New EU Chat Control makes scanning encrypted chats optional – but privacy experts are still worried

The – so far unsuccessful – legal journey of the EU child sexual abuse material (CSAM) scanning bill could see developments this week as lawmakers are set to discuss a new proposal on Wednesday, February 5, 2025. The Polish Council Presidency proposed a new version of the bill that seeks to address existing privacy concerns.

Deemed Chat Control by its critics, the bill comes as a way to halt the spread of CSAM content online by scanning all people’s communications. Under the new Poland’s proposal, however, the scanning would become voluntary instead and classified as “prevention.”

Despite looking like a step in the right direction in the battle to safeguard encrypted communications, privacy experts aren’t completely sold on this solution, warning that a few issues remain.

“Major progress but not yet acceptable because of mass surveillance,” commented Patrick Breyer from the German Pirate Party. A similar view was also shared by Elina Eickstädt, spokeswoman for the Chaos Computer Club, who pointed out how the new proposal asks more questions than it answers – digital rights group Netzpolitik reported.

The end of online anonymity?

Chat control has seen many twists and turns since the European Commission presented the first version of the draft bill in May 2022.

The initial plan required messaging services and email providers to scan all people’s messages on the lookout for illegal material – no matter if these were encrypted, like WhatsApp or Signal chats.

A watered-down version would later adjust the target toward shared photos, videos, and URLs upon users’ permission. These changes weren’t enough, however, to convince the majority of lawmakers, with the latest December vote failing to attract the needed majority yet again.

Poland’s proposal, as Breyer from the Pirate Party pointed out, represents a “major leap forward” to protect Europeans’ fundamental right to keep their digital correspondence private.

He said: “It would protect secure encryption and thus keep our smartphones safe. However, three fundamental problems remain unsolved.”

For starters, Breyer explains, that while the likes of Meta, Microsoft, or Google can decide whether or not to implement CSAM scanning, this could still provoke untargeted mass surveillance. This is why the European Parliament has proposed a different approach, which involves making searches mandatory but limiting them to persons or groups connected to child sexual abuse.

Breyer is also worried about Article 6 of the proposal, which would prevent users under 16 from installing popular applications, including encrypted messaging apps, social media, video conferencing services, and even online games. While this minimum age would be easy to circumvent, for example by using one of the best VPN services, Breyer believes it would also disempower teens instead of making them stronger.

Last but certainly not least, Poland’s proposal didn’t change the controversial Article 4 (3), for which users would be banned from setting up anonymous email or messenger accounts. “This would inhibit for instance sensitive chats related to sexuality, anonymous media communications with sources (e.g. whistleblowers) as well as political activity,” warns Breyer.

What’s next?

As mentioned earlier, lawmakers are set to discuss the new Chat Control proposal on Wednesday.

Asked about how likely it is for this version to finally gain the needed number of votes, Breyer told TechRadar to be skeptical about the hardline majority agreeing to pull mandatory chat control.

He said: “The proposal is likely to go too far already for the hardliner majority of EU governments and the EU Commission whose positions are so extreme that they will rather let down victims altogether than accept a proportionate, court-proof, and politically acceptable approach.”