AILSA CHANG, HOST:
The Justice Department has accused Saudi Arabia of spying in the U.S. and using Twitter to do it. In a complaint unsealed in federal court yesterday, prosecutors describe a low-tech scheme. They accuse the kingdom of bribing two Twitter employees for information on Twitter users. Those employees are no longer at Twitter. But the allegations raise questions about how vulnerable our social media platforms are, not just to external hackers but to attacks from the inside.
For some perspective on this, I'm joined now by Mark Rasch. He's a former head of the Justice Department's computer crime unit. Welcome.
MARK RASCH: Thank you.
CHANG: So I understand that Twitter is very popular among Saudis. And this complaint against these former Twitter employees alleges that the Saudi kingdom wanted the phone numbers and email addresses of people who had been critical of the Saudi government. What would the government want to do with that contact information, you think?
RASCH: Well, once they are able to identify somebody who thinks that they're anonymous on Twitter, they can then go back, and they can have them arrested. They can have them detained. They can have them questioned. They can have them interrogated, prosecuted and ultimately even worse.
CHANG: I mean, should we even be surprised that Saudi Arabia or any country that wants information on people inside the U.S. would do something like this?
RASCH: By and large, countries go where the data that they are looking for is found.
RASCH: So the weakest link in any of these technology things - we always worry about hacking in sophisticated attacks, but it's much easier to pay somebody off than it is to try to break into a computer or a computer network. It's almost always the weakest link, and it almost always works. That's why you do it.
CHANG: When you were at the Justice Department, did you see similar attempts by countries such as China or Iran or Russia trying to recruit spies inside social media platform companies here in the U.S.?
RASCH: Well, what you see is what's called classic grooming behavior. Whenever a foreign country identifies information that they want, whether it's technology secrets or information about social media, they're going to identify people who have access to that information, and then they're going to groom them. They're going to see if they're amenable to bribery, to other forms of pressure. And they're going to try to get them to give them the information. This is true in classic espionage cases and spies, and now it's true in identifying people with access to social media.
CHANG: Right. So with respect to this risk of grooming, how should companies like Twitter or Facebook or Google better protect against this kind of risk? I mean, let's start with just the vetting that happens during the hiring process. What should that look like?
RASCH: Well, one of the things you're going to look for is you're going to look for people who have loyalty to the company in the country in which it's operating. That's really difficult because these social media companies operate in many, many countries. So you're not going to sit there and say, we're not going to hire people who aren't loyal to America. They're going to have a whole diverse group of people.
The more important thing is what Twitter claims to have done subsequent to this case, which is limiting access and monitoring access by their employees to only the data that that person should be seeing. What happens in these cases is they ask the groomed employee to get access to data that they shouldn't be having and they shouldn't be looking at. And that's the thing that Twitter and Facebook and other social media entities need to monitor their own employees to see when they're going out of bounds.
CHANG: I see. So these companies should more closely track what kind of information - internal information these employees are accessing day to day.
RASCH: And the complaint filed by the Justice Department by the FBI says that Twitter has, quote-unquote, "fixed that problem." But the truth is it's not just a single problem. It has to do with the whole nature of social media and access to data.
CHANG: That more scrutinizing monitoring that you're suggesting, would that raise privacy concerns for employees at these companies then?
RASCH: It does, but that's a balance that you need to be able to reach and tell the employees, this is what we're doing. This is what we're collecting. We're going to look at what you're accessing and why. And if we find it to be unusual, we're going to ask you about it. And that's one of the balances that you have to strike when you're working at a company like that.
CHANG: Mark Rasch is a former head of the Justice Department's computer crime unit. Thank you very much for joining us.
RASCH: Thank you. Transcript provided by NPR, Copyright NPR.