# chat control passed in the european parliament. i am against it.

· #privacy #eu #chatcontrol

salix@host:~/posts/chat-control-passed-2026

You may have seen the headlines this week: Chat Control passed in the European Parliament.

The full situation is more complicated, because of course EU lawmaking cannot be explained without several different proposals, readings and voting rules. But my own opinion is not complicated: I am against Chat Control 1.0, and I am against Chat Control 2.0.

I don’t want companies scanning private messages without suspicion. I don’t want it when the scanning is called “voluntary”, and I especially don’t want it turned into a permanent European system. A private message should be private unless there is a specific reason and proper legal approval to investigate somebody.

Two versions of the same bad idea

What people call Chat Control 1.0 is a temporary exception to the EU’s ePrivacy rules. It allows messaging and email providers to “voluntarily” scan private communications for child sexual abuse material, and to report and remove it. It does not force every provider to scan, but it gives companies the legal space to inspect messages which people reasonably believe are private.

The word “voluntarily” does a lot of work here. The provider may volunteer to scan. The person sending a photo or having a conversation did not volunteer to be monitored. From the user’s side, there is nothing voluntary about it.

This exception existed since 2021 and expired on 3rd of April 2026. In March, Parliament rejected an extension, with 228 voting for the extension, 311 against it and 92 abstaining.

Then there is Chat Control 2.0, officially the permanent Child Sexual Abuse Regulation. It would create permanent rules for online services, including risk assessments, removal and blocking orders, and a new EU Centre on Child Sexual Abuse. The Council and Parliament are still negotiating the final text. It has not passed yet, and I hope it does not pass in a form which permits general scanning of private communication.

The two versions are legally different, but they move in the same direction. Chat Control 1.0 makes private scanning seem normal now. Chat Control 2.0 risks making the system permanent later. I oppose both for the same reason: people who are not suspected of a crime should not have their private communication inspected.

They brought it back after Parliament rejected it

After the March rejection, the extension should have been finished. Instead, on 2nd of July, the Council adopted the Commission’s original proposal as its position and sent it back to Parliament for a second reading. The Council wants the exception restored until 3rd of April 2028.

This second reading had different voting rules. Rejecting or amending the Council position required an absolute majority of all MEPs, not only a majority of those who voted. The threshold was 360.

On 9th of July, 314 MEPs voted to reject the Council position. 276 voted against rejection and 17 abstained. More MEPs voted to reject Chat Control than to keep it, but the rejection still failed because 314 was below the special threshold.

Maybe this follows the official procedure, but I find it very difficult to call the outcome democratic. Parliament rejected the extension in March. A clear majority of votes cast rejected it again in July. Still, the proposal survived. Bringing it back just before the summer break, under rules which made rejection much harder, looks like finding a procedural way around an answer the Council did not like.

This is also why people lose trust in the EU. You cannot tell citizens their representatives voted against a proposal, then say it passed anyway, and expect nobody to be angry about it.

The encryption amendment does not make it good

Parliament did add one important amendment. The exception should not apply to communications which use, used, or will use end-to-end encryption. If that protection remains in the final text, encrypted Signal conversations and encrypted Matrix rooms should be outside its scope.

I am glad this amendment exists. I am still against the proposal.

Unencrypted private messages also deserve privacy. Email does not become public communication because its protection is weaker. And a legal exception encouraging companies to inspect private messages is still wrong even if some encrypted services are excluded.

The official Parliament announcement also makes clear that this is not the final step. The amended text now goes to the Council. It has three months to accept all Parliament’s amendments. If it refuses, Parliament and the Council enter a conciliation procedure to negotiate a common text.

So, as of 13th of July 2026:

  • Parliament failed to reject Chat Control 1.0, even though more MEPs voted for rejection than against it.
  • Parliament added an exclusion for end-to-end encrypted communication.
  • The Council still has to accept that exclusion for the text to become law in this form.
  • Chat Control 2.0, the permanent and more far-reaching proposal, has not passed.

