EU Chat Control Proposal and Its Privacy and Security Implications
The European Union's proposed Chat Control regulation, formally known as the CSAM Regulation, seeks to combat child sexual abuse material by mandating that digital platforms detect, report, and remove illegal content, including grooming behaviors. This proposal has sparked significant controversy and opposition from privacy advocates, technology companies, and some member states. The regulation would require online service providers to implement scanning mechanisms on user devices and communications, a move that cybersecurity experts warn is fundamentally incompatible with end-to-end encryption. Benjamin Schilz, CEO at Wire, emphasized that mandated scanning would effectively introduce a universal backdoor into secure systems, undermining the privacy and security protections relied upon by millions of individuals and businesses. He argued that such measures would create new attack surfaces, increase the risk of exploitation by malicious actors, and present insurmountable compliance and liability challenges for service providers. The proposal has faced strong resistance from privacy rights organizations and secure messaging providers such as Signal and Threema, who argue that it would lead to arbitrary surveillance and heightened hacking risks. The European Commission first introduced the proposal in 2022, but it has repeatedly failed to gain consensus among member states, with previous attempts by Hungary and Belgium also stalling. Most recently, the EU Justice and Home Affairs Council postponed a scheduled vote on the measure after German lawmakers and other member states voiced opposition, removing the CSAM proposal from the agenda of their Luxembourg meeting. The Danish presidency has prioritized passing the regulation, but the lack of agreement continues to impede progress. Critics highlight that the EU's own data protection bodies and advisers have deemed the proposal unworkable, citing the fundamental conflict between mandated scanning and the preservation of privacy rights. The debate underscores the tension between efforts to protect children online and the imperative to maintain robust digital privacy and security. If enacted, the regulation would force service providers to choose between compliance and the technical impossibility of maintaining end-to-end encryption alongside mandated surveillance. The ongoing postponement of the vote reflects the deep divisions within the EU regarding the balance between child protection and civil