Introduction
Austria has passed a law that allows its domestic intelligence service to deploy spyware on smartphones and computers in order to monitor encrypted messaging. The measure was approved by the lower house on July 9, 2025, after years of political false starts. The government argues it needs a targeted way to reach communications that investigators cannot otherwise see. Opponents warn that the law opens the door to broad and intrusive surveillance that threatens press freedom, legal privilege, and the security of everyone’s devices. Civil society groups and opposition parties are preparing to challenge the law in Austria’s Constitutional Court.
What Changed
On July 9, 2025, Austria’s lower house approved a bill that permits authorities to remotely install government spyware on devices used by a small number of high-risk targets. The measure expressly covers communications that move through end-to-end encrypted apps like WhatsApp and Signal. The country’s Directorate of State Protection and Intelligence, known as the DSN, is designated to use the tool in national security cases, with parallel paths for law enforcement in defined serious crime scenarios. Supporters pitched the program as narrow, judge-authorized, and focused on preventing terrorism and similar threats. The stated design is to target roughly a few dozen people per year, and each instance requires prior approval by a three-judge panel. Procurement and technical preparations mean the capability will not be active overnight, with officials pointing to a multi-year runway before routine use is possible.
A Fifth Attempt Finally Succeeds
This was not Austria’s first run at a “state trojan.” Earlier efforts stalled or were struck down, and public resistance was intense. Digital rights groups describe the 2025 push as the fifth attempt to legalize the capability, a detail that helps explain how organized and ready the law’s critics are for another round in court. In 2019, the Constitutional Court invalidated a previous hacking law, which set important guardrails that lawmakers have now tried to address with new language on necessity, proportionality, and oversight. Whether those revisions are sufficient will be at the heart of any constitutional challenge.
Why the Government Says It Needs Spyware
Investigators face a practical barrier when suspects use end-to-end encryption. Neither service providers nor carriers can decrypt content, and traditional wiretaps simply do not work. The Austrian government frames spyware as a last-resort tool that activates on the suspect’s device itself, capturing communications at the point of typing or display. Officials say they have repeatedly depended on foreign intelligence to close gaps, which is politically uncomfortable and operationally limiting. A recent threat incident, widely cited by policymakers, involved foreign-supplied leads that helped avert a possible attack in Vienna. Proponents argue that targeted device access, used sparingly and with a judge’s approval, brings Austria in line with tools used in other European countries to counter modern terrorism, organized crime, and espionage.
Why Opponents Say It Goes Too Far
Civil society organizations, press freedom advocates, and several political parties say the measure is risky by design. First, a government program that relies on device compromise must hold or buy knowledge of software vulnerabilities. Keeping those weaknesses unpatched can make everyone less safe because the same holes can be discovered and exploited by criminals or foreign intelligence. Second, the line between targeted and broad surveillance can blur over time. Even if the annual cap starts small, critics fear scope creep, where definitions of qualifying offenses expand or exceptional tools become routine. Third, spyware can reach all the sensitive parts of a device, including real-time microphone and camera access, location history, private photos, contact lists, cloud tokens, and drafts of messages never sent. That depth of access has serious implications for legal privilege, source protection, and the confidentiality expectations of doctors, therapists, and clergy who communicate with clients using digital tools.
What the Law Actually Allows
The text approved by the lower house creates a path for authorities to request authorization to use device spyware against specific individuals who present a materially significant threat to national security or are suspected of certain serious crimes. It ties approvals to a three-judge panel and anticipates independent oversight. Public briefings described a numerical ceiling on targets, with reporting requirements if exceptional circumstances demand more. Technical procurement will follow legislative approval, including competitive tenders for the software platform and red-team testing before deployment. Based on the government’s published timeline, routine operational capability would begin after those steps are complete.
Who Voted For and Against It
The law passed with the votes of the governing coalition, while the Greens and the Freedom Party voted against. Both parties voiced concerns about the breadth of surveillance powers and the risk to fundamental rights. Their opposition matters because they are engaged in active conversations with civil society about taking the matter to the Constitutional Court. This alliance creates a structurally strong plaintiff posture, combining parliamentary standing with expert support from digital rights organizations.
How State Spyware Works in Practice
Think of spyware as a custom implant that sits quietly on a phone or laptop, with the ability to exfiltrate information and activate sensors. Delivery can be through spear-phishing, a malicious link, a compromised app update, or a so-called zero-click exploit where the user does nothing more than receive a message. Once in place, the operator can capture keystrokes, screenshots, and the content of messaging apps at the point of use. Even when encryption is strong, the implant sidesteps it by reading the message in plain text before it is encrypted or after it is decrypted on the device. The most capable platforms can toggle microphones and cameras, access files, and follow movement through location services. This is why the technology is often described as a last resort, not a first step.
