Former Twitter employee convicted of charges related to spying for Saudis (opens in new tab)

(politpost.com)

126 pointsdavidclark223y ago52 comments

52 comments

3233y ago

2020: How Saudi Arabia Infiltrated Twitter

> When the conversation concluded, management seized Alzabarah’s laptop, put him on administrative leave, and escorted him out of the building.

> At 5:17 p.m. he called a handler, identified as Associate-1 in the FBI complaint, who arrived in a white SUV two hours later. Driving around Alzabarah’s neighborhood, the two men called “Foreign Official-l” — al-Asaker, according to the Washington Post — at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They then called Dr. Faisal Al Sudairi, the Saudi consul general in Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after midnight, the consul general called Alzabarah back and spoke with him for three minutes.

> Early the next morning, Alzabarah, his wife, and daughter boarded a plane for Saudi Arabia.

https://www.buzzfeednews.com/article/alexkantrowitz/how-saud...

Twitter basically let him walk out. Probably afraid of backlash in case they called the cops on him.

mrtksn3y ago

Will the cops really come and arrest people on the spot for breaching internal company data access protocols?

I’m curious about it if the authorities act on it as an urgent situation.

3233y ago

By cops I meant FBI/... And the way this is done is you notify the cops first and then coordinate with them if needed. It's not like Twitter learned about this 5 minutes before.

mrtksn3y ago

Okay, so does it really happen?

To me it sounds like it’s a civil case where domain specialists need to prove the wrongdoing in court.

1 more reply

nradov3y ago

The FBI obviously doesn't enforce internal company policies. However, if the company has evidence that the employee is engaging in serious violations of the Computer Fraud and Abuse Act (CFAA) of 1986, or engaging in espionage for a foreign power, then the FBI might send agents to investigate.

shakil3y ago

Depends on who is doing the complaining, but yes there is precedent to arresting an employee for "theft of trade secrets" [1]

1. https://en.wikipedia.org/wiki/Sergey_Aleynikov

cmeacham983y ago

Was this page written by his lawyer? It seems like he downloaded source code from his employer and gave it to some other company.

It seems like he largely got off on what is effectively a technicality, but I doubt anyone would seriously argue what he did _should_ be legal.

TaylorAlexander3y ago

Someone I know had been working for twitter and they said they were blown away at the lack of internal protections built in to the system. I guess it could be a goldmine of data for spies.

nradov3y ago

Not to defend the incompetent jerks who run Twitter or anything, but only a complete idiot would have ever trusted them with private or damaging information (including metadata such as locations). Twitter never made any reliable, verifiable guarantees about security or internal controls.

TaylorAlexander3y ago

What I have found, as a technical person, is that things like metadata which are obvious to me may be unknown to most regular people. A person can be very smart and yet not know about how computers work, or how silicon valley works.

m00x3y ago

It's not a matter of Twitter giving guarantees about optional data. This is PII, which has to be protected legally.

Internal controls at a company of the size of Twitter is no longer optional. You don't have to intend malice to be guilty of negligence.

Equifax never gave guarantees of security and data safety either, but it's understood that they should be responsible.

nradov3y ago

Wrong. Under US federal law, Twitter has no legal obligation to protect PII. Internal controls for user data are optional.

https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-...

To be clear, I am not thrilled with this situation. But even if social networks were legally required to protect PII they would still suffer occasional breaches by advanced persistent threats and state intelligence agencies. Don't post anything important on social media. Just pictures of family vacations and such.

2 more replies

octoberfranklin3y ago

> it could be a goldmine of data for spies.

Wait until you hear about cell site location data...

joshxyz3y ago

applies to pretty much all social media and b2c platforms.

secondcoming3y ago

And political activists

adolph3y ago

The F.B.I. began monitoring the Twitter employees in 2014, according to the complaint. Investigators did not contact Twitter until the end of 2015, when they informed executives that the Saudi government was grooming employees to gain information about the company’s users.

[...]

During his employment at Twitter, Mr. Alzabarah had grown increasingly close to Saudi intelligence operatives, Western intelligence officials told executives. The operatives eventually persuaded Mr. Alzabarah to peer into the accounts of users they sought information on, including dissidents and activists who spoke against the crown, multiple people have told The Times.

https://web.archive.org/web/20191107003511/https://www.nytim...

Mr. Khashoggi’s online attackers were part of a broad effort dictated by Crown Prince Mohammed bin Salman and his close advisers to silence critics both inside Saudi Arabia and abroad. Hundreds of people work at a so-called troll farm in Riyadh to smother the voices of dissidents like Mr. Khashoggi. The vigorous push also appears to include the grooming — not previously reported — of a Saudi employee at Twitter whom Western intelligence officials suspected of spying on user accounts to help the Saudi leadership.

https://web.archive.org/web/20191107062324/https://www.nytim...

Charges were for acting as foreign agent without notice and records falsification.

https://web.archive.org/web/20200920010209/https://www.washi...

nullc3y ago

I wonder how many people are murdered each year due to communications platforms that haven't implemented end to end encryption for private user communications, since all these large platforms are easily infiltrated by agents of homicidal regimes.

sneak3y ago

Apple has access to the plaintext of pretty much every iMessage and the vast, vast majority of iOS users' photo libraries.

They are required to turn over data to the US federal authorities without a warrant (under FAA702), and they do this over 30,000 times per year per their own transparency report.

The mind reels. Can you imagine how much this is used for blackmail, extortion, coercion, parallel construction, etc?

zip12343y ago

Is iMessage not end to end encrypted? Facebook Messenger has end to end encryption. How does Apple not?

sneak3y ago

iMessage's "end to end encryption" has a key escrow backdoor which sends your endpoint keys to Apple and is maintained for the FBI. It's more like "end-to-end-and-Apple encrypted".

It's "end to end encrypted" but then the device's private iMessage syncing keys ("Messages in iCloud") are included in an iCloud Backup, which is not end-to-end encrypted, backdooring the crypto. This means that Apple can decrypt the iMessages as they transit Apple's servers in realtime, using the device private keys you backed up (without e2e) the previous evening.

Even if you turn off the non-e2e iCloud Backup backdoor, your iMessages will still get compromised because it's on by default and all of the other people you iMessage with haven't turned it off.

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

iCloud Photos isn't end to end encrypted at all. It syncs every photo you take to Apple servers effectively unencrypted. Apple can see all of them, and so can the US government (without a warrant). Turning off iCloud is indeed an effective mitigation for this, which keeps your photos on-device.

radicaldreamer3y ago

Twitter or Facebook is one thing, but imagine the iCloud hacks (not the ones which exfiltrated porn, some apparently single actors using home connections) but those from nation states targeting individuals.

I'm sure the death toll is large and the harassment tool even higher.

trhway3y ago

Why would a high suit shmoozing media partnership manager have access to user info? Seems like an issue of data access at Twitter.

josh26003y ago

For a long time many social networks were just any employee god mode.

Access controls are just not a priority while blitz scaling and then very difficult to patch on after the fact.

ChrisMarshallNY3y ago

> Access controls are just not a priority while blitz scaling and then very difficult to patch on after the fact.

That's why the app that I'm writing now, started off as seriously tinfoil. In fact, I've had to [reluctantly] loosen some of the armor, in order to add a few features.

I won't say that it's Fort Knox, but it ain't gonna be easy to crack.

The demographics of its target user base are pretty paranoid, so I have to do my homework.

techdragon3y ago

Is there somewhere we can learn more about the app?

1 more reply

dboreham3y ago

1. Pass law. 2. Put people in jail. Oh...wait this is America..

radicaldreamer3y ago

Odd that the defendant used a federal public defender instead of a private attorney and the lack of a plea deal here (in exchange for cooperation?)

beachy3y ago

Perhaps it was explained to him that he better go down quietly or his loved ones might get bonesawed.

tick_tock_tick3y ago

He fled the country probably had no reason plans of defending himself.

JumpCrisscross3y ago

> He fled the country

We don’t convict in absentia. This is the one who got left behind.

JumpCrisscross3y ago

> Ali Alzabarah, another former Twitter employee who was also charged in the scheme, fled the country before he could be arrested

Apparently “Alzabarah [is] believed to be in Saudi Arabia” [1].

What the fuck?! Sooner we can decouple from that regime the better in my book.

[1] https://www.justice.gov/opa/pr/two-former-twitter-employees-...

Syonyk3y ago

> What the fuck?! Sooner we can decouple from that regime the better in my book.

"The Saudis, a despotic, murderous regime who... er, what's that? Gas prices are where? The Saudis, a heroic, brave people, living in a wonderful country with a deep culture of..."

"Yeah, hey, buddy, pal, MBS-o, think you could maybe squeak out a couple more MBPD? Elections coming up and... oh... really? Few hundred thousand, tops? Well, I guess, see what you can do... thanks!"

sigh :(

jen729w3y ago

There's a fascinating profile of the crown prince, 'MBS', in this week's Economist double summer edition. I have a print copy, paywalled link is:

https://www.economist.com/1843/2022/07/28/mbs-despot-in-the-...

biztos3y ago

I find it super fascination that this guy, as a strategic partner, is at the same time:

1) Completely out of his f---ing mind!

2) Indisputably important and in control.

3) Remarkably easy to please.

Now, sure, I could be wrong about any of these -- my sources of information are almost exclusively the US/EU press, which are not free of bias and might hold a globally minority definition of "truth."

But when you consider what's at stake, and which other famous defenders of Human Rights we're in bed with, I honestly can't understand why we (US/EU) are not working more actively with the most transparent one.

radiojasper3y ago

doesn't seem paywalled to me, but maybe there's a limit on the amount of articles that can be read. Anyway: https://archive.ph/JQFiG

radicaldreamer3y ago

Not happening until the oil runs out in the eastern desert and gulf.

bingohbangoh3y ago

how did they try him in absentia? I'm pretty certain that's illegal in the united states.

JumpCrisscross3y ago

> how did they try him in absentia?

They didn’t.

“Abouammo was arrested in Seattle, Washington, on Nov. 5, 2019, and made his initial federal court appearance in Seattle at 2:00 p.m.on Nov. 6, 2019” [1]. He is the one they left behind.

[1] https://www.justice.gov/opa/pr/two-former-twitter-employees-...

aYsY4dDQ2NrcNzA3y ago

What led you to believe that the United States can’t try defendants in absentia?

https://www.ojp.gov/ncjrs/virtual-library/abstracts/trial-ab...

j / k navigate · click thread line to collapse

52 comments

3233y ago

2020: How Saudi Arabia Infiltrated Twitter

> When the conversation concluded, management seized Alzabarah’s laptop, put him on administrative leave, and escorted him out of the building.

> Early the next morning, Alzabarah, his wife, and daughter boarded a plane for Saudi Arabia.

https://www.buzzfeednews.com/article/alexkantrowitz/how-saud...

Twitter basically let him walk out. Probably afraid of backlash in case they called the cops on him.

mrtksn3y ago

Will the cops really come and arrest people on the spot for breaching internal company data access protocols?

I’m curious about it if the authorities act on it as an urgent situation.

3233y ago

By cops I meant FBI/... And the way this is done is you notify the cops first and then coordinate with them if needed. It's not like Twitter learned about this 5 minutes before.

mrtksn3y ago

Okay, so does it really happen?

To me it sounds like it’s a civil case where domain specialists need to prove the wrongdoing in court.

1 more reply

nradov3y ago

shakil3y ago

Depends on who is doing the complaining, but yes there is precedent to arresting an employee for "theft of trade secrets" [1]

1. https://en.wikipedia.org/wiki/Sergey_Aleynikov

cmeacham983y ago

Was this page written by his lawyer? It seems like he downloaded source code from his employer and gave it to some other company.

It seems like he largely got off on what is effectively a technicality, but I doubt anyone would seriously argue what he did _should_ be legal.

TaylorAlexander3y ago

Someone I know had been working for twitter and they said they were blown away at the lack of internal protections built in to the system. I guess it could be a goldmine of data for spies.

nradov3y ago

TaylorAlexander3y ago

m00x3y ago

It's not a matter of Twitter giving guarantees about optional data. This is PII, which has to be protected legally.

Internal controls at a company of the size of Twitter is no longer optional. You don't have to intend malice to be guilty of negligence.

Equifax never gave guarantees of security and data safety either, but it's understood that they should be responsible.

nradov3y ago

Wrong. Under US federal law, Twitter has no legal obligation to protect PII. Internal controls for user data are optional.

https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-...

2 more replies

octoberfranklin3y ago

> it could be a goldmine of data for spies.

Wait until you hear about cell site location data...

joshxyz3y ago

applies to pretty much all social media and b2c platforms.

secondcoming3y ago

And political activists

adolph3y ago

[...]

https://web.archive.org/web/20191107003511/https://www.nytim...

https://web.archive.org/web/20191107062324/https://www.nytim...

Charges were for acting as foreign agent without notice and records falsification.

https://web.archive.org/web/20200920010209/https://www.washi...

nullc3y ago

sneak3y ago

Apple has access to the plaintext of pretty much every iMessage and the vast, vast majority of iOS users' photo libraries.

