2 Ex-Twitter Employees Charged With Spying For Saudi Arabia

Nov 7, 2019
Originally published on November 7, 2019 10:29 am
Copyright 2019 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

The relationship between the U.S. and Saudi Arabia could get a little more awkward. The Department of Justice yesterday charged two former Twitter employees with spying for the kingdom. Working within the company, the two could access private information about Saudi dissidents. According to reports, one of those dissidents included an associate of Jamal Khashoggi, The Washington Post journalist and critic of the Saudi government who was murdered by Saudi agents. The U.S. government is charging the two former Twitter employees and a third person, a Saudi, who worked as a go-between.

Our next guest believes that Twitter itself bears some responsibility in this. His name is Mike Chapple. He is currently with the University of Notre Dame. He previously was a computer scientist with the National Security Agency. Thank you so much for being with us.

MIKE CHAPPLE: Good morning, Rachel. It's good to be with you.

MARTIN: Should Twitter have known that two of its employees were spying for a foreign power?

CHAPPLE: Yes, absolutely, Rachel. I think - you know, Twitter is certainly a victim here in that they were targeted by their own employees who were abusing their privileges. But as a modern digital organization, Twitter really had a responsibility to make sure that their resources weren't being misused. So I think that there's responsibility on both sides here.

MARTIN: Is there any indication that Twitter did know?

CHAPPLE: There's not. And you know, one of the interesting things, when you look at this indictment that was unsealed yesterday - this is all coming to us in 2019, and all of the activity that took place here was from 2015. So there's really this kind of dead period where we don't really know who knew what when and how this eventually came to light.

MARTIN: Can you remind us of what we know about what these two employees did exactly for Twitter? I mean, what kind of access did they have?

CHAPPLE: Well, so that's a really important part of the question here, right? We're looking at this - it's really a classic tale of espionage, where the - Twitter had information that the Saudi government wanted about these dissidents. And the Saudi government went and recruited these employees to help obtain that information without Twitter's permission.

So the employees they went after had access to this information but maybe shouldn't have. One of them was a media partnerships manager, and the other was a site reliability engineer. So these are roles that don't usually deal with personal user information. But because of the way Twitter systems were set up, both of those employees had access to go in and get really sensitive personal information - email addresses, IP addresses, geographic locations that users access Twitter from. And they abused those privileges to get this information about, in one case, a handful of Twitter users. And in the case of the engineer, he accessed over 6,000 Twitter users' information on behalf of Saudi Arabia.

MARTIN: Well - and at least one of those former Twitter employees had done work previously for the crown prince of Saudi Arabia. At this point, though, how do you hold Twitter accountable? I mean, I guess it's in how consumers respond.

CHAPPLE: That's right. There's - here in the United States, we don't really have a comprehensive privacy law. There are such laws in the European Union and elsewhere. But without having a law that says personal information of all types needs to be protected, I don't know that there's really any recourse that the U.S. government has against Twitter. And instead, they have to go after the two employees who abused their privileges and stole this information.

MARTIN: But I imagine it makes other big tech companies - I mean, they're reading this news, and they've got to be nervous today.

CHAPPLE: I think that's right. I think there are a lot of people in Silicon Valley this morning who are checking their own records and trying to see if there were similar types of activity taking place against them.

MARTIN: Mike Chapple, former computer scientist with the National Security Agency, now at the University of Notre Dame. Thank you so much for your time.

CHAPPLE: Thanks, Rachel.

Transcript provided by NPR, Copyright NPR.