The Justice Department this week charged two former Twitter employees with accessing the firm’s data on more than 6,000 users. One account belongs to Omar Abdulaziz, a high-profile dissident who lives in asylum in Canada, and the description of another matches an anonymous critic of corruption who tweets under the handle @Mujtahidd. The architect of the Saudi regime’s aggressive online repression operation once hinted that authorities had ways to unmask online gadflies who were using pseudonyms for protection. We now know at least one of those ways.
The story rings an alarm about Saudi Arabia’s reach, but it also provides a more general warning to technology companies sitting on stockpiles of sensitive personal information. Security professionals across industries see insider threats as a rising concern, and Silicon Valley has hardly been a stranger to the risk. Vice has reported on Myspace employees harnessing a tool called “Overlord” to read users’ messages and passwords back in that platform’s heyday; Snapchat employees have allegedly snooped on saved photos and location information; a Yahoo software engineer recently pleaded guilty to tracking down private photos of women.
These sorts of compromising pictures could prove valuable to governments who hope to pressure a dissident out of dissenting, and a trove of behavioral data on U.S. voters would be a boon for any leader seeking to influence or to interfere. Foreign nationals have been accused of stealing before; the FBI accused Chinese engineers twice in the space of six months of sneaking away secrets on autonomous vehicles. Employees who attack companies from within need not be professional spies. Many laymen working overseas have family back at home, and an incentive to do what a notoriously demanding — and punishing — ruling party asks.
Technology companies aren’t national defense agencies with extensive built-in background checks for neatly defined levels of security clearance. We probably don’t want them to be, for fear it could shut out some of the brightest minds based merely on where they come from. But keeping data private unless someone’s job requires access is essential, and so are strategies to detect abnormal activity by employees on company networks along with logs to track who is looking at what. This is an issue Silicon Valley firms should prove they have a handle on, lest the next Cambridge Analytica break out — this time from within.