Last Tuesday, the D.C. Circuit ruled in Doe v. Ethiopia that Ethiopia cannot be sued in U.S. court for allegedly hacking the computer of a political dissident living in Maryland. The unanimous decision affirmed the district court’s dismissal for lack of subject-matter jurisdiction. Writing for a three-judge panel, Judge Karen Henderson held that Ethiopia was entitled to sovereign immunity because the alleged hack was plotted, programmed, and sent from outside the United States.
As explained previously on this site, Doe—proceeding under the pseudonym “Kidane”—sued the Federal Republic of Ethiopia in 2014 for allegedly infecting his computer with spyware that tracked his activities. The Foreign Sovereign Immunities Act (FSIA) usually exempts foreign states from suit in U.S. courts, but Doe argued the courts had jurisdiction in this case under an exception in the FSIA for noncommercial torts occurring within the United States.
The court rejected Kidane’s argument. Under circuit precedent, plaintiffs seeking to invoke the noncommercial-tort exception need to show that the entire tort occurred in the United States. Because “at least a portion of Ethiopia’s alleged tort occurred abroad,” the noncommercial-tort exception did not apply, and Ethiopia was entitled to sovereign immunity.
In deciding whether the tort took place abroad, the court looked to the elements underlying Kidane’s claims. Kidane had alleged that Ethiopia violated Maryland’s intrusion-upon-seclusion tort, as well as the federal Wiretap Act. Judge Henderson noted that intent constitutes a threshold element of both causes of action. Because the “tortious intent aimed at Kidane plainly lay abroad,” the entire tort could not have occurred in the United States, and the foreign state was entitled to sovereign immunity.
The court’s opinion did not address when, if ever, a foreign-directed hack could take place solely within the United States. But Judge Henderson’s opinion indicates that it may be difficult for hacking victims to convince courts that they have jurisdiction over foreign-directed hacks. The court mentioned that “the tortious acts of computer programming likewise occurred abroad” and that the infected e-mail “began outside the United States.” Under this logic, even torts not requiring intent will be outside U.S. jurisdiction, so long as the computer code was created or sent from abroad.
The Electronic Frontier Foundation (EFF), which represented Kidane, criticized the court’s logic in a statement issued after the decision: “Under [the decision], you have no recourse under law if a foreign government that hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil.” In light of Doe, hacking victims may have to allege that the infected computer code was written in the United States and the infection was directed from the United States to invoke the FSIA’s noncommercial-tort exception. And, logically, such hacks are unlikely to be directed by foreign states.
The decision in Doe will certainly limit the ability of hacking victims to bring civil suits against foreign states irrespective of the merits. As a result, victims of state-sponsored hacks may have to rely solely on their own government for redress.