The Malta Independent 19 July 2026, Sunday
View E-Paper

Two wrongs, one worse: Why Chat Control 1.0 and 2.0 both fail Europe

Sunday, 19 July 2026, 07:12 Last update: about 11 hours ago

David Zammit

Europe likes to think of itself as the world's privacy standard-bearer. The GDPR is cited from Brasília to Bangalore as proof that a large, prosperous democracy can regulate technology without gutting fundamental rights. That reputation is now on the line, because Brussels is trying, for the second time in five years, to build a legal architecture for scanning the private communications of hundreds of millions of people who are not suspected of any crime.

Both versions of "Chat Control" deserve to fail. But they fail for different reasons, and the second is considerably more dangerous than the first.

 

Chat Control 1.0: A stopgap that should have stayed a stopgap

Regulation 2021/1232 was sold as a temporary, narrow fix: a derogation from the ePrivacy Directive that let providers voluntarily scan for child sexual abuse material (CSAM) in unencrypted services. It never touched end-to-end encrypted communications, and no provider was legally compelled to scan anything. Companies like Meta and Microsoft used it because their business model already involved server-side processing of user content; it was an extension of existing practice, not a new surveillance power over the population as a whole.

That law expired on 4 April 2026 after the European Parliament declined to renew it. The right response to that expiry is to let it die and build something better through ordinary process. Instead, the Council is attempting a fast-track "revival", a new regulation with essentially identical content, timed to slip through before proper scrutiny can catch up. That manoeuvre alone should trouble anyone who cares about how EU law is supposed to be made: rushing a lapsed instrument back into force by relabelling it is a workaround, not a mandate.

Chat Control 1.0's flaw was never really about mass surveillance in the strict sense, it was voluntary, and it didn't reach encrypted messaging. Its flaw is that it normalised the premise now driving its successor: that scanning private messages is an acceptable tool of first resort, rather than a last resort reserved for judicially authorised, targeted investigations.

 

Chat Control 2.0: The premise made permanent, and mandatory

The CSA Regulation is where the real danger sits. Unlike its predecessor, this is not a temporary derogation, it is meant to be permanent EU law. And unlike its predecessor, it does not stop at unencrypted mail providers. Whether end-to-end encrypted messengers like Signal or WhatsApp would be pulled into scope remains one of the central unresolved fights between Parliament and Council, and the Council's proposals have repeatedly signalled a willingness to include them.

That distinction, encrypted versus unencrypted, is not a technicality. It is the whole argument. There is no way to build a scanning mechanism that inspects the content of an end-to-end encrypted message before it is encrypted (client-side scanning) without installing, in effect, a permanent listening device on every participating phone. Security researchers have said this consistently for years: you cannot create a backdoor "only for bad actors." A vulnerability scanning pipeline built into a messaging client is a vulnerability available to anyone who can access, subpoena, hack, or coerce it, including authoritarian governments watching how Europe legislates and looking for precedent.

The Council's fallback position, "voluntary" detection paired with sweeping risk-mitigation obligations, is not the concession it appears to be. If a platform faces heavy compliance liability unless it deploys detection tools, the scanning stops being meaningfully voluntary; it becomes commercially compelled. This is a classic regulatory move: avoid the word "mandatory" while making the alternative to compliance economically irrational.

Parliament's counter-position, scanning limited to individuals or groups already under suspicion, authorised by a court order, is close to what a rights-respecting system should look like: targeted, judicially supervised, proportionate. That it remains a negotiating position rather than settled law, five trilogue rounds and one collapsed "final" session later, tells you how contested the fundamental question still is.

 

Why the second is worse

Three concrete points separate a bad temporary law from a dangerous permanent one:

  1. Permanence versus expiry. A sunset clause, however clumsily extended, at least forces periodic reconsideration. A regulation has no such built-in accountability moment. Once passed, undoing it requires the same political energy it took to pass it in the first place, energy that surveillance regimes, once operational and institutionally embedded, rarely attract.
  1. Encryption is the line, and 2.0 is negotiating over whether to cross it. Chat Control 1.0 left the strongest form of digital privacy protection, end-to-end encryption,  completely untouched. Chat Control 2.0 is explicitly negotiating whether to compromise it. That is not an incremental expansion; it is a category change, from "scan what a company can already read" to "build the company a way to read what it currently cannot."
  1. Mandatory versus voluntary, in substance if not in name. Even in its most watered-down Council form, CSAR creates strong incentives that function like a mandate. A law that achieves compulsion through liability design rather than an explicit obligation is arguably more corrosive to democratic accountability, because it lets legislators claim they never "mandated" anything.

