After the revelations by Edward Snowden, internet service providers reacted to the constant surveillance by companies and secret services by choosing to protect communication between users through encryption. Police authorities, secret services, and security politicians constantly stress that the surveillance of encrypted online communication is necessary to combat crime. This is not, however, easy to accomplish on a technical level. So their solution is: the state should be allowed to hack into the devices of the affected people and tap into communication before it is encrypted or after it is decrypted. This process entails compromising the security of the world-wide IT infrastructure and of every single smartphone, tablet, and computer. In short: in order to monitor the chats of a few suspects, everyone's security is sacrificed. In Austria the government is currently trying for the third time to introduce the legal basis for a state trojan. Twice we successfully fended off these plans. Now they are again part of the surveillance package of the government.

Update end of April 2018: On April 20, 2018, the legalisation of governmental spy software was adopted. The warnings of experts and political opposition were ignored. Use of the state trojan will be allowed starting April 1, 2020.

Encryption works: Mathematics eludes governmental power

The surveillance of encrypted communication quickly finds its mathematical limits when up-to-date methods are used. The concept of cryptographic methods can be defeated neither by supercomputers nor by judicial orders. It is a necessity for our information society. Without working encryption we would no longer be able to trust the technologies currently in use.

What they really want: A state trojan

The only possibility to surveil encrypted communication is to read it before encryption or after decryption directly on the respective device. For that, access to these devices is necessary. In order to access these devices via spy software - the state trojan - security leaks in computer systems have to be exploited.

Security leaks cultivated by the government

Like any other computer virus, the state trojan has to use an existing security leak in common operating systems in order to infect the device. To use existing security leaks means that the state has to purchase information about them on the black market and keep them secret from the manufacturers. This way, millions in taxpayers' money go into funding the INsecurity of the devices on which we rely every day. Installing back doors by the manufacturers themselves - as demanded by the German minister of the interior - means that every device and every application is susceptible to the security leak. The state does the exact opposite of what it is supposed to do: It creates dangers for everyone instead of protecting the population. It is an immense conflict of interest when the ministry is supposed to protect us against cyber crime on the one hand - by finding and closing security leaks - and on the other hand needs to buy security leaks, in part even the same ones, and keep them open and secret. This is like a door that is required by law to remain unlocked in order to catch burglars red-handed.

Security leaks are a danger for everyone

There are no "governmental" security leaks, there are only security leaks. Unlike security leaks in cars and locks, which are already incorporated today for the police, IT security leaks can be used to break into millions of systems at the same time. As long as a security leak in a piece of software exists, it can be used by criminals, dictatorial regimes, other countries, and competing companies. Very soon after a security leak becomes known, computer viruses are developed that infect systems on a large scale. This happened with the malware WannaCry, which shut down critical infrastructure in dozens of countries. Hospitals in the UK were unable to open patient files prior to critical operations, the service of the Deutsche Bahn was affected, and a Spanish telecommunications company had large-scale blackouts. Today we rely on computer systems in almost all areas of our lives. If the state actively compromises the security of these systems, this becomes a hazard to all of us!

Severe violations of personal rights

Technically, a state trojan that exclusively accesses online communication (fully or partly) cannot exist. It always has to infiltrate the entire system. Complete surveillance of devices is the only way to ensure that the state trojan is not circumvented by simple measures (like reinstalling the operating system or using a different chat app). This is why a state trojan is indistinguishable from an online search, which means full access to the device. This is thus a severe violation of the right to privacy of the affected person: All data, pictures, notes, contacts, locations, and even deleted messages that were never sent are monitored. A high-ranking panel of experts of the ministries of interior and justice assessed in 2008 that online surveillance is legal but an online search is not. See also the report of the expert panel led by the constitutional lawyer Prof. Bernd-Christian Funk, which determined that an online search of computer systems (infiltration and spying out IT systems) and, consequently, the use of a state trojan, are illegal.

