# chat control is still not dead (unfortunately)
Okay, different topic today. If you’re in the EU and you care about privacy even a little bit, you’ve probably heard of Chat Control at some point. It’s the EU proposal to make messaging apps scan private messages for child abuse material. Sounds reasonable when you say it like that, which is exactly the problem, because what it actually means is scanning everyone’s messages, all the time, without any suspicion. And you can’t do that with end-to-end encrypted messages without breaking the encryption. There is no magic version of this where your chats stay private but also get scanned. Every cryptographer who looked at it said the same thing.
This law has been “almost passing” for years now, and I noticed most people I talk to have completely lost track of where it stands. Honestly I lose track sometimes too. So here’s the current state, as of when I’m writing this.
The good news
There was actually a real win this spring. On March 26 the European Parliament voted against extending “Chat Control 1.0”, the temporary rule that let providers like Meta scan everyone’s messages “voluntarily”. The vote was 307 to 306.
One vote. Let that sink in for a moment.
Anyway, that temporary regulation then expired on April 3. So right now, for the first time in years, there is no legal basis for mass scanning of private messages in the EU at all. That happened because a lot of normal people made noise about it. It worked.
The bad news
Here’s the thing, and this is the part that’s actually urgent right now: they’re trying to bring Chat Control 1.0 back. The Parliament voted to let it die, it expired, and now EU ambassadors have pushed to just extend it anyway, and MEPs are being asked to vote on reversing the decision they made in March. Read that again. The Parliament said no, by however thin a margin, and the answer to that is apparently “vote again until you say yes”. That’s the vote to watch right now, and it’s why the pressure matters again right now and not at some vague point in the future.
And in the background, the permanent version, Chat Control 2.0 (officially the CSA Regulation), is still being negotiated between the Parliament, the Council and the Commission. That fight is the same one as always. The Parliament’s position is actually fine: only scan specific suspects, and only with a court order. Normal police work, basically. The Council wants scanning of everyone without suspicion. Their newest trick is calling it “own-initiative” scanning by the providers, so on paper nobody is forced to scan, wink wink. Even the Council’s own legal service looked at that in June and said no, this is still generalised scanning of private communication. Which is the thing the EU courts keep saying is not compatible with fundamental rights.
There was supposed to be a final negotiation round on 2.0 on June 29, and it fell apart, exactly over this suspicionless scanning question. So no deal yet there either. Talks continue under the Irish presidency now, and Ireland is unfortunately one of the countries pushing for scanning.
This is the pattern with Chat Control. It gets rejected, it comes back with a new name. It gets blocked, it comes back under the next presidency. It expires, they try to extend it after the fact. The people pushing it only need to win once. We have to win every single time. That asymmetry is what worries me the most, more than any specific version of the text.
Why I care
Well, I run a Matrix server. If a scanning obligation like this passes, what am I supposed to do exactly? Break encryption for my users, or shut down? The big companies can hire compliance people and build scanning infrastructure. Signal at least has the weight to say “we’ll leave the market” and make headlines with it. A small homeserver like mine just quietly dies, or I’d be forced to move my server elsewhere with better privacy regulations.
And even if you don’t run anything: once the infrastructure to scan everything exists, “it’s only for CSAM” is just a promise. Promises like that have a history. First it’s this, then it’s terrorism, then it’s copyright, then it’s whatever the government of the day doesn’t like. Surveillance powers never shrink on their own.
What you can actually do
The March vote was 307 to 306. Margins like that don’t happen without ordinary people bothering their representatives, so this is not one of those “nothing you do matters” situations. Concretely:
- Contact your MEPs. The easiest way is fightchatcontrol.eu, they have a tool that finds your representatives and helps you contact them, plus they track the current status of everything. Takes five minutes. A short personal message is better than a copy-paste one, but a copy-paste one is a lot better than nothing.
- If your government is on the pro-scanning side (Denmark, Ireland, Spain, France, Italy and a bunch of others), write to them too. The worst versions of this keep coming from the Council, and the Council is just national governments, and those care about national voters.
- Follow the people who actually track this stuff. Patrick Breyer has documented every twist of this saga for years, and EDRi does a lot of the real policy work.
- Use encrypted messengers, and get others on them. Not because it fixes the law, but because the more normal encryption is, the harder it gets politically to ban it. I’m working on a whole post comparing the options, should be up tomorrow, conveniently.
I know “write to your politician” sounds like the most useless advice in the world. But this specific fight has been won multiple times now by exactly that. One vote in March. That was people making noise.
They will try again, they always do. So stay loud.
And as always, if you want to talk about this, you know where to find me.