A United States citizen was rebuffed in his efforts to hold the government of Ethiopia legally responsible for his claims that it hacked his computer in his Maryland home. On March 14, 2017, the D.C. Circuit Court of Appeals issued an opinion finding that an individual’s claims against the Federal Democratic Republic of Ethiopia arising out of alleged computer spying were barred by Ethiopia’s sovereign immunity. The plaintiff, “Kidane” (a pseudonym), is now a U.S. citizen, but is an Ethiopian native. He received U.S. asylum in the 1990s and remains active in Ethiopian political issues, maintaining contact with associates who work to increase awareness of corruption and human rights abuse in Ethiopia. He claimed that several years ago he received an email with an attachment, purportedly sent by an acquaintance, but sent on behalf of the Ethiopian government. When Kidane opened the attachment, spyware was installed which monitored the activity of all users of the computer, even those of his ninth grade son. He further claimed that the spyware communicated the information collected back to a server in Ethiopia.
Upon discovering this spyware activity, Kidane filed a suit against Ethiopia asserting claims under the Wiretap Act and an intrusion upon seclusion tort under Maryland law. Ethiopia defended against the claims asserting, among other things, that the court did not have jurisdiction over it under the Foreign Sovereign Immunity Act (FSIA). The FSIA, which generally provides foreign states immunity from jurisdiction, subject to limited exceptions, was the sole basis for obtaining jurisdiction over a foreign state in U.S. courts.
To show that immunity did not exist, Kidane relied on the non-commercial tort exception of the FSIA, which allows a suit involving injury or damages “occurring in the United States and caused by the tortious act or omission” of a foreign state. The court held that the exception did not apply because the entire alleged tort did not take place in the U.S. Because Kidane alleged that many acts, including the tortious programming and the intent to intercept his activity, had occurred outside the U.S., the non-commercial tort exception of the FSIA did not apply and the court lacked jurisdiction.
Interestingly, the District Court also offered a brief discussion of whether Ethiopia’s actions violated criminal law, because Ethiopia offered an alternative argument that its actions were non-actionable as “discretionary functions” under the FSIA. However, the discretionary function protection does not apply to acts which are criminal in nature. The District Court first held that the analysis under this provision is whether the actions were illegal under U.S. law, not foreign law. It then concluded that the allegations in Kidane’s complaint raised the possibility that Ethiopia had violated criminal laws, most notably the Computer Fraud and Abuse Act. Therefore, the discretionary functions provision of the FSIA did not independently shield Ethiopia from suit. The Circuit Court, however, never addressed this issue, having determined that the non-commercial tort exception did not allow Kidane to bring suit in the first place.
This conclusion raises troubling concerns about whether foreign governments will be able to perform digital corporate espionage without fear of reprisal outside of the diplomatic/political arena. However, an important aspect of the Kidane case was that the plaintiff relied on the non-commercial tort exception in the FSIA. There is a separate commercial activity exception that allows claims based upon commercial activity carried on in the U.S. by a foreign government or based upon acts in connection with commercial activity elsewhere but which have a direct effect in the U.S. The D.C. Circuit distinguished the analysis under that exception, noting that it does not require the “entire tort” to have occurred in the U.S., but only that conduct which constitutes the “gravamen” of the suit have occurred here. Therefore, a company which has suffered a theft of intellectual property or other proprietary information by a foreign government via computer intrusion may have a better chance of seeking a remedy in a U.S. court by showing the conduct involved or affected commercial activity in the U.S. Accordingly, the D.C. Circuit’s opinion may turn out to primarily restrict suits by individuals, who will have a harder time showing an effect on commerce. Nonetheless, companies and individuals alike who may be the victim of interference from foreign nations should be aware of courts’ willingness to restrict access to remedies for that interference.