Users “could claim a basic right to privacy violation, just as if someone had trespassed into your house and taken a photo of you in your bathroom,” attorney Matt Bilinsky says
Twitter could soon be dealing with fresh legal and regulatory issues after two former employees were charged with spying on behalf of the Saudi government.
The details, included in a court filing in San Francisco on Wednesday, are alarming: One former employee, Saudi native Ali Alzabarah, is accused of accessing the personal information of more than 6,000 users; another ex-employee, U.S. citizen Ahmad Abouammo, is accused of spying on three Twitter users on behalf of the Saudi regime. Both men targeted critics of the Saudi government and, in particular, Crown Prince Mohammed bin Salman, between 2014 and 2015.
The private user information allegedly accessed by the two men included “email addresses, phone numbers, IP addresses, and dates of birth,” according to the U.S. Justice Department. “This information could have been used to identify and locate the Twitter users who published these posts.”
It’s unclear what role Twitter played in the Justice Department and FBI’s investigation, although some Twitter employees did speak with the FBI, according to the court filing. It’s also unclear if Twitter alerted the thousands of users who had their accounts unwittingly compromised; a Twitter representative did not comment to TheWrap on whether the company had informed its users.
If those users who were allegedly spied on are alerted, they could have a legal case to bring against Twitter.
“You could claim a basic right to privacy violation, just as if someone had trespassed into your house and taken a photo of you in your bathroom when you had a reasonable expectation of privacy,” Matt Bilinsky, a media-focused attorney with Weinberg Gonser LLP, told TheWrap. “You could theoretically sue on those grounds.”
Another route these users could take is suing for having their data breached. But this is a legal gray area, Bilinsky said, because it’s difficult to prove a user has been damaged directly. That might be easier to argue in this instance, however, when you consider the murder of Jamal Khashoggi, a prominent critic of the crown prince, last year. In other words: A user could argue they’re in danger because the Saudi government has access to their location and personal information.
These cases wouldn’t be slam dunks, Bilinsky said, but they’d have a much better chance of winning than they did four years ago. That’s because the public has grown more skeptical of tech giants like Twitter and Facebook in recent years, following countless stories on Russian misinformation campaigns during the 2016 election and the Cambridge Analytica data leak.
“The alleged malfeasance occurred in 2015, nearly five years ago. People are going to view this through the lens of contemporary issues,” Bilinsky added. “2015 was a far more hospitable atmosphere for social media companies. Now, you’re not just talking about whether or not privacy laws were violated, you’re talking about how significant the repercussions will be.”
Twitter was aware, to some extent, that something was amiss, according to the U.S. government. The court filing said managers confronted Alzabarah in early December 2015 regarding his unauthorized access to private user data. (Neither Alzabarah, an engineer, nor Abouammo, a media partnerships manager, was authorized to view private user data as part of their roles.) Alzabarah admitted he had accessed the accounts, “but stated that he did so simply out of curiosity,” according to the court filing. The next day, he left the U.S. and returned to Saudi Arabia, with the help of his Saudi handler, according to the suit.
“We recognize the lengths bad actors will go to try and undermine our service. Our company limits access to sensitive account information to a limited group of trained and vetted employees,” a Twitter rep told TheWrap on Wednesday. “We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable. We have tools in place to protect their privacy and their ability to do their vital work. We’re committed to protecting those who use our service to advocate for equality, individual freedoms, and human rights.”
All Tech Is Human founder David Ryan Polgar, who writes about tech ethics, said Twitter should enlist a third-party firm to investigate whether other employees have inappropriately accessed user data following Wednesday’s charges.
“The push lately around data responsibility has to do with being open and transparent about its use and potential misuse and who is really seeing this data,” Polgar said. “Anytime you have a situation where the data is viewed by actors outside the reasonable expectations of the user, then [the social media company] would have an obligation to reach back out and let the user know that’s something that was seen.”
He added: “You would certainly want to know if you’re on someone’s radar, considering the sensitivities and security issues around Saudi Arabia.”
Twitter declined to comment on whether it was considering an internal investigation.
Simply from a PR standpoint, it wouldn’t be a dumb idea, either. The charges came at a time when Silicon Valley is facing remarkable pressure from lawmakers and regulators. Facebook, in particular, has received extra attention, after it admitted last year that up to 87 million users had their profiles unknowingly accessed by Cambridge Analytica. The social network ended up reaching a $5 billion settlement with the FTC in July over its mishandling of user data. At the same time, 2020 presidential hopeful Elizabeth Warren has called for the breakup of several tech giants, including Facebook and Amazon.
This espionage story could exacerbate Silicon Valley’s regulatory concerns even more, Bilinsky said. New legislation, imposing stiff penalties on companies that misuse data — even if it’s only a few rogue employees involved — isn’t out of the question in the current environment.
“The timing” for Twitter, Bilinsky said, “is really bad.”