Saudi Twitter Spy Given Over 3 Years in Prison

Twitter is rarely out of the news these days, but this story highlights known security and privacy problems with the social media business that rarely receive as much attention as they deserve despite being the subject of whistleblowing revelations from Twitter’s former Chief of Security. Last week a Saudi Arabian spy and Twitter employee named Ahmad Abouammo was sentenced to 42 months of prison in the USA on charges of acting as a foreign agent as well as conspiracy, wire fraud, international money laundering and falsification of records in a federal investigation. In addition to the prison sentence, the authorities have confiscated USD242,000 as the proceeds of crime.

The Crimes of Abouammo and His Saudi Paymasters

According to a Department of Justice (DoJ) press release, US resident Abouammo was employed at Twitter’s offices as their Media Partnerships Manager for the Middle East and North Africa region.  Twitter policies required employees to protect user information, disclose conflicts of interest and report gifts from those doing business with Twitter.  The evidence demonstrated that Abouammo was paid by officials from the Kingdom of Saudi Arabia (KSA) to access the Twitter accounts and provide information about dissidents they targeted. As the press release explained:

The official of the KSA was head of the “private office” of a royal family member who, during the relevant time, was a Minister of State and then became the Minister of Defense and Deputy Crown Prince.

A KSA official met with Abouammo in London in December 2014, and gave him with a luxury Hublot watch that Abouammo later attempted to sell for USD42,000. Following this meeting, Abouammo began repeatedly accessing private information about several Twitter accounts, including an influential user who was critical of the Saudi government and royal family. Abouammo visited Lebanon in February 2015, after which a bank account was opened in the name of his father in Lebanon. Abouammo had access to that account, which was used to collect a USD100,000 payment from Saudi officials in February 2015. This money was laundered by Abouammo through a series of falsely described small wire transfers to the USA. When Abouammo left Twitter for other employment, the account received another USD100,000 payment soon after, accompanied by a note from the official apologizing for the delay in making payment.

Federal Bureau of Investigation (FBI) agents interviewed Abouammo in October 2018. They asked about his involvement with the KSA officials but Abouammo provided false information and a false invoice for one of the payments he received.

Who Paid Abouammo?

Associated Press reported that this is the first time Saudi Arabia has been accused of spying in the USA. Previous court documents name Abouammo’s Saudi contact as Bader Al-Asaker (pictured). Al-Asaker reportedly fled from the USA to Saudi Arabia in order to evade justice, along with two Twitter employees, Ali Alzabarah and Ahmed Almutairi, who were recruited to keep supplying information after Abouammo left. Ali Alzabarah was accused of accessing the personal information of more than 6,000 Twitter accounts on behalf of Saudi Arabia.

Al-Asaker is no minor bureaucrat. In 2020, Arabian Business included him in a list of 24 described as ‘the most powerful people in Saudi Arabia’. CNN describes him as a close adviser to Saudi Arabian Crown Prince Mohammed bin Salman. He has been variously called the Director of Mohammed bin Salman’s private office and the CEO of the Crown Prince’s charity, MISK. He used to consort with some of the richest and most influential Americans, including former New York Mayor and US Presidential hopeful Michael Bloomberg, though now he seemingly avoids visiting places where he might be arrested for his part in these crimes.

So whilst the DoJ refers to ‘a royal family member’ being ultimately behind the spying, this is an indirect way of referring to the ruler of Saudi Arabia, Mohammed bin Salman.

The Consequences of Twitter’s Failures

The Saudi authorities used inside information from Twitter to persecute their critics. Per the Guardian:

In one case believed to be connected to the breach, a Saudi court sentenced an aide worker named Abdulrahman al-Sadhan to 20 years in prison following allegations that he used a popular anonymous parody account to mock the Saudi government.

Spyware made by Israel’s NSO Group has been blamed for intercepting Whatsapp messages and monitoring of the movements of murdered Saudi journalist Jamal Khashoggi, but it is possible that information taken from Twitter was also a factor. Turkish media reported that Maher al-Mutrib, who led the Saudi operatives that murdered Khashoggi, called Asaker four times during that operation.

