The editorial argues that the cryptographic community settled this question in 2021 with the 'Bugs in Our Pockets' paper signed by Abelson, Anderson, Rivest, Schneier and others. Once plaintext is inspected on the sending device against an unauditable list, the property that made end-to-end encryption meaningful is destroyed — regardless of what proponents call it.
By submitting the Heise piece under the framing 'Chat Control passed first round in EU Parliament,' the submitter highlights that a proposal widely reported as blocked by Germany, Poland and others has quietly cleared a procedural hurdle in Strasbourg. The implication is that the file keeps moving through EU machinery even after being declared functionally dead.
Heise's plenary reporting frames the vote as an 'unexpected return' and a 'showdown in Strasbourg,' emphasizing that this wasn't final adoption but the kind of quiet procedural advance that keeps a controversial file alive. The framing implies that observers who wrote off Chat Control after Council-level opposition underestimated how the legislative process actually works.
Strasbourg just did the thing everyone was told wouldn't happen. According to Heise's reporting from the plenary, the European Parliament advanced a version of the so-called Chat Control regulation past its first procedural hurdle — a proposal that had, until very recently, been declared functionally dead after Germany, Poland, and a handful of others signaled they would block it in Council. The vote wasn't final adoption. It was the kind of quiet advance that lets a file keep moving through the machinery while the public conversation is looking somewhere else.
The file in question is the successor to the 2022 Commission proposal formally titled "Regulation laying down rules to prevent and combat child sexual abuse." Its core mechanism has never really changed: providers of "interpersonal communications services" — WhatsApp, Signal, iMessage, Matrix homeservers, your self-hosted XMPP — would be required, under detection orders, to scan user content for known CSAM hashes and, in some drafts, for unknown material and grooming patterns detected by AI classifiers. Because these services are end-to-end encrypted, the scanning has to happen on the client, before the message is sealed. That is the part engineers call client-side scanning, and it is the part the regulation's proponents have spent three years insisting is not a backdoor.
It is a backdoor. The cryptographic community settled this question in 2021, and nothing about the math has changed since. The 2021 paper "Bugs in Our Pockets" — signed by Abelson, Anderson, Bellovin, Diffie, Rivest, Schneier, and eleven others who are not exactly fringe voices — walked through why: once you've built a system that inspects plaintext on the sending device and reports matches to a third party, the property that made end-to-end encryption meaningful is gone. What remains is a channel whose contents are read before they're encrypted, by code the user cannot audit, against a list the user cannot see.
The reason this keeps coming back — and the reason engineers keep having the same argument in five-year cycles — is that the political incentives and the technical realities are running on completely different tracks. Politicians want a lever they can pull against a real, awful harm. Cryptographers want to preserve a property that, once broken, cannot be selectively restored for the good guys. Both groups are, in their own frame, correct. But only one of them gets to write the regulation.
What's different this round is timing. The first version of Chat Control stalled because Signal's Meredith Whittaker said publicly Signal would leave the EU market before complying, and because the German government — after a change in coalition arithmetic — went from ambivalent to opposed. Neither of those facts has changed. What has changed is that the file has been repackaged, the language around "upload moderation" softened, and the vote scheduled at a moment when Parliament's attention is elsewhere. This is a familiar playbook. The 2018 copyright directive that gave us Article 17 followed the same trajectory: declared dead, quietly revived, passed at a plenary that most observers weren't tracking.
The HN thread on the Heise piece — 362 points, which is a lot for a European regulatory story — is dominated by two clusters of reaction. The first is developers of messaging clients (a couple of Matrix and Delta Chat contributors weighed in) working out what "detection order" actually means for a self-hosted or federated deployment. The second is a much larger group of engineers realizing that "the EU killed this" was, always, a temporary win. The lesson of the last decade of EU tech regulation is that no file is ever really dead; it is either passed or paused.
There's also a specific technical wrinkle worth flagging. The current draft, per the reporting, still leans on perceptual hashing for known-material detection — PhotoDNA-style or NeuralHash-style. The 2021 collision attacks against NeuralHash, which produced arbitrary images that hashed to the same value as a target, have never been meaningfully answered. A regulation that mandates detection based on a matching primitive that can be adversarially collided is not merely a privacy problem; it is a denial-of-service surface against every user of a compliant client.
If you ship anything that lets EU users send content to each other — chat, comments, DMs, in-game messaging, collaborative docs with a share link — you are inside the scope of what "interpersonal communications service" is being stretched to cover. The practical implications, assuming this file eventually clears trilogue in something like its current form:
You will need a client-side hook, on every platform you support, that can be handed a hash list and required to run before your encryption or transport layer sees the message. That's not a config toggle. On iOS and Android that's an OS-integration story. On desktop that's a signed-binary story. On web that's, frankly, unclear — the draft has never adequately explained how a browser-based E2E app is supposed to comply, and nobody in Brussels seems eager to answer.
The secondary consequence is architectural. Federated and self-hosted systems — Matrix, XMPP, Delta Chat over IMAP, your own Signal fork — do not have a single vendor to serve a detection order on. The regulation's answer so far has been to push the obligation onto the client software author, which for open-source projects means a maintainer in Berlin being personally on the hook for compliance across every downstream fork. That is not a workable model, and it is the specific point at which the regulation transitions from "bad idea" to "unenforceable against the projects it most wants to reach."
If you're planning European launches on a 12-to-24-month horizon, the right move right now is to write down your threat model and your compliance surface *before* the final text lands, so you can evaluate the delta rather than react to a headline. The wrong move is to assume, again, that this will be killed in Council.
The file now moves into further Parliament committee work and, eventually, trilogue with Council and Commission. Germany's position remains the single biggest variable, followed by whether Signal and Threema make good on their exit threats — a real E2E provider walking out of the single market would reshape the political conversation overnight. Watch the Council working-party minutes, not the press releases: that's where the actual text gets negotiated, and that's where the last three versions of this proposal quietly grew or lost their teeth.
From a post on Mastodon:> democracy is when you repeatedly push for unpopular laws until they pass, and the more times you do it the more democratic it isIt is unlikely that 60 additional “no” votes can be found by Thursday to stop this.
So many comments about the EU constantly re-trying the same law with minor tweaks, and about how legislatures do this in general. I wanted to provide an explanation for this behaviour.The way legislation is expected to proceed in countries with parliamentary systems, especially with strong civil ser
“We decide on something, leave it lying around, and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back.”And“If it's a Yes, we will say 'on we go', and if it'
Even if you are not in the EU, this will affect you. Some countries really like to copy such regulations from others. Once services starts complying, other governments will go like "if you did for them, you can do it for us, right? so it's not technically impossible", and things only
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
"The procedure now chosen gives the proponents of Chat Control a significant tactical advantage. Since the law is in its second reading, an absolute majority of 361 votes of all parliament members is required for amendments or a renewed rejection on Thursday. In contrast, a simple majority of t