Abdulaziz v. Twitter, Inc.

• Decision Date: 18 February 2021
• Docket Number: Case No. 19-cv-06694-LB
• Parties: OMAR ABDULAZIZ, Plaintiff, v. TWITTER, INC., Defendant.
• Court: U.S. District Court — Northern District of California

OMAR ABDULAZIZ, Plaintiff, v. TWITTER, INC., Defendant.

Case No. 19-cv-06694-LB

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA San Francisco Division

February 18, 2021

ORDER GRANTING MOTION TO DISMISS

Re: ECF No. 99

INTRODUCTION

The plaintiff Omar Abdulaziz is a political dissident who moved to Canada in 2009 and was granted political asylum there in 2014 based on the Kingdom of Saudi Arabia's persecution of him.¹ In this lawsuit, he alleges that in 2014, Saudi authorities recruited two employees of the social-media company Twitter to access his confidential Twitter data and thereafter used malware in 2018 to hack his phone (and obtain texts, emails, and other information) and then targeted his family.

In an earlier complaint, the plaintiff sued Twitter for violating the Stored Communications Act, California's Unfair Competition Law, and state law. The state claims included Twitter's negligent hiring, supervision, and retention of employees.² The court dismissed the claims for lack of ArticleIII standing and, alternatively, for the plaintiff's failure to plausibly plead that Twitter ratified its employees' conduct or otherwise had vicarious liability. This disposed of all claims except the negligent-hiring claims, which the court held were barred by the statute of limitations.³

In his amended complaint, the plaintiff sued Twitter for negligent supervision and retention of its employees and negligence. Twitter moved to dismiss the claims for failure to establish causation for Article III standing or negligence, as barred by statute of limitations and its terms of service, and because the plaintiff did not plausibly allege its negligence. The court grants the motion on all grounds except for the terms of service, which the court does not reach on this briefing.

STATEMENT

1. The Plaintiff's Political Activism

In 2009, the plaintiff moved from Saudi Arabia to Canada to attend a Canadian university and was granted asylum in 2014 based on his fear of persecution in Saudi Arabia.⁴ As a student, the plaintiff discussed Saudi Arabian politics on Twitter and other social-media platforms, criticizing the governing regime, the royal family, and human-rights violations.⁵ The plaintiff was a close ally of Jamal Khashoggi, who was assassinated in October 2018 — by order of the Crown Prince Mohammad Bin Salman (according to the CIA) — in the Saudi consulate in Istanbul.⁶ The plaintiff and Mr. Khashoggi had been collaborating on a "range of political activities with the objective of educating the public in Saudi Arabia."⁷ The plaintiff has a large social-media following: over a half-million followers on Twitter and over 163,000 subscribers to his YouTube channel.⁸

2. Saudi Arabia Obtained Information About the Plaintiff

In addition to its access to publicly available information about the plaintiff, Saudi Arabia obtained information about him through two means: (1) his private Twitter information accessed unlawfully by Twitter employees and (2) planting malware on his phone and then hacking the phone.

2.1 Twitter Employees Gain Access to the Plaintiff's Twitter Information

Saudi Arabia allegedly recruited two Twitter employees — Ali Alzabarah (a Saudi citizen and a U.S. resident since 2005 and a site-reliability engineer for Twitter from August 2013 to December 2015) and Ahmad Abouammo (an American citizen and a Media Partnerships Manager for Twitter for the Middle East and North Africa region from November 2013 to May 2015) — to access certain Twitter accounts without Twitter's authorization.⁹ Abouammo began the unauthorized access in December 2014, and Alzabarah began in May 2015.¹⁰ The plaintiff alleges that Alzabarah accessed his confidential information, including his passwords, IP addresses, and direct messages, in June and July 2015.¹¹ Federal prosecutors investigated the unauthorized access and ultimately charged both former employees criminally in November 2019 with acting as agents of a foreign government in violation of 18 U.S.C. § 951.¹²

The TAC alleges that the FBI met with Twitter in late 2015, said that Alzabarah was the mole and that the FBI investigation was sensitive and ongoing, and "expressly asked Twitter not to tell Alzabarah what was going on as it could hurt the case[.]"¹³ Twitter allegedly refused to comply with this request and instead, confronted Alzabarah with accusations that he improperly accessed user accounts.¹⁴ He admitted that he had done so. Twitter did not detain Alzabarah (despite allegedly having the legal authority to do so under California Penal Code § 837) so that the FBIcould arrest him and instead escorted him out of the building and suspended him.¹⁵ Alzabarah then decamped to Saudi Arabia on December 3, 2015.¹⁶ The Justice Department officials were "livid" because Twitter had "blown up their case by tipping off a man they were hoping to arrest."¹⁷Abouammo left his job at Twitter earlier that year.¹⁸

