On June 22 the Austrian Constitutional Court will sit in public session and hear arguments about whether the state may read your Signal messages. The hearing starts at 9:30 in the morning. I expect the courtroom to be full and the answers to be thin.
The law under review is the amendment to the Staatsschutz- und Nachrichtendienst-Gesetz that the Nationalrat passed on July 9 last year. It gives the DSN, Austria’s domestic intelligence service, the power to monitor messages on services like WhatsApp and Signal, encrypted or not. The trigger conditions are terrorism, activities that endanger the constitutional order, and espionage. Orders run for three months and can be extended. Before anything happens, the Rechtsschutzbeauftragter in the Interior Ministry reviews the request and the Federal Administrative Court has to approve it.
On paper that is a layered system. In practice I have yet to meet anyone in Vienna’s security community who can explain how a court is supposed to meaningfully review a surveillance technique it cannot inspect.
How we got here
The vote last July was ugly. ÖVP and SPÖ carried it, FPÖ and the Greens voted against, and even inside the coalition the NEOS deputies Krisper and Scherak broke ranks. That fracture mattered. In January, FPÖ and the Greens filed a Drittelbeschwerde, a constitutional challenge that requires one third of the Nationalrat. Sixty-two deputies signed. When the parliamentary far right and the Greens agree that a law goes too far, the Constitutional Court tends to listen carefully.
There is also precedent, and it is not on the government’s side. In 2019 the same court struck down Austria’s first attempt at a Bundestrojaner. The judges called covert surveillance of computer systems a grave intrusion into private life under the European Convention on Human Rights, permissible only within extremely narrow limits. The Interior Ministry’s lawyers have spent the years since trying to draft around that ruling. June 22 is the test of whether they succeeded.
The part nobody wants to say out loud
Here is the technical reality the political debate keeps avoiding. You cannot wiretap Signal. End-to-end encryption means there is nothing useful on the wire. There are only two ways in. Either the provider hands over the messages, which Signal will not and structurally cannot do, or the state installs spyware on the target device by exploiting a vulnerability in the operating system.
The second option is what this law actually authorizes, whatever the legislative language says. And the budget figures confirm it. The impact assessment attached to the reform set aside ten million euros from 2026, followed by roughly two million per year in license fees through 2029. License fees. Nobody pays recurring license fees for a tool they built themselves. Austria is shopping at an international spyware vendor, and the shortlist of companies selling state-grade mobile exploitation is not long. The same paperwork mentions an IMSI catcher for location data, almost as an afterthought.
So the state becomes a customer in the exploit market. That has consequences the law does not address. Every zero-day a government buys and keeps alive is a vulnerability deliberately left open in phones carried by everyone else, including ministers, judges and the DSN’s own officers. People in allied services have been blunt with me about this trade-off for years. You do not get a Trojan that only works on terrorists.
Why the timing is awkward for everyone
The government will argue necessity, and it has material. Sylvia Mayer, running the DSN since January, says openly that Russia is the largest espionage threat and that among Vienna’s thirteen thousand accredited diplomats, some delegations are more than one fifth intelligence officers. The Egisto Ott verdict in May, four years and one month for spying for Moscow from inside the old BVT, gave Austria its first major espionage conviction of the new era. The services finally have political momentum after a decade of being the embarrassment of European counterintelligence.
The opposition will argue proportionality, and it also has material. The 2019 ruling. The technical impossibility of limiting spyware once deployed. The fact that the agency asking for this capability is the institutional successor of the office Ott worked for. Trust is the currency here, and Austrian domestic intelligence has been printing very little of it.
The court has said it intends to announce its decision in the days after the hearing. Whichever way it falls, the law is supposed to enter into force in 2027, which means the procurement process is presumably already moving. That is the thread I find more interesting than the constitutional question. If the judges uphold the law, Austria signs a contract with a spyware vendor within months. The name on that contract, and the export jurisdiction behind it, will tell us more about the future of Austrian surveillance than anything said in court on June 22. I intend to find out what it is.
