Hacking Immunity: Computer Attacks on U.S. Territory by Foreign Sovereigns
36 Pages Posted: 31 May 2016 Last revised: 15 Jun 2016
Date Written: May 1, 2016
Note: As this paper went to print, the case of Doe v. Ethiopia was pending in the United States District Court for the District of Columbia in front of Judge Randall Moss. It was decided on May 24, 2016 and is likely to be appealed.
Mr. Kidane, a former citizen of Ethiopia, traveled to the United States and sought asylum more than twenty years ago. His government had become increasingly hostile to dissent, and he was afraid to return. He eventually became a naturalized U.S. citizen. He now lives in Maryland. For several years, he has provided technical support to a diaspora group that protests abuses by the Ethiopian government. Because of his activities, the government of Ethiopia allegedly began spying on him — not with agents on the ground, but through his computer.
This paper evaluates the capacity of the American legal system to respond to cross-border computer attacks. Section I provides an overview of the Foreign Sovereign Immunities Act ("FSIA") in the context of hacking. Part A lays out the civil and criminal bases for foreign sovereign immunity. Part B introduces § 1605(a)(5), the "non-commercial tort exception," which is essential to Mr. Kidane's civil claim. Section II examines the two issues that any foreign sovereign hacking claim that proceeds under § 1605(a)(5) will encounter — delimiting the situs of the tort and defining whether the tortfeasor had "discretion" to act. Part A describes the weaknesses of a narrowly construed "whole tort" rule for determining situs and suggests that courts applying such a test exercise flexibility or adopt a more appropriate "territory of intended effect" rule. Part B chronicles the confused jurisprudence on the "discretionary exception" to liability, recommending that international law is the proper place to find clarity and suggesting that domestic courts should look to established practices of other nations in order to remain true to immunity law as articulated by the Supreme Court. Section III considers the many legal tests for situs and "discretion" in the context of Mr. Kidane's claims, concluding that his claims under § 1605(a)(5) should prevail. Even though criminal law is applicable to the conduct of foreign sovereigns only in narrow circumstances, well-established law counsels that sovereigns should not be immune from liability in the United States for cross-border hacking.
Keywords: foreign sovereign immunity; FSIA; hacking; cyberlaw; wiretap; privacy
JEL Classification: K33; K14
Suggested Citation: Suggested Citation