Protecting children isn't a fig leaf, it's a duty. But a mechanism like Chat Control that scans private messages on a large scale is a scalpel with a mace handle. It creates an infrastructure too easy to repurpose for far less noble purposes. Today it's "just" child pornography. Tomorrow "extreme content." The day after tomorrow "anti-state sentiment." And before you can say "expand functionality," journalists, activists, and opposition politicians end up in the crosshairs. In an age where vocal fringes across the political spectrum confuse volume with legitimacy, it's naive to think that a mass inspection machine, once established, will never be used against inconvenient voices.
On 8 October 2025, the Council of the European Union was due to vote on the chat control proposal, formally known as the Regulation for the prevention and fight against child sexual abuse (CSAR). It didn't. Germany has declared its opposition, and without Berlin, the required qualified majority has evaporated. The vote has been removed from the agenda. The proposal, however, remains in limbo, a legislative zombie that tends to return just when you think you've buried it. And that's why we need to stay vigilant; we'll talk about it again.
Client-side scanning, or: mandatory spyware. What it is, and what chat control would have been.
The proposal would have forced all messaging platforms operating in Europe (WhatsApp, Signal, Telegram, iMessage, email providers) to scan every message, photo and video before it was encrypted. The technique is called client-side scanning. In practice, this means installing analysis software directly on the user's device, which examines the content before it is sent and automatically reports any matches against databases of illegal material to the authorities.
The Danish presidency of the EU Council, which led the latest attempt to pass the law, argued that this does not compromise end-to-end encryption because the scanning occurs “before” the encryption. The argument is formally correct but substantively, and shamelessly, false. If the government gains access to one of the terminals of an encrypted communication, that communication is no longer secure. It's like saying the boat has no holes because the hole is technically above the waterline.
From an engineering perspective, client-side scanning introduces a new attack surface. Once the mandatory scanning interface exists, it becomes a target for cybercriminals, authoritarian regimes, and anyone looking to turn devices into surveillance sensors. A study published in Oxford's Journal of Cybersecurity explains how client-side scanning systems are vulnerable to multiple forms of attack and manipulation.
False positives and technical ineffectiveness
The detection algorithms are based on perceptual hashing, a technique that identifies known images by comparing them to existing databases. The problem is twofold. First: simply modifying a file slightly (cropping, rotating, changing its metadata) is enough to alter its “fingerprint” and escape detection. Anyone who really wants to spread illegal material knows how to do it. Second: the systems produce false positives. Carmela Troncoso, scientific director of the Max Planck Institute for Security and Privacy, stressed that reporting even partial matches “opens the door to the possibility that thousands of people will be reported in error”.
In medical terms, it's like mass screening with a low-specificity test. When the actual prevalence of the phenomenon is low (the vast majority of people do not share child pornography), even a 1% false positive rate generates a deluge of incorrect reports that swamp investigators and ruin innocent lives. It's basic mathematics applied poorly.
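The two points above worked through in code, as an added illustration that is not taken from the original article or from any deployed scanner: an idealised model of how a Hamming-distance tolerance for "partial matches" raises the per-image false-positive rate, followed by the base-rate arithmetic for a 1% false-positive rate. The 64-bit hash length, database size, prevalence and sensitivity are constructed assumptions.

```python
from math import comb, expm1, log1p

def pair_false_match(bits: int, threshold: int) -> float:
    """P(two unrelated hashes differ in at most `threshold` bits).
    Assumes independent, uniformly random bits: an idealisation, since real
    perceptual hashes are correlated and collide more often than this."""
    return sum(comb(bits, k) for k in range(threshold + 1)) / 2 ** bits

def image_false_positive_rate(bits: int, threshold: int, db_size: int) -> float:
    """P(one innocent image "partially matches" any of db_size known hashes)."""
    p = pair_false_match(bits, threshold)
    if p >= 1.0:
        return 1.0
    return -expm1(db_size * log1p(-p))  # 1 - (1 - p)**db_size, stable for tiny p

def screening_outcome(scanned: int, prevalence: float,
                      sensitivity: float, fpr: float) -> dict:
    """Expected reports when `scanned` images pass through the filter."""
    illegal = scanned * prevalence
    innocent = scanned - illegal
    true_reports = illegal * sensitivity
    false_reports = innocent * fpr
    return {
        "true_reports": true_reports,
        "false_reports": false_reports,
        # Share of reports that point at real material (positive predictive value).
        "ppv": true_reports / (true_reports + false_reports),
    }

# Constructed parameters, not figures from the article or any real system.
HASH_BITS = 64
DB_SIZE = 1_000_000       # known-image hashes in the matching database
PREVALENCE = 1 / 10_000   # share of scanned images that are actually illegal
SENSITIVITY = 0.90        # share of illegal images the filter catches

if __name__ == "__main__":
    for t in (0, 5, 10, 15):
        rate = image_false_positive_rate(HASH_BITS, t, DB_SIZE)
        print(f"tolerance {t:>2} bits -> per-image false-positive rate {rate:.3e}")
    # The article's 1% false-positive rate applied to one million scanned images.
    out = screening_outcome(1_000_000, PREVALENCE, SENSITIVITY, fpr=0.01)
    print(f"true reports  {out['true_reports']:.0f}")
    print(f"false reports {out['false_reports']:.0f}")
    print(f"share of reports that are correct: {out['ppv']:.2%}")
```

With these constructed inputs, a 10-bit tolerance against a one-million-entry database already lands near a 1% per-image false-positive rate, and at that rate fewer than one report in a hundred is correct.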
Signal, WhatsApp, and the Threats of Exiting Europe
Meredith Whittaker, president of the Signal Foundation, had been clear: if chat control passes, Signal leaves Europe. Not out of whim, but because the company can't keep its security promises if it's forced to install surveillance mechanisms on users' devices. WhatsApp echoed this, with its head Will Cathcart explicitly speaking of “the end of end-to-end encryption as we know it.” Tuta Mail, the German encrypted email provider, has also threatened to leave the European market or take legal action.
The proposal, incidentally, exempted government and military communications from scanning. Politicians and public officials would have maintained their privacy. The 450 million European citizens would not. Their "letters" would have been "read" first and then "enveloped." This asymmetry tells us everything we need to know about the trust the proponents place in the system they intend to impose.
Chat control, the silent mobilization
Over 500 cryptography and computer security scientists have signed an open letter against chat control. Have you heard about it? Okay, Gaza and other issues have been hot topics, but not even a mention in the news? These aren't ideological activists, but researchers who work daily with algorithms, threat models, and risk analyses. The document explains point by point why client-side scanning can't work without creating systemic vulnerabilities. A 2021 study titled “Bugs in our Pockets”, signed by authentic luminaries such as Ross Anderson and Ronald Rivest, had already anticipated all these problems.
The mobilization worked. Citizens across Europe (including us) sent emails to their representatives, explaining why the proposal was technically flawed and ethically dangerous. Public pressure helped shift some national positions. Patrick Breyer, a former German MEP and digital rights activist, called the result “a huge victory that shows that protest works.”
But the threat has not disappeared. The European Commission will likely propose an extension of the interim chat control 1.0 regulation, which allows providers to scan messages on a voluntary basis. And sooner or later, a new version of the mandatory proposal will be back on the table, perhaps with some cosmetic changes to make it more politically digestible.
As we have already reported, we will report again.
We need smart alternatives: more resources for targeted investigations, international cooperation, strengthening specialized units, and consistent prosecution where there are concrete indications. And yes, innovation in digital forensics and prevention that doesn't put everyone's privacy under general suspicion. In engineering terms, it is easier to keep secure systems safe and investigate intelligently than to deliberately make secure systems insecure and pray for miracle AI.
The weekend of preemptive emails about democracy has paid off. Today it works. Tomorrow, who knows.