Russian hackers, Chinese cyberterrorists, Ethiopian malware -- if you're a victim of any of state-sponsored hacking, you may be out of luck. Individuals who accuse foreign governments of hacking have virtually no access to the federal courts, the D.C. Circuit ruled on Tuesday. That's because the Foreign Sovereign Immunities Act prevents suits against other nations, and its exception for noncommercial torts doesn't apply to hacking organized from abroad, the court explained.
The ruling is a "dangerous decision for cybersecurity," critics claim.
Ethiopian Cyberspies and the FSIA
The case, Kidane v. Ethiopia, involves a U.S. citizen who was born in Ethiopia. The man, suing under the pseudonym of "Kidane," alleges that he was tricked into downloading malware, FinSpy, that sent every keystroke he made and every Skype session he participated in over to the Ethiopian government.
Kidane sued for violations of the Wiretap Act and for the Maryland common law tort of intrusion upon seclusion. But the FSIA presents an insurmountable roadblock to his suit, the D.C. Circuit ruled. That act provides the "sole basis for obtaining jurisdiction over a foreign state" in U.S. courts, and includes a blanket prohibition against suing foreign governments. The only way around that prohibition is to fall into one of the act's few exceptions.
Kidane argued that his suit met the exception for noncommercial torts. Under that exception, sovereign immunity is abrogated for torts involving personal injury, death, and property damage or destruction. But, those torts must occur in the United States.
"The phrase 'occurring in the United States' is no mere surplusage," the D.C. Circuit explained. That requires that the entirety of the tort occur in the U.S. That was fatal to Kidane's claims, since Maryland's intrusion upon seclusion law requires intent to intrude.
"[W]hether in London, Ethiopia or elsewhere," the court wrote, "the tortious intent aimed at Kidane plainly lay abroad and the tortious acts of computer programming likewise occurred abroad." Even the spyware, though it was downloaded in the United States, originated extraterritorially.
For the same reasons, Kidane's Wiretap Act claims could not stand either, the court concluded.
Carte Blanche for Digital Espionage, Even Murder?
Under the ruling, virtually any suit against foreign governments over hacking is bound to fail, as even the slightest extraterritorial connection would prove fatal.
The D.C. Circuit's ruling was strongly denounced by the Electronic Frontier Foundation, the digital rights nonprofit who had represented Kidane. Describing the ruling as "stunningly dangerous," the group said it left victims of state cyberattacks with "no recourse under law".
The court's logic doesn't stop at spyware either, the EFF said. It would leave victims helpless "if a foreign government that hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil." The group is currently evaluating whether to challenge the ruling.