Breyer argues that every prior defeat of Chat Control happened in open Council votes where journalists could publish the math and trigger a blocking minority. Shifting the file into closed-door trilogue — no public minutes, no livestreams — is a deliberate procedural workaround that strips citizens and MEPs of the only lever that has previously worked, which is why he relaunched fightchatcontrol.eu to mobilize public pressure.
By submitting Breyer's alert to HN with the framing 'EU to legislate about Chat Control behind closed doors,' the submitter foregrounds the procedural objection — that the legitimacy problem is the trilogue venue itself, not just the substance of the text. The 627-point score signals broad endorsement of that framing among the HN readership.
Breyer warns that the Danish presidency's compromise drops the headline 'scan everything' language but keeps detection orders that can compel specific providers to scan specific user populations for known and unknown CSAM plus grooming patterns. Because the orders still require client-side scanning to function against end-to-end encrypted services, the encryption-breaking machinery is preserved — only the political optics have changed.
Breyer flags the age-verification regime as the 'double threat' alongside detection orders. Any service deemed high-risk for minor contact would have to identify every user, which in practice forces ID upload or government-eID linkage and eliminates anonymous accounts on messaging, forums, and social platforms — a structural change he argues is being smuggled in under the child-safety banner.
Multiple EU-based engineers in the 400+ comment thread ask why 'on-demand scanning against specific suspects' is treated as existential when wiretap warrants already exist in every member state. Their argument is that if the order is judicial and narrow, it is procedurally indistinguishable from lawful interception, and the catastrophizing framing weakens the privacy lobby's credibility.
The European Union's Child Sexual Abuse Regulation — universally known as Chat Control — has re-entered active negotiation after eighteen months of being declared dead at least four separate times. MEP Patrick Breyer (Pirate Party, the proposal's most persistent critic) published a detailed alert this week warning that the file has moved into trilogue: the three-way closed-door negotiation between the Council of the EU, the European Parliament, and the European Commission where the final text gets hammered out without public minutes, without livestreams, and without the kind of public Council votes that killed earlier drafts in 2024 and 2025.
The shift to trilogue matters because every previous defeat of Chat Control happened in the open — a Council blocking minority forming after journalists published the voting math 48 hours before the meeting. Trilogue strips that lever. Breyer's post points to a leaked Danish presidency compromise text circulating among permanent representatives that reportedly drops the most-publicized provision (mandatory scanning of all private messages including end-to-end encrypted ones) while preserving the legal architecture for detection orders — court or administrative orders compelling specific providers to scan specific user populations for known and unknown CSAM and grooming patterns.
The second piece of the compromise, per the same leaks, is a mandatory age-verification regime for any service classified as 'high-risk' for minor contact. Breyer's organization has relaunched fightchatcontrol.eu in response, and the HN thread (627 points, 400+ comments at time of writing) is dominated by EU-based engineers asking the same question: if scanning only happens 'on demand' against 'specific suspects,' how is that materially different from a wiretap warrant, and why is the privacy community treating it as existential?
The answer to that HN question is the part worth understanding, because it's the part the press release version of this story always elides. A detection order under the current draft is not a wiretap — it's an obligation to deploy scanning infrastructure on the client device or at the service boundary, maintained continuously, even if it's only 'activated' against narrow targets. Once that infrastructure exists, the threat model collapses. The keys are on-device. The classifier is on-device. The list of hashes and 'grooming indicators' is updateable over the air. A future detection order — or a future government, or a future leak of the classifier weights — operates against a fleet of devices already wearing the collar.
This is the same architectural critique that killed Apple's 2021 NeuralHash CSAM-scanning rollout, and it's the reason Signal's Meredith Whittaker has publicly committed to pulling Signal from any EU market that mandates client-side scanning rather than ship a compromised build. The Matrix.org foundation has made similar noises. The interesting development this cycle is that Meta has gone quiet — historically a loud opponent of scanning mandates because WhatsApp's entire premium positioning rests on E2EE — and EU policy watchers read that silence as Meta having gamed out that detection orders can be satisfied with the existing on-device ML they already ship for spam and 'safety' features. If Meta can comply by repurposing infrastructure it already runs, and Signal can only comply by abandoning its threat model, the regulation effectively becomes a moat around incumbents.
