Insider Threats: DOJ Says Twitter Employees Spied On User Accounts For Saudi Arabia

from the internal-controls-matter dept

We live in interesting times. A year ago, the NY Times had reported that the Kingdom of Saudi Arabia was aggressively using Twitter to keep tabs on and harass critics of the government. As part of that story, it also claimed that the Saudis might have a “mole” within the company in the form of Ali Alzabarah, who had risen through the engineering ranks to a point where he could access information on people the Saudi government was interested in. That story only noted that Western intelligence agencies had alerted the company that the Saudis were “grooming” Alzabarah. Now, the DOJ has charged two former Twitter employees, including Alzabarah, along with a third individual who worked in social media marketing, with spying for the Saudis. The complaint is worth reading.

It shows how officials appeared to groom the Twitter employees, starting with Ahmad Abouammo, who was (for a time) a marketing manager at Twitter, but who left the company in 2015. It describes how Saudi officials built up a relationship with him, setting up a tour of Twitter’s headquarters, and then later providing gifts, such as an expensive watch. Soon after, Abouammo is accused of accessing information on Saudi critics and dissidents;

Within one week of ABOUAMMO’s meeting in London with Foreign Official-1, ABOUAMMO began access private Twitter user information of interest to Foreign Official-1 and the Saudi Royal Family.

On December 12, 2014, ABOUAMMO accessed Twitter User-1’s email address through Twitter’s computer systems. Based on the FBI’s review of Twitter User-1’s public postings, Twitter User-1 was a prominent critic of the Kingdom of Saudi Arabia and the Royal Family with over 1,000,000 Twitter followers. ABOUAMMO accessed Twitter User-1’s email address again on January 5, 2015, January 27, 2015, February 4, 2015, February 7, 2015, February 18, 2015, and February 24, 2015.

On or about January 17, 2015, Foreign Official-1 began communicating with ABOUAMMO on ABOUAMMO’s personal email in addition to his Twitter email account. On January 17, 2015, Foreign Official-1 emailed ABOUAMMO at ABOUAMMO’s personal email and stated only “as we discussed in london…” Foreign Offical-1 attached to the email a document that discussed how Twitter User-1 had violated both Twitter policy and Saudi laws. On January 20, 2015, Foreign Official-1 called ABOUAMMO twice (the calls lasting 19 seconds and 51 seconds, respectively). On January 22, 2015, Foreign Official-1 called ABOUAMMO seven times (no answer, 6 seconds, 5 seconds, 3 seconds, 4 minutes 37 sections, 3 minutes 36 seconds, and 39 seconds, respectively). ABOUAMMO also accessed the email address provided by user @KingSalman the same day. The handle @KingSalman was the Twitter Account for Saudi King Salman bin Abdulaziz Al Saud. Foreign Official-1 called ABOUAMMO on January 23, 24, and twice on January 25, 2015 (1 minute 57 seconds, no answer, 1 minute 57 seconds, and 6 seconds, respectively). On January 27, 2015, ABOUAMMO accessed Twitter User-1’s user email address again. The next day, Foreign Official-1 called ABOUAMMO three times (11 seconds, 5 seconds, and no answer).

It goes on like this with the Saudi official sending “reports” about different accounts claiming they violate Twitter’s policies — which had nothing to do with Abouammo’s role in marketing. And then comes this:

On February 19, 2015, ABOUAMMO created an online user ID and password to access the Bank Audi Account his close relative opened in Lebanon on February 3, 2015. On February 24, 2015, ABOUAMMO accessed Twitter User-1’s email address and phone number. On the same day, a $9,963 wire transfer was sent from the Lebanon Bank Audi Account to ABOUAMMO’s Bank of America account…

There are a few more such transactions. Even after Abouammo quits Twitter (to go to Amazon) he apparently continues to receive money, and would reach out to former colleagues at Twitter to try to access the information the Saudis were seeking. Also, according to the DOJ, Abouammo lied to the FBI (not a good idea), then tried to “alter” documents he gave to the FBI (a very, very bad idea). Indeed, the DOJ’s complaint suggests that while the FBI was talking to him, he asked to go use his computer without them present, and then presented them with what they believe to be a doctored invoice.

During the interview, ABOUAMMO offered to obtain a copy of the consulting contract from a desktop computer that he claimed was in his bedroom, and requested that the Agents not follow him to the bedroom. A few minutes later, ABOUAMMO emailed an undated invoice to the email address of a Palo Alto, California based FBI Special Agent.

