Case of the Day: Doe v. Ethiopia
Posted on June 16, 2016
The case of the day is Doe v. Federal Democratic Republic of Ethiopia (D.D.C. 2016). The plaintiff, who sued using a pseudonym, was an Ethiopian who had been given political asylum in the US in the 1990s and who was now a US citizen. He alleged that he was an activist in the Ethiopian community, and that the Ethiopian government engaged in electronic surveillance against him and others. The details of the alleged surveillance, as summarized by the court, are interesting. Doe alleged that his personal computer at home had been infected with “FinSpy.”
FinSpy is “a system for monitoring and gathering information from electronic devices, including computers and mobile phones, without the knowledge of the device’s user.” It is allegedly “sold exclusively to government agencies and is not available to the general public.” Kidane [Doe’s pseudonym] attributes the FinSpy infection of his computer to an email “sent by or on behalf of Ethiopia that was thereafter forwarded to” him by a third party. The complaint does not state where the original third-party recipient was located; Ethiopia argues, however, that the content of the email, which is appended to the complaint, suggests that the original recipient may have resided in London. In any event, Kidane does not allege or argue that Ethiopia sent the email directly to him or to anyone else located in the United States.
The email contained a Trojan Horse attachment that “trick[ed]” Kidane into opening it, “caus[ing] a clandestine client program to be surreptitiously downloaded onto his computer,” and resulting in the installation of the FinSpy software, id. The FinSpy software allegedly “took what amounts to complete control over the operating system” of his computer. …
Kidane further alleges that the FinSpy software installed on his computer communicated with a computer server located in Ethiopia. As explained in the complaint and attached exhibits, computers that have been infected with the FinSpy software typically communicate with a designated “FinSpy Master” server via a “FinSpy Relay.” The “FinSpy Master” determines whether, under the applicable FinSpy license terms, a given copy of the software will be activated. Once the software is activated, the FinSpy Master “sends commands to [the] infected device[ ] and receives gathered information” from that device. According to a report attached to the complaint, “a recently acquired [FinSpy] malware sample” shows that the malware has used “images of members of the Ethiopian opposition group, Ginbot 7, as bait, and that it has communicated with a FinSpy Command & Control server in Ethiopia.” In particular, the malware communications “can be found in [an] address block run by Ethio Telecom, Ethiopia’s state owned telecommunications provider.” Kidane alleges that “the FinSpy Relay and FinSpy Master servers with which [his] computer in Maryland was controlled are located inside Ethiopia and controlled by Defendant Ethiopia,” and that the FinSpy installation “took instructions from a FinSpy relay controlled by Defendant Ethiopia.” He further alleges that FinSpy, but not all of the distinct trace files, “appears to have been removed” from his computer just five days after the publication of a report that disclosed “the technical details of the FinSpy Relay” used by Ethiopia.
The claims were for violations of the Wiretap Act and for a privacy tort at common law. Ethiopia moved to dismiss for lack of jurisdiction, citing the FSIA, and also moved to dismiss the Wiretap Act claim on the grounds that the statute did not provide a cause of action against a foreign state. Although the court invited the United States to give its views, the government declined at the present stage of the case.
The court decided the statutory question about the Wiretap Act first. The statute makes it illegal for “any person” to intercept certain communications, and as we know from some § 1782 cases, the word “person” in a statute is not construed to include the sovereign. There were some additional wrinkles, which I won’t go into, but the bottom line is as I just stated: because the relevant statute applies to “persons,” it did not reach Ethiopia’s alleged conduct.
The court still had to address the FSIA argument, because Kidane had also alleged a common law tort claim. The relevant exception to FSIA immunity was the non-commercial tort exception, 28 U.S.C. § 1605(a)(5), which applies to actions “in which money damages are sought against a foreign state for personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of that foreign state or of any official or employee of that foreign state while acting within the scope of his office or employment.” The most interesting question was whether the tort “occurred in the United States.” Under the precedents, the entire tort must occur in the United States. There was no question that the injury occurred in the United States. But Ethiopia argued that the other aspects of the tort occurred in Ethiopia, where the servers were located, the spyware was maintained, the private material was reviewed, and the hackers did their thing. Kidane argued that the installation of the spyware and the interception of the communications occurred in the United States.
While the court thought the question was close, it ultimately sided with Ethiopia. This is somewhat surprising to me. Suppose it were 1982 and instead of hackers in Ethiopia, we were considering our favorite Soviet spies, Phillip and Elizabeth Jennings. They stealthily break into a dissident emigré’s apartment and copy his private diary from his IBM PC onto a floppy disk, which they spirit back to the Center via the diplomatic bag. Then there would be no question that all the elements of the tort would have occurred within the United States. Does the change in the technological mechanics of how the theft of private information was accomplished matter? Should it? I am not so sure.
Interestingly, the court held that the “discretionary function” exception to the non-commercial tort exception does not apply, because it cannot shield illegal conduct, and there is no question that if Ethiopia did what is alleged, someone committed a serious violation of federal criminal law. So if the case is appealed, it’s possible that the court’s view on the location of the tort may turn out to be dispositive. Stay tuned.