The editorial argues the cosmetic shift to 'voluntary' scanning is misleading because the full legal architecture — detection orders, risk assessments, and the EU Centre — remains wired up in the text. Once passed, flipping to mandatory becomes a Council implementing act rather than a fresh legislative fight, meaning the hard political battle effectively ends now.
CyberInsider's reporting frames the Danish presidency's revival as one qualified-majority vote away from advancing, after Belgian and Spanish presidencies failed to get earlier drafts across the line. The piece treats the procedural moment as decisive precisely because the underlying detection infrastructure survives intact.
The editorial argues CSS doesn't break E2EE cryptographically — it makes it moot by moving the adversary inside the endpoint. Messages are still encrypted in transit but hashed and matched against a state-controlled database before the cipher runs, which functionally collapses the security model that Signal, WhatsApp, iMessage, and Matrix depend on.
The 15-author cryptography paper — cited approvingly in the editorial — concluded CSS is structurally incompatible with E2EE. Their argument informed Apple's 2022 decision to abandon its own on-device scanning proposal, and the editorial invokes them as the technical consensus against the EU approach.
By surfacing the CyberInsider piece to the top of HN with 383 points, the submitter signals alignment with the technical community's view that reviving CSS-based scanning threatens the encrypted messengers developers rely on. The high engagement reflects the developer audience treating this as a direct threat to E2EE rather than a policy nuance.
The EU's long-running "Chat Control" file — formally the Regulation to Prevent and Combat Child Sexual Abuse (CSAR) — is back on the Council's agenda and, according to CyberInsider's reporting, one qualified-majority vote away from moving forward. The Danish presidency, which took over from Belgium, has revived a version of the text that the previous Belgian and Spanish presidencies could not get across the line.
The headline change from earlier drafts is cosmetic: scanning is now framed as voluntary for providers, with the mandatory regime deferred. In practice, the legal architecture — detection orders, risk assessments, and a coordinating EU Centre — is all still there, wired up and waiting. Once the "voluntary" scaffolding is law, flipping the switch to mandatory is a Council implementing act, not a fresh legislative fight. That is the part practitioners should read carefully.
The technical requirement has not changed since the 2022 draft: providers of "interpersonal communications services" would have to detect known CSAM, new CSAM, and grooming in private messages. For any service that ships end-to-end encryption — Signal, WhatsApp, iMessage, Threema, Tuta, Matrix, Session, Wire — that detection can only happen on the client, before the message is encrypted. That is client-side scanning (CSS), and it is what Apple abandoned in 2022 after its own researchers, plus Abelson, Anderson, Rivest, Schneier, and 11 others published "Bugs in Our Pockets" arguing CSS is structurally incompatible with E2EE.
The political story here is familiar; the engineering story is not. A mandatory CSS regime doesn't weaken end-to-end encryption in the cryptographic sense — it makes E2EE irrelevant by moving the adversary inside the endpoint. Your messages are still encrypted in transit. They are simply also read, hashed, and matched against a state-controlled database on the device you own, before the cipher ever runs. From a threat-modeling perspective, this collapses the distinction between "the platform can't see my messages" and "the platform can see my messages," because the scanner is a platform-controlled process with root-equivalent access to plaintext.
The false-positive math is the other quiet problem. The Commission's own leaked impact assessment estimated detection accuracy in the high 90s. That sounds fine until you multiply by traffic. At WhatsApp's ~100 billion messages a day in the EU, even a 99.9% specificity rate generates roughly 100 million false hits every 24 hours, all of which are legally required to be reviewed by humans at the EU Centre. No agency on Earth is staffed for that. The realistic outcome is either aggressive pre-filtering (which reintroduces bias and drops the actual detection rate) or automated forwarding to law enforcement (which is what privacy advocates have been warning about since 2022).
The provider response has hardened. Meredith Whittaker at Signal has repeatedly said Signal will leave the EU rather than implement CSS — a position she reiterated as recently as this spring. Threema and Tuta have taken the same line publicly. Matrix's Matthew Hodgson has written that a scanner is a "backdoor with better PR." The interesting silence is from Meta and Apple: both technically comply with lawful-intercept regimes elsewhere, both have the engineering capacity to ship CSS, and neither has said they'd withdraw. WhatsApp's EU market is roughly 300M users; iMessage ships on every iPhone sold in the bloc. If the mandatory switch flips, those two are the actual test.
There's also a jurisdictional wrinkle developers keep missing. CSAR applies to any service "offered in the Union," which under the Digital Services Act precedent means any service with EU users, regardless of where it's hosted. A self-hosted Matrix homeserver run by a hobbyist in Berlin is in scope. A US-based Signal fork on F-Droid is in scope the moment an EU user installs it. The regulation reaches through the app store, which is why Apple and Google's compliance postures matter more than any individual provider's.
If you're shipping anything with private messaging — a support chat, a team collaboration feature, a dating app DM, a Matrix bridge — your threat model needs a new row. It's no longer sufficient to say "we use E2EE." The relevant question is: where does the plaintext live before it's encrypted, and who can subpoena a scanner into that path? The answer used to be "only the OS." Under CSAR, it becomes "the OS, plus any regulated scanning module the OS is required to run."
Concretely: audit your dependency on Apple's and Google's ML frameworks (Vision, ML Kit, Core ML). If CSS gets mandated, both platforms will almost certainly ship the scanner as an OS-level API that messaging apps are required to call, the same way they handle NSFW detection today. Your app's compliance surface shrinks to "do we call the API," but your users' privacy surface expands to "whatever the API decides to hash and report." If your product's value prop includes confidentiality — legal tech, healthcare, journalism, whistleblower tooling — you need a contingency plan for a Union where iOS and Android are effectively compromised endpoints.
The practical hedges are unglamorous. Ship a web client with a service worker so users can bypass the app store if CSS lands. Support Matrix federation or an XMPP fallback so users can move off your infrastructure without losing history. Document your data-handling in a way that survives a detection order — meaning, don't retain plaintext or metadata you don't need, because a detection order can compel handover of anything you have. And, less comfortably, decide now whether you'd geo-block the EU rather than comply. Signal has made that decision publicly. Most VCs' portfolio companies have not.
The Council vote is the near-term flashpoint, but the real fight is 18–36 months out, when the "voluntary" regime gets its first detection order and the case law starts. Watch for the first provider to refuse — it will almost certainly be Signal or Tuta — and watch what the Court of Justice does with the inevitable Article 7 and 8 challenge. If the Court strikes it down, the pattern repeats with a fresh acronym in 2028. If it doesn't, the global template is set, and the UK's Online Safety Act CSS provisions (currently in stasis) come off the shelf within a quarter. Either way, "encrypted messaging" as a product category is about to become a jurisdictional question, not a technical one.
The Chat Control 1.0 rule is simply that organisations like Meta are allowed to scan messages if they want to. In other words your Facebook messages are not private from Facebook. Surely we already knew and expected that.Chat Control 2.0 is the worrying one because it mandates scanning and bans E2EE
Tough week for euros. Cars that record your face while driving and now apps snooping on communications.
Of course they are. They will boil the frogs slowly until they get the frog soup they so desire. Each time the water gets a little bit too hot (public outrage) they will turn it back down for a bit.Every major global region has this problem. I would tell you the slope is slippery, but I already fell
For my fellow EU citizens, you can contact your representatives here: https://fightchatcontrol.eu/
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The Internet Watch Foundation, an organisation funded by almost all of big tech, is already at work pushing for client side scanning next [1], for the children, of course.[1] https://www.iwf.org.uk/policy-work/preventing-the-upload-of-...