DC Appeals Court Says You Have No Recourse If Hacked By A Foreign Government

March 18, 2017 CyberCecurity Leave a comment

A U.S. citizen of Ethiopian heritage was hacked a few years ago by the Ethiopian government here in the U.S. The victim, who goes by the pseudonym of Mr. Kidane to protect his family here and in Ethiopia, is being represented by the EFF, the Jones Day law firm and the law firm Robins Kaplan.

Mr. Kidane lives in Maryland and came to the U.S. 20 years ago, first getting asylum and then citizenship. He is a critic of the Ethiopian government and, as a result, according to court documents, the Ethiopian government hacked his computer and monitored his communications.

He filed suit against the Ethiopian government in 2014 and the case was dismissed.

This month, the DC Circuit Court of Appeals upheld the lower court’s dismissal. The logic is interesting and affects anyone that a foreign government is interested in.

In 1976 Congress passed and President Ford signed a bill called the Foreign Sovereigns Immunities Act. The idea was to stop people from suing foreign governments in U.S. courts for things those governments did to U.S. citizens with certain exceptions.

Without going into a lot of detail, the act defines the situations when a foreign country is immune and those exceptions when it is not immune. Sovereign immunity is not new; in fact, the origins of it go back to the 1800s.

Recent laws such as the Defense Appropriations Act of 2014 add a couple of more exceptions such as terrorism committed in the U.S., torture and extrajudicial killings, but, for the most part, governments are immune.

In this particular case, the appeals court reasoned that since this plot to hack Mr. Kidane was plotted in Ethiopia and also carried out from Ethiopia, and it doesn’t fall into one of the exceptions, sovereign immunity applies.

How far this extends is not completely clear to me, but it would seem that if, for example, the Chinese hacked your computer, broke into your brokerage account and stole all your money, you have no right to go after them if the hacked your from China.

The EFF suggested that if the Russians wanted to do you in and hacked your car and drive it off the road (although this might fit into the exception of extrajudicial killings if you wind up dead – but not if you were only injured), targets you for a drone strike or sends a virus to your pacemaker, you couldn’t go after them unless you were dead and even then, only if the killing was deemed extrajudicial.

Another scenario is that if a foreign government hacks into your computer from overseas and steals your money or your intellectual property, you might not have any recourse against them. In the case of bank accounts for INDIVIDUALS but not for BUSINESSES, there certain laws (such as Check 21) that protects you if your money is stolen, but that just makes the bank eat the loss and not the person who committed the crime. There are no laws that I am aware of that make you whole if someone steals your information . Normally, your recourse is to sue them. If you win and are entitled to collect damages, you can TRY to collect those damages. This process could go on for years and maybe even decades and the odds of you seeing any money may be very low.

I speculate that this law – the FSIA – is quid pro quo because our government does not want to be sued in some court in an unfriendly foreign country and wind up having our assets frozen and/or seized. While the FSIA does not provide legal cover for our government, it certainly provides a basis for us to request similar protections from other governments.

In 1976 when this bill was signed, the concept of hacking me and stealing my money, information or just eavesdropping on my mail and phone conversations from the other side of the globe was the stuff of science fiction, but a lot has changed in 40 years. Now, the ability for a foreign government to hack you from half way around the globe and never set foot in the U.S. is pretty easy.

In some cases (like your personal bank account), you may be able to get recourse from a third party who is also a victim (like your bank), but in many other cases, you may have no recourse at all. Typically, insurance policies do not consider sovereign immunity as an exclusion, so IF you have an insurance policy that covers the particular situation, your insurance company may have to pay.

On the other hand, insurance policies have exclusions such as acts of terrorism, so that might not provide you any coverage either.

It sounds like the best bet is to work hard to keep the bad guys out and failing that, to detect it quickly if they do get in. Not a great situation.

Information for this post came from Network World and Wikipedia.