On 9 July, Austrian parliamentarians passed a highly controversial bill legalising the deployment of state-sponsored spyware, known as the Federal Trojan (Bundestrojaner), to enable the interception of encrypted communications.

The Bundestrojaner bill would give law enforcement agencies the power to install malware on private devices (such as smartphones or laptops) to monitor encrypted messaging applications.

It would do so by amending several laws, including: the State Security and Intelligence Service Act; the Security Police Act; the Telecommunications Act;the Federal Administrative Court Act; and the Judges’ and Public Prosecutors’ Service Act.

The plan sparked widespread concern among privacy advocates, cybersecurity experts, and numerous civil society organisations.

The day before the vote more than 50 organisations, including Statewatch, wrote to legislators.

A joint letter (pdf) called on them to “vote against this dangerous instrument of state surveillance and against a historic step backwards for IT security in the information society.”

Legislators in Austria’s lower parliamentary house, the National Council, voted in favour of the bill, 105 to 71.

The interior minister Gerhard Karner, described it as a “special day for security.” Support for the bill came from the governing parties – the conservative Austrian People’s Party (ÖVP), the Social Democratic Party (SPÖ), and most members of the liberal NEOS party.

Two NEOS MPs, Stephanie Krisper and Nikolaus Scherak, broke ranks to vote against the measure, alongside the Greens and the far-right Freedom Party of Austria (FPÖ).

On 17 July, the Federal Council – the upper house of the legislature – voted by 40 to 19 not to object to the bill, completing the parliamentary process.

The bill now awaits unanimous approval from the governments of Austria’s nine states before it can become, a constitutional requirement triggered by the inclusion of certain provisions on the administrative judiciary.

Nevertheless, opposition parties and civil society organisations have said they will file legal challenges against the measures.

Government officials insist that the spyware will be restricted to targeting messaging apps and that broader system-wide searches will not be permitted.

However, technical experts have repeatedly warned that such limitations are practically unenforceable in real-world applications.

Spyware with the capability to intercept encrypted communications inevitably provides access to a wide array of personal information stored on the device, including photos, files, emails, contacts, and location data.

Critics note that this effectively bypasses all existing security protections, raising serious questions about the proportionality, necessity, and legality of such intrusive surveillance powers.

The current legislation includes some procedural safeguards, in an attempt to respond to critiques of previous state trojan proposals.

These include an extension of the review period for the Legal Protection Commissioner (from two weeks to three months), and transferring the authority to approve spyware deployment from a single judge to a panel of judges at the Federal Administrative Court.

However, the Legal Protection Commissioner is part of the Ministry of the Interior – the very same ministry that authorises and deploys the spyware – raising significant concerns about impartiality and conflicts of interest.

Furthermore, the intelligence agencies themselves conduct the mandatory trustworthiness assessments for the Commissioner and their deputies, further undermining the potential for effective and independent scrutiny of surveillance activities.

The bill was approved in the National Council despite extensive opposition from a broad range of civil society groups, professional bodies, and public institutions – including bar associations, universities, municipalities, press freedom advocates, and medical organisations.

Following the vote, civil society organisations describing the law as institutionalising state hacking by deliberately exploiting software vulnerabilities.

In a joint statement, they said that the government should be working to close these gaps to protect citizens from cyber threats.

The Bundestrojaner has a long and contentious legislative history in Austria. Initial attempts to introduce similar surveillance powers date back to 2016, but they were repeatedly rejected or delayed due to sustained criticism and concerns about privacy violations.

In 2019, Austria’s constitutional court struck down an earlier version of the law, ruling that surveillance of encrypted communications constituted a serious breach of fundamental privacy rights protected under the constitution.