Government reading your text messages? EU debates child safety measures, facing widespread opposition to Chat Control 2.0
- Technical Feasibility and Security Risks: The proposed detection systems are 'technically infeasible' and would introduce significant security vulnerabilities, making users susceptible to exploitation by malicious actors and hostile governments. The high false positive and false negative rates make them unsuitable for large-scale detection campaigns.
- The requirement for on-device scanning inherently undermines the protections that end-to-end encryption is designed to guarantee. This approach introduces a single point of failure and gives external parties access to data meant to remain private.
- The broad and ambiguous language of the regulation creates a significant risk of misapplication, potentially leading to costly litigation and over-censorship. The technology could be used to monitor other types of content, leading to a significant erosion of online privacy and freedom of expression.
- Several member states, including Austria, the Netherlands and Poland, have voiced strong opposition to the proposal. Germany could play a decisive role in blocking the proposal. The European Parliament is expected to continue pushing for a more balanced and privacy-friendly approach.
- The debate over the Chat Control 2.0 regulation highlights the need for a nuanced and evidence-based approach that balances the protection of vulnerable children with the preservation of individual freedoms and digital security.
On the eve of a critical European Council meeting on September 12, a coalition of over 500 cybersecurity experts, cryptographers and computer scientists from 34 countries has issued a stark warning against the European Union’s proposed Chat Control 2.0 regulation. The regulation, aimed at combating child sexual abuse material (CSAM), has sparked intense debate and criticism from privacy advocates, tech experts and several EU member states.
The proposed law would mandate that messaging apps, email platforms, cloud services and even providers of end-to-end encrypted communication scan all user content, including texts, images and videos, for suspicious material. Critics argue that this sweeping surveillance undermines privacy, security and civil liberties, while doing little to effectively combat the issue it aims to address.
Technical feasibility and security risks
The open letter, signed by leading experts from institutions such as KU Leuven, ETH Zurich, Johns Hopkins University and the Max Planck Institute for Security and Privacy, emphasizes that the proposed detection systems are "technically infeasible." The scientists argue that large-scale scanning would introduce significant security vulnerabilities, making users susceptible to exploitation by malicious actors and hostile governments.
"Existing research confirms that state-of-the-art detectors would yield unacceptably high false positive and false negative rates, making them unsuitable for large scale detection campaigns at the scale of hundreds of millions of users," the letter states. This means that ordinary users could be falsely flagged and subjected to unwarranted investigations, while those intent on spreading harmful content could easily sidestep detection using simple technical workarounds.
Undermining end-to-end encryption, privacy
A key point of contention is the regulation's requirement for on-device scanning, which involves checking content on users' devices before encryption. The researchers assert that this practice inherently undermines the protections that end-to-end encryption is designed to guarantee.
"Client-side scanning, regardless of its technical implementation, inherently undermines the protections that end-to-end encryption is designed to guarantee," the letter notes. This approach introduces a single point of failure and gives external parties access to data meant to remain private. Signal, a popular encrypted messaging app, has already stated it would withdraw its service from the EU if the regulation requires mandatory on-device scanning.
Legal and ethical implications: Function creep and over-censorship
Critics also warn of the potential for "function creep," where the same technology used for CSAM detection could later be applied to monitor other types of content, such as political messages, copyright infringement, or even dissent. This could lead to over-censorship and a significant erosion of online privacy and freedom of expression.
"The proposal opens the door to unprecedented capabilities for surveillance, control and censorship," the experts caution. They argue that the broad and ambiguous language of the regulation creates a significant risk of misapplication, potentially leading to costly litigation and over-censorship.
Divergent stances among EU member states
While the European Commission's proposal has gained support from countries like France, Spain and Italy, several member states, including Austria, the Netherlands and Poland, have voiced strong opposition. Germany, a key player in the EU, could play a decisive role in the outcome. A vote against or an abstention from Berlin would be enough to block the proposal by helping form the required minority of member states representing at least 35 percent of the EU population.
The European Parliament, which has already voted to limit scanning and protect encryption, is expected to continue pushing for a more balanced and privacy-friendly approach. A compromise text will need to be negotiated in "trilogues" between the Parliament and the Council before the regulation can take effect.
A delicate balance between safety and privacy
As the EU grapples with the complex issue of online child safety, the debate over the Chat Control 2.0 regulation highlights the delicate balance between protecting vulnerable children and preserving individual freedoms. The widespread opposition from experts and member states underscores the need for a more nuanced and evidence-based approach. Ultimately, the success of any regulation will depend on its ability to achieve meaningful protection without compromising the digital security and privacy of all EU citizens.
Sources for this article include:
ReclaimTheNet.org
EuroNews.com
HelpNetSecurity.com