The editorial argues the technical objection is unchanged in three years: relocating the match from server to device doesn't restore E2E's mathematical guarantees, it just moves where they break. Cites Signal's Meredith Whittaker and Threema publicly committing to withdraw from any market that mandates client-side scanning as evidence that the industry treats this as an encryption-breaking measure, not a compromise.
As rapporteur, Zarzalejos framed the LIBE-approved text as a compromise: text messages are now excluded from scanning, and detection orders would be issued per-service rather than as a blanket mandate on every provider. His position is that these narrowings address the worst civil-liberties concerns while retaining the enforcement mechanism needed to detect CSAM.
Whittaker has publicly committed that Signal will withdraw from any market that mandates client-side scanning, treating the requirement as incompatible with Signal's core guarantee rather than something to be engineered around. Threema has taken the same position, suggesting a coordinated industry stance that the EU will lose access to privacy-preserving messengers rather than force them to comply.
The reporting frames the 51-30 LIBE vote as an unexpected revival of a file most observers had left for dead after Belgium, Poland, and Hungary each failed to secure a Council majority between 2023 and 2025. Denmark holding the rotating presidency and being one of the loudest proponents of the original 2022 text signals a serious push for adoption in trilogue before the end of its term.
By submitting the heise story with the framing 'Chat Control passed first round in EU Parliament' and driving it to 460 points, the submitter signals that the developer community should treat this as a live legislative threat rather than another failed attempt. The high engagement reflects a shared view that the proposal's revival matters and warrants attention now, before plenary and trilogue.
On July 3, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) narrowly approved a revised version of the CSA Regulation — the file better known to engineers as Chat Control. The vote, reported first by heise online from Strasbourg, revives a proposal that most observers had left for dead after Belgium, Poland, and finally Hungary each failed to muster a Council majority between 2023 and 2025.
The new text keeps the core mechanism that cryptographers have objected to since the 2022 draft: mandatory client-side scanning of images, videos, and URLs before they are encrypted and sent. Rapporteur Javier Zarzalejos (EPP, Spain) framed the revision as a compromise — text messages are now excluded from scanning, and "detection orders" would be issued per-service rather than blanketing every provider. But the on-device hash-matching and AI-classifier requirement remains, and it still applies to end-to-end encrypted messengers including Signal, WhatsApp, iMessage, and Matrix.
The committee vote was 51 to 30 with a handful of abstentions. It sends the file to a plenary vote later this summer and then into trilogue with the Council, where Denmark — currently holding the rotating presidency and one of the loudest proponents of the original 2022 text — is expected to push hard for adoption before the end of its term.
The technical objection has not changed in three years and it will not change now. Client-side scanning is a backdoor with better PR — the fact that the match happens on your phone rather than on a server does not restore the mathematical guarantees of end-to-end encryption; it just relocates where they break. Meredith Whittaker of the Signal Foundation has said publicly that Signal will withdraw from any market that mandates client-side scanning, and Threema has said the same. WhatsApp's position is more ambiguous, but Will Cathcart's 2023 statement — that WhatsApp would rather lose EU users than compromise its cryptographic guarantees — has not been retracted.
The more interesting shift is on the government side. The revised text tries to defuse the "mass surveillance" framing by making detection orders targeted and judicially reviewed. In practice, engineers who have read the annexes note that the targeting criteria ("significant risk of the service being used for CSAM") are broad enough to cover essentially any general-purpose messenger. The Chaos Computer Club's Linus Neumann called the compromise "a rebranding, not a redesign" in a Mastodon thread that was making the rounds on HN yesterday.
There's also the AI-classifier problem, which has gotten worse since 2022, not better. The original proposal assumed a perceptual-hash lookup against a known-CSAM database; the new text explicitly permits "AI-based detection of previously unknown material," which means a neural classifier running on every image you send. False-positive rates for these classifiers, based on the leaked Meta and Apple internal numbers from 2022, sit somewhere between 1-in-10,000 and 1-in-1,000 depending on threshold. At EU-wide message volume, that is millions of innocent images per day being forwarded to human reviewers at a national coordination center — the exact mass-surveillance outcome the compromise is supposed to prevent.
Apple's abandoned 2021 CSAM-scanning project is the elephant in this room. Apple built the system, security researchers ripped it apart within weeks (including a demonstrated hash collision), and Apple quietly shelved it in 2022 while telling the New York Times that client-side scanning "is not possible to implement without ultimately imperiling the security and privacy of our users." The EU is now on track to legally require the exact architecture Apple's own engineers concluded was unsafe to ship voluntarily.
If you ship an E2EE product with EU users, this is no longer a policy problem you can outsource to your trust-and-safety team. Start modeling three things now.
First, the SDK question. A mandated on-device classifier is a large binary that has to be updated out of band, run in the same process as your messaging code, and have access to plaintext. That is a new and very juicy attack surface. Your bug bounty scope just doubled, and you inherit the classifier vendor's supply chain — which, based on the current shortlist circulating in Brussels, means Thorn or a similar NGO-adjacent vendor with no track record of shipping production mobile code. Pin your dependencies now, because the political timeline is faster than your procurement one.
Second, jurisdictional splits. If Signal and Threema actually pull out, and if WhatsApp forks its EU build, you will be dealing with a fragmented messenger landscape for the first time since the Blackberry era. Products that rely on universal reach — 2FA over WhatsApp, customer support over iMessage, Signal-based whistleblower intake — need a fallback. SMS is not it; a mandated scanner would apply to any operator-of-record messaging service. Matrix self-hosting inside the EU might become the compliance-friendly middle path, which is a strange thing to write in 2026 but here we are.
Third, the storage angle that most coverage is missing. The regulation's scope extends to "hosting services," which means Nextcloud, Proton Drive, Tresorit, and self-hosted encrypted backup solutions. If you're shipping a product where users encrypt files client-side and you store the ciphertext, you may be required to run a classifier on the plaintext before upload. That breaks the entire zero-knowledge model most of these products are sold on.
The plenary vote is not a foregone conclusion — the 2024 attempt died in Council after Germany and the Netherlands flipped, and both governments have publicly restated their opposition since. But the Danish presidency is aggressive, the LIBE margin was wider than expected, and the political energy around online child safety has only intensified since the UK's Online Safety Act came fully into force. The technically correct answer — that mandatory client-side scanning cannot coexist with end-to-end encryption — has been on the table since 2022 and has not moved a single vote. The engineering community should stop assuming the argument will be won on merit and start planning for the world in which it isn't.
From a post on Mastodon:> democracy is when you repeatedly push for unpopular laws until they pass, and the more times you do it the more democratic it isIt is unlikely that 60 additional “no” votes can be found by Thursday to stop this.
So many comments about the EU constantly re-trying the same law with minor tweaks, and about how legislatures do this in general. I wanted to provide an explanation for this behaviour.The way legislation is expected to proceed in countries with parliamentary systems, especially with strong civil ser
“We decide on something, leave it lying around, and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back.”And“If it's a Yes, we will say 'on we go', and if it'
Even if you are not in the EU, this will affect you. Some countries really like to copy such regulations from others. Once services starts complying, other governments will go like "if you did for them, you can do it for us, right? so it's not technically impossible", and things only
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
"The procedure now chosen gives the proponents of Chat Control a significant tactical advantage. Since the law is in its second reading, an absolute majority of 361 votes of all parliament members is required for amendments or a renewed rejection on Thursday. In contrast, a simple majority of t