As the creator of FightChatControl.eu, x775 describes the legislative process as 'dumbfounding,' noting that despite Parliament voting for targeted monitoring on March 11, the Council continues pushing for broader scanning. They see the repeated reintroduction as a deliberate strategy to exhaust opposition.
Asks rhetorically 'So they will pass it until it's a yes?' — capturing the widespread perception that the EU's legislative machinery simply re-tables rejected proposals until opponents tire out and it eventually passes.
Argues that proponents 'never quit' and deliberately time reintroductions to coincide with major distracting events like the war, so the proposal can 'fly under the radar' when public attention is elsewhere.
The campaign site's core argument is that the proposal would require platforms to either abandon E2E encryption or implement client-side scanning before encryption, both of which fundamentally break the security model. They cite Apple's abandoned CSAM scanner and repeated statements from cryptographers as evidence that no technical middle ground exists.
Investigated the proposal independently because the campaign site didn't explain it well, and clarified that the current vote is about extending the 2021 temporary regulation allowing voluntary scanning. Their research confirms the underlying technical concern about what 'voluntary scanning' actually requires of encrypted platforms.
Argues that repeatedly shooting down individual surveillance proposals is an endless game of whack-a-mole. Instead, advocates for proactive 'opposite legislation' — a bill enshrining a fundamental right to private communications that would make proposals like Chat Control legally impossible to table. Notes the absence of a 'privacy lobby' powerful enough to push such legislation.
Argues that when you consider who actually controls the monitoring infrastructure, it's clear the proposal serves those in power rather than its stated purpose of child protection. Frames the initiative as a power consolidation tool disguised as a safety measure.
Characterizes EU citizens as 'subjects of an ultra-national government whose sole objective is ever increased control over your life and euros.' Frames Chat Control as part of a broader pattern of EU institutional overreach rather than an isolated policy debate.
Uses Hungary's support for the proposal as a heuristic litmus test — if an authoritarian-leaning government backs it, that signals the regulation is about control rather than legitimate safety. Implies the proposal's supporter profile reveals its true nature.
The EU's Chat Control proposal — formally an extension of Regulation (EU) 2021/1232 — is back on the legislative table. Again. The regulation, which has been in effect as a "temporary" measure since 2021, allows platforms to voluntarily scan private messages and photos for child sexual abuse material (CSAM). The current push aims to extend this temporary regime while the broader Chat Control 2.0 framework continues its slow grind through EU institutions.
On March 11, 2026, the European Parliament voted to replace the blanket mass surveillance approach with targeted monitoring of specific suspects, contingent on judicial involvement. This was a meaningful win for privacy advocates. But the EU Council — representing member state governments — continues to push for broader scanning capabilities that would apply to all users, not just suspects. The gap between Parliament's targeted approach and the Council's mass-surveillance preference is where the real fight is happening.
The activist site FightChatControl.eu, created to mobilize opposition, resurfaced on Hacker News with a score of 947, reflecting the developer community's sustained frustration with a proposal that keeps returning in slightly different packaging.
The technical reality beneath the policy language is straightforward: you cannot scan end-to-end encrypted messages without breaking end-to-end encryption. There is no magic "only for the bad stuff" backdoor. Cryptographers have said this repeatedly. The National Academy of Sciences has said it. Apple tried building a client-side CSAM scanner in 2021 and abandoned it after security researchers demonstrated how it could be abused. The math hasn't changed since then.
What the Council is proposing — whether they frame it as "voluntary" or "mandatory," "client-side" or "server-side" — requires messaging platforms to either abandon E2E encryption or implement client-side scanning before encryption occurs. Both options create attack surfaces. Both options establish infrastructure that can be repurposed. As one Hacker News commenter noted, Hungary's consistent support for the proposal is a useful heuristic for evaluating its civil liberties implications.
The "voluntary" framing of the current regulation deserves scrutiny. When a government creates a legal framework for scanning and then pressures platforms to use it, the line between voluntary and mandatory gets thin fast. The temporary regulation has been in place since 2021 — five years of "temporary" starts to look permanent. The pattern is familiar: establish voluntary compliance, normalize the infrastructure, then make it mandatory.
