Chat Control Criticism: Why the EU CSAM Scanning Plans Must Fail.

The EU Regulation to Prevent and Combat Child Sexual Abuse has become the "most criticized law of all time".

Chat control: The most criticized EU law ever.

The Council of EU Member States has postponed the final vote on the Child Sexual Abuse Regulation (CSAR), which had been scheduled for Oct. 19th - which is the second postponement already. EU countries simply can't get an agreement on this highly controversial draft, which then - even if EU Member States come to an agreement eventually - also needs to be discussed in the EU Parliament. This is great sign that the regulation, also dubbed chat control and one of the most criticized EU laws ever, might fail.


The fight over chat control continues among the EU member states were a small group of countries - namely Germany, Austria, Netherlands, Poland, Sweden, Estonia, and Slovenia - are in opposition to the current draft of the EU CSA Regulation. German politicians have said before that there is no prosecution at any cost, a clear statement against the EU plans for client-side scanning which would undermine encryption.

This comes at a very important time as the UK just passed the Online Safety Bill, the so called ‘playbook for dictators’. While it’s now theoretically possible for the UK to undermine encryption, the EU still has the chance to take a more pro-privacy approach when it comes to safeguarding the web.

Germany opposes chat control

Chat control criticism: Germany opposes the draft version as it requires illegal mass surveillance.

Germany demanded to postpone the vote, as in the previous session, supported by Austria. The work would not be finished, yet, the measures in the current text are disproportionate and illegal and need to be amended.

Earlier this year the legal experts of the EU Parliament’s Scientific Service concluded in a study on the legality of chat control:

“when weighing the fundamental rights affected by the measures of the CSA proposal, it can be established that the CSA proposal would violate Articles 7 and 8 of the Charter of Fundamental Rights with regard to users.”

According to the legal services of the EU, the CSAR proposal’s parts on chat control via client-side scanning are disproportionate and contrary to fundamental rights.

This leads to the major chat control criticism: The EU CSA Regulation is illegal under EU law.

Council is divided

In addition, Poland, the Netherlands and Sweden wanted changes to the text of the law. Nine other states called for the common position to be adopted soon. Their argumentation: in the trilogue negotiations with the Commission and the EU Parliament, the states will have to make further compromises anyway.

But since the start of the debates 18 months ago, surveillance obligations such as client-side scanning, chat control, and encryption aspects - key points of the draft law - are particularly controversial among EU member states.

Sweden sees “problems with the integrity and legal certainty of the proposal.” Poland called everything “very complicated,” saying the CSA Regulation has not yet “managed to strike the right balance between child protection and data protection.”

Poland demanded that only chats of “people under concrete suspicion” should be scanned, not those of innocent citizens.

Several states criticize other provisions as disproportionate. The Netherlands and Germany want to exempt audio telephony, while Sweden wants to exempt communications over mobile networks. Sweden and the Netherlands want to limit scanning to known abusive material and exempt unknown material and grooming.

This demonstrates how divided EU member states still are - and how controversial chat control is, one of the most criticized EU laws of all time.

EU Commission’s conflicting statements

The EU Commission, however, rejects the arguments of the opponents and claims that you can protect and scan chats at the same time - however, giving no evidence on how this should be done.

At the same time, another formulation within the draft law makes it clear that chat control is a surveillance tool: Non-public communication services are to be exempted, for example if they are “used for national security purposes.” This is to protect “confidential information, including classified information.” States do not want chat control for their own communications to avoid surveillance.

Decision postponed

While the EU Commission is putting pressure on the states to come to a final decision, it has become obvious that there is no qualified majority for the current proposal. Consequently, the vote on CSAR has been postponed within the council.

This comes at no surprise as no other EU law has been criticized as much as CSAR (leaked draft of Spanish Presidency).

Criticism of chat control

1. Chat control may be illegal

The core problem of CSAR is the following: scanning the communications of unsuspected persons en masse without cause is disproportionate and contrary to fundamental rights.

In May last year, the European Commission proposed to introduce mandatory requirements for all chat, messaging and email services, even when providing end-to-end encryption, to scan messages for illegal child sexual abuse material (CSAM). But since their publication, the proposed measures are criticized across Europe as these could lead to the de facto “permanent surveillance of all interpersonal communications”.

