English Court Finds No Sovereign Immunity in Spyware Case
August 30, 2022
The English High Court has applied a statutory exception to foreign sovereign immunity to claims arising from the alleged use of spyware by a foreign state to target and monitor dissidents in the United Kingdom. It is the first case to find an exception to sovereign immunity for allegations relating to spyware. In doing so, the English court declined to follow the “entire tort” doctrine of the United States.
On 19 August 2022, the English High Court ruled in Al Masarir v Kingdom of Saudi Arabia  EWHC 2199 that Saudi Arabia is not immune under the UK State Immunity Act (UK SIA) in a case alleging the use of spyware to infiltrate the iPhones of a prominent human rights activist.
The claimant is Mr Ghanem Al-Masarir, a satirist and human rights activist residing in the United Kingdom. Videos on his popular Ghanem YouTube channel have garnered over 230 million views (¶ 174). Mr. Al-Masarir alleged that the Saudi regime had infected his two iPhones with spyware known as “Pegasus” acquired from the Israeli company, NSO Group. He claims that the spyware enabled the “covert and unauthorised accessing” of information stored on and communicated by his phones (¶ 15). Mr. Al-Masarir also alleges he was followed and attacked in Knightsbridge, London, by men who were directed or authorised by Saudi Arabia (¶ 16). He brought a claim for damages for personal injury in the form of psychiatric injury resulting from misuse of private information, harassment, trespass to goods, and assault.
The UK SIA affords general immunity to foreign states from the jurisdiction of the English courts. However, section 5 provides for an exception “as respects proceedings in respect of – (a) death or personal injury; or (b) damage to or loss of tangible property, caused by an act or omission in the United Kingdom.” It was this exception that allowed Mr. Al-Masarir’s case to proceed against Saudi Arabia.
The court held that both the act of installing Pegasus on the iPhones and the assault fell within section 5 because that exception extends to any act of whatever type done by a foreign state in the United Kingdom that causes personal injury (¶ 116). Taking into account the extensive technical evidence of Dr. Marczak of Citizen Lab, the court found that Mr. Al-Masarir had adequately shown that his iPhones were infected with spyware, and that Saudi Arabia and/or those for whom it was vicariously liable were responsible (¶ 160).
The Territorial Nexus
Perhaps of greatest interest to the readers of this blog is how the English court dealt with the territorial nexus in addressing acts that took place in various jurisdictions.
The nature of spyware means that its operation crosses borders. The spyware can be implanted on a device in various ways, including by the user of the device clicking on a link in a malicious text message disguised as, for example, a package delivery update. Once implanted and installed, the spyware causes the device to communicate with a command-and-control server operated by a Pegasus customer, such as the foreign state that purchased the spyware, so as to receive commands from, and transmit data to, that state. These communications are usually conducted via intermediate proxy servers so that it is not possible to identify the internet address associated with the server nor to ascertain the identity or location of that server and the state customer (¶ 175).
Despite the digital smoke and mirrors, it was possible for Mr. Al-Masarir to point to discrete, self-contained acts that occurred on UK soil that could be said to have caused the damage forming the subject matter of his claim: the spyware was received in the United Kingdom, it was installed on his iPhones in the United Kingdom, the hardware on the phones such as camera, microphone, battery, and GPS receiver were activated in the United Kingdom, and his private data was transmitted from the United Kingdom.
What territorial nexus would suffice to bring the claim within section 5 of the UK SIA, which requires by “an act or omission in the United Kingdom”? The parties agreed that there was no authority directly on point (¶ 119).
Saudi Arabia submitted that section 5 requires the “whole tort to take place within the UK” (¶ 44). Saudi Arabia placed particular emphasis on the US case of Kidane v Ethiopia, which also arose out of a spyware attack on an human rights campaigner living in the United States. The US Court found that it lacked jurisdiction because the non-commercial tort exception in the Foreign Sovereign Immunities Act (FSIA) (28 USC 1605(a)(5)) did not apply since the entire tort did not occur on US soil. The US court observed that:
… at least a portion of Ethiopia’s alleged tort occurred abroad … whether in London, Ethiopia or elsewhere, the tortious intent aimed at Kidane plainly lay abroad and the tortious acts of computer programming likewise occurred abroad. Moreover, Ethiopia’s placement of the FinSpy virus on Kidane’s computer, although completed in the United States when Kidane opened the infected e-mail attachment, began outside the United States. It thus cannot be said that the entire tort occurred in the United States. (cited at ¶ 141).
