Surveillance Package

The Conservative Far-right Government Wants to Massively Extend Surveillance

CC0

On April 20, 2018, the surveillance package passed the vote in parliament despite massive resistance from the civil society and incisive criticism from the opposition. Also in the Bundesrat this completely overblown extension of surveillance measures was waved through. In the beginning of June 2018 the first measures came into power - among others the data retention through the back door ("quick freeze") and the increased surveillance of road traffic.

History

In the year 2017, the campaign "Stoppt das Überwachungspaket!" (stop the surveillance package!) contributed to impeding the surveillance package of the government at that time. In a new try, the conservative - far-right government was able to implement this unprecedented derogation of your basic and freedom rights almost unchanged. During the entire process we offered massive resistance and we will continue to do so. We are convinced: Austria needs security, not surveillance.

These to proposals were in parliamentary review

  1. Amendment of Sicherheitspolizeigesetz, Straßenverkehrsordnung 1960 and Telekommunikationsgesetz: The statement of epicenter.works can be found >>here
  2. Amendment of the code of criminal procedure: The statement of epicenter.works can be found >>here.

Additionally to the possibility to contribute to the consultation, people could also agree to critical statements on the website of the parliament until the end of the review period.

The list of all statements regarding the Sicherheitspolizeigesetz, etc. can be found >>here, and the ones regarding the code of criminal procedure >>here.

The contents in detail 

Contents of the surveillance package:

State trojan

The first draft for the legalisation of governmental spy software was presented by the ministry of justice already in 2016. Due to massive criticism concerning juristical as well as technical aspects, the minister of justice Brandstetter withdrew the draft. In the failed surveillance package of 2017 and also again in the new one, there is again the demand for the possibility to surveil encrypted messages which inevitably means the demand for a state trojan.

It is particularly alarming that according to the current draft, everyone can be a victim of the state trojan: The law enforcement authorities are allowed to break into the computer systems of every person, every company, and every association from who/which they assume that they communicate with suspects (§ 135a Abs 1 Z 3 lit b StPO). The "remote hacking" of devices is also included. Such a remote infection requires particularly dangerous security leaks in the common operation systems. Apparently, the state trojan is allowed to cause permanent damage on the target system if it disabled after the end of the use (logical consequence of § 135a Abs 2 Z 1 StPO).

On our website for the state trojan there are further informations and materials regarding this topic.

Increased video surveillance

The ministry of interior is supposed to receive access to video and audio surveillance of all public and private institutions with a public supply contract. Consequently there will be a centralised governmental control of all public places and the life that is taking place there. No specific suspicion is required to justify the access to these data. Similar to the PStSG, the prevention of a probable attack (§ 53 Abs 5 SPG) suffices as justification. The security authorities can demand a data retention of the entire video surveillance of a supplier for four weeks with a simple administrative notice (§ 93a SPG).

In a next step this video material could be analysed to automatically register distinctive behaviour or to track individual persons with the means of facial recognition. In Austria there already are such research projects (see for example iObserve).

It is doubtful that video surveillance is an appropriate way to prevent terrorist attacks. After all, the entire shore promenade in Nice is under video surveillance which did not prevent the attack. Quite the contrary: Video cameras could encourage terrorists because their atrocities aim at unsettling the population as much as possible and video footage gives them more publicity. In January it was announced that the LPD Wien (Vienna police force) removed 15 of 17 surveillance cameras, because the costs were too high and their benefit for combatting crime was indiscernible.

IMSI-Catcher

Also the use of IMSI-catchers for the surveillance of mobile telephony is planned. These devices pretend to be a base station of the phone network for mobile phones. This way it is possible to localise mobile phones without the assistance of the network service provider. But it is more likely that the IMSI-catchers are also intended to be used to eavesdrop on conversations. Although this is the primary function of an IMSI-catcher, there is still no legal basis for this (§ 135 Abs 2a StPO). Update April 2018: There was an improvement in the final version. Initially there was no requirement of judicial approval planned for the use of an IMSI-catcher, but this has now been included.

Road surveillance

In future, the driver, licence plate, brand, model, colour, etc. of every car should be registered on all Austrian roads. The data which are either collected by the security authorities themselves or handed over by ASFINAG upon request can be stored for up to 5 years in cases of suspicion (§ 53a Abs 6 SPG). The data and the video material can be retained for up to two weeks (in the previous draft it was 48 hours). This means that there is a new kind of unfounded mass surveillance and every driver is put under general suspicion. From the perspective of basic rights, this step towards total surveillance of all cars is very problematic. The Austrian Constitutional Court decided in his ruling regarding Section Control in 2007 that surveillance of drivers is only permissible on specific, especially dangerous routes and only with a decree. Additionally, it ruled that licence plate data can only be transferred to the authorities if the vehicle was too fast or already circulated as wanted. But instead the draft of the law contains a kind of data retention and it is not compatible with this ruling. Furthermore, the draft contradicts the rulings of the European Court of Justice of the case Watson/Tele 2 Sverige, according to which a data retention - among other prerequisites - can only be permissible to combat serious crime.

