Twitter has been accused of covering up security deficiencies and prioritizing user growth over removing spam in a fiery whistleblowing complaint from former security chief Peiter ‘Mudge’ Zatko.
First reported by CNN and The Washington Post, Zatko alleges that Twitter executives misled users, regulators and its board about flaws in its security, privacy and spam detection systems.
It is the latest in a string of crises for Twitter, which is embroiled in a lawsuit with billionaire Elon Musk, who is seeking to back out of his purchase agreement for the company after making a stink about the volume of spam on the platform.
Zatko claims Twitter lied to Musk about its incentive to remove spam. According to Zatko, executives’ bonuses are tied to their ability to grow monetizable daily active users (mDAU), but no incentive is offered to measure or clean up the “millions” of non-monetizable accounts on the platform, which include spam. Twitter’s strategy, as described in the complaint, was to “deprioritize platform health to focus on growing mDAU.”
Spam worsens the user experience on a platform — and failing to act on it is “very short-term thinking,” since it could have knock-on effects on user growth, said Hilary Wolfe, partner and creative director for Hub SF.
Several ad executives that Campaign US spoke with had a similar concern: that Twitter’s audience would shrink as a result of the whistleblowing complaint.
Zatko’s disclosure also alleges severe privacy violations and potential foreign interference, including that Twitter employees had spyware installed on their computers, and executives knowingly risked exposing user identities in China to protect revenue. Twitter is banned in China, but the company allows Chinese advertisers to access its global users.
Privacy researcher Zach Edwards described in a thread how Twitter’s custom audiences product could, in theory, be used by Chinese authorities to identify users circumventing the country’s firewall.
I've gone through mudge's redacted whistleblower complaint and there are some really spicy sections that relate to ad tech + privacy + foreign intelligence... brief thread of what I think is most interesting (link to documents in tweet below) ⚖️ https://t.co/IesSlGVFBd
— Zach Edwards (@thezedwards) August 24, 2022
Advertisers have concerns
Advertisers don’t want to be associated with security risks or foreign interference and are quizzing their agencies on whether Twitter is brand safe. “If security is at major risk, it seems like companies would want to pull ad budgets,” said Wolfe.
“Advertisers don’t want to be part of luring prospective customers into a scheme which might undermine their privacy and lead them to become victims of crime. This is a moral, reputational and financial red line for marketers,” said Mark DiMassimo, founder and creative chief of DiMassimo Goldstein. “Twitter will have to explain why advertising on the platform is not a mortal danger to brands.”
Several high-profile Twitter accounts were hacked in July 2020, including that of the former President Barack Obama. According to Zatko, the hack involved teenagers duping Twitter employees into handing over their account passwords.
Sam Huston, chief strategy officer at 3Q/Dept, said Zatko’s allegations about how Twitter succumbed to basic hacks indicate a “very low level of security within Twitter which could lead to a reduction of mDAU and broader privacy concerns from both advertisers and users.”
Concerns ≠ action
Past platform crises, however, indicate that advertiser concerns rarely lead to pulling spend. Ad spend on Facebook kept growing throughout the Cambridge Analytica scandal, when a whistleblower revealed how data on millions of Facebook users had been improperly obtained for use in political campaigns.
This is partly explained by the frequency of data breaches and system failures at big tech platforms. By now, advertisers have become desensitized.
“It’s true that bot accounts, spam content and hacking issues are pervasive on Twitter, but they’re similar issues that virtually every other social platform faces as well,” said RPA’s chief digital officer Mike Margolin. “It doesn’t seem like any of those companies are willing to commit the sheer manpower needed to supplement their AI technology, which is the more cost-efficient and investor-preferred method for battling spam and hacking.”
Twitter also operates a much smaller ad business than competitors like Google and Meta, so advertiser budgets are less impacted.
Kristie MacDonald, CEO of performance marketing company Huddled Masses, said Twitter has “consistently been a low priority for our mid-market brand clients since the performance results just aren't there.”
“This news gives us some clearer insight as to why the deliverables haven't been strong enough to merit clients' ad dollars,” she added.
Validating data
Advertisers will act, however, if they discover that their ad spend is wasted. Since the whistleblowing disclosure calls the reliability of Twitter’s systems into question, advertisers want assurances that the data they have used for planning and buying campaigns is valid.
“In light of the recent information, how might we validate and revalidate the active current user base, their demographics and profiles we've aligned to? How does this affect the metrics we've been measuring and placing faith in all along?” asked Doron Faktor, group connections director, social at VMLY&R.
Twitter’s systems have been under scrutiny since the platform revealed in April it had misreported metrics for nearly three years. Musk has subpoenaed verification firms Integral Ad Science and DoubleVerify for information on whether or how they have audited Twitter’s user base.
But some are more concerned with Zatko’s motives than his allegations. RPA’s Margolin pointed out that “it’s hard to take accusations like this seriously, given the circumstances.” The complaint comes as Musk builds a case to back out of his $44 billion takeover deal, which is heading to court in October. Zatko could also be a “disgruntled employee,” Margolin notes, after he was fired in January.
“The timing is too suspicious to warrant significant new concern,” he said.
Twitter has similarly rebuffed the complaint in the press. The company did not return a request for comment.
Time for transparency
While advertisers are not expected to ax Twitter from their media plans, ongoing instability could lead to reduced budgets. Twitter’s ad revenue growth slowed in the second quarter to 2% from 23% in Q1, which it attributed in part to uncertainty over its potential acquisition.
Twitter will need to regain the trust of advertisers in order to protect its revenue. Marla Kaplowitz, president and CEO of agency trade association the 4A’s, said Twitter’s “first and most important step” is to be transparent about its operations.
“Marketers and agencies need to understand how these issues impact brand safety and suitability as well as consumer trust. The opportunity is to remind the industry of the protocols that have been put in place, as well as future efforts while they also share the benefits of new product offerings to support brand goals,” Kaplowitz added.
Specifically, 3Q’s Huston said Twitter will need to be more transparent about how it calculates its mDAU metric, which has been at the center of Musk’s probes.
DiMassimo suggested Twitter should “come clean” and “end the trickle of revelations” with “one big tsunami of truth.”
“Show us what went wrong, then show us how it is different and why it will remain different going forward,” he said.
The company will also need to outline exactly what security and safety measures it currently has, or is putting in place, to ensure accounts are safe from being hacked or appropriated, Faktor said.
Wolfe suggested addressing specific concerns, such as changing the bonus plan for executives and assigning payment penalties for security violations.
Money speaks, too. Both DiMassimo and Wolfe suggested offering discounts to advertisers would help soften the blow.
Additional reporting by Alison Weissbrot and Brandon Doerrer