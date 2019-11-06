Saudi Arabian officials allegedly paid at least two employees of Twitter to access personal information on users the government there was interested in, according to recently unsealed court documents. Those users were warned of the attempt in 2015, but the full picture is only now emerging.

According to an AP report citing the federal complaint, Ahmad Abouammo and Ali Alzabarah were both approached by the Saudi government, which promised "a designer watch and tens of thousands of dollars" if they could retrieve personal information on certain users.

Abouammo worked for Twitter in media partnerships in the Middle East, and Alzabarah was an engineer; both are charged with acting as unregistered Saudi agents — spies.

Alzabarah reportedly met with a member of the Saudi royal family in Washington, D.C. in 2015, and within a week he had begun accessing data on thousands of users, including at least 33 that Saudi Arabia had officially contacted Twitter to request information on. These users included political activists and journalists critical of the royal family and Saudi government.

This did not go unnoticed and Alzabarah, when questioned by his supervisors, reportedly said he had only done it out of curiosity. But when he was forced to leave work, he flew to Saudi Arabia with his family literally the next day, and now works for the government there.





The attempt resulted in Twitter alerting thousands of users that they were the potential targets of a state-sponsored attack, but that there was no evidence their personal data had actually been exfiltrated. Last year, The New York Times reported that this event had been prompted by a Twitter employee groomed by Saudi officials for the purpose. And now we learn there was another employee engaged in similar activity.

The cases in question are still open and as such more information will likely come to light soon. I asked Twitter for comment on the events and what specifically it had done to prevent similar attacks in the future. It did not respond directly to these queries, instead providing the following statement: