by thaumasiotes 1702 days ago
The argument that being a victim of espionage constitutes per se negligence seems like a stretch.

For spies to exist at all, they need to fool whatever supervision is in place. For missing them to be negligence, it would have to be easy to prevent spying from happening.

When a warbler feeds a cuckoo chick and lets his own chicks starve, is that because he's a bad parent who could be fixed with a lawsuit, or is it just a fact about the ecosystem?

8 comments

I have only read the article and not the text of the legal complaint, but according to the article, he is specifically not basing his complaint on them being a victim of espionage and is making more specific allegations:

> "While Twitter may wish to play the victim of state-sponsored espionage, Twitter's conduct in punishing the victims of this intrigue, including Mr. Al-Ahmed, tells a far different story: one of ratification, complicity, and/or adoption tailored to appease a neigh beneficial owner and preserve access to a key market, the KSA," Randy Kleinman, the attorney for Al-Ahmed, wrote in the complaint.

I have no idea if their allegations are correct, but the argument you're dismissing is explicitly not what they're saying.

The allegation you quote is not an espionage allegation. It's saying that because this activist's Twitter account received unfavorable treatment from Twitter, we should assume that the unfavorable treatment of his account is evidence that Twitter is an arm of the Saudi government, and therefore the separate incident involving espionage must have happened with Twitter's cooperation or at least without Twitter's objection.

Note that the quoted allegation does not even allege any misconduct on Twitter's part! The only purpose is to ask you to draw an adverse inference about what Twitter was thinking when they became the victim of espionage.

I didn't say it was an espionage allegation. It's quite possibly not. The quote alleges complicity among other terms. I don't know if that's legally a type of misconduct - my guess is that the legal terms for both are more precise and this is just the press release version. But in everyday parlance, calling someone complicit does suggest some active form of inappropriate knowing participation in something bad. Not necessarily in espionage specifically.

> But in everyday parlance, calling someone complicit does suggest some active form of inappropriate knowing participation in something bad.

Let's say this guy's Twitter account was shut down because Mohammed bin Salman personally called Jack Dorsey and asked for a favor. That would be complicity, in shutting down the Twitter account. It would not be complicity in espionage.

Agreed. Nothing you are saying is contradicting anything I am saying, nor anything in the quote we're discussing.

I'm not sure why you're spending so much time to emphasize that the quote in the article doesn't allege espionage by Twitter when nobody is claiming it does, but indeed we are in full agreement that it doesn't. (Having not read the legal complaint itself, I express no opinion on what that alleges.)

You used that quote to support the claim that he is not basing his complaint on Twitter being a victim of espionage.

That claim is incorrect. Your quote does not state a cause of action against Twitter. Its only purpose, in the lawsuit, is to support, through innuendo, the claim that Twitter was complicit in an espionage "attack" against themselves. The complaint is based only on the espionage incident.

The quote is mostly irrelevant, which is the type of support you'd expect this complaint to be able to muster.

That's what I'm saying.

I get what you’re saying, but one way or another personal data Twitter was entrusted with was leaked and people were murdered as a result. I don’t know if Twitter was actually negligent here, but it seems worthwhile to find out through this lawsuit.

> but it seems worthwhile to find out through this lawsuit.

If Twitter could assess a huge penalty on the plaintiff for filing a frivolous lawsuit, maybe.

Otherwise, no. We already know that Twitter specifically tried to deal with one of these spies when he came to their attention, shortly before he escaped. There is no reason to believe that Twitter did anything wrong, and excellent reason to believe they didn't.

Lawsuits aren't cost-free; the off-chance that, against all expectations, you might find something that almost definitely isn't there is not a good reason to entertain one.

If Twitter could assess penalties this wouldn’t be a legal system. Courts and judges assess penalties. Companies can sue for damages but they don’t assess penalties.

With all due respect, this is the second ignorant thing you’ve said on this article. You don’t have a fucking clue what you’re talking about. Please stop…

Sorry, I responded to "this is a good idea" with "in case of X, it might be, but in reality, it isn't", and you think "but X is not true" undermines that argument?

Look, if you’re going to engage with me, cut the shit. You wrote:

“If Twitter could assess a huge penalty on the plaintiff for filing a frivolous lawsuit, maybe.”

If Twitter could assess a huge penalty, it would violate absolutely every single tenet of both the western justice system and all principles of natural justice. Companies don’t get to assess penalties when they think they’ve been wronged. Companies can sue for damages and Twitter has the right to do that here. However, companies don’t assess damages - JUDGES DO!

This is so simple that I can’t believe I just had to explain it on Hacker News. Tune in next time, when we do “Hello world” in Python.

There's nothing unusual about private parties being able to assess penalties against other private parties. Your bank does it all the time. It does not make a mockery of the justice system.

The justice system frequently does make a mockery of the justice system by assessing penalties, such as when someone is arrested, proves to have been someone other than the target, and then gets charged for the time they spent in jail.

If a failed frivolous lawsuit against Twitter automatically gave Twitter a claim on the plaintiff's assets, that would in fact not violate every tenet of the western justice system, nor would it violate all principles of natural justice. It is a system that has obtained elsewhere and that people frequently advocate for.

> There is no reason to believe that Twitter did anything wrong, and excellent reason to believe they didn't.

Why do they ask for personal information in the first place? Why are DM messages not e2e-encrypted? That's plenty of wrong already.

If you're building a public/global microblogging platform, enable nicknames for all and never ask for any personal information. If you're building a private messenger, enable e2e encryption (or at least at-rest inbox encryption).

If you're building both, and ignoring all security best practices, and encouraging people to give away their phone numbers, I would hold you responsible for any harm that comes their way because of this.

I think that depends on the organization we're talking about. There exist organizations where spies getting in probably should be per se negligence. The CIA and NSA are indisputably in this list. We just don't punish them via lawsuits, because there are better mechanisms for public groups.

The question at hand is whether Twitter belongs in that group. In the general case, I tend to believe no. Twitter has no deterministic means to tell whether a candidate is a risk or not, and they cannot be held liable for actions they couldn't know were illegal.

I do believe they can be held responsible for espionage in the event that they knowingly hired a spy, which seems to be the case here.

If the government believes it is important to national security to prevent Twitter from even unknowingly hiring spies, I think the onus is on the government to nationalize whatever parts need protecting. In this case, they could probably just nationalize the background check portion via security clearances. It doesn't sound like we're at that point, though.

Yes, the argument that being a victim of espionage constitutes negligence is a stretch. However, that’s not what Mr. Al-Ahmed’s suit alleges - it alleges they were victims of espionage because of their negligence.

I have a suggestion. In the future, keep the analogies to yourself and talk about facts.

I imagine the argument is that Twitter was negligent in allowing employees access to the security tool this guy used to track Saudi dissidents without oversight and shouldn't have warned him that the FBI was investigating him?

Not even close:

> The claim filed Thursday in California alleges [among other things] that Twitter should have known that these two men were unfit employees

> For missing them to be negligence, it would have to be easy to prevent spying from happening.

Well it is! Tech companies should not act as surveillance/intelligence companies: stop gathering personal info on people, and suddenly you've raised the bar considerably for spies to harm your users.

Sure, an insider spy could probably still set up a special-cased JS payload to infect a specific user, but that's more convoluted and more easily detected during review, compared to simply accessing one of the many troves of data companies keep on their users.

My thoughts exactly. Sometimes you will lose the cat and mouse game and often the spies just have a huge upper hand on you.

eh they were indicted by the Federal Government and so the civil suit by this person has a lot of ammunition already that they otherwise would not have

mayyybe they went amateur hour with the negligence angle, but maybe they didn't