Austrian Government Approves Bundestrojaner for Messenger Surveillance

The Austrian government has officially sanctioned the use of malware, referred to as the Bundestrojaner, to monitor encrypted messages on mobile devices and computers. This controversial decision aims to enhance the capabilities of national security agencies in accessing communications, even for individuals not suspected of any criminal activity, provided that other investigative measures have failed.

The ruling coalition, comprising the ÖVP, SPÖ, and NEOS parties, reached an agreement on amendments to several legal frameworks, including the State Protection and Intelligence Service Act, the Security Police Act, and the Telecommunications Act. This decision comes despite a significant public outcry during the consultation phase, where numerous objections were raised against the proposed surveillance measures.

The government's approach is outlined in official documents which state two primary objectives for implementing this surveillance: firstly, to prevent serious constitutional threats that carry penalties of ten years or more in prison, and secondly, to facilitate the monitoring of encrypted communications. Notably, the presence of a criminal suspicion is not a prerequisite for initiating surveillance.

Moreover, private companies will be compelled to assist in the surveillance efforts, a move that echoes criticisms aimed at similar policies in other countries, such as China. The Austrian government estimates that these companies will incur costs of approximately 2.5 million euros annually to support such operations, as they will only receive reimbursement for 80% of their expenses.

The Ministry of the Interior anticipates submitting around 30 requests per year for the surveillance of unencrypted messages and between 5 to 15 requests for encrypted communications. If there are 30 instances of encrypted message monitoring within a single calendar year, the Interior Minister is obligated to inform a permanent subcommittee of the National Council, which is the directly elected chamber of the Austrian Parliament.

Each surveillance method will require case-by-case approval from the Federal Administrative Court. The process involves a legal protection officer from the Ministry of the Interior, who will have three business days to respond to any request. Following that, a panel of three judges from the Federal Administrative Court will review the case. In urgent situations, an individual judge may grant approval, supported by a 24-hour judicial service system.

The court may only authorize the infringement of confidentiality concerning confession, editorial, or attorney-client privileges if deemed proportionate. However, patient confidentiality is only protected in specific contexts, such as for psychiatrists, psychologists, psychotherapists, probation officers, registered mediators, and recognized psychosocial counseling institutions.