Chat Control is back & we've got two months to stop the EU CSAM scanning plans.
The EU Regulation to Prevent and Combat Child Sexual Abuse, first published in May 2022, has become the "most criticized law of all time". Here's how to stop it now!
Chat Control was first proposed in 2022, but despite several attempts by Hungary, Sweden, and others, the draft has still not made it into law. Now, the Danish presidency of the EU Council is proposing a new version of Chat Control - and one that is worse than the others that came before:
If the Hungarian proposal was bad, the Danish version is even more extreme, pushing for the creation of an Orwellian world.
Stop Chat Control: Fight for privacy isn’t over!
The new Chat Control proposal by Denmark would force mandatory scanning of all private communications — including secure, encrypted chats — by inserting dangerous client-side scanning into your messaging apps.
It is very telling that government and military accounts would be exempt from this privacy invasion while citizens’ and businesses’ data would be up for grabs.
But what makes this even worse is that this 2025 version doesn’t just recycle previous proposals for client-side scanning by the EU — it goes further. If passed, law enforcement all over Europe will be able to compel online communication providers to scan for “unknown” content using unreliable AI, not just for known illegal material. This risks exposing your most intimate private conversations and photos.
With all the privacy issues we are already seeing around AI tools - just think about how Google might train its AI with all your data, or how LinkedIn opted users into AI training without explicit consent - people are now actively looking into how to disable Gemini on Android, or how to turn off Meta AI on WhatsApp. And, yes, as a privacy-first email provider, we can also say that using AI in email is not a good idea.
Despite this trend - to protect one's data from aggressive AI abuse - EU politicians want to give AI even more and deeper access into everything we do online, including scanning encrypted messages. Instead of protecting users’ data, politicians want to create an encryption backdoor that threatens the security and privacy of everyone.
If Chat Control is passed, opaque AI algorithms will decide whether your personal messages and your private pictures will be flagged or leaked. This undermines online privacy for over 450 million EU citizens, which is something we must not accept. What’s more, a leaked German government memo confirms the Council’s own lawyers believe this draft law violates fundamental rights, weakens encryption, and is unlikely to survive in court — achieving nothing for child protection while destroying privacy for all.
Take action now
The leaked memo also reveals a dangerous development: Many countries within the EU Council that helped block Chat Control in 2024 are now wavering.
The following countries are undecided or unclear: Belgium, Czech Republic, Estonia, Finland, Germany, Greece, Slovenia, Luxembourg, Romania. While the Swedish government leans in favour, it needs parliamentary approval.
This is - or used to be - the blocking minority. We need to make sure that these countries continue to oppose Chat Control to stop it from becoming law.
One fact that makes Chat Control so controversial in Germany - and should be in the entire EU - is that we in Germany actually call this law “Chat Control” - not Upload Moderation, ProtectEU, or whatever name the EU Council comes up with. So follow this call on YouTube, and call this law by its real name: Chat Control.
The clock is ticking and the time to stop Chat Control is now!
- September 12: Governments will finalize positions.
- October 14: Final vote of the EU Council.
Before September 12, call on decision-makers in your local governments demanding they protect encryption and reject Chat Control.
Make Germany oppose Chat Control again!
Germany, under a new government since May 2025, is no longer clearly opposing Chat Control. This is a warning to everyone in favor of privacy, and must make everyone act now to turn the tide in this large EU country. The politicians' point of view is particularly worrying as they seem to no longer oppose Chat Control, despite clear signs that the draft law violates human rights and will very likely be declared illegal by the German Constitutional Court as disproportionate mass surveillance. This resembles the history of data retention legislation in Germany - which was declared illegal multiple times. But politicians kept trying, until finally agreeing that personal communication like emails is exempt from any kind of data retention obligations.
But back to Chat Control: In 2024, the legal experts of the EU Parliament’s Scientific Service concluded in a study on the legality of Chat Control:
“When weighing the fundamental rights affected by the measures of the CSA proposal, it can be established that the CSA proposal would violate Articles 7 and 8 of the Charter of Fundamental Rights with regard to users.”
According to the legal services of the EU, the CSAR proposal’s parts on client-side scanning are disproportionate and contrary to fundamental rights.
This leads to the major Chat Control criticism: The EU CSA Regulation is illegal under EU law.
EU Commission’s conflicting statements
The EU Commission, however, rejects the arguments of the opponents and claims that you can protect and scan chats at the same time - without giving any evidence of how this should be done.
At the same time, another formulation within the draft law makes it clear that Chat Control is a surveillance tool: Non-public communication services, for example the military services, are to be exempted. This is to protect “confidential information, including classified information.”
States do not want Chat Control for their own communications to avoid surveillance.
Criticism of Chat Control
1. Chat control may be illegal
The core problem of CSAR is the following: scanning the communications of unsuspected persons en masse without cause is disproportionate and contrary to fundamental rights.
In May 2022, the European Commission proposed to introduce mandatory requirements for all chat, messaging and email services, even when providing end-to-end encryption, to scan messages for illegal child sexual abuse material (CSAM). But since their publication, the proposed measures have been criticized across Europe, as they could lead to the de facto “permanent surveillance of all interpersonal communications”.
The EU Charter of Fundamental Rights guarantees the right to privacy for all people living in the European Union. Consequently, the EU legal advisors have concluded that European Chat Control proposals which would require tech companies to scan private and encrypted messages for child abuse material (CSAM) are in breach of EU law.
The controversial EU law will enable governments to serve “detection orders” on technology companies, requiring them to scan private messages and emails for “indicators of child abuse”. This could undermine encrypted communications, which is criticized by security experts as well as privacy advocates as being general and indiscriminate mass surveillance. In addition, one must remember that the German Federal Constitutional Court has even declared data retention illegal in Germany for being “disproportionate”.
It is highly likely that the CSA Regulation - should it become law - would be declared illegal by the European Court of Justice (ECJ) as well. The requirement for companies such as WhatsApp, Signal and others to scan every message - even when encrypted - for child abuse material infringes people’s right to privacy, which is in conflict with the EU Charter of Fundamental Rights.
2. Lobbying from AI companies
In September 2023, new research was published that cast a very different light on Chat Control - and on who would really benefit if all Europeans were monitored 24/7 on the internet.
Next to Ashton Kutcher and his organization Thorn, a long list of organizations, AI companies and law enforcement are lobbying for Chat Control in Brussels. The research, for example, exposes the WeProtect Global Alliance as a government-affiliated institution that is closely linked to ex-diplomat Douglas Griffiths and his Oak Foundation. The latter has invested more than 24 million US dollars in lobbying for Chat Control since 2019, for example via the Ecpat network, the Brave organization and the PR agency Purpose.
The research “confirms our worst fears,” said Diego Naranjo, head of policy at civil rights organization European Digital Rights (EDRi). “The most criticized European law on technology in the last decade is the product of lobbying by private companies and law enforcement.” EU Commissioner Ylva Johansson ignored “science and civil society” and proposed a law to “legalize mass surveillance and break encryption,” he said. “Child protection is being abused here as a door-opener for an infrastructure for mass surveillance without any reason,” complains Konstantin Macher of the data protection association Digitalcourage.
3. Most criticized EU law ever
According to the non-profit organization EDRi, an “unprecedentedly broad range of stakeholders have raised concerns that despite its important aims, the measures proposed in the draft EU Child Sexual Abuse Regulation are fundamentally incompatible with human rights”.
EDRi has published an impressive collection of 69 opposing voices from EU politicians, EU member states, tech companies and even child protection experts explaining why Chat Control must fail.
It also published an open letter signed by over 80 NGOs adding to the voice of almost 500 scientists and ~90 organizations explaining why we must fight for privacy in Europe.
No matter how politicians try to convince the public: Scanning our private messages for child sexual abuse material is mass surveillance. We must never allow this.
We at Tuta won’t accept Chat Control
At Tuta we are freedom fighters: We are at the forefront of the privacy revolution by offering everyone around the world a private email account.
Should the CSA Regulation continue to move forward in its current form, we would be willing to defend people’s right to privacy in court, as we have done before in Germany.
We put your privacy and security first: our code for Tuta’s automatic end-to-end encryption is publicly available, published as open source. We would never undermine our privacy promise or our encryption.
Our position remains firm: We will do whatever it takes to ensure your right to privacy.