What the two Twitter employees’ actions in accessing user data for use by the Saudi Kingdom was not technically a criminal offense
On Nov. 7, the United States Department of Justice (DoJ) charged two individuals, one a U.S. citizen the other a citizen of the Kingdom of Saudi Arabia, with helping the Saudi government identify and target dissidents and protesters by providing them with personal information gleaned from the database of their employer, Twitter. “Acting in the United States under the direction and control of Saudi officials, the defendants are alleged to have obtained private, identifying information about users of Twitter who were critical of the Saudi government,” said Assistant Attorney General for National Security John C. Demers in a press release. ‘Two of the defendants – Alzabarah and Abouammo – are former Twitter employees who violated their terms of employment to access this information in exchange for money and other benefits. Aside from being criminal, their conduct was contrary to the free speech principles on which this country was founded.”
The defendants were actually charged with two crimes: first, that they were acting as unregistered agents of a foreign government, and second, that they lied about the amount of money they were paid for working for the Kingdom of Saudi Arabia. What is interesting is that none of the defendants were charged with a computer crime.
What is Hacking?
At first blush, it seems obvious that what these defendants did was not computer hacking. When we traditionally think of hacking, we think of some outsider breaking into a computer or computer network, exploiting a vulnerability, introducing a virus, or “breaking in” to a network where they do not belong. What these two defendants appear to have done was simply use the opportunity created through their employment at Twitter to obtain information and use it in a way that Twitter expressly prohibited. So is that hacking?
Magic 8 Ball says, “Situation hazy, ask again later.”
The problem with the computer crime statute, like other criminal statutes, is that it was intended to deal with a particular problem at a particular time and it is not entirely clear on what it prohibits. The Computer Fraud and Abuse Act located at 18 USC 1030(a)(4) essentially prohibits two things: computer crime and computer trespass. The computer trespass provisions make it legal to access a computer without authorization, or—and this part is crucial—“exceed the scope of one’s authorization to access a computer,” and thereby do certain bad things.
In this respect, the computer crime statute is not that much different than ordinary trespass laws. A person can trespass by entering onto the property that’s not theirs and staying there without the authorization of the owner of the property. But a person can also trespass by entering onto the property and doing something they’re not authorized to do. So, for example, if you are on the Washington, D.C., Metro subway system, and you eat or drink without authorization in violation of the rules of the Metro, then in addition to being given a citation for violating the rules you can be arrested for trespass. In states that allow open carry of firearms but also permit individual stores to prohibit it, a person who enters a store openly carrying a firearm can be arrested for violating the rules of the establishment and therefore arrested for trespass. So trespass is both accessing without authorization or exceeding the scope of authorization to access—breaking any of the rules that permit access to the location.
It appears that the two Saudi Twitter employees had the authorization to access Twitter, view files on Twitter and read the files that they actually read. What they did not have was authorization to copy the files and to provide the data to the Kingdom of Saudi Arabia. So when they accessed the database to which they had lawful access but did so for an improper purpose, were they exceeding the scope of their authorization to access Twitter’s computers?
There are really two ways to exceed the scope of one’s authorization to access a computer. The first one is when you violate the rules, whether written or unwritten, that govern your access to the computer or computer network. These rules can govern access to the computer, access to data or your use of the data. So if your employer has a policy that says no personal use of employer email and you send an email to your child’s school saying that you’re going to be late to pick them up at school, you’ve violated your employer’s rules and therefore used your employer’s email in excess of authorization. A crime. Similarly, if your employer has a rule about what you’re allowed to do with data you access through computer and you do something different with it, then you have downloaded the data from the computer in excess of your authorization to do so.
The second way to violate the Computer Fraud and Abuse Act’s proscription on exceeding authorized access is by breaking some technical barriers to access—breaking a locked door. In the physical world let’s assume that you’re allowed to be in the building, but not allowed to be in a particular room. If you pick the lock or break the barrier to be in that room, you are then trespassing even though you are authorized to be in the building generally.
Courts have struggled over the years in applying the Computer Fraud and Abuse Act in the virtual world to these different scenarios in the physical world.
Indeed, just a few years ago the U.S. Court of Appeals for the Ninth Circuit—the court which includes both California and Washington state where the Saudi’s crimes are alleged to have occurred—ruled that when an employee takes files of his employer and uses them for the purposes of a competitor, even though this violates the rules on access to the computer and use of data, it does not constitute a criminal violation of the Computer Fraud and Abuse Act (CFAA). The court there was concerned with the expansive definition of exceeds authorized use and noted:
The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.
So even though the Saudi employees both accessed Twitter and data on the Twitter database for purposes that far exceeded the reason why they were given access to the computers, and even though they sold that data to a foreign government, it appears that the Justice Department, bound by the Ninth Circuit precedent, felt that it could not prosecute these two for exceeding the scope of their authorization to access or use the Twitter database.
Another curious aspect of the Saudi case is the fact that Twitter has not notified the Saudi dissidents or indeed anyone else that there’s been a breach of their data. At least, not yet. Clearly the data that was provided to the Saudi government constitutes personally identifiable information about which Twitter has an obligation to keep secret, and when there is unauthorized access to that data, the company has a legal obligation to notify the data subject about the authorized access. Maybe.
You see, the data breach disclosure laws were written to deal with specific kinds of data; not everything that is “personally identifiable” comes within the scope of those data breach disclosure laws. Under the Washington State law personal information “… means an individual’s first name or first initial and last name in combination with any one or more of the following data elements (a) Social security number; (b) Driver’s license number or Washington identification card number; or (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” The IP address, Twitter handle, physical location, content of messages, etc., are not strictly covered as “personal information” about which a breach notification is legally required.
So it’s possible that Twitter’s lawyers have decided that the kind of information contained in the database does not meet the legal definition of personal information about which a breach must be disclosed. It’s also possible that they have determined that non-U.S. citizens are not the beneficiaries of the data breach disclosure laws and therefore they have no obligation to notify the Saudi dissidents about the breach. More likely, however, is that U.S. law enforcement in general, and the FBI in particular, requested that Twitter refrain from disclosing the breach while they pursued the criminal investigation that led to the instant charges. The Washington statute provides that “The notification required by this section may be delayed if the data owner or licensee contacts a law enforcement agency after discovery of a breach of the security of the system and a law enforcement agency determines that the notification will impede a criminal investigation.” If that is the case, we can expect Twitter to make these notifications shortly.
Well, maybe. Under the particular circumstances here, notifying Saudi dissidents that their information has been provided to the Saudi government may cause more harm than good. The mere act of notification will now identify these individuals as Saudi dissidents about whom the Saudi government was interested. The notification itself may serve as a means for targeting these individuals for retribution and reprisal. In fact, by making the notifications, Twitter may be doing the Saudi government’s work for them—specifically identifying the individuals (by name) about whom the Saudi government only may have had general information.
So right now, the defendants are simply charged with acting as unregistered agents of a foreign government, a very technical indictment. Which may act as a green light—or, at worst, a yellow light—for continued espionage activities targeting personal data in U.S. social media companies databases.