Safeguards the Government Highlights
Officials point to a set of controls intended to prevent abuse. There is a requirement to convince a panel of judges that the target presents a significant threat and that other tools would not work. Each operation is time-bound and is supposed to be logged, with after-action documentation for oversight bodies. If the number of targets exceeds an annual threshold, additional scrutiny and reporting kick in. Supporters also emphasize parliamentary oversight of the DSN and auditing of the program’s use, as well as procurement rules that should ensure independent testing before any tool is used. These are design choices meant to address past constitutional objections and European human rights standards on necessity and proportionality.
The Main Legal Fault Lines
Expect the legal challenge to turn on a few core questions. First, necessity and proportionality. Judges will ask whether the same investigative goal could be achieved with less intrusive means, such as traditional metadata analysis, undercover work, or targeted device searches with physical warrants. Second, foreseeability and precision. Constitutional case law is skeptical of broad terms that let ministries decide what counts as a qualifying threat without tight definitions. Third, safeguards and oversight. Courts look for strong, independent controls on approvals, real-time supervision, and effective remedies for people who were surveilled unlawfully. Fourth, cybersecurity risk. Keeping vulnerabilities unpatched may be argued to violate the state’s positive obligation to protect citizens’ security in the digital domain. Finally, sensitive professions. Rules that allow spyware to capture communications with journalists, lawyers, doctors, or clergy can collide with constitutional protections for the press, the right to a defense, and privacy in medical and spiritual care.
How Prior Rulings Shape This Fight
Austria’s 2019 Constitutional Court decision that struck down an earlier hacking law will loom large. That ruling signaled that device hacking is among the most intrusive investigative methods and demanded strict limits and oversight. Lawmakers now claim they have responded with narrower triggers, independent judicial panels, and quantitative caps, along with a more detailed audit trail. The constitutional judges will evaluate whether those changes truly alter the balance or simply move familiar powers into new packaging. If the court concludes that the statute still allows capture of entire device life without sufficiently tight controls, it could block the measure or require further amendments.
Could It Really Stay “Small”?
One promise behind the new framework is the small number of yearly targets. That is an important political and legal selling point, but it is only a starting condition. History suggests that once a powerful tool exists, pressure to use it can grow. In Germany, for example, courts have recently tightened limits after agencies broadened spyware use beyond what lawmakers first envisioned. The lesson for Austria is that numerical caps are not a complete safeguard. The law will live or die on how clearly it defines qualifying threats, how often auditors say no, and how ready parliament is to intervene if use expands.
What Happens Next
The opposition parties that voted against the measure are in active discussions with civil society about a constitutional complaint. That filing can seek interim relief, which would freeze parts of the law while judges study the merits. Even without an injunction, a challenge could slow procurement or impose temporary guardrails through judicial guidance. Meanwhile, the executive branch will move forward with vendor selection, testing, and internal protocols so that, if the law stands, the system can operate as described. The government has publicly said that fully operational monitoring would not begin immediately but rather after technology and oversight processes are in place.
What It Means If You Live in Austria
If you are an ordinary user, the risk of becoming a direct target is low in absolute terms. The program is designed to focus on a small population that investigators classify as high-risk. Still, the policy has wider ripple effects. If the state holds unpatched vulnerabilities for long periods, everyone’s device security can be weaker than it should be. And if your communications are with someone who is targeted, your messages can be captured at the other end. For people in sensitive professions or with public-facing roles, there are extra considerations. Journalists may need to reassess source-protection practices. Lawyers should review privilege protocols, especially when using messaging for client communications. Doctors, therapists, and clergy may wish to separate personal devices from work devices more strictly and review client consent language about digital communications. Small businesses that handle confidential commercial data should consider practical hardening steps, such as managed device updates, application whitelisting, and better segregation between personal and company systems.
Practical Safety Steps You Can Take Today
Keep devices updated. Most infections exploit known vulnerabilities that patches can close. Use a modern phone with vendor support rather than an older device that no longer receives updates. Be cautious with links and attachments in messages, even if they appear to come from someone you know. Consider using separate devices or profiles for sensitive work, which limits the data available if one environment is compromised. Turn off automatic backups of highly sensitive communications if you do not need them, since cloud tokens can be a path to your history. On laptops, enable full-disk encryption and strong login credentials. For journalists and lawyers, a basic threat-modeling session can help you identify the two or three highest-impact changes to make first. Recognize that no checklist can guarantee immunity from a state-level attacker, but incremental improvements significantly raise the cost and lower the odds of compromise.