They are required to turn over data to the US federal authorities without a warrant (under FAA702), and they do this over 30,000 times per year per their own transparency report.

The mind reels. Can you imagine how much this is used for blackmail, extortion, coercion, parallel construction, etc?

zip12343y ago

Is iMessage not end to end encrypted? Facebook Messenger has end to end encryption. How does Apple not?

sneak3y ago

iMessage's "end to end encryption" has a key escrow backdoor which sends your endpoint keys to Apple and is maintained for the FBI. It's more like "end-to-end-and-Apple encrypted".

Even if you turn off the non-e2e iCloud Backup backdoor, your iMessages will still get compromised because it's on by default and all of the other people you iMessage with haven't turned it off.

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

radicaldreamer3y ago

I'm sure the death toll is large and the harassment tool even higher.

trhway3y ago

Why would a high suit shmoozing media partnership manager have access to user info? Seems like an issue of data access at Twitter.

josh26003y ago

For a long time many social networks were just any employee god mode.

Access controls are just not a priority while blitz scaling and then very difficult to patch on after the fact.

ChrisMarshallNY3y ago

> Access controls are just not a priority while blitz scaling and then very difficult to patch on after the fact.

That's why the app that I'm writing now, started off as seriously tinfoil. In fact, I've had to [reluctantly] loosen some of the armor, in order to add a few features.

I won't say that it's Fort Knox, but it ain't gonna be easy to crack.

The demographics of its target user base are pretty paranoid, so I have to do my homework.

techdragon3y ago

Is there somewhere we can learn more about the app?

1 more reply

dboreham3y ago

1. Pass law. 2. Put people in jail. Oh...wait this is America..

radicaldreamer3y ago

Odd that the defendant used a federal public defender instead of a private attorney and the lack of a plea deal here (in exchange for cooperation?)

beachy3y ago

Perhaps it was explained to him that he better go down quietly or his loved ones might get bonesawed.

tick_tock_tick3y ago

He fled the country probably had no reason plans of defending himself.

JumpCrisscross3y ago

> He fled the country

We don’t convict in absentia. This is the one who got left behind.

JumpCrisscross3y ago

> Ali Alzabarah, another former Twitter employee who was also charged in the scheme, fled the country before he could be arrested

Apparently “Alzabarah [is] believed to be in Saudi Arabia” [1].

What the fuck?! Sooner we can decouple from that regime the better in my book.

[1] https://www.justice.gov/opa/pr/two-former-twitter-employees-...

Syonyk3y ago

> What the fuck?! Sooner we can decouple from that regime the better in my book.

"The Saudis, a despotic, murderous regime who... er, what's that? Gas prices are where? The Saudis, a heroic, brave people, living in a wonderful country with a deep culture of..."

"Yeah, hey, buddy, pal, MBS-o, think you could maybe squeak out a couple more MBPD? Elections coming up and... oh... really? Few hundred thousand, tops? Well, I guess, see what you can do... thanks!"

sigh :(

jen729w3y ago

There's a fascinating profile of the crown prince, 'MBS', in this week's Economist double summer edition. I have a print copy, paywalled link is:

https://www.economist.com/1843/2022/07/28/mbs-despot-in-the-...

biztos3y ago

I find it super fascination that this guy, as a strategic partner, is at the same time:

1) Completely out of his f---ing mind!

2) Indisputably important and in control.

3) Remarkably easy to please.

radiojasper3y ago

doesn't seem paywalled to me, but maybe there's a limit on the amount of articles that can be read. Anyway: https://archive.ph/JQFiG

radicaldreamer3y ago

Not happening until the oil runs out in the eastern desert and gulf.

bingohbangoh3y ago

how did they try him in absentia? I'm pretty certain that's illegal in the united states.

JumpCrisscross3y ago

> how did they try him in absentia?

They didn’t.

“Abouammo was arrested in Seattle, Washington, on Nov. 5, 2019, and made his initial federal court appearance in Seattle at 2:00 p.m.on Nov. 6, 2019” [1]. He is the one they left behind.

[1] https://www.justice.gov/opa/pr/two-former-twitter-employees-...

aYsY4dDQ2NrcNzA3y ago

What led you to believe that the United States can’t try defendants in absentia?

https://www.ojp.gov/ncjrs/virtual-library/abstracts/trial-ab...

j / k navigate · click thread line to collapse