I believe that ABOUAMMO created the invoice in his residence on a computer while Agents were waiting for ABOUAMMO to provide them with the invoice that was discussed. The address on the invoice for services ABOUAMMO said were rendered in 2015 and 2016 was ABOUAMMO’s current address, however, public records show that the property was built in 2017 and ABOUAMMO did not purchase it until August 2017, and the metadata properties associated with the file emailed to the FBI indicates that the file was created on the date of the interview (i.e., October 20, 2018)….

Yeah, don’t do that.

As for Alzabarah, the DOJ has details of him flying to DC to meet with various Saudi officials, and then upon returning to work getting pretty damn busy getting info on Twitter users critical of the Saudi government.

Within one week of returning to San Francisco, ALZABARAH began to access without authorization private data of Twitter users en masse. Specifically, although ALZABARAH had not access the private user data of any Twitter Accounts since February 24, 2015, starting on May 21, 2015, through November 18, 2015, ALZABARAH accessed without authorization through Twitter’s computer systems the Twitter user data of over 6,000 Twitter users, including at least 33 usernames for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter. A Twitter Security Engineer informed the FBI that, although ALZABARAH may have had grandfathered access to view user information through an internal Twitter tool called “Profile Viewer,” ALZABARAH had no legitimate business purpose as a Site Reliability Engineer to access user accounts. ALZABARAH’s job was to help keep the site up and running, which did not involve accessing individual user accounts.

The DOJ then notes that the Saudi official had email notes detailing the locations of some of the key Twitter users that Alzabarah was looking up for them. Alzabarah also created notes for himself about whether or not he was eligible for reward money the Saudi government was offering for information on certain “terrorists.” There are also notes about “secur[ing]” his “future and my family’s.” Alzabarah later fled the US and apparently resigned from Twitter via email after his flight took off from LA.

This is all kind of fascinating. For all the concerns about outside hacking, insider attacks are still considered a much bigger threat and much harder to detect or prevent. While it does sound like there were some lax controls in place to prevent people who shouldn’t have access to certain information from getting to that info, that’s not all that unexpected in Silicon Valley (and an area that many companies need to significantly improve in). The complaint does suggest that Alzabarah made “unauthorized” access to this information, even though he was allowed to access a tool. That certainly suggests criminal CFAA charges, and some aspects of that seem problematic. While it does appear that there are other laws Alzabarah broke, arguing it’s a CFAA violation to use tools he was granted access to seems like a stretch. And, of course, there are broader questions with Abouammo and why he even had access to any of this data at all.

If anything, hopefully these charges wake up many Silicon Valley companies to the value and importance of better internal controls on how data is made accessible. In the rush to build up companies, insider controls are often one of the last things companies care about (if no one uses a service, who cares, and if a service is growing like gangbusters, then there are many other, more important issues to focus on). But companies need to recognize that when these services are used as broadly as they are, they become an attack vector, and employees are often targeted by governments to try to access information. Of course, it’s always going to be impossible to stop all access to information — hell, even the NSA has had to deal with poor controls and “insider” attempts to access information (see: Snowden, Ed). But it does seem increasingly important for companies to be aware of how valuable their data might be to governments, and do more to protect it.

Filed Under: , , , , , , , ,
Companies: twitter

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Insider Threats: DOJ Says Twitter Employees Spied On User Accounts For Saudi Arabia”

Subscribe: RSS Leave a comment
Anonymous Coward says:

The missing bit of this story, all the more conspicuous due to the typical nature of reporting here, is exactly how did the FBI get all of that information? Did they hack Twitter’s network to gain access to activity audit logs? Did they subpoena the data from Twitter? Did they just send a "request" for the data? They had phone logs, too.

All of the above is typically reported as "bad" yet this article ignores it completely as "ok because terrorists". Where are we to draw the line?

Anonymous Coward says:

Re: Re:

Well, the government has DPI firehoses duplicating all data going over the internet anyway. Maybe they actually found something in there. Maybe Twitter alerted them to an issue first. Then they sifted their haystacks for email and other network activity, and Twitter and/or the Feds went through Twitters logs. Not necessarily in any particular order. Maybe the Feds were watching anyone with a "Muslim-sounding name" anyway, and turned up an actual thing to investigate. Maybe suggestions that something was up at Twitter occurred obliquely in the course of other investigations (NSO, Khashoggi, etc.).

