The SEC released on EDGAR a brief staff comment letter dialogue with Twitter concerning the company’s Form 10-K for the year ended December 31, 2021 and the company’s Form 10-Q for the quarter ended March 31, 2022. The Office of Technology, within the SEC’s Division of Corporation Finance, had inquired of Twitter how it calculates monetizable daily active users (mDAU), a measure that takes into account the presence of automated bots or spam accounts, as well as why the company did not consider an error in calculating mDAU that was propagated across a three-year period of the company’s filings to constitute a material weakness in its internal control over financial reporting with similar impact on the company’s disclosure controls and procedures. The comment letter dialogue was released a day after Whistleblower Aid announced that it represents Peiter “Mudge” Zatko, a former Twitter executive who has filed whistleblower claims with the SEC and other federal agencies regarding Twitter’s allegedly faulty bot counts and other newly alleged security flaws in Twitter’s platform. The dialogue also comes at a time when Twitter seeks to enforce its merger agreement with Elon Musk while Musk seeks to back out of the deal because of bots he alleges are more plentiful on Twitter’s platform than the company has disclosed.
mDAU error—ICFR-DCP. SEC staff first questioned Twitter’s disclosures around the prevalence of bots, which Twitter had posited account for less than 5 percent of mDAU. The SEC’s letter asked Twitter to disclose its method for calculating mDAU along with management’s underlying judgments and assumptions.
According to Twitter’s reply, the company’s method for calculating mDAU generally combines an internal review of sample accounts and the company’s own business judgment. Twitter also stated that it has already disclosed key definitions used in its metrics and that its measures of mDAU rely on internal data and may not be directly comparable to those of other social media companies or third-party analysts.
With respect to the mDAU overstatement that occurred during the three years starting in Q1 2019 and ending in Q4 2021, Twitter explained that the error arose from a new feature that allowed Twitter users to link multiple accounts to a primary account. Twitter’s metrics in place at that time counted all of the linked accounts as mDAU.
Twitter also said that it had stopped counting any identified spam accounts as mDAU. According to Twitter, it suspended “a large number of spam, malicious automation, and fake accounts.” Supplementally, the company told the SEC that humans manually review thousands of accounts that are randomly selected from mDAU accounts. Twitter said an account is considered a spam account if it violates Twitter’s rules regarding spam and platform manipulation.
The SEC’s letter also asked Twitter how it could conclude that the mDAU error did not result in a material weakness in internal control over financial reporting and how its disclosure controls and procedures could be effective during the flagged period. Twitter replied that the mDAU error was not material. Twitter further explained that its qualitative analysis of the issue found that only mDAU (and not other business metrics) was impacted, the error was disclosed only in its MD&A and not in its financial statements, and the error had no impact on mDAU trends.
The SEC’s comment letter mDAU dialogue with Twitter began in mid-June 2022. By the end of July 2022, the SEC staff had concluded its mDAU inquiry.
Congressional whistleblower hearing. Senate Judiciary Committee Chair Dick Durbin (D-Ill) and Ranking Member Chuck Grassley (R-Iowa) announced that the Judiciary Committee will hold a full committee hearing on September 13, 2022 regarding Zatko’s allegations about Twitter’s security failures.
Senators Durbin and Grassley jointly commented via press release: “Mr. Zatko’s allegations of widespread security failures and foreign state actor interference at Twitter raise serious concerns. If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world. The Senate Judiciary Committee will investigate this issue further with a full Committee hearing this work period, and take further steps as needed to get to the bottom of these alarming allegations.”
According to a press release issued by Whistleblower Aid, Zatko was Security Lead on Twitter’s senior executive team until January 2022 when, as reported by CNN (a related The Washington Post article could not be viewed because it resides behind a paywall), he was fired for allegedly “poor performance.” Whistleblower Aid also said that former Twitter CEO Jack Dorsey had personally recruited Zatko to join Twitter. Before joining Twitter, Zatko held senior positions at Google, Stripe, and the U.S. Defense Advanced Research Projects Agency (DARPA) (at DARPA Zatko received the highest award for civilian, non-career employees).
With respect to bots, the CNN article suggested that Zatko’s whistleblower disclosures indicated that Twitter’s mDAU metric may not accurately state the prevalence of bots on its platform because Twitter reports bots as a percentage of mDAU.
“Twitter has an outsized influence on the lives of hundreds of millions around the world, and it has fundamental obligations to its users and the government to provide a safe and secure platform,” said Libby Liu, CEO of Whistleblower Aid.
Whistleblower Aid said that Zatko began the process of making whistleblower disclosures to the SEC, FTC, and the DOJ in December 2021.
A Twitter internal memo tweeted by CNN reporter Donie O’Sullivan appeared to cast doubt on Zatko’s claims. “We are reviewing the redacted claims that have been published, but what we've seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context,” Twitter CEO Parag Agrawal said in the memo.