third, Fresenius properly relied on the fact that Akorn has suffered a Material Adverse Effect as a basis for refusing to close.
I have been involved in many Delaware Chancery cases (back in my youth) and while I stay current (as a technology journalist you simply must follow this court), I am not au courant on current strategy or argument. But given this precedent, which entails not only a misrepresentation of a company’s data integrity but also misrepresentations to a regulator, I wonder if Mudge’s allegations of Twitter’s violation of the FTC’s order is in fact giving Musk exactly what he needs to win in court, even if the bot argument comes up short. At a minimum it would certainly seem like something that might drive Twitter’s Board of Directors to the negotiating table – and a Musk settlement could help pay off a future FTC fine. So there is an upside for Twitter.
The main reason all this is interesting is not that Twitter might someday have to pay a fine over all this. That has been expected for a few years. The Zatko information just makes it easier for the FTC.
The real question is whether any of this will be useful to Elon Musk in his effort to get out of the binding $44 billion contract he signed to buy Twitter. And it’s too soon to say: we don’t yet know which of these claims might be substantiated, or whether any of the claims here might be considered material by the chancery court judge.
Certainly it offers some fresh material to Musk and his legal team; they say they have subpoenaed Zatko. I imagine they’ll find him a cooperative source: a large section of his complaint is written essentially as a direct address to his lawyers, performing a deep read on Agrawal’s tweets back and forth with Musk about bots and attempting to make the case that Twitter lied. Musk likes to say that Twitter lied too, of course.
But these men are accusing Twitter of is very different. As Bloomberg analyst Matt Levine said last night (he is the “go to guy” on this whole affair):
Musk’s claim is that Twitter counts spam bots in its mDAU numbers. Zatko’s complaint says, no, obviously Twitter doesn’t do that — that’s just a thing that Musk made up to get out of the deal — but the spam bots exist and are annoying. Twitter does a good job of excluding them from its count of monetizable users, he says, but not of getting rid of them entirely. That’s not fraud; it’s just a thing that annoys Zatko (and Musk).
Zatko’s lawyer said he had begun his whistleblower preparations before Musk moved to buy Twitter. Still, Musk’s bot complaints are quite prominent in the complaint, coming ahead of seemingly much more consequential issues including the 2011 FTC consent decree, a section titled “Mudge Discovers Egregious Deficiencies, Negligence, Willful Ignorance, and Threats to National Security & Democracy,” and another named “New CEO Enables Fraud.”
Yeah, yeah. We all know why Elon Musk pretends to care about bots. But why is Zatko spending so much time talking about bots … when he (really) has not identified the harm? Any harm? Why is his case focused on proving that Twitter is lying to its potential acquirer, rather than attempting to demonstrate that these alleged lies have any effect on its user base? And why did these claims arrive less than two months before Musk goes to trial on the issue, in an effort to save him $44 billion?
Well, maybe, there’s an innocent explanation to all this. But you don’t have to be a conspiracy theorist to find it all rather suspicious. But then, I’m a rational cynic.