The EU Won't Stop Trying to Scan Your Encrypted Messages

├── "Chat Control is technically impossible without breaking encryption and amounts to mass surveillance regardless of how it's reframed"
│  ├── fightchatcontrol.eu

The campaign site documents how successive Council presidencies have repackaged the same proposal with different language, but cryptographers consistently find that client-side scanning fundamentally compromises E2E encryption. They argue there is no known method to scan encrypted messages without destroying the privacy guarantees encryption provides.

│  └── @x775 (Hacker News)

As the creator of Fight Chat Control, they note that the Parliament voted on March 11 to replace blanket mass surveillance with targeted monitoring requiring judicial involvement, yet the Council continues pushing broader scanning mandates. They express frustration that the proposal keeps returning despite repeated technical and political objections.

├── "The EU's legislative process allows bad proposals to be resubmitted indefinitely until they pass, which is a structural democratic problem"
│  ├── @leugim (Hacker News)

Asks pointedly whether the EU will simply keep holding votes until the answer is yes. This frames the concern not as a one-time policy debate but as a systemic flaw where rejected proposals face no meaningful barrier to reintroduction.

│  └── @elzbardico (Hacker News)

Argues that proponents deliberately wait for major news events like the war to dominate the cycle, then reintroduce the proposal under reduced public scrutiny. They see this as a calculated strategy of attrition rather than legitimate democratic deliberation.

├── "The real solution is enshrining a positive right to private communications, not just defeating individual bad proposals"
│  └── @derefr (Hacker News)

Questions why privacy advocates only play defense against proposals like Chat Control instead of pushing affirmative legislation that would constitutionally enshrine a right to private communications. They suggest the absence of a 'privacy lobby' with legislative ambitions is the core problem, leaving the community in a perpetual reactive posture.

├── "Chat Control is fundamentally about expanding state power and control over citizens, not protecting children"
│  ├── @AnonyMD (Hacker News)

Argues that considering who actually operates the surveillance infrastructure makes it obvious the proposal serves those in power, not child safety. They frame Chat Control as a pretext for broader monitoring capabilities that benefit the state.

│  └── @afh1 (Hacker News)

Characterizes the EU as a supranational government whose primary objective is increasing control over citizens' lives and finances. They see Chat Control as part of a broader pattern of EU overreach rather than an isolated policy misstep.

└── "The campaign site poorly explains the actual legislative situation, which is more nuanced than presented"
  └── @Stagnant (Hacker News)

After independent research, notes the current vote is specifically about extending a temporary voluntary scanning regulation (EU 2021/1232) that has been in effect since 2021, not passing the full mandatory Chat Control proposal. They criticize the campaign site for failing to clearly explain what is actually being voted on, which undermines informed advocacy.

What happened

The EU's CSA Regulation, widely known as "Chat Control", is back on the legislative agenda. The proposal, introduced by Home Affairs Commissioner Ylva Johansson in May 2022, would let authorities order messaging platforms, email providers, and hosting and cloud storage services to detect and report child sexual abuse material (CSAM) by scanning users' private messages and photos. The text explicitly covers end-to-end encrypted services, so platforms like Signal, WhatsApp, and iMessage would have to inspect message contents on the device itself, before encryption on the sender's side or after decryption on the recipient's, because the ciphertext in transit cannot be searched.

The proposal has been through multiple iterations. The EU Council — representing member state governments — has repeatedly attempted to find a qualified majority to advance the text, with successive Council presidencies (Belgium, Hungary, Poland) each producing modified versions. Despite the European Parliament adopting its negotiating position in November 2023 that explicitly rejected mass scanning and protected encryption, the Council continues to push variants that civil liberties organizations and cryptographers say amount to the same thing with different language.

The campaign site fightchatcontrol.eu, which reached the top of Hacker News (1372 points and 367 comments at the time of this digest), catalogs the ongoing legislative push and provides tools for EU residents to contact their representatives. The sustained reaction reflects a developer community that has watched this proposal stall and resurface repeatedly over three years.

Why it matters

The technical core of this debate hasn't changed, and that is precisely the problem. There is no known method to scan end-to-end encrypted messages for specific content without undermining the guarantee that makes E2E meaningful: only the endpoints can read the plaintext. The proposed workaround, client-side scanning, does not touch the ciphertext at all. It inspects the plaintext on the user's device before encryption and reports matches to a third party, so the cryptography stays mathematically intact while the property it exists to provide, that nobody but the correspondents learns the content, is gone. Cryptographers and security researchers have taken this approach apart repeatedly, most prominently in the 2021 "Bugs in Our Pockets" paper on client-side scanning.

Apple tried this approach in August 2021 with NeuralHash, a perceptual hash computed on-device to match iCloud Photos uploads against a list of known CSAM hashes. Within weeks, researchers had extracted the model from iOS and produced collisions: unrelated images with the same NeuralHash value, meaning benign pictures that would trigger a match. Apple paused the rollout in September 2021 and abandoned it in December 2022, saying that scanning users' private data could create new risks and have unintended consequences for privacy. Note what NeuralHash did not attempt: it matched known images only. The EU text also asks for detection of previously unknown material and of grooming in text, which needs classifiers rather than hash lookups and carries materially higher error rates. If Apple, with its vertically integrated hardware and software stack and its R&D budget, could not ship the easier problem without unacceptable collision and privacy risks, the notion that a regulatory mandate will resolve the harder one is not credible.
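The structural reason perceptual-hash collisions are cheap, as an added toy example for this digest (it is not Apple's NeuralHash nor any deployed matcher): a perceptual hash reduces an image to a short fingerprint whose bits depend on coarse features, so anyone holding only a hash value can construct an unrelated image that matches it. The 8x8 "average hash" below, the sample gradient image, the 200/40 pixel bands and the Hamming threshold of 5 are all constructed assumptions for the illustration.

```python
"""Toy perceptual hash (8x8 average hash) plus a second-preimage forgery.

Added illustration; not Apple's NeuralHash or any deployed CSAM matcher.
"""
from typing import List

Image = List[List[int]]  # 8x8 grayscale, pixel values 0..255 (constructed input)
HASH_BITS = 64


def average_hash(img: Image) -> int:
    """aHash: one bit per pixel, set when the pixel is brighter than the mean."""
    flat = [p for row in img for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Bit distance between two hashes; real matchers use a threshold, not equality."""
    return bin(a ^ b).count("1")


def matches(h1: int, h2: int, threshold: int = 5) -> bool:
    """Assumed match rule: fingerprints within `threshold` bits count as the same image."""
    return hamming(h1, h2) <= threshold


def forge_from_hash(target_hash: int) -> Image:
    """Build an image with the given aHash using only the hash value.

    Bit-1 pixels get values 200..202, bit-0 pixels 40..42.  Because at least one
    pixel sits in each band (aHash never sets all 64 bits), the image mean lies
    strictly between the bands, so every bit reproduces exactly.  A zero hash
    (flat source image) is reproduced by another flat image.
    """
    bits = [(target_hash >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]
    if not any(bits):
        return [[40] * 8 for _ in range(8)]
    pixels = [200 + (i % 3) if b else 40 + (i % 3) for i, b in enumerate(bits)]
    return [pixels[r * 8:(r + 1) * 8] for r in range(8)]


def mean_abs_diff(a: Image, b: Image) -> float:
    """Pixel-space distance, to show the forgery is a genuinely different picture."""
    fa = [p for row in a for p in row]
    fb = [p for row in b for p in row]
    return sum(abs(x - y) for x, y in zip(fa, fb)) / len(fa)


def demo() -> dict:
    # Constructed "reference" image: a diagonal brightness gradient.
    reference = [[r * 32 + c * 4 for c in range(8)] for r in range(8)]
    h = average_hash(reference)
    forged = forge_from_hash(h)  # the forger never sees `reference`, only `h`
    return {
        "hash_distance": hamming(h, average_hash(forged)),
        "flagged_as_match": matches(h, average_hash(forged)),
        "pixel_distance": mean_abs_diff(reference, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forged image shares no content with the reference (the mean per-pixel difference is around 34 on a 0..255 scale) yet has Hamming distance 0 from it in hash space, so any threshold-based matcher flags it. A cryptographic hash makes second preimages infeasible; a perceptual hash, by design, does not, which is why a leaked or reverse-engineered match list turns a detector into a tool for framing targets or flooding reviewers.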

The false positive problem isn't academic. At EU messaging scale, hundreds of billions of messages per year, even a 0.1% false positive rate means hundreds of millions of innocent messages flagged for human review each year: 0.1% of 100 billion is 100 million. The base rate makes it worse. Genuinely illegal content is a minuscule fraction of traffic, so the flags would be dominated by false alarms; if illegal items run at roughly one per million messages (an assumption, not a measured figure), a detector would need a false-positive rate on the order of one in a million for even half of its reports to be real. Each false positive is a private conversation, a family photo, or a medical image reviewed by a government-designated authority. The chilling effect on communication is not a side effect; it is the predictable outcome of the arithmetic.
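The base-rate arithmetic behind that paragraph, as an added worked example for this digest. The volume, prevalence, hit rate and review time are constructed assumptions, not figures from any scanner or from the EU text, and the functions below are illustration code rather than anything from the campaign site.

```python
"""Base-rate arithmetic for content scanning at EU message volumes.

Added worked example; all figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ScanOutcome:
    fpr: float
    true_positives: float
    false_positives: float
    precision: float  # share of flagged items that are actually illegal


def scan_outcome(volume: float, prevalence: float, tpr: float, fpr: float) -> ScanOutcome:
    """Expected flags for a detector with hit rate `tpr` and false-positive
    rate `fpr` over `volume` items, of which a fraction `prevalence` is illegal."""
    positives = volume * prevalence
    negatives = volume - positives
    tp = positives * tpr
    fp = negatives * fpr
    precision = tp / (tp + fp) if (tp + fp) > 0 else 0.0
    return ScanOutcome(fpr, tp, fp, precision)


def required_fpr(prevalence: float, tpr: float, target_precision: float) -> float:
    """Largest false-positive rate that still reaches `target_precision`.

    From precision P = tp / (tp + fp): fp = tp * (1 - P) / P; dividing by the
    number of negatives gives the rate.
    """
    return prevalence * tpr * (1 - target_precision) / (target_precision * (1 - prevalence))


def review_hours(flags: float, seconds_per_item: float) -> float:
    """Human review load implied by a flag count."""
    return flags * seconds_per_item / 3600


def sweep(volume: float, prevalence: float, tpr: float, fprs: Iterable[float]) -> List[ScanOutcome]:
    """Run the same traffic through detectors of decreasing false-positive rate."""
    return [scan_outcome(volume, prevalence, tpr, f) for f in fprs]


# Constructed assumptions: 1e11 messages/year (the text says "hundreds of
# billions"), one illegal item per million messages, a generous 90% hit rate,
# and one minute of reviewer time per flag.
VOLUME, PREVALENCE, TPR, REVIEW_SECONDS = 1e11, 1e-6, 0.9, 60

if __name__ == "__main__":
    for o in sweep(VOLUME, PREVALENCE, TPR, [1e-3, 1e-5, 1e-7]):
        hours = review_hours(o.true_positives + o.false_positives, REVIEW_SECONDS)
        print(f"fpr={o.fpr:.0e}  false flags/yr={o.false_positives:,.0f}  "
              f"precision={o.precision:.2%}  review hours/yr={hours:,.0f}")
    print(f"fpr needed for 50% precision: {required_fpr(PREVALENCE, TPR, 0.5):.1e}")
```

At a 0.1% false-positive rate the detector produces about 100 million false flags a year against 90,000 true ones, so fewer than one report in a thousand is real and the review queue runs to millions of person-hours; reaching 50% precision under these assumptions needs a false-positive rate near 9e-7, a level no content classifier operating on arbitrary private media comes close to.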

Signal president Meredith Whittaker has been unequivocal: Signal would rather leave the EU than implement client-side scanning. This isn't posturing. Signal's entire value proposition is cryptographic privacy. A version of Signal with a scanning backdoor isn't Signal — it's a regular messaging app with extra steps. The same logic applies to any open-source E2E implementation: if the protocol requires pre-encryption inspection, the "end-to-end" label becomes marketing fiction.

Germany, Austria, Poland, and several other member states have repeatedly opposed the regulation in Council votes, but the required blocking minority has been fragile. Each new Council presidency repackages the proposal, sometimes exempting "audio-only" communications, sometimes adding "voluntary" language that becomes mandatory in practice through detection orders, and tests whether the political dynamics have shifted.

What this means for your stack

If you build or maintain any application with messaging, file upload, or user-generated image features that serves EU users, this regulation is directly relevant to your architecture decisions.

Under the proposed regulation, "detection orders" could be issued to any service where CSAM could be shared — which functionally means any service with a file upload or messaging feature. This isn't limited to consumer chat apps. Enterprise collaboration tools, developer platforms with comment features, healthcare applications with image sharing, and even code review tools with screenshot attachments could fall within scope depending on how detection orders are interpreted.

The practical implications for developers are significant. If you use end-to-end encryption as a privacy feature (for HIPAA compliance, attorney-client privilege, source protection in journalism tools), the regulation as proposed would require you to either remove E2E encryption or implement client-side scanning that breaks its guarantees. There is no third option that satisfies both the regulation's detection requirements and the mathematical properties of E2E encryption.

For teams evaluating messaging infrastructure, the sensible bet is to track the file (trilogues cannot begin until the Council adopts a general approach, which it has so far failed to do) and plan for two scenarios: one where E2E encryption is preserved (Parliament's position wins), and one where detection obligations bite only on services that can already read content, with encrypted services handled through metadata or excluded. Keep the trust boundary explicit in your design: document exactly which components ever hold plaintext, and keep the encryption layer a well-defined module so you can state precisely what a detection order would require of you. Modularity should not, however, mean a latent plaintext path on the server; a scanning hook you never intend to enable is still attack surface, and the engineering goal is that the provider cannot read content, not merely that it chooses not to.

Looking ahead

The EU's legislative process — Commission proposal, Parliament position, Council position, then trilogue negotiation — means this regulation is still months from final text, assuming the Council can even reach a common position. But the pattern of persistent revival despite technical objections from the EU's own advisors (the European Data Protection Supervisor has called mass scanning "disproportionate") suggests the political will behind this regulation is not driven by technical feasibility assessments. Developers should treat this as a slow-moving but genuine regulatory risk, not a theoretical one. The question isn't whether the EU will try to regulate encrypted communications — it's whether the final text will be technically coherent enough to implement without breaking the internet's trust infrastructure.

Hacker News 1372 pts 367 comments

The EU still wants to scan your private messages and photos

x775 · Hacker News

I am the creator of Fight Chat Control. Thank you for sharing. It is unfortunately, once again, needed. The recent events have been rather dumbfounding. On March 11, the Parliament surprisingly voted to replace blanket mass surveillance with targeted monitoring of suspects following judicial involveme

derefr · Hacker News

So... if we all care so much about shooting down the bad idea, why is nobody proposing opposite legislation: a bill enshrining a right to private communications, such that bills like this one would become impossible to even table? Is it just that there's no "privacy lobby" interested i

Stagnant · Hacker News

Okay so I had to look into it because the site is not really doing a good job explaining it at all. Turns out[0] that they are voting for the extension of the temporary regulation that's been in effect since 2021 (Regulation (EU) 2021/1232). So this is about the "voluntary scanning of priv

kleiba · Hacker News

If you're ever unsure about whether a proposed EU regulation may be good or bad, just look at whether Hungary supports it: if so, it's bad; if not, it might be good. Egészségére!

afh1 · Hacker News

Where are all those "as an EU citizen" commenters? You are but a subject of an ultra-national government whose sole objective is ever increased control over your life and euros.
