For months, the Ministry of the Interior and the Office for the Protection of the Constitution have been calling for more options for monitoring messenger services such as Signal, WhatsApp, Telegram etc. By now, several supreme courts have categorised the interception of encrypted communication as a clear violation of fundamental rights. The ÖVP's attempt to legalise the state trojan in the draft law circulated today scores a clear F!

We have received the Ministry of the Interior's draft in advance and analysed it for you:

The State Becomes a Hacker

After one of the biggest espionage scandals in Austria surrounding Egisto Ott, the calls for the surveillance of encrypted messages are getting louder. We are concerned because the Ministry of the Interior reacts to the abuse of surveillance powers by expanding surveillance powers. This is the fourth attempt by the ÖVP to introduce a state trojan. First, the Minister of Justice Brandstetter withdrew such a law in 2016 following enormous criticism during the review process. In 2017, the second attempt failed in parliament as part of a surveillance package. Under the Minister of Interior Kickl, the state trojan was adopted in 2018 and repealed by the Constitutional Court in 2019.

Deliberate Endangerment

Despite the obvious shortcomings in terms of fundamental rights, the ÖVP-led Ministry of the Interior is once again effectively calling for a state trojan in the draft law circulating today. The fact that the state would thus be investing in the insecurity of our entire IT system does not seem to bother the ÖVP.

The danger of a state trojan is primarily not mass surveillance, but the mass jeopardising of the security of all smartphones. For a state trojan, the state has to spend taxpayers' money on security loopholes. These are often paid for in subscription models with special spyware companies so that they are not closed by the manufacturers. This is where the absurd reversal of interests becomes clear: the state should actually be responsible for the security of the population and also has a positive duty of protection to safeguard individual communication according to the telecommunications secrecy.

However, if the state wants to use state trojans, this will only be possible if certain vulnerabilities in computer systems are deliberately left unpatched and exploited to plant the malware. According to the current draft, the particularly dangerous class of security vulnerabilities is also used, through which a device can even be taken over remotely. The knowledge of such security gaps cannot be owned exclusively by a state. Everyone else, including criminals, might discover and use the same security gaps for attack purposes. The longer a security gap remains open, the greater the danger to the population. The only correct course of action would be to report it to the manufacturers immediately so that the gap can be closed.

Complete Access & Unusable Evidence

In order to infiltrate surveillance software for messengers, the entire device must be hacked. All data such as photos, documents, locations and even message drafts that have never been sent could be read and manipulated - by the trojan itself and any third parties who know about the security gap in the phone. This harbours an extremely high potential for abuse.

Since the entire device needs to be hacked with the state trojan, evidence on the target device is very likely to become unusable. The state trojan leads to considerable doubts about the quality and authenticity of the evidence obtained because of the circumstances under which it was acquired. This in turn can have an impact on the question of whether the proceedings as a whole were fair.

Even with a state trojan, there is a lot of communication that would be inaccessible to the Austrian authorities. People with sufficient motivation and know-how could still communicate undetected with certain operating systems such as GrapheneOS and specially hardened crypto phones and thus evade surveillance by a state trojan.

Presumably Unconstitutional - Again

Back in 2019, the Austrian Constitutional Court clearly established the enormous depth of interference with fundamental rights of a state trojan, which goes far beyond the surveillance tools available to date. Accordingly, the Supreme Court demanded a particularly high level of legal protection.

The law which was repealed by the Constitutional Court in 2019 already included all legal protection mechanisms available under the previous legal protection system: it required judicial authorisation and the involvement of a legal protection officer. Nevertheless, the Constitutional Court considered the legal protection mechanisms to be inadequate. In the opinion of the Constitutional Court, "an accompanying, effective control of the ongoing implementation of this measure by a court (or by a body with equivalent guarantees of independence) - equipped with appropriate technical means and personnel resources - is required".

In the draft available to us, we only see lip service regarding the improvement in legal protection demanded by the Constitutional Court. We do not see any evidence of actual implementation, including the necessary technical and human resources.

Furthermore, the Constitutional Court already criticised the far too broad scope of application of the state trojan, which was extended to not sufficiently serious criminal offences. The draft from 2019 was even stricter than the current proposal: unlike the current draft, it was at least limited to concrete (criminally relevant) suspicions and did not extend to abstract risk research.

Human Rights Violations by (Producers of) Spyware

Today, a state trojan law must meet not the requirements of 2019, but those of 2024. Since the Pegasus scandal, the public has become even more aware that the state trojan is a dangerous technology. In the case of Podchasov vs Russia, the European Court of Human Rights also clearly stated that restricting encryption should be rejected as a drastic encroachment on the fundamental right to privacy.

The producers of the spy software themselves must also take responsibility for the resulting human rights violations. The trade in such highly invasive surveillance products is subject to neither oversight nor accountability. The manufacturers operate in secrecy and on an almost industrial scale, as shown by an investigation by European Investigative Collaborations and Amnesty International. In such a sensitive area, where massive human rights violations are involved, transparency and strict regulation at EU level are needed. Otherwise, these highly dangerous surveillance products will continue to fall into the wrong hands and be misused by autocrats or other criminals of this world. By introducing a state trojan, Austria would be further supporting this highly problematic digital weapons industry with taxpayers' money.

epicenter.works received the draft for analysis, but cannot share it due to confidentiality. In the interests of a democratic debate, we hope that the draft will soon be published by those responsible (or leaked).
