Troubling times ahead: Chat Control 2.0 is coming up, a law that would force all EU citizens to surrender their private messages, effectively breaking end-to-end encryption for everyone.
I’m sad to see this issue is back on the table again (after previous failed attempts), and even more saddened by the severe lack of critical thinking and media coverage around this topic. Just in case you missed it, here’s a brief explainer, courtesy of stopscanningme.eu:
Chat Control, formally known as Regulation to Prevent and Combat Child Sexual Abuse (Child Sexual Abuse Regulation, or CSAR) is the proposal for an EU-wide AI-powered Child Sexual Abuse Material (CSAM) scanner. Originally proposed by Sweden’s then European Commissioner for Home Affairs Ylva Johansson, version 2.0 is currently spearheaded by Denmark’s Minister of Justice Peter Hummelgaard, a strong opponent of privacy being a civil liberty:
Vi er nødt til at bryde med den totalt fejlagtige opfattelse af, at det er enhver mands frihedsrettighed at kommunikere på krypterede beskedtjenester, som bliver brugt til at facilitere mange forskellige alvorlige former for kriminalitet.
Translated:
We need to break with the totally mistaken perception that it is every man’s right to communicate on encrypted messaging services, which are used to facilitate many different serious forms of crime.
In its current form, Chat Control is an EU-sanctioned backdoor effectively breaking end-to-end encryption (E2EE) in all major communication platforms. This means obvious targets such as Signal, WhatsApp, and practically all social media platforms in general, but also less obvious targets, such as email, dating apps, your personal iCloud storage, you name it.
The EU has had its eyes on E2EE for quite a while, and explains that it struggles to gain a "lawful" grip on the use of encryption to conceal harmful activities, consistently mentioning child sexual abuse (CSA) as the main argument legitimising its endless crusade. We get it: who would oppose protecting children?
Breaking encryption is a recurring theme that law enforcement and other opposing parties have traditionally lobbied for. This is effectively an adversary-in-the-middle (AitM) attack, where Mallory would be able to intercept messages:
Experts have long warned against weakening encryption, including the proposed use of the Clipper Chip, i.e. the government backdoor facilitating governmental mass surveillance, back in the 90s. Then, in the early 2000s, the NSA intentionally backdoored the Dual_EC_DRBG encryption algorithm, which the Snowden revelations confirmed, along with the clandestine Bullrun decryption program. Many, many more examples could be listed, and have in fact already been implemented without much of the public’s awareness.
Current attempts that are being publicly debated now propose adding mandatory government-owned keys. The argument is that, this way, encryption does not need to be tampered with, let alone broken. However, this effectively bypasses and nullifies E2EE. The whole point of E2EE is that no one but Alice and Bob has access, without Mallory snooping. Instead, we get:
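What a mandatory extra key does to a message, as an added example that is not part of the original post: the cipher is left untouched, yet every key the message is wrapped for can read it. The toy Diffie-Hellman group, the SHA-256 keystream and the names `seal`, `open_as` and `escrow` are illustrative assumptions, not any messenger's real protocol.

```python
import hashlib, hmac, secrets

# Toy finite-field Diffie-Hellman parameters, chosen for brevity (assumption);
# a real messenger would use a vetted construction such as X25519 with an AEAD.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def xor_stream(key, data):
    # SHA-256 in counter mode as a stand-in stream cipher (toy).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(plaintext, recipient_pubs):
    """Encrypt once under a random message key; wrap that key per recipient."""
    msg_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keypair()
    ciphertext = xor_stream(msg_key, plaintext)
    return {
        "eph_pub": eph_pub,
        "ciphertext": ciphertext,
        "tag": hmac.new(msg_key, ciphertext, hashlib.sha256).digest(),
        # Every public key listed here gains full read access to the message.
        "wraps": {name: xor_stream(shared_key(eph_priv, pub), msg_key)
                  for name, pub in recipient_pubs.items()},
    }

def open_as(envelope, name, priv):
    """Return the plaintext, or None if this key was not given access."""
    wrapped = envelope["wraps"].get(name)
    if wrapped is None:
        return None
    msg_key = xor_stream(shared_key(priv, envelope["eph_pub"]), wrapped)
    tag = hmac.new(msg_key, envelope["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, envelope["tag"]):
        return None
    return xor_stream(msg_key, envelope["ciphertext"])
```

Sealing a message for Bob alone leaves the escrow key with nothing to open; sealing the same message for Bob plus a mandated escrow key hands its holder the plaintext without touching Alice's or Bob's private keys.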
We’re talking about surrendering our fundamental right to privacy (EU Charter of Fundamental Rights, articles 7 and 8) of all 450 million EU citizens, all because of a very few very bad apples. Experts are again warning against such measures, specifically mentioning:
[U]nprecedented capabilities for surveillance, control, and censorship and has an inherent risk for function creep and abuse by less democratic regimes.
Moreover, the experts argue:
[I]t is simply not feasible to perform detection of known and new CSAM for hundreds of millions of users with an acceptable level of accuracy, independently of the specific filter.
Indeed: this means scanning all private communications of all EU citizens, subjecting them to a non-transparent, error-prone, AI-powered surveillance machine, not to mention flooding law enforcement with a deluge of false positives. Today it’s flagging for CSAM; tomorrow it’s flagging political views and other 'undesirable' content or views, and who gets to decide what’s undesirable?
We would be much better off investing more in education and raising awareness. Police, teachers, caretakers and parents should be better equipped with the knowledge and skills needed to catch signs early and act quicker. Victims should be able to report anonymously, and not be afraid to talk to police officers or service providers, who should be able to answer their needs.
Here in The Netherlands we have De Kindertelefoon, a free helpline for children offering them a way to talk confidentially about subjects they feel uncomfortable talking about with others around them (e.g. friends, teachers, or even their caretakers). Many more such child helplines exist in other countries, and children should be aware help is only a phone call away.
The Internet Society’s (ISOC) Online Child Safety Expert Working Group (OCSEWG) published a paper last year describing how encryption actually helps protect children online, rather than the other way around. In fact, the United Nations anchored privacy as a children’s right. There’s even a child-friendly version of this Convention.
Encryption plays a vital role in a free democracy and is keeping everyone safe, including our children. Meredith Whittaker put it well:
Either [encryption] works for everyone, the person you hate the most in the world, the person you love the most in the world. Both need to have access, or it doesn’t work.
On 2025-10-14, just two weeks from now, the EU will vote on implementing this backdoor in all chat apps serving any and all EU member states, pushing hard for passing this bill despite long-time strong opposition from technical experts, civil rights groups, and citizen-led initiatives.
If we don’t remain vigilant, this will mark a tipping point in history where the EU unwittingly relinquished its privacy in a manner one would typically expect of oppressive regimes such as China or Russia. Certainly not the EU, the same entity which implemented GDPR. So far it doesn’t look too good:
A totalitarian regime’s wet dream, unthinkable in a free democracy and fundamentally incompatible with our established human rights. Even harming our children’s rights, ironically obstructing the very issue it aims to prevent.
Every few years we see these kinds of misguided proposals being debated again, with experts and civil rights groups fighting them tooth and nail every time. It’s the crypto wars all over again, endlessly repeating themselves, each time dressed in slightly different wording or dressed up with new justifications, all in an effort to keep finding new ways in, legitimising the exact same direful precedent: permanently weakening encryption, and binning privacy for everyone. A problem practically as old as time itself.
Unless we act, our rights will erode with it. Contact your MEPs, support civil rights groups, and spread the word, because silence is exactly what this proposal depends on.
In the immortal words of Inspirational Skeletor:
- Proposal overview: https://stopscanningme.eu/
- Current status: https://fightchatcontrol.eu/
- Long reads: