Despite three years of debate, the EU is bringing back Chat Control. Researchers denounce intrusive monitoring of communications and the weakening of end-to-end encryption.
Context
First Chat Control proposal: 2021
Successive open letters: 2021, May 2024, Fall 2024, September 2025
Presidencies involved: Belgium, Hungary, Denmark
Main targets: WhatsApp, Signal, Messenger, other encrypted apps
Expected EU Council vote: October 15, 2025
Supporters: France, Austria, 13 other countries
Opponents: Netherlands, Poland, undecided Belgium
Light version adopted by Parliament: October 2023
The Council of the European Union is once again debating the Chat Control project, a law aimed at scanning communications and images to fight child sexual abuse. Presented as a compromise, the latest Danish draft still preserves client-side scanning and the option to extend surveillance to text and audio messages. Researchers like Bart Preneel (KU Leuven) denounce this as a serious attack on end-to-end encryption and fundamental rights. After four open letters and several compromise attempts, the project remains contested. The October 15 vote will decide whether the EU chooses privacy protection or preventive surveillance.
A contested return despite compromises
Chat Control resurfaced in 2024 after a brief retreat. The proposal would force messaging apps to enable scanning on the sender’s device, blocking the transmission of known CSAM (Child Sexual Abuse Material). But this also means systematic analysis of private images, including ordinary family photos.
Under the Belgian and then Hungarian presidencies, several compromises circulated. Each time, researchers responded with an open letter. In 2021, more than 150 signatories raised concerns. In May 2024, a second letter brought together 250 experts. In Fall 2024, a new version claimed to soften the project. But Preneel denounced these as “fictional measures” that left the surveillance logic untouched.
For him, end-to-end encryption, comparable to a sealed envelope, loses all meaning if an algorithm inspects the message before sending. “It’s like a postal company installing a camera in your home to check what you put in the envelope,” he told Belgian newspaper LeVif.
The 2025 Letter
The letter, dated September 9, 2025 and signed by 617 researchers from 35 countries, responds to the new compromise proposal of July 24, 2025 regarding the EU regulation against child sexual abuse. The authors welcome procedural improvements such as easier reporting and faster handling of notifications. But they warn the core remains unchanged: client-side scanning makes end-to-end encryption meaningless and introduces a single point of failure. The proposed technologies (AI, image and URL detection) are deemed scientifically ineffective, easy to bypass, and prone to massive false positives. Implementation would create a tool of generalized surveillance, opening the door to broader uses (function creep) by less democratic regimes. Mandatory age verification undermines anonymity, increases censorship risks, and could lead to banning privacy tools like VPNs. The researchers stress that combating abuse must rely on education, prevention, victim support, and trauma-informed hotlines, not intrusive technologies that undermine Europe’s digital security. Among the 617 signatories, 50 are affiliated with French institutions.
Technological and legal flaws
The latest Danish proposal of July 2025 temporarily excludes text and audio messages, focusing on images and URLs. But the text explicitly allows adding these formats later. For researchers, this is a maneuver to defuse criticism without changing the substance.
Another novelty: the category of “high-risk services,” subject to detection obligations. It includes the main encrypted messaging apps used daily by hundreds of millions of Europeans. The system therefore targets not marginal services but mainstream communication channels.
The return of AI for detecting new images also draws criticism. Previously dropped in a 2024 compromise, the mechanism has reappeared. Preneel calls it technologically uncertain and likely to produce a flood of false positives, misclassifying medical or family photos as suspicious. Law enforcement would be overwhelmed, while thousands of innocent users would be flagged.
Finally, mandatory age verification is highlighted as a source of complexity and vulnerability. It would compromise anonymity, open the door to censorship, and be easily bypassed with VPNs or third-party accounts, while weakening security systems.
A democratic risk
Beyond technical aspects, Preneel warns of a slippery slope. Chat Control starts with child abuse, but once the technology is in place, nothing prevents its expansion. “Today it’s CSAM. Tomorrow it will be terrorism. The day after, political dissidents,” he warns.
He recalls that Apple attempted in 2021 to introduce a similar client-side scanning system before abandoning it, judging the implementation too complex and risky. “If this intent is maintained, the legislation will miss its goal,” he concludes.
For the signatories of the open letters, the real answer lies elsewhere: education, prevention, victim support, and stronger funding for specialized centers. Generalized scanning, they argue, will not stop abuse at its source.
Despite three years of negotiations, the project still preserves client-side scanning, which renders encryption meaningless. The central question remains: can Europe reconcile child protection with unbreakable encryption, without tipping into mass surveillance? [ZATAZ News English version]
