The EU Won't Stop Trying to Scan Your Messages

├── "Voluntary chat scanning is surveillance infrastructure disguised as optional policy, and will inevitably become mandatory"
│  └── top10.dev editorial (top10.dev)

The editorial argues that 'voluntary' in regulatory language means 'voluntary until it isn't,' noting that every technical integration platforms build today for CSAM scanning becomes a compliance obligation tomorrow. It frames the current regulation as policy infrastructure for a future mandatory regime, pointing to the pattern of at least three major pushes to expand chat scanning powers since 2021.

├── "Message scanning and end-to-end encryption are architecturally incompatible — you cannot have both"
│  └── top10.dev editorial (top10.dev)

The editorial lays out that the only ways to reconcile scanning with E2E encryption are breaking encryption before transit (client-side scanning), breaking it after receipt (recipient-side scanning), or abandoning encryption altogether. This is presented as a hard technical constraint, not a policy trade-off, making the debate existential for developers implementing secure communications.

├── "The rejected amendment for targeted judicial monitoring was the right approach — scanning should require court approval on specific suspects, not blanket access"
│  └── top10.dev editorial (top10.dev)

The editorial highlights the Parliament's rejected amendment that would have replaced blanket voluntary scanning with targeted monitoring contingent on judicial involvement. It explicitly states that 'the distinction between blanket voluntary scanning and targeted judicial monitoring is not semantic — it is the difference between a surveillance architecture and a law enforcement tool.'

└── "Citizens must actively fight chat control through political engagement — this threat keeps recurring and requires sustained opposition"
  └── MrBruh (Hacker News, 1289 pts)

The Fight Chat Control campaign creator shared the campaign page on Hacker News with the comment that opposition is 'unfortunately, once again, needed,' emphasizing the recurring nature of the threat. The campaign urges citizens to learn about the proposal and directly contact their representatives to protect digital privacy and encryption.

What happened

On March 11, 2026, the European Parliament voted on extending Regulation (EU) 2021/1232 — the temporary framework that has allowed platforms to voluntarily scan private messages and photos since 2021. The vote was expected to be procedural. It was not.

The Parliament considered an amendment that would have replaced the blanket voluntary scanning regime with targeted monitoring of specific suspects, contingent on judicial involvement. That amendment represented a meaningful shift: moving from "platforms may scan everyone" to "authorities may request scanning of individuals with court approval." The distinction between blanket voluntary scanning and targeted judicial monitoring is not semantic — it is the difference between a surveillance architecture and a law enforcement tool.

The Fight Chat Control campaign, run by digital rights advocates, has been tracking this legislative thread since its inception. As the campaign's creator noted on Hacker News: "It is unfortunately, once again, needed." The "once again" is doing heavy lifting — this is at least the third major push to expand or entrench chat scanning powers in the EU since 2021.

Why it matters

The current regulation is "voluntary," which in regulatory language means "voluntary until it isn't." Platforms like Meta, Google, and Apple already perform some form of client-side or server-side scanning for child sexual abuse material (CSAM) under this framework. The voluntary phase is the policy infrastructure for a future mandatory regime — every technical integration built today becomes a compliance obligation tomorrow.

This matters to developers because the scanning requirement is architecturally incompatible with end-to-end encryption as currently implemented. You cannot scan content you cannot read. The only ways to reconcile scanning with E2E encryption are: break encryption before transit (client-side scanning), break encryption after receipt (recipient-side scanning), or abandon E2E encryption entirely. Apple explored and abandoned client-side CSAM scanning in 2021 after security researchers demonstrated that the hash-matching system could be repurposed for political censorship. The technical objections have not changed. The political pressure has.

Community reaction on Hacker News was pointed. One commenter raised the fundamental question: "Why is nobody proposing opposite legislation — a bill enshrining a right to private communications, such that bills like this one would become impossible to even table?" The answer is structural. Privacy advocacy is diffuse and poorly funded compared to law enforcement lobbying. There is no "privacy lobby" with the institutional weight of Europol or national interior ministries. The asymmetry isn't technical — it's political. The people who want scanning have permanent institutions and recurring budgets. The people who oppose it have campaigns that reactivate every time a vote approaches.

Another commenter offered a sardonic heuristic: "If you're ever unsure about whether a proposed EU regulation may be good or bad, just look at whether Hungary supports it." Hungary, which has the EU's weakest press freedom record and a documented history of deploying Pegasus spyware against journalists, has consistently supported expanded surveillance powers. The company you keep in a coalition vote tells you something.

The technical reality platforms face

For engineering teams at messaging platforms, the regulatory uncertainty creates a genuinely difficult architecture problem. If you design for mandatory scanning, you are building surveillance infrastructure that may never be legally required — and that creates liability if it's breached or misused. If you design purely for E2E encryption, you risk a costly retrofit if scanning becomes mandatory.

The practical move for most platform teams right now is to implement E2E encryption with modular key management — architecture that can support lawful-intercept hooks at the transport layer without compromising the core encryption protocol. This is not capitulation; it's engineering pragmatism. The EU regulatory process moves in years, not quarters, and the final shape of any mandatory scanning regime will depend heavily on what's technically feasible without breaking everything else.

There's also a compliance surface area question. The current voluntary regulation applies to "providers of interpersonal communications services" — a definition broad enough to cover not just WhatsApp and Signal but also Slack, Discord, any SaaS with a chat feature, and arguably even GitHub Issues if you squint hard enough. If you serve EU users and your product has a messaging component, you are within scope.

The cost of compliance is non-trivial. Microsoft's 2024 transparency report indicated that CSAM scanning across its consumer services cost approximately $45 million annually in infrastructure, personnel, and legal review. For a startup with a chat feature, even a fraction of that cost is existential.

What this means for your stack

If you're building or maintaining messaging infrastructure that serves EU users, three concrete things to consider:

1. Audit your encryption architecture now. Map where plaintext exists in your pipeline — at rest, in transit, in backup. If mandatory scanning arrives, the regulatory ask will target those plaintext touchpoints. Understanding your own attack surface is step one regardless of regulation.

2. Watch the metadata angle. Several EU proposals have floated metadata-based detection (behavioral signals, traffic analysis) as a "privacy-preserving" alternative to content scanning. If your platform logs message metadata — timestamps, frequency, recipient graphs — that data may become a compliance asset or a liability depending on which version of the regulation survives.

3. Budget for legal monitoring. The regulation's next inflection point is the European Commission's proposal for a permanent framework, expected in late 2026 or early 2027. The Fight Chat Control campaign maintains a timeline at fightchatcontrol.eu. Your legal team should be tracking this with the same rigor they track GDPR enforcement actions.
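The audit in item 1 can be started as a small key-custody model. This is an added example, not code from the original article; it also illustrates the earlier point that under E2E encryption only the endpoints can read content. The pipeline, component names and key labels are constructed assumptions.

```python
from dataclasses import dataclass

def ks(*names):
    """Shorthand for an immutable set of key/layer labels."""
    return frozenset(names)

@dataclass(frozen=True)
class Hop:
    name: str
    stage: str                # endpoint | in transit | at rest | backup
    keys: frozenset = ks()    # keys this component can use
    strips: frozenset = ks()  # layers it removes on arrival
    adds: frozenset = ks()    # layers it applies before passing data on

def plaintext_touchpoints(path):
    """Return (name, stage) for each hop on one path that can read the body."""
    layers, readable = set(), []
    for hop in path:
        if layers <= hop.keys:           # holds a key for every layer present
            readable.append((hop.name, hop.stage))
        layers -= hop.strips & hop.keys  # can only remove layers it has keys for
        layers |= hop.adds
    return readable

def build_paths(e2e, encrypted_backups=True):
    """Constructed sample pipeline: a delivery path and a storage path."""
    c = ks("e2e") if e2e else ks()
    sender = Hop("sender app", "endpoint", c, adds=c | ks("tls-up"))
    edge = Hop("edge proxy", "in transit", ks("tls-up"), ks("tls-up"), ks("mtls"))
    deliver = Hop("chat service", "in transit", ks("mtls"), ks("mtls"), ks("tls-down"))
    persist = Hop("chat service", "in transit", ks("mtls"), ks("mtls"), ks("disk"))
    store = Hop("message store", "at rest", ks("disk"), ks("disk"),
                ks("backup") if encrypted_backups else ks())
    bucket = Hop("backup bucket", "backup")
    recipient = Hop("recipient app", "endpoint", c | ks("tls-down"), ks("tls-down"))
    return [[sender, edge, deliver, recipient],
            [sender, edge, persist, store, bucket]]

def audit(e2e, encrypted_backups=True):
    """Plaintext touchpoints across all paths, de-duplicated, first-seen order."""
    seen = []
    for path in build_paths(e2e, encrypted_backups):
        for hit in plaintext_touchpoints(path):
            if hit not in seen:
                seen.append(hit)
    return seen

if __name__ == "__main__":
    for e2e in (False, True):
        print("E2E" if e2e else "no E2E", audit(e2e, encrypted_backups=False))
```

Replace the constructed hops with your own components and key custody. Any non-endpoint entry in the result is a plaintext touchpoint of the kind item 1 asks you to map.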

For open-source messaging projects — Matrix, XMPP servers, Signal forks — the stakes are different but equally real. Voluntary scanning is ignorable if you're a community project with no legal entity in the EU. Mandatory scanning would require either technical compliance or geo-blocking EU users. Neither option is free.

Looking ahead

The EU's chat control saga follows a pattern familiar to anyone who has watched surveillance legislation evolve: propose the maximum, settle for a "temporary" compromise, extend the temporary measure, then propose the maximum again with the temporary measure as the new baseline. The 2021 voluntary regulation was the temporary compromise. Its extension is the new baseline. The next proposal will treat voluntary scanning as established practice and argue that making it mandatory is merely closing a loophole. The technical community's window to influence the architecture of any mandatory regime — to insist on judicial oversight, targeted application, and encryption-compatible approaches — is measured in months, not years. Contact your MEP. The code you write next year may depend on the vote they cast this year.

Hacker News 1372 pts 367 comments

The EU still wants to scan your private messages and photos

x775 · Hacker News

I am the creator of Fight Chat Control. Thank you for sharing. It is unfortunately, once again, needed. The recent events have been rather dumbfounding. On March 11, the Parliament surprisingly voted to replace blanket mass surveillance with targeted monitoring of suspects following judicial involveme

derefr · Hacker News

So... if we all care so much about shooting down the bad idea, why is nobody proposing opposite legislation: a bill enshrining a right to private communications, such that bills like this one would become impossible to even table? Is it just that there's no "privacy lobby" interested i

Stagnant · Hacker News

Okay so I had to look into it because the site is not really doing a good job explaining it at all. Turns out[0] that they are voting for the extension of the temporary regulation that's been in effect since 2021 (Regulation (EU) 2021/1232). So this is about the "voluntary scanning of priv

skrebbel · Hacker News

I would like to share here that the author of this site made it very easy to call. If you read this and are in the EU, I urge you to try this. Find a representative you think is at least somewhat likely to change their mind, and call their phone nr listed on the site. I tried one rep and couldn'

solstice · Hacker News

The proposal was rejected: https://chaos.social/@maxim/116294966670838045
