If the Russian government breaks into your email, if the Chinese politburo runs off with your identity, or if Ethiopian state-sponsored spies start monitoring your every Skype call -- well, you won't get any help from the court system. On Tuesday, the D.C. Circuit ruled that U.S. courts have no jurisdiction to hear claims against state sponsors of hacking.
The case involves an American-Ethiopian political activist who claimed that the Ethiopian government spied on him through malware, but the implications are far-reaching, according to the Electronic Frontier Foundation. Not only can governments hack your laptop without legal repercussions under the court's logic, they may even get away with hacking into your car or pacemaker or even sending a drone your way.
Can't Sue State Hackers, D.C. Cir. Rules
Sovereign immunity generally protects governments, foreign and domestic, from civil suit. That doctrine is enshrined in the Foreign Sovereign Immunities Act. Under FSIA, U.S. courts can't hear claims against foreign governments unless those claims fall into a few specific exemptions.
In the case before the D.C. Circuit, Kidane v. Ethiopia, an American-Ethiopian advocate of democratic reform claimed that the Ethiopian had tricked him in to installing FinSpy, a malware program that allowed the government to monitor his every keystroke. He sued for violations to the Wiretap Act and Maryland privacy laws, arguing that his case fell in to the FSIA's exemption for noncommercial torts.
But such torts, the D.C. Circuit ruled, must have occurred entirely within the United States.
You can spot the problem here. When dealing with foreign governments and international cyberespionage, it's virtually impossible that such torts will have occurred wholly in the U.S. As the court wrote:
[W]hether in London, Ethiopia or elsewhere, the tortious intent aimed at Kidane plainly lay abroad and the tortious acts of computer programming likewise occurred abroad.
That foreign nexus made it impossible for the court to hear Kidane's claims.
From Malware to Hacked Pacemakers to Targeted Drone Strikes
The court's logic makes virtually any foreign state sponsor of international hacking immune to suit. And it's not just Ethiopian malware that is implicated. The Electronic Freedom Foundation, which represented Kidane (a pseudonym), said that the "stunningly dangerous" ruling puts Americans at risk:
Under [the court's ruling], you have no recourse under law if a foreign government that hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil. It flies in the face of the idea that Americans should always be safe in their homes, and that safety should continue even if they speak out against foreign government activity abroad.
The organization says it's currently considering how best to challenge the ruling.Have an open position at your law firm? Post the job for free on Indeed, or search local candidate resumes.
- You Can't Sue Foreign Governments for Hacking, D.C. Cir. Rules (FindLaw's D.C. Circuit Blog)
- Russian Hacker Targets Top Am Law 100 Law Firms (FindLaw's Technologist)
- 5 Types of Law Firm Data Breaches, From Human Error to Hacktivism (FindLaw's Technologist)
- Online Adultery Leads to Cyber Warfare? (FindLaw's Technologist)
FindLaw has an affiliate relationship with Indeed, earning a small amount of money each time someone uses Indeed's services via FindLaw. FindLaw receives no compensation in exchange for editorial coverage.