Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


Austria

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

In Austria, the laws currently in force in this regard are very restrictive. For the time being, the use of spyware in the context of criminal and intelligence investigations is not permitted. It is unlikely that this situation will change in the near future following a decision of the Constitutional Court of December 2019 (see below). Investigation measures are regulated in detail in the Code of Criminal Procedure (Strafprozessordnung 1975). For instance, monitoring (surveillance) of messages (Section 134 lit. 3 in conjunction with Section 135 para. 3 of the Code of Criminal Procedure) means monitoring communication and information sent, transmitted or received by a natural person via a communication network or a Service of the Information Society. Monitoring messages thus concerns the content of messages (e.g. traditional telephone surveillance). It is permissible – under more closely defined conditions – in cases of suspected kidnapping; in the investigation of certain punishable acts committed with intent; in order to observe a criminal or terrorist association or a criminal organisation; or in order to determine the whereabouts of a fugitive. However, this form of surveillance, which concerns unencrypted messages, does not include the use of spyware. In 2018, a new Section 135a of the Code of Criminal Procedure was enacted, permitting the use of spyware to read encrypted messages. Section 135a and related provisions of the Code of Criminal Procedure (in particular the already mentioned Section 134 lit. 3a) were to enter into force only on 1 April 2020, in order to allow sufficient time to procure the necessary software and to take the necessary technical and personnel measures. Eventually, however, on 11 December 2019 the Austrian Constitutional Court repealed these provisions even before their entry into force.
According to the Court, Section 135a and the corresponding provisions in the Code of Criminal Procedure violated several fundamental rights, above all the right to data protection (Section 1 of the Data Protection Act) and the right to respect for private life (Article 8 ECHR). Section 135a in conjunction with Section 134 para. 3a of the Code of Criminal Procedure provided (in specified cases and under certain conditions) for an authorisation to covertly monitor encrypted messages by installing spy software – a so-called "Federal Trojan" (Bundestrojaner) – on a computer system. Under certain circumstances, this could even include the power to intrude into and search apartments for the purpose of installing such a Trojan without the knowledge of the person concerned. In its decision, the Constitutional Court noted that surveillance within the meaning of Section 135a of the Code of Criminal Procedure had to be ordered by the public prosecutor's office on the basis of a court authorisation in accordance with Section 137 para. 1 leg.cit. Order, approval, authorisation and implementation of the measure were subject to review by the legal protection officer (Section 147 leg.cit.), who had to give his consent to certain measures and could lodge a complaint against the authorisation of the measure (para. of Section 147 leg.cit.). The Court held that covertly monitoring the use of computer systems constituted a serious interference with the right to privacy protected by Article 8 ECHR and was only permitted within extremely narrow limits in order to protect equally important legal interests. The "Federal Trojan" was a particularly intense form of surveillance measure, not least because an overview of the data obtained by monitoring a computer system enabled conclusions to be drawn about, among other things, individual users' personal preferences and lifestyle.
Moreover, the Trojan affected a large number of people, including individuals who had no connection with the person under surveillance. Section 135a of the Code of Criminal Procedure violated Article 8 ECHR because there was no guarantee that the surveillance measure would only take place if it was used to prosecute and solve sufficiently serious offences. Additionally, it was unconstitutional because the measure did not adequately secure the protection of the privacy of those affected by the Trojan. In view of the special features of the means used, effective independent supervision would be required both at the beginning of the measure and throughout the entire duration of the surveillance. The Constitutional Court pointed out that the legal protection officer could indeed inspect all documents relating to the investigative measure at any time and gain a personal impression of its implementation. However, there was no guarantee that after the ex-ante judicial approval of the measure, the legal protection officer would actually be able to effectively and independently monitor any ongoing covert surveillance. This would be particularly important here because the measure differed significantly from the surveillance measures previously envisaged in terms of its intensity of intervention. Finally, the authorisation to enter premises for the purpose of installing such a monitoring program without the knowledge of the person concerned violated the right to inviolability of the home, i.e. of private property. For all these reasons, the Constitutional Court annulled the contested provisions. Currently, not even the Austrian Directorate of State Security and Intelligence (Direktion für Staatsschutz und Nachrichtendienst – DSN), whose task is to protect against threats against constitutional institutions and their ability to act, is allowed to use spyware.
According to Section 8 of the Law on State Security and Intelligence (Staatsschutz- und Nachrichtendienst-Gesetz), they may acquire and analyse information on the basis of information from domestic authorities etc. They may, under certain conditions, collect and process personal data, for instance by accessing data which is publicly available on the internet; by means of observation and covert investigation; or by obtaining information about traffic data and location data (cf. Sections 10 and 11 of the Law on State Security and Intelligence). However, there is no provision that enables them to use spyware. A public debate on this subject takes place regularly; however, no new legal provisions in this context have been enacted so far due to a lack of political agreement. The Ministry of the Interior would welcome surveillance methods for messenger services such as WhatsApp in order to prevent terrorist attacks. This could include using spyware in order to hack a laptop or smartphone of a potential terrorist in case of (imminent) danger. A corresponding bill has already been drafted by the Ministry in the past. Furthermore, the events of recent days (i.e. the beginning of August 2024) regarding the planned terrorist attacks at the Taylor Swift concert in Vienna have once more raised the question of whether the powers of the Directorate of State Security and Intelligence should be extended (in this context, Austria has received information from foreign intelligence services). However, as stated, no law has been enacted so far, and in view of the upcoming parliamentary elections in autumn 2024 no initiative is to be expected before 2025. In any case, when drafting such new legal provisions, the decision of the Constitutional Court of 2019 has to be respected. There is no legal definition of the term "spyware"; its prohibition rather results from the fact that there is no explicit regulation/permission for it.
There would indeed have been a definition in the – repealed – Section 134 lit. 3a of the Code of Criminal Procedure. According to this definition, "monitoring of encrypted messages" would have meant the monitoring of encrypted messages and information sent, transmitted or received within the meaning of lit. 3 as well as the determination of related data within the meaning of Section 76a and Section 92 para. 3 lit. 4 and 4a Telecommunications Act by installing a program in a computer system (Section 74 para. 1 lit. 8 Criminal Code) without the knowledge of its owner or other authorised person in order to overcome encryption when sending, transmitting or receiving the messages and information.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

