The European Union's Chat Control regulation - formally known as the Child Sexual Abuse Regulation (CSAR) - has become the most controversial surveillance proposal in modern European history. Since its introduction in 2022, it has survived a wave of legal challenges, multiple failed Council votes, and a united front of opposition from privacy advocates, cryptographers, and the messaging platforms it targets. The core of the controversy is simple: Chat Control would require every messaging app operating in the EU to scan private messages automatically - including those protected by end-to-end encryption.
What Is Chat Control
In May 2022, European Commissioner Ylva Johansson introduced a proposal requiring communications platforms to detect, report, and remove child sexual abuse material (CSAM) in user messages. The regulation would give national authorities the power to issue "detection orders" compelling any messaging service - regardless of its encryption model - to scan content before delivery.
The stated goal is to fight child abuse. The technical implication is something else entirely: to scan encrypted messages, a service must read them before they are encrypted. This is called client-side scanning (CSS) - the app scans your message on your device, before sending it, and flags matches against a database of prohibited content. The result is end-to-end encryption that is no longer end-to-end.
How Client-Side Scanning Breaks Encryption
The technical community has been nearly unanimous on this point. A 2021 paper by cryptographers at MIT, Stanford, and other institutions described client-side scanning as "a backdoor by another name." The problem is not just privacy - it is security. Any scanning system that can flag CSAM can be repurposed to flag political speech, journalism, or anything else a government decides to add to the detection database.
Signal's president Meredith Whittaker warned that scanning demands from UK authorities follow the same logic as Chat Control - and that no technical implementation can limit scanning to a single category of content once the infrastructure exists. The database of what gets flagged is controlled by the authority issuing the detection order, not by the messaging platform.
The UK's National Crime Agency went further, publicly framing end-to-end encryption as a child safety threat - a narrative Chat Control backers have adopted at EU level. Telegram founder Pavel Durov called this framing a deliberate strategy to build public support for surveillance infrastructure under the cover of protecting minors.
The Timeline: Votes, Vetos, and Stalemates
The Chat Control proposal has faced repeated rejection at the Council of the EU, where a qualified majority of member states must agree before legislation advances to trilogue with Parliament.
- 2022: European Commission publishes CSAR proposal. Immediate backlash from civil society and technical experts.
- 2023: European Parliament adopts its position, explicitly excluding end-to-end encrypted communications from detection orders - a major win for privacy advocates.
- June 2024: Belgium, holding the Council presidency, calls a vote. Germany, Austria, the Netherlands, and several other states vote against. No qualified majority. Vote collapses.
- Late 2024: Hungary presidency attempts a modified version. Same result - no majority.
- 2025: Poland presidency allows the proposal to stall. No new vote scheduled.
The gap between the Parliament's position (exclude E2E) and the Commission's original text (scan everything) has never been bridged. The file remains open but effectively frozen.
Who Opposes It and Why
Opposition to Chat Control spans an unusually broad coalition. Germany's position has been the most consistent - the German government stated explicitly that it would not support any legislation requiring the breaking of encryption. The Netherlands, Austria, Estonia, Finland, and Luxembourg have expressed similar positions.
The messaging platforms affected have taken a harder line than in most regulatory disputes. Signal stated it would exit the EU rather than implement scanning. Threema and ProtonMail made similar commitments. Apple, which had briefly proposed its own client-side scanning system for iCloud in 2021 before withdrawing it after privacy criticism, has opposed mandatory EU implementation.
Canada's Bill C-26 and Australia's TOLA Act follow a parallel logic - mandating technical assistance to law enforcement in ways that effectively require backdoors. As our comparison of backdoor laws across Russia, UK, Canada, and Australia shows, the "child safety" framing recurs across jurisdictions while the underlying surveillance infrastructure is identical.
What Happens If It Passes
If Chat Control becomes law in any form that includes E2E-encrypted services, the practical consequences are predictable. Messaging apps would face a choice: implement scanning, exit the EU market, or face fines. For platforms with large EU user bases, exiting is economically painful but legally clean.
For users who remain in the EU, the result is the permanent end of private digital communication through any platform that complies. Every message would pass through an automated filter before delivery. The filter's database would be controlled by EU authorities and updated without user visibility or consent.
Secondary effects would include accelerated adoption of decentralized protocols (Matrix, Nostr, Briar) that cannot easily be forced to comply, along with a probable surge in VPN usage to reach platforms that have exited the EU market. These are the same patterns visible in countries with active censorship regimes - Chat Control would simply apply them to a democratic bloc of 450 million people.
Where This Leaves Privacy Tools
A VPN encrypts your traffic between your device and the VPN server. It does not protect message content from client-side scanning, because the scan happens on the device before the message enters any network. Against Chat Control, a VPN is not a technical countermeasure - it is a way to access services that have exited the EU, assuming those services remain available over a non-compliant connection.
The more relevant category of tools is jurisdictional choice: services headquartered outside the EU, running on infrastructure outside the EU, subject to legal processes outside the EU. Open-source, decentralized protocols where no single entity can be served a detection order are the most resistant architecture. The broader lesson from Chat Control is that privacy increasingly depends on where servers are, which laws govern them, and whether any single point of control exists - not just on what encryption algorithm is used.
