In 2018, the then ÖVP-FPÖ coalition decided on a “federal trojan” to monitor messenger messages, but it was overturned by the Constitutional Court (VfGH) in 2019 before it came into force. After long resistance from the Greens, Interior Minister Gerhard Karner (ÖVP) has now sent a new draft law on messenger surveillance for review in the wake of the thwarted alleged attack plans on a Taylor Swift concert. Data protection advocates also reject this.
The ÖVP has long been pushing for the Directorate for State Security and Intelligence (DSN) to be given more powers to monitor messengers. The Greens continue to reject a new “federal Trojan” because of the infringement on fundamental rights and freedoms, but have recently shown themselves open to new options for the DSN to prevent terrorist acts of violence and have called for an assessment of the draft law to clarify open questions. The deadline for this ended today, Wednesday.
Data protection organizations are also against the new draft of the State Security and Intelligence Service Act (SNG) on messenger surveillance. In it, the Ministry of the Interior explicitly addressed the Constitutional Court’s requirement that surveillance of computer systems is only permitted “within extremely narrow limits”. However, the restriction of surveillance to a certain amount of data from a defined period of time provided for in the law is only a “legal fiction” for epicenter works, for example, because a “federal Trojan” only works with full administrative access to the mobile phone. The increased legal protection – approval by the Federal Administrative Court and involvement of the Legal Protection Commissioner at the Ministry of the Interior is planned – is “merely lip service” without a new institution such as a legal protection senate or without additional resources or competencies.
The Data Protection Authority (dsb) believes that the hurdles set out in the draft law for such a “far-reaching” intervention as messenger surveillance are too low. The dsb cannot even estimate whether the planned software is permissible from a data protection perspective because there is no precise description of the technical and organizational framework – a criticism that is also repeated several times in other statements. The Data Protection Council lacks concrete information on why the measure is necessary and suitable for averting serious threats. The data protection organization noyb also misses clear regulations that ensure that the software used meets the requirements of data protection and the constitution. In any case, for a use in accordance with the rule of law, protective mechanisms such as external audits, certifications and audit-proof logging would be needed.
Lawyers are divided. Representatives of the Institute for Criminal Law and Criminology at the University of Vienna agree with the planned regulation. Criminal law professors Farsam Salimi and Susanne Reindl-Krauskopf find it difficult to understand why, unlike in other constitutional democracies, communication content cannot be accessed at least in serious individual cases in order to prevent crimes and solve crimes that have been committed. Now this “gap” is being closed, at least at the Office for the Protection of the Constitution.
Neither sees the danger of widespread surveillance, as the measure should only be considered in cases of serious threats or espionage, and then only if the use of other measures would be futile. The multi-stage approval and control process limits the infringement of fundamental rights to the absolute minimum. The Attorney General’s Office at the Supreme Court (OGH) also expressed “no objections”, as the threshold for intervention is “set very high”.
The Institute for Austrian and European Economic Criminal Law at the University of Economics and Business (WU) is much more skeptical. It is not clear whether the technical possibilities for such surveillance without violating fundamental rights exist or whether the surveillance software can be removed without causing damage. WU experts Robert Kert and Raphaela Bauer-Raschhofer also question whether there are enough human and technical resources for the planned monitoring by the legal protection officer.
The Austrian Bar Association is clearly opposed to this. They see a disproportionate infringement on the fundamental right to privacy. The “cardinal errors” are the exploitation of security loopholes and the fact that the planned restriction of surveillance to certain communication processes is not technically possible. There is also criticism of the fact that there are no provisions to protect those who are bound by professional secrecy, such as lawyers or journalists.
For the “League for Human Rights”, spying through a program introduced is incompatible with fundamental and human rights despite the planned security precautions, and the authorities are making do with the available options. If incidents could not be prevented in the past, it was because of insufficient staff or human error in dealing with available information. Amnesty International also warns that the human rights-compliant use of spyware cannot be independently verified because its manufacturers do not disclose the source code to their government customers.
There are also question marks over the costs: The Ministry of Finance and the Court of Auditors (RH) complain that the actually obligatory estimate of the costs to be expected from the change in the law is missing. According to the RH, additional costs are to be expected due to the planned monitoring and the multi-stage approval and control procedure.
