Under the Foreign Sovereign Immunities Act, Where Do Hacking Torts Happen?

The Democratic National Committee’s lawsuit against the Russian Federation will run aground, as Ingrid Wuerth notes, unless the DNC can find a way around Russia’s immunity in American courts. In that respect, the suit raises a question on which precedent remains thin: whether allegations of state-sponsored hacking can fit through the Foreign Sovereign Immunities Act exception for cases that involve “personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of the foreign state.”

That provision, the noncommercial tort exception, was written primarily to address traffic accidents, as the Supreme Court noted in Argentine Republic v. Amerada Hess. Very few plaintiffs have attempted to invoke it in challenges to nation-state spying, and the case most squarely on point—the D.C. Circuit’s 2017 decision in Doe v. Federal Democratic Republic of Ethiopia—suggests that the DNC will face an uphill battle. But as I recently argued in a case comment for the Harvard Law Review, and as this post summarizes, there are reasons for the Southern District of New York to think carefully before following Doe.

The “Entire Tort” Rule

The suggestion that the DNC might struggle to maneuver its case through the noncommercial tort exception might, looking to statutory text alone, seem surprising. The DNC certainly suffered injuries “occurring in the United States” and those injuries were “caused by” Russia. What more could anyone ask for? Yet courts have consistently interpreted the exception to require that some “domestic act” of the foreign sovereign also occur in the United States, and a number of circuits—along with the Restatement (Fourth) of Foreign Relations Law—take the position that the “entire tort” must take place domestically, or else the foreign government remains immune.

This reading turns in part on legislative history, as the House report that accompanied the Foreign Sovereign Immunities Act stated squarely that “the tortious act or omission must occur within the jurisdiction of the United States.” It also reflects skepticism that Congress would draft an exception for car crashes that incidentally covers elaborate cross-border courses of conduct, like, say, hacking an election. Of course, this reasoning is open to the usual textualist criticisms. As Judge Harry Edwards objected in Persinger v. Republic of Iran, the case in which the D.C. Circuit adopted the domestic act requirement, “Congress never enacted the language of the House Report.”

There are also intuitive practical objections to this approach: For one, it seems to reward gamesmanship on the part of foreign governments. As the Ninth Circuit pointed out in Olsen ex rel. Sheldon v. Government of Mexico, under the entire-tort rule, other sovereigns face a clear incentive to plead that some portion of their misconduct took place abroad. Or as one of the members of an American Bar Association working group warned more colorfully, “[I]f a country plotting a political murder in the United States were to ensure that some small part of the wrongful act ... took place abroad, no suit could be brought against the responsible foreign state in the United States.”

Even taking the entire tort rule as a given, it isn’t the easiest concept to apply with confidence. And however difficult locating a tort might be in an ordinary case, a tort involving the Internet immensely complicates the inquiry. In the district court opinion in Doe, Judge Randolph Moss noted that neither party had identified any tort exception cases that involved “torts facilitated by the Internet and directed from abroad.” If a court ends up addressing the scope of the noncommercial exception in the course of resolving the DNC’s lawsuit, it will confront the question whether to follow the D.C. Circuit’s lead or take a fresh run at articulating where hacking torts take place.

The D.C. Circuit’s Approach

Doe involved allegations that Ethiopia had hacked a Maryland resident’s home computer, violating the Wiretap Act and committing the state tort of intentional intrusion upon seclusion. (Lawfare previously covered the case in a pair of posts.) Doe’s reasoning isn’t perfectly clear, but in finding the claim barred by immunity, the D.C. Circuit panel emphasized two “integral aspects of the final tort” located outside of the United States: “the tortious intent aimed at” the plaintiff and “the software’s initial dispatch.” Intent seems to have been integral because it was an element of each tort, initial dispatch because it was causally critical to the plaintiff’s injuries.