 

The efficacy problem neither version solves

Set aside civil liberties for a moment and ask the practical question: does bulk, suspicionless scanning actually reduce child sexual abuse?

The evidence is weak. Client-side scanning systems generate large numbers of false positives at population scale, even at claimed accuracy rates that sound impressive in isolation, the base rate of actual CSAM among hundreds of millions of daily messages is so low that even a 99.9% accurate classifier produces enormous numbers of innocent people flagged, their private photos and messages reviewed by moderators or law enforcement. Meanwhile, people engaged in organised abuse are the most likely to migrate to genuinely untraceable channels, the dark web, foreign apps outside EU jurisdiction, steganography, or simple in-person offending, the moment mainstream platforms become known to be monitored. Bulk scanning is well-suited to catching careless, low-level offenders and reshared known material; it is poorly suited to catching the sophisticated, networked abuse it is invoked to justify. Meanwhile, resourcing for the unglamorous work that actually protects children, investigator capacity, victim identification units, school-based prevention, international police cooperation, remains comparatively neglected relative to the political energy spent on scanning mandates.

In other words: the policy that does the most damage to the general population's privacy is not obviously the policy that does the most good for the population it claims to protect. That mismatch is the strongest argument against both versions, but especially against a permanent, potentially encryption-breaking one.

This is not a quirk specific to CSAM detection, it is the pattern with essentially every broad surveillance measure ever deployed. The people with the most to hide are, almost by definition, also the ones most capable and most motivated to find a way around the control: they have the technical know-how, the financial means, and the strongest incentive to migrate the moment a channel becomes risky. Ordinary users, by contrast, don't route around anything, they simply absorb the privacy cost, because they were never the actual target and have no reason to relocate their private conversations to the dark web. The net effect of a law like this is therefore predictable: the population under genuine suspicion adapts and disappears from view, while the population under no suspicion at all stays put and gets monitored. A control designed to catch the worst actors ends up catching everyone except them.

What "looking like a police state" actually means here

The phrase "police state" gets thrown around loosely, so it's worth being precise. The concern is not that the EU is about to start jailing dissidents. The concern is structural: a permanent legal infrastructure in which every citizen's private communications are, by default, subject to automated inspection by an algorithm nobody outside the vendor can fully audit, with no requirement of individualised suspicion, is a surveillance architecture indistinguishable in its technical operation from the tools authoritarian states use for population control. The fact that the stated purpose is benign does not change the architecture. Infrastructure built for one purpose is available for others, a future government, a future court order, a future data breach, a future political crisis in which "emergency" powers get quietly repurposed. Europe would be building the machine and trusting, by legislative promise alone, that no future hand ever turns it toward a different target.

The other side of this argument

It would be dishonest to end without acknowledging why serious people, including many child protection organisations, investigators, and some MEPs, support these measures. CSAM circulation online is a real and growing problem; automated detection (particularly hash-matching of already-known illegal images, which is far less invasive than scanning for new or unknown content) has led to real referrals and real prosecutions under the current voluntary regime. Advocates argue that end-to-end encryption, whatever its benefits, is also used by abusers to coordinate with near-total impunity, and that refusing to address that is its own form of harm to children. Some also argue that a well-drafted, court-supervised, narrowly targeted version of Chat Control 2.0, closer to Parliament's position than the Council's, would thread the needle: enabling investigation of specific suspects without mass scanning. Whether such a narrowly-drafted compromise is achievable, or whether "targeted but mandatory implementation of court orders" inevitably creates the same backdoor infrastructure by another name, is exactly the technical and legal argument still unresolved in trilogue, and it's a legitimate one, not a smokescreen, even for those who ultimately land against the regulation.

Professor David Zammit serves as both a lecturer and the Rector of Pro Deo International University in Italy. He has been actively engaged in the field of education for the past 35 years. Throughout his career, he has delivered lectures in various countries and has participated as a speaker at numerous symposia.


  • don't miss