Nation-state hacking is fashionable: everyone is doing it,1 and everyone wants a say in its regulation.2 Recently, in Doe v. Federal Democratic Republic of Ethiopia,3 the D.C. Circuit turned back an effort to hold an intelligence service accountable in tort for one of its intrusions. Confronted with a claim that Ethiopia had deployed malware to monitor a Maryland resident’s home computer, the court found the suit barred by the Foreign Sovereign Immunities Act of 19764 (FSIA), which provides “the sole basis for obtaining jurisdiction over a foreign state” in American courts.5 The court squarely rejected the plaintiff’s effort to invoke in a novel context one of the Act’s few limits on immunity, the noncommercial tort exception.6 That caveat governs all cases of “personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of [a] foreign state,”7 though it was drafted with diplomats’ traffic accidents foremost in mind.8 To an extent, then, the instinct to deny recovery makes good sense; tort is not a counterintelligence regime, and suits like Doe are awkward vehicles for espionage anxieties. But the panel’s framework — a cramped understanding of whether the tort occurred in the United States — is an awkward fit in its own right. Doe’s spatial analysis is tangled, squares poorly with the text and purpose of the FSIA, and marks a significant twist on precedent. When facing new spying suits, other circuits looking to dismiss should look for other tools.
Kidane (a pseudonym, used here and throughout the suit9) was born in Ethiopia but found asylum in the United States in the 1990s.10 From his Maryland home, he apparently drew the attention of Ethiopian intelligence by dint of his support for human rights activists in the diaspora.11 Among the human rights abuses of which Ethiopia is commonly accused: extralegal surveillance.12 From late 2012 through spring 2013, Ethiopia allegedly monitored Kidane via a commercial spyware application — FinSpy — that had infected his home computer.13 The program had been delivered in an email forwarded to Kidane, though the message’s exact point of origin was a question that remained unclear throughout the litigation.14 A 2013 investigation by the University of Toronto’s Citizen Lab revealed, however, that the instance of FinSpy on Kidane’s device was communicating with a server in Ethiopia.15
Discovering as much, Kidane sued in the U.S. District Court for the District of Columbia, alleging intentional intrusion upon his seclusion — a Maryland tort — and a violation of the Wiretap Act.16 Ethiopia raised as its chief shield the FSIA,17 arguing that Kidane’s claims couldn’t fit through the noncommercial tort exception. The district court agreed and dismissed.18 As Judge Moss explained, the circuit applies the exception only if the “entire tort,” including “not only the injury but also the act precipitating that injury,” took place in the United States.19 Here, Judge Moss reasoned, at least some and possibly all relevant acts took place abroad.20 That decision was backed by a reluctance to disrupt the balance the FSIA strikes between citizens’ redress and international comity,21 to risk discord or even “foreign government retaliation.”22
The D.C. Circuit affirmed,23 though with substantially less focus on questions of novelty or comity. Writing for the panel, Judge Henderson24 held that both of Kidane’s claims flunked the entire-tort test.25 Though the court did not offer a generally applicable account of what constitutes a “tort” for entire-tort purposes, it identified two “integral aspects of the final tort” that fell abroad in Kidane’s case.26 First, the court insisted that “the tortious intent aimed at Kidane,”27 whose exact location it didn’t pin down,28 “plainly lay abroad.”29 Second, the court said, “FinSpy’s initial deployment” occurred abroad.30 The panel didn’t purport to locate this event with precision either, but Kidane had never alleged that the email infected with FinSpy originated in the United States.31
In explaining what made these two points “integral,” the court seemed to suggest a causal inquiry, noting that “[w]ithout the software’s initial dispatch or an intent to spy . . . Ethiopia could not have intruded upon Kidane’s seclusion” or violated the Wiretap Act.32 For the panel, this observation defeated Kidane’s effort to analogize his case to two suits that involved assassins directed from abroad: Liu v. Republic of China33 and Letelier v. Republic of Chile.34 Those cases stood, Kidane had argued, for the proposition that the entire-tort inquiry does not ask where an alleged wrong “was planned, commanded, or directed.”35 But while those suits may have featured some foreign facts, the court stressed, they also “involved actions ‘occurring in the United States’ that were — without reference to any action undertaken abroad — tortious.”36 In other words, the Letelier and Liu complaints would still recount complete wrongs — murders — if every reference to conduct abroad were excised. The allegations in Doe, by comparison, would have narrative holes where wrongful intent and the story of the spyware’s origins should be. Kidane would be left to complain of the bare fact of FinSpy sitting on his computer, siphoning his emails and calls.37
The court was not much taken with Kidane’s argument that this outcome clashed with the FSIA’s legislative history. He had pointed out that Congress considered — but did not for one reason or another adopt — the European Convention on State Immunity’s requirement that “the author of the injury or damage [be] present in that territory at the time” of the tort if immunity is to be abrogated.38 Without per se embracing that requirement itself, the panel disputed whether dismissal was really so dissonant with the intent of the drafters, observing that the “primary purpose” of the exception “was to eliminate a foreign state’s immunity for traffic accidents.”39 The court also noted in a footnote that “when the State Department Legal Adviser was asked whether there was any inconsistency between the European Convention and the FSIA, he responded that . . . there generally was not”;40 Doe leaves a shade unclear whether the court would adopt that suggestion wholesale. Ultimately, where the district court had seen a “close”41 and original42 question, the D.C. Circuit thought its own concise findings “unsurprising.”43
Even if sound intuition called for dismissal, though, the court’s nonchalance is too pat. Doe’s reasoning has significant internal tensions and, more to the point, creates tension with the text and aims of the FSIA. The intent requirement is a departure from precedent, one the court fails to justify; the panel’s analysis of the scope of the entire tort lacks a clear limiting principle; and its innovations on both points implicate questions of foreign relations better addressed by the political branches.