This analysis seems fatal to any of the intentional torts the DNC alleges, at least under the noncommercial tort exception. (The complaint also invokes the FSIA’s exception for commercial activity, which will require a difficult spatial analysis of its own, as the federal district court in D.C. recently confronted in Azima v. RAK Investment Authority.) Indeed, it’s hard to see how any transnational spying suits could make it through the exception under Doe. But there’s room to dispute whether Doe represents the best way to go about the “entire tort” inquiry in these cases.

Where Do You Find a Hacker’s Intent?

For one, the decision to bring the situs of intent into the analysis isn’t an obvious one. I wasn’t able to identify other noncommercial tort precedents that deal with this question, and Ethiopia’s brief in Doe didn’t cite any authority for the proposition that its intent was located abroad. It did, however, stress a key consequence of its position: if intent is located wherever intentional tortfeasors are, then the “entire tort” rule will block claims in which the foreign sovereign’s agents weren’t physically present in the United States when they committed the harm

It’s at least somewhat ambiguous whether that outcome is faithful to congressional intent. The D.C. Circuit pointed out that, during hearings on the FSIA, the State Department’s Legal Adviser testified that the Act largely tracks the European Convention on Sovereign Immunity—and the Convention requires that “the author of the injury or damage [be] present in that territory at the time.” But as the plaintiff in Doe emphasized, Congress was well-familiar with that language when it drafted the FSIA, and lawmakers still took a distinct approach to the exception’s text.

More fundamentally, a de facto physical-presence requirement raises the question whether Congress would want remote-control torts treated differently than analog ones. As the district court opinion in Doe acknowledged, “Ethiopia’s alleged surveillance would fall squarely within the ‘entire tort’ rule had it sent a ‘flesh-and-blood agent into [plaintiff’s] house to install a recording device.’ Technology has simply rendered the human agent obsolete.” Should the passage of time and those technical advances make all the difference in the immunity analysis?

Which of a Hacker’s Actions Form Part of the Tort?

Even if we exclude intent from the framework, Doe would seem to block the DNC’s claim if any of the “tortious act[s] of computer programming” alleged took place abroad. But it’s a little difficult to articulate why these acts—sending spyware on its way, for instance—necessarily formed part of the “entire tort” in Doe. As a result, it’s difficult to judge which of Russia’s actions should count if a court were to apply the same analysis to the causes of action set out in the DNC complaint. While Doe is sometimes described as looking to the elements of a tort, malware’s “initial deployment” certainly isn’t an element of a Wiretap Act claim—in fact, the plaintiff was the one who urged an element-by-element analysis in Doe, because the argument that interception occurs where the compromised computer is located seems like a fairly strong one.

Instead, the D.C. Circuit’s language on this point sounds causal, emphasizing that “[w]ithout the software’s initial dispatch ... Ethiopia could not have” committed the torts alleged, and that the placement of malware on the plaintiff’s computer “began” abroad. It’s hard to know how far this inquiry reaches. Should it be limited to proximate causes, or does it reach “merely preparatory acts,” as the plaintiff’s petition for rehearing charged? To what extent does it turn on the particular cause of action? Whether or not other courts follow Doe, it’s not clear Doe answers these questions. The stakes, though, are relatively plain: The broader the sweep of an “entire tort,” the sharper the concern that foreign states will escape liability by tacking on collateral conduct abroad, and the less likely that any plaintiff will recover for state-sponsored hacking.

A Way Forward?

Of course, whether the DNC can invoke the noncommercial tort exception is just one of a tangle of questions that complicate suing a foreign government for digital espionage. The litigation in Doe also touched on the act of state doctrine, the political question doctrine, the discretionary function exception to the noncommercial tort exception, and the question whether the Wiretap Act provides a cause of action against other sovereigns, to name just a few obstacles to recovery.

Unpacking these and other issues presented by the DNC’s lawsuit won’t be an easy or enviable task. If lawsuits in this style become increasingly popular, there may be no substitute for a clear congressional statement whether the federal courts are in the business of hearing spying claims.