The editorial argues the word 'voluntary' is doing enormous work in a text that still empowers regulators to compel any provider deemed non-compliant. It frames the proposal as the same fight as the Clipper Chip with better PR, noting the technical mechanism — client-side scanning before encryption — has not changed and pulls every E2EE service into scope.
By surfacing the CyberInsider piece to the top of HN, ggirelli amplifies the position that the EU is one procedural step from reviving mass private-message scanning. The submission frames the Danish presidency's revisions as a cosmetic workaround to peel off the blocking minority rather than a substantive fix.
The editorial catalogs an unusually unified opposition: 500+ cryptographers signed an open letter saying client-side scanning cannot be made safe, the European Data Protection Supervisor called it a red line, and even the Council's own legal service warned earlier drafts likely violated the Charter of Fundamental Rights. Despite this, the file keeps advancing — evidence that the policy process is decoupled from the technical and legal record.
The article portrays the Danish presidency's move as reviving a proposal that was killed twice by German and Polish opposition, using cosmetic edits — reframing scanning as 'voluntary' — to peel off swing states. It emphasizes that scope, mechanism, and detection orders remain intact, so the political maneuver, not the underlying policy, is what changed.
The EU Council is one procedural vote away from adopting the CSA Regulation — better known as Chat Control — after Denmark, holding the rotating Council presidency, pushed a revised text that its predecessors could not get past a blocking minority. The proposal has been ricocheting around Brussels since 2022, killed twice by German and Polish opposition, and is now back on the agenda with just enough cosmetic edits to peel off swing states.
The headline change from earlier drafts: scanning is no longer explicitly mandatory. Instead, providers are 'encouraged' to voluntarily scan user content for CSAM before it's encrypted, and platforms that decline face escalating regulatory scrutiny, risk assessments, and the standing threat of a Commission-issued detection order. The word 'voluntary' is doing an enormous amount of work in a text that also gives regulators the power to compel any provider they decide isn't doing enough.
The technical mechanism has not changed. Detection happens on the user's device, before the message enters the encrypted channel — so-called client-side scanning. Hashes and AI classifiers run locally, flag suspected material, and forward it to an EU Centre. Providers of end-to-end encrypted services (Signal, WhatsApp, iMessage, Matrix, Threema, Session, and every self-hosted chat stack the readers of this site have shipped) fall inside scope.
If you've been in this industry long enough to remember the Clipper Chip, this is the same fight with a better PR budget. The technical community has been unusually loud and unusually unified: over 500 cryptographers and security researchers signed an open letter last year saying client-side scanning cannot be made safe. The European Data Protection Supervisor called it a red line. The Council's own legal service warned the earlier version was probably illegal under the Charter of Fundamental Rights. None of that has slowed the file down.
The reason it keeps coming back is political, not technical. Chat Control is one of those rare files where the interior ministries of member states, the child-safety NGO ecosystem, and a handful of well-funded scanning vendors are all pushing the same direction, and the opposition is diffuse — cryptographers, civil liberties orgs, and a shrinking bloc of privacy-minded governments. The revised text is designed to give those governments a fig leaf ('it's voluntary now') to abstain rather than block.
Here is the part practitioners should internalize: voluntary client-side scanning is a contradiction in terms at the platform level. Once the regulation exists, insurers, app-store gatekeepers, and enterprise buyers will treat 'we chose not to scan' as a liability posture. The Commission gets to issue detection orders. National authorities get to demand risk assessments. Any provider that ships an E2EE product in the EU without a scanner will be answering questions for years. That is the point of the drafting.
Signal has been categorical. Meredith Whittaker has said repeatedly that Signal will leave the EU market before it will ship a build with client-side scanning, because the moment you concede the on-device scanner exists, you have destroyed the security property that makes Signal Signal. Matrix's core team has said the same thing in more measured language: a client that scans is not an end-to-end encrypted client, regardless of what the marketing says. WhatsApp has been conspicuously vague. Apple, which infamously proposed and then withdrew its own client-side CSAM scanner in 2022, has said nothing.
The scanning tech itself has a bad track record that keeps getting worse. When Meta reported its own numbers to the EU consultation, its automated CSAM detection produced false positive rates high enough that human reviewers had to look at millions of private images that turned out to be sunsets, medical photos, and consensual adult content. Apple's abandoned NeuralHash was collision-attacked within hours of release. The 'AI classifier' language in the new draft is even more aspirational — no one has demonstrated a production-grade grooming-detection model that works across 24 languages without a false positive tsunami.
If you ship a product with private messaging in the EU — and 'private messaging' here includes DMs in a marketplace app, therapist-patient chat, a Discord-style community feature, or a support inbox — you are in scope. Start with three concrete moves.
First, read your service's risk assessment obligations now, not after the regulation clears. The earlier drafts required providers to produce documented risk assessments and mitigation plans; the new text keeps that structure. If you have no compliance function, this is the first thing that will surprise you. Second, decide your posture on client-side scanning before your legal team decides it for you. The engineering answer and the legal-risk answer point in opposite directions, and the gap between them is where product managers get bulldozed. Third, map your dependency chain. If you use Matrix, XMPP, MLS, or the Signal Protocol via a library, your options are constrained by what those upstream projects decide to do. Signal will leave. Matrix will fight. The MLS ecosystem is going to have a very awkward conversation.
For self-hosters and OSS maintainers, the regulation as drafted still contains carve-outs for non-commercial software, but 'commercial' is defined loosely enough that a Patreon-funded Matrix homeserver could get pulled in. This is the part civil society groups are trying hardest to fix in the final trilogue, and it is the part most likely to be quietly walked back.
The Council vote could happen within weeks. If it passes, trilogue negotiations with the Parliament — which has taken a much more encryption-friendly line — begin immediately, and the fight moves to whether Parliament holds the line or trades it away for concessions elsewhere. The realistic scenario a year from now is a final text that removes the word 'mandatory', keeps every mechanism that makes scanning inevitable in practice, and hands the enforcement calendar to a Commission that has already made its preferences clear. Ship your architecture decisions accordingly, and if you build encrypted messaging, start writing the blog post explaining why your EU users are going to lose a feature.
The Chat Control 1.0 rule is simply that organisations like Meta are allowed to scan messages if they want to. In other words your Facebook messages are not private from Facebook. Surely we already knew and expected that.Chat Control 2.0 is the worrying one because it mandates scanning and bans E2EE
Tough week for euros. Cars that record your face while driving and now apps snooping on communications.
Of course they are. They will boil the frogs slowly until they get the frog soup they so desire. Each time the water gets a little bit too hot (public outrage) they will turn it back down for a bit.Every major global region has this problem. I would tell you the slope is slippery, but I already fell
For my fellow EU citizens, you can contact your representatives here: https://fightchatcontrol.eu/
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The Internet Watch Foundation, an organisation funded by almost all of big tech, is already at work pushing for client side scanning next [1], for the children, of course.[1] https://www.iwf.org.uk/policy-work/preventing-the-upload-of-...