Inside the EU’s Encryption War: How ‘Chat Control’ Became Europe’s Most Dangerous Surveillance Proposal

The EU's "chat control" proposal would mandate scanning of encrypted messages across Europe, pitting child safety arguments against encryption, privacy rights, and near-universal technical consensus that the plan is both dangerous and unworkable.
Inside the EU’s Encryption War: How ‘Chat Control’ Became Europe’s Most Dangerous Surveillance Proposal
Written by Emma Rogers

Somewhere in the corridors of the European Council, a proposal keeps coming back from the dead. It has been rejected, revised, rebranded, and resubmitted so many times that even its critics have lost count. The European Union’s so-called “chat control” regulation — a plan to scan private messages for child sexual abuse material (CSAM) — has become the most contentious digital policy fight on the continent. And it isn’t close to being resolved.

The proposal, formally known as the Child Sexual Abuse Regulation (CSAR), would compel messaging platforms to detect and report CSAM, including in end-to-end encrypted communications. Proponents say it’s a necessary tool to protect children. Opponents — a coalition that spans privacy advocates, cryptographers, the European Parliament, and major tech companies — say it would effectively destroy encryption and create an unprecedented mass surveillance infrastructure across the EU.

Both sides claim to have the facts. Only one side does.

What the Proposal Actually Demands — and Why Technologists Say It Can’t Work

The core mechanism of chat control, as detailed extensively by European Parliament member Patrick Breyer, would require platforms to implement either client-side scanning or some other technical means to detect illegal content before or after encryption. The European Commission has repeatedly insisted this doesn’t mean “breaking” encryption. That claim has been systematically dismantled by virtually every independent technical authority that has examined it.

Client-side scanning means analyzing messages on a user’s device before they’re encrypted and sent. The content never leaves the device unencrypted, so technically, the encryption protocol remains intact. But this distinction is, as hundreds of cryptographers and computer scientists have argued, a semantic trick. If a third party can access the content of your message before encryption — and flag it, report it, or block it — then the privacy guarantee of end-to-end encryption is functionally void. The lock on the door still works. Someone is just standing inside the room.

Apple tried this approach in 2021, proposing a client-side scanning system for iCloud Photos. It abandoned the effort after a wave of criticism from security researchers who demonstrated that such systems could be exploited, produce false positives at scale, and be repurposed by authoritarian governments. Apple’s own internal assessment reportedly concluded the system couldn’t be deployed without unacceptable privacy risks.

The EU proposal goes further than what Apple attempted. It would apply not just to stored images but to real-time text communications. Detection orders could compel platforms to scan for previously unknown CSAM — meaning AI-based detection of new material, not just hash-matching against known databases. As Breyer’s comprehensive fact-check notes, the error rates for such AI detection are staggering. Even a 1% false positive rate, applied across billions of messages sent daily in the EU, would generate tens of millions of false alerts — each one representing a private conversation wrongly flagged and potentially reviewed by authorities or platform employees.

The European Parliament recognized these problems. In October 2023, it voted for an alternative approach that explicitly excluded end-to-end encrypted communications from scanning mandates and rejected indiscriminate surveillance of all users. The Parliament’s position focused on targeted measures: scanning only when there’s reasonable suspicion, and only with judicial authorization. That position was the product of extensive debate, expert testimony, and political negotiation.

It was supposed to settle the matter. It didn’t.

Several EU member state governments, working through the Council of the European Union, have pushed repeatedly to override the Parliament’s position. The Council’s various presidency rotations — Belgium, Hungary, and now Poland — have each produced modified versions of the proposal that, despite cosmetic changes, preserve the core requirement: mass scanning of private communications, including on encrypted platforms.

The Hungarian presidency’s attempt in late 2024 was blocked when a sufficient minority of member states — led by the Netherlands, Germany, Austria, Poland, and others — refused to support it. Germany’s position has been particularly firm. The German government has called the proposal incompatible with fundamental rights. The Netherlands commissioned an independent technical assessment that concluded there is no known technology capable of scanning encrypted messages without compromising security.