In future, the driver, licence plate, brand, model, colour, etc. of every car should be registered on all Austrian roads. The data which are either collected by the security authorities themselves or handed over by ASFINAG upon request can be stored for up to 5 years in cases of suspicion (§ 53a Abs 6 SPG). The data and the video material can be retained for up to two weeks (in the previous draft it was 48 hours). This means that there is a new kind of unfounded mass surveillance and every driver is put under general suspicion. From the perspective of basic rights, this step towards total surveillance of all cars is very problematic. The Austrian Constitutional Court decided in his ruling regarding Section Control in 2007 that surveillance of drivers is only permissible on specific, especially dangerous routes and only with a decree. Additionally, it ruled that licence plate data can only be transferred to the authorities if the vehicle was too fast or already circulated as wanted. But instead the draft of the law contains a kind of data retention and it is not compatible with this ruling. Furthermore, the draft contradicts the rulings of the European Court of Justice of the case Watson/Tele 2 Sverige, according to which a data retention - among other prerequisites - can only be permissible to combat serious crime.

General data retention 2.0

In the surveillance package, the government demands also the reintroduction of the data retention through the back door. This law has been abolished multiple times by the high courts in Europe. In December 2016, the European Court of Justice ruled that the national regulations for the data retention in the UK and Sweden are incompatible with basic rights. In Austria, the unfounded data retention without suspicion was anulled by the constitutional court because of its incompatibility with basic rights; due to a complaint that was filed by AKVorrat (the previous name of epicenter.works). By order of the public prosecutors, telecommunication service providers will be required to retain data for up to a year (§ 135 Abs 2b StPO).

Registration of pre-paid SIM-cards

Anonymous pre-paid SIM-cards shall be abolished. Every purchase of a SIM-card should entail the registration of the identity of the buyer - yet another possibility to communicate unsurveilled is removed. Criminals can easily circumvent this measure with foreign SIM-cards and freely available anonymous messaging services. But for the majority of the users in Austria this simply means one less way to communicate anonymously. With this, 4.5 million users are put under general suspicion. The highly doubted benefit to fight crime is offset by the violation of the right of countless people to communicate freely and without being observed. This leads to believe that this measure is not proportionate.

A study of the interest representation of the telecommunication industry found no proof that the registration of SIM-cards results in an increase of solved crimes or help against terrorism. Mexico even abolished the ban on anonymous SIM-cards because the crime rate rose and it led to a black market for SIM-cards. The Czech Republic, New Zealand, Canada, Romania, the UK, and the EU commission analysed this measure and decided against it due to lacking proof of any benefits. After the London terror attacks of 2005, even a dedicated commission of security authorities analysed it and advised against its introduction because there was no evidence for the usefulness and for security benefits.

Additionally, this measure would weaken the flourishing scene of cheap virtual mobile communication providers. Only a few of these discounters currently have the infrastructure to validate the identity of the customers when they buy a SIM-card.

Limitation of the secrecy of letters

Die vorgeschlagene Novelle der Strafprozessordnung sieht folgende Streichung vor:

§ 135. (1) Beschlagnahme von Briefen ist zulässig, wenn sie zur Aufklärung einer vorsätzlich begangenen Straftat, die mit mehr als einjähriger Freiheitsstrafe bedroht ist, erforderlich ist und sich der Beschuldigte wegen einer solchen Tat in Haft befindet oder seine Vorführung oder Festnahme deswegen angeordnet wurde.

(The confiscation of letters is permissible, if it is necessary to solve a premeditatedly committed crime which is punishable by imprisonment of more than a year and if the suspect is currently in prison or there is a warrant for their apprehension or arrest.)

This change results in a massive limitation of the secrecy of letters, a basic right that is guaranteed by the constitutions of democratic states. This prejudices a major achievement which was arduously obtained after overcoming the Metternich surveillance state.

Our main points of criticism

  1. The security of the Austrian IT infrastructure is severely compromised.
  2. New forms of mass surveillance are introduced. They concern all federal roads and public locations.
  3. The demanded total account of surveillance was not carried out.
  4. With "Quick Freeze", data retention is introduced through the back door.
  5. A lot of (further) regulations with police state tendencies will be introduced into the Austrian legislation. This is increasingly creating the impression that Austria is being turned into a police and surveillance state.
  6. There is no impact assessment with regard to basic rights and society in the consultation draft.
  7. The planned measures have high intensity of intervention and are very expensive, yet it has been proven that they do not increase the security.
  8. The legal protection is not sufficiently warranted in many items of the drafts. Many measures still do not require the permit of a judge.

SECURITY INSTEAD OF SURVEILLANCE

In the surveillance package of the government there is no real security. Instead of "subjective" sense of security, scaremongering, and populism we need an "objective" security package:

  • more well-trained police officers instead of cameras
  • improved analysis capacities for security authorities: More highly skilled data analysts instead of more data
  • multilingual police officers and/or more translators
  • more prevention work to counter tendencies towards radicalism
  • a better connection to communities as confidence-building measures for an early recognition of radical tendencies
  • legal anchoring of the integrity of IT systems in the constitution
  • an "expiry date" for new surveillance laws ("sunset clauses" with scientific evaluation and withdrawal of ineffective measures)
  • an evaluation of all existing surveillance laws with regard to their compatibility with the constitution

How you can support us