What Happened
On November 5, the U.S. Justice Department filed a criminal complaint against two former Twitter employees and an accomplice, alleging that they had violated 18 U.S.C. § 951 by acting as agents of a foreign government without notifying the U.S. Attorney General. The complaint alleges that the former employees, Ali Alzabarah and Ahmad Abouammo, acted at the direction of the Saudi government. Their intermediary, Ahmed Almutairi, is a Saudi citizen who came to the U.S. on a student visa and resided in the U.S. from August 2014 to May 2015. He controls a social media company in Saudi Arabia that performs work for the Saudi Royal Family, including “Royal Family Member-1,” presumed to be Crown Prince Mohammad Bin Salman.
Alzabarah, a citizen of Saudi Arabia, received a computer science degree in the U.S. and worked for Twitter as a site reliability engineer from around August 2013 to December 2015. Abouammo, a U.S. citizen, was a media partnership manager responsible for the Middle East and North Africa regions for Twitter. The Complaint states that both employees had access to proprietary and confidential Twitter information about Twitter users, including email addresses, birthdates, phone numbers, and Internet protocol (IP) addresses.
The Complaint details how the employees accessed Twitter data pertaining to accounts believed to be held by dissidents or critics of the Saudi government and provided information about them to the Saudi government. Abouammo was also charged with violating criminal statute 18 U.S.C. § 1519 for destruction of records related to the investigation.
According to the Complaint, both employees were required to agree to comply with the Twitter “Playbook” that sets forth employee policies, and they signed confidentiality agreements. In addition, they had employment contracts that prohibited them from performing outside work, consulting, or engaging in any conduct that would create a conflict of interest for Twitter.
From December 12, 2014 to May 22, 2015, Abouammo accessed confidential account information on three users; two of them were prominent critics of the Saudi government. On May 22, 2015, Abouammo resigned and moved to Seattle, but continued to contact Twitter employees on behalf of the Saudi government. Alzabarah picked up this dirty work and accessed user information on at least 6,000 user accounts from May 21, 2015 through November 18, 2015, including the two accounts Abouammo had focused on. Saudi law enforcement had previously submitted emergency requests to Twitter on 33 of these accounts. The FBI noted in the Complaint that one of the accounts belonged to a well-known critic of the Saudi government who has asylum in Canada, which the Washington Post identified as Omar Abdulaziz, a close friend of Jamal Khashoggi.
Alzabarah also had access to highly sensitive account information such as “all recent IP address information, device used, user-provided biographical information, logs that contained the user’s browser information, and a log of all of a particular user’s actions on the Twitter platform at any given time.” The Complaint noted that he provided more information to the Saudi government than Twitter would have provided to them in response to an emergency disclosure request by law enforcement.
It is bad enough that these employees seemed to have unfettered access to such confidential Twitter account data, but – hold on – Alzabarah even accessed the data remotely while he was in Saudi Arabia between July 11 and August 14, 2015. Moreover, he went on leave, was gone a month, and then reported his absence to Twitter upon his return. The Complaint indicates that Twitter retroactively approved his “personal leave.”
According to the Complaint, Twitter and Abouammo’s supervisor noted that, “Abouammo had no legitimate business use as Media Partnerships Manager for accessing users’ account information, and doing so would have been a violation of the company’s policies.” With respect to Alzabarah, the Complaint notes that a Twitter Security Engineer told the FBI that although Alzabarah may have had some grandfathered access through an internal Twitter tool called Profile Viewer, “he had no legitimate business purpose as a Site Reliability Engineer to access user accounts.”
The Washington Post reported that on December 2, 2015, Twitter confronted Alzabarah about accessing user account data and placed him on leave. That same day, Alzabarah, his wife, and daughter flew from San Francisco to Saudi Arabia. During the flight, he sent an email to Twitter resigning his position, which Twitter received on December 3.
The Washington Post reported that Abouammo was arrested in Seattle. The intermediary, Almutairi, is also presumed to be in Saudi Arabia. Omar Abdulaziz has sued Twitter for failing to notify him that his account had been compromised in 2015 by Alzabarah.
Is Twitter to Blame?
The bottom line: Abouammo had 5.5 months of unfettered access and Alzabarah had it for six months. People may have been arrested, tortured, or killed as a result of the information these employees provided to the Saudi government. Who is to blame? In my opinion, this mess is at Twitter’s feet due to:
1. A lack of adequate cybersecurity controls; and
2. Poor governance by Twitter management.
Inadequate Cybersecurity Controls
Simplistically, cybersecurity programs are supposed to meet the control requirements set forth in information security best practices and standards and incorporate operational criteria, compliance requirements, and risk management. This consists of a comprehensive set of policies and procedures, the performance of specific activities, technical configurations and settings, and the use of various technologies.
