ÖVP plan polarizes

Data protectionists warn against messenger surveillance

Interior Minister Gerhard Karner (ÖVP) is campaigning for an expansion of surveillance options on smartphones.

(Bild: APA/Georg Hochmuth)

In 2018, the then ÖVP-FPÖ coalition decided on a "federal Trojan" to monitor messengers, which was overturned by the Constitutional Court (VfGH) in 2019 before it came into force. After long resistance from the Greens, Interior Minister Gerhard Karner (ÖVP) has now sent a new draft law for review in the wake of the suspected attack plans on a Taylor Swift concert being prevented. However, data protectionists also reject this.

The ÖVP has been pushing for more powers for the Directorate for State Security and Intelligence (DSN) to monitor messengers for some time. Although the Greens continue to reject a new "federal Trojan" due to the encroachment on fundamental rights and freedoms, they have recently shown themselves to be open to new possibilities for the DSN to prevent violent terrorist acts and have called for the draft law to be reviewed in order to clarify open questions. The deadline for this ended today, Wednesday.

Data protectionists castigate "legal fiction"
The new draft of the State Protection and Intelligence Service Act (SNG) on messenger surveillance has also fallen foul of data protection organizations. In it, the Ministry of the Interior has explicitly addressed the Constitutional Court's stipulation that the monitoring of computer systems is only permitted "within extremely narrow limits". However, for epicenter works, for example, the restriction of surveillance to a certain amount of data from a defined period of time provided for in the law is only a "legal fiction" because a "federal Trojan" only works with full administrative access to the cell phone. Increased legal protection - the plan is for the Federal Administrative Court (BvWG) to grant approval and refer the matter to the Legal Protection Commissioner at the Ministry of the Interior - is in turn "merely lip service" without a new institution such as a legal protection senate or without additional resources or powers.

The data protection authority (dsb) believes that the hurdles envisaged in the draft law for such a "far-reaching intervention" as messenger monitoring are too low. The dsb cannot even assess whether the planned software is permissible from a data protection perspective because there is no precise description of the technical and organizational framework conditions - a criticism that is also repeated several times in other statements. The Data Protection Council lacks concrete information as to why the measure is necessary and suitable to avert serious threats. The data protection organization noyb also misses clear regulations that ensure that the software used meets the requirements of data protection and the constitution.

Legal opinions differ
Legal experts are divided. Representatives of the Institute for Criminal Law and Criminology at the University of Vienna agree with the planned regulation. Criminal law professors Farsam Salimi and Susanne Reindl-Krauskopf find it difficult to understand why, in contrast to other constitutional democracies, the content of communications cannot be accessed, at least in serious individual cases, in order to prevent crimes and solve crimes that have been committed. This "gap" is now being closed, at least in the area of constitutional protection.

Neither of them see the danger of blanket surveillance, as the measure should only be considered in cases of serious threat or espionage and only if the use of other measures would be futile. The multi-stage authorization and control procedure limits the interference with fundamental rights to what is absolutely necessary. The General Procuratorate at the Supreme Court (OGH) also expressed "no objections", as the threshold for interference was "very high". The BvWG also has no constitutional objections, but in its opinion calls for additional staff for the new task.

The Institute for Austrian and European Commercial Criminal Law at the Vienna University of Economics and Business (WU) is far more skeptical. It is not clear whether there are even the technical possibilities for such monitoring that does not violate fundamental rights, or whether the monitoring software can be removed without causing damage. WU experts Robert Kert and Raphaela Bauer-Raschhofer also question whether there are sufficient personnel and technical resources for the planned monitoring by the Legal Protection Commissioner. For the Association of Judges, an unlimited application of the law seems to be ruled out. However, it fears that, for technical reasons, the monitoring options promised in the law "can only be achieved to a limited extent and with the risk of negative effects for IT security as a whole".

Clear rejection comes from the Austrian Bar Association. They see a disproportionate encroachment on the fundamental right to privacy. "Cardinal errors" include the exploitation of security loopholes and the fact that the planned restriction of surveillance to certain communication processes is not even technically possible. There is also criticism of the fact that there are no provisions to protect persons subject to professional secrecy, such as lawyers or journalists.

Numerous NGOs express concerns
For the "Liga für Menschenrechte" (League for Human Rights), spying through a program that has been introduced is incompatible with fundamental and human rights despite the planned security precautions; for the Austrian Trade Union Federation (ÖGB), the protection of fundamental rights and freedoms demanded by the Constitutional Court has not been achieved and the project is also technically impossible to implement. Amnesty International also warns that the human rights-compliant use of spyware cannot be independently verified because its manufacturers do not disclose the source code to their state customers. The Chaos Computer Club Vienna (C3W) sees this as a threat to the Austrian IT landscape. The Internet Service Providers Austria (ISPA) also warns of "incalculable security risks" for providers and their users, as the draft does not rule out spying on cloud systems or other devices with an internet connection, such as smart home systems.

The Austrian Bishops' Conference in turn criticizes the fact that - unlike in the Code of Criminal Procedure - the "protection of clerical confidentiality", which is intended to guarantee the secrecy of confession, is not enshrined in the SNG. The Ministry of Finance and the Austrian Court of Audit (ACA) criticized the fact that the mandatory assessment of the costs to be expected as a result of the change in the law was missing.

In a statement to the APA, Interior Minister Karner emphasized that he would continue to fight vehemently for messenger surveillance, the aim of which is to prevent terror and protect people. "Protecting people is more important than data protection", said Karner.