The Constitutional Court of Austria recently struck down the government’s spyware & licence plate recognition law. Alina Hanel & Thomas Lohninger of Austrian digital rights NGO epicenter.works, which had campaigned against the law for years, explain the ruling’s context and significance.
The Austrian Constitutional Court decided on 11 December 2019 that the surveillance law that permits both the use of spying software to read encrypted messages and the indiscriminate recording of vehicle licence plates violates the fundamental right to respect for private life (Art 8 ECHR), the fundamental right to data protection (§ 1 Austrian data protection law), and the constitutionally granted right that prohibits unreasonable searches (Art 9 Austrian bill of rights — “Staatsgrundgesetz”).
This judgement comes after the legalisation of government spyware in Austria had already been prevented twice. In 2016, a draft bill was withdrawn by the justice minister after heavy criticism from civil society, technical experts, and academics. On a second attempt in 2017, the legalisation of government spyware was included in a broader surveillance package. The draft bill had already reached committee stage in the parliament but was withdrawn after a record number of consultation responses from individuals and high-profile institutions, like the Economic Chamber, the Supreme Court of Justice, and the Data Protection Board. In 2018, the far-right government adopted the now-contested surveillance package, including government spyware and indiscriminate licence plate recognition on Austria’s streets. The constitutionality of this law was subsequently challenged by a third of the Members of Parliament.
Government Hacking
The court pointed out that there is a huge difference between traditional wiretapping and the infiltration of a computer system in order to read encrypted messages. Information about the personal use of computer systems provides insight into all areas of life and allows conclusions to be drawn about the user’s thoughts, preferences, views, and disposition.
In light of these particular sensitivities, the court also admonished that the control mechanisms in place, high though they were by Austrian standards, were insufficient for computer system surveillance measures: a surveillance measure needed to be judicially approved in advance and supervised by a legal protection officer[1] during its execution. The court required effective independent supervision by an institution that is equipped with the necessary technical means and human resources, not only at the beginning of the measure, but also for the duration of the surveillance.
Further, the Constitutional Court made it clear that the measure could only be used in the case of particularly serious crimes. The repealed law also allowed the use of spy software to investigate property offences with a maximum sentence of up to five years, such as burglary.
The court ruling spells the end for governmental ‘Trojan horse’ software, at least for the time being. Even though the Constitutional Court did not describe the use of spy software as unconstitutional in itself, it set requirements that currently make it unattractive for the Austrian government to use this surveillance measure to read encrypted messages.
Street Surveillance
The other provision that was successfully challenged in front of the Constitutional Court was the mandatory data retention of car movements on Austria’s streets. The recording of licence plates, car types, and driver pictures in a centralised database at the interior ministry was struck down as a form of indiscriminate data retention. A similar type of mass surveillance of telecommunication metadata had been repealed in 2014.
Uniquely, the debate in Austria that surrounded this case was focused on the security risks that are inherent in government spyware. Through years of campaigning, most people have understood that the vulnerabilities required to infect a target device constitute a risk for everybody with the same operating system or application. We are happy that we could contribute to this awareness, having spent the last 3.5 years publicly advocating on this issue (see our campaign against the law and against government spyware).
[1] The legal protection officer is a special Austrian institution that is supposed to protect the rights of those affected by secret investigations.