Alumni Spotlight: Surveillance and the State Trojan in Austria
Last week the new right-wing government of Austria agreed on a "security package" which includes a wide range of intrusive surveillance measures: the police-use of private real-time CCTV footage and data from highway control, increased use of ISMI-catchers to localise mobile phones, a prohibition of anonymous pre-paid SIM cards, retention of telecommunications data (“Quick Freeze”), easier police access to private letters, and more. The most controversial part, however, is the introduction of government malware, a so-called State Trojan (Bundestrojaner). As policy advisor for the civil liberties organisation epicenter.works I advocate against this surveillance package.
Time to read
For many years police officers have been able to intercept mobile communications, and they have commonly used this method to investigate organised crime, for example drug trafficking, etc. Since communications are increasingly moving to encrypted online chats such as WhatsApp and Signal, the police is now struggling to gain access to these messages. They argue that if it is legal to intercept a text message, it should also be legal to intercept the same message though encrypted. But the comparison is flawed because hacking into devices is unequivocally more intrusive than traditional interception of communications and poses a danger to everyone’s computer security.
The state is on shaky ground when resorting to hacking, as this can potentially be seen as a violation of human rights. The implications for computer security are also troubling. Spyware that gives authorities access to mobile devices or computers relies on vulnerabilities in the security of the operating system. A system can only be kept secure when vulnerabilities that are found are mitigated as soon as possible. This process is impeded if the state has stakes in keeping vulnerabilities a secret. A security flaw left intact for the use of police can hence also be used by criminals for identity theft, fraud or ransomware like the virus WannaCry, which had 200,000 victims in May 2017. Furthermore, when buying the necessary exploits for spyware, authorities would be investing in a market for vulnerabilities which resides in a legal grey area. State authorities might find themselves bidding alongside criminal hackers for so-called zero-day exploits, which have not been yet mitigated.
Another important question is how sound the evidence coming from an infected system can be. If a system is hacked, it can be actively manipulated by anyone who exploits the same security flaw as the authorities. It is not clear how courts will determine if evidence could have been fabricated in such cases. There is a contradiction between wanting to fight crime with more and more surveillance and at the same time enabling cybercrime by destabilizing computer systems. For years, Austria has been seeing an overall decrease in crime and a rise in clearance rates: only internet crime is increasing. All in all, it seems unwise if not outright dangerous to introduce government malware.
The surveillance package on hand already has some history. It was first proposed in July 2017 and faced heavy criticism from experts, academics and civil society. We, the NGO epicenter.works campaigned against it. In the end, it could not be passed before the elections in October. Since December Austria has had a new government: a coalition of the conservative People’s Party and the far-right Freedom Party, which had been strongly against the surveillance bill while in the opposition. “It would mean the end of the rule of law as we know it,” their spokesperson Kickl had said in July of last year. Now, Kickl is the minister of the interior and is proposing the same package with minor amendments.
Working for epicenter.works, an NGO dedicated to civil liberties in the internet age I see it as my job to protect citizens and their privacy from government overreach. Our topics vary widely, though, and also include net neutrality, protecting the freedom of assembly, ensuring data protection in EU legislation and preserving the freedom of the internet from threats through copyright upload filters, internet blocking, and other actions. We will continue to fight surveillance measures that aren’t necessary and proportional, to defend the right to privacy in the digital age and we are looking forward to yet another intense campaign against the surveillance package and state malware.
Angelika Adensamer is an alumni of the Centre for Criminology, University of Oxford.
Twitter handle: @abendsommer