This takes advantage of long-standing vulnerabilities in a global messaging system called SS7, which routes mobile calls when a user from one country is traveling in another. According to the data shared with The Guardian, the Saudi telecoms sent millions of these PSI SS7 requests to US carriers, including AT&T, T-Mobile and Verizon (Engadget's parent company), between November 2019 and March 1st, sometimes requesting data as often as two to 13 times per hour.

It isn't clear if the Saudi telecoms were spying on behalf of the government, but the kingdom doesn't have the best track record. Earlier this year, The Guardian reported that the phone of Amazon's Jeff Bezos was hacked via a WhatsApp message from the personal account of Prince Mohammed. Twitter has banned thousands of accounts linked with a state-backed effort to promote the Saudi government's message, and the Department of Justice has charged former Twitter employees with spying for Saudi Arabia.

"I think they are surveilling not only those they know are dissidents, but those they fear may deviate from the Saudi leadership," Andrew Miller, a Middle East expert and former member of Barack Obama's national security council, told The Guardian. "They are particularly worried about what Saudi nationals will do when they are in western countries."

Ron Wyden, a Democratic senator from Oregon, previously warned the Federal Communications Commission (FCC) that "malicious attackers" were exploiting SS7 vulnerabilities.

In a statement to The Guardian, Wyden wrote, "Because of [Pai's] inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country."