Frames the return of Chat Control as a 'showdown' in Strasbourg, emphasizing that proponents deliberately chose the second-reading procedure right before summer recess. This tactic requires an absolute majority of 361 MEPs to block — meaning any no-show counts as a de facto yes vote, making legislative brute force the whole point of the maneuver.
Argues the procedural choice IS the story: proponents keep tabling variants of the same substance since 2022, hoping one clears a low-attendance vote. Characterizes it as legislative brute force rather than genuine democratic deliberation.
Did the concrete arithmetic showing it is 'unlikely that 60 additional no votes can be found by Thursday to stop this.' The absolute-majority threshold combined with the compressed pre-recess timeline means opponents face a nearly insurmountable mobilization problem.
Argues the engineering claim is straightforwardly wrong to most cryptographers: bolting a mandatory scanner onto the sending end of an E2E channel adds a second, non-user endpoint by definition, so the channel is no longer end-to-end encrypted. Cites Apple's 2021 NeuralHash retreat as proof that even the company with the most resources couldn't defend this design in public.
Surfaces that this is at least the third serious push for essentially the same regulatory substance under slightly different branding since 2022. Frames the pattern as proponents refusing to accept prior rejections and simply relabeling until a variant slips through.
Proponents of the EU's Child Sexual Abuse Regulation — better known to anyone who's followed it as Chat Control — pulled the file back onto the Strasbourg agenda days before the summer recess, and they did it under second-reading procedure. That procedural choice is the whole story. Under second-reading rules, blocking or amending the text requires an absolute majority of all MEPs — 361 votes — not a simple majority of those present. A no-show is functionally a yes.
The heise.de report frames it bluntly as a "showdown," and the HN thread reads the same way. One commenter did the arithmetic that matters: it's "unlikely that 60 additional 'no' votes can be found by Thursday to stop this." Another surfaced the recurring critique — this is at least the third serious push for the same substance under slightly different labels since 2022. The tactic is legislative brute force: keep tabling variants until one of them clears a low-attendance vote.
The substance hasn't materially changed from earlier drafts. Providers of "number-independent interpersonal communication services" — which is EU-speak for basically every chat and email app you use — would be compelled to detect known and, in stronger variants, unknown CSAM material in user content, including in end-to-end encrypted channels. The mechanism everyone actually implements for that is client-side scanning: hash or classify content on the device before it's encrypted, then report matches.
Strip the politics away and the engineering claim being made is straightforward and, to most cryptographers, wrong. You cannot bolt a mandatory scanner onto the sending end of an E2E channel and still call the channel end-to-end encrypted; you have added a second, non-user endpoint by definition. Apple learned this in public in 2021, shelved its NeuralHash rollout, and hasn't seriously revived it. The EU is now asking every messenger vendor to ship the thing Apple couldn't defend.
The threat model gets worse the moment you look at it. Client-side classifiers have false positives; at Signal or WhatsApp scale, even a 0.01% FP rate is millions of innocent messages routed to a reviewer queue. The perceptual-hash approaches that dominated the 2021 debate were shown to be adversarially collision-prone within weeks of publication. And once the scanning API exists on the device, the list of things it scans for is a config file — which is exactly the point critics have been making since the first draft: the infrastructure is the policy, and the policy is trivially expandable.
The procedural mechanics are worth naming honestly, because they'll be used again. A second-reading absolute-majority threshold, tabled the week before a recess, is how you pass a law that a straight up-or-down vote on a normal Tuesday would lose. One HN commenter quoted Jean-Claude Juncker's famous line about EU legislative attrition: "We decide on something, leave it lying around, and wait and see what happens. If no one kicks up a fuss... we continue step by step until there is no turning back." That's not cynicism, that's a description of the calendar.
The international spillover is the part developers outside the EU keep missing. Once Signal, Meta, or Apple ship a client-side scanning code path to satisfy Brussels, every other regulator on Earth gets to point at it and say "you built it, turn it on for us." The UK's Online Safety Act already contains a dormant "accredited technology" notice power that assumes exactly this capability exists. India's IT Rules 2021 traceability requirement was fought off partly on the grounds that it was technically impossible; it stops being impossible the day the scanning binary ships.
If you ship anything with a messaging surface — a support chat, an in-app DM, a collaboration tool with comments, a status page with a subscribe-and-notify — this is your regulation too. The regulation's scope is written broadly enough that "number-independent interpersonal communication" catches a lot of B2B SaaS that doesn't think of itself as WhatsApp. Read the current text before you assume you're exempt.
For teams building on federated or self-hostable protocols — Matrix, XMPP, ActivityPub, Nostr, self-hosted Mattermost — the calculus is different but not friendlier. Federation doesn't route around a client-side scanning mandate, because the mandate targets the client, not the server. The historically comfortable answer of "just run your own homeserver" only helps if the client software on the phone isn't compelled to scan. It also puts small self-hosters in an awkward compliance posture they're not resourced for.
The more interesting technical question is what the actually-uncensorable stack looks like. Tor hidden services, IPFS-based messaging like Berty, Briar's mesh mode, and Session's onion routing all operate outside the assumed architecture of "identifiable provider serving identifiable user." Regulations like Chat Control accelerate the split between compliant mainstream messengers and a smaller, weirder, more resilient tier of protocols that the regulation can't reach because there's no vendor to serve papers on. That split is bad for normal users and good for the specific set of people who most need to evade lawful surveillance — the exact inversion of the stated policy goal.
Practically: if you have EU users and a messaging feature, get your DPO involved this quarter, not next. If you contribute to an open-source messenger, the client-side scanning API is the design decision to fight about — server-side compliance is negotiable, on-device scanning is the trapdoor.
The Thursday vote is the near-term milestone, but the pattern is the story. Whether Chat Control 1.0 passes this week or gets kicked to the September session, the vote-arithmetic playbook — second reading, pre-recess timing, absolute-majority-to-reject — will be reused on the next digital file, and the next. For developers, the honest planning horizon is not "will this specific text pass?" but "how much of my architecture assumes end-to-end encryption remains a legally protected default in the EU?" That assumption is now something you should be pricing at less than 100%.
From a post on Mastodon:> democracy is when you repeatedly push for unpopular laws until they pass, and the more times you do it the more democratic it isIt is unlikely that 60 additional “no” votes can be found by Thursday to stop this.
So many comments about the EU constantly re-trying the same law with minor tweaks, and about how legislatures do this in general. I wanted to provide an explanation for this behaviour.The way legislation is expected to proceed in countries with parliamentary systems, especially with strong civil ser
“We decide on something, leave it lying around, and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back.”And“If it's a Yes, we will say 'on we go', and if it'
Even if you are not in the EU, this will affect you. Some countries really like to copy such regulations from others. Once services starts complying, other governments will go like "if you did for them, you can do it for us, right? so it's not technically impossible", and things only
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
"The procedure now chosen gives the proponents of Chat Control a significant tactical advantage. Since the law is in its second reading, an absolute majority of 361 votes of all parliament members is required for amendments or a renewed rejection on Thursday. In contrast, a simple majority of t