Special Considerations for Journalists, Lawyers, and Activists
Journalists should assume that source communications might be captured at the source if a device is targeted. Consider moving initial outreach to channels that minimize digital footprints and using inboxes or drop boxes that do not require persistent accounts on your daily driver device. Maintain an old-fashioned contact protocol for emergencies that does not rely entirely on one device. Lawyers should ensure that client confidentiality clauses and privacy notices explain digital risk and align with bar rules. Set up documented procedures for segregating privileged communications, including avoiding client chats over personal accounts. None of these steps are perfect, but each reduces exposure if targeted surveillance occurs in your circle.
How Austria Fits Into the European Picture
Austria’s move arrives amid a broader European debate about spyware. Austrian lawmakers say they designed the new law to meet these expectations, with limited targeting and multi-judge approvals. Critics counter that any system built on stockpiling vulnerabilities cannot be squared with the obligation to protect citizens’ security in the digital environment. The Constitutional Court will measure the new framework against European human rights standards and Austria’s own constitutional doctrine.
Myths and Facts
Myth: Encryption is broken by this law. Fact: The law does not require service providers to decrypt messages. Instead, it allows authorities to capture content on the device, before encryption or after decryption. This is why spyware is so invasive. Myth: This is mass surveillance. Fact: The framework is pitched as targeted, with numerical caps and multi-judge oversight. The real question is not the starting scope but whether future practice stays within narrow limits. Myth: Only criminals are at risk. Fact: If your communications are with a targeted person, your side of the conversation can be collected, and data from your device can be indirectly exposed through shared files or tokens. Myth: A VPN will protect me. Fact: A VPN protects data in transit across networks. Spyware lives on the device, so it can access content before it reaches the VPN tunnel. Myth: Open-source phones are immune. Fact: Security depends on patching and maintenance. Unmaintained devices, whether open or closed, are easier to compromise.
Likely Paths for a Court Challenge
Opponents are expected to argue that device hacking is the most intrusive form of surveillance and therefore requires near-impossible justification unless the state can prove that nothing else would work. They will point to the 2019 ruling, arguing that the new statute still fails on precision and foreseeability. If not, the law could be struck down in whole or in part, or the court could impose conditions that force new amendments.
What To Watch For Next
Watch for the formal filing of a constitutional complaint by opposition lawmakers backed by civil society groups. Look for any request for interim measures that would pause implementation. Keep an eye on procurement notices and tenders, which will hint at the technical architecture and vendor selection. Expect more detailed guidance from the justice and interior ministries about how the three-judge approvals will work in practice, what counts as a qualifying threat, how logging and auditing will be done, and how privileged communications will be handled. Parliament’s oversight committees will likely schedule hearings to question agency heads about readiness, safeguards, and early lessons once the system goes live.
Frequently Asked Questions
Is this legal today, or does something else need to happen first? The lower house passed the bill on July 9, 2025. Additional steps and implementation work follow, including procurement. The government has signaled that operational use is expected after those steps are complete.
How many people can be targeted each year? Public descriptions reference a small, capped number of annual targets, with additional oversight if that ceiling is exceeded. The cap is a policy promise tied to legal text that the court will scrutinize.
Does the law force companies to weaken encryption? No. The concept is to capture content on a device that is already in plain text, not to compel providers to build back doors.
When would this start affecting real cases? Not immediately. Procurement, testing, and internal procedures must be in place first. Officials have referenced a multi-year runway before routine use begins.
What are the most important personal steps I can take? Keep devices updated, be careful with links and attachments, consider device separation for sensitive work, and use strong authentication. None of these steps guarantee immunity, but they reduce the risk that you or your contacts become collateral in a targeted operation.
Conclusion
Austria’s new spyware law is a watershed moment in the country’s surveillance policy. The government has finally secured legislative approval for a tool it has pursued for years, and it has done so with language meant to answer previous constitutional critiques. At the same time, the risks that come with any state hacking program are real. Spyware reaches deep into devices that store the most personal parts of modern life, and any system that depends on unpatched vulnerabilities creates trade-offs that affect far more people than the handful of yearly targets. The Constitutional Court will decide whether the safeguards on paper are strong enough in practice. Until then, this debate is not just about one country’s technique for reading a chat thread. It is about how liberal democracies balance digital security, individual privacy, and the state’s obligation to protect the public when the core communications of our lives are encrypted by default.