State malware comes before the Constitutional Court of Austria

“The government is consciously accepting that highly sensitive data from citizens can leak to third parties, and consciously wants to keep security vulnerabilities open instead of closing them,” Austrian Member of Parliament Christian Hafenecker (FPÖ) is annoyed about the so-called messenger surveillance using the federal trojan. “Anyone who instrumentalizes security vulnerabilities for surveillance purposes is recklessly putting the privacy of the population and the security of state infrastructure at risk. We demand a return to clear rule-of-law principles and the protection of our fundamental freedoms,” says his colleague Alma Zadić (Greens). Together, the two opposition parties are bringing the amendment to the State Protection and Intelligence Service Act from last year before the Austrian Constitutional Court (VfGH).

This must examine whether the law is constitutional. It allows Austrian investigators to secretly infiltrate devices of citizens with malware in the near future to monitor them. Uninvolved third parties, including operators of messenger services, are legally obliged to cooperate in the surveillance. The suspicion of a criminal offense is not required by Austrian law. It is sufficient if a person is suspected of intending to commit a serious crime in the future.

Secret surveillance technically only works if there are security vulnerabilities, be they intentionally built-in backdoors or unintentional weaknesses. Information about this is offered for sale underground, where state spies or their suppliers would have to shop. The concept therefore only works if taxpayer money flows to organized gangs and the security vulnerabilities are not closed.

Harsh criticism from the opposition

With this, the government is “endangering cybersecurity throughout the country, especially critical infrastructure such as hospitals, energy supply, and authorities,” says Hafenecker, who is also the general secretary of his party. The goal of combating Islamist terrorism, proclaimed by the governing ÖVP party, is merely a “fig leaf.” In reality, “government-critical citizens, who only need to be stamped with the label 'constitutional threat'” are being targeted. He refers to Greece, Poland, and Spain, where similar access to mobile phones has been misused.

“When the state begins to use spyware, abuse inevitably follows. Throughout Europe, journalists and opposition figures as well as civil society have already been monitored with such state trojans,” confirms the Green spokesperson for network policy, Süleyman Zorba. “The question is not whether abuse will occur, but when.” Moreover, the mere possibility of surveillance has a detrimental effect: “The mere knowledge that the state could be reading along changes our behavior. People no longer communicate freely when they have to expect a digital eavesdropper.”

Rare Third-Party Complaint

The law comes about through a rarely used procedure before the VfGH: Austrian constitutional law provides that the court examines federal laws for their constitutionality if one-third of the members of either chamber of parliament (National Council or Federal Council) requests it. The FPÖ and the Greens together have sufficient votes in the National Council and initiated the so-called third-party complaint there on Wednesday.

In 2019, the VfGH declared a version of the law passed in 2018 by the FPÖ and ÖVP for state trojans and the covert recording and storage of vehicle license plates as unconstitutional (File Nos. G 72–74/2019 and G 181–182/2019). At that time, the VfGH examined the case based on two third-party complaints. These came from Social Democrats (SPÖ) and Liberals (NEOS); the parties then in opposition now form the government coalition with the right-wing conservative ÖVP and co-approved the new amendment in July.

The SPÖ and ÖVP expressed irritation on Wednesday about the FPÖ's “180-degree turn.” As Minister of the Interior, FPÖ leader Herbert Kickl had still pushed for messenger surveillance, wanting to monitor far more than just constitutional threats. The new wording is constitutional. The NEOS, although not in opposition, expressly welcome the examination by the VfGH.

(ds)