Mobily, a Saudi Arabian telecommunications company with 4.8 million subscribers, is working on a way to intercept encrypted data sent over the Internet by Twitter, Viber, and other mobile apps, a security researcher said Monday.

Moxie Marlinspike, the pseudonymous cryptographer who has identified several security bugs in the secure sockets layer protocol used to protect website transactions, said he learned of the project after receiving an e-mail from company officials. Carrying the subject line "Solution for monitoring encrypted data on telecom," it said the project was required by "the regulator." Marlinspike believed this meant the government of Saudi Arabia. In follow-up e-mails, the Mobily officials said they were looking for ways to bypass the protections built into the SSL and Transport Layer Security protocols so telecom workers could monitor messages spreading terrorism.

"One of the design documents that they volunteered specifically called out compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception," Marlinspike wrote in a blog post. "A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities."

Mobily representatives didn't respond to an e-mail seeking comment for this article.

Marlinspike, who recently left Twitter after working in the company's security department, continued:

"Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over five billion in revenue, so I’m sure that they’ll eventually figure something out. What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter—I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working and were surprised by how easy it was. The bar for most of these apps is pretty low."

Marlinspike said it was "rude" of him to publish the details of a private correspondence but that it was "substantially more rude of them to be engaged in massive-scale eavesdropping of private communication." He warned readers about the influence wealthy governments are having on hackers and security researchers. That is primarily driven by the large scale purchase of security exploits used to compromise computers and eavesdrop on citizens. For a good understanding of how it all works, see this article published Friday by Reuters reporter Joseph Menn.

"Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening," Marlinspike wrote. "More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching. For the rest of us, I hope we can talk about what we can do to stop those who are determined to make this a reality, as well as the ways that we’re already inadvertently a part of that reality’s making."