See answer to question 1; no regulation in force.
[For all surveillance methods (information on telecommunication data, monitoring of messages etc.), the Code of Criminal Procedure sets out in detail the specific conditions under which each individual method may be conducted (see Section 135 leg.cit.). The provisions repealed in 2019, in particular Section 135a leg.cit., had stipulated the conditions under which installing spy software on a computer system could be authorised, including (under even more restricted conditions) by intruding into apartments. Naturally, most of these rules would have been stricter than the rules for the other – less invasive – methods. For instance, they would have applied to cases of (suspected) crimes punishable by more than five years' imprisonment (compared to 6 months or one year in the case of the other surveillance methods). In part, the consent of the owner of the computer would have been necessary.]

3. What kind of data, if any, could be collected with spyware?

N/A

4. Has there been any official evaluation of the need for, or added value of, spyware?

No, there has not been an official evaluation.

5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

Investigation measures and the conditions under which they are permissible are regulated in detail in the Code of Criminal Procedure (Sections 134 ff). According to Section 137 para. 1, the criminal investigation department (Kriminalpolizei) may carry out surveillance pursuant to Section 136 para. 1 lit. 1 leg.cit. on its own initiative. Information on master data pursuant to Section 135 para. 1a first case leg.cit. shall be provided at the request of the criminal investigation department, the public prosecutor's office or the court. The public prosecutor's office shall order information on access data in accordance with Section 135 para. 1a second case and data retention for specific reasons in accordance with Section 135 para. 2b. The other investigative measures pursuant to Sections 135 to 136 leg.cit. (confiscation of letters, information on master data and access data, information on message transmission data, localisation of technical equipment, data retention for specific reasons and monitoring of messages pursuant to Section 135; repealed Section 135a leg.cit.; optical and acoustic surveillance of persons pursuant to Section 136) shall be ordered by the public prosecutor's office on the basis of a court authorisation, whereby entry into premises pursuant to (repealed) Section 135a para. 3 or Section 136 para. 2 leg.cit. requires a court authorisation in each case. Section 137 para. 3 regulates the duration of the measures, whereas Section 138 sets forth additional provisions on what the order and court authorisation must contain in the case of individual measures.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

There exist several national oversight mechanisms:
The competent organisational units for the protection of the constitution are the Directorate for State Protection and Intelligence Service (Directorate) of the Directorate General for Public Security and, in each federal state, an organisational unit responsible for state security which belongs to the respective state police directorate. In enforcing the Law on State Security and Intelligence, the Directorate shall act on behalf of the Federal Minister of the Interior, while the organisational unit responsible for state security shall act on behalf of the respective provincial police directorate. The Directorate and the competent organisational units at state level are, under certain conditions specified in the law, allowed to process data (see question 1). The legal protection officer (Section 14 of the Law on State Security and Intelligence in conjunction with Section 91a Security Police Act) is responsible for monitoring data processing covered by Section 12 paras. 1 and 1a of the Law on State Security and Intelligence (see Section 12 para. 6 and Section 14 para. 1 leg.cit.). Furthermore, the legal protection officer is responsible for special legal protection in the tasks under Section 6 paras. 1 and 2 leg.cit. (extended threat investigation and protection against attacks that jeopardise the constitution). Before carrying out tasks under Section 6 paras. 1 and 2 leg.cit., the competent organisational units shall obtain the authorisation of the legal protection officer via the Federal Minister of the Interior in advance. The same shall apply if it is intended to carry out special investigative measures pursuant to Section 11 leg.cit. (observation, undercover investigation, use of licence plate recognition devices, etc.) or to further process data collected pursuant to Section 10 para. 4 leg.cit.
The Directorate and the unit responsible for state security at state level also have to provide the legal protection officer with insight into all necessary documents, records and processed data, as well as grant him or her access to all premises under the conditions stipulated in Section 15 of the Law on State Security and Intelligence. If the processing of personal data has violated the rights of affected persons who are not aware of this processing, the legal protection officer is obliged to inform the affected persons or, if this is not possible, to lodge a complaint with the data protection authority (Section 16 leg.cit.; Datenschutzbehörde). Furthermore, each year, the legal protection officer reports to the Minister of the Interior on his/her activities and perceptions in the context of the fulfilment of his/her duties (Section 15 para. 4 leg.cit.). The Directorate also reports to the Minister of the Interior and publishes a yearly report about current and possible developments relevant to the protection of the constitution in order to inform the public (Section 17 leg.cit.). As a crucial oversight mechanism, the "Independent Control Commission for the Protection of the Constitution" (Unabhängige Kontrollkommission Verfassungsschutz) has been established with the Minister of the Interior in order to guarantee the lawful fulfilment of tasks. The five members are independent and not bound by instructions (Section 17a para. 4 of the Law on State Security and Intelligence). The Control Commission shall be responsible for monitoring the activities of the organisational units (with the exception of matters that are subject to the legal protection officer). It shall investigate allegations against activities of the organisational units (Section 17a paras. 1 and 3 leg.cit.).
The organisational units shall grant the Control Commission access to all premises and allow it to inspect documents and records (except in cases of danger to national security or the safety of persons etc.; cf. Section 17c para. 2 leg.cit.). The Control Commission shall submit an annual report to the Federal Minister of the Interior and the Standing Subcommittee of the Committee of Internal Affairs (of the National Council) as well as prepare an annual report informing the public about its activities. It may make recommendations to the Federal Minister of the Interior at any time (Section 17d leg.cit.). With regard to the classification of the oversight mechanisms, the legal protection officer pursuant to the Security Police Act is an independent executive organ, free from any instructions. The Independent Control Commission is also an executive organ. Due to its reporting obligation to the Standing Subcommittee of the Committee of Internal Affairs of the National Council, there is a parliamentary aspect involved. Finally, the data protection authority is also an executive organ. However, complaints may be lodged against decisions of the data protection authority with the Federal Administrative Court.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?

There exist several mechanisms in order to review the use of investigative measures, to control and ensure whether the legal requirements are complied with, as well as to redress situations where this is not the case. For the sake of completeness, ex-ante mechanisms will be mentioned briefly as well. As a form of ex-ante review mechanism, Section 137 para. 1 of the Code of Criminal Procedure provides for a judicial ex-ante approval of most of the investigative measures. The covert monitoring of encrypted messages by installing spy software provided for in the repealed Section 135a leg.cit. would have had to be ordered by the public prosecutor's office on the basis of a court authorisation as well (with even stricter rules in case a room etc. was to be entered). Where the use of an investigative measure (including, theoretically, such spyware) would be illegal, the judge must not give his approval. The competences of the independent legal protection officer (Section 47a para. 4 in connection with Section 147 of the Code of Criminal Procedure) combine ex-ante and ex-post review mechanisms. The legal protection officer is competent to examine and control the order, approval, authorisation and implementation of the investigative measure (Section 147 para. 1 leg.cit.). (S)he may lodge a complaint against the authorisation of certain measures (Section 147 para. 3). These provisions would also have applied to the repealed Section 135a leg.cit. The legal protection officer shall be given the opportunity at any time to gain a personal impression of the implementation of an investigative measure pursuant to Section 135a or Section 136 para. 1 lit. 3; for this purpose, he or she shall have access to all files, documents and data. This also applies to the results of an investigative measure (Section 147 para. 3a of the Code of Criminal Procedure).
After completion of an investigative measure, the legal protection officer must be given the opportunity to inspect and listen to the entire results before they are filed. She/he is also entitled to request the destruction of results or parts thereof (Section 147 para. 4 leg.cit.). The public prosecutor has to store all results of the measures and send them to the court (Section 145 para. 1 leg.cit.). As a form of redress mechanism, any person claiming that an investigative measure was ordered or carried out in violation of the provisions of the Code of Criminal Procedure and that, therefore, a subjective right has been violated in the investigation proceedings by the public prosecutor's office may appeal to the court (Section 106 para. 1 of the Code of Criminal Procedure, "objection due to infringement of rights"). Furthermore, as regards compensation for damages, the federal government is liable, inter alia, for pecuniary damage caused by the surveillance of persons pursuant to Section 136 para. 1 no. 3 (optical/acoustic surveillance in case of crimes punishable by more than 10 years' imprisonment, among others). This would have applied to surveillance of encrypted messages pursuant to the repealed Section 135a as well.