End-to-End Encryption Under Threat: What the EU Chat Control Means
The EU Chat Control regulation has been debated for three years. In 2026, it is moving toward implementation. The implications for privacy, security, and the services millions of people rely on are significant.

Daniel Torres
Cybersecurity Journalist
The EU Chat Control proposal - formally the Regulation on Preventing and Combating the Sexual Abuse of Children (CSAM) - has been through multiple drafts and political battles since 2022. In early 2026, a modified version appears to be moving toward qualified majority approval, and the security community is alarmed.
Understanding what Chat Control would actually require, what it would break, and what the alternatives are requires separating the political framing from the technical substance.
What Chat Control Would Require
The core mechanism in the most recent draft: communications service providers - including messaging apps, email services, and other platforms - would be required to scan user messages for Child Sexual Abuse Material (CSAM) and report detections to authorities.
The problem that has generated sustained opposition from cryptographers and security researchers: this scanning requirement is technically incompatible with end-to-end encryption (E2EE) as currently implemented.
In a properly implemented E2EE system, only the sender and recipient hold the keys to decrypt messages. The service provider cannot read the messages and therefore cannot scan them. To comply with Chat Control's scanning requirement, a service provider would have to either:
- Break E2EE - implement a backdoor that allows the provider (and therefore potentially others) to access message content, or
- Implement client-side scanning - scan messages on users' devices before encryption, before they are sent
The EU Commission's position is that "client-side scanning" preserves E2EE because messages are still encrypted in transit and at the provider level. The cryptographic counter-argument is that scanning content before encryption and after decryption - on the user's device - is functionally equivalent to breaking privacy from the user's perspective, regardless of what happens during transmission.
The Technical Objections
The open letter signed by 150 security researchers in response to earlier Chat Control drafts, and updated in 2025, makes several technical points that have not been refuted:
Client-side scanning creates new attack surfaces. Any system that can scan device content and flag it for reporting creates a capability that can be exploited, modified, or repurposed by attackers, authoritarian governments, or mission creep within the original deploying government.
Hash-matching is not accurate enough at scale. The proposed detection approach uses hashing (PhotoDNA and similar) to compare content against known CSAM databases. These systems have false positive rates that may appear small in percentages but translate to millions of incorrect flaggings at the scale of modern messaging services.
Determined bad actors route around it. The people most motivated to evade detection have resources to use encrypted file-sharing, VPNs, and communication platforms outside EU jurisdiction. The populations most affected by the loss of private communication are journalists, activists, abuse survivors using encrypted communication for support, and ordinary citizens.
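The scale argument in the hash-matching point above, worked through as an added example (not from the article or the open letter). Every volume and rate below is a constructed assumption for illustration, not a measured figure for PhotoDNA or any real service.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed inputs (assumptions, not measurements of any real system).
ITEMS_PER_DAY = 10_000_000_000        # images/messages scanned per day
PREVALENCE = Fraction(1, 1_000_000)   # share that truly matches the database
TPR = Fraction(9, 10)                 # chance a true match is flagged
FPR = Fraction(1, 10_000)             # chance an innocent item is flagged (0.01%)


@dataclass(frozen=True)
class ScanOutcome:
    true_flags: Fraction    # matching items correctly flagged
    false_flags: Fraction   # innocent items incorrectly flagged
    precision: Fraction     # share of all flags that are correct


def scan_outcome(items, prevalence, tpr, fpr):
    """Expected daily flags from scanning `items` with the given rates."""
    positives = items * prevalence
    negatives = items - positives
    true_flags = positives * tpr
    false_flags = negatives * fpr
    total = true_flags + false_flags
    precision = true_flags / total if total else Fraction(0)
    return ScanOutcome(true_flags, false_flags, precision)


def max_fpr_for_precision(prevalence, tpr, target):
    """Largest false positive rate at which precision still reaches `target`.

    Solves target = p*tpr / (p*tpr + (1 - p)*fpr) for fpr.
    """
    return prevalence * tpr * (1 - target) / ((1 - prevalence) * target)


if __name__ == "__main__":
    for fpr in (Fraction(1, 1_000), FPR, Fraction(1, 1_000_000)):
        o = scan_outcome(ITEMS_PER_DAY, PREVALENCE, TPR, fpr)
        print(f"FPR {float(fpr):.4%}: {int(o.false_flags):>10,} false flags/day, "
              f"{int(o.true_flags):,} true, precision {float(o.precision):.2%}")
    need = max_fpr_for_precision(PREVALENCE, TPR, Fraction(1, 2))
    print(f"FPR needed for 50% precision: about 1 in {int(1 / need):,}")
```

Under these assumptions a 0.01% false positive rate produces roughly a million incorrect flags per day, and fewer than 1 in 100 flags is correct, because innocent items outnumber matching ones by a factor of a million.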
What Encryption Actually Protects
The debate around Chat Control often frames encryption as primarily a tool for hiding illegal content. The more accurate framing is that encryption is foundational infrastructure for digital security broadly.
Medical communication between patients and providers travels encrypted. Legal communications between attorneys and clients depend on encryption. Whistleblowers communicating with journalists rely on encryption. Corporate communications containing trade secrets use encryption. Domestic violence survivors using encrypted services to communicate with support organizations need encryption.
Any system that mandates scanning of encrypted communications, through whatever technical mechanism, reduces the security of all of these use cases - not because of malice, but because security guarantees that depend on exceptions are not security guarantees.
Services like ProtonVPN and ProtonMail have built their business model on end-to-end encryption. Signal's developers have stated explicitly that they would shut down EU operations rather than implement scanning requirements. The practical effect on European users of mandating client-side scanning would be the loss of access to the most secure communication tools currently available.
The Legislative Status in 2026
The regulation has had significant political headwinds. Germany, which initially supported Chat Control, reversed its position in 2024 citing technical objections. A qualified majority in the Council requires 15 of 27 member states representing 65% of the EU population.
As of Q1 2026, a modified draft that applies scanning requirements to unencrypted communications and messaging services that voluntarily participate in a "detection order" scheme - while nominally excluding E2EE services from mandatory requirements - has more political traction. Critics argue the "voluntarily" framing creates de facto compliance pressure.
The European Parliament has been consistently more skeptical of Chat Control than the Council, and the LIBE (Civil Liberties) Committee has issued multiple negative opinions. The regulation's final form, timeline, and scope remain contested as of this writing.
What Users Can Do
Regardless of legislative outcomes, users concerned about communication privacy can take practical steps:
Use E2EE services for sensitive communication. Signal for messaging, ProtonMail for email, and ProtonVPN or NordVPN for network privacy are the current best practices. These services provide genuine end-to-end encryption.
Understand the metadata even encrypted services generate. Even when message content is encrypted, metadata - who you communicated with, when, how frequently, and from what device - may not be protected. Services vary in how much metadata they retain.
Support organizations working on these issues. The Electronic Frontier Foundation (EFF), Privacy International, and the European Digital Rights initiative (EDRi) are tracking Chat Control and similar legislation and providing legal and technical analysis.
The core tension Chat Control represents - between the legitimate goal of protecting children and the technical reality that there is no backdoor only the good guys can use - will not be resolved by this regulation. It will continue in various forms across jurisdictions for years.
About the Author

Daniel Torres
Cybersecurity Journalist
Daniel has spent 10 years covering data breaches, ransomware campaigns, and enterprise security failures for publications including Wired, Dark Reading, and SC Magazine. He has interviewed hundreds of CISOs, incident responders, and threat intelligence analysts, and has a knack for translating technical attack chains into clear narratives that non-security executives can act on. He holds a CISSP certification and previously embedded with a red team operation for six months.