Chat control - zombie law edition

WTF is chat control?

  • Two EU laws that introduce mass scanning of private messages and private data on the internet
  • Both laws have been complete train wrecks
  • But some politicians keep pushing for them anyway

Surveillance as the solution

Well established principle: Secrecy of correspondence

Personal correspondence should remain confidential, unless there is a targeted warrant

The two chat control laws

  • Regulation 2021/1232 chat control 1.0: Scanning of private messages is possible
  • 2022/0155(COD) chat control 2.0: Scanning of private data is required

Current status:

  • chat control 1.0 is dead and might soon be revived 🧟
  • chat control 2.0 is still stuck in the negotiations 🗯️

A threat to encryption and IT security

  • Chat control also originally required detection of CSAM in encrypted messages, effectively making IT systems insecure.
  • That threat seems to have been averted for now (after a lot of public outcry)

🇩🇰 The Danish Council Presidency

July - December 2025

🇩🇰 Vi er nødt til at bryde med den totalt fejlagtige opfattelse af, at det er enhver mands frihedsrettighed at kommunikere på krypterede beskedtjenester

Peter Hummelgaard on TV 2 on 21st August 2024

🇬🇧 We need to stop the completely wrong idea that everyone has a right to the use of encrypted communication services

🇩🇰 Danish presidency compromise text 🇪🇺

  • Mandatory detection orders and online service risk classification
  • Consent banners for violating confidentiality of communication
  • Detection of visual content and URLs
  • Detection of new CSAM is in scope (false positives, here we come!)
  • Detection in E2E should be done via client-side-scanning
  • Still mass surveillance 🤦

🇩🇰 Danish presidency compromise text (updated!)

  • Mandatory detection orders and online service risk classification
  • Consent banners for violating confidentiality of communication
  • Detection of [fighting against] visual content and URLs
  • Detection of new CSAM is in scope (false positives, here we come!)
  • Detection in E2E should be done via client-side-scanning
  • still mass surveillance 🤦 ["targeted" based on risk criteria and not suspicion]

The Internet Awakens

August 2025: The website fightchatcontrol.eu goes online

Sending e-mails to politicians was never easier

Politicians confirm that the many e-mails had a positive effect

Danish Newspaper Debates

Peter Hummelgaard, 10. September 2025:

🇩🇰 Derfor har vi også som formandskab præsenteret et kompromisforslag, som vi mener rammer en fornuftig balance mellem hensynet til forebyggelse og bekæmpelse af online misbrug af børn på den ene side og hensynet til retten til privatliv på den anden side.

Jesper Lund, 15. September 2025

🇩🇰 Det er grunden til, at kritikerne kalder forslaget for masseovervågning: alle brugere på en beskedtjeneste, som modtager et påbud, vil blive overvåget efter instruks fra staten.

Meanwhile in Germany ...

  • Civil society mobilizes in large numbers
  • Internal conflict between Ministry of Justice and Ministry of Home Affairs
  • Germany's largest tabloid has chat control as the cover story

Jens Spahn 7th August 2025:

🇩🇪 Wir als CDU/CSU-Bundestagsfraktion sind gegen die anlasslose Kontrolle von Chats. Das wäre so, als würde man vorsorglich mal alle Briefe öffnen und schauen, ob da etwas Verbotenes drin ist. Das geht nicht, das wird es mit uns nicht geben.

Back to the Newspaper Debates in Denmark

The chief editor of politiken.dk wrote this in a leader-article:

🇩🇰 Pjat, sagde Peter Hummelgaard og slog fast i et debatindlæg her i avisen: Kritikken er ganske enkelt »ikke korrekt«.

Det er meget muligt, hr. minister, men vi ser frem til at høre ham forklare, hvordan Tyskland åbenbart også har fået alle dine forslag galt i halsen. For den tyske regering har nu valgt at forkaste Hummelgaards plan med en argumentation, der vil være denne avis’ læsere ganske bekendt:

[Statement from Jens Spahn from the previous slide]

Vi ser frem til at se, hvordan Peter Hummelgaard nu vil tage sine tyske kolleger i skole om borgernes basale frihedsrettigheder. [...]

Victory!

30th October 2025: Peter Hummelgaard drops detection orders from the Council's compromise text. That means no required scanning!

Enough EU countries agree and the law moves to the Trilogue

DK Final Danish presidency compromise text (additional requirements)

  • Make chat control 1.0 permanent
  • Delisting order for search engines to hide CSAM instead of deleting it
  • Explicit requirement to not weaken IT-security, including not weakening (end-to-end) encryption
  • Requirement for risk assessment and implementation of mitigations (EP position: Security by design)
  • High-risk services must develop relevant technologies to mitigate risk of CSAM on their service

Interlude: The European People's Party (EPP)

  • National Parties form larger groups in the european parliament
  • The EPP is the largest group
  • Consisting mostly of christian democrats and (liberal-)conservatives
  • Danish members: Konservative Folkeparti, Liberal Alliance

The politics of the EPP

From their official priorities for 2026:

We will focus on the Action plan against cyberbullying and on further measures to protect minors on digital platforms and to end digital anonymity.

