No Jurisdiction in Federal Court Over Saudi Activist's Claims Against Alleged Hackers for UAE Government
"Plaintiff's allegations of political retaliation and torture are highly concerning. Nevertheless, this Court is bound by jurisdictional limits and grants Defendants' Motion to Dismiss for lack of personal jurisdiction."
From Alhathloul v. Darkmatter Group, decided today by Judge Karin Immergut (D. Or.) for the pointer:
Plaintiff {a Saudi human rights activist and leader of the movement to promote the rights of women and girls in the Kingdom of Saudi Arabia} brings three federal claims against Defendants, based on allegations that Defendants hacked Plaintiff's iPhone, surveilled her movements, and exfiltrated her confidential communications for use against her by the security services of the United Arab Emirates ("UAE"). According to Plaintiff, Defendants' actions led to her arrest by the UAE security services and rendition to Saudi Arabia, where Plaintiff states that she was detained, imprisoned, and tortured. Plaintiff's allegations of political retaliation and torture are highly concerning. Nevertheless, this Court is bound by jurisdictional limits and grants Defendants' Motion to Dismiss for lack of personal jurisdiction….
Defendants argue Plaintiff alleges no jurisdictionally significant connection between Defendants, the present litigation, and the United States, save for the fact that certain text messages allegedly sent by Defendant DarkMatter from a foreign location passed through U.S. servers on their way to Plaintiff's phone abroad. Plaintiff counters that Defendants contacts with the United States are jurisdictionally significant because Defendants caused Apple's U.S. servers to transmit malicious code to Plaintiff's phone.
For the following reasons, this Court concludes that it cannot exercise personal jurisdiction over Defendants….
If this Court were to base its determination of where the tortious conduct took place on the location where the Defendants sent the message, that location would be outside of the forum. Conversely, if this Court were to base its determination of where the tortious conduct took place on the location "that contain[ed] the hardware manipulated by the defendant to commit the tort," that location would also be outside of the forum, because the "computer … manipulated … to commit the tort" was Plaintiff's phone, not Apple's servers.
As alleged in Plaintiff's Complaint, the messages transmitted from Defendants to Plaintiffs "contain[ed] an exploit and malware" before they reached Apple's servers in the United States. Further, as alleged in Plaintiff's Complaint, the exploit is only activated on the target's phone and only after the phone, and not the server, "receives and processes the attacker's iMessage." Indeed, Plaintiff does not appear to allege that Defendants manipulate, transform, or otherwise commit any illegal act directly to Apple's servers, even if the attackers "interact[] with Apple's U.S.-based servers several times" in the process of sending an exploit and associated malware. As such, this Court finds that the tortious conduct itself took place outside of the forum….
Plaintiff argues that Defendants "intentionally aimed their exploit and malware at Apple's U.S. servers to leverage vulnerabilities in Apple's iMessage system and reach [Plaintiff's] iPhone." In other words, Plaintiff argues that Defendants' contacts with the United States were not "fortuitous" because they intended to use Apple's U.S.-based servers to hack Plaintiff's phone. But Plaintiff's argument would force this Court to stretch the Ninth Circuit's personal jurisdiction caselaw to cover conduct that has never been found sufficient to confer jurisdiction over a foreign-based defendant…. A survey of cases throughout the Ninth Circuit likewise supports this Court's conclusion that the choice by a third party to operate its servers in the forum is insufficient to show that a foreign defendant who uses those servers purposefully directs their actions at the forum….
Mere knowledge of the location of a third-party's servers, in sum, is not sufficient to constitute purposeful direction. "Due process requires that a defendant be haled into court in a forum State based on his own affiliation with the State, not based on the 'random, fortuitous, or attenuated' contacts he makes by interacting with other persons affiliated with the State." Plaintiff's argument would ask this Court to find personal jurisdiction based on the choice of a third party not before this Court. Such an outcome is foreclosed by existing precedent and this Court declines to find the purposeful direction prong satisfied here….
The third element of the purposeful direction test requires a defendant to "caus[e] harm that the defendant knows is likely to be suffered in the forum state." … This Court finds that, while the allegations in Plaintiff's Complaint support the inference that Defendants caused Plaintiff harm outside of the United States, the Complaint does not support the inference that Defendants knew that harm was likely to be suffered in the United State as opposed to some other forum. Plaintiff argues that "[b]y uploading malicious code to Apple's U.S. servers for delivery to [Plaintiff's] iPhone, Defendants broke the digital security that is critical to [Plaintiff's] human rights work and transformed Apple's secure messaging system into Defendants' personal malware delivery device." But the harm to Plaintiff's device—the hack itself, and the subsequent surveillance of that device—occurred outside of the forum state. As such, the only harm that Plaintiff alleges actually occurred in the United States is the "transform[ation of] Apple's secure messaging system into … [a] malware delivery device."
Plaintiff cites to no authority to support her theory that harm to a third party in the forum, rather than harm to the plaintiff, constitutes a "jurisdictionally sufficient amount of harm." …
This Court likewise finds that [another] factor—the forum's interest in adjudicating the dispute—weighs against the exercise of jurisdiction. While the United States has a strong interest in providing a forum for its residents who are injured by tortious conduct, Plaintiff is not a United States resident. The United States might have a strong interest in ensuring that its U.S.- based companies who rely on U.S.-based servers are not subject to transmissions of malware, but Apple is not a party to this action and its interests cannot be considered in determining whether jurisdiction is reasonable…. The Ninth Circuit has warned against expanding jurisdiction under Rule 4(k)(2) in situations where the foreign defendants have had only limited contacts with the United States….
This Court agrees with Plaintiff that [another] factor—the importance of the forum to the plaintiff's interest in convenient and effective relief—weighs in favor of jurisdiction. Plaintiff brings her claims under U.S. law, which heightens Plaintiff's interest in her claims being adjudicated by a U.S. court.
[And yet another] factor—the availability of an alternative forum—also favors Plaintiff. Plaintiff argues that "the Complaint's allegations show that the UAE is not a viable alternative forum." This Court agrees that Plaintiff's Complaint alleges conduct by the UAE that, if assumed to be true, would make the UAE a hostile forum to Plaintiff's claims. The fact that [these] … factors favor Plaintiff, however, is not sufficient to overcome the conclusion that the other reasonableness factors weigh against jurisdiction.
Congratulations to Nicholas F. Aldrich (Schwabe, Williamson & Wyatt, P.C.); Anthony T. Pierce, Caroline L. Wolverton, and Natasha G. Kohne (Akin Gump Strauss Hauer & Feld L.L.P.); and Clifford S. Davidson (Snell & Wilmer L.L.P.), who represent defendants.