Twitter’s Saudi Arabia spying scandal could be just the beginning
This week, the United States Justice Department charged two former Twitter employees with spying for Saudi Arabia. The two alleged spies are accused of using their positions within the company to access information of dissidents and political opponents of the Saudi Crown Prince Mohammed bin Salman. The situation may seem like something out of a spy novel, but it's a reminder that behind the faceless and seemingly secure apps and websites that you share your information with are a plethora of people who may have access to it — and the fact that so much information is held by tech companies means those corporations may find themselves as the target of espionage.
According to the Department of Justice, one of the former Twitter employees, Ahmad Abouammo, used his access to spy on at least three different users on the platform. One of the victims of the monitoring efforts was posting tweets detailing the inner workings of leadership within Saudi Arabia. Another employee, Saudi citizen Ahmed Almutairi, allegedly accessed personal information of more than 6,000 Twitter accounts during his time at the company. Those subjected to the spying included prominent political dissidents and free speech advocates in Saudi Arabia — including one person who was believed to have a close relationship with Jamal Khashoggi, a Washington Post columnist who was assassinated by agents of the Saudi government last year.
The revelation that the Saudi government had agents operating within Twitter is a troubling one, as it raises questions about how well the company can truly protect its users and their information. Twitter — for its many, many faults — has historically been a platform where marginalized voices can express themselves and share information. Perhaps most notably, the platform was essential to spreading the message of Arab Spring activists, highlighting what they believed to be injustices carried out by their governments and organizing massive protests. Activists all over the world have used Twitter to spread their message, often putting their lives at risk by doing so. That platform also became a rallying point for accounts supposedly run by "rogue" U.S. government officials who had been silenced by a gag order from the Trump administration — an issue that made Trump so mad, the government actually tried to force Twitter to unmask one of the accounts.
Following the recent charges of the alleged Saudi spies, Twitter claimed that it restricts access to sensitive account information to "a limited group of trained and vetted employees," according to the Washington Post. The company also claimed to "understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable," and said that it has "tools in place to protect their privacy and their ability to do their vital work." But the incident seems to make clear that users cannot solely trust the company — or any tech giant, for that matter — to protect their anonymity. Behind all of these platforms are humans who, whether you are aware of it or not, likely have access to information attached to your account — information that you might consider to be private or sensitive.
While they aren't necessarily cases of international espionage, there have been several cases of employees at major tech firms abusing their position to access user information. Earlier this year, a Yahoo employee pleaded guilty to illegally accessing and stealing photos and videos from the accounts of more than 6,000 people. In 2010, Google fired an employee who improperly accessed Gmail and GTalk accounts to harass minors. Uber employees have allegedly used "god's eye" style tools to spy on ex-partners, politicians and celebrities in real time. Snapchat employees have been accused of abusing a tool designed to fulfill law enforcement requests to improperly spy on users. Tech companies have built massive databases of our information and a bunch of tools to organize and access that data — all of which is seemingly agnostic. But in the wrong hands, accessed by the wrong people, that information can be weaponized and used for malicious purposes.
That is what makes schemes like the Saudi spying operation so troubling. Government-sponsored spying occurs regularly, and there are an estimated 10,000 spies living and operating in Washington D.C., according to the International Spy Museum. But government agencies and operations are aware of these threats and better equipped to deal with them through thorough background checks and varying levels of security clearance that ensure information remains only accessible to those who can be trusted with it. Tech companies don't have the same concerns as a government, which could make them susceptible to these types of espionage efforts. These firms are heavily reliant on workers who come from outside of the United States — more than half of Silicon Valley workers are foreign-born, according to the Silicon Valley Competitiveness and Innovation Project Report. That shouldn't be taken as an excuse to cut off those workers — the vast majority of whom are doing their job and seeking opportunities for themselves and their families. But it does open up these companies to the potential of spying efforts.
American corporations, because of the massive amount of data they hold — not just on American citizens, but people around the world — have increasingly become targets of hacking efforts. North Korea targeted Sony in 2014 and made a point to release massive amounts of emails and other personal information after infiltrating the company. Earlier this year, reports started to surface that the 2017 hack of credit reporting bureau Equifax, which resulted in more than 143 million Social Security numbers and other sensitive information being stolen, may have been the work of nation-state actors. A U.S. intelligence official suggested to CNBC that it's possible a foreign government was behind the attack and is using the information for its own purposes, which would explain why the data hasn't been released online more than two years after the hack occurred.
The more information that these private corporations hold — and they hold an incredible amount of information ranging from personal details to private communications to location information — the more likely it is they may become targets of hacking or spying schemes. Within the cybersecurity and information security business, it's often said that humans are the weakest link in the security chain. If these companies continue to fail to account for that, either by falling victim to spying operations or by allowing employees to access information they should never be able to see or interact with, then it seems likely that the recent Twitter spying scandal will not be the last of its kind.