Based on the Complaint and information reported, it seems that:
· Twitter did not have adequate access controls in place to restrict access to such sensitive data.
· Twitter’s system allowed personnel to access confidential user account information even though they were not authorized to do so.
· Twitter was not monitoring access to this highly confidential account data or analyzing user activity logs for this data.
· Twitter was not utilizing commercial tools that detect unauthorized or anomalous behavior by employees or rogue insider activities with respect to this data or, if they were, they were not reviewing the reports of these tools.
· Twitter was not restricting remote access to this sensitive account data, even by an employee who had gone absent from the workplace for a month.
· Twitter was not enforcing its policies and confidentiality agreements.
· Twitter had lax internal procedures regarding responses to emergency disclosure requests from an authoritarian regime.
· Twitter’s incident response procedures were lacking, since it apparently did not (a) conduct much of an internal investigation when it discovered Alzabarah’s unauthorized access to the user account data, or (b) engage law enforcement. It simply confronted him, put him on leave, and let him walk off to get on a plane and leave the country.
· Most importantly, the user account data appears not to have been encrypted. Had it been encrypted, these two rogue insiders would not have been able to see the account information unless they were accessing it using stolen credentials.
Where Are The Cybercrime Charges?
It seems strange that the Complaint does not include charges against the two former employees for violating 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA). The Complaint details a year of unauthorized access to the Twitter user account data and disclosures to Saudi officials.
The Complaint notes that, “Since December 2015, Twitter has enhanced its controls and permissions to restrict access to user information only to those whose duties require access.” This may mean that prior to December 15, 2015 – when the two employees were prowling through account data – the Twitter access control policies and procedures were so lax that the Justice department thinks it may be difficult to prove that their access was actually “unauthorized” under the CFAA.
Cyber Governance
Governance of information security requires specific actions by boards and executives to manage cyber risks, maintain good compliance programs, and protect the company’s operations, reputation, and bottom line. During the time these employees were running amok, Twitter did not seem to have good governance practices in place to achieve these goals. It appears that:
· Strict controls on access to sensitive user account data were not a metric that was reported to management.
· Management did not have a clear process for investigating serious policy violations and reporting illegal conduct to authorities, such as the use of sensitive account data to conduct surveillance at the behest of an authoritarian government.
· Emergency disclosure requests from foreign governments were not subjected to strict procedures and legal review.
· The Twitter board and management seem not to have strong cyber governance. They had put few or no controls in place to detect abuses by insiders and ensure that their technology or data was not being used by authoritarian regimes to repress users.
Twitter has a heavy responsibility to protect the privacy of its users. Irrespective of any legal obligation, there is certainly an expectation of privacy by its users. Twitter’s privacy policy specifically allows users to use a pseudonym instead of their real name. The company has 330 million monthly active users worldwide. Saudi Arabia ranks fourth in number of Twitter users, after the U.S., Japan, and U.K., but it has the highest percentage of Internet users who are active on Twitter.
The New York Times notes that Twitter serves as Saudi Arabia’s “Town Square” since the government bans dissent and criticism. The media is owned by the government and the country lacks any place for people to gather and discuss politics and events. Thus, Twitter serves as the country’s digital meeting place to exchange ideas and thoughts. Since the murder of Jamal Khashoggi, news reports have been plentiful, detailing Saudi crackdowns, forced returns of dissidents to Saudi Arabia, and government repression of activists and nonconforming members of the Royal Family. One can easily understand how valuable Twitter data would be to the Saudi government in squelching criticism.
The Regulator’s Role
Twitter was founded in 2006 and is now a New York Stock Exchange company with a current market cap of about $23 billion. The foregoing is simply inexcusable for a company that runs a social media platform that has 330 million users globally, many of them in countries with repressive governments and poor human rights records. The SEC needs to take notice.
Sadly, the lack of governance is a recurring theme among a newer breed of Silicon Valley tech companies, such as Facebook, Yahoo! (before Verizon acquired it), and Uber. To be fair, early entrants, such as Microsoft, Oracle, and eBay, have well established governance structures and processes. But soaring profits and market valuations have driven a single focus on profits following IPOs. The Securities and Exchange Commission (SEC) has done a miserable job at requiring new public tech companies to put in place good governance practices to protect investors and users. This needs to change.