Breyer, a Pirate Party MEP and leading opponent of Chat Control, declared this the 'end of Chat Control' and framed the Parliament's rejection as a win for both privacy and child safety. He argues the vote paves the way for alternative approaches to combating CSAM that don't require undermining encryption infrastructure.
The editorial synthesizes the technical community's consensus that there is no way to scan encrypted messages without fundamentally compromising the encryption. It argues that client-side scanning creates a programmable surveillance infrastructure that, once deployed, cannot be limited to CSAM — any government could expand the target list to political speech, journalism, or dissent.
As Signal's president, Whittaker repeatedly stated that Signal would not comply with any mandate requiring client-side scanning. Her position represents the technical community's firm stance that the proposed workaround of on-device scanning before encryption is fundamentally incompatible with the security guarantees of E2EE.
The Commission proposed the regulation in 2022, arguing that messaging platforms, email providers, and cloud storage services should be required to deploy automated detection systems to scan all user content for CSAM. Their position was that child protection justified mandating scanning even on encrypted services, and they promoted client-side scanning as a viable technical compromise.
The European Parliament has voted to reject the most controversial provisions of the proposed Child Sexual Abuse Material (CSAM) regulation — the legislative package widely known as "Chat Control." The vote, described as a "thriller" by opponents of the measure, effectively kills the European Commission's plan to mandate mass scanning of private messages, including those protected by end-to-end encryption.
The regulation, first proposed by the European Commission in 2022, would have required messaging platforms, email providers, and cloud storage services to deploy automated detection systems to scan all user content for CSAM. For encrypted services like Signal, WhatsApp, and iMessage, compliance would have required some form of client-side scanning — breaking the fundamental guarantee that only sender and recipient can read a message. The vote marks the end of one of the most consequential digital rights battles in EU legislative history.
Patrick Breyer, a Pirate Party MEP and one of the regulation's most prominent opponents, declared the result the "end of Chat Control," framing it as a victory for both privacy and genuine child protection. The Parliament's position now paves the way for alternative approaches that don't require undermining encryption infrastructure.
### The technical stakes were existential for E2EE
This wasn't a theoretical policy debate. The technical community had been unambiguous: there is no way to scan encrypted messages for specific content without fundamentally compromising the encryption. Client-side scanning — the proposed workaround where content is analyzed on-device before encryption — creates a programmable surveillance capability that cannot be limited to a single use case. Once the scanning infrastructure exists on a device, any government can expand the target list from CSAM to political speech, journalism, or dissent.
Signal president Meredith Whittaker had repeatedly stated that Signal would leave the EU rather than implement client-side scanning. Apple, which briefly deployed a client-side CSAM scanner in 2021 before abandoning it under pressure, had also signaled opposition. The practical consequence of Chat Control passing would have been either a mass exodus of encrypted services from the EU market or the creation of EU-specific weakened versions — neither outcome serving users or security.
### The three-year fight exposed a fault line
The Chat Control debate crystallized a tension that developers and platform operators will face repeatedly: legitimate law enforcement objectives versus the mathematical reality of encryption. The EU's own legal service had questioned whether mandatory scanning of encrypted communications was compatible with the Charter of Fundamental Rights. Multiple EU member states, including Germany and Austria, opposed the scanning mandate in the Council.
What made this fight particularly instructive was the shifting arguments from proponents. The Commission initially presented scanning as a targeted measure. When cryptographers pointed out that "targeted" scanning of encrypted messages is an oxymoron — you can't know what's in an encrypted message without breaking the encryption — proponents pivoted to framing opposition as indifference to child safety. This rhetorical pattern will recur in future encryption debates, and the EU Parliament's rejection establishes an important precedent: the argument that "if you oppose scanning, you support abuse" was not sufficient to override technical and legal objections.
### The lobbying was intense on both sides
The fight drew an unusual coalition. Digital rights organizations like EDRi and the EFF worked alongside tech companies, academic cryptographers, and even some law enforcement officials who argued that mass scanning would actually hamper investigations by overwhelming systems with false positives. On the other side, the European Commission, Europol, and several child protection organizations pushed hard for the scanning mandate, arguing that voluntary detection by platforms was insufficient.
The vote's narrow margin reflects how effective the pro-scanning lobbying was — this was not a comfortable victory for privacy advocates, and the political pressure to "do something" about online CSAM remains intense.
### If you operate a messaging or communications platform in the EU
The immediate compliance pressure is gone. You do not need to architect client-side scanning systems, and you don't need contingency plans for EU market exit. However, this is a legislative pause, not a permanent resolution. The European Commission is expected to return with revised proposals that focus on metadata analysis, voluntary detection improvements, and non-encryption-breaking approaches to CSAM detection. If you're building a messaging service, keep your architecture clean of scanning hooks — but budget time for monitoring whatever comes next.
### If you're building on encrypted protocols
The Signal Protocol, Matrix, and other E2EE implementations remain legally viable across the EU without modification. This matters for the growing ecosystem of applications built on these protocols — from healthcare communications to financial messaging to journalistic source protection. Developers who chose E2EE as a design principle don't need to maintain a "break glass" scanning bypass, which would have been the most dangerous technical debt in the history of messaging software.
### If you work in trust and safety
The rejection of mandatory scanning doesn't mean the CSAM problem is solved — it means the EU has acknowledged that mass surveillance isn't the solution. Expect increased regulatory interest in:
- Metadata-based detection that doesn't require reading message content - Hash-matching on unencrypted content (uploads, profile images, public posts) - Behavioral signals and network analysis that work at the platform level - Improved reporting mechanisms and faster law enforcement response times
Trust and safety teams should prepare for regulations that mandate these approaches instead, which are technically feasible without breaking encryption but still require significant engineering investment.
The EU Parliament's vote is decisive for this particular legislative text, but the underlying political dynamics haven't changed. Child safety remains a powerful political motivator, and the Commission will try again with a repackaged approach. The precedent set here — that encryption cannot be legislated away through scanning mandates — is valuable but fragile. For developers, the lesson is strategic: build systems where privacy is a structural property, not a policy choice. When the next Chat Control arrives (and it will, possibly under a different name), the best defense is architecture that makes compliance with scanning mandates technically impossible without a complete rewrite. That's not defiance — it's engineering for durability in a shifting regulatory landscape.
Here is the EPP's plea to get this passed earlier.They even used a teddy bear image.https://www.eppgroup.eu/newsroom/epp-urges-support-for-last-..."Protecting children is not optional," said Lena Düpont MEP, EPP Group spokeswoman on Legal and Home Affairs. "We
I’m confused by> This means on April 6, 2026, Gmail, LinkedIn, Microsoft and other Big Techs must stop scanning your private messages in the EUIt had already passed and started?
What I find very alarming is that very few citizens in the EU knew about that. Mainstream media almost never reported this and other similar news, so I had to actively look for them. In this last case, I learned about it here on HN. Votes like that, with so much impact on citizens' digital live
It seems like an almost never ending hamster wheel of chat control being introduced, voted down, then introduced again in the next session.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
> Despite today’s victory, further procedural steps by EU governments cannot be completely ruled out. Most of all, the trilogue negotiations on a permanent child protection regulation (Chat Control 2.0) are continuing under severe time pressure. There, too, EU governments continue to insist on th