Digital rights activists sued Ethiopia in what they hoped could become a landmark case against government spyware.
A court of appeals in Washington D.C. ruled that an American citizen can't sue the Ethiopian government for hacking into his computer and monitoring him with spyware.
The decision on Tuesday is a blow to anti-surveillance and digital rights activists who were hoping to establish an important precedent in a widely documented case of illegitimate government-sponsored hacking. Kidane, an Ethiopian dissident, is just one of many cases where governments have used spyware created by Western companies to target activists or journalists.
In late 2012, the Ethiopian government allegedly hacked the victim, an Ethiopian-born man who goes by the pseudonym Kidane for fear for government reprisals. Ethiopian government spies from the Information Network Security Agency (INSA) allegedly used software known as FinSpy to break into Kidane's computer, and secretly record his Skype conversations and steal his emails. FinSpy was made by the infamous FinFisher, a company that has sold malware to several governments around the world, according to researchers at Citizen Lab, a digital watchdog group at the University of Toronto's Munk School of Global Affairs, who studied at the malware that infected Kidane's computer.
"This opinion gives foreign governments complete immunity for whatever their robots do within the United States."
For Kidane's lawyers, the decision sets a dangerous precedent.
"[It] gives foreign governments carte blanche to do whatever they want to Americans in America so long as they do it by remote control," Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, a digital rights group who represented Kidane in this first-of-its-kind lawsuit, told Motherboard.
"If a foreign government can send a robot via software or physical [means] into the United States," Cardozo said, paraphrasing something the EFF director Cindy Cohn said, "this opinion gives foreign governments complete immunity for whatever their robots do within the United States."
The Ethiopian embassy in D.C. did not respond to a request for comment via email.
Read more: The Tragedy of Ethiopia's Internet
The U.S. Court of Appeals for the District of Columbia Circuit ruled that Kidane didn't have jurisdiction to sue the Ethiopian government in the United States. Kidane and his lawyers invoked an exception to the Foreign Sovereign Immunities Act (FSIA), which says foreign governments can be sued in the US as long as the entire tort on which the lawsuit is based occurred on American soil.
According to the court, however, the hacking in this case didn't occur entirely in the US.
"Ethiopia's placement of the FinSpy virus on Kidane's computer, although completed in the United States when Kidane opened the infected email attachment, began outside the United States," the decision read.
For Cardozo and the EFF, the court is simply wrong.
"Our client was in the United States the whole time. What Ethiopia did to my client, they did to him in his living room in Maryland. They didn't do it in Ethiopia, they didn't do it in London. They did it in Maryland," Cardozo said.
Cardozo said that they haven't decided whether to appeal the decision yet. But he said he was "disappointed" because this was "the best case" to challenge the use of spyware by governments given that they had "perfect forensic evidence of exactly what happened, and exactly who did it, and exactly where."
Subscribe to pluspluspodcast , Motherboard's new show about the people and machines that are building our future.