Twitter is being sued for letting Saudi spies inside the company
protocol.comWhether twitter was negligent or not the bigger lesson here is that you should assume every big tech company is compromised by every state that cares to do so. Don’t trust any company with compromising information. The bigger the company, the higher the chance that they employ a spy for your adversary.
Or assume that these censorship platforms are complicit and in-bed with national security apparatuses of their home countries and the close allies of their home countries.
“The suit also alleges that Al-Ahmed's Arabic-language Twitter account was suspended in 2018 and has not been reinstated despite multiple attempts at appeal, and accuses the company of keeping Al-Ahmed's account offline because of its interest in maintaining users in Saudi Arabia. "While Twitter may wish to play the victim of state-sponsored espionage, Twitter's conduct in punishing the victims of this intrigue, including Mr. Al-Ahmed, tells a far different story: one of ratification, complicity, and/or adoption tailored to appease a neigh beneficial owner and preserve access to a key market, the KSA," Randy Kleinman, the attorney for Al-Ahmed, wrote in the complaint.“
I'm sure this is true to a certain extent, but it'd be interesting to see how it varies in degree. For instance
* do some companies have good enough insider risk controls to make it expensive or risky to access particular kinds of sensitive data?
* not all nation state actors are equally well-resourced (and not all of them have equally large populations of computer science grads from which to recruit potential spies): is there a difference between what (say) KSA or Iran could get, vs US/UK/China/Russia?
Insider risk can be reduced, not eliminated. Let's say a company has more stringent checks than TS//SCI and pays employees that handle sensitive info well. People can always be turned, if not direct then indirect extortion through loved ones and family. You don't need that much money to develop an asset (it can be a lot but even the poorest nation would find it trivial).
If you can't get to data handlers then you can go after developers and the software supply chain. You have to understand, people can cooperate with threat actors without implicating themselves by getting paid or coerced to allow an intrustion (fall for a phish link or email, install seemingly legit software, insert a USB drivr they found in the parking lot,etc..). Worst case they get fired.
More importantly: stop giving your phone number and GPS position to services.
Your phone number is the same as your home address, because it is linked to same in a million databases.
How much do you trust Strava or Garmin with your data?
I don't need to. The GPS device from Garmin I have has no mobile connectivity. So it doesn't send data.
It's also pretty much impossible for a big tech company to filter against this during hiring without risking catastrophic discrimination suits.
That’s the big problem. It’s absolutely insane that tech companies can’t keep foreign nationals and people with foreign ties from sensitive positions.
I know what you are trying to say, but for many people outside the US, Facebook is a foreign tech company. What makes US nationals any better in safeguarding sensitive data/access about the companies customers than people from UK or Canada or Germany or Norway or Australia or New Zealand etc?
Should a tech company silo its data and operations so each country has its own independent unit? No, too infeasible and defeats the purpose for a lot of their services.
Well, the U.S. Government isn’t likely to steal IP from American companies. For things like customer data or encryption secrets, it’s also perfectly reasonable to avoid hiring former spooks.
The problem isn't just foreign nationals. There's plenty of CIA inside FAAMG.
It is always a mistake to use nationality as a proxy for trustworthiness.
Being a US person, personally I'm much more concerned with the negative impacts of US spies spying in the US than foreign spies spying in the US.
Foreign governments don't regularly go around mass murdering and torturing Americans the way the US government does.
Americans have a lot more to lose from CIA spying than they do from Saudi intelligence agency spying.
Please elaborate on what the insanity is.
You're kinda right, but on the other hand how I'll get visa and steal some faamg jobs if they'll not accept foreigners? /s
ok, just kidding, now serious take:
US population: 330kk
Rest of the World: 8kkk
Delta (8kkk-330kk)
Even if we assume that distribution of highly skilled people is not uniform (lack of decent higher edu places, harder access to computers/internet)
then you still lose shitton of outliers
edit.
ops I misread.
Are you using kkk as a unit prefix for billion? I've never seen that before. I can't say I would recommend the practice.
>Are you using kkk as a unit prefix for billion? I've never seen that before.
afaik it's pretty common within gaming communities
e.g
1k - 1 000 (of gold)
1kk - 1 000 000 (of gold)
1kkk - 1 000 000 000 (of gold)
>I can't say I would recommend the practice.
