The lawsuit alleges that the network divulges user data to Saudi authorities at a significantly higher rate compared to the US, UK, and Canada
In an amended civil lawsuit filed in the United States, the social media firm, previously known as Twitter but now referred to as X, faces allegations of aiding Saudi Arabia in committing severe human rights violations against its users. These accusations include the company’s purportedly higher rate of disclosing confidential user data to Saudi authorities, in comparison to its practices in the United States, United Kingdom, or Canada. The lawsuit, initially initiated in May, was brought by Areej al-Sadhan, the sister of a Saudi humanitarian worker who was subjected to forced disappearance and subsequently sentenced to a 20-year prison term.
The lawsuit revolves around the incidents related to the infiltration of the California-based company by three Saudi agents, including two who posed as Twitter employees in 2014 and 2015. This infiltration ultimately led to the arrest of Abdulrahman al-Sadhan, the brother of Areej al-Sadhan, and the exposure of the identities of numerous anonymous Twitter users. Some of these individuals were reportedly detained and subjected to torture as part of the government’s crackdown on dissent.
Attorneys representing Al-Sadhan recently updated their legal claim to include fresh allegations regarding Twitter’s actions under the leadership of then-CEO Jack Dorsey. The lawsuit alleges that Twitter willfully ignored or was aware of the Saudi government’s efforts to target critics. However, due to financial considerations and its desire to maintain close ties with the Saudi government, a major investor in the company, Twitter provided assistance to the kingdom.
The new lawsuit outlines how X, formerly regarded as a vital platform for democratic movements during the Arab Spring, became a cause for concern for the Saudi government as early as 2013.
These legal developments come shortly after Human Rights Watch criticized a Saudi court for sentencing an individual to death solely based on their Twitter and YouTube activities, describing it as an “escalation” of the government’s crackdown on freedom of expression.
The individual who was convicted, Muhammad al-Ghamdi, aged 54, is the brother of a Saudi scholar and government critic residing in exile in the United Kingdom. According to Saudi court records scrutinized by HRW, al-Ghamdi was charged with maintaining two accounts, collectively amassing a mere 10 followers. Both accounts had fewer than 1,000 tweets in total and primarily featured retweets of well-known government critics.
The Saudi government’s crackdown can be traced back to December 2014 when Ahmad Abouammo, later convicted in the United States for clandestinely acting as a Saudi agent and providing false information to the FBI, began accessing and transmitting confidential user data to Saudi authorities. The new lawsuit alleges that he sent a message through the social media company’s messaging system to Saud al-Qahtani, a close associate of Mohammed bin Salman, stating, “proactively and reactively we will delete evil, my brother.” The lawsuit contends that this message referred to the identification and targeting of perceived Saudi dissidents using the platform. Al-Qahtani was subsequently accused by the US of masterminding the murder of journalist Jamal Khashoggi in 2018.
The Guardian reached out to Ben Berkowitz, the lawyer representing the company in the case from Keker, Van Nest & Peters, but did not receive a response. Additionally, The Guardian attempted to contact Block, Inc., the company associated with Jack Dorsey, the former Twitter CEO, for a comment, but did not receive a response.
Following Abouammo’s resignation in May 2015, he allegedly continued to communicate with Twitter regarding requests he was receiving from Bader al-Asaker, a senior aide to Mohammed bin Salman, for the identification of confidential users. According to the lawsuit, he explicitly stated that these requests were made on behalf of his “former associates within the Saudi government.”
The lawsuit further asserts that Twitter had “sufficient warning” about security vulnerabilities related to the internal personal data and the potential for insiders to unlawfully access it, based on public reports available at that time. The lawsuit contends that Twitter did not merely disregard these warning signs but was aware of the malicious campaign.
On September 28, 2015, Twitter received a complaint from a Saudi user reporting the compromise of their accounts. However, the lawsuit asserts that Twitter did not take action to restrict access to confidential user data for one of the Saudis, Ali Hamad Alzabarah, despite his previous access to the user’s account.
The lawsuit claims that Saudi authorities would initiate formal follow-ups with Twitter upon receiving confidential user data from their agents within the company. They did this by submitting emergency disclosure requests (EDRs) to obtain documentation confirming a user’s identity, which was subsequently used in legal proceedings. Often, these EDRs were swiftly approved on the same day.
In May 2015, when two Twitter users posted tweets related to the kingdom that Bader al-Asaker found objectionable, Albabarah allegedly accessed the users’ data within hours. EDRs concerning these users were then sent and automatically approved by Twitter, according to the lawsuit.
Between July and December 2015, the lawsuit asserts that Twitter fulfilled information requests from the kingdom “significantly more frequently” than from many other countries during that period. These countries included Canada, the UK, Australia, and Spain.
On November 5, 2015, just days before the FBI confronted Twitter about its concerns regarding Saudi infiltration of the company, Alzabarah, who is now a fugitive living in Saudi Arabia, was promoted by Twitter. In response to the promotion, Alzabarah sent a note to his Saudi government contact, al-Asaker, expressing his “unimaginable happiness.” The lawsuit claims that this note is evidence that Alzabarah believed al-Asaker had played a role in arranging or influencing the promotion.
After Twitter became aware of the FBI’s concerns, they placed Alzabarah on leave and seized his laptop, although they did not confiscate his phone, which he used extensively to communicate with his Saudi state contacts. According to the lawsuit, Twitter “had every reason to anticipate that Alzabarah would immediately flee to Saudi Arabia, which is exactly what he did.”
The US attorney’s office in San Francisco, which was responsible for the case, did not respond to The Guardian’s request for comment regarding the company’s handling of the matter.
Twitter would subsequently notify users who might have been affected, informing them that their data “may” have been targeted. However, the company did not provide specific details about the extent or certainty of the breach.
The lawsuit contends that by “failing to provide this critical information, Twitter exposed thousands of its users to risk,” suggesting that some users might have had the opportunity to evade the kingdom had they been aware of the danger. Even after becoming aware of the breach, Twitter continued to engage with Saudi Arabia and strategize with the nation as one of its key partners in the region. Approximately six months after the FBI alerted the company to the issue, Jack Dorsey met with Mohammed bin Salman, and they discussed methods to “train and qualify Saudi cadres.”
