The editorial argues that 'upload moderation' is a euphemism — once a regulator-controlled hash list runs inside Signal or any E2EE messenger before encryption, the threat model collapses. Cryptographers' position hasn't changed: this is not a privacy-safety compromise, it is the elimination of end-to-end encryption with extra procedural steps.
Breyer relaunched fightchatcontrol.eu specifically to warn that the revived CSAR text still mandates on-device scanning against server-supplied hash lists before encryption. He frames it as an 'unprecedented double-attack' on secure messaging that cannot be reconciled with E2EE guarantees.
Breyer's central alarm is procedural: the Council is reportedly trying to advance the file without a recorded open vote, deliberately sidestepping the public pressure that killed the 2023 and 2024 attempts. Combined with Commission President Metsola overriding MEPs at committee stage, he argues the file is being engineered through governance backchannels rather than democratic deliberation.
The HN submitter framed the story with the headline 'EU to legislate about Chat Control behind closed doors,' explicitly elevating the procedural backroom-deal angle over the technical mandate. The 641-point score suggests the community treats the opacity of the process — not just the policy content — as the core scandal.
Breyer's tally counts only Czech Republic, Italy, Netherlands, and Poland as firmly opposed, with Germany — historically the swing vote that killed previous drafts — now listed as undecided following a government reshuffle. He warns a qualified majority is within reach with only a handful of conversions, which is why the urgency this round is materially different from prior rounds.
Former MEP Patrick Breyer relaunched fightchatcontrol.eu this week with a blunt warning: the EU's Child Sexual Abuse Regulation — the file that the press shorthands as Chat Control — is being reanimated through procedural backchannels ahead of a critical Council meeting Friday and a follow-up Monday. The version on the table again requires providers of end-to-end encrypted messaging to scan messages on-device, before encryption, against a server-supplied hash list. The Commission calls it 'upload moderation.' Cryptographers call it client-side scanning. Functionally, it is a mandated backdoor that runs inside your Signal app.
The procedural twist is what makes this round different: the Council is reportedly trying to advance the file without a recorded open vote, sidestepping the public pressure that killed previous attempts in 2023 and 2024. According to Breyer's tally, only four member states — Czech Republic, Italy, Netherlands, and Poland — are firmly opposed. Germany, historically the swing vote that buried earlier drafts, is now reported as undecided after a government reshuffle. A qualified majority does not need many more conversions to flip.
The HN thread (641 points, climbing) surfaced the deeper context: in late June, an earlier reporting cycle flagged that Commission President Roberta Metsola had overridden MEPs to push the file through committee. That was already a constitutional eyebrow-raiser. What's happening now is the next stage — Council adoption — being engineered to happen with the lights off.
The technical claim under Chat Control has not improved since the last round, and the cryptography community has not changed its position. Client-side scanning is not a compromise between privacy and safety — it is the elimination of end-to-end encryption with extra steps. Once a regulator-controlled hash list lives inside the messenger, the threat model collapses: the scanner can be expanded, the list can be poisoned, the matching can be coerced, and there is no longer a meaningful distinction between 'we scan for CSAM' and 'we scan for whatever the current government considers a problem.' The 2021 open letter from 14 of the world's leading cryptographers — Abelson, Anderson, Diffie, Rivest, Schneier, et al. — already laid this out. Nothing about the math has changed since.
The political mechanics, though, have shifted in a way that should worry anyone shipping encrypted products. The HN commenter `kachurovskiy` asked the question that deserves a serious answer: who actually pays for the lobbying time, who walks the file through the Council secretariat, who drafts the compromise text? The honest answer is that this is the third attempt in three years, the proposal keeps coming back with the same core mechanism and different wrapping, and the institutions pushing it have learned that the open-vote path loses. So they're trying the closed-door path. The pattern is now indistinguishable from a regulator that has decided the policy outcome first and is shopping for a procedural route second.
The enforcement reality is messier than either side admits. As HN user `moniosi` noted, the internet is not a small set of providers — anyone can open an encrypted TCP socket, and Signal-protocol implementations are open source. Chat Control cannot meaningfully stop a determined user with a self-hosted Matrix server or a sideloaded build. What it *can* do is force every mainstream messenger distributed through the Apple and Google EU storefronts to ship the scanning hook. That captures roughly 99% of real-world traffic, which is the political point. The other 1% — journalists, dissidents, security researchers, criminals — will route around it, which is exactly the population the regulation claims to target.
The community reaction has been unusually unified across normally fractious camps. Signal's Meredith Whittaker has previously stated Signal will withdraw from the EU rather than ship client-side scanning. Threema has said the same. Matrix's Matthew Hodgson has been writing about this for two years. The position is not 'we don't care about child safety' — it is 'a backdoor for one is a backdoor for all, and that math is not negotiable.'
If you ship anything that does end-to-end encryption to EU users — a messenger, a backup product, a healthcare app, an enterprise secrets manager with a mobile client — you need a contingency document on the shelf, not in someone's head. The practical question is no longer 'will this pass?' but 'what does our EU posture look like the morning after it does?' Three concrete things to figure out this week:
First, geofencing. Can you cleanly disable the EU build, the way Signal has publicly committed to doing? If your release pipeline cannot ship a region-specific binary, now is the time to find out, not the day the regulation enters into force. Second, the scanning interface. If you decide to comply — which some commercial products will, because withdrawal is not an option for a B2B SaaS with EU enterprise contracts — what does the integration actually look like? The Commission has been deliberately vague about the technical specification, which means the implementation cost is unknown and the audit surface is unbounded. Third, your data residency story. EU customers will start asking 'is my data scanned before encryption?' the day this passes. You need an answer that is true.
The second-order effect worth pricing in: the moment the EU mandates a scanning hook, every other jurisdiction with an authoritarian streak gets a turnkey legal template. The UK's Online Safety Act already has the powers in latent form. India's IT Rules already require traceability. China would adopt the EU's hash-list architecture in a week. The cryptographic infrastructure of the open internet is being rewritten by precedent, and the precedent is being set in a room with no transcript.
Friday's meeting is the inflection point. If the file moves to trilogue, the substantive debate is effectively over — trilogues are negotiated in private, and the text that emerges is voted up or down without amendment. The window for engineering input is now. fightchatcontrol.eu has a per-country MEP contact tool that takes about ninety seconds. If you ship encrypted software to EU users, ninety seconds is a reasonable insurance premium against having to rewrite your threat model in Q3.
I have to admit that I don't understand how they can push for this so often! Wasn't this rejected not so long ago?
Just 4 countries are against: Czech Republic, Italy, Netherlands, and Poland.https://fightchatcontrol.eu/
Related recent discussion:>European Commission's Metsola Overrides MEPs to Force Through Chat Controlhttps://news.ycombinator.com/item?id=48657675 (45 comments)
Instead of the usual knee-jerk it would be nice to see some level-header analysis on mechanics of these things - who pays for the time of the people that decide to push this particular piece of legislation, how they manage to get into the door, who personally makes the proposal, how they gather supp
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The common fallacy people have regarding chat control (and should be clarified) is that it's not like internet is made of a few select providers, anyone can open an encrypted tcp connection from an ip to another, and the global traffic is too massive to be scrutinized, also the most widely avai