Oh, I just realized that somebody may think about other kkk...
damn, but with number in front of it it's just like yet another unit - I guess?
Not in any of the games I’ve played.
Why not use use m for million and b for billion? That’s the standard that everyone understands.
I see it rarely, but almost exclusively in games that feature exponential growth, like mobile idle games. Growth is so explosive that you typically entirely ignore the actual numbers, and you measure progress via orders of magnitude (i.e. my currency/second in the game is 5.6*10^47, I'd just call it 47).
The repeating k scale is better than m, b, t, etc because it still preserves a sense of scale. 2m does not look 1/1000000th the size of 2t. 2kk does look a lot smaller than 2kkkk. You can also still easily convert to real number by substituting each k with 3 0s.
And lastly, I don't know the letters going all the way up to 10^47th. That's nearly enough to wrap the alphabet twice, and it's not even that high for that style of game.
The scale is fine, it's just the letter that's unfortunate. M is the Roman Numeral for 1,000; they could just use that. The worst thing I can associate with any number of M's is someone enjoying their food entirely too much once you hit like 7 of them.
hmm, it's the same as e.g "Y2K problem"
>The Year 2000 problem, also known as the Y2K problem, Millennium bug, Y2K bug, Y2K glitch or Y2K error,
- https://en.wikipedia.org/wiki/Year_2000_problem
https://ell.stackexchange.com/questions/39370/what-does-k-me...
At least k stands for kilo, well known prefix for 1000 in sane systems. m or M also works for both million and mega. Albeit not perfect. After that everything breaks down...
We really should use more of SI units like Mg and Gg... Even Tg...
> afaik it's pretty common within gaming communities
Ah okay.
> Oh, I just realized that somebody may think about other kkk...
Well more just because (I thought) it is unusual it'd be hard to understand in a context where you hadn't made it obvious. Maybe I'm just out of touch!
Please elaborate on this impossibility and eluded catastrophes. Unless a candidate has a deep pocket and backers it is “impossible” to field a discrimination lawsuit based on a boilerplate rejection letter. If corporations were actually this scared of lawsuits, there would be no age ceiling in software hiring.
Twitter’s CEO is on the record being cozy with deep pocketed Saudi investors in Twitter. It was certainly not the fear of discrimination lawsuits that permitted Saudi agents gaining access to Twitter’s systems.
Discrimination is for protected classes.
The argument that being a victim of espionage constitutes per se negligence seems like a stretch.
For spies to exist at all, they need to fool whatever supervision is in place. For missing them to be negligence, it would have to be easy to prevent spying from happening.
When a warbler feeds a cuckoo chick and lets his own chicks starve, is that because he's a bad parent who could be fixed with a lawsuit, or is it just a fact about the ecosystem?
I have only read the article and not the text of the legal complaint, but according to the article, he is specifically not basing his complaint on them being a victim of espionage and is making more specific allegations:
> "While Twitter may wish to play the victim of state-sponsored espionage, Twitter's conduct in punishing the victims of this intrigue, including Mr. Al-Ahmed, tells a far different story: one of ratification, complicity, and/or adoption tailored to appease a neigh beneficial owner and preserve access to a key market, the KSA," Randy Kleinman, the attorney for Al-Ahmed, wrote in the complaint.
I have no idea if their allegations are correct, but the argument you're dismissing is explicitly not what they're saying.
The allegation you quote is not an espionage allegation. It's saying that because this activist's Twitter account received unfavorable treatment from Twitter, we should assume that the unfavorable treatment of his account is evidence that Twitter is an arm of the Saudi government, and therefore the separate incident involving espionage must have happened with Twitter's cooperation or at least without Twitter's objection.
Note that the quoted allegation does not even allege any misconduct on Twitter's part! The only purpose is to ask you to draw an adverse inference about what Twitter was thinking when they became the victim of espionage.
I didn't say it was an espionage allegation. It's quite possibly not. The quote alleges complicity among other terms. I don't know if that's legally a type of misconduct - my guess is that the legal terms for both are more precise and this is just the press release version. But in everyday parlance, calling someone complicit does suggest some active form of inappropriate knowing participation in something bad. Not necessarily in espionage specifically.
> But in everyday parlance, calling someone complicit does suggest some active form of inappropriate knowing participation in something bad.