Mr. Al-Masarir argued that the US “entire tort” doctrine should not be followed in the United Kingdom. The plain meaning of section 5 of the UK SIA – “caused by an act or omission in the United Kingdom” – requires only “a single relevant act or omission causative of the death, injury or damage to take place within the UK in order to engage the exception” (¶ 30).
The English court agreed with the Mr. Al-Masarir, relying on the grammatical meaning of section 5 (¶ 120). It observed that for the section 5 exception to apply, there had to be “an act or omission in the UK which is causative of the requisite damage on a more than de minimis basis” (¶ 120). The court noted that where “a computer device located in the UK is manipulated and made to perform operations as a result of electronic instructions sent from a computer/operator located abroad then there is authority for the proposition that this is to be regarded as an act within the UK” (¶ 132).
As regards the US “entire tort” doctrine, the court was “unpersuaded” that this case law had a significant bearing on the issue despite “the high authority of the American courts” (¶ 144). This was for three reasons. First, the exception in question was formulated differently in the laws of different states, including the extent of the required territorial connection (¶ 145). Second, the wording of the FSIA (“the tortious act or omission of that foreign state”) differs from the wording of the UK SIA (“an act or omission”) (¶ 146). Third, the “entire tort” doctrine under the FSIA was “based in large part on the specific legislative history” of the law, which was not reflected in the UK Parliamentary history of the UK SIA (¶¶ 147-149).
Implications and Reflections
We are living in the age of spyware, cyberespionage, and digital warfare. Our smartphones are both an essential tool and a persistent vulnerability. Just recently Apple advised its users to immediately update their devices to protect against flaws that allow attackers to take complete control of the devices.
And spyware is not just being used by private hackers, but also by sovereign states.
The English High Court’s rejection of the “entire tort” doctrine is to be welcomed as a realistic approach to the law of immunity in the age of spyware and other transnational activities involving foreign states. As Seppälä and Peterson have noted, the phrase “an act or omission” is also found in the state immunity legislation of South Africa, Australia, Singapore and Malawi. “Act” or “action” is also referred to in the singular in the legislation of Japan and Russia. The 2004 UN Convention on Jurisdictional Immunities of States and their Property (not yet in force) refers to “the act or omission” that “occurred in whole or in part in the territory” of the forum state. The FSIA’s “entire tort” doctrine is looking more and more like an outlier.
A review of the instruments on state immunity also reveals a mixed approach as to whether the alleged perpetrator must be present in the territory at the time of the act or omission. In a case against a foreign state, this would require the claimant to show the state’s official or agent was physically present in the forum state at the time of the act or omission, in order for the exception to apply. This “presence requirement” is found in the UN Convention (“if the author of the act or omission was present in that territory at the time of the act or omission”, the 1972 European Convention on State Immunity, and the legislation of Japan and Russia. If Mr Al-Masarir’s case has been brought under those instruments, the exception would not have applied because the alleged use of the spyware did not involve the physical presence of Saudi agents in the United Kingdom. However, there is no express ‘presence requirement’ in the legislation of the United Kingdom, United States, South Africa, Canada, Australia, Singapore, Argentina, Malawi, or Israel. Given the array of ways in which injuries and loss may be inflicted remotely, whether by computer virus or drone, a “presence requirement” appears outdated.
The Al-Masarir judgment opens up the possibility of using the section 5 SIA exception – and its equivalents in other jurisdictions – to hold foreign states accountable for acts other than surveillance, such as poisoning the tea of an opponent or kidnapping a dissident off the streets, even if the planning for the acts took place abroad (see examples given at ¶¶ 1-2). It opens up a route for accountability for election interference and state-sponsored disinformation leading to harm. It is concerning that the “entire tort” doctrine under the FSIA has prevented the hearing of a case against the Russian Federation for alleged hacking of the Democratic National Committee’s computers. In the United States, parties harmed by Pegasus spyware have resorted to suing NSO itself.
The rejection of the “entire tort” doctrine by the English High Court may encourage a reconsideration of this doctrine in US courts – neither the text of the FSIA nor policy militate in favour of an outdated approach of shielding foreign states from accountability for insidious acts on the territory of the forum state.
Note: The author is counsel to the claimant in this case. This post represents her personal, academic views and not necessarily those of her client.