Washington, D.C.—Ethiopia must be held accountable in the United States for an illegal malware and digital spying attack on an American citizen, the Electronic Frontier Foundation (EFF) told a federal appeals court Monday in a case where a foreign government claims it is immune from liability for wiretapping a man’s Skype calls.
Malicious digital surveillance and malware attacks against perceived political opponents, dissidents, and journalists have become all-too-common tactics used by governments with poor human rights records, such as Ethiopia, Kazakhstan, and Vietnam. When foreign governments carry out these digital attacks on Americans in their homes, violating our wiretapping and privacy laws, their victims must be allowed to take them to court, EFF and its co-counsels said in a filing at the U.S. Court of Appeals for the District of Columbia Circuit.
EFF, Robins Kaplan LLP, and Guernica 37: International Justice Chambers represent a Maryland man whose home computer was infected by state-sponsored malware known as FinSpy. The program recorded his private Skype calls, monitored his web searches and emails, and tracked his family’s use of the computer for weeks. Forensic analysis showed the information was surreptitiously sent to a secret server located in Ethiopia and controlled by the Ethiopian government. EFF’s client is an Ethiopian by birth who is a U.S. citizen and has worked with other members of the Ethiopian diaspora. The courts have allowed him to use the pseudonym Mr. Kidane to protect himself and his family from retaliation.
The spying program unleashed on Mr. Kidane was contained in an attachment to a Microsoft Word document that Mr. Kidane inadvertently opened. A government agent in Ethiopia planted the malware on the Word document, but the program to wiretap his conversations resided on his computer in Maryland and automatically began recording, with no one in Ethiopia having to pull the trigger.
The Ethiopian government, which hasn’t denied it wiretapped Mr. Kidane, won dismissal of a 2014 lawsuit after claiming it has immunity because the malware attack was initiated in Ethiopia and thus outside the reach of U.S. courts. It has made the absurd assertion that spyware—marketed to repressive regimes by companies like Gamma International and Hacking Team—gives countries the ability to invade Americans’ homes, wiretap their conversations, violate their privacy, and face no consequences.
“The court’s decision is out of step with the times and completely ignores how other laws treat computer attacks, allowing a prosecution or lawsuit to be brought where the attacked computer is. The appeals court should overturn this ruling and let Mr. Kidane have his day in court,” said EFF Executive Director Cindy Cohn, “Cybersecurity is one of the most important issues of our time, and when foreign governments invade Americans’ privacy, just as with foreign-based criminals, our laws must let victims like Mr. Kidane go to court to hold them accountable.”
If a foreign state’s agent had placed a recording device in Mr. Kidane’s home or on his telephone line, Mr. Kidane could indisputably sue the government in U.S. courts, said EFF Senior Staff Attorney Nate Cardozo. The fact that Ethiopia used software instead of a person to launch a wiretap attack against Kidane in no way allows the country to evade legal liability.
“Today, all governments have to do to illegally spy on people is purchase the right software,’’ said Cardozo. “The D.C. Circuit should recognize that the malware in this case took the place of a human spy, and reinstate Mr. Kidane’s lawsuit.”
“Giving Ethiopia immunity for state-sponsored hacking would strip away one of the few protections Americans have against cyberattacks by foreign powers,” said Scott Gilmore, counsel at Guernica 37. “The invasion of our client’s home, through his computer, could happen to any of us. We all should have the right to seek justice.”