Let's say this guy's Twitter account was shut down because Mohammed bin Salman personally called Jack Dorsey and asked for a favor. That would be complicity, in shutting down the Twitter account. It would not be complicity in espionage.
Agreed. Nothing you are saying is contradicting anything I am saying, nor anything in the quote we're discussing.
I'm not sure why you're spending so much time to emphasize that the quote in the article doesn't allege espionage by Twitter when nobody is claiming it does, but indeed we are in full agreement that it doesn't. (Having not read the legal complaint itself, I express no opinion on what that alleges.)
You used that quote to support that claim that he is not basing his complaint on Twitter being a victim of espionage.
That claim is incorrect. Your quote does not state a cause of action against Twitter. Its only purpose, in the lawsuit, is to support, through innuendo, the claim that Twitter was complicit in an espionage "attack" against themselves. The complaint is based only on the espionage incident.
The quote is mostly irrelevant, which is the type of support you'd expect this complaint to be able to muster.
That's what I'm saying.
You're misunderstanding the quote, from what another HN commenter said (in a way that makes sense to me). Whether it includes everything necessary to state a cause of action or is at all legally critical to the complaint is not a relevant consideration when lawyers are talking to the court of public opinion rather than to the court of law, as in this quite.
The espionage is something Twitter was unaware of, as was the status of the spies at Twitter. Nobody is saying that Twitter committed espionage. But if they knew that the employees were doing or enabling something severely shady (without knowing specifics) in a way that they should have investigated or mitigated more than they did, but chose not to investigate or mitigate for an inappropriate reason like wanting good commercial outcomes from Saudi Arabia, they're choosing to be negligent in stopping the thing from happening. This is easily described in a press statement as complicity in something, even if they didn't know the something is espionage. In other words they negligently facilitated a bad thing that to their surprise turned out to be espionage.
So if I understand how this quote fits into the allegations: according to the plaintiff, the plaintiff was a victim of the espionage by the spies and not by Twitter, but Twitter's negligence enabled the espionage and they should have known something wrong was facilitated by their choices, therefore Twitter indirectly contributed to the espionage against plaintiff without having committed espionage themselves. Since Twitter made the situation worse and met the bar of negligence regardless of knowing that the specifics involved espionage, they allegedly should be liable. (I am not citing laws here because, again, I have not read the complaint and don't know the specific relevant laws.)
So, yes, it's based on the espionage incident, and yes Twitter was probably a victim of the espionage as well. But the plaintiff's argument doesn't depend on Twitter's status as victim of the espionage.
I've already stayed up far later than I should tonight to reply to lots of rapid-fire text from you, so this is my last one for now and hopefully for this subthread at all. Good night and be well.
I get what you’re saying, but one way or another personal data twitter was entrusted with was leaked and people were murdered as a result. I don’t know if twitter was actually negligent here, but it seems worthwhile to find out through this law suit.
> but it seems worthwhile to find out through this law suit.
If Twitter could assess a huge penalty on the plaintiff for filing a frivolous lawsuit, maybe.
Otherwise, no. We already know that Twitter specifically tried to deal with one of these spies when he came to their attention, shortly before he escaped. There is no reason to believe that Twitter did anything wrong, and excellent reason to believe they didn't.
Lawsuits aren't cost-free; the off-chance that, against all expectations, you might find something that almost definitely isn't there is not a good reason to entertain one.
If Twitter could assess penalties this wouldn’t be a legal system. Courts and judges assess penalties. Companies can sue for damages but they don’t assess penalties.
With all due respect, this is the second ignorant thing you’ve said on this article. You don’t have a fucking clue what you’re talking about. Please stop…
Sorry, I responded to "this is a good idea" with "in case of X, it might be, but in reality, it isn't", and you think "but X is not true" undermines that argument?
Look, if you’re going to engage with me, cut the shit. You wrote:
“If Twitter could assess a huge penalty on the plaintiff for filing a frivolous lawsuit, maybe.”
If Twitter could assess a huge penalty, it would violate absolutely every single tenet of both the western justice system and all principles of natural justice. Companies don’t get to assess penalties when they think they’ve been wrong. Companies can sue for damages and Twitter has the right to do that here. However, companies don’t assess damages - JUDGES DO!
This is so simple that I can’t believe I just had to explain it on Hacker News. Tune in next time, when we do “Hello world” in Python.
There's nothing unusual about private parties being able to assess penalties against other private parties. Your bank does it all the time. It does not make a mockery of the justice system.
The justice system frequently does make a mockery of the justice system by assessing penalties, such as when someone is arrested, proves to have been someone other than the target, and then gets charged for the time they spent in jail.
If a failed frivolous lawsuit against Twitter automatically gave Twitter a claim on the plaintiff's assets, that would in fact not violate every tenet of the western justice system, nor would it violate all principles of natural justice. It is a system that has obtained elsewhere and that people frequently advocate for.
> There's nothing unusual about private parties being able to assess penalties against other private parties
Absent a contract, there is, and even with a contract there are limits.
> Your bank does it all the time.
Within a contractual relation and governed by the contract, sure. But that's not what you are talking about.
> It does not make a mockery of the justice system.
Outside of the bounds of contract, it would, as it would amount to private parties making and adjudicating public law.
> If a failed frivolous lawsuit against Twitter automatically gave Twitter a claim on the plaintiff's assets, that would in fact not violate every tenet of the western justice system,
Yes, it would. Now, if merely a failed lawsuit did, it might not, as the failure itself is the conclusion of an adjudication, leaving no private determination to be made.
> It is a system that has obtained elsewhere and that people frequently advocate for.
No, its not, nor is it Twitter assessing a penalty. Loser pays is civil lawsuits is a thing, but it involves the court, not the offended party, assessing the penalty.
Loser pays for frivolous lawsuits only (but not all failed lawsuits) is also a thing, and is common in US jurisdictions, but requires a separate court determination that the claim was frivolous as well as the court assessing damages.
A penalty for filing a bad suit can be (and notionally already is!) part of the price of filing suit, just as overdraft penalties are part of the price of a bank account. A contract between the plaintiff and the defendant is not necessary.
> Loser pays for frivolous lawsuits only (but not all failed lawsuits) is also a thing, and is common in US jurisdictions, but requires a separate court determination
Requiring a separate court determination is a coincidence of the American system, not a logical necessity.
> Requiring a separate court determination is a coincidence of the American system, not a logical necessity.
No, its a logical necessity. “Frivolous” is a separate facr feom “losing”.
> There is no reason to believe that Twitter did anything wrong, and excellent reason to believe they didn't.
Why do they ask for personal information in the first place? Why are DM messages not e2e-encrypted? That's plenty of wrong already.
If you're building a public/global microblogging platform, enable nicknames for all and never ask for any personal information. If you're building a private messenger, enable e2e encryption (or at least at-rest inbox encryption).
If you're building both, and ignoring all security best practices, and encouraging people to give away their phone numbers, i would hold you responsible to any harm that comes their way because of this.
I think that depends on the organization we're talking about. There exist organizations where spies getting in probably should be per se negligence. The CIA and NSA are indisputably in this list. We just don't punish them via lawsuits, because there are better mechanisms for public groups.
The question at hand is whether Twitter belongs in that group. In the general case, I tend to believe no. Twitter has no deterministic means to tell whether a candidate is a risk or not, and they cannot be held liable for actions they couldn't know were illegal.
I do believe they can be held responsible for espionage in the event that they knowingly hired a spy, which seems to be the case here.
If the government believes it is important to national security to prevent Twitter from even unknowingly hiring spies, I think the onus is on the government to nationalize whatever parts need protecting. In this case, they could probably just nationalize the background check portion via security clearances. It doesn't sound like we're at that point, though.
Yes, the argument that being a victim of espionage constitutes negligence is a stretch. However, that’s not what Mr. Al-Ahmed’s suit alleges - it alleges they were victims of espionage because of their negligence.
I have a suggestion. In the future, keep the analogies to yourself and talk about facts.
I imagine the argument is that twitter was negligent in allowing employees access to the security tool this guy used to track Saudi dissidents without oversight and shouldn't have warned him that the FBI was investigating him?
Not even close:
> The claim filed Thursday in California alleges [among other things] that Twitter should have known that these two men were unfit employees
> For missing them to be negligence, it would have to be easy to prevent spying from happening.
Well it is! Tech companies should not act as surveillance/intelligence companies: stop gathering personal info on people, and suddenly you've raised the bar considerably for spies to harm your users.
Sure, an insider spy could probably still setup a special-cased JS payload to infect a specific user, but that's more convoluted and more easily detected during review, compared to simply accessing one of the many troves of data companies keep on their users.
My thoughts exactly. Sometimes you will lose the cat and mouse game and often the spies just have a huge upper hand on you.
eh they were indicted by the Federal Government and so the civil suit by this person has a lot of ammunition already that they otherwise would not have
mayyybe they went amateur hour with the negligence angle, but maybe they didn't
The tech industry is chock full of spies working for one side or the other. FAANG has been an intelligence front since the beginning. The only bullshit here is targeting KSA, when everyone's involved.
Why do you say FAANG has been an intelligence front since the beginning?
Because it has[1]
As for the rest, it is just a matter of checking funding from inqtel and associated groups
The UK has information warfare agents on Twitter as well [2]
None of this is a disputed topic, back on the 70s with operation mockingbird US intelligence agencies bragged that they had an agent/asset on every important editorial board on the country [3] which all goes back to the church committee
[1] https://medium.com/insurge-intelligence/how-the-cia-made-goo...
[2] www.businessinsider.com/twitter-chief-also-works-for-the-british-armys-information-unit-2019-10
[3] https://schoolhistory.co.uk/notes/operation-mockingbird/
So your proof is one bullshit story made up by someone who wants to claim Google was created by the CIA but lacks any real evidence. The fact that a mid-level exec at twitter was an Army reservist, and an claim that TLAs were controlling newspapers that is even more poorly sourced than the Google claim. Did you even read the first and third story you cite to see the level of innuendo and hand-waving suggestions without supporting evidence that this 'reporting' was using? Try again paranoia troll.
Because all of Silicon Valley has a strong/long history with the military industrial complex and various intelligence services? It's not exactly a secret...
Now take a look at how many ex-intelligence run tech companies (may i remind you that former NSA head is on Amazon board?) and how many tech companies happily collaborate with intelligence services (Microsoft, Amazon, Palantir).
PRISM would seem to support that idea.
No it would not. It would only suggest that once the data existed there was an interest on the part of certain government agencies to gain access to the data. The idea that these companies are 'fronts' for these agencies is moronic to the point of being self-parody.
Front suggests secret ownership/control. More likely is that they are simply compelled by the state to spy, willingly or not.
How is "the state secretly compels them to do things" different from "they are secretly controlled by the state"?
As another commenter suggested: it's absurd beyond parody and a flagrant abuse of language to conflate being a "front" with being compelled by a third party (especially one with legal authority) to do some action(s). Being a "front" suggests an entire business model created by and built around propping up that third party such that the two are indistinguishable actors on everything but the surface level.
> Being a "front" suggests an entire business model created by and built around propping up that third party such that the two are indistinguishable actors on everything but the surface level.
No. One party being a front for another party suggests that the two are indistinguishable actors on everything but the surface level, or more accurately that any action taken by the first party might be better viewed as being "really" taken by the second party, that any information given to the first party is also being given to the second party, etc. It does not suggest that fronting for the second party is the only thing the first party does, or that the first party was created to serve the purposes of the second party.
Taking an example out of the dictionary, it would be unusual to claim that a massage parlor serving as a front for prostitution is obviously, by its nature as a "front", unwilling to provide massages.
so when google releases its 13th chat app, that’s really the CIA doing it? Netflix’s chaos monkey program is ackthuallee an intelligence scam to attack your distributed systems from within?
How did you go from
> It does not suggest that fronting for the second party is the only thing the first party does
to
> Netflix’s chaos monkey program is ackthuallee an intelligence scam to attack your distributed systems from within?
You're trying to interpret me as saying literally the opposite of the plain text of my comment. Work on your reading comprehension.
But yes, when Google releases its 13th chat app, there are good reasons to view that as being a CIA chat app with Google branding.
> more accurately that any action taken by the first party might be better viewed as being "really" taken by the second party
your comment was basically contradictory. As is this new one - google meet and google duo is a “CIA chat app”? Why?
What does that mean? Is someone previously on the Google Duo team a CIA officer? Is the leader of the team an asset? What design decisions are CIA adjacent? Where is this happening
> google meet and google duo is a “CIA chat app”? Why?
> What does that mean?
