A lawsuit being heard by the US Court of Appeals for the District of Columbia Circuit seeks to answer the question of whether foreign governments can hack Americans with impunity. In the case of Kidane v. Ethiopia, lawyers for the Electronic Frontier Foundation (EFF) and the law firm of Jones Day and Robins Kaplan are representing a man from Maryland, who is going by the pseudonym of Mr. Kidane, in a lawsuit where Mr. Kidane alleges the government of Ethiopia infected his computer with spyware.
The lawsuit alleges that the secret malware, known as FinSpy, allowed the government of Ethiopia to conduct wiretaps on his Skype calls and monitor everything he and his family did on the computer for a period that lasted months. The court has allowed the man to use a pseudonym that he had used in the Ethiopian community, because the Ethiopian government has a history of punishing the family members of people who dare to oppose it. Mr. Kidane was born in Ethiopia and moved to the United States 20 years ago, where he sought asylum and became an American citizen.
Kidane became infected with the spyware after he opened a Word document that was sent to him by agents of the Ethiopian government. After opening the document, FinSpy was secretly downloaded onto his computer from a server with an IP address located in Ethiopia. All activities, including Skype calls, keystrokes, passwords, e-mails, chats, and web browsing was monitored, recorded, and uploaded to a command and control server with an IP address located in Ethiopia and controlled by the Ethiopian government. FinSpy is developed and marketed by FinFisher, formerly known as Gamma International, a company based in the United Kingdom. It is part of a line of “IT intrusion” software made by FinFisher, which are only sold to government agencies. Their software is frequently used to spy on activists around the world.
Kidane continues his lawsuit, which is being appealed. Recently, attorneys for Mr. Kidane argued before a 3 judge panel that the lawsuit should be allowed to continue. Under the Foreign Sovereign Immunities Act, foreign governments are only liable for acts committed within the United States. Kidane’s attorneys argued that his computer was located in Maryland and remained there the entire time it was being spied upon. Attorneys for Ethiopia argued that they should not be held liable because they did not have a human agent who was physically located within the United States. One of the judges on the panel asked the attorneys representing Ethiopia if they believed that they could be held liable for mailing a letter bomb to the United States, or for remotely hacking a self driving car in the United States and causing it to crash. The attorneys for Ethiopia responded to the judge’s question by saying that they believed they could not be sued for such actions.
Kidane was spied on from at least late October of 2012 until March of 2013. The lawsuit was originally filed in February of 2014. Previously in the case, a federal court ruled that foreign governments could not be held liable for wiretapping American citizens within the United States. The DC Circuit Court is expected to rule on the appeal within a few months.