Shortly after Alzabarah fled, Saudi authorities interrogated the plaintiff's father and brother in Saudi Arabia, cancelled the brother's financial assistance, and summoned three of the plaintiff's friends and roommates in Canada to the Saudi Cultural Bureau between March and July 2016.¹⁹

On December 11, 2015, by email and through an in-app message, Twitter notified the owners of the accounts that had been compromised, including the plaintiff, that their Twitter accounts may have been targeted by state-sponsored actors to obtain IP addresses, emails, and phone data.²⁰ It did this in two ways: through email (here, the email address that the plaintiff gave to Twitter) and through an in-app safety alert.²¹ The plaintiff alleges that he did not receive the notices and instead learned about the unauthorized access when he read about it in the New York Times on October 20, 2018.²² If he had known that his account had been compromised, then he would have been more careful about clicking on hyperlinks in text messages and would not have clinked on the link that put malware on his phone and allowed Saudi operatives to hack his phone.²³

In support of his contention that Twitter is responsible for the unauthorized act of its employees (even though those actions violated company policy), the plaintiff alleges the conductwas a "red flag" that should have alerted Twitter to the illegal activity.²⁴ The plaintiff also alleged that the danger "was inherent in Twitter's manner of operation:"

First, Twitter furnished Alzabarah and Abouammo with the access, hardware and software tools that enabled them to raid Plaintiff's private information. This would not have been possible were they not employed by Twitter. Second, Twitter implemented and benefited from policies that allowed and encouraged its technical and professional staff to work offsite, from multiple locations. Although Twitter benefitted from the greater productivity this allowed, it even further reduced Twitter's ability to monitor sensitive employees' conduct. Finally, Twitter implemented and benefitted from policies allowing its professional and technical staff flexibility as to when and where they performed their work, further complicating any monitoring Twitter should have been doing. With hundreds of millions of active users and a great many employees who had access to their data, the risk that confidential data would be exposed was broadly incident to Twitter's mode of operation.²⁵

Despite the known risks, Twitter "failed to institute adequate safeguards to protect this data or even alert Twitter senior management that private account data was being raided."²⁶ Also, Twitter did not institute appropriate safeguards or notify the plaintiff or other victims that it wanted to maintain its relationship with Saudi Arabia (shown in part by Saudi holdings in Twitter and a meeting that Twitter CEO Jack Dorsey had with Crown Prince Mohammed Bin Salman six months after Alzabarah fled to Saudi Arabia).²⁷

2.2 Saudi Operatives Hack the Plaintiff's Phone

In May 2018, two Saudi agents contacted the plaintiff, asked to meet with him, and met with him in several meetings.²⁸ The agents said that they worked for Crown Prince Bin Salman and Saud Al-Qahtani (who was "entangled with the murder of" Jamal Khashoggi) and demanded thatthe plaintiff stop his political activities and return to Saudi Arabia.²⁹ The plaintiff refused.³⁰ A few months later, Saudi operatives assassinated Mr. Khashoggi at the Saudi Consulate in Istanbul.³¹

On June 23, 2018, Saudi agents planted Pegasus malware on the plaintiff's phone in a phishing direct message masquerading as a message from the shipping company DHL to manage a delivery.³² As a result, the agents exfiltrated the plaintiff's SMS chats, emails, photographs, location data, and other information and were able to spy on the plaintiff "real time" through control of the phone's camera and microphone and receipt of information that the plaintiff typed into the phone or received from others.³³

In late July and early August 2018, Saudi agents raided the plaintiff's family's home, arrested and imprisoned his two brothers and dozens of his friends and associates, and continue to imprison and torture his brothers to pressure the plaintiff to stop his activism.³⁴

In mid-August 2018, the Citizens Lab at the University of Toronto told the plaintiff about the compromise of his phone through the Pegasus malware.³⁵ In October 2018, two weeks after the assassination of Mr. Khashoggi, a team of Saudi nationals traveled to Canada to assassinate the plaintiff.³⁶ In December 2018, in a separate lawsuit filed in Israel, the plaintiff sued N.S.O. Technologies, which manufactures the Pegasus software, on the ground that is liable for the hacking of his phone and the resulting harm that he and his family and friends suffered.³⁷

3. Procedural History

The plaintiff sued Twitter and McKinsey & Co. in October 2019 and then amended his complaint.³⁸ The court subsequently granted the defendants' motion to dismiss.³⁹ The plaintiff dismissed McKinsey...