Earlier this week, EFF told the U.S. District Court for the District of Columbia that Ethiopia must be held accountable for its illegal wiretapping of an American citizen. Foreign governments simply do not have a get-out-of-court-free card when they commit serious felonies in America against Americans. This case is the centerpiece of our U.S. legal efforts to combat state sponsored malware.
In February 2014, EFF filed suit against the Federal Democratic Republic of Ethiopia on behalf of our client, Mr. Kidane, an Ethiopian by birth who has been a U.S. citizen over a decade. Mr. Kidane discovered traces of Gamma International's FinSpy, a sophisticated spyware product which its maker claims is sold exclusively to governments and law enforcement, on his laptop at his home in suburban Maryland. A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his web and email usage. The monitoring, which violates both the federal Wiretap Act and Maryland state law, was accomplished using spyware that captured his activities and then reported them back to a command and control server in Ethiopia controlled by the government. The infection was active from October 2012, through March 2013, and was stopped just days after researchers at the University of Toronto’s Citizen Lab released a report exposing Ethiopia's use of use of FinSpy. The report specifically referenced the very IP address of the Ethiopian government server responsible for the command and control of the spyware on Mr. Kidane’s laptop.
The Ethiopian government responded to the suit with the troubling claim that it—and every other foreign government—should be completely immune from suit for wiretapping American citizens on American soil. Ethiopia’s filing rests on several logic-challenged premises. Ethiopia claims that the recording of Mr. Kidane’s Skype calls and Internet activity at his home in Maryland actually took place in Ethiopia, and is therefore beyond the reach of any U.S. court. Worse still, Ethiopia claims that it had the "discretion" to violate U.S. law, reducing the Wiretap Act to something more like a traffic violation than a serious felony. Interestingly, Ethiopia does not actually deny that it wiretapped Mr. Kidane.
Yesterday, EFF and its co-counsel at Robins, Kaplan, Miller & Ciresi, filed a response knocking down each of Ethiopia’s arguments, noting that not even the U.S. government is allowed to do what Ethiopia claims it had the right to do here: wiretap Americans in America with no legal process whatsoever. We argue that Ethiopia must be held accountable for wiretapping Mr. Kidane, just as any other actor would be. Neither its status as a government nor the fact that it launched its attack on Mr. Kidane from Ethiopia gives it carte blanche to ignore the law. If Ethiopia legitimately needed to collect information about Americans for an investigation, it could negotiate a deal with the U.S., called a Mutual Legal Assistance Treaty, which would allow it to seek U.S. assistance for something like a wiretap. Otherwise, there simply is no “international spying” exception to the law for foreign governments, nor should there be. When sovereign governments act, especially when they invade the privacy of ordinary people, they must do so within the bounds of the law. And when foreign governments break U.S. law, U.S. courts have the power to hold them accountable.
This is the next step in what we hope will set an important precedent in the U.S., fighting back against the growing problem of state-sponsored malware. No matter what one thinks about the NSA spying on Americans inside the U.S. (of course EFF believes that this has gone way far too), it should be easy to see that foreign governments—be they Ethiopia, China, or as EFF itself experienced Vietnam—do not and should not have that right.