• Home /
• News /
• 2025 /
• July /
• Austria legalises state spyware amidst strong opposition

Austria legalises state spyware amidst strong opposition

Topic

Country/Region

25 July 2025

Austria is set to legalise the use of highly-intrusive spyware by state authorities. The government has justified the law in the name of monitoring encrypted messaging applications. Opponents warn that there is no way to prevent the authorities accessing reams of sensitive information on targeted individuals, despite official promises to the contrary. Civil society organisations and opposition parties have promised to challenge the law in court.

Image: Gilles Lambert, Unsplash

---

On 9 July, Austrian parliamentarians passed a highly controversial bill legalising the deployment of state-sponsored spyware, known as the Federal Trojan (Bundestrojaner), to enable the interception of encrypted communications.

State spyware

The Bundestrojaner bill would give law enforcement agencies the power to install malware on private devices (such as smartphones or laptops) to monitor encrypted messaging applications.

It would do so by amending several laws, including:

• the State Security and Intelligence Service Act;
• the Security Police Act;
• the Telecommunications Act;
• the Federal Administrative Court Act; and
• the Judges’ and Public Prosecutors’ Service Act.

The plan sparked widespread concern among privacy advocates, cybersecurity experts, and numerous civil society organisations.

The day before the vote more than 50 organisations, including Statewatch, wrote to legislators.

A joint letter (pdf) called on them to “vote against this dangerous instrument of state surveillance and against a historic step backwards for IT security in the information society.”

Parliamentary majority

Legislators in Austria’s lower parliamentary house, the National Council, voted in favour of the bill, 105 to 71.

The interior minister Gerhard Karner, described it as a “special day for security.”

Support for the bill came from the governing parties – the conservative Austrian People’s Party (ÖVP), the Social Democratic Party (SPÖ), and most members of the liberal NEOS party.

Two NEOS MPs, Stephanie Krisper and Nikolaus Scherak, broke ranks to vote against the measure, alongside the Greens and the far-right Freedom Party of Austria (FPÖ).

On 17 July, the Federal Council – the upper house of the legislature – voted by 40 to 19 not to object to the bill, completing the parliamentary process.

The bill now awaits unanimous approval from the governments of Austria’s nine states before it can become, a constitutional requirement triggered by the inclusion of certain provisions on the administrative judiciary.  

Nevertheless, opposition parties and civil society organisations have said they will file legal challenges against the measures.

Unenforceable limitations

Government officials insist that the spyware will be restricted to targeting messaging apps and that broader system-wide searches will not be permitted.

However, technical experts have repeatedly warned that such limitations are practically unenforceable in real-world applications.

Spyware with the capability to intercept encrypted communications inevitably provides access to a wide array of personal information stored on the device, including photos, files, emails, contacts, and location data.

Critics note that this effectively bypasses all existing security protections, raising serious questions about the proportionality, necessity, and legality of such intrusive surveillance powers.

Attempted procedural safeguards

The current legislation includes some procedural safeguards, in an attempt to respond to critiques of previous state trojan proposals.

These include an extension of the review period for the Legal Protection Commissioner (from two weeks to three months), and transferring the authority to approve spyware deployment from a single judge to a panel of judges at the Federal Administrative Court.

However, the Legal Protection Commissioner is part of the Ministry of the Interior – the very same ministry that authorises and deploys the spyware – raising significant concerns about impartiality and conflicts of interest.

Furthermore, the intelligence agencies themselves conduct the mandatory trustworthiness assessments for the Commissioner and their deputies, further undermining the potential for effective and independent scrutiny of surveillance activities.

Institutionalising state hacking

The bill was approved in the National Council despite extensive opposition from a broad range of civil society groups, professional bodies, and public institutions – including bar associations, universities, municipalities, press freedom advocates, and medical organisations.

Following the vote, civil society organisations describing the law as institutionalising state hacking by deliberately exploiting software vulnerabilities.

In a joint statement, they said that the government should be working to close these gaps to protect citizens from cyber threats.

The Bundestrojaner: a long and contentious history

The Bundestrojaner has a long and contentious legislative history in Austria.

Initial attempts to introduce similar surveillance powers date back to 2016, but they were repeatedly rejected or delayed due to sustained criticism and concerns about privacy violations.

In 2019, Austria’s constitutional court struck down an earlier version of the law, ruling that surveillance of encrypted communications constituted a serious breach of fundamental privacy rights protected under the constitution.

---

Author: Samaya Anjum. The author would like to thank Andras Csontos for his assistance with questions regarding Austrian constitutional law.

Further reading