EU does not give up: Chat Control opens the door to mass surveillance of the population

It seems that the European Union has not given up on Chat Control, a proposal that would enable the monitoring of all private messages of EU residents. The revised version of the content monitoring proposal aimed at combating child sexual abuse online (CSAR), publicly known as Chat Control, has officially returned to the table of European governments and is receiving a significantly warmer reception than before. However, while the EU Council speaks of a ‘successful compromise’, digital rights experts warn that this is a political manipulation that still opens the door to mass surveillance of the population.

The new version of the law removes all provisions regarding the direct obligation to scan communications and at least formally introduces a model in which the scanning of message content is ‘voluntary’ for service providers. After more than three years of blockage, many in the Council believe that this is the way to an agreement.

What is changing

According to the latest draft, chat and messaging service providers would no longer be required to automatically scan all URLs, photos, and videos exchanged by users. Instead, they could ‘voluntarily’ choose to scan content in search of suspicious materials.

However, the key is hidden in the details, as Article 4 introduces a new formulation regarding ‘risk mitigation measures’. For services assessed as ‘high-risk’, competent authorities could require them to take ‘all appropriate measures’ to reduce the risk of abuse, which means that it is not truly voluntary if assessed otherwise.

For critics, this is the real problem. In practice, service providers, from WhatsApp and Signal to email providers, can be de facto forced to implement scanning, even though it is ‘voluntary’ on paper.

Political deception

Long-time critic of Chat Control, digital rights lawyer and former MEP Patrick Breyer, calls the new proposal ‘a political deception of the highest order’.

– This is a political deception of the highest class. After loud protests, several countries, including Germany, the Netherlands, Poland, and Austria, said ‘no’ to indiscriminate chat control. Now it is coming back to us through the back door, disguised, more dangerous, and more comprehensive than ever. The public is being made a fool of – warns Breyer.

In his assessment, the provision on ‘risk reduction’ in Article 4 makes the removal of the explicit obligation to scan practically worthless, as it allows for the same demands to be made again through risk assessment and regulatory pressure, which is scanning everything, for everyone.

Breyer particularly warns that such a loophole in the law could very quickly impose client-side scanning (CSS), scanning directly on smartphones and computers before messages are encrypted, which, Breyer warns, would mean the ‘end of secure encryption’.

And the breaking or circumventing of encryption, the technology that services like Signal, WhatsApp, and VPNs use to protect private communication, is the key reason why the original proposal faced so much resistance.

In other words, the text says ‘voluntary’, but the power structure and the formulation ‘all appropriate measures’ allow authorities to pressure platforms to implement exactly what the public rejected, which is mass scanning.

From images to texts and metadata

Another controversial novelty, emphasizes Breyer, is that the compromise draft goes further than the previous proposal. While the old proposal primarily focused on scanning photos, videos, and links, it now explicitly opens the space for the analysis of textual messages and user metadata.

This means that algorithms and AI tools would not only review the files we send but also the words we write and information about who, when, and how often we communicate. For critics, this is a shift from targeted measures to an infrastructure that looks and functions like mass surveillance.

– No artificial intelligence can reliably distinguish between flirting, joking, irony, and the crime of grooming. Imagine your phone scanning every conversation with your partner, child, or therapist and sending them to unknown people just because the words ‘love’ or ‘let’s meet’ appear somewhere. This is not child protection; it is a digital witch hunt – warns Breyer.

A new feature is also a strong focus on mandatory age verification, as the draft foresees mechanisms by which platforms must know who is a minor and who is not, which practically means that users would have to show ID, use ‘digital IDs’, or biometrics (facial recognition, documents), as otherwise, you cannot reliably distinguish a 15-year-old from a 25-year-old. That is precisely why the EU wants to introduce the EU Digital Identity Wallet, which is announced for next year.

If this ultimately happens, we arrive at the consequences that Breyer and others have previously pointed out. This is de facto the end of anonymity on the internet because to open an account for chat or email, you would first have to prove who you are.

No means no

Breyer is not alone in his criticisms. Among many critics is the encrypted email service Tuta (formerly Tutanota), which warns of the consequences of the new rules for communication security. On the social network X, Tuta states that Danish Minister of Justice Peter Hummelgaard, whose country is leading the Council and pushing the compromise text, ‘does not understand that ‘no’ means ‘no’, alluding to the previous rejection of mandatory scanning orders. For these providers, this is not an academic discussion but a matter of user trust because if the EU establishes a legal framework in which ‘voluntary’ scanning can easily turn into a business condition, the entire model of strong encryption and privacy becomes shaky.

What’s next

The proposal is now in the hands of Coreper, the committee of permanent representatives of member states that prepares decisions for the EU Council. If Coreper confirms it as a common position of the Council, Chat Control in its new form will move to the next phase, which is negotiations with the European Parliament. For advocates of digital rights, this is a crucial moment. Member state governments are ready to accept a compromise that allows them to show the public ‘concessions’, without an explicit obligation to scan but at the same time retain sufficiently broad formulations to practically obtain almost everything they originally sought.

How long this ‘compromise’ will withstand legal and political scrutiny will only be known after MEPs once again put privacy, encryption, and the limits of state surveillance on the table.