But the proposal keeps returning. The Polish presidency, which took over the Council rotation in January 2025, initially signaled a more cautious approach. Recent reporting suggests that caution is fading. A new compromise text circulated among member states in the spring of 2025 reportedly retains provisions that would allow detection orders for encrypted services, though with modified language about “cybersecurity safeguards.” Privacy advocates say the changes are cosmetic.

The political dynamics are revealing. According to Breyer’s analysis, internal Council documents show that several governments pushing hardest for chat control have done so with significant input from a specific set of actors: law enforcement agencies, the European Commission’s internal security directorate, and — more controversially — organizations with financial ties to companies that develop scanning technology. The Breyer fact-check documents lobbying efforts by Thorn, a U.S.-based tech nonprofit co-founded by Ashton Kutcher, which develops and sells CSAM detection tools. Thorn has been active in Brussels, advocating for mandatory detection. The financial incentive is obvious: if the EU mandates scanning, companies like Thorn stand to benefit enormously.

The Child Safety Argument — and Its Limits

Nobody involved in this debate questions the severity of child sexual abuse or the need to combat it. The disagreement is about whether this specific proposal would actually help — and whether the collateral damage is justified.

Proponents point to statistics. The National Center for Missing & Exploited Children (NCMEC) in the United States receives millions of reports annually from tech platforms. Europol has warned that CSAM distribution is growing. The emotional weight of these numbers is immense, and politicians who oppose chat control know they risk being accused of indifference to child suffering.

But the evidence that mass scanning would meaningfully reduce abuse is thin. As Breyer documents, the vast majority of NCMEC reports — over 80% by some analyses — are duplicates, irrelevant, or not actionable by law enforcement. The bottleneck isn’t detection. It’s investigation and prosecution. European law enforcement agencies are already overwhelmed with existing reports. Germany’s Federal Criminal Police Office (BKA) has publicly stated it doesn’t need more reports; it needs more resources to act on the ones it already has.

There’s a deeper problem. Most child sexual abuse happens offline, committed by family members or people known to the victim. Online detection of CSAM addresses distribution, not production or abuse itself. A comprehensive child protection strategy would prioritize funding for victim support services, training for educators and social workers, and resources for law enforcement investigations. The EU’s own impact assessment for the CSAR proposal acknowledged that the regulation alone would not significantly reduce the incidence of abuse.

So why the fixation on scanning?

Part of the answer is political convenience. Mandatory scanning is a visible, legislative action. It lets politicians say they did something. Funding social workers doesn’t generate headlines. And part of the answer is institutional momentum. The European Commission under Ylva Johansson, who championed the original proposal as Commissioner for Home Affairs, invested enormous political capital in chat control. The Commission doesn’t easily abandon flagship proposals.

Johansson’s term ended in late 2024, but the institutional machinery she set in motion continues. The new Commissioner for Home Affairs, Magnus Brunner, has signaled continuity on the file. Commission officials have continued to brief member state delegations in favor of detection orders, and internal documents obtained through freedom of information requests show the Commission actively working to undermine the Parliament’s position in trilogue negotiations.

The signal intelligence agencies of several EU member states have also quietly backed the proposal. France’s position has been notably hawkish, despite the country’s general reputation for defending civil liberties. Spain’s government submitted a Council position explicitly stating that it would be “desirable” to have access to encrypted communications. A leaked Spanish government document, reported by Wired, showed Madrid arguing for legislation that would effectively ban end-to-end encryption for messaging services operating in the EU.

The tech industry’s response has been uneven. Signal’s president, Meredith Whittaker, has been the most vocal, repeatedly stating that Signal would withdraw from the EU market rather than comply with a scanning mandate. “We will not undermine the privacy guarantees of Signal,” Whittaker said in a widely shared statement. “There is no way to implement these proposals that doesn’t fundamentally compromise encryption.” WhatsApp has made similar, if slightly more diplomatic, noises. Apple’s position remains ambiguous — the company abandoned its own scanning project but hasn’t taken a firm public stance on the EU regulation.