It means that the app may be used to advance CIA goals. It means that the CIA has control of the app along any dimension you're worried about. This is the nature of obfuscated relationships. If you're worried about something, and it's likely to be true, you need to assume that it is true. In this case, the assumption is justified. If you're not worried about something, you don't need to make the assumption that it's true. Since it doesn't matter, you can afford not to have a position on it.
this seems false
> May be used to advance CIA goals
What does this mean? Can CIA add a voice and video chat feature if the deputy director of it wants it? Can the CIA freely access internal communications? How? Who does this? Does Larry know? How do you know?
> cia has control over the app along any dimension
This is an excessively strong claim. Can the CIA delete the app and end the project if they feel like it today? Can they see what I’m typing before I post it? Again, why? Who knows about this? How do they do it?
I am secretly controlled by the state because they force me to pay taxes. We are all IRS assets in their quest to build a global American tax-base imperial seat of power.
There is a reason AWS’ first and largest region is in Northern Virginia
Yes, because at the time there were only four or five main junctions for cross-country internet peering locations. Seattle was not on that list and if you are not going to be local then why go to CA and compete for space, data-center engineers, and peering with every other late-90s dot-com on the planet when you could go to an area with equivalent infrastructure and less competition for the resources. The reason so much telecom infrastructure terminated in that region was due to proximity to the government center of gravity, but also due to simple geography and the tendency of new telecom infra to be built out in parallel to existing telecom infra.
Oh, you were trying to make some sort of sinister innuendo based upon your complete lack of understanding of the telecom industry in the original dot-com era and the existing long-haul infrastructure at the time? Ok.
> The reason so much telecom infrastructure terminated in that region was due to proximity to the government center of gravity
Yeah, that’s what I said. You could have just upvoted the comment ;)
The suggestion implied was that the infra was there so that it could be monitored. The reality is that the infra was there because the US federal government was, and continues to be, one of the largest customers of telecom on the planet.
Yeah I’m just saying they have a close relationship as evidenced by the location of us-east-1. How far that relationship goes you or I do not know, but clearly there is a close relationship
> ...to appease a neigh beneficial owner...
Has anyone seen this use of neigh before? Is it a legal term? What does it mean?
Perhaps the OP meant "nigh", which is archaic, and means the same as "near".
Even then, "nigh beneficial owner" and "near beneficial owner" are awkward constructions that would have broken the continuity of my reading comprehension.
But surely one is or is not a "beneficial owner". Being nearly a beneficial owner is the same as not being a beneficial owner at all.
I think "nigh" is meant to modify "owner", not "beneficial". I think the lawyer saying is saying that the KSA figuratively owns Twitter, and that Twitter benefits from that relationship. Golden handcuffs, basically.
That is the most awkward phrasing I've seen in a long time. I'm not even sure it's grammatically correct. I would've expected "beneficial nigh-owner" or something like that.
Huh, that’s a new one to me.
I found a couple of usages in academic publications, but they don’t give me any more context as to meaning. That leads me to believe that it’s not a legal term.
I can’t find any meaning other than the “sound a horse makes” in any dictionary, either.
ETA: Apparently, the old English “nēah” meant “near”. That seems to be the the root of the work “neighbor”.
Interestingly, it looks like “neigh” (like a horse) and “neighbor” both came into use in English in the 12th Century. Perhaps coincidental.
née, perhaps? Possibly something for r/BoneAppleTea
Alternative title could be: Twitter sued for discrimination and low personel diversity
you can just sue for discrimination though? That is common. It is considered legally dangerous to have an all white (or, less fantastically, 30% Jew 30% Asian 20% white 0% hispanicblack), but the mode of enforcement would be employment or hiring discrimination, not this...
"Discrimination" is what sensible people do all the time. It means "distinguishing things that are different", and if you don't discriminate, bad stuff is likely to happen. For example, it can be bad for your digestion if you fail to discriminate between a hamburger and a house-brick.
yeah I’d rather hire 7 skilled and well oiled Jews than an “equal opportunity” ratio mixture of 4 whites : 1 black. but there is a “civil rights act” and a lot of creative, anti-hegemonic jurisprudence enduring that my militant ascetic coding-Shtel will never be a reality. :(
Your comments read like someone who just did a large amount of drugs. All over the place.
The dangers of diverse hiring.
The biggest lesson here is the threat is within, but most security strategies focus on the concept of external threat.