  • How about just tackling "bullying" in general?
  • Personal observation: The EPP members have been the most clueless about the internet
  • Yet they want to impose their priviledged mainstream views on it!

It's no secret. We know what they want!

Analog Analogy: Alcoholics Anonymous

  • People need to be able to seek help and community without revealing their identity
  • Stigma can cause people to not seek help
  • It is a well-established principle and the internet is perfect for it
  • Anonymity is a very effective protection for minors!

🇨🇾 The Cypriot Council Presidency

January - June 2026

Chat control 1.0 is about to run out

  • Chat control 1.0 was designed to be a temporary emergency law.
  • In effect for almost 5 years, because chat control 2.0 was stuck
  • Has already been extended once and will expire on 3rd of April 2026

Negotiating an updated chat control 1.0 law

  • More changes than just a new expiry date
  • LIBE committee: Created an updated version, which did not receive enough votes, because some people rejected chat control entirely and EPP members wanted to prevent changes except for the expiry date
  • Accepted amendments against:
    • mass surveillance
    • detection of new CSAM (high error rate)
  • The compromise text moved forward to Trilogue
  • The Council deliberately let the negotiations fail
  • Date for making more amendments and for accepting trilogue results already scheduled
  • Removing the vote from the agenda failed (why vote again?)

Second vote result

  • Plot twist: EPP wasn't happy with the new vote and voted against the updated compromise text
  • Chat control 1.0 expired on the 3rd of April 💀

Big Tech: We gonna scan anyway

4th of April: Open Letter from Google, Meta, Microsoft, Snap: "Reaffirming our commitment to child safety in the face of European Union inaction"

  • Unprecedented move: The President of the European Parliament (member of EPP group) teams up with the Council, to arrange for a second reading in Parliament by using the urgent procedure just before the summer holidays
  • This further undermines the authority of the European Parliament

🇮🇪 The Irish Council Presidency

July - December 2026

European Parliament votes on chat control 1.0 again

  • Rejection or updates require at least 50% of all MEPs, even if not all are present to vote (early summer holidays)
  • Automatic approval of proposal if threshold for rejection is not reached

Third chat control 1.0 vote results

voting on majority? absolute majority?
full rejection ✅ ❌
targeted scanning ✅ ❌
only known CSAM ✅ ❌
no scanning in E2EE ✅ ✅
  • Amendments to protect end-to-end encryption were successful 🥳
  • Council needs to approve amended text
  • Side note: Chat control 2.0 negotiations likely to continue in September

Other things that happened in the past year

Broken tech: Microsoft PhotoDNA

11th March 2026: First analysis of Microsoft's PhotoDNA detection software

the hash value only depends on the sum of the RGB values of each pixel, and it is trivial to find images with hash value equal to all zeroes.

The same techniques can be used to recover the rough shapes of an image from its hash value, disproving the claim from the designer that PhotoDNA is irreversible.

it is also shown that it is easy to produce high-quality perceptually identical images with a hash value that is far from the original image allowing to avoid detection

This is what Microsoft wants to keep using to scan for CSAM! This is the best Microsoft can do!

Broken tech: Microsoft Bitlocker

  • The YellowKey backdoor was discovered in Microsoft's Bitlocker hard disk encryption software that allows local attackers to decrypt a hard disk without knowing the key.
  • Thieves can now extract data from stolen Computers
  • Backdoors just for the good guys?

Better ways to fight CSAM

  • Educate children to recognise abuse
  • Delete CSAM instead of just blocking or delisting it.
  • Give police more resources to find and infiltrate CSAM sharing groups
  • Help pedophiles to stop (next slide)

There are alternatives!

Project Intercept (United Kingdom)

  • Intercept requests for CSAM files and help pedophiles reach out to get help
  • Mega (File hosting): After deleting reported CSAM, any further access to the URL leads to a help page
  • Google & Bing: Searches for CSAM show warning that CSAM is illegal and point towards help hotline

No problems with encryption or privacy. Constructive preventive method to prevent sexual abuse of children.

Questions?

Subscribe to the mailing list on chatcontrol.dk to stay updated

Chat control is surveillance of *your* private communication and *your* private data. And it is about *you*, because chat control is *mass surveillance*

"A letter of explanation" by ~Aphrodite is licensed under CC BY-NC-ND 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/2.0/