One of the EU’s biggest issues in 2025, its controversial measure to monitor private messages, took a big step forward toward the end of the year: the EU Council agreed on a watered-down version of Chat Control, making the message scanning rules voluntary.
First unveiled in 2022, the proposal caused an uproar. The EU published a technical analysis in June 2025 suggesting it would require messaging services to scan private communications for child sexual abuse material.
Chat Control is part of a clampdown on the sharing of child sexual abuse material (CSAM) but the broad measure prompted concerns it could lead to further erosions of privacy and cybersecurity.
Encryption and privacy-focused platforms have been the loudest critics, with Signal President Meredith Whittaker threatening to pull the app out of the EU market if mandatory message scanning were to be introduced.
By the year’s end, the EU Council had finalised the new law, making scanning voluntary. Still, many in the tech industry remain concerned. So what’s in the proposal, why are people concerned, and what’s next?
The new proposal
The newest version of Chat Control, proposed by the Danish Presidency and approved by the EU Council, entrenches the original – voluntary – “Chat Control 1.0” rules introduced as a temporary measure in 2021.
The bill now awaits approval of its new form by the European Parliament before it becomes law. If approved, it will require online service providers to complete a risk assessment measuring the likelihood their services could be used for the dissemination or production of CSAM.
They will be sorted into low, medium and high-risk categories, with those deemed high risk required to develop technologies to mitigate the risk of CSAM spreading, potentially including age verification. Implementation is to be monitored by a new EU agency.
What’s the issue?
To many, a law that permits the scanning of "encrypted" messages, even on a voluntary basis, sets a precedent for companies to encroach on digital privacy, David Frautschy, senior director for European government and regulatory affairs at the non-profit Internet Society, tells The Stack.
It "totally breaks the purpose of encryption", Frautschy says. "Encryption is like sending a closed envelope to someone and the envelope arrives closed and you make sure that only the recipient opens the envelope and reads the content.
"Client-side scanning is like having somebody looking from behind your shoulder while you are reading the letter."
A "green light" for surveillance
The decision to keep client-side scanning an optional measure in the new version of the bill was touted as a victory by campaigners pleased it would not be enforced on all companies. However, Patrick Breyer, a former MEP and vocal anti-Chat Control campaigner, says the bill still gives a "green light" for surveillance.
He wrote on his blog the law "allows providers like Meta or Google to scan all private chats, indiscriminately and without a court order... The mandate allows for the scanning of private text messages, unknown images and metadata using unreliable algorithms and AI."
Secure messaging services like Signal, Proton, and Wire are used by militaries and governments across the globe to protect communications, while whistleblowers like Edward Snowden have also endorsed such apps.
Wider security concerns have also seen apps such as WhatsApp and Telegram offer end-to-end security for civilian users. The Chat Control law, if approved by the EU Parliament, invites companies to voluntarily scan messages before they’re encrypted, without having to alert users at a personal level.
An EU USP
Julian Mair, head of operations and project development at Phoenix R&D, a Berlin-based company developing a secure messaging platform based on the MLS protocol, worries the back and forth may have also damaged the EU’s reputation on the global stage.
He tells The Stack the region had been seen as a safer place to do business for some thanks to its strong data privacy regulations, such as GDPR, but says the Chat Control conversation is "eroding trust".
Mair says the Chat Control measures could scare off founders and customers alike.
"I think this hits hardest in the messaging space, because secure messaging is a space which is deeply personal."
"If this trust is disrupted in some way, because you're not sure if the system you're using is secure, then you will just alienate more and more users."
He says the current situation is "completely the opposite from where we started" with the EU as a haven for data protection, and worries "secure messengers might just say: 'Well we'll leave this hostile market because we cannot build, or offer, trusted technologies in the EU.'"
During the debate over Denmark’s initial Chat Control proposal, Signal’s Whittaker said the service would leave the EU if mandatory rules were introduced.
Nothing new
Pushback against Chat Control is reminiscent of many prior security conversations, Whittaker tells The Stack: “What we're talking about is a form of magical thinking that has been around in this iteration since the 90s; we can look at the Crypto Wars.”
“But anyone who's serious, anyone who understands the technology at even a basic level, understands this is perilous.”
The Crypto Wars is the name given to a series of cryptography-related controversies in the late 20th century, including the UK’s attempt to enforce key escrow on encryption providers and US President Bill Clinton’s introduction of the backdoored Clipper chip.
On Chat Control, Frautschy claims there is little evidence that the bill will do much to achieve its intended goal of reducing abuse, explaining perpetrators could easily convert images to non-suspect file types so they aren't scanned. "Perpetrators would be free to continue while everybody else's photos are monitored," he says.
He highlights alternative, less-invasive monitoring techniques such as metadata analysis to flag users exhibiting suspicious behaviour, which could include sending significant amounts of multimedia content in group chats while exchanging money.
It’s not just the EU
Governments across the world are trying to balance increasing online safety with privacy measures. The UK introduced age verification rules through its Online Safety Act and this year has reportedly twice tried to push Apple to introduce an encryption backdoor to its iCloud software to access the data of UK citizens.
Whittaker tells The Stack she’s not as concerned about the backdoor threats from governments though. She says such proposals are a “cheap way to score political points” and, while she doesn’t expect the issue to disappear, “I am optimistic that we can continue to win it.”
“A handful of companies have incredibly intimate and sensitive information about people and many governments have gotten used to pillaging those archives,” Whittaker adds.
“But then there are precious slivers of infrastructure, Signal being chief among them, that enable the norm that has existed for hundreds of thousands of years among human beings – that conversations between us are ephemeral – to persist.”
A crisis averted?
Following up with The Stack, Frautschy says the new proposal removes the “most concerning aspect” of Chat Control by making it voluntary.
But, he adds, even “a voluntary scan would break the nature of encrypted communications services because it would require introducing vulnerabilities on their system.
“I don’t see incentive for service providers to be doing this, undermining the privacy guarantees promised by encryption.”
Breyer is more pessimistic, writing: "What the Council endorsed today is a Trojan Horse. By cementing ‘voluntary’ mass scanning, they are legitimizing the warrantless, error-prone mass surveillance of millions of Europeans by US corporations, while simultaneously killing online anonymity through the backdoor of age verification."
Mair also says it does not settle his concern, predicting if the “small exception” becomes the norm then “in five years when [campaigners] say ‘well nothing has changed with the root problem’, they’ll say ‘we probably need to make it mandatory.’”
He is similarly concerned about the potential for age verification rules to eliminate anonymous communication: "You will be asked at every service to provide a government ID, and that might lead to a world where we are not able to express ourselves anonymously."