No secure evidence

Complete access to a device makes the gathered information worthless as evidence. The state trojan accesses not only sent messages, but the entire device. So all information on the device can be manipulated, either by the state trojan or by third parties that use the same security leaks. Under those conditions, it is impossible to establish a complete chain of evidence. Even without manipulation, the state trojan is problematic during trials. If the suspect can claim plausibly that the evidence was manipulated, the prosecutors have to prove the opposite - which is impossible on hacked devices.

Sensible alternatives

For these reasons it is more sensible to rely on classical forensic methods. In case of probable cause, and with approval of a judge, it is possible to confiscate and analyse the device. With physical access, most encrypted data can be accessed. Furthermore, common observation and other methods of audio surveillance are already at the disposal of the authorities, and these methods do not require access to the devices of the target person. Those methods are cheaper and less dangerous for all, and they can be used to access encrypted communication in the case of a specific suspicion.

Resistance against the state trojan

Because of these good arguments and continuous educational work, the introduction of the state trojan failed twice. After the first try and after we disassembled a wooden Trojan Horse in front of the ministry of justice, the then minister of justice Brandstetter announced the withdrawal of the draft due to massive criticism because it "is not sensible in this form." The second try to introduce the state trojan as part of the surveillance package was withdrawn by the minister of the interior Wolfgang Sobotka in September 2017. The campaign "Stoppt das Überwachungspaket!" (stop the surveillance package!) was successful for the time being.

Governmental contradictions

In the coalition agreement of the current government the necessity to "close digital security leaks" in "IT systems" is mentioned repeatedly. It also says that "the digital security is crucial for a successful digitalisation." This blatant contradiction can only be resolved by not introducing a state trojan.

OUR DEMANDS

  • A ban on governmental spy software in Austria
  • Consolidation of the integrity of IT systems in the constitution
  • Diplomatic efforts to internationally condemn the use of cyber weapons
  • Cyberpeace, not cyberwar. Stop the military armament on the internet
  • Evaluation of all anti-terror-measures with regard to their compatibility with the constitution, suitability, and effectiveness (sum of surveillance according to HEAT, manual for the evaluation of anti-terror-laws)

Documents

The European Parliament is just about to vote on the draft report of the European Media Freedom Act. With this vote it has the unique opportunity to protect public access to independent, trustworthy reporting. To do so it must ban the use of spyware against journalists without exceptions. In this…

Mandatory disclosure of unmitigated vulnerabilities undermines the security of digital products and the individuals who use them. Sadly, this is in the proposal of the EU Cyber Resilience Act. Together with 10 digital rights NGOs we highlight the problem with this open letter.

The European Cyber Resilience Act has the potential to strengthen cybersecurity rules and to ensure more secure hardware and software products. To do so, however, the EU co-legislators have to effectively address the serious shortcomings of the EU Commission’s proposal.

Position paper by EDRi,…

These are the oral statements provided by Policy Advisor Tanja Fachathaler on behalf of Eticas Foundation in the plenary (and in informal groups) of the UN during the 4th session of the Ad Hoc Committee on the new Cybercrime Convention.

11.01.2023: Plenary statement on the procedural and law…

On 28.07.2022 we filed a criminal complaint with the Vienna public prosecutor's office against a Viennese company that, according to media reports and analyses by Microsoft, deployed illegal attack software at home and abroad.

All stories on this topic

This was 2023 from a digital rights perspective: We look back on an eventful year.

The rapid speed at which digital technologies are becoming increasingly connected and penetrate all areas of life also requires constant adaptation of legal regulations. This development also extends to the fighting of crime. Despite existing regulations at the regional level (for example, the…

The Austrian constitutional court decided on 11.12.2019 that the surveillance law that permits the use of spying software to read encrypted messages violates the fundamental right to respect for private life (article 8 ECHR), the fundamental right to data protection (§ 1 Austrian data protection…