
US democratic backsliding and a warning against Chat Control


How large-scale surveillance and AI were quickly turned against expression in the country that prides itself on freedom of speech

Published on Monday, 06 October 2025

In March 2025, a French scientist was denied entry to the US after border agents searched the messages on his phone and found criticism of the Trump administration. Google and Meta are handing over social media, email and location data of protesters against Israel’s war on Gaza to immigration officers. Both US colleges and US authorities are using invasive AI-powered technologies to track activists and migrants, making use of large combined databases of scraped data.

Against this background, it is chilling that the Danish EU Presidency is pushing for the adoption of the so-called Chat Control Regulation (Regulation to Prevent and Combat Child Sexual Abuse). A new vote of Member States on the proposal next week would advance the contentious legislation, after it had been dormant in the Council since 2024.

Much of the mass surveillance employed in the US would be a lot less effective in the EU. Companies such as Babel Street and Palantir rely on large amounts of both private databases and scraped public data. The EU Charter of Fundamental Rights and more detailed legislation, such as the GDPR, have prevented such large interconnected databases in Europe. Law enforcement needs warrants to access private communications.

However, none of these protections would protect us from government overreach if Chat Control were implemented in the EU. While the technical implementation and feasibility are seemingly treated as details to be hashed out at a later date, every realistic measure would result in severe degradation of the security of online systems and large-scale violation of the privacy of all EU citizens.

While the Commission presented a number of technical solutions, these boil down to two approaches: allowing all messages by all EU citizens to be screened, allowing targeted screening of encrypted messages, or a combination of these two. The difference lies in who has access, how the information is screened and where it is screened.

Democracies in the EU are also backsliding. What I have to say now is not illegal or persecuted anywhere. But neither was this the case for students protesting genocide in Gaza or visitors criticising the government in the US just a year ago. In the US, ICE has started asking for private data from Facebook and Instagram accounts of activists, while hiring people to screen social media and start databases of targets. With an example of how quickly guardrails and protections erode under anti-democratic governments, we should not even consider the possibility of undermining the privacy and cybersecurity of 450 million EU citizens.

The myth of privacy-focused technical solutions

Too many people don’t know how Chat Control would be implemented, and hearing terms like hashing, machine learning, and client-side scanning might provide a comforting blanket of ignorance. After all, this technology is going to flag Child Sexual Abuse Material (CSAM), while leaving the privacy of all EU citizens intact, right?

Unchaining big tech

There is a difference between encrypted and end-to-end encrypted content. Most of our internet traffic is encrypted in some fashion to prevent bad actors from intercepting and messing with it. However, the companies facilitating that traffic still have access to your data if they choose to use it. In the EU they are prevented from doing so for purposes that you haven’t agreed to and that they don’t have a good reason for, such as a warrant. This would change, as all communication would be monitored for specific content based on AI (which is notoriously inaccurate) and image and text patterns.

The result could be disastrous, as people could get reported for pictures between spouses mistaken for CSAM, misunderstood text, and faulty AI. But more insidiously, the definition of CSAM could be extended by future governments. Future governments? In June 2021, the government of Hungary introduced a law prohibiting the showing of "any content portraying or promoting sex reassignment or homosexuality" to minors. Similarly, once implemented, Chat Control is likely to be extended to terrorism in due time, as once privacy and encryption is broken. Just last month, the Netherlands moved to declare Antifa a terrorist organisation.

A bug on your phone

This leaves us with end-to-end encrypted content. Only the sender and the receiver can decrypt the content; the service provider merely transmits the encrypted material for you. This is giving the Commission the biggest headache. After all, most people would move behind encryption once Chat Control is implemented.

And so the Commission proposes to force communication service providers to scan the content of your communication on your device before encrypting it. However, the experts reporting to the Commission agree that the solution could be easily subverted and compromised and must thus send a hash (a specific algorithmically created content ID) to a server for matching.

Those hashes can be compared to other content as well. Thus, while they do not provide direct access to the content of your communication, that content can be accessed indirectly if the person searching knows what he is looking for. Additionally, large amounts of these hashes provide a rich picture of metadata about social networks, interests, and patterns: a power that has made Google and Meta some of the most valuable companies in the world. Finally, this new function of hashing the content before it is encrypted provides a new attack vector for any bad actor trying to break into your encrypted content.
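The point about comparing hashes can be made concrete with a small simulation. This is an added example, not code from the Commission's proposal or from any real scanning system; SHA-256 as the content ID, the user names and the messages are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

def content_id(data: bytes) -> str:
    """Content ID computed on the device before encryption (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample traffic: (sender, receiver, plaintext attachment).
FLYER = b"Demo on Saturday, 14:00, city hall"
MESSAGES = [
    ("alice", "bob", FLYER),
    ("bob", "carol", FLYER),
    ("dave", "erin", b"holiday photo 0042"),
    ("carol", "frank", FLYER),
]

def client_upload(messages):
    """What the matching server receives: who talked to whom plus a hash, no plaintext."""
    return [(s, r, content_id(body)) for s, r, body in messages]

def who_shared(server_log, known_content: bytes):
    """Anyone holding a copy of some content can ask the log who sent or received it."""
    target = content_id(known_content)
    return sorted({u for s, r, h in server_log if h == target for u in (s, r)})

def shared_content_graph(server_log):
    """Cluster users by identical hashes without knowing what the content is."""
    groups = defaultdict(set)
    for s, r, h in server_log:
        groups[h].update((s, r))
    # Keep only content that spread beyond a single sender/receiver pair.
    return {h: sorted(users) for h, users in groups.items() if len(users) > 2}

if __name__ == "__main__":
    log = client_upload(MESSAGES)
    print("shared the flyer:", who_shared(log, FLYER))
    print("clusters:", shared_content_graph(log))
```

The match list decides what is searched for: swapping the flyer for any other file changes the target without changing a line of the scanning code.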

A magic trick

The previous solutions clearly have some issues and the Commission experts agree: leaving the data on your device leaves it open to tampering. So the proposal is to send the data to a “secure enclave” on the company's server, or a government-run server. What is this secure enclave? It is just the server that can decrypt your messages. It then encrypts the message and sends it to the receiver. Besides the complexity and security issues arising from that, it is simply not end-to-end encryption anymore. As such, all communications would be made available to a third party.

The last solution proposed is another magic trick: homomorphic encryption. If it sounds scary, that’s because it is maths. It allows encrypted content to be computed on as if it wasn’t encrypted, while maintaining said encryption. Because it is a lot of maths, it is very difficult and slow, requiring massive resources if applied to all EU communications. Even if this technological hurdle were solved, it would remain mass surveillance of all our communication, crudely searching for illegal content. So if EU countries follow the US descent into fascism, this Stasi-like surveillance apparatus would quickly bear down upon us by redefining what is illegal.

"If in the first act you have hung a pistol on the wall, then in the following one it should be fired. Otherwise don't put it there." - We are currently in that first act.