The EU Charter of Fundamental Rights guarantees the right to privacy for all people living in the European Union. Consequently, the EU legal advisors have concluded that European chat control proposals which would require tech companies to scan private and encrypted messages for child abuse material (CSAM) are in breach with EU law.

The controversial EU law will enable governments to serve “detection orders” on technology companies, requiring them to scan private messages and emails for “indicators of child abuse”. This could undermine encrypted communications, which is criticized by security experts as well as privacy advocates as being general and indiscriminate mass surveillance. In addition, one must remember that the German Federal Constitutional Court has even declared data retention as illegal in Germany for being “disproportionate”.

It is highly likely that the CSA Regulation - should it become law - would be declared illegal by the European Court of Justice (ECJ) as well. The requirement for companies such as WhatsApp, Signal and others to scan every message - even when encrypted - for child abuse material infringes people’s right to privacy, which is in conflict with the EU Charter of Fundamental Rights.

While technology companies have unsuccessfully objected to similar UK proposals in the Online Safety Bill which just got passed including it’s controversial requirement to scan for child sexual abuse material once a “feasible technology” exists, it seems rather unlikely that something similar will be passed in the EU given the great resistance, even among EU member states, but even more so among European MPs.

2. Lobbying from AI companies

In September 2023 a new research was published that threw a very different light on chat control - and who would really benefit if all Europeans would be monitored 24/7 on the internet.

Next to Ashton Kutcher and his organization Thorn a long list of organizations, AI companies and law enforcement are lobbying pro chat control in Brussels. The research for example exposes the WeProtect Global Alliance as a government-affiliated institution that is closely linked to ex-diplomat Douglas Griffiths and his Oak Foundation. The latter has invested more than 24 million US dollars in lobbying for chat control since 2019, for example via the Ecpat network, the Brave organization and the PR agency Purpose.

The research “confirms our worst fears,” said Diego Naranjo, head of policy at civil rights organization European Digital Rights (EDRi). “The most criticized European law on technology in the last decade is the product of lobbying by private companies and law enforcement.” EU commissioner, Ylva Johansson, ignored “science and civil society” and proposed a law to “legalize mass surveillance and break encryption,” he said. “Child protection is being abused here as a door-opener for an infrastructure for mass surveillance without any reason,” complains Konstantin Macher of the data protection association Digitalcourage.

3. Germany against proposal

Germany is the strongest opponent of the current CSAR draft - and rightly so. Germany has a track record of defending people’s right to privacy, not least because of its history of mass surveillance during the German repressive systems of the German Democratic Republic (GDR) and during World War II.

Today, German politicians say: “There is no prosecution at any cost.” Meaning: The right to privacy is an important human right, one that we must not give up.

4. Mostly criticized EU law ever

According to the non-profit organization EDRi an “unprecedentedly broad range of stakeholders have raised concerns that despite its important aims, the measures proposed in the draft EU Child Sexual Abuse Regulation are fundamentally incompatible with human rights”.

EDRi has published an impressive collection of 69 opposing voices from EU politicians, EU member states, tech companies and even child protection experts explaining why chat control must fail.

It also published an open letter signed by over 80 NGOs adding to the voice of almost 500 scientists explaining why we must fight for privacy in Europe.

No matter how politicians try to convince the public: Scanning our private message for child sexual abuse material is mass surveillance. We must never allow this.

But there’s also light at the end of the tunnel: Germany - one of the countries with best data protection laws is planning to pass a law that contains the right to encryption. Privacy-advocates around the world are also joining forces to defend encryption in the EU and beyond, for instance in the Australian Online Safety Act.

Tutanota won’t accept chat control

At Tutanota we are freedom fighters: We are at the forefront of the privacy revolution by offering everyone in the world a private email account.

Should the CSA Regulation more forward in its current form, we would be willing to defend people’s right to privacy in court as we have done so before in Germany.

We put your privacy and security first, our code for Tutanota’s automatic end-to-end encryption is publicly available as open source. We would never undermine our privacy promise or our encryption.

Our position remains firm: we will do whatever it takes to ensure your right to privacy.