cross-posted from: https://hexbear.net/post/5696151
> >On 9 July, Austrian parliamentarians passed a highly controversial bill legalising the deployment of state-sponsored spyware, known as the Federal Trojan (Bundestrojaner), to enable the interception of encrypted communications.
>
> >The Bundestrojaner bill would give law enforcement agencies the power to install malware on private devices (such as smartphones or laptops) to monitor encrypted messaging applications.
>
> >It would do so by amending several laws, including:
> >the State Security and Intelligence Service Act; the Security Police Act; the Telecommunications Act; the Federal Administrative Court Act; and the Judges’ and Public Prosecutors’ Service Act.
>
> >The plan sparked widespread concern among privacy advocates, cybersecurity experts, and numerous civil society organisations.
>
> >The day before the vote more than 50 organisations, including Statewatch, wrote to legislators.
>
> >A joint letter (pdf) called on them to “vote against this dangerous instrument of state surveillance and against a historic step backwards for IT security in the information society.”
>
> >Legislators in Austria’s lower parliamentary house, the National Council, voted in favour of the bill, 105 to 71.
>
> >The interior minister, Gerhard Karner, described it as a “special day for security.”
> Support for the bill came from the governing parties – the conservative Austrian People’s Party (ÖVP), the Social Democratic Party (SPÖ), and most members of the liberal NEOS party.
>
> >Two NEOS MPs, Stephanie Krisper and Nikolaus Scherak, broke ranks to vote against the measure, alongside the Greens and the far-right Freedom Party of Austria (FPÖ).
>
> >On 17 July, the Federal Council – the upper house of the legislature – voted by 40 to 19 not to object to the bill, completing the parliamentary process.
>
> >The bill now awaits unanimous approval from the governments of Austria’s nine states before it can become law, a constitutional requirement triggered by the inclusion of certain provisions on the administrative judiciary.
>
> >Nevertheless, opposition parties and civil society organisations have said they will file legal challenges against the measures.
>
> >Government officials insist that the spyware will be restricted to targeting messaging apps and that broader system-wide searches will not be permitted.
>
> >However, technical experts have repeatedly warned that such limitations are practically unenforceable in real-world applications.
>
> >Spyware with the capability to intercept encrypted communications inevitably provides access to a wide array of personal information stored on the device, including photos, files, emails, contacts, and location data.
>
> >Critics note that this effectively bypasses all existing security protections, raising serious questions about the proportionality, necessity, and legality of such intrusive surveillance powers.
>
> >The current legislation includes some procedural safeguards, in an attempt to respond to critiques of previous state trojan proposals.
>
> >These include an extension of the review period for the Legal Protection Commissioner (from two weeks to three months), and transferring the authority to approve spyware deployment from a single judge to a panel of judges at the Federal Administrative Court.
>
> >However, the Legal Protection Commissioner is part of the Ministry of the Interior – the very same ministry that authorises and deploys the spyware – raising significant concerns about impartiality and conflicts of interest.
>
> >Furthermore, the intelligence agencies themselves conduct the mandatory trustworthiness assessments for the Commissioner and their deputies, further undermining the potential for effective and independent scrutiny of surveillance activities.
>
> >The bill was approved in the National Council despite extensive opposition from a broad range of civil society groups, professional bodies, and public institutions – including bar associations, universities, municipalities, press freedom advocates, and medical organisations.
>
> >Following the vote, civil society organisations described the law as institutionalising state hacking by deliberately exploiting software vulnerabilities.
>
> >In a joint statement, they said that the government should be working to close these gaps to protect citizens from cyber threats.
>
> >The Bundestrojaner has a long and contentious legislative history in Austria.
> Initial attempts to introduce similar surveillance powers date back to 2016, but they were repeatedly rejected or delayed due to sustained criticism and concerns about privacy violations.
>
> >In 2019, Austria’s constitutional court struck down an earlier version of the law, ruling that surveillance of encrypted communications constituted a serious breach of fundamental privacy rights protected under the constitution.