Federal prosecutors Wednesday (Nov. 6) charged two former Twitter employees — a Saudi national and a U.S. citizen — with spying on behalf of Saudi Arabia.

The Justice Department alleges the individuals used their access at the social media giant to gather sensitive and nonpublic information on dissidents of the Saudi regime. Cybersecurity and privacy expert Mike Chapple, associate teaching professor of information technology, analytics and operations at the University of Notre Dame’s Mendoza College of Business, says Twitter failed to live up to industry-standard cybersecurity practices.


“Both of the accused accessed information about private individuals that they had no legitimate need to view as part of their job responsibilities,” says Chapple, a former computer scientist with the National Security Agency. “One of the two employees worked as a site reliability engineer responsible for keeping the Twitter platform up and running. His job did not involve accessing individual user accounts, yet he managed to access the personal information of over 6,000 individuals of interest to the Saudi government, apparently without drawing any attention from Twitter’s cybersecurity team.”


Chapple notes this was a significant violation of the principle of least privilege, a long-standing security paradigm stating that any employee should only have the minimum level of access necessary to carry out their job function. “If Twitter had implemented this principle,” he says, “the misappropriation of information would not have been possible.”


The case also underscores the interest that foreign governments have in obtaining information from American technology companies. 


“The global nature of social media makes user data an attractive target for foreign intelligence agencies,” Chapple says. “The information maintained by these companies goes far beyond the posts users make on their accounts and also includes sensitive personal details, such as telephone numbers, IP addresses and even precise geolocation information. Social media companies must understand the sensitivity of this information and restrict access to the smallest possible number of employees. Failing to do so puts the privacy, and even the physical safety, of social media users at risk."


Chapple says the individuals did not break any federal privacy laws, because there are none. He has long recommended the U.S. implement comprehensive privacy laws as the European Union did in 2018 with its General Data Protection Regulation (GDPR).


Chapple stated in a recent CNN op-ed urging regulation, “That law applies to broad categories of personal information across all industries and offers individuals some basic protections. It requires that companies obtain consent before collecting personal information, disclose how they will use the information they do collect, and provide a mechanism for consumers to request the deletion of their personal information from corporate files. GDPR also requires that companies promptly disclose data breaches to regulators and affected individuals.”