Consider first the court’s analysis of intent. Though Ethiopia had certainly argued that its alleged tortious intent was formulated abroad,44 the parties might justifiably have been surprised to see the court rest its holding on that point. The alleged situs of intent figured in none of the circuit’s entire-tort precedents, nor does the situs of intent appear in the tort exception precedents of other circuits.45 And for good reason. The statutory language doesn’t ask about the tortfeasor’s intent; it requires only an “injury . . . occurring in the United States and caused by the tortious act or omission of [a] foreign state.”46 The idea that intent has a situs at all is somewhat strange on its face.47 If intent is located where intentional acts are located, the requirement is duplicative; if intent is located where intentional tortfeasors are located, Doe’s analysis establishes an actual presence requirement, a significant development that would deserve a clear statement.48 Doe could be read to stand for either of these propositions, in part because neither is convincingly justified.
At minimum, imposing an actual presence requirement requires a more careful study of statutory purpose than Doe undertook. As Judge Moss acknowledged, “Ethiopia’s alleged surveillance would fall squarely within the ‘entire tort’ rule had it sent a ‘flesh-and-blood agent into [Kidane’s] house to install a recording device.’ Technology has simply rendered the human agent obsolete.”49 Given that the rationale for imposing the entire-tort rule turns on congressional intent — the text does not require it50 — it seems appropriate to ask whether Congress meant to attach significance to that distinction. The answer is at least ambiguous. The strongest case in favor would be the one that Ethiopia mounted: international law favors the actual presence requirement,51 and the FSIA was broadly intended to codify international law.52 Of course, this fails to explain the absence of the requirement from the plain text. It bears mentioning, too, that Congress recently chose to challenge the international law of immunity on just this point. Passed over fierce objections from scholars53 and the executive branch,54 the Justice Against Sponsors of Terrorism Act55 (JASTA) rejects any requirement that suits within its reach allege even one domestic tortious act.56 Whether that rule is wise or not, such immunity questions — especially one as ambiguous as the actual presence requirement — “inherently involve[] a political judgment”57 better left to a representative branch.
The court’s analysis of the acts that make up the tort has similar problems. As with intent, the panel’s decision to focus on the spyware’s dispatch was made in a precedential vacuum.58 Courts haven’t faced pressure to define an act’s nature or a tort’s scope with specificity: most entire-tort precedents deal with courses of conduct that took place entirely outside the United States.59 But the question has stakes. As the Ninth Circuit recognized in Olsen ex rel. Sheldon v. Government of Mexico,60 defining the scope of an “entire tort” too broadly incentivizes states to dodge suit by pleading collateral acts abroad.61 Such a regime would threaten statutory purpose. It is “hardly likely” that Congress intended the FSIA to immunize, say, letter-bomb campaigns so long as “a country plotting a political murder in the United States were to take steps to ensure that some small part of the wrongful act . . . took place abroad.”62 But Doe suggests such a result obtains in hacking cases, and its framework is vague enough that it may undermine the inquiry elsewhere.
After all, the D.C. Circuit’s designated “precipitating act” is fairly remote from the alleged injury. The court’s emphasis on the spyware’s transmission would do more to limit the scope of the analysis if the infected email had been sent directly to Kidane; instead, it was delivered via a third party whose role none involved seemed to fully understand.63 Similarly, it might have been easy enough to identify a unique precipitating act if a keystroke in Ethiopia were required to intercept Kidane’s communications after infection. Here, though, FinSpy operated automatically after taking root,64 and the court seems to have been reluctant to characterize FinSpy’s operations as “acts” attributable to Ethiopia.65 Future courts are left to guess what standard Doe applied in choosing to incorporate transmission into the “entire tort.” Was it the proximate cause?66 A but-for cause? The last significant act?67 Kidane, for his part, argued in his petition for rehearing en banc that Doe had expanded the entire-tort inquiry to embrace “merely preparatory acts.”68 In that light, the entire-tort rule, as elaborated in Doe, threatens to become overstrong medicine in the effort to foreclose antihacking suits.
None of this is to say foreclosing recovery would be unwise. Abrogating immunity may well pose diplomatic risks and would certainly constrain the United States in any effort to set international norms on hacking. After all, the FSIA is meant to play a harmonizing function, “to subject foreign states that commit torts in the United States to the same rules of immunity applied against the United States abroad.”69 And as one of Kidane’s attorneys acknowledged, “[e]ven if such claims do not directly implicate the legality of U.S. surveillance, they may risk exposing the United States to reciprocal treatment in the courts of foreign countries.”70 The United States would hardly favor a global rule of no-immunity for an activity in which it engages with at least as much enthusiasm — and often more — than any other state.71 Nor is hacking for intelligence or law enforcement ends so obviously wrongful that the United States should lend its courts’ weight to stigmatizing the habit.72
Contra suggestions that Congress should smooth the way for spying suits,73 then, lawmakers might want to block such claims more clearly than the entire-tort rule does. But certainly other circuits, in light of the strain Doe places on the noncommercial tort exception, should be wary of embracing its approach to the inquiry. There may well be better tools if courts hope to exclude these suits; Kidane for one seemed concerned that the political question and act of state doctrines had underpinned the district court’s reasoning.74 Ultimately, though, whether or not these approaches would shut the door to hacking suits, and whether or not abrogating immunity here might have consequences not anticipated by the lawmakers who drafted the FSIA, Congress “did not confer common law authority on the courts to adjust the rules of foreign sovereign immunity to new and unanticipated events that might arise.”75 In stretching the (already judge-made) entire-tort rule to new lengths, Doe highlights the thickets into which those adjustments can plunge the courts.