An appeals court has barred an Ethiopian-born U.S. citizen from filing a civil suit against the African country, which allegedly infected his computer with spyware and monitored his communications.
The U.S. Court of Appeals for the District of Columbia Circuit ruled Tuesday that foreign states are immune from suit in a U.S. court unless an exception to the Foreign Sovereign Immunities Act (FSIA) applies.
The person, who is referred to in court documents by the pseudonym Kidane, was born in Ethiopia and lived there for 30 years before seeking asylum in the U.S. He lives in Maryland.
The court declined the exception claimed by Kidane, stating that it would abrogate Ethiopia's immunity only if the “tort” or wrongful act occurred entirely in the U.S. "Kidane, by contrast, alleges a transnational tort," the court said. Ethiopia's placement of the spyware on Kidane's computer, although completed in the U.S. when he opened an infected email attachment, began outside the U.S., it added.
The ruling could have far-reaching consequences as it would in effect deprive U.S. citizens of legal remedy if foreign states decide to hack their devices remotely, as long as the condition that most of the tort was done abroad is met.
The Electronic Frontier Foundation, which is representing Kidane in the case, said Tuesday that the appeals court had held “that foreign governments are free to spy on, injure, or even kill Americans in their own homes--so long as they do so by remote control.”
In late 2012 or early 2013 Kidane's family home computer was allegedly infected by sophisticated spyware, called FinSpy, that was delivered through an attachment to an email that was forwarded to him.
Once his computer had been attacked by the spyware his keystrokes and Skype calls was allegedly captured and then sent to a server controlled by the Ethiopian government, according to the EFF.
The role of FinSpy as a surveillance tool for intelligence and law enforcement agencies has been documented by researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, who listed a number of command and control servers linked to FinSpy, including one in Ethiopia.
The Federal Democratic Republic of Ethiopia had asked the appeals court to uphold a previous order of the District Court for the District of Columbia, stating that U.S. courts lack subject-matter jurisdiction in the case, as the exception to the FSIA did not apply because all of the tort did not occur in the U.S.
“Here, the tortious intent was allegedly formulated in Ethiopia and the tortious acts allegedly took place in Ethiopia," according to a filing by a lawyer for the country.
"The actors who committed the alleged tort, according to Appellant, were operating in Ethiopia, the computer servers were located in Ethiopia, the spyware was maintained in Ethiopia, the commands came from Ethiopia, and, while there is no allegation that Ethiopia ever viewed Appellant’s materials, that viewing would have occurred, if ever, in Ethiopia,” it added.
EFF said it is evaluating its options to challenge the ruling.