Mobily Can Monitor Saudi Users of WhatsApp, US Researcher Says

Saudi mobile operator Mobily approached a US software engineer to help them organize a program to intercept messages sent via apps like WhatsApp, Twitter and Viber. Moxie Marlinspike wrote Monday on his blog that Mobily told him they already have a “WhatsApp interception prototype working” and that they were surprised how easy it was to make.

Saudi Arabia said in March that it could block several messaging apps because they do not meet the country’s regulatory requirements and laws. The Communication and Information Technology Commission (CITC), the local regulator of telecoms, said in a statement it has asked licensed mobile operators to work with developers of these apps to ensure that they meet the regulatory requirements.

This step by CITC raised concerns about government surveillance of communication on these apps. Local media reported at the time that CITC has asked the telecom companies to do what is required to monitor apps like Skype, Viber and WhatsApp, and that if communication through such apps cannot be monitored due to encryption then the telecoms will have to block access to them.

When Marlinspike told Mobily that he was not interested in the job for privacy reasons, a manager at the Saudi telecom company told him that the program to monitor users’ data on messaging apps was not about “freedom and respecting privacy” but rather about combating terrorism. The manager went further, suggesting that, by not taking the job, Marlinspike would be “indirectly helping” the terrorists “who curb the freedom with their brutal activities.”

According to Wikipedia, Moxie Marlinspike is the pseudonym of a computer security researcher based in San Francisco. He was the co-founder of Whisper Systems, a mobile security and privacy company that was acquired by Twitter in 2011. Marlinspike said he hopes that by publishing the story about Mobily approaching him to monitor users we can have a conversation about what can be done to stop such practices.

“Really, it’s no shock that Saudi Arabia is working on this,” he wrote, “but it is interesting to get fairly direct evidence that it’s happening.”

Through CITC, the Saudi government earlier this year forced mobile operators to require a user’s National ID number when topping up mobile phone credit. The government decision to link mobile prepaid cards to National IDs was justified as a security measure to prevent criminal uses of mobile phones. Linking mobile numbers to IDs means it is now harder to obtain numbers for temporary use, aka “burners,” which makes surveillance easier for authorities.

In March, English-language daily Arab News pulled a story about plans by CITC to link Twitter accounts of Saudi citizens to their national IDs. The newspaper has not explained why they pulled the front page story which said the plan was inspired by CITC’s successful implementation of the government decision to add the user’s ID numbers for topping up mobile credit.

Social networks and messaging apps are extremely popular in Saudi Arabia. It is estimated that there are 4 million active Saudi users of Twitter and as many as 12 million users of WhatsApp. In a country with many restrictions on free speech, these apps provided new platforms for citizens to communicate and exchange messages away from government censorship.

Even though there has been no update from CITC since they released their statement last month regarding surveillance on messaging apps, the fact that Mobily has been working to design such tools and hire engineers to work on them suggests that the telecoms might have chosen to work quietly with the government to monitor these apps, despite protests by their customers and local human rights groups.

Al-Hayat daily reported that two Saudi human rights organizations warned that the government plan to monitor messaging apps could infringe on international accords that the government has signed. A spokesman for the official Human Rights Commission (HRC) told the newspaper they stand by citizens’ rights to protect their information privacy. “Denying citizens access to these tools under any justifications is something HRC does not agree with,” the spokesman said.

UPDATE: Mobily has denied asking Moxie for help. “We never communicate with hackers,” the company said. “Moreover, it is not our job to spy on customers.”