The Austrian government is likely to face legal challenges after it succeeded on its fifth attempt to pass a law this month that gives the country’s intelligence service legal powers to deploy spyware on phones and computers.
Civil society groups are holding discussions with MPs from the far-right Freedom Party (FPÖ) and the Greens, both of which voted against the new surveillance measures, regarding a legal challenge before Austria’s constitutional court.
Austria’s lower house passed the law on 9 July 2025, giving the Austrian intelligence service – the Directorate of State Protection and Intelligence (DSN) – the capability to deploy spyware, known as “a state trojan”, to monitor encrypted communications on services such as WhatsApp and Signal.
The three coalition governing parties, ÖVP, SPÖ and NEOS, agreed to changes to the State Protection and Intelligence Service Act (SNG), the Telecommunications Act 2021, the Security Police Act (SPG) and other laws to allow the state to spy on encrypted messages and gather other data stored on electronic devices.
The coalition government, headed by chancellor Christian Stocker, argued that Austria should have a legal framework to enable it to monitor encrypted messaging services in line with countries such as the UK and the US.
Austrian politicians pressed the case after a tip-off from the US Central Intelligence Agency (CIA) warning of an impending attack at a Taylor Swift concert, part of the Eras Tour, in August 2024 led to the cancellation of three concerts in the country. US intelligence reportedly identified that one of the suspects pledged to ISIS-K on the Telegram messaging app.
The new law has been criticised by civil society groups and some technology companies, which argue that the introduction of a “state trojan” will undermine internet security for Austrian citizens.
In July, 50 civil society groups from 16 countries wrote an open letter to MPs and the Austrian National Council, warning that the move to increase state surveillance would be a historic step backwards for IT security.
The civil society groups said the draft law was based on a “legal fiction” that would mean that, rather than protecting the population from cyber security risks, the state would instead promote and maintain security vulnerabilities, which will inevitably be discovered and exploited by hackers and hostile nation-states.
They point to the WannaCry ransomware attacks, which exploited a security vulnerability developed by the US National Security Agency (NSA) to infiltrate computer systems, causing severe disruption of hospitals, trains and mobile phone networks in 2017.
Thomas Lohninger, executive director of digital rights organisation Epicenter.Works, told Computer Weekly that his organisation will “try everything” to challenge the new law in Austria’s constitutional court. This includes bringing a constitutional challenge from the opposition Green Party and far-right FPÖ MPs before the law is enacted – a move that requires support from a third of MPs.
He said there is an intrinsic problem with state spyware that requires the state to invest taxpayers’ money into making people’s devices less secure and exposes critical security vulnerabilities in essential infrastructure.
Security vulnerabilities would be ‘huge problem’
“We see this as a huge problem, and legally speaking, it’s also a reversal of the interest the government is supposed to take in keeping us safe, and that also includes the IT security of our infrastructure,” he said.
Lohninger is concerned about intelligence services going further than the law allows, as once they deploy a state trojan on a target phone, intelligence agents will be able to do far more than simply read messages.
“The law only allows individual messages, but of course, technically speaking, you have to hack the whole smartphone. That gives you far more access than what is legally allowed,” he said.
There are also concerns that the DSN will be legally able to deploy spyware to target individuals before there is a reasonable suspicion of wrongdoing. Immigrants or climate activists could be targeted, Lohninger suggested.
Spyware used against journalists, lawyers and politicians
European governments have used spyware to monitor journalists, lawyers and political opponents. In Spain, the secret service uses the Israeli spyware Pegasus to monitor the phones of activists, journalists, politicians and supporters of Catalan independence.
In the “Predatorgate” scandal, the Greek intelligence service used spyware to monitor politicians and journalists. And Pegasus spyware was deployed in Poland against 600 individuals, including opposition figures and lawyers.
The Austrian spyware law requires the DSN to seek approval from a panel of three judges who will assess whether its deployment is proportionate. A legal protection officer, usually a retired judge, will have oversight of the use of the spyware when it is deployed.
Lobbying by civil society groups and opposition MPs has ensured that the new law contains protections for judges and lawyers, to ensure that legally privileged material is not compromised, and for journalists, to protect confidential journalistic sources and material.
Conflict of interest
However, critics point out that the legal protection officer’s oversight function is part of the Ministry of Interior, the same department responsible for deploying government spyware, rather than a fully independent body, raising potential conflicts of interest.
Austria’s DSN intelligence agency is responsible for vetting legal protection officers and, in effect, can veto candidates for the role, raising further questions about independent oversight.
Lohninger said a law to allow state use of spyware in Austria would not have been necessary to detect the threat to Taylor Swift, as US agents infiltrated a chat group on Telegram, which was not encrypted.
Austria’s failed attempts at spyware laws
The Austrian Parliament has made several previous attempts to introduce laws to permit the use of state-sponsored spyware.
In 2016, the Austrian People’s Party (ÖVP) attempted to introduce a state trojan, but abandoned the idea after the proposal attracted widespread criticism.
In 2017, a second attempt failed to get off the ground.
In 2018, Austria adopted a state trojan law to permit law enforcement to deploy spyware for criminal investigations, until it was repealed by Austria’s Constitutional Court in 2019.
The court found that the legal protection mechanisms in place for monitoring encrypted communications were inadequate and they lacked proper oversight from the courts and an independent oversight body.
The 2024 coalition government attempted to resurrect a law allowing the use of state spyware by Austria’s intelligence service, prompting widespread criticism from lawyers, the high court and academics.
In February 2025, a new coalition government, made up of the centre-right ÖVP, the Social Democrats (SPÖ) and the liberal NEOS, succeeded in pushing the new law through, allowing the deployment of spyware for intelligence gathering.
The Austrian government plans to issue a tender for monitoring technology and is expected to begin deploying spyware in 2027. It has a budget of €50m to run the operation between 2025 and 2030.
The DSN has not disclosed what spyware it will deploy, but is expected to buy off-the-shelf spyware – such as Pegasus, which continues to be supplied by the Israeli NSO Group.
Austrians have also speculated that Dream Security, a security company founded by former Austrian chancellor Sebastian Kurz and NSO Group co-founder Shalev Hulio, might also be in the running for a contract.
Legal challenge before 2027
Lohninger said there was a “high likelihood” that opposition MPs would agree to bring a joint legal challenge before 2027. If that fails, a legal challenge could be brought by an Austrian citizen targeted by state spyware.
Kee Jeffreys, co-founder of Session, an encrypted messaging app based in Switzerland which runs on a decentralised network, said that the Austrian government stockpiling vulnerabilities for use in spyware posed wider security risks.
“If those vulnerabilities don’t get exposed or don’t get told to the developers of software, you are leaving those vulnerabilities out there for non-government hackers or other government hackers,” he told Computer Weekly.
He said it was disproportionate to monitor people’s encrypted messages without grounds for suspicion.
“Does that mean that to catch criminals who undertake crimes in households we should install security cameras in every single house and monitor those feeds at all times so that we can catch a lot more criminals?” he said.