It would be inaccurate to say that the EU can now scan every encrypted message. Chat Control 1.0 allows providers to scan “voluntarily” and the Parliament text excludes end-to-end encryption. But correcting exaggerated headlines should not become an excuse to defend the proposal. The real version is already bad enough.

Protecting children does not require scanning everybody

Child sexual abuse is real and horrific. Material showing it should be removed, offenders should be investigated, and victims deserve serious support. I don’t question any of that.

What I reject is the idea that opposing mass scanning means opposing child protection. It does not. Police can investigate suspects. Courts can authorise targeted searches. Platforms can act on reports and remove confirmed illegal material. Governments can give investigators and victim-support organisations enough staff and money to do their work properly.

These are actions aimed at abuse and abusers. Scanning the conversations of people who are not suspected of anything is surveillance first and investigation second.

Automated detection is not harmless either. Matching a known illegal image is one thing. Trying to detect unknown material or grooming from ordinary conversations is much less certain. False reports can expose innocent people and deeply private messages to companies, reviewers and authorities. “An algorithm will check it” is not a meaningful privacy protection.

End-to-end encryption cannot magically stay private while a system checks the content. If software inspects a message on the device before it is encrypted, the encryption may still work during transport, but the conversation was already inspected. Moving the scanner to the phone does not solve the privacy problem. It only moves the place where privacy is broken.

Why Chat Control 2.0 worries me even more

Chat Control 1.0 is described as temporary, although temporary EU measures have a strange habit of returning. Chat Control 2.0 is meant to create the permanent framework. The Council’s position on the permanent law includes making the current “voluntary” scanning exception permanent.

Once scanning infrastructure exists, there will always be pressure to use it for more. Today the reason is child sexual abuse. Later somebody will propose terrorism, organised crime, copyright infringement, or another serious subject which makes opposing surveillance politically difficult. The technical system does not know that it was promised for only one purpose.

This is a boundary we should not cross. Private communication should not become a space where everybody is monitored just in case somebody commits a crime.

What it means for small services

I run a Matrix homeserver, so this is not only a theoretical discussion for me. Small independent services don’t have entire legal and compliance departments. If European rules create pressure to scan communication, a small provider may have to build surveillance infrastructure, remove features, stop accepting users, or shut down.

Big companies can pay for scanning systems and lawyers. Smaller privacy-friendly alternatives often cannot. Regulation like this can end up strengthening Meta, Google and Microsoft while making independent services disappear. That would leave people with fewer private choices, not more safety.

For encrypted Matrix rooms, Parliament’s amendment would offer some protection if it survives. But I don’t want protection to depend on one amendment surviving every later negotiation. And I don’t believe unencrypted rooms should be treated as fair targets for general scanning either.

I oppose both versions

Chat Control 1.0 passed an important stage through a process where 314 votes for rejection were not enough. It is not final in its amended form, and the Council may still fight the encryption exclusion. Chat Control 2.0 is still being negotiated and will decide the permanent direction.

I oppose Chat Control 1.0 because it normalises companies scanning private communication without suspicion. I oppose Chat Control 2.0 because it risks making that principle permanent and building the infrastructure for wider surveillance.

If you care about this, contact your MEPs and your national government. National governments form the Council, so they have direct influence over what happens next. Ask them to keep end-to-end encryption outside the temporary law and to reject general scanning in the permanent one. European Parliament has a tool to find your MEPs.

You can also follow Fight Chat Control to stay up to date. It keeps track of the changing proposals, upcoming decisions and positions of EU countries, and also helps you find the right representatives to contact.

For a much more detailed explanation, I also recommend Patrick Breyer’s Chat Control overview. He has followed this proposal for years and keeps a timeline, comparisons of the different texts, background documents and arguments against both versions in one place.

Protecting children and protecting private communication are not opposite goals. We can target criminals, support victims and remove illegal material without treating every person in Europe as a possible suspect.

My private messages are not the government’s messages. They are not Meta’s messages either. They should not be scanned just in case.

~$