Saudi Arabian authorities recently announced that they have hacked and disabled about 9,000 Twitter accounts associated with the publication of pornographic materials and arrested many of the handles' owners. The Commission for the Promotion of Virtue and Prevention of Vice (a.k.a. Haia, the Saudi religious police) organized the sting, sweeping up many Saudis and expats accused of organizing alcohol- and gambling-fueled parties. But in an apparent first for the Kingdom, Haia acknowledged that it did not act alone, instead relying upon a group of "ethical hackers" to access users' accounts and personal information, leading to physical arrests.
Saudi Arabia has been cracking down hard on all manner of ill-defined immorality online for at least the past six years. Like gambling or blasphemy, many in Saudi Arabia like to link porn to social ails such as spiking divorce rates and label its viewers as social misfits. But maybe because they're irked about findings claiming their citizens are among the world's top porn consumers , they seem to devote special and highly visible efforts to stamping it out.
They've been known to conduct random searches of laptops, disks, and flash drives at immigration . And in 2013 alone, the state's Communications and Information Technology Commission (CCITC) blocked 400,000 porn sites, a process requiring the review and repression of one page at a time with over 2,000 censorship requests made every day. Those caught producing or disseminating porn, like the detainees picked up in yesterday's raid, face up to five years in prison and a fine not to exceed 3 million Saudi Riyals (roughly $800,000).
Yet Saudi authorities have been particularly consternated by porn on social media sites like Facebook (with 7.8 million local users) and Twitter (5 million). The state does not feel it can block these sites in full and outright. But it also has trouble playing whack-a-mole with content generators who can just pop up under a new name if authorities report their accounts for deletion on a case-by-case basis, and whose true identities are not easily ascertained. As of March 2014, Haia, the CCICT the Ministry of the Interior (and its cybercrimes division), and the Audiovisual Commission, with advice from the National Center for Youth Research, an affiliate of King Saud University, announced they were collaborating on new strategies to address this dilemma. Nothing in these reports indicated an intention to employ hackers—much less ethical hackers
Ethical hacking (also known as Certified Ethical Hacking [CEH] or White Hat Hacking) is actually a respectable and recognized profession. They're skilled hackers, often with certification and training in cyber security, employed by corporations or governments to monitor traffic on and attempt to hack their own networks, helping to predict breaches and beef up security.
Private actors in Saudi Arabia have trained and employed ethical hackers since at least 2011 . In 2013, Saudi Aramco, the largest company in the Kingdom and the world's leading energy giant, put out a major call for their own White Hats. This was likely prompted by an attack the previous summer by a hacker collective called the Cutting Sword of Justice who stole data from and disabled 30,000 Aramco computers, taking down the company's computer systems for ten days.
In May 2014, almost one year after hackers defaced government websites, the Saudi Ministry of the Interior's National Information Center announced that it too would train and recruit ethical hackers—all ex-average hackers, but none with a record of striking out against government sites. But they gave no indication that these new cyber allies would be used for moralistic purposes, or against Saudi citizens, or really for anything other than security building.
Most nations, from the USA to North Korea , maintain a dedicated and government-controlled force of cyber security experts—basically hacker armies. Whether these armies move against national or international targets is usually well hidden. And whenever hackers do operate openly on behalf of a government—like the pro-Assad Syrian Electronic Army and Syrian Malware Team , or the Twitter-hacking pro-regime N33 group in Venezuela —the nature of their connection to the governments involved is obscured, likely because hacking is widely illegal, and it'd be a huge fiasco to be implicated in such activities against your own countrymen.
(A Saudi, self-styled Wahhabi [the brand of Islam practiced and promoted by the royal family] hacker collective called Group-XP waged one major attack, leaking tens of thousands of Israeli credit card details in 2012. But this group never claimed connection to the Saudi state. There does not appear to be a correlate to the Syrian or Venezuelan groups in the Kingdom.)
Right now we're not sure who the ethical hackers involved in the Haia Twitter sting were. We just know that they helped finger real-life users behind handles. They could have been members of the government, or the cadre of ex-hackers hired this spring by the Ministry of the Interior, or some other group of unaffiliated hackers roped in to aid the religious police. Either way you slice it, openly admitting that your regime has used hackers against your own citizens is a unique and questionable tact. But that just seems to be how they roll down in the Kingdom of House Saud.
Follow Mark Hay on Twitter.