With increased recognition of state-sponsored hacking come more questions about the remedy for such invasions. The U.S. government has responded in a number of ways: indicting foreign individuals, “naming and shaming” state sponsors, ordering economic sanctions, or “hacking back.” But there has been less discussion on the options available for the individual victims of state-sponsored computer intrusions.
In John Doe v. Federal Republic of Ethiopia, the D.C. Circuit is asked to evaluate one potential response: bringing a civil action against the state sponsor. The case centers on the Ethiopian government’s alleged hack of an American citizen’s computer in Maryland. On appeal, the court may determine whether the Foreign Sovereign Immunities Act (FSIA) bars Ethiopia from being sued in U.S. federal court. The answer could hinge on whether, under the FSIA, the hack “occurs” solely at the target’s infected computer, as argued by the plaintiff, or in part at the originating computers in foreign territory. Judges Henderson, Wilkins, and Sentelle will hear oral argument on Thursday, February 2.
The hacking target in Doe v. Ethiopia is a U.S. citizen living in Maryland who uses the pseudonym “Kidane” in connection with his activities as an Ethiopian dissident. Kidane was forwarded an email in the fall of 2012 with a Microsoft Word document attached. Opening the attachment caused a program called FinSpy to be surreptitiously downloaded onto his computer. FinSpy, a surveillance product sold to foreign governments, takes emails, passwords, and Skype calls from infected computers and sends them to external “command and control” servers. On March 13, 2013, security researchers at Citizen Lab published a report disclosing how foreign governments—including Ethiopia’s—used FinSpy to spy on political opponents. The report listed known command and control servers, including one in Ethiopia operated by Ethio, the state-run telecommunications company. FinSpy sent recordings of Skype calls and Internet searches from Kidane’s computer to the Ethiopian command and control server.
In February 2014, Kidane, represented by the Electronic Frontier Foundation (EFF), sued Ethiopia in federal district court in Washington, DC. The complaint charged Ethiopia with violating the federal Wiretap Act, as well as the Maryland common-law tort of intrusion upon seclusion. Judge Randolph Moss granted Ethiopia’s motion to dismiss in May 2016. The court first held that private plaintiffs cannot sue foreign states for Wiretap Act violations. Judge Moss next ruled that the FSIA barred Kidane’s state-law claim. The FSIA generally gives foreign states immunity, but contains an exception for non-commercial torts that take place entirely within the United States (such as traffic accidents caused by foreign diplomats). Though Kidane’s injury—the recording of his computer activities—took place in Maryland, “all of the acts by Ethiopia or its agents that allegedly precipitated the [hack] occurred outside of the United States,” depriving the court of jurisdiction over Ethiopia.
On appeal, Kidane and the EFF argue that the relevant acts took place entirely within U.S. borders, relying on the D.C. Circuit’s 2014 decision in Jerez v. Republic of Cuba. Jerez alleged that he was purposefully injected with the hepatitis C virus while imprisoned in Cuba. Though the virus spread throughout Jerez’s body while he was in the United States, the court ruled that the “infliction of injury on Jerez occurred entirely in Cuba.” In dicta, the Jerez court hypothesized that a foreign government that mailed an anthrax package to the United States would be denied immunity under the FSIA, as any infection would take place entirely within American borders. To Kidane, the infected email is like the hypothetical anthrax package: though sent from abroad, it only caused injury within U.S. borders. And once FinSpy was downloaded, it automatically sent Kidane’s information to the command and control server, without any additional steps by Ethiopian actors.
Ethiopia frames the alleged hack as an action that took place mostly abroad. Both parties agree that the hackers never set foot in the United States: to Ethiopia, the hackers’ keystrokes at a computer in Ethiopia caused the injury. In their brief, the lawyers representing Ethiopia describe what happened in Maryland as the “results or effects of Ethiopia’s acts.”
In an amicus brief, a group of three United Nations special rapporteurs argue that giving federal courts jurisdiction over Kidane’s claim would enable the U.S. to meet its commitments under the International Covenant on Civil and Political Rights (ICCPR). Because Ethiopia allegedly violated rights guaranteed in the ICCPR—such as Kidane’s right to freedom of opinion and privacy—the special rapporteurs urge the United States to allow suit to substantiate the purpose of the treaty. Ethiopia responds with an international law argument of its own: declining to exercise jurisdiction would keep U.S. courts in line with their foreign counterparts. Both the European Convention on State Immunity and the U.N. Convention on Jurisdictional Immunities of States and Their Property require the actor causing injury to be physically present in the territory of the state seeking to exercise jurisdiction. Though a “physical-presence” test is absent from the text of the FSIA, Ethiopia encourages the D.C. Circuit to adopt a position consonant with other sovereigns.
Doe v. Ethiopia represents the latest attempt to apply a territorial-based jurisdictional framework to the contemporary technological landscape. When computers and data can be accessed across borders, location becomes increasingly fluid. In his brief, Kidane frames the Second Circuit’s decision in Microsoft v. United States as part of an emerging consensus that “remote intrusions occur at the location of the trespassed device or data.” In the Microsoft case, the government downplayed the extraterritoriality of seizing electronic data stored in Ireland, as Microsoft technicians could obtain the data while remaining in the United States. The Second Circuit rejected this argument, highlighting the fact that the data itself was in Ireland and “within the jurisdiction of a foreign sovereign.” Insulating foreign nations from liability for state-sponsored hacks would cast doubt on the existence of any post-Microsoft consensus, and remove a bow from the quiver of the individual victims of cyberwarfare.