from the internal-controls-matter dept
We live in interesting times. A year ago, the NY Times reported that the Kingdom of Saudi Arabia was aggressively using Twitter to keep tabs on and harass critics of the government. As part of that story, it also claimed that the Saudis might have a “mole” within the company in the form of Ali Alzabarah, who had risen through the engineering ranks to a point where he could access information on people the Saudi government was interested in. That story only noted that Western intelligence agencies had alerted the company that the Saudis were “grooming” Alzabarah. Now, the DOJ has charged two former Twitter employees, including Alzabarah, along with a third individual who worked in social media marketing, with spying for the Saudis. The complaint is worth reading.
It shows how Saudi officials appear to have groomed the Twitter employees, starting with Ahmad Abouammo, who was (for a time) a marketing manager at Twitter, but who left the company in 2015. It describes how Saudi officials built up a relationship with him, setting up a tour of Twitter’s headquarters, and then later providing gifts, such as an expensive watch. Soon after, Abouammo is accused of accessing information on Saudi critics and dissidents:
Within one week of ABOUAMMO’s meeting in London with Foreign Official-1, ABOUAMMO began accessing private Twitter user information of interest to Foreign Official-1 and the Saudi Royal Family.
On December 12, 2014, ABOUAMMO accessed Twitter User-1’s email address through Twitter’s computer systems. Based on the FBI’s review of Twitter User-1’s public postings, Twitter User-1 was a prominent critic of the Kingdom of Saudi Arabia and the Royal Family with over 1,000,000 Twitter followers. ABOUAMMO accessed Twitter User-1’s email address again on January 5, 2015, January 27, 2015, February 4, 2015, February 7, 2015, February 18, 2015, and February 24, 2015.
On or about January 17, 2015, Foreign Official-1 began communicating with ABOUAMMO on ABOUAMMO’s personal email in addition to his Twitter email account. On January 17, 2015, Foreign Official-1 emailed ABOUAMMO at ABOUAMMO’s personal email and stated only “as we discussed in london…” Foreign Official-1 attached to the email a document that discussed how Twitter User-1 had violated both Twitter policy and Saudi laws. On January 20, 2015, Foreign Official-1 called ABOUAMMO twice (the calls lasting 19 seconds and 51 seconds, respectively). On January 22, 2015, Foreign Official-1 called ABOUAMMO seven times (no answer, 6 seconds, 5 seconds, 3 seconds, 4 minutes 37 seconds, 3 minutes 36 seconds, and 39 seconds, respectively). ABOUAMMO also accessed the email address provided by user @KingSalman the same day. The handle @KingSalman was the Twitter Account for Saudi King Salman bin Abdulaziz Al Saud. Foreign Official-1 called ABOUAMMO on January 23, 24, and twice on January 25, 2015 (1 minute 57 seconds, no answer, 1 minute 57 seconds, and 6 seconds, respectively). On January 27, 2015, ABOUAMMO accessed Twitter User-1’s user email address again. The next day, Foreign Official-1 called ABOUAMMO three times (11 seconds, 5 seconds, and no answer).
It goes on like this with the Saudi official sending “reports” about different accounts claiming they violate Twitter’s policies — which had nothing to do with Abouammo’s role in marketing. And then comes this:
On February 19, 2015, ABOUAMMO created an online user ID and password to access the Bank Audi Account his close relative opened in Lebanon on February 3, 2015. On February 24, 2015, ABOUAMMO accessed Twitter User-1’s email address and phone number. On the same day, a $9,963 wire transfer was sent from the Lebanon Bank Audi Account to ABOUAMMO’s Bank of America account…
There are a few more such transactions. Even after Abouammo left Twitter (for Amazon), he apparently continued to receive money, and reached out to former colleagues at Twitter to try to access the information the Saudis were seeking. Also, according to the DOJ, Abouammo lied to the FBI (not a good idea), then tried to “alter” documents he gave to the FBI (a very, very bad idea). Indeed, the DOJ’s complaint suggests that while the FBI was talking to him, he asked to go use his computer without them present, and then presented them with what they believe to be a doctored invoice.
During the interview, ABOUAMMO offered to obtain a copy of the consulting contract from a desktop computer that he claimed was in his bedroom, and requested that the Agents not follow him to the bedroom. A few minutes later, ABOUAMMO emailed an undated invoice to the email address of a Palo Alto, California based FBI Special Agent.
I believe that ABOUAMMO created the invoice in his residence on a computer while Agents were waiting for ABOUAMMO to provide them with the invoice that was discussed. The address on the invoice for services ABOUAMMO said were rendered in 2015 and 2016 was ABOUAMMO’s current address, however, public records show that the property was built in 2017 and ABOUAMMO did not purchase it until August 2017, and the metadata properties associated with the file emailed to the FBI indicates that the file was created on the date of the interview (i.e., October 20, 2018)….
Yeah, don’t do that.
As for Alzabarah, the DOJ has details of him flying to DC to meet with various Saudi officials, and then upon returning to work getting pretty damn busy getting info on Twitter users critical of the Saudi government.
Within one week of returning to San Francisco, ALZABARAH began to access without authorization private data of Twitter users en masse. Specifically, although ALZABARAH had not accessed the private user data of any Twitter Accounts since February 24, 2015, starting on May 21, 2015, through November 18, 2015, ALZABARAH accessed without authorization through Twitter’s computer systems the Twitter user data of over 6,000 Twitter users, including at least 33 usernames for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter. A Twitter Security Engineer informed the FBI that, although ALZABARAH may have had grandfathered access to view user information through an internal Twitter tool called “Profile Viewer,” ALZABARAH had no legitimate business purpose as a Site Reliability Engineer to access user accounts. ALZABARAH’s job was to help keep the site up and running, which did not involve accessing individual user accounts.
The DOJ then notes that the Saudi official had email notes detailing the locations of some of the key Twitter users that Alzabarah was looking up for them. Alzabarah also created notes for himself about whether or not he was eligible for reward money the Saudi government was offering for information on certain “terrorists.” There are also notes about “secur[ing]” his “future and my family’s.” Alzabarah later fled the US and apparently resigned from Twitter via email after his flight took off from LA.
This is all kind of fascinating. For all the concerns about outside hacking, insider attacks are still considered a much bigger threat and much harder to detect or prevent. While it does sound like there were some lax controls in place to prevent people who shouldn’t have access to certain information from getting to that info, that’s not all that unexpected in Silicon Valley (and an area that many companies need to significantly improve in). The complaint does suggest that Alzabarah made “unauthorized” access to this information, even though he was allowed to access a tool. That certainly suggests criminal CFAA charges, and some aspects of that seem problematic. While it does appear that there are other laws Alzabarah broke, arguing it’s a CFAA violation to use tools he was granted access to seems like a stretch. And, of course, there are broader questions with Abouammo and why he even had access to any of this data at all.
If anything, hopefully these charges wake up many Silicon Valley companies to the value and importance of better internal controls on how data is made accessible. In the rush to build up companies, insider controls are often one of the last things companies care about (if no one uses a service, who cares, and if a service is growing like gangbusters, then there are many other, more important issues to focus on). But companies need to recognize that when these services are used as broadly as they are, they become an attack vector, and employees are often targeted by governments to try to access information. Of course, it’s always going to be impossible to stop all access to information — hell, even the NSA has had to deal with poor controls and “insider” attempts to access information (see: Snowden, Ed). But it does seem increasingly important for companies to be aware of how valuable their data might be to governments, and do more to protect it.
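The controls the article is asking for are mostly mundane: an internal PII lookup tool should only be usable by roles with a business need, each lookup should carry a case or request reference, and someone should be watching for one person pulling thousands of accounts. As an added illustration (this is not code from the article, from the complaint, or from Twitter's own systems), the script below runs those three checks over a handful of constructed audit-log lines for a hypothetical lookup tool. The log format, the employee names and roles, the role-to-tool policy, and the daily threshold are all assumptions made for the example; the complaint itself only tells us that a Site Reliability Engineer retained "grandfathered" access to a viewer tool and that the lookups were not tied to any business purpose.

```python
"""Audit internal-tool access logs for insider-misuse signals.

Added example, not the article's or any company's real code. It checks
constructed audit lines for a hypothetical PII lookup tool against a
role-based policy, a per-lookup justification requirement, and a daily
volume threshold. Every name, role, format and threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines: one lookup per line, space-separated key=value
# fields after the timestamp. An empty ticket= means no justification recorded.
SAMPLE_LOG = """\
2015-05-20T10:02:11Z employee=alice role=trust_and_safety tool=profile_viewer target=user-1001 ticket=TS-4412
2015-05-20T10:04:50Z employee=alice role=trust_and_safety tool=profile_viewer target=user-1002 ticket=TS-4412
2015-05-21T09:15:02Z employee=bob role=site_reliability tool=profile_viewer target=user-2001 ticket=
2015-05-21T09:15:40Z employee=bob role=site_reliability tool=profile_viewer target=user-2002 ticket=
2015-05-21T09:16:03Z employee=bob role=site_reliability tool=profile_viewer target=user-2003 ticket=
2015-05-21T11:40:12Z employee=carol role=marketing tool=profile_viewer target=user-3001 ticket=
2015-05-22T14:00:00Z employee=dave role=legal_requests tool=profile_viewer target=user-4001 ticket=EDR-77
"""

# Assumed policy: roles with a business need for each tool. Anyone else who
# can still reach the tool has a permission that should be revoked.
TOOL_ROLES = {"profile_viewer": {"trust_and_safety", "legal_requests"}}
# Assumed threshold: more distinct targets than this by one person in one
# day is treated as a bulk lookup worth a human look.
DAILY_TARGET_LIMIT = 2


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    role: str
    tool: str
    target: str
    ticket: str


def parse_log(text):
    """Parse the key=value audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            employee=kv["employee"], role=kv["role"], tool=kv["tool"],
            target=kv["target"], ticket=kv.get("ticket", ""),
        ))
    return events


def audit(events):
    """Return a sorted list of (finding, employee, detail) tuples."""
    findings = set()
    per_day = defaultdict(set)  # (employee, date) -> distinct targets looked up
    for e in events:
        if e.role not in TOOL_ROLES.get(e.tool, set()):
            # Access by a role with no business need, grandfathered or not.
            findings.add(("role_without_need", e.employee, f"{e.role} used {e.tool}"))
        if not e.ticket:
            # Lookup with no case or request reference to justify it.
            findings.add(("no_justification", e.employee, f"{e.target} on {e.ts.date()}"))
        per_day[(e.employee, e.ts.date())].add(e.target)
    for (emp, day), targets in per_day.items():
        if len(targets) > DAILY_TARGET_LIMIT:
            findings.add(("bulk_lookup", emp, f"{len(targets)} accounts on {day}"))
    return sorted(findings)


def employees_to_review(events):
    """Distinct employees with at least one finding, for the access-review queue."""
    return sorted({emp for _, emp, _ in audit(events)})


if __name__ == "__main__":
    for kind, emp, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {emp:8} {detail}")
```

The role check is the one that would have mattered most in the Alzabarah case: it fires on the first lookup, before any volume builds up, and the fix is to remove the permission rather than to tune a threshold. The justification and volume checks are backstops for people whose role does legitimately include lookups, since a trust-and-safety analyst who suddenly pulls a few thousand accounts with no ticket is the same pattern the complaint describes, just with a plausible job title attached.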