Open Letter: Refrain From Introducing Measures To Legalise State Hacking In The Austrian “Security Package”

Dear Minister Dr. Wolfgang Brandstetter, Minister Mag. Wolfgang Sobotka, Minister Dr.in Pamela Rendi-Wagner, MSs, Minister Mag. Hans Peter Doskozil,

Privacy International is a United Kingdom-based non-governmental organization, which is dedicated to protecting the right to privacy around the world. Privacy International is committed to ensuring that government surveillance complies with the rule of law and the international human rights framework. As part of this commitment, Privacy International researches and investigates government surveillance to raise public awareness about technologies and laws that place privacy at risk.

Privacy International understands that the “security package” currently being considered by the Austrian government includes a proposal to legalise state hacking, i.e. the use of spyware, such as Trojans, on electronic devices infiltrated by the Austrian state (“Bundestrojaner”).

Like governments in other European countries and elsewhere, the Austrian government faces a difficult challenge where there is no easy solution: ensuring the privacy of communications as well as the security and integrity of our devices and networks, while detecting and preventing serious crimes and terrorism.

The Austrian proposal seems to be motivated by the perception that with the increased availability of end-to-end encryption, state authorities are not able to intercept communications, which may help to prevent or investigate serious crimes and serious national security threats, such as terrorist attacks.

In the last couple of years, new surveillance measures to address these threats have been advocated (and implemented) by many governments in Europe, including France, Germany, the Netherlands and the United Kingdom. Many of these measures fall short of applicable human rights standards, as noted by European and international human rights mechanisms. These measures include legislation and policies authorising law enforcement agencies to hack devices and networks as well as compelling private manufacturers and service providers to provide backdoors to undermine encryption. Privacy International is concerned that these developments pose a serious threat to the protection of human rights, including the rights to privacy and freedom of expression, while imperilling the security of our devices and the modern telecommunications network.

Encryption

Encryption is an enabler of privacy and freedom of expression, and in turn, keeps individuals safe, by securing their data. Encryption protects individuals most vulnerable from reprisal – from the state, their fellow countrymen or other would-be oppressors – such as journalists, researchers, lawyers and civil society. Thus, in the words of the U.N. High Commissioner for Human Rights “it is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered. In the worst cases, a Government’s ability to break into its citizens’ phones may lead to the persecution of individuals who are simply exercising their fundamental human rights.” But encryption protects ordinary individuals as well. As the U.N. Special Rapporteur for Freedom of Expression has observed, encryption permits all of us to “search the web, develop ideas and communicate securely.” It also protects all of our data from malicious attackers, such as criminals.

Encryption is essential not only for the safety of individuals but also for communications infrastructure. Encryption protects the confidentiality of communications, while providing a way to both authenticate those communications and ensure their integrity. It therefore enables others to assess the legitimacy of the person or institution communicating with them and the legitimacy of the communication itself. This mechanism is essential for banks to protect financial transactions and for businesses to protect against fraud. For that reason, encryption underpins the secure functionality of the internet and facilitates global online commerce. The digital economy would be impossible without the use of encryption as it ensures that online transactions remain secure and personal data is not captured and exploited. As noted by a group of leading technology experts, “[it] is impossible to operate the commercial Internet or other widely deployed global communications network with even modest security without the use of encryption.” 

It is similarly nearly impossible to keep out unauthorised parties from accessing communications while somehow permitting exceptional access only by government officials.

The attempt to undermine encryption technologies or limit access to them is often justified by the claim that there should be no place for would-be-criminals or terrorists to “hide” – i.e. they should not be able to protect their communications from government surveillance.

However, the U.N. Special Rapporteur for Freedom of Expression has noted that while “[e]ncrypted and anonymous communications may frustrate law enforcement and counter-terrorism officials . . . State authorities have not generally identified situations . . . where a restriction has been necessary to achieve a legitimate goal.” He emphasized that “the public lacks an opportunity to measure whether restrictions on their online security would be justified by any real gains in national security and crime prevention.” He also highlighted that such restrictions would have “broad, deleterious effects on the ability of all individuals to exercise freely their rights to privacy and freedom of opinion and expression.”

Hacking

Among the tools governments in Europe are using to circumvent encrypted communications is hacking, including by deploying malware. In this regard, the recent report comparing the use of hacking across several European jurisdictions, commissioned at the request of the Parliament Committee on Civil Liberties, Justice, and Home Affairs (LIBE), paints a worrying picture.

Privacy International questions whether hacking can ever be a legitimate component of state surveillance. Because of its inherent and extensive interference with privacy, as well as the risks that it poses to the security of our devices, hacking for the purposes of surveillance is, prima facie, incompatible with international human rights law. For that reason, the U.N. Special Rapporteur on Freedom of Expression has observed: “Offensive intrusion software such as Trojans, or mass interception capabilities, constitute such serious challenges to traditional notions of surveillance that they cannot be reconciled with existing laws on surveillance and access to private information. These are not just new methods for conducting surveillance; they are new forms of surveillance. From a human rights perspective, the use of such technologies is extremely disturbing.”

Hacking has the potential to be far more intrusive than any other existing surveillance technique, including the interception of communications. Hacking permits governments to remotely access systems and therefore the information stored on those systems. For an increasing number of individuals, personal digital devices contain the most private information they store anywhere, replacing and consolidating address books, correspondence, journals, filing cabinets, photo albums and wallets.

Hacking also permits governments control over the functionality of systems, permitting novel and grave forms of real-time surveillance. Through hacking, a government can potentially see anything typed into a device, including login details and passwords, internet browsing histories, and draft documents and communications the user never intended to disseminate. It can covertly turn on the microphone, webcam and GPS-based locator technology.

Hacking can even potentially permit governments to corrupt files or recover files that have been deleted. It can also allow them to plant or delete documents or data, send fake communications from the device, or re-write code to add new capabilities and erase any trace of the intrusion.

A growing number of devices making up the “Internet of Things” – such as a refrigerator that records when and what a person eats or a television that records what a person watches and his or her reactions – are documenting intimate details about the lives of individuals. By accessing this information – or by manipulating the functionality of these systems – government authorities can also acquire a deep and comprehensive view into a person’s life. 

Equally worrisome, hacking has the potential to undermine the integrity, not only of the targeted device, but also of the internet as a whole. Hacking techniques are fundamentally designed to allow an unauthorized party to access and control another party’s system. The vulnerabilities used by the government can be subsequently exploited by anyone with the relevant technical expertise. 

Computer systems and networks are complex and unpredictable. Hacking techniques commonly deploy malware, which may not be fully vetted to determine its effects on such systems. Moreover, when a government deploys malware, it will rarely be able to fully control its distribution.

Just as governments have struggled to clearly articulate why undermining encryption is necessary, they have similarly failed to make a robust, public case for why hacking is necessary – and if necessary, how it can be compliant with international human rights law. In fact, the evidence points towards the opposite conclusion. As a threshold matter, governments already have a wide variety of existing investigative tools at their disposal through traditional policing as well as through international cooperation. Moreover, the modern evolution of communications has resulted in the creation of ever-increasing amounts of information about us, which governments may also use to investigate and prevent serious crimes and terrorism. For governments to undermine encryption and authorize hacking, they will have to do a much better job of explaining why these other methods have proven inadequate so as to require resorting to measures that undermine everyone’s privacy and security.

For the above reasons, we call on the Austrian government to refrain from introducing measures to legalise state hacking in the “security package” under discussion and to make clear to their intelligence and law enforcement agencies that state hacking is not permitted under current Austrian legislation.

Yours sincerely,

Tomaso Falchetta

Advocacy and Policy Team Lead

Privacy International