Case of the Day: Doe v. Ethiopia
Posted on March 21, 2017
The case of the day is Doe v. Federal Democratic Republic of Ethopia (D.C. Cir. 2017). This is the appeal from a case of the day from June 2016. Here was my statement of the facts from then:
The plaintiff, who sued using a pseudonym, was an Ethiopian who had been given political asylum in the US in the 1990s and who was now a US citizen. He alleged that he was an activist in the Ethiopian community, and that the Ethiopian government engaged in electronic surveillance against him and others. The details of the alleged surveillance, as summarized by the court, are interesting. Doe alleged that his personal computer at home had been infected with “FinSpy.”
FinSpy is “a system for monitoring and gathering information from electronic devices, including computers and mobile phones, without the knowledge of the device’s user.” It is allegedly “sold exclusively to government agencies and is not available to the general public.” Kidane [Doe’s pseudonym] attributes the FinSpy infection of his computer to an email “sent by or on behalf of Ethiopia that was thereafter forwarded to” him by a third party. The complaint does not state where the original third-party recipient was located; Ethiopia argues, however, that the content of the email, which is appended to the complaint, suggests that the original recipient may have resided in London. In any event, Kidane does not allege or argue that Ethiopia sent the email directly to him or to anyone else located in the United States.
The email contained a Trojan Horse attachment that “trick[ed]” Kidane into opening it, “caus[ing] a clandestine client program to be surreptitiously downloaded onto his computer,” and resulting in the installation of the FinSpy software, id. The FinSpy software allegedly “took what amounts to complete control over the operating system” of his computer. …
Kidane further alleges that the FinSpy software installed on his computer communicated with a computer server located in Ethiopia. As explained in the complaint and attached exhibits, computers that have been infected with the FinSpy software typically communicate with a designated “FinSpy Master” server via a “FinSpy Relay.” The “FinSpy Master” determines whether, under the applicable FinSpy license terms, a given copy of the software will be activated. Once the software is activated, the FinSpy Master “sends commands to [the] infected device[ ] and receives gathered information” from that device. According to a report attached to the complaint, “a recently acquired [FinSpy] malware sample” shows that the malware has used “images of members of the Ethiopian opposition group, Ginbot 7, as bait, and that it has communicated with a FinSpy Command & Control server in Ethiopia.” In particular, the malware communications “can be found in [an] address block run by Ethio Telecom, Ethiopia’s state owned telecommunications provider.” Kidane alleges that “the FinSpy Relay and FinSpy Master servers with which [his] computer in Maryland was controlled are located inside Ethiopia and controlled by Defendant Ethiopia,” and that the FinSpy installation “took instructions from a FinSpy relay controlled by Defendant Ethiopia.” He further alleges that FinSpy, but not all of the distinct trace files, “appears to have been removed” from his computer just five days after the publication of a report that disclosed “the technical details of the FinSpy Relay” used by Ethiopia.
The claims were for violations of the Wiretap Act and for a privacy tort at common law.
The district court had dismissed the case, holding that the domestic tort exception to FSIA immunity did not apply and therefore that the court lacked subject-matter jurisdiction. In today’s decision, the DC Circuit affirmed.
In Jerez v. Republic of Cuba, 775 F.3d 419 (D.C. Cir. 2014), the court had held that Cuba was immune from suit in a claim where the plaintiff alleged he had been injected with hepatitis C in Cuba; the court rejected the plaintiff’s far-fetched theory that a new tort occurred each time the virus replicated in his body and that the tort thus took place in the United States. But the Jerez court, in dicta, had noted that the case would have been different if the Cuban government had, say, mailed a package of anthrax to the United States and the plaintiff had been injured after receiving the package. In today’s case, the court had to confront the dictum. It focused on the holding of Jerez, which was that for the non-commerical tort exception to apply, the entire tort must take place in the United States. Here, at least part of the tort occurred in Ethiopia. The tort is intrusion on seclusion. It’s an intentional tort, and one of the elements of the tort is, therefore intent. The intent, at least, existed and occurred outside the United States. The malware was also “dispatched” from abroad. Since the entirety of the tort did not occur in the United States, Kidane could not prevail.
I should say that my criticism of the decision, from the prior post, still holds:
Suppose it were 1982 and instead of hackers in Ethiopa, we were considering our favorite Soviet spies, Phillip and Elizabeth Jennings. They stealthily break in to a dissident emigré’s apartment and copy his private diary from his IBM PC onto a floppy disk, which they spirit back to the Center via the diplomatic bag. Then there would be no question that all the elements of the tort would have occurred within the United States. Does the change in the technological mechanics of how the theft of private information was accomplished matter? Should it? I am not so sure.