Naked Security

Court blocks American from suing Ethiopia over alleged hacking

Activists mull challenge to court's ruling that remote hacking can't be litigated in the US

A court has ruled (PDF) that an American citizen born in Ethiopia can’t sue his birth country for hacking his computer and monitoring him with spyware.

Due to fear of reprisals, the man goes by the pseudonym Kidane. He was granted asylum in the 1990s and has remained active in the Ethiopian community, living in Maryland as he works to raise awareness of corruption and human rights issues.

Kidane had told the court that in late 2012 or early 2013, he opened an attached Word document in a forwarded email that allegedly originated with, or was allegedly sent on behalf of, the Ethiopian government. He claims that the attachment infected his computer with FinSpy, a stealthy spyware sold exclusively to governments.

FinSpy is also known as FinFisher. It’s infamous for being used to spy on dissidents.

According to a 2012 report from the New York Times, the makers of FinSpy – a British company once called Gamma Group that’s now known as FinFisher GmbH – have claimed to sell the monitoring software to governments solely for criminal investigations. But researchers have linked it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain. No government has said they have used it for surveillance purposes.

But as the Electronic Frontier Foundation (EFF) describes it, the plug-in monitoring software is “dual-use”. The NYT quoted the EFF’s Eva Galperin:

If you sell it to a country that obeys the rule of law, they may use it for law enforcement. If you sell it to a country where the rule of law is not so strong, it will be used to monitor journalists and dissidents.

According to the EFF, which is representing Kidane, the copy of FinSpy found in the Word documents on his computer contained a configuration file that pointed to a command-and-control server in Ethiopia: that’s where the surveillance data was being sent.

A later investigation by Citizen Lab – an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto – also discovered a FinSpy executable lurking beneath an image of Ethiopian opposition leaders.

Further evidence pointed to the alleged surveillance being the work of government spies from Ethiopia’s Information Network Security Agency (INSA).

Anti-surveillance and digital rights activists had hoped that Kidane’s case could demonstrate that warrantless wiretapping is illegal and can be the basis of a lawsuit in the United States, regardless of what country engages in it.

As it is, Motherboard points out, if his allegations are true, Kidane is just one of many activists and journalists who’ve been spied on by governments using spyware made by western companies.

Kidane sued the Ethiopian government for the FinSpy infection, for allegedly wiretapping his private Skype calls, and for allegedly monitoring his entire family’s use of the computer over the course of months.

According to the EFF, Kidane, a US citizen, has had all of his activities monitored, with copies of his Skype calls, web searches and web-browsing histories sent to the Ethiopian government, all while he’s been on US soil.

But at this point, it’s looking like his case is not to be the bellwether that some had hoped.

The US Court of Appeals for the District of Columbia Circuit on Tuesday ruled that foreign states are immune from lawsuits in a US court unless an exception to the Foreign Sovereign Immunities Act (FSIA) applies.

Kidane had alleged that the wrongdoing was transnational. The court rejected that as an exception to the FSIA, saying that Ethiopia would still have immunity unless the wrongful act – the “tort” – took place entirely in the US.

From the ruling:

Ethiopia’s placement of the FinSpy virus on Kidane’s computer, although completed in the United States when Kidane opened the infected e-mail attachment, began outside the United States. It thus cannot be said that the entire tort occurred in the United States.

The EFF says it’s mulling a challenge to the ruling. But as it now stands, US citizens have no legal recourse if foreign states hack their devices remotely, as long as they do most of that hacking abroad instead of on US soil.

Motherboard quoted Nate Cardozo, a staff attorney at the EFF:

[The court’s decision] gives foreign governments carte blanche to do whatever they want to Americans in America so long as they do it by remote control.

If a foreign government can send a robot via software or physical [means] into the United States, this opinion gives foreign governments complete immunity for whatever their robots do within the United States.