An Austrian law that allowed police to upload malicious software to targets' computers has been declared unconstitutional by the Constitutional Court.
Austria is one of a number of countries that have tried experimenting with such a law. The law permits law enforcement to install spyware on a target's computer. It had been attempted twice before, in 2016 and 2017. Eventually, a far-right government took power and passed it as part of a broader surveillance package. Ultimately, the law was challenged in court over its potentially unconstitutional provisions.
Now, it seems that the court has made a decision and declared the law unconstitutional. From EDRI:
In the judgement published on 11 December, the court pointed out that there is a huge difference between traditional wiretapping and the infiltration of a computer system in order to read encrypted messages. Information about the personal use of computer systems provides insight into all areas of life and allows conclusions to be drawn about the user’s thoughts, preferences, views and disposition. The court criticised especially that the law allowed the spying software to be used for prosecuting offences against property which have a low maximum penalty, like burglary (maximum penalty of five years).
Further, the court emphasised that the control mechanisms were insufficient. The law required a judicial approval at the beginning of the measure, and the control of the legal protection officer during the measure. The legal protection officer is a special Austrian institution that is supposed to protect the rights of those affected by secret investigations. Given the peculiarities and sensitivity of the surveillance measure this control mechanism was not enough of a safeguard for the Constitutional Court. The court required an effective independent supervision by an institution that is equipped with the appropriate technical means and human resources, not only at the beginning of the measure, but also for the entire duration of the surveillance.
The other provision that was challenged in front of the Constitutional Court was a mandatory data retention of car movements on Austria’s streets. The recognition of licence plates, car types and driver pictures in a centralised database of the Ministry of Interior was struck down as a form of indiscriminate data retention. A similar type of mass surveillance of telecommunication meta data was lifted in 2014. Austria is now one of very few EU countries without telecommunication data retention and government spyware. Uniquely, the debate in Austria was focused on the security risks that are inherent with government spyware. Through years of campaigning, most people have understood that the vulnerabilities required to infect a target device are a risk for everybody with the same operating system or application.
This isn’t the first time we’ve seen a European country experiment with laws that permit hacking and the uploading of malware by law enforcement. In 2009, France tried passing similar provisions in a law known as LOPPSI 2. In 2011, a court ruled that the law was constitutional. The court specifically ruled that mass Internet censorship passes constitutional muster in the country.
While the story in France is certainly a sad one, it seems that things turned out better in Austria. It’s unclear if the government intends to try and push to re-implement the laws. For now, though, citizens will get a minor reprieve from such a law.
Drew Wilson on Twitter: @icecube85 and Facebook.