A serious threat is looming in the European Union: the “Chat Control” bill (officially — CSAR) proposes that all user messages be scanned by algorithms before encryption. This marks a transformation from protecting children online to mass surveillance of private communications.
1. What is Chat Control / CSAR
Officially called the Regulation to Prevent and Combat Child Sexual Abuse (CSAR), it was proposed by the European Commission on May 11, 2022.
Critics call it “Chat Control 2.0.” It seeks to extend mandatory scanning — including client-side scanning — to all communications, even encrypted ones.
2. How It’s Supposed to Work — the Mechanism of Total Scanning
Client-side scanning means checking the message content on a user’s device before encryption. If suspicious material is detected, the message can be blocked or flagged for review.
The bill introduces “detection orders” requiring platforms to scan messages and report findings to authorities.
The mechanism could target not only known CSAM materials but also “unknown” patterns detected by AI.
The control would also apply to non-EU services if they operate within the European market.
Some versions of the law propose exceptions for government communications, creating double standards.
3. Key Dates and Legislative Timeline
- September 12, 2025 — EU member states must finalize their positions in Council working groups.
- October 14, 2025 — possible date for the Council vote.
- Late 2025 / early 2026 — the start of trilogue negotiations between the Parliament, Council, and Commission, if the text is approved.
- April 3, 2026 — end of the temporary derogation period, extended earlier to maintain the current framework.
The existing temporary regulation (Regulation 2021/1232) was extended until April 3, 2026.
4. Concerns: A Tool for Mass Surveillance
While the bill is presented as a measure to protect children, critics argue it’s an extreme step toward full control over private communications.
Scanning all messages isn’t a targeted approach — it’s universal monitoring with vast potential for abuse.
The risk of “function creep” is high: today it’s about CSAM, tomorrow it could be used against political activists, journalists, or dissenters.
Algorithms are imperfect — false positives can lead to the blocking of innocent content.
It undermines end-to-end encryption: if the device reads plaintext, it creates a new vulnerability.
Legal concerns have been raised about the bill’s compatibility with the EU Charter of Fundamental Rights (Articles 7 and 8).
5. Industry Response: A Warning Signal from Signal and Others
Signal has stated that if the law mandates client-side scanning, they are willing to leave the EU market rather than compromise on privacy and encryption principles.
Signal president Meredith Whittaker said: if it comes to a choice between building a surveillance system or leaving — they’ll leave.
Signal compares Chat Control to malware — message scanning that acts like spyware on a user’s device.
Other providers, such as Tuta Mail, have also expressed readiness to take legal action and resist the legislation.
• ComplianceHub — EU Chat Control: Final Hours Before September 12 Deadline
• TechRadar — The EU could be scanning your chats by October 2025
• EuroParl — Proposed Chat Control law presents new blow for privacy
• ComputerWeekly — Chat Control: EU to decide on scanning encrypted messages
• Tuta Mail — Chat Control criticism
• EFF — Chat Control Is Back on the Menu in the EU
• Signal statement PDF — For Signal, Chat Control is existential threat
• ComputerWeekly — Chat Control plans pose catastrophic risk
• PPC Land — Signal threatens to exit Germany over Chat Control
