Chat Control: EU to decide on requirement for tech firms to scan encrypted messages

Denmark’s compromise

The European Commission first put forward proposals to mandate tech companies to scan emails and messages for potential child abuse content in 2022, but the plans were put on hold after they were blocked by a minority of member states amid concerns the proposals would damage the security and privacy of EU citizens.

The Danish presidency proposed a compromise in July 2025, which sought to strike a balance between maintaining the security of encrypted communications services and identifying potentially illegal content.

The Danish draft asserts that nothing in the proposed regulation should be “interpreted as prohibiting, weakening or circumventing” encryption, and expressly permits technology companies to continue to offer end-to-end encrypted services.

But it also requires technology companies to introduce “vetted technologies” on phones and computers to scan messages for images, videos or URLs that could be associated with known child abuse content before they are encrypted and transmitted.

Tech companies will also be required to deploy artificial intelligence (AI) and machine learning algorithms to detect previously unknown abuse images.

As of 10 September, some 15 member states supported the Danish proposals, with six member states undecided and six in opposition.

Dissenters include Belgium, Poland, Finland and the Czech Republic, which have raised concerns about the mass surveillance of citizens’ communications.

Supporters include France, Italy, Spain and Sweden. Germany is as yet undecided. Each member state receives votes based on the number of representatives it has, with large countries having more sway over the final decision.

Suspicionless mass surveillance

Opponents claim that Chat Control effectively introduces “suspicionless” mass surveillance for hundreds of millions of Europeans.

In their open letter this week, cryptographers and security researchers warned that on-device detection, also known as client-side scanning, “inherently undermines the protections” of end-to-end encryption without any guarantee that it would improve protection for children.

The detection mechanism would become a high-value target for hackers and hostile nation states, which could reconfigure it to target other types of data, such as people’s financial or political interests, they said.

It would also undermine the security of encrypted messaging apps, such as WhatsApp and Signal, which are used by politicians, journalists, human rights workers, EU civil servants and law enforcement officers, as well as ordinary citizens, the letter stated.

The new proposals “unequivocally violate” the principles of end-to-end encryption and will weaken its protection, “threatening the public’s right to privacy,” the scientists warned, arguing there could be potentially serious consequences for democracy and national security.

Once introduced, scanning technology could be repurposed by less democratic regimes to monitor dissidents and opponents, or to censor communications, the security researchers claimed.

“The new proposals, similar to its predecessors, will create unprecedented capabilities for surveillance, control and censorship, and have an inherent risk for function creep by less democratic regimes,” they added.

Risk of people being wrongly targeted

The Danish proposals could put large numbers of innocent people at risk of investigation for sending images wrongly identified as suspicious, the security researchers, representing 30 countries, warned.

“Existing research confirms that state-of-the-art detectors would yield unacceptably high false positive and false negative rates, making them unsuitable for large-scale detection campaigns at the scale of hundreds of millions of users,” the letter stated.

Proposals for Chat Control to use AI and machine learning to identify unknown abuse images are also flawed, the scientists claimed, as “there is no known machine-learning algorithm that can identify illegal images without making large numbers of mistakes”.

Encrypted messaging services react

German encrypted email provider Tuta Mail said that if the EU’s Chat Control proposals are adopted, it would take legal action against the EU rather than betray its users by introducing backdoors into its encrypted messaging service.

CEO Matthias Pfau said the proposals would undermine trust in European technology. “By forcing providers to break encryption and enable mass surveillance, the EU would kill trust in European products and drive users to foreign tech giants,” he added.

Alexander Linton, president of the Session Technology Foundation, another encrypted messaging service, said it was not possible to introduce scanning without creating new security risks.

The Danish proposal states that scanning technologies that introduce security risks that cannot be mitigated should not be used, but Linton said this was not technically possible.

“None of the technologies available achieve this standard – all client-side scanning technologies introduce new unmitigable risks,” he added.

Backdoors could be used by bad actors

Matthew Hodgson, CEO of Element, a secure communications platform used by European governments, said the proposed Chat Control regulation was fundamentally flawed and would put the privacy and data of 450 million citizens at risk.

“Undermining encryption by introducing a backdoor for lawful intercept is nothing other than deliberately introducing a vulnerability, and they always get exploited in the end,” he added.

A years-long Chinese hacking operation, dubbed Salt Typhoon, used law enforcement backdoors in the US public telephone network to access call records and unencrypted communications of US citizens.

“The US is still urging its citizens into end-to-end encrypted systems as a result,” Hodgson told Computer Weekly.

Signal warned last year that it would pull its messaging service out of the European Union rather than undermine its privacy guarantees.

Callum Voge, director for government affairs and advocacy at the Internet Society, a non-profit organisation, said client-side scanning created opportunities for bad actors to reverse engineer and corrupt scanning databases on devices.

“If breaking encryption is like having the envelope ripped open while a letter goes through the Post Office, client-side scanning would be like someone reading over your shoulder as you write the letter,” he told Computer Weekly.

He said that even if AI scanning were 99.5% effective at identifying abuse, it would lead to billions of wrong identifications every day.

“That is a huge number that could overwhelm the system, but also lead to innocent people incorrectly being labelled as sharing illegal child abuse material,” he added.

No ‘technical fix’

The scientists argue that, rather than relying on a “technical fix”, governments should invest in education, reporting hotlines and other proven techniques for tackling abuse.

Voge told Computer Weekly that policymakers should prioritise approaches that protect children but also foster the open and trusted internet.

“That means more resources spent on targeted approaches – things like court-authorised investigations, metadata analysis, cross-border cooperation, support for victims, prevention and media literacy training,” he added.

Apple dropped its own plans to introduce client-side scanning to detect child abuse on the iPhone after the world’s top scientists published a paper that found the supplier’s attempts would not be effective against crime or protect against surveillance.