An assumed "OK because terrorists" for an assumed method of operation is a bit of a stretch.

That One Guy (profile) says:

Re: Re:

That story only noted that Western intelligence agencies had alerted the company that the Saudis were "grooming" Alzabarah. Now, the DOJ has charged two former Twitter employees, including Alzabarah, along with a third individual who worked in social media marketing, with spying for the Saudis.

Also, according to the DOJ, Abouammo lied to the FBI (not a good idea), then tried to "alter" documents he gave to the FBI (a very, very bad idea).

If they had enough to warn the company that some of their workers might be compromised, and especially if it was enough that they were actively investigating them I imagine they either simply asked the company after after providing enough evidence to suggest that there were valid concerns, issued a subpoena, or got a warrant as part of said investigation.

While it’s certainly possible that they might have ‘forgotten’ a few steps if it wasn’t noted in the original articles it’s probably safe to assume they actually jumped through the proper hoops this time around.

Anonymous Coward says:

Re: Re:

Not at all. I’m not really even griping. But I am curious about the conspicuous omission of that angle of the story when "that angle" is a major focus of articles here on TD. It really stood out to me as I was reading this one and I think it deserves coverage as privacy and data security are big issues. Maybe both have been violated here. At least some kind of honorable mention.

And the authors here often seek outside sources after finding something reported elsewhere. They don’t typically (as far as I can tell) rely solely on a single source reported by someone else. It wouldn’t surprise me in the least if Mike dug deeper to find many of the details in this story.

Thanks for your rather useless contribution to the discussion though.

Anonymous Coward says:

Re: Encryption is essential

End to end encryption is hard to securely implement. Most people wouldn’t bother to take the steps even if they were shown a working system.

End to end encryption is still vulnerable to attack if your adversary can get a keylogger on your system so you have to find a way to have a completely separate encryption device for entering the message and encrypting the data, a device to transfer the encrypted message to the transmission device that is only physically capable of being read only so malware can’t travel between the encryption-only device and the internet access device, and for a really secure message you need to meet up with the recipient beforehand and exchange your shared secrets offline so it can’t be intercepted in transit or from the trusted authority.

It’s not terribly difficult to do those things but it is too inconvenient for average internet users to do.

Jeremiah B. Frog says:

I am horrified to think that foreign intelligence services might have easy access to private information on Twitter users that only American intelligence services should have easy access to. There’s no telling what those dastardly foreigners might be doing with that information; I’m quite confident I know exactly what American intelligence agencies are doing with it.

fairuse (profile) says:

Saudi Arabia had people troll Twitter-

For those who wonder why this article is here.

  1. The Saudi Kingdom sets up hundreds of troll sites and pays people not bots to search for [critic of Crown]. 1000+ humans (okay bunches of well financed and skilled Troll Farms) looking for a location, etc.

From NYT article:
"Twitter has had difficulty combating the trolls. The company can detect and disable the machine-like behaviors of bot accounts, but it has a harder time picking up on the humans tweeting on behalf of the Saudi government."

1.1. Select some to go inside Twitter.

From NYT article:
"The specialists found the jobs through Twitter itself, responding to ads that said only that an employer sought young men willing to tweet for about 10,000 Saudi riyals a month, equivalent to about $3,000.

The political nature of the work was revealed only after they were interviewed and expressed interest in the job. According to the people The Times interviewed, some of the specialists felt they would have been targeted as possible dissenters themselves if they had turned down the job."

1.2 The world: All governments watch other governments. I think the nature of Saudi’s stopping critics at any cost is hard for some to believe but the scale of Saudi’s ability to use Twitter without much noise reaching top management is proof.

1.3 Twitter was notified by Western intelligence officials. The rest is in TD article.

My 2-cents:
Getting your agent into the source of information is most effective. One shot if lucky is worth the money spent. Ask the dead journalist.

End to End encryption and better internal controls could have slowed Saudi attempt or flagged access before damage was done to critics.

Anyone think this operation by Saudi Kingdom: Use Twitter 2015 to 2019 to locate critics is just a fluke?

I’m still trying to figure out how quiet those years where — oh, 2016 election and Russia and Ukraine. Wow, Saudi Arabia.

fairuse (profile) says:

End to End Encrypt


End to End Encrypt
Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor.

Internal controls
Flag access from within the platforms operations.
Better background checks – try to spot job applicant in HR hiring.

Saudi Arabia Intelligence ran this not some clever guy taking bribes.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...