Twitter’s lax account security should give pause to online activists

One reason I write this newsletter about social networks is to cover the new and exotic methods that state actors employ to bend the public to their will. Much of the conversation over the past two years has been around “troll farms” or “troll armies” — essentially, remote workforces that attempt to wreak havoc from their laptops on targets around the world.

On Saturday we learned of a much more disturbing — and in-person — method of social media hacking. Katie Benner, Mark Mazzetti, Ben Hubbard and Mike Isaac had the tale of Ali Alzabarah, a Twitter engineer recruited by Saudi Arabia to use his position to identify government critics:

Twitter executives first became aware of a possible plot to infiltrate user accounts at the end of 2015, when Western intelligence officials told them that the Saudis were grooming an employee, Ali Alzabarah, to spy on the accounts of dissidents and others, according to five people briefed on the matter. They requested anonymity because they were not authorized to speak publicly.

Mr. Alzabarah had joined Twitter in 2013 and had risen through the ranks to an engineering position that gave him access to the personal information and account activity of Twitter’s users, including phone numbers and I.P. addresses, unique identifiers for devices connected to the internet.

Perhaps it had previously occurred to you that state actors would attempt to recruit engineers and other social-network employees as spies. I spent less time thinking about it than I probably should have! In any case, it’s chilling, and had real-world consequences. Alzabarah — who was fired, and now reportedly works for the Saudi government — accessed dozens of accounts, as part of a wide-ranging effort to identify the kingdom’s most influential critics and intimidate them into silence.

Another part of this effort involved the consulting company McKinsey, best known as the place where your college friends spend two lazy postgraduate years before business school. As the New York Times reported, McKinsey assembled a 9-page report on the Saudis’ behalf naming prominent Saudi dissidents. One of the men named was arrested, along with two of his brothers, and the account of an anonymous critic was shut down. (McKinsey denied everything, rather weakly.)

Facebook has spoken often in the past about the strict controls it places around user accounts in an effort to thwart the kind of attack that Alzabarah mounted. Every time a user’s data is accessed, Facebook logs which employ did so, and regularly audits the logs looking for suspicious behavior.

At Twitter, things are much looser. Perhaps you have forgotten the time that a contract worker briefly deactivated President Trump’s account; I sure haven’t. Here is the seriousness with which Twitter takes account security, from my story last year:

In the wake of Trump’s account deactivation shortly before 10PM ET on Thursday, former employees gathered in a private Slack that they use to discuss the company’s travails. The rogue employee, who has not been identified, was an immediate source of fascination. “We’re now referring to this individual as ‘the legend,’” one former employee told The Verge. At the same time, the former employee was not surprised by the incident. “People have ‘dropped the mic’ in the past and deleted accounts, verified users, and otherwise abused their power on the last day,” the employee said. In each case, the employee said, the abuse was caught quickly and did not become public.

These “mic drops” were possible because of the broad availability of customer support tools inside Twitter. The company won’t say how many people have access to the tools necessary to deactivate an account like Trump’s — and after today, the number is likely much lower. But up until now, as many as hundreds of people have had access to the tools, which let employees see a broad range of information about the account. The access does not allow employees to send tweets from other users’ accounts, or to read a user’s direct messages.

The man was eventually revealed to be a German citizen named Bahtiyar Duysak. He said that he had made a mistake. Still, when considered in light of the Times’ story about spying, it ought to give pause to the large group of people who use Twitter as a tool for activism.

It ought to give pause to other social networks, as well. I asked around for other public cases in which a social network had caught a spy in its ranks, and came up empty. But it’s a safe bet that others have attempted the playbook that the Saudis have, and possibly succeeded — at Twitter and elsewhere. For activists who risk their freedom when they tweet, it’s a chilling reminder to take extra steps to protect their identities, lest they wind up in the next McKinsey report. And for Twitter, it’s another major embarrassment in a year that has had too many of them.

Michel ColaciComment