Chat Control: you can't scan only the bad guys

Chat Control: you can't scan only the bad guys
ContenidoContents

This week the European Union came back at it with scanning private messages —and this time it went through—. It goes by many names —CSAR, “CSAM detection”, the regulation extension— but on the street it’s known as Chat Control. And since I’ve spent this blog arguing that the data stays at home and that you can measure without spying on anyone, I can’t look the other way.

But before I get angry, I want to do something almost nobody does with this topic: state precisely what is actually being voted on. Because good criticism doesn’t need to exaggerate, and if you exaggerate, they’ll rebut you in two tweets.

To set the scene, first of all: what was approved this week is renewing the voluntary scanning (Chat Control 1.0). It is not the mandatory scanning that would break end-to-end encryption (Chat Control 2.0), which remains blocked. If you see headlines screaming “the EU approves Chat Control”, this is it: the soft version. Mixing the two is the most common mistake with this topic, and the one that loses you the argument. Everything that follows starts from there.

There are two Chat Controls, and they are not the same

This is the first thing to get straight, because the headlines mix them up constantly.

A heads-up before we go on: the nicknames “Chat Control 1.0” and “2.0” appear in no legal text —they’re the slang we know it by. The real instruments have a name and a number, and it’s worth citing them, because that’s what separates analysis from a headline.

Chat Control 1.0 is, in fact, Regulation (EU) 2021/1232 —the “Interim Regulation”—, a temporary, voluntary regime. Technically it’s a derogation from Articles 5(1) and 6 of the ePrivacy Directive: it allows —doesn’t require— messaging providers like WhatsApp or Messenger to scan for child sexual abuse material. It was born as a temporary patch pending the definitive framework. It expired on April 3, 2026, and this week —on July 9— the European Parliament approved extending it until April 3, 2028. And here’s the murky part: Parliament had already rejected the extension in March, so it was revived through an urgent procedure (Rule 170), backed by 331 votes to 304. That procedure has a key twist: the text is adopted unless an absolute majority —361 MEPs— actively blocks it. That number wasn’t reached. Translated: it’s not that a majority said “yes”; it’s that the opposition didn’t have the numbers to say “no”. And the fast track was chosen precisely to avoid the amendments that would have limited its scope. The extension covers scanning of already-identified material —images and videos with a known fingerprint— and remains voluntary.

Chat Control 2.0 is the proposed CSAR Regulation (official reference COM(2022) 209, May 2022): the permanent framework meant to replace the interim one. That’s the genuinely scary one, because it would make scanning mandatory through detection orders, and it opens the door to the client-side scanning that would break end-to-end encryption. It’s still stuck: negotiation rounds with no deal, and the supposedly final one, in late June 2026, derailed yet again over suspicionless scanning. Encryption remains the red line nobody has managed to cross. Yet.

So let’s be fair, even now that it’s gone through: what was approved is NOT the mandatory scanning that breaks encryption. It’s the extension of the voluntary version. If someone tells you “they’ve approved reading all your encrypted messages”, they’re running ahead of the facts: the mandatory one (2.0) is still stuck. But normalizing the soft version —and doing it through a route that dodges debate— is exactly what paves the way for the hard one.

That said, “voluntary” and “yet” are two words that don’t reassure me at all. Let me explain why.

“Voluntary” is a euphemism

Voluntary scanning sounds harmless: if the platform wants to, it scans; if not, it doesn’t. The problem is that reviewing everyone’s messages to find a few is still mass surveillance, regardless of whether it’s the company doing it instead of the state.

I’m not the one saying it. The EU Council’s own Legal Service said it: generalized scanning, even voluntary, constitutes communications surveillance incompatible with the Charter of Fundamental Rights without reasonable suspicion and prior judicial authorization. In other words, the mechanism they want to normalize is born flagged by the house’s own lawyers.

And “voluntary” has a catch: when you build “risk mitigation” obligations, age verification and regulatory pressure around it, voluntary stops being voluntary in practice. Nobody puts a gun to your head; they just make not scanning very expensive.

The part that isn’t a matter of opinion: no backdoor for the good guys only

Here’s where I drop the politics and put on my developer hat, because this part is not about sensibilities. It’s technical, and it’s stubborn.

End-to-end encryption means one very specific thing: the message travels encrypted and only the two endpoints —you and whoever you’re talking to— can read it in the clear. Not the platform, not the operator, not whoever taps the cable. That’s the whole value. It’s what makes a conversation actually private and not private “until someone finds it interesting”.

How do you scan content that, by design, nobody in the middle can read? There’s only one answer: looking at it on your device, before encrypting it. That’s client-side scanning. And the moment you put a component on everyone’s phone that inspects what you write before it’s encrypted, you’ve hollowed out the encryption of content. It doesn’t matter how nice it looks on paper: you’ve put an eye inside the locked room.

And that eye is a problem for three reasons, all textbook:

  1. A backdoor doesn’t tell whose hand opens it. The scanner, its database of “what to detect”, and its update mechanism are, together, a backdoor. And a backdoor doesn’t know whether whoever walks through it is the police with a warrant, a less friendly government five years from now, or whoever breaks the update system. The capability, once it exists, exists for everyone.

  2. False positives are not a detail. Detecting already-known material by its fingerprint is one thing; detecting new material with AI classifiers is a very different one, and those models get it wrong. At the scale of billions of messages, a tiny error rate means flooding the system with innocent people —a system that, remember, decides on the most sensitive matter there is. The photo of your kids at the beach, sent to grandma, enters that lottery.

  3. The infrastructure stays. Building the scanning apparatus is the expensive part. Once it’s installed on every phone, expanding what you search for is trivial: today CSAM, tomorrow “terrorist content”, next “disinformation”, and eventually whatever the government of the day decides to add to the list. You don’t need to be paranoid to see it: it’s the history of every surveillance capability ever built.

Why it’s my problem (and why it’s yours)

I self-host. I have my email, my tools, my cookieless analytics, my video calls on a Mac mini at home. I don’t do it as a pose: I do it because I believe the data is mine and the conversation is private, and that this shouldn’t depend on anyone’s goodwill.

Chat Control is exactly the opposing force. It’s the idea that privacy is a negotiable luxury, something you switch on and off as convenient. And the argument it’s sold with —“if you have nothing to hide”— is the same as always, and just as false: privacy isn’t about hiding, it’s about you deciding who sees what.

Let me be clear, because it’s easy to be misread on this: protecting children from abuse is a goal I share without reservation. That’s not what this is about. It’s about the fact that the proposed method is technically unfeasible without breaking everyone’s security, is disproportionate according to the EU’s own lawyers, and opens a door that doesn’t close afterward. You can —you must— pursue crime without turning every citizen’s phone into a listening post.

The takeaway

What was approved this week is “only” the extension of the voluntary version. It’s the soft version. But the soft one is what normalizes the mechanism, and the hard one —mandatory scanning that breaks encryption— has been waiting underneath for years, coming back every time attention drifts. That the soft one passed, and through a route that dodged debate, isn’t the end of the story: it’s the dress rehearsal.

That’s why it’s worth understanding it well and saying it clearly, without exaggerating and without staying quiet: you can’t scan only the bad guys. The day you put the eye inside the room, the room stops being private for everyone. And that, technically, is not an opinion.

CompartirShare