Carter: DNC’s hacking suit is a missed opportunity

The Democratic National Committee's lawsuit against President Donald Trump, his presidential campaign, WikiLeaks and the Russian Federation had barely been filed before the first fundraising email hit my inbox. The party was bragging about the litigation, how this bold stroke would fix Trump, fix what's wrong with democracy and put two apple pies in every garage. But reading over the 66-page complaint, filed Friday in U.S. District Court in New York, one can hardly avoid being saddened at what might have been. The case could have provided the opportunity to resolve a vexing legal problem about liability for hacking. Instead, the DNC preferred a publicity stunt.

Although the complaint includes a handful of details that don't seem to have been previously reported, it nevertheless reads less like a legal document than like a poorly sourced magazine story. The suit is unlikely to survive a motion to dismiss, in part because the tangled conspiracy theory it presents is not (to use lawspeak) properly pleaded and, in part, because much of the complaint's substance consists of what lawyers call conclusory allegations. Whether the theory that Trump colluded is true makes no difference; the theory doesn't work as a lawsuit. But, as my inbox suggests, the point of the suit isn't to win. It's to stir up the base.

Which is too bad.

Because if you subtract the political defendants and consider only the lawsuit against Russia, the DNC could potentially be on to something both interesting and important. So far, no foreign government has been successfully sued for hacking U.S. computers. But this time the evidence just might be strong enough to give a federal court jurisdiction.

The essential claim is that by hacking the DNC's computers, Russia committed a trespass in the U.S. The problem, of course, is that Russia is generally protected by sovereign immunity. But the Foreign Sovereign Immunities Act includes an exception for torts committed on U.S. soil. The idea that hacking falls within the exception has lately been raised in the law reviews but has yet to be tested successfully in court.

Consider, for example, an appealing 2015 article by Scott Gilmore of the Center for Justice and Accountability. When a foreign government hacks a domestic U.S. server, Gilmore writes, the actual hacker may be overseas, “but the act that proximately causes injury - the intrusion or interception - occurs here.” He draws an analogy to cases allowing suits against foreign governments when an assassination plan was hatched abroad and carried out on U.S. soil.

But in a hack, does the intrusion really occur “here”? At this point things could get a bit metaphysical. Thoughtful people have long debated whether cyberspace actually possesses a “here” - a physical place where events occur. After all, it's an invented word describing a virtual construct. As Lawrence Lessig of Harvard Law has pointed out, it's hard to call cyberspace a place, given that you enter without going anywhere. Whether you're texting a friend, reading the news or playing a game, you haven't budged. But you're still in a different world.

Russia might argue, then, that even hacking a server located within the U.S. does not involve any physical presence. This isn't like firing a missile. No tangible thing has left one country and entered another. Instead, the entire event has occurred in cyberspace, a place that exists but also doesn't, a place that lies within no nation's borders because it has no real-world presence. As I said: highly metaphysical.

Gilmore seeks to sidestep that conundrum: “By installing code on a hard drive located in the United States, the foreign state has committed a form of trespass in U.S. territory.” This seems plausible. After all, wherever cyberspace might be located, installing code involves changing the internal state of a machine. That's arguably a physical act. In its cyberwarfare planning, the U.S. government takes an analogous view, considering that digital attacks on domestic targets are just like physical attacks. Following Lessig's lead, the Department of Defense argues that software “blurs the line between the cyber and physical world.” In short, although the battle might take place within cyberspace, the effects occur outside of it.

Judging the cyberattack on the DNC by this standard, we can take two routes to show that it took place on domestic territory. In the first place, the Russia hack of the DNC (as well as the failed hack of the Republican National Committee) took place via a phishing email purporting to be from Google, prompting the user to choose a new password. According to news reports, the hackers tried 30 times before someone at the DNC clicked on the bogus link and was fooled into turning over login credentials. That click took place somewhere on U.S. soil.

In addition, the physical harm the DNC suffered - damage to its servers - took place within the U.S. According to the complaint, repair and remediation costs were more than $1 million. Of all the harms the DNC pleads in its lawsuit, this is the one that most plausibly and directly links the Russian Federation to an act that occurred on domestic soil. If the infiltration of the servers rather than the alleged conspiracy were the predicate for the entire lawsuit, we would now be exploring a vital new area of law that could greatly influence the future. Instead, the DNC preferred a publicity stunt.

Too bad: There's so much to explore. Maybe a court wouldn't buy the theory. Maybe the U.S. government would oppose jurisdiction, worried about being sued overseas for doing pretty much the same thing. Maybe the forensic evidence that the Russians did it would prove flimsier than we think. But whatever happened, we'd be traveling through new and exciting areas of law, setting a precedent that would matter. Maybe after this DNC lawsuit is dismissed, the party will return to court with a serious suit to solve a serious problem.

Stephen L. Carter, a law professor at Yale, is a columnist for Bloomberg View.