Community reactions highlight a deeper structural problem. As one commenter asked: why is no one proposing opposite legislation — a bill enshrining a right to private communications that would make proposals like Chat Control impossible to table? The absence of a "privacy lobby" with the institutional weight to match law enforcement lobbying creates an asymmetry where surveillance proposals keep returning while privacy protections remain defensive and reactive.
For developers building messaging or file-sharing systems, the implications are concrete. Client-side scanning — the technically "preferred" approach among Chat Control proponents — means running detection models on user devices before messages are encrypted. This requires:
1. A hash database maintained by a government-adjacent entity that your app must query or embed. Who controls what goes in the database? How do you audit it? Apple's NeuralHash was reverse-engineered within days of announcement, and researchers generated false positives trivially.
2. Mandatory reporting infrastructure that transmits flagged content to authorities. This creates a side channel that exists alongside your encrypted transport. Any system that can flag and exfiltrate content before encryption is, by definition, a surveillance backdoor — regardless of what the flagging criteria claim to be.
3. Update mechanisms that allow the scanning criteria to change without user consent. Today it's CSAM hashes. The regulatory text doesn't architecturally prevent expanding to terrorism content, copyright material, or political speech. The infrastructure is the precedent.
For platforms already operating under the temporary regulation's voluntary framework, the compliance burden is manageable — you can choose not to scan. But if the Council's vision prevails and scanning becomes mandatory, every E2E encrypted messaging app serving EU users faces a build-or-exit decision.
If you maintain any product that handles private communications in the EU market, start scenario planning now. The three likely outcomes are:
Targeted monitoring wins (Parliament's position): Minimal impact for most developers. Law enforcement gets tools to surveil specific suspects with judicial oversight — similar to existing wiretap frameworks. Your E2E encryption stays intact. You may need to comply with lawful intercept orders for specific accounts, which most platforms already handle.
Broad scanning mandate passes (Council's position): Significant architectural impact. You'll need client-side scanning infrastructure, hash databases, reporting pipelines, and audit mechanisms. If you're a small team running an encrypted messaging service, this could be an existential compliance burden — the kind of regulation that consolidates the market around players large enough to absorb the cost.
Extended limbo (most likely in the near term): The temporary regulation gets extended again, scanning remains "voluntary," and the political battle continues. This is where we've been for five years. The risk here is complacency — building as if the issue is resolved when the regulatory threat remains active.
Practical steps: audit your data flows for EU user communications, understand where encryption is applied in your pipeline, and have a documented position on how you'd respond to a mandatory scanning order. If you use Signal Protocol or similar E2E frameworks, review their compliance documentation — the protocol maintainers are tracking this closely.
The EU Chat Control saga is now in its fifth year of "temporary" existence, which tells you something about how EU tech regulation actually works: slowly, then all at once. Parliament's March vote toward targeted monitoring was a genuine inflection point, but the Council hasn't conceded. The next trilogue negotiations between Parliament, Council, and Commission will determine whether Europe gets a surveillance infrastructure that would make authoritarian governments envious, or a targeted law enforcement tool with actual judicial safeguards. Developers building privacy-preserving systems should be paying attention — and contacting their MEPs — because the architecture decisions being made in Brussels will constrain the architecture decisions you can make in your codebase.
So... if we all care so much about shooting down the bad idea, why is nobody proposing opposite legislation: a bill enshrining a right to private communications, such that bills like this one would become impossible to even table?Is it just that there's no "privacy lobby" interested i
Okay so I had to look in to it because the site is not really doing a good job explaining it at all. Turns out[0] that they are voting for the extension of the temporary regulation thats been in effect since 2021 (Regulation (EU) 2021/1232). So this is about the "voluntary scanning of priv
I would like to share here that the author of this site made it very easy to call. If you read this and are in the EU, I urge you to try this.Find a representative you think is at least somewhat likely to change their mind, and call their phone nr listed on the site. I tried one rep and couldn'
The proposal was rejected: https://chaos.social/@maxim/116294966670838045
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
I am the creator of Fight Chat Control.Thank you for sharing. It is unfortunately, once again, needed.The recent events have been rather dumbfounding. On March 11, the Parliament surprisingly voted to replace blanket mass surveillance with targeted monitoring of suspects following judicial involveme