Saudi telco asks researcher Moxie Marlinspike to help it spy on residents
Senators introduce bill that would flag countries, products that benefit from espionage
A Saudi telecommunications company recently contacted a well-known security and privacy researcher for help in spying on its millions of subscribers, it was revealed Monday.
Moxie Marlinspike, the alias used by the white hack hacker who co-founded Android defense company Whisper Systems, acquired by Twitter in late 2011, exposed Monday in a blog post his exchange with a person representing Mobily, one of Saudi Arabia's largest telecom providers.
The Mobily rep said it was seeking Marlinspike's assistance in a government-sponsored surveillance project that was seeking to intercept "mobile application data" belonging to Twitter, WhatsApp, Viber and Line users.
"What's depressing is that I could have easily helped them intercept basically all of the traffic they were interested in," Marlinspike wrote, adding that the exception would have been Twitter, whose Transport Layer Security (TLS) encryption code, which he helped develop, likely would have prevented eavesdropping.
"They later told me they'd already gotten a WhatsApp interception prototype working, and were surprised by how easy it was," Marlinspike wrote. "The bar for most these apps is pretty low."
A WhatsApp spokesperson did not respond to a request for comment.
After a weeklong exchange of emails that he kept going in order to collect evidence of the surveillance project, Marlinspike, who has developed man-in-the-middle tools for research purposes, declined to help.
What's surprising is that he was solicited in the first place. A simple Google search would have revealed that Marlinspike probably wasn't the man for the job, considering he's publicly decried trust issues on the web and has engaged in research that may have caused him to experience border harassment when trying to re-enter the United States.
"It's hard to say exactly when it happened, but these days, the insecurity of the internet is now more predominantly leveraged by people that I dislike against people that I like," he wrote. "More often than not, that's by governments against people."
When he turned down the offer due to privacy reservations, the Mobily rep told Marlinspike that he understood his position, but that the Saudi initiative was being used to help catch "terrorists." The implication, according to Marlinspike, was that by failing to help, he was supporting terrorism by default, an argument that now is commonly invoked as justification for submitting to privacy intrusions.
"While this email is obviously absurd, it's the same general logic that we will be confronted with over and over again: Choose your team," Marlinspike wrote. "Which would you prefer? Bombs or exploits. Terrorism or security. Us or them."
Eva Galperin, the global policy analyst at the nonprofit digital advocacy group Electronic Frontier Foundation, told SCMagazine.com on Monday that the revelations produced by Marlinspike are not surprising for a country that has essentially "outlawed dissent."
About 1 1/2 months ago, news outlets reported that the Saudi government was considering blocking services such as WhatsApp and Viber if they failed to meet regulations. These applications regularly are used by Saudi protesters to organize actions.
"If anything good comes out of this blog post, I hope it will be greater awareness for Saudi Arabian activists about how closely their communications are being monitored," Galperin said.
But don't expect any outcry over this incident from the U.S. government, which maintains a close relationship with the Saudi monarchy led by King Abdullah.
"Given the strategic importance of Saudi Arabia, it's unlikely the U.S. is going to be particularly harsh on its ally for engaging in this sort of behavior," Galperin said, noting that the United States has engaged in similar "dragnet" spy operations on its citizens since at least 2003.
UPDATE: Neeraj Arora, head of business development at WhatsApp, told SCMagazine.com in an email: "The information in the blog post is unverified and unconfirmed. Until we are presented with evidence and data, we will treat the information as false."