An American citizen living in Maryland has sued the Ethiopian government for infecting his computer with secret spyware, wiretapping his private Skype calls, and monitoring his entire family’s every use of the computer for a period of months.  EFF is representing the plaintiff in this case, who has asked the court to allow him to use the pseudonym Mr. Kidane – which he uses within the Ethiopian community – in order to protect the safety and wellbeing of his family both in the United States and in Ethiopia.

What is this case about?

EFF has filed a lawsuit in federal court in Washington, DC alleging that the government of Ethiopia, using notorious surveillance malware known as FinSpy, illegally wiretapped and invaded the privacy of our client, a U.S. citizen on U.S. soil.  Essentially, the malware took over our client’s computer and secretly sent copies of his activities, including Skype calls, web searches and indications of websites visited other activity, to the Ethiopian government.

Who does EFF represent in this case?

Our client in this case is an American citizen living in the U.S.  We are not revealing his name, and he is seeking to participate under a pseudonym in order to protect his family both in the United States and in Ethiopia. Sadly the Ethiopian government has a bad record of mistreating the family members of people who oppose it.  We have asked the court for permission to refer to him only by the pseudonym he uses in the Ethiopian community: Kidane.
 
Mr. Kidane was born in Ethiopia and lived his early life there. He came to the United States more than 20 years ago, sought asylum here, and is now U.S. citizen. He lives in Maryland. He is married with 2 children.

How is this different from an ordinary wiretapping case?

It’s not really different at all. This is a straightforward case challenging the wiretapping and invasion of privacy of an American citizen at his home in suburban Maryland.  Installing malware that intercepts someone else’s communications illegal in the U.S. and in most other countries of the world.  The only difference between this an ordinary domestic wiretapping case is that the wiretapping was conducted by the government of Ethiopia.  Wiretapping is a serious civil and criminal offense and a foreign country is not exempt from U.S. laws when it operates in the U.S. and attacks U.S. citizens.

Why is this case important?

This case is important because it demonstrates that state-sponsored malware infections and can indeed are occurring in the U.S. against U.S. citizens. It seeks to demonstrate that warrantless wiretapping is illegal and can be the basis of a lawsuit in the United States, regardless of who engages in it.   

How did the defendant’s computer become infected with FinSpy?

Mr. Kidane’s computer became compromised after he opened an email containing an infected Word document attachment sent by agents of the Ethiopian government and forwarded to him. After the attachment was opened, FinSpy was surreptitiously downloaded onto his computer from a server located at an Ethiopian IP address.  FinSpy then took complete control over his computer and began recording some, possibly all, of the activities undertaken by users of the computer, including both Mr. Kidane and members of his family.  It then sent copies of those activities, including Skype calls, to a command and control server located in Ethiopia and controlled by the government.

What are the surveillance capabilities of FinSpy?

Publicly available information about FinSpy confirms that it can do all of the things that occurred on Mr. Kidane’s computer.  FinSpy includes a number of features that the government operator may install on infected devices to facilitate different types of monitoring and the acquisition of different types of data.  For example, FinSpy includes a feature for extracting saved passwords from more than 20 different web browsers, e-mail programs, and chat programs, and capturing these passwords as the user types them in.

FinSpy can also record Internet telephone calls, text messages, and file transfers transmitted through Skype, record every keystroke on the computer, and take a picture of the contents displayed on a computer’s screen.  It can even covertly record audio from a computer’s microphone even when no Skype calls are taking place.

What did FinSpy record in our plaintiff’s case?

At a minimum, we know that between late October 2012 and March 2013 the FinSpy software  installed on Mr. Kidane’s computer made secret audio recordings of dozens of Mr. Kidane’s Skype internet phone calls, recorded portions or complete copies of a number of emails sent by Mr. Kidane, and recorded a web search related to the history of sports medicine, conducted by Mr. Kidane’s son for his middle school history class.

How do we know that our plaintiff’s FinSpy infection was controlled from Ethiopia?

The copy of FinSpy discovered in the Word documents on Mr. Kidane’s computer contained a configuration file specifying the FinSpy command and control server to which the infected computer would exfiltrate data with a single Internet Protocol (“IP”) address: 213.55.99.74.

The 213.55.99.74 IP address is part of a block of addresses registered to Ethiopia’s state-owned telecommunications company – Ethio Telecom – which indicates the relay is located inside Ethiopia, and also indicates that its operator is a customer or subscriber with Ethio Telecom.

Researchers have conducted several scans of various ranges of internet address numbers.  The existence of the FinSpy command and control server located at 213.55.99.74 was first disclosed on August 8, 2012 in a research blog post appearing on the website of Rapid7, a security firm.

Subsequent scans conducted by CitizenLab detected that the same address was a FinSpy command and control server.  These results were publicized on August 29, 2012, and March 13, 2013.  In both cases, the command and control server was still operational at the time of publication.  The March 13, 2013 CitizenLab publication also reported on the discovery of a FinSpy executable disguised as an image of Ethiopian opposition leaders, which contained a configuration file containing the address of the Ethiopian command and control server.

What company is behind the FinSpy surveillance software?

FinSpy is part of the FinFisher line of “IT Intrusion” products developed and marketed by Gamma International, Ltd, a United Kingdom-based company, now known as FinFisher GmbH.  Gamma produces FinSpy spyware for Windows, Macintosh, and Linux computers, as well as iPhone, Android, Nokia/Symbian, Windows Phone, and Blackberry mobile devices. FinFisher claims that this product is only sold to governments. 

How do we know the Ethiopian government was operating the FinSpy command and control server responsible for our plaintiff’s infection?

Gamma specifically asserts that “FinFisher solutions are sold to governmental agencies only.”

Who uncovered the evidence that FinSpy was being used to spy on democratic activists?

The use of FinSpy technology by governments to spy on human rights and democracy activists around the world has been investigated by CitizenLab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. CitizenLab focuses on advanced research and development at the intersection of digital media, global security, and human rights.

On March 13, 2013, the CitizenLab released a report on the proliferation of FinSpy called You Only Click Twice.  The report included a section describing Ethiopia’s use of FinSpy, and included identifying details of a FinSpy Master server in Ethiopia. 

A hearing on Defendant's Motion to Dismiss was held on July 14, 2015.