Per the Gulf Centre for Human Rights, Areej Al-Sadhan, the sister of Abdulrahman Al-Sadhan, was shown a list of Twitter targets during Abouammo’s trial. The list was…

…compiled in 2015 by the crown prince’s aide, Bader Al-Asaker of ten Twitter handles that he wanted Abouammo to track. One of them was her brother Abdulrahman, and another was Omar Abdulaziz, a friend of [Jamal] Khashoggi.

But what of the consequences for Al-Asaker? He may not engage in as much international travel as previously, but he has not even been suspended from Twitter, where he has over 2 million followers and pushes out prolific amounts of propaganda on behalf of Mohammed bin Salman.

An Established Pattern of Privacy Abuses

Many independent reports state that Saudi Arabia has purchased mobile phone surveillance software and engages in extensive surveillance of perceived opponents of the ruling regime, irrespective of where they live. KSA is said to have operated Reign, as developed by Israeli company Quadream, as well as Pegasus by NSO Group.  Reign’s capacity to break into phones using zero-click technology is similar to that of Pegasus.  These tools can reportedly hack a target phone without the user clicking on a malicious link, can eavesdrop through the microphone, extract stored messages, photos, videos and emails, and can turn it into a tracking device.

In 2020, dozens of Qatari-based journalists who work at Al Jazeera were targeted by advanced spyware.  Citizen Lab at the University of Toronto said it traced malware that infected the personal phones of 36 journalists, producers, and executives at Al Jazeera back to the NSO Group. The investigators discovered that iMessages were infecting targeted mobiles without the users taking any action.  The malware then used push notifications which instructed the mobiles to upload their content to servers linked to NSO Group.

These are not isolated incidents. In August 2022, the Guardian reported that the High Court in London ruled that Saudi dissident Ghanem Al-Masarir’s case, which also relates to phone hacking using Pegasus software, can proceed against the Saudi government. The court dismissed the Saudi government’s argument that it was protected by sovereign immunity.

Twitter and Its Obligations

The New York Post reported that Twitter, recently acquired by Elon Musk, did not immediately respond to requests for comment.  I think we should hear from Twitter, particularly in light of other information they reported:

The attorneys also said Abouammo’s actions paled in comparison to those of Ali Alzabarah, another ex-Twitter employee, who was accused of accessing thousands of Twitter accounts on behalf of Saudi Arabia. Alzabarah left the United States before being charged.

From Engadget:

Two other men were charged in the scheme. Ali Alzabarah, a Saudi citizen, is another former Twitter employee who prosecutors say acquired personal info for over 6,000 accounts, including that of high-profile dissident (and Jamal Khashoggi ally) Omar Abdulaziz. A third man, Ahmed Almutairi, was also charged but didn’t work at Twitter. Instead, he allegedly served as a contact between Twitter staffers and the Saudi government. Of the three, only Abouammo was in the US to face charges.

It is difficult for Twitter to be impartial about Saudi illegality because another Saudi royal is their second-biggest shareholder. Prince Al Waleed bin Talal Al Saud owns 95 percent of Kingdom Holding Company, which first invested in Twitter by buying a USD300mn stake in 2011, five years after the platform’s launch. In 2015, when Al-Asaker was instructing Twitter insiders to spy on Saudi dissidents, and Twitter founder Jack Dorsey returned as CEO, Kingdom Holding’s Twitter stake was doubled to 5.2 percent.

Al Waleed originally opposed Musk’s takeover, to which Musk responded by tweeting “What are the Kingdom’s views on journalistic freedom of speech?”

However, Musk needed to come to an accommodation with investors who could easily damage the value of the company by dumping their shares or by opposing his changes. A 26th October filing with the Securities and Exchange Commission revealed that Musk, Al Waleed and Kingdom Holding Company had entered into an agreement that would maintain the Saudi stake at around 4.6 percent.

Twitter has failed to protect its users. It will be impossible to gauge what harm may have come to the 6,000 users whose accounts were allegedly compromised by Alzabarah. Enough suffering has been caused by Abouammo’s proven abuses. Much has been made of the risk that Twitter may fail because it sacked many employees following Musk’s takeover. These events show that having many employees whose actions are not monitored can represent just as great a risk. Keep that in mind when reviewing each new story about Twitter’s internal problems, and when contemplating what could go wrong within your own business.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.