
Former Twitter Employees Charged with Spying for Saudi Arabia - grzm
https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html
======
danso
The complaint [0] is both very interesting – particularly the details on how
sloppy/non-existent Twitter's user-access-control was back in 2015 – and
pretty funny, such as how one of the suspects tried to fake a digital document
but didn't fake the timestamp, and the FBI noticed the receipt having a
creation date the same day of their interview with him (pg 13).

According to one of the suspects' LinkedIn, he left Twitter in 2015, and then
worked at Amazon for 3 years in marketing and social media. While I have
little doubt Amazon's internal auditing and access control are better than
Twitter's, it'd be nice to hear confirmation from Amazon that he didn't access
any private user data.

[0] [https://context-cdn.washingtonpost.com/notes/prod/default/do...](https://context-cdn.washingtonpost.com/notes/prod/default/documents/ab8276a2-2185-4345-956b-26cd1e52b228/note/e5624393-c7e9-4c7e-93e4-30d8fff6c28a.pdf#page=1)

~~~
thaumasiotes
Tangent, but one of the most interesting things in the complaint -- to me --
was this language:

> Many Twitter users live in Saudi Arabia and some users of Saudi nationality
> or descent live outside of Saudi Arabia, including in the United States.

It's kind of surreal to use "Saudi" as the demonym for the people of Arabia.
"Arab" would be normal. The language is Arabic, the country is Arabia, and
those are both named after the people, the Arabs. The "Saudi" in the name of
the country refers to the royal house, the House of Saud, and I would expect a
"person of Saudi descent" to be Arabic royalty, not just any old Arab.

~~~
barry-cotter
Arabia is a peninsula. Qataris, Yemenis and Emiratis among others would not
appreciate Saudis attempting to appropriate Arabian to refer to those from
Saudi Arabia.

And Arab refers to people from Morocco to Iraq so it’s equally unsuitable.

~~~
gpderetta
Exactly, imagine if people of the United States appropriated the name
'American'! I'm sure that every other country in the two Americas would be up
in arms!

(It is a joke, laugh).

~~~
paulryanrogers
Some other countries actually use terms like United Statians or North
Americans. And after traveling a bit, the USA's use of 'America' seems
arrogant or ignorant.

~~~
orisa2
I'm guessing you haven't traveled much. American is a virtually ubiquitous
term to describe someone from the United States worldwide, no matter which
language you're speaking. Countries which have a problem with calling yourself
American are a minority, and even then it's usually a small minority of the
younger generation.

~~~
laken
If you go anywhere within Latin America, you'll find quite quickly that
"American" is used to describe someone from the continents, and it's considered
very odd to introduce yourself as "American" to a local. You say you're
Estadounidense, or "Soy de Estados Unidos" (From the United States).

It's actually a very charged topic in Latin America, as many latinos feel that
the word they use to describe themselves has been stolen.

------
woander
Is anyone surprised considering the amount of saudi money flooding around
traditional and social media?

Now let's look into Israel and their spying/influence in traditional and social
media.

It was amazing the amount of "news" and social media spam we got about russia
( We were always at war with eurasia ). It's amazing the amount of "news" and
social media spam we are getting about china ( We were always at war with
eastasia ).

But one hardly ever hears a peep about israel or saudi arabia. Considering
what is happening to the palestinians, yemenis, etc, you would think you'd
hear a lot more "news" about them. Especially about saudi arabia from the
feminist/lgbt traditional media considering the saudis probably treat women
and the lgbt as badly as any nation on earth.

How come the "news" industry isn't going apeshit over more than half of the
state and the US house of senate pushing unconstitutional anti-BDS laws?

[https://www.aclu.org/blog/free-speech/rights-protesters/new-...](https://www.aclu.org/blog/free-speech/rights-protesters/new-israel-anti-boycott-act-still-unconstitutional)

[https://www.timesofisrael.com/us-house-overwhelmingly-passes...](https://www.timesofisrael.com/us-house-overwhelmingly-passes-anti-bds-resolution/)

A country founded on boycotts banning its corporations from boycotting a
foreign country?

~~~
knowaveragejoe
I can't stand these kind of takes that are based purely in anecdote. On what
basis are you claiming we "hardly ever hear a peep about israel or saudi
arabia"? How do you even measure that?

~~~
s_dev
> How do you even measure that?

All this sort of stuff is claimed under Manufacturing Consent. Chomsky's point
is often why don't we hear about these other incidents .. because the news
isn't balanced and the government is trying to fashion a narrative and they
use the media to do this by selectively choosing what we hear and see.

~~~
jrockway
Can you tell me a major news event that I haven't heard about?

~~~
s_dev
You're probably up to date with the war in Syria but why not Yemen? Why is
Syria vastly more newsworthy than Yemen? Because this is what the column
inches suggest.

~~~
Faark
The Yemeni Civil War makes it appear as if there is very little involvement
from the three global superpowers, while the Syrian standoff was worryingly
similar to a cold war era proxy war. Also quite close to Europe, thus more
important for our media and upcoming elections.

Though with the Syrian conflict dying down, I'd expect others like Yemen to
get more attention by filling the "war" slot in media.

------
formertwitter
I worked directly with Ahmad at Twitter on the international media team. All I
can say is I now understand how the next door neighbor to a serial killer can
say "but he always seemed like the nicest guy." He really was very nice to
everybody, worked hard, and seemed genuine.

There were definitely tools available to all of us that allowed this type of
access to personal data and more. Specifically a lot of the lists that were
generated about who to follow suggestions were manually curated at the time
and we could put whoever we wanted on the list. We were expected to put people
that were relevant in our industry on those lists, but I think Ahmed actually
got in trouble for putting himself on that list to build up his Twitter
following.

At the time it was certainly a major initiative to rebuild the legacy systems
to fix exactly this type of problem. There were strong mandates from the top
of the company that were made abundantly clear to us that while they were
fixing these things we were all under agreement and NDA to keep all of this
data private. The systems were broken no question, but the message was clear.
That just makes it even more disappointing to see what he did. He has a very
young family at home that is now going to be totally broken.

~~~
wheelerwj
> All I can say is I now understand how the next door neighbor to a serial
> killer

Hey, I get it, it's a little surprising and scary. But this is just a quick
reminder that we do the whole innocent until proven guilty thing here in the
US. He hasn't been convicted yet, just keep that in mind when thinking about
your colleague.

~~~
threatofrain
Innocent until proven guilty is for the US courts though. Real life operates
by a different principle -- use your eyes and don't f*** up.

There are accusations that a teacher sexually molested somebody, but the
investigations never went anywhere; do you hire that teacher? I don't think
parents are about to blame you for not hiring that teacher.

~~~
concordDance
> There are accusations that a teacher sexually molested somebody, but the
> investigations never went anywhere; do you hire that teacher? I don't think
> parents are about to blame you for not hiring that teacher.

That has bad externalities. In particular, you'd be creating perverse
incentives for people to make accusations against those they dislike (or
threaten to do so), a very asymmetric weapon that benefits liars more than
anyone else.

~~~
threatofrain
I agree there are perverse incentives and an asymmetry to power, but I'm not
the one creating things, I'm making an observation of the land.

~~~
concordDance
That "you" was in the sense of "one", not in the sense of "threatofrain".

That particular confusion in the English language is probably responsible for
a noticeable amount of drama in the world...

------
gtoprak
Should anyone have access to the actual data at their company? I feel like
this is an indication of maybe scrubbing the said data is a "must" before it
goes into the hands of employees.

Then again, what type of side effects would that have on the quality of the
products moving forward.

~~~
noident
You can and should restrict the number of people with access to the data, but
in a tech company there's always going to be a significant number of people
with direct access to the raw data. Software engineers on an on-call rotation,
full-time site reliability engineers, data analysts, maybe even some external
contractors... maybe this isn't the case for Twitter, but many companies also
have to put complete trust in their cloud provider or datacenter, which puts
even more people in the loop.

Even if you follow best practices with access control, in the end you're
always going to have a group of people who you need to trust with access to
folks' personal data. Maybe the solution is better audit logging and even
tighter access, but I'm not sure leaks of this nature are preventable.

~~~
nostrademons
"Software engineers on an on-call rotation...data analysts, maybe even some
external contractors"

These groups usually get access through a bastion that anonymizes data and
logs access. I remember that as a SWE at Google, I could run aggregated &
anonymized statistics across query logs, but some info (eg. IPs, user logins)
had been scrubbed before any of my code could get access to it, and for things
that were more personal (eg. your GMail login) you could only get access to
your own account.

There's nothing you can do about SREs who have root access on the box or the
SWEs who need to implement & maintain the bastion servers, but that's
presumably a more restricted, vetted, and trusted group.

~~~
remarkEon
Would it be smart for companies like google and twitter to publish how they
vet people for these roles? That’s a seriously tremendous amount of power. I
almost think it needs to be regulated like health info. I get that that would
make it more expensive to handle this data at all, and would serve as a
significant barrier to entry for startups ... but data breach after data
breach is pushing me in the regulation direction.

~~~
retrovm
Pretty much nobody at Google has that kind of access. You can be an SRE of
just about anything at Google and never access user data. The "break-glass"
means of emergency access is ridiculously booby-trapped. A person wanting to
do this thing has to 1) badge into a special room, at which time both
production security and privacy incident teams are notified, 2) use a special
hardware security device that is used for no other purpose than to activate a
VPN box with a hard-line into the production network. By the way if a random
Googler just rolls up to a datacenter without a reason to be there, that also
triggers privacy incident response, even though physical access to production
storage is virtually useless due to all the encryption.

I would say it is much more likely that Google will accidentally lose the
organizational ability to become root-in-prod, than it is that a person has
done this thing without being noticed.

In short, insider risk cannot be mitigated with hiring practices. You need
robust technical measures against insider risk.

~~~
belltaco
When did that start? Here's an account of someone working at Google accessing
info to stalk teens.

[https://www.businessinsider.com/google-engineer-stalked-teen...](https://www.businessinsider.com/google-engineer-stalked-teens-spied-on-chats-2010-9)

~~~
dredmorbius
That story dates from 2010.

Snowden's revelations (2013) were a major watershed. There'd been several
measures taken since, based on what I heard on the outside, largely through
discussions, mostly public, a few direct, with Google staff via G+.

Starting on, of all days, November 9th, 2016, I began regularly posting an
image of Jewish shop windows shattered during Kristallnacht, asking whether
Google were thinking of brownshirt-proofing their data. That generated
responses including from G+'s architect (then in a role with user data safety
& privacy), and the data security lead.

It wasn't until some time later that I realised I'd entirely accidentally
picked the anniversary of the event for the post. Though the coincidence was
useful.

My understanding was that numerous protections were in place by that time. I
continue to have concerns.

~~~
ForHackernews
> I began regularly posting an image of Jewish shop windows shattered during
> Kristallnacht

This is so incredibly cringey. You're actively building the panopticon and yet
you think of yourselves as righteous warriors for justice.

I don't mean this to be a personal attack, but yours is such a revealing
comment about the mindset of people inside these surveillance behemoths.

(See also: this "pledge" [http://neveragain.tech/](http://neveragain.tech/) to
not build registries for targeting citizens...signed by a bunch of people who
work at companies whose entire business is targeting citizens with ads)

------
codedokode
The best way to protect dissidents would be not to ask unnecessary personal
information like phone numbers. Sadly, it is difficult to find a messenger or
web email service that doesn't require it.

~~~
sneak
It's hard to deduplicate spam users without an identifier that is at least
slightly costly to get. There's no easy/practical way to do "charge $0.02 per
signup".

If you get 10k new accounts in 5 minutes and they're all from some VoIP
provider in a tiny corner of the second or third world, you have some data to
work with there.

~~~
devin
Could someone who downvoted explain their disagreement? There seems a kernel
of truth here that more than a few of us could agree on.

~~~
sneak
I think I have attracted someone’s ire, that seems to happen to all or most of
my comments within a short window after posting.

~~~
remotecool
This happened to me for awhile too. I think people that disagreed with you on
a previous post are using bots to downvote you.

~~~
mandelbrotwurst
This would surprise me given the fairly high karma minimum to downvote.

~~~
novok
Make a new account every time you reach the threshold, add it to the bot list.

~~~
mandelbrotwurst
Yeah, I thought of that, I was just thinking that surely someone able to
create sufficient karma to do something like that would necessarily also be
unlikely to be petty enough to bother.

Maybe I am too charitable.

~~~
novok
You can gain karma fairly casually by just using the site, you get 1 karma per
comment, so it's easy to make it a passive activity.

The site has also been around for over a decade, lots of opportunity to
accumulate.

------
arch1717
I had to command-f for "isp" and "comcast" because that's the stuff that
should scare you. The kind of data someone can get and the ease with which they
can get it while not even going through so much as a background check should
scare you. We had internal tools, such as the aptly named Xray, which would
give you a pretty detailed profile on someone, everything from the names of
the devices attached to their wifi network, places that they used Xfinity
Wifi, and even what they ordered on Pay-per-view. Going further down the
rabbit hole, we had access to logging that could tell you what you passed into
your voice remote, what channels you watched and for how long, and what you
were downloading. To me, it is a matter of time until a tool like this is
abused and you find out that some NFL star was watching scandalous
pornography, or even worse, using the Xfinity wifi hotspots to get an idea on
where someone was in the US.

------
Mizza
This was talked about in the great PBS Frontline documentary about MBS:
[https://www.pbs.org/video/crown-prince-saudi-arabia-1jt2ey/](https://www.pbs.org/video/crown-prince-saudi-arabia-1jt2ey/)

~~~
AndrewBissell
Interesting that MBS has ties to both Jack Dorsey and Jeff Bezos, CEOs of the
companies where these spies were placed.

------
sneak
It's interesting to see how the phrasing of the headline makes this seem
totally different. "Saudi Spies Managed To Infiltrate Twitter as Employees"
reads very differently than "Former Twitter Employees Charged with Spying for
Saudi Arabia".

It again raises my periodic wonder: how many spies, both for the USA, as well
as the intel agencies of others, are employed in sensitive roles at Apple,
Amazon, Microsoft, Google, and others? How many of them work on the cloud
platforms? How many of them have access to HSMs and other internal systems
that are used as trust roots?

Can we assume that any major platform provider's highest level keys haven't
been stolen, perhaps without their own knowledge? It's safe to assume that if
they were stolen by their own government's agents, they probably wouldn't tell
anyone even if they found out (even if they weren't gag ordered, which they
probably would be).

You can trust a company down to the ground but still necessarily realize that
everyone who hires engineers is going to be vulnerable to this. AWS' GovCloud
that only permits US citizens physical access to the facilities doesn't even
totally solve the problem, it just (somewhat) reduces the risk, because even
US citizens like bribes.

~~~
rozab
How do those titles sound different to you? Seems pretty similar to me.

Anyway, from the article it seems at least some of them were groomed after
becoming Twitter employees, so it wouldn't be quite accurate.

~~~
cwkoss
Are they:

employees who happened to become spies

or

spies which happened to become employees

------
x0948fklmen
Seemed rather a weird coincidence that after leaving (or being fired from)
Twitter, Ali was appointed the CEO of MBS's MiSK Foundation – which is
essentially a mafia organization for his loyalists.

------
bhouston
What other tech companies have in-house spies? NordVPN? Wikipedia? Facebook?
Gmail?

~~~
retrovm
It seems like there is an inverse relationship between sophistication and
risk. If everything is full-custom then it may be quite easy to integrate
auditing tools for who accessed user data. If an org uses mostly off-the-shelf
software then it's pretty much impossible to audit e.g. who connected to what
mysql server and ran which queries. So I'd be a lot more worried about a
Twitter (fairly unsophisticated deployments of standard software stacks),
moderately worried about Facebook (hacks upon the usual stack) and not very
worried about Google (literally everything written in-house).

~~~
NullPrefix
> who connected to what mysql server and ran which queries

I'm pretty sure that is not really a hard task

~~~
vast
It is quite common that sql servers run just with a few accounts. Helpful
audit logs on critical systems have a high cost. So technically it is not hard
but practically it is.

~~~
mc32
True but they can have systems which execute on the behalf of an authenticated
user and pass that to the SQL server but the system in the middle would have
logs of that query and by whom. Now, to be fair, there are usually holes that
allow direct access as well.

------
ComodoHacker
So that mysterious Gitlab customer's demand to protect their data was... not
unreasonable.

~~~
alpb
It was unreasonable.

1. You can build systems in a way that every access is strictly logged and
audited.

2. Many companies like Facebook or Google employ engineers who could be
possibly spying for Russia or China. But the systems and trust models are
designed with this in mind.

Here we see unrestricted access to user data, not even sure there’s audit
logging in place.

~~~
dannyw
Google or Facebook employees in China do not have access to overseas data.

Gitlab doesn’t really serve China and has no need for support engineers
within China.

~~~
alpb
Correct, they do not have overseas data (at least in China).

However, GitLab's restriction also prevented them from employees moving to
China as well. Many companies employ people in Asia/Europe timezones as
night-time on-call engineers and support.

Not to mention, the list (China, Russia) is a list of countries made up by
GitLab, with no particular backing that's officially recognized by any
particular government or organization, which makes the situation
discriminatory.

------
celticninja
I wonder if GitLab will add Saudi Arabia to their employee region block?

~~~
madisfun
Saudi Arabia is a US ally, so family region block against them is unlikely.
Even if it is a country that tolerates and promotes open slave trade (look up
#maidsfortransfer on BBC).

------
hnuser77
A few comments about how a non-negligent company handles user data:

* They wouldn't respond to "emergency disclosure" requests from the Kingdom of Saudi Arabia about random users

* The average developer has _zero_ access to user data besides names in crash logs and things that the developer has been explicitly copied on in the support system.

* Every command run on production servers by developers requires approval by someone above your org chart level (up to the executive level, when you just need someone at your level) and is logged forever.

* SREs who have to shell in to servers use Unix accounts that have no access to user data. Root access, which should hardly ever happen, requires org chart approval.

* Test environments use synthetic or anonymized data

* There is a separate team of dozens of highly paid people whose only job it is to identify, classify, and monitor access to user data. This is not even the same as the infosec team, who also would be looking for insider breaches.

------
abbracadabbra
It would be interesting to know what Saudi Arabia asked Abouammo to do at
Amazon as well.

------
tempsy
I would be shocked if there weren't a handful of spies working for various
countries at every large tech company at this very moment. I have no idea how
a company would screen for that but it would make little sense to not embed
insiders into each of these companies.

~~~
dannyw
Don’t screen; how can you? Principle of least access.

------
nautilus12
I've always wondered if social media companies had any nefarious parts to play
in the Arab Spring, since it all started on social media and this was before
the acute awareness of bots to cause crazes on social media. Things like this
make me wonder more.

~~~
Mizza
They absolutely did - at the behest of the US State Department. Twitter was
scheduled to have some planned downtime during the Egyptian Arab Spring, but
they postponed it at the request of State. Evgeny talks about this.

~~~
im3w1l
I wouldn't call that nefarious.

~~~
Mizza
That depends on your perspective. I support the intentions of the Arab Spring,
but I still think it's inherently nefarious for a private technology company
to partner with the US government in order to overthrow governments. I also
seriously doubt that they were simply sitting idly by and hoping that the
revolution went their way, as we now see that most all world governments have
their own online propaganda divisions.

~~~
pvg
It's a long way from postponing scheduled downtime to 'partnering with the US
government in order to overthrow governments'. I don't have any difficult
seeing how someone could view the former as nefarious but they aren't the same
thing.

~~~
jolmg
You mean the latter not the former.

~~~
pvg
No, I mean what I wrote. I don’t have to agree with it but there are plenty of
people who think cooperation, however indirect, with a US foreign policy goal
is bad. It’s a viewpoint. Calling a thing something that it isn’t is not a
viewpoint, it’s just wrong.

~~~
jolmg
I think perhaps you misunderstood me? You're saying:

> I don't have any [difficulty] seeing how someone could view [postponing
> scheduled downtime] as nefarious but they aren't the same thing.

Didn't you instead mean the following?

> I don't have any [difficulty] seeing how someone could view [partnering with
> the US government in order to overthrow governments] as nefarious but they
> aren't the same thing.

Or maybe you did mean that postponing scheduled downtime looks nefarious to
some. It just seemed like a weird thing to say compared to the other option.

~~~
pvg
_maybe you did mean that postponing scheduled downtime looks nefarious to
some_

You got it.

------
AndrewBissell
Interesting story here from someone who may have been targeted for an in-
person "warning" from Saudi security forces in New Delhi after posting
critical remarks from an anonymous Twitter account:
[https://mobile.twitter.com/marxatfarpoint/status/11921987493...](https://mobile.twitter.com/marxatfarpoint/status/1192198749331824645)

------
appleflaxen
This is why people who work in IT must be very careful with their loyalties.
If the charges are true for these two individuals, Khashoggi's blood is on
their hands.

We all need to be circumspect about the effects of our own actions, especially
as it relates to climate change, mass extinction, and the military industrial
complex.

------
neonate
[http://archive.is/byhRv](http://archive.is/byhRv)

------
ENOTTY
This is a very interesting article and complaint. Worth reading to get
insights into Twitter's insider threat countermeasures and their compliance
regime, at least as of 2014-2015.

------
FillardMillmore
It's probably more difficult for social media companies like Twitter to
prevent something like this than it is to actually properly secure and protect
user data.

~~~
thrower123
Even Twitter money pales in comparison to sheik money. I'm not sure you can
defend against somebody giving an engineer with admin access a suitcase with
$300k in it. Not to mention any other pressures that MBS could potentially
have brought to bear in these cases.

~~~
foobiekr
I wonder what the maximum here is. Cash is harder to spend than it used to be
and in addition you’d be at risk that the actual people facilitating the
payment delivery would be your biggest risk since it would be very likely they
would turn around later and rob/murder you.

There’s probably some optimal “suitcase full of cash” number that basically
optimizes for spendability and risk.

~~~
adolph
Maybe it could be a house or other asset bought for a less than market amount
or sold for a greater than market amount.

Example:
[https://www.insidehighered.com/admissions/article/2019/04/08...](https://www.insidehighered.com/admissions/article/2019/04/08/report-purchase-coachs-house-brings-admissions-scandal-harvard)

------
TwoBit
There needs to be multi-person authorization required for account spelunking.
Engineer files a DB lookup request, and it must be signed by other personnel.

~~~
swalsh
Won't work, people probably need to query details of accounts hundreds of
times a day just in the course of daily business. Bad actors would just make
the request look like another standard query. People would likely become numb
to it after having to approve so many requests.

I know at a previous company, we needed a business signoff, and a technical
sign off on every deploy. While the technical sign off was usually
painstaking, the business sign off was rubber stamped. The guy who signed off
on my tickets was so overloaded, he barely even read the titles of the
tickets.

~~~
dannyw
Your processes are broken if an individual needs to query hundreds of accounts
for private information a day. That is a gigantic problem in itself.

Support tickets can be exempt because they’re initiated by user interaction.
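
An added example, not part of any comment above and not any company's code: a broker that enforces the multi-person authorization proposed in this sub-thread, with the exemption for user-initiated support tickets, a hash-chained audit log, and a per-approver count for spotting rubber-stamping. `LookupBroker`, `LookupRequest`, and all account, ticket and user names are hypothetical, and the data is constructed.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LookupRequest:
    requester: str
    account_id: str
    reason: str
    ticket_id: Optional[str] = None   # set when a user-opened support ticket drives the lookup
    approvals: set = field(default_factory=set)


class LookupBroker:
    """Only path to account records: authorize, log, then read."""

    def __init__(self, accounts, open_tickets, approvers):
        self._accounts = accounts         # account_id -> record (constructed sample data)
        self._tickets = open_tickets      # ticket_id -> account the user opened it for
        self._approvers = set(approvers)
        self.audit = []                   # append-only, hash-chained entries

    def _log(self, event, req, actor):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"seq": len(self.audit), "event": event, "actor": actor,
                "requester": req.requester, "account": req.account_id,
                "reason": req.reason, "ticket": req.ticket_id, "prev": prev}
        # The digest covers every field plus the previous entry's hash.
        body["hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.audit.append(body)

    def approve(self, req, approver):
        # Self-approval and unknown approvers are rejected and still logged.
        if approver == req.requester or approver not in self._approvers:
            self._log("APPROVAL_REJECTED", req, approver)
            raise PermissionError("approver must be a different, authorized person")
        req.approvals.add(approver)
        self._log("APPROVED", req, approver)

    def _ticket_exempt(self, req):
        # Exempt only when the ticket was opened for this very account.
        return (req.ticket_id is not None
                and self._tickets.get(req.ticket_id) == req.account_id)

    def execute(self, req):
        exempt = self._ticket_exempt(req)
        if not (exempt or req.approvals):
            self._log("LOOKUP_DENIED", req, req.requester)
            raise PermissionError("second-person approval required")
        self._log("LOOKUP_TICKET" if exempt else "LOOKUP_APPROVED", req, req.requester)
        return self._accounts[req.account_id]

    def verify_chain(self):
        """Return False if any audit entry was edited, removed or reordered."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True

    def approver_load(self):
        """Approvals granted per person; an outlier suggests rubber-stamping."""
        return Counter(e["actor"] for e in self.audit if e["event"] == "APPROVED")


def demo():
    broker = LookupBroker(
        accounts={"u1": {"email": "user1@example.com"},
                  "u2": {"email": "user2@example.com"}},
        open_tickets={"T-100": "u1"},
        approvers={"alice", "bob"},
    )
    results = {}
    # Ticket-driven lookup of the ticket's own account: exempt from approval.
    results["ticket"] = broker.execute(
        LookupRequest("alice", "u1", "password reset", "T-100"))
    # Reusing that ticket to read a different account is not exempt.
    try:
        broker.execute(LookupRequest("alice", "u2", "password reset", "T-100"))
    except PermissionError:
        results["ticket_reuse"] = "denied"
    req = LookupRequest("alice", "u2", "abuse investigation")
    try:
        broker.approve(req, "alice")      # requester approving her own request
    except PermissionError:
        results["self_approval"] = "rejected"
    broker.approve(req, "bob")
    results["approved"] = broker.execute(req)
    return broker, results


if __name__ == "__main__":
    b, r = demo()
    print(r, [e["event"] for e in b.audit], b.verify_chain())
```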

------
linusnext
Could Jamal Khashoggi have been a victim of this?

~~~
boomboomsubban
There's really no part of his assassination that needs a connection to Twitter
to explain.

------
daseiner1
not a good time to be a foreign tech worker in the US

~~~
gtoprak
I don't think it's fair to generalize on a sensitive topic like this. People
are already scrutinized enough when it comes to getting a working visa.

~~~
daseiner1
my point is innocent people are going to be unduly scrutinized further. plus
our current admin as-is doesn’t exactly love foreign workers (a massive
understatement)

~~~
remarkEon
I don’t doubt that this will happen, but it’s perfectly within the rights of
the United States to apply more scrutiny to e.g. Chinese nationals seeking
employment at tech companies. We’re in a trade war with them and a de facto
state of cyberwar. It’s not at all unreasonable to expect the US Government to
look a little more closely at people coming here to work in tech, especially
for roles in sensitive positions.

~~~
longerthoughts
Nobody said it wasn't reasonable. They're saying this will make your life suck
more if you're a foreign worker regardless of whether or not you're a spy.
Even if you view it as a necessary evil, it can still suck for people doing
nothing wrong.

------
Romanulus
Isn't a large part of Twitter owned by Saudi interests?

~~~
freddie_mercury
Nope.

You could have just Googled "twitters largest stockholders" but the answer is:

The largest stockholders of Twitter are all US mutual funds. Vanguard owns
10%, Morgan Stanley owns 5%, BlackRock owns 5%, StateStreet owns 4%, Fidelity
owns 2%, etc.

Really nothing comes close to the index funds. Vanguard, BlackRock, State
Street own 20% of pretty much every company.

~~~
drak0n1c
That's not a complete picture, Prince Alwaleed owned 4.9% of Twitter as
recently as the end of 2016 (the alleged espionage happened before this). It
is unknown how much he owns now after his late 2017 detainment, presumably
shares were either sold off, seized by Saudi authorities, or both. It's not
unusual for ownership to be split among smaller entities, and there is no
requirement for US companies to consolidate myriad unknown foreign stock
holders into specific entities in their reports.

[https://www.cnbc.com/2017/11/05/citigroup-twitter-held-by-de...](https://www.cnbc.com/2017/11/05/citigroup-twitter-held-by-detained-billionaire-alwaleed-bin-talal.html)

------
midnitewarrior
If I were spying at Twitter for Saudi Arabia, I'd stream Trump's real-time
location back to my handlers, as the Twitter app gathers location data and
Trump's online habits are lax.

------
buboard
end to end encrypted everything.

------
cryptozeus
This sounds like a great script for a movie.

------
drawkbox
I wonder if this is in addition to or was part of the McKinsey scandal where
they targeted Saudi dissidents on Twitter for Saudi Arabia [1]. I wouldn't be
surprised if getting people on the inside like this was part of it though just
conjecture.

> _Role in Saudi clampdown on dissidents_

> _In October 2018, in the wake of the assassination of Jamal Khashoggi, a
> Saudi dissident and journalist, The New York Times reported that McKinsey
> had identified the most prominent Saudi dissidents on Twitter and that the
> Saudi government subsequently repressed the dissidents and their families.
> One of the dissidents was arrested. Another dissident's family members were
> arrested, and the cell phone of the dissident was hacked. McKinsey issued a
> statement, saying "We are horrified by the possibility, however remote, that
> [the report] could have been misused. We have seen no evidence to suggest
> that it was misused, but we are urgently investigating how and with whom the
> document was shared." In December 2018, The New York Times reported that
> "the kingdom is such a vital client for the firm — the source of nearly
> 600 projects from 2011 to 2016 alone — that McKinsey chose to participate in
> a major Saudi investment conference in October 2018 even after the killing
> and dismemberment of a Washington Post columnist by Saudi agents."_ [1]

> _On the 12th of February 2019, the European Parliament Greens/EFA group
> presented a motion for a resolution on the situation on women’s rights
> defenders in Saudi Arabia denouncing the involvement of foreign public
> relations companies in representing Saudi Arabia and handling its public
> image namely McKinsey & Company._ [1]

McKinsey also supports authoritarian regimes if they ask for reports and have
the money.

> _Support of authoritarian regimes_ [1]

> _McKinsey's business and policy support for authoritarian regimes came
> under scrutiny in December 2018, in the wake of a lavish company retreat in
> China held adjacent to Chinese government internment camps where thousands
> of Uyghurs were being detained without cause. In the preceding few years,
> McKinsey's clients included Saudi Arabia's absolute monarchy, Turkey's
> autocratic leader Recep Tayyip Erdogan, ousted former President of Ukraine
> Viktor Yanukovych, and several Chinese and Russian companies under
> sanctions._ [1]

McKinsey, one of the Big Three management consulting firms [4], is widely used
to use plausible deniability for private equity leveraged buyouts and
corruption like the Enron scandals. [2]

> _Enron was the creation of Jeff Skilling, a McKinsey consultant of 21 years,
> who was jailed after the company collapsed. McKinsey reportedly "fully
> endorsed the dubious accounting methods that caused the company to implode
> in 2001." Enron reportedly used McKinsey on 20 different projects, and
> McKinsey consultants had "used Enron as their sandbox."_

McKinsey was also a big part of the plausible deniability for big banks and
funds during the Great Recession [3]. Very questionable ethics at McKinsey,
hard to trust anyone from there.

> _McKinsey is said to have played a significant role in the 2008 financial
> crisis by promoting the securitization of mortgage assets and encouraged the
> banks to fund their balance sheets with debt, driving up risk, which
> 'poisoned the global financial system and precipitated the 2008 credit
> meltdown'. Furthermore, McKinsey advised Allstate Insurance to purposefully
> give low offers to claimants. The Huffington Post revealed that the strategy
> was to make claims "so expensive and so time-consuming that lawyers would
> start refusing to help clients." Next to this, 2016 McKinsey partner Navdeep
> Arora was convicted for illegally depleting State Farm of over $500,000 over
> a period of 8 years, in collaboration with a State Farm employee._

[1]
[https://en.wikipedia.org/wiki/McKinsey_%26_Company#Role_in_S...](https://en.wikipedia.org/wiki/McKinsey_%26_Company#Role_in_Saudi_clampdown_on_dissidents)

[2]
[https://en.wikipedia.org/wiki/McKinsey_%26_Company#Role_in_c...](https://en.wikipedia.org/wiki/McKinsey_%26_Company#Role_in_corporate_accounting_scandals)

[3]
[https://en.wikipedia.org/wiki/McKinsey_%26_Company#2008_fina...](https://en.wikipedia.org/wiki/McKinsey_%26_Company#2008_financial_crisis)

[4]
[https://en.wikipedia.org/wiki/Big_Three_(management_consulta...](https://en.wikipedia.org/wiki/Big_Three_\(management_consultancies\))

------
samirillian
> who the CIA has concluded likely ordered the assassination of journalist
> Jamal Khashoggi in Istanbul last year.

More crack work from the CIA.

------
yowlingcat
I smell a fall guy or two. What do you think the odds are that the token
optics of this can be replayed as "standing up" for free speech? Not that what
actually happened wasn't sketchy (it was) -- just that I have a sense this
slap on the wrist will be enough for some to say "At least we can say we
tried"

~~~
Railsify
Slim to none, the article claims they accessed info of people close to the
murdered journalist.