The France precedent looms over all of this. France's 2023 SREN law included a near-identical age-verification mandate that has, two years in, produced exactly the dynamic critics predicted: small EU-headquartered services geofencing France out, large US platforms either accepting fines or implementing the cheapest possible compliance (a checkbox), and a thriving market in VPN subscriptions among French teenagers. The Commission's own impact assessment from the original 2022 Chat Control proposal — which the EU ombudsman later ruled had been improperly redacted — estimated false-positive rates for unknown-CSAM classifiers between 10% and 28% depending on the modality. At EU scale that is millions of innocent images and conversations routed to human reviewers per day. No one in the current trilogue has proposed a different number.
The community reaction on HN and on the EU tech-policy Mastodon is unusually unified for an internet-rights story: the consensus is that the Danish presidency compromise is worse than the original maximalist draft precisely because it's plausible-sounding enough to pass. The 2022 version was easy to oppose — 'scan everyone's messages' is a clean villain. 'Detection orders issued by a competent authority against high-risk services with age verification for minors' polls fine in every member state, and that's the version going into the closed room.
If you ship anything with a messaging primitive, a file upload, or user-to-user content delivery to EU users, three things change in your near-term roadmap. First, the compliance ask is no longer 'add a backdoor' — it's 'be ready to run a classifier we specify on content before it leaves the device,' which is a much harder ask to refuse politically because it doesn't break encryption on the wire. Start documenting now where in your pipeline content becomes ciphertext, because that line is where the legal fight will happen and your lawyers will need a clear diagram.
Second, age verification is going to be the wedge. Even if detection orders get watered down further in trilogue, the age-gate provisions look likely to survive in some form, and the implementation burden lands on every service classified as accessible to minors — which, post-DSA, is a much broader category than you'd guess. Hosting providers, code-sharing platforms, even technical forums have been swept into 'high-risk' designations in member-state implementations of adjacent regulations. Budget for ID-document handling, eIDAS wallet integration, or third-party age-estimation vendor contracts. None of those are cheap and all of them are GDPR landmines.
Third, watch what Signal, Matrix, Threema, and Wire do. They are the canaries — their threat models cannot accommodate client-side scanning, and their public response to the final trilogue text will tell you whether the regulation as passed has teeth or whether the carveouts (open-source exemptions, federation exemptions, sub-threshold-userbase exemptions) actually hold. If Signal stays in the EU after the vote, the regulation got defanged. If it leaves, the regulation has teeth and your product is next.
Trilogue typically produces a final text within three to six months once it begins in earnest, which puts a vote on the consolidated regulation somewhere in Q4 2026 or Q1 2027. The fightchatcontrol.eu relaunch is targeting MEPs in member states with shaky positions — Germany, the Netherlands, Poland — because Parliament is still the most movable institution and a strong Parliament position narrows what the Council can extract behind closed doors. The lesson from the last three years is unambiguous: this regulation does not die when it loses a vote. It mutates, rebrands, and comes back through a different door. The current door is closed, and the people inside it are not the ones you elected.
I have to admit that I don't understand how they can push for this so often! Wasn't this rejected not so long ago?
Just 4 countries are against: Czech Republic, Italy, Netherlands, and Poland.https://fightchatcontrol.eu/
Related recent discussion:>European Commission's Metsola Overrides MEPs to Force Through Chat Controlhttps://news.ycombinator.com/item?id=48657675 (45 comments)
Instead of the usual knee-jerk it would be nice to see some level-header analysis on mechanics of these things - who pays for the time of the people that decide to push this particular piece of legislation, how they manage to get into the door, who personally makes the proposal, how they gather supp
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The common fallacy people have regarding chat control (and should be clarified) is that it's not like internet is made of a few select providers, anyone can open an encrypted tcp connection from an ip to another, and the global traffic is too massive to be scrutinized, also the most widely avai