Ethiopia was accused by a U.S. citizen with links to opponents of the East African nation’s government of spying on him with surveillance software on his home computer, according to a first-of-its-kind lawsuit in Washington.
The complaint cites a decades-old federal anti-bugging law, the Wiretap Act, to challenge a foreign government’s electronic snooping against an American.
“We’re trying to apply an old law to a new context,” said Cindy Cohn, legal director of the Electronic Frontier Foundation, a privacy group that brought the complaint in federal court on behalf of a plaintiff identified in court papers under the pseudonym Kidane. “The U.S. government can’t do this without a warrant. It’s OK for the Ethiopian government do this without a warrant?”
The request to file under a pseudonym was made Feb. 13 and approved by a federal judge on March 5. The complaint appeared today on the court’s public docket. Kidane, an Ethiopian native now living in Silver Spring, Maryland, asked to file anonymously citing fear of “harmful retaliation from members of the Ethiopian government,” according to his request.
Spying software, known as FinSpy, surreptitiously installed on Kidane’s computer in suburban Washington made audio recordings of Skype Internet phone calls, copied e-mail and logged websites and sent the information to a FinSpy master server in Ethiopia, according to his complaint.
The case highlights what human rights and privacy advocates say is the growing use of spying software by governments against political opponents.
“I think it’s absolutely part of a trend,” said Bill Marczak, a research fellow at Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, who has tracked the use of spyware, including FinSpy, by country.
FinSpy, developed by U.K.-based Gamma Group, is marketed to governments and is supposed to be used for so-called lawful intercepts involving law enforcement or security tasks such as tracking pedophiles, drug dealers or terrorists.
“But once a sale is made to a government, they can use it, really, however they want,” Marczak said.
Citizen Lab began tracking FinSpy after Bloomberg News in July 2012 reported on evidence of the malware’s use against Bahraini pro-democracy activists in locations including Washington and London.
Martin J. Muench, managing director of Gamma’s Munich-based unit, Gamma International GmbH, didn’t immediately respond after regular business hours to an e-mail seeking comment on the lawsuit.
Marczak and other Citizen Lab researchers said they suspect Ethiopia and 20 other countries have used another spyware product known as Hacking Team, marketed by an Italian company, according to a report released Feb. 17.
The Economist’s 2012 Democracy Index gave nine of the countries, including Ethiopia, its lowest ranking, “authoritarian,” according to the report.
Kidane’s complaint alleges violations of the Wiretap Act, which prohibits electronic eavesdropping, and seeks a court order declaring the surveillance an unlawful intrusion and awarding as much as $10,000 in damages, the maximum allowed by law.
Ethiopia is a U.S. ally, although according to a 2012 State Department report cited in the complaint, “restrictions on freedom of expression and association” are the country’s “most significant human rights problems.”
The Ethiopian Embassy in Washington didn’t immediately respond to phone messages seeking comment on the lawsuit.
Kidane’s suit “is kind of a test case,” Marczak said. “If successful, others will follow.”
The challenge for Kidane’s lawyers will be to convince a judge that U.S. courts have authority over a foreign government, something they have been reluctant to do, said Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center.
“I think they’re going to need something more than the federal Wiretap Act to establish jurisdiction,’ Rotenberg said.
The cyber surveillance of Kidane began in October 2012 after he opened an e-mail containing a Microsoft Word document infected with elements of FinSpy designed to take over the targeted computer, according to his suit.
Kidane discovered FinSpy on his computer after he had it checked following publication of Citizen’s Lab March study.
He found that ‘‘the FinSpy master server in Ethiopia disclosed in Citizen Lab’s report is the same server that controlled the FinSpy target installation on Mr. Kidane’s computer,” according to his complaint.
“The infection appears to have been removed on March 18, 2013, at 8:58:27, just five days after Citizen Lab’s publication of its report disclosing Ethiopia’s use of FinSpy and the technical details of the FinSpy relay in use in Ethiopia,” Kidane’s lawyers wrote.
The global dispersion of players and the involvement of new technology should not obscure the basic simplicity of the case, Cohn said.
“Wiretapping is wiretapping. It doesn’t matter if it’s neighbor or a foreign government,” Cohn said. “People have a right to privacy in their homes.”
The case is John Doe a.k.a. Kidane v. Federal Democratic Republic of Ethiopia, 14-cv-372, U.S. District Court, District of Columbia (Washington).