Smaller encrypted services — Threema, Tutanota (now Tuta), Element — have been even more direct, warning that compliance would be technically impossible without rebuilding their systems from scratch. These companies, many of them European, would face an existential choice: break their core product or exit the market.

What Happens Next — and Why It Matters Beyond Europe

The trilogue negotiations between the European Parliament, Council, and Commission are the final stage of EU lawmaking. They’re where the three institutions hash out a compromise text. The Parliament’s position is clear: no mass scanning, no undermining encryption. The Council’s position remains in flux, with different member states pulling in different directions. The Commission acts as a mediator but has its own institutional preference for the strongest possible scanning mandate.

If the Council coalesces around a position that includes detection orders for encrypted platforms, the Parliament’s negotiators will face enormous pressure to compromise. The Parliament has historically been the weaker institution in trilogues, often conceding to Council positions in exchange for concessions on other files. The risk is that encryption protections get traded away in a package deal.

The legal challenges would be immediate. The European Court of Justice has already ruled, in cases like Digital Rights Ireland (2014) and La Quadrature du Net (2020), that indiscriminate data retention and mass surveillance violate the EU Charter of Fundamental Rights. A scanning mandate that applies to all users of a messaging platform — without individualized suspicion — would almost certainly face a legal challenge under these precedents. But legal challenges take years. In the meantime, the infrastructure would be built.

And that’s the real danger. Once a scanning infrastructure exists, its scope can be expanded. Today it’s CSAM. Tomorrow it could be terrorism. Then copyright infringement. Then political dissent. This isn’t a slippery slope argument — it’s a documented pattern. The UK’s Investigatory Powers Act started with terrorism and now covers everything from tax fraud to food safety violations. China’s surveillance infrastructure was built incrementally, each expansion justified by the last.

The EU’s decision will also set a global precedent. If Europe mandates client-side scanning, other democracies will follow. Australia, which already passed the Online Safety Act, is watching closely. So is Canada. And authoritarian governments will use the EU’s framework to justify their own surveillance demands. If the EU says scanning encrypted messages is compatible with human rights, Beijing and Moscow will happily agree.

The technical community has been remarkably unified on this point. In an open letter organized in 2023, over 300 scientists and researchers warned that there is no technical solution that allows scanning of encrypted messages without creating vulnerabilities exploitable by malicious actors. The letter was signed by cryptographers from MIT, Stanford, ETH Zurich, and dozens of other institutions. Their conclusion was unambiguous: what the EU is proposing is not technically feasible without making everyone less safe.

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) have both issued opinions warning that the proposal, as drafted by the Commission, would violate fundamental rights. The EDPS called it “a disproportionate interference with the right to privacy.” These aren’t advocacy organizations. They’re the EU’s own independent data protection authorities.

Meanwhile, the debate on platforms like X has intensified. Digital rights organizations including European Digital Rights (EDRi), the Electronic Frontier Foundation (EFF), and Digitale Gesellschaft have maintained sustained campaigns against the proposal, framing it as the most significant threat to digital privacy in European history. The hashtag #ChatControl regularly trends when new developments emerge.

The coming months will be decisive. If the Polish presidency secures a Council general approach — the formal negotiating position — that includes detection orders for encrypted services, trilogues could begin before summer 2025. Parliament’s lead negotiators, including members of the Civil Liberties Committee (LIBE), have signaled they won’t accept mass scanning. But political pressure is building, and the child safety framing makes opposition politically costly.

Here’s what’s at stake in plain terms: whether the EU will require every messaging app used by 450 million Europeans to include a surveillance mechanism that monitors private conversations. Not targeted surveillance with a warrant. Not monitoring of specific suspects. Blanket, automated scanning of everyone’s messages, all the time.

The proponents of chat control have framed the debate as encryption versus child safety. That framing is false. The real question is whether mass surveillance is an acceptable response to a problem that existing tools and resources — properly funded — could address more effectively. Every independent technical assessment says the answer is no. Every data protection authority in the EU says the answer is no. The European Parliament says the answer is no.

Whether that will be enough remains an open question.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us