Twitter spy case highlights risks for big tech platforms

WASHINGTON: The allegations of spying by former Twitter employees for Saudi Arabia underscore the risks for Silicon Valley firms holding sensitive data which make the platforms ripe for espionage.

The two Saudis and one US citizen allegedly worked together to unmask the ownership details behind dissident Twitter accounts on behalf of the Riyadh government and royal family, according to a federal indictment.

Analysts say the incident shows how massive databases held by Silicon Valley giants can be juicy targets for intelligence agencies, which can often apply pressure to company insiders.

“The Twitter case shows how data is not only an asset but a liability for companies,” said Adrian Shahbaz, research director for technology and democracy at the human rights group Freedom House.

“For companies collecting massive amounts of data, the challenge is how to keep it secure not only from hackers, but from rogue employees.”

Shahbaz said platforms such as Twitter and Facebook remain important tools for human rights activists, but that users should be aware of potential for data leaks -- both in their countries, and from insiders.

“It’s been alarming to see how governments using tactics to exploit the inherent weaknesses of the internet... go after people expressing dissent,” he said.

“It’s a constant cat-and-mouse game between users and very well-resourced governments.”

Bruce Schneier, a security researcher and fellow at Harvard University’s Berkman Klein Centre for Internet & Society, said it is not surprising to see governments targeting databases of tech platforms.

“We all assume it happens a lot. But this (prosecution) rarely comes up,” Schneier said.

Schneier said there have long been fears about Chinese or Russian insiders pressured to introduce vulnerabilities in major software platforms, and that companies may be ill-equipped to thwart those efforts.

“The government of Russia versus Twitter is not a fair fight,” he said. “It’s hard to blame the tech companies.”

Because major tech firms have engineers from all over the world, Schneier said it enables intelligence services to seek out and pressure their expats for espionage purposes.

The case highlights the potential for insider threats, said James Lewis of the Centre for Strategic and International Studies in Washington.

“Insider threats go back to biblical times,” he said, noting that the suspects were probably caught because they “did a terrible job of covering their tracks.”

According to an indictment unsealed on Wednesday, US citizen Ahmad Abouammo and Saudi national Ali Alzabarah were recruited in 2014-2015 to use their positions in Twitter to gain access to private information related to accounts of critics of Riyadh.

Ahmed Almutairi, a marketing official with ties to the royal family, was a critical go-between who arranged contacts, prosecutors said.

Twitter said in a statement it restricts access to sensitive account information “to a limited group of trained and vetted employees.”

But John Dickson, a former US air force information warfare officer who is now with the security consultancy Denim Group, said private companies, even in Silicon Valley, are not equipped to for background checks needed to find potential spies.

“Most employers do cursory background checks for the most obvious stuff such as criminal records or bankruptcy,” he said.