This Woman Says The Guardian's In-House Security Expert Attempted Phishing To Flirt With Her

    The security expert told the woman in an email that he'd been trying to use a PayPal receipt to get her personal information, to help protect “her digital footprint”.


    A Twitter user has accused Jacob Riggs, an information security analyst at the Guardian, of using PayPal as a way of phishing her to obtain her real name and private email address.

    @RooKay3, in a tweet posted on Monday, shared screenshots of emails between her and Riggs, where he admits that he sent her a micropayment of $0.01 to see if PayPal would email him back her personal information, which, he warned, “she might wish to keep private”.

    There is no suggestion that Riggs’ conduct was illegal or an attempt to defraud @RooKay3, but it does raise questions over why a security expert would attempt to obtain her information in a way she said made her feel “unsafe”.

    @RooKay3, an anarcho-communist artist based in the US, has asked for her name not to be included for personal safety reasons. Her Twitter account is well-known among leftist and social justice activists. She uses her PayPal for art commissions.

    She told BuzzFeed News that when she first received the $0.01 micropayment from Riggs, who is based at the Guardian’s HQ in London, she emailed him to make sure it wasn’t a mistake.

    “PayPal made a point of telling me it could take 21 days to clear,” @RooKay3 said. “I wondered if it was just showing up as 1 cent until his bank cleared the larger transaction or something.”

    When you send money to another PayPal user, the service emails the sender a receipt, and that receipt typically includes the recipient's real name and the email address registered on their account, regardless of what name the recipient uses publicly.

    @RooKay3 said that before receiving the payment, she had communicated with Riggs only once. In a Twitter DM, a screenshot of which BuzzFeed News obtained, Riggs messaged @RooKay3 on Sept. 16.

    “You’re the epitome of Marla Singer,” Riggs said, a reference to the character from Fight Club.

    “Yeah, I’ve gotten that before,” @RooKay3 replied.

    According to screenshots of emails seen by BuzzFeed News, @RooKay3 wrote to Riggs after his micropayment: “I’m not sure where I know you from, you sent me money via PayPal and it’s telling me it’s $0.01, but that the money is also going to take 21 days to process, I’m just not sure what this means exactly.”

    He replied: “We follow each other on Twitter. Your shitposts make me laugh. You can disregard the payment, I’m just a security researcher that noticed you seemed to have purposely hidden your name in your Twitter profile. I was curious if your real name was attached to the PayPal address in your bio.”

    As well as being an infosec analyst for the Guardian, Riggs is also listed as the founder of Elpis, an app that is described as a “dead man’s switch to protect data owners.”

    @RooKay3 told BuzzFeed News that Riggs’ response made her uncomfortable. She emailed him back, writing, “that’s awfully weird.”

    “I like pizza,” Riggs then replied.

    In another email, @RooKay3 told Riggs that she felt the PayPal micropayment was a violation of her privacy. “It’s not cute, it’s not endearing, it’s made me feel unsafe and this ‘I like pizza’ shit just tells me that you don’t respect me enough to at least have the decency to feel bad.”

    “Brb, adding you on Facebook,” Riggs replied.

    In a follow-up email, Riggs continued to defend his use of the micropayment, writing: “Privacy is actually very important to me, which is why I made an effort to flag the risk to yours. I won’t be shamed for it.”

    @RooKay3 tweeted several screenshots of the exchange, mentioning the Guardian in her tweet.

    “After I posted the screenshots on my twitter, he first replied to the tweet ‘yeah what an asshole,’ like he still thought it was a big joke,” she said.

    After @RooKay3 tweeted about the interaction, there were hundreds of shocked responses on Twitter from users who had been unaware that PayPal shares account holders’ real names and personal email addresses with the people who send them money. Users were also angry that the Guardian did not immediately respond to @RooKay3’s tweets.

    @RooKay3 @guardian I found all your personal information just to "Flag it" because you would hate for a man on the internet to do this with bad intentions

    @RooKay3 @guardian "Hello, I just broke into your house to show you how easily it could be burglarized! You should be thanking me!"

    The Guardian contacted @RooKay3 on Wednesday, three days after her initial tweet, she said, instructing her to DM them. “I've been reaching out to them via twitter and their website for like three-to-four days and now they suddenly care,” she said.

    As of Wednesday night, she said she had heard nothing back.

    “We have contacted the woman concerned and are following up. We are looking into the issue and taking it very seriously,” a Guardian News & Media spokesperson told BuzzFeed News. There is currently no move to remove Riggs from his position.

    BuzzFeed News has reached out to PayPal for comment and a spokesperson said the company is looking into the situation.

    UPDATE: After publication, Jacob Riggs sent a statement to BuzzFeed News defending his actions in attempting to discover the private details of @RooKay3.

    "I find it disappointing to see ethical and lawful efforts to educate others on basic security practices so easily skewed, but I realise this can sometimes happen when dealing with non-technical audiences.

    I'm a long-term supporter of those that wish to remain anonymous, but to participate in any social media today with an expectation you're not at risk of inadvertently compromising your identity is a cartoonish description of reality.

    OPSEC is a common object of study in the security field and I don't believe security professionals that discover such vulnerabilities should allow this type of response to deter them from making responsible disclosures in the future. We must all be mindful of what information we volunteer online, and I believe sharing our experience in this way contributes significant value to protecting others."