Saudi recruitment of Twitter workers reflects insider risks

AP Riyadh
Last Updated : Nov 08 2019 | 10:50 AM IST

Allegations that two former Twitter employees spied on users for the Saudi government have spotlighted the threat posed by insiders who exploit their access to the mountains of sensitive data held by tech companies.

The Twitter case adds an alarming international dimension to the longstanding problem of rogue employees who steal information or snoop on others.

"It's stupid to think foreign intelligence services would spend tens of millions trying to hack a company like Twitter when they can pay less than USD 100,000 to bribe employees," cybersecurity expert Robert Graham of Errata Security said Thursday.

Detecting insider access isn't easy, despite the availability of tools to do so, experts say. Yet the wealth of data that these companies hold has turned them into lucrative targets.

Companies that provide email, social media, search and other services have troves of personal data, including users' location, hobbies, political views and connections to other users.

Many services also have users' private emails and other conversations.

While activists fearing repercussions might use a pseudonym in public posts, that's ultimately tied to a real account.

An employee can look up the email address or phone number used to sign up and the locations used to access the app.

The coordinated spying effort unveiled Wednesday included the user data of over 6,000 Twitter users, including at least 33 usernames for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter, investigators said.

Most big tech platforms already take measures to prevent employees from abusing their position to spy on a crush they saw on Tinder.

Detecting well-instructed moles working for foreign governments is a "whole different kind of problem" because they may be cannier about what data they access and how to justify it, said John Scott-Railton, a researcher with the internet watchdog Citizen Lab.

He said companies can erode collaboration and trust if they put up too many silos, but they become a target if they put up too few.

Wednesday's federal complaint in San Francisco alleged that the Twitter employees were able to access the private data, including a user's email account, despite holding jobs that didn't require access to Twitter users' private information.

That violated company policy, according to the complaint.

Ahmad Abouammo and Ali Alzabarah were charged with acting as agents of Saudi Arabia without registering with the US government.

Prosecutors say they were rewarded by Saudi royal officials with a designer watch and tens of thousands of dollars funnelled into secret bank accounts.

Twitter said in a statement that it "limits access to sensitive account information to a limited group of trained and vetted employees," but declined to elaborate on how the breach described by prosecutors happened.

A year ago, after reports first surfaced of Twitter insiders targeting Saudi dissidents on the platform, the company said that "no other personnel have the ability to access this information, regardless of where they operate."

"Very few organisations can do it right, even sophisticated ones like the NSA or the CIA."

Disclaimer: No Business Standard Journalist was involved in creation of this content


First Published: Nov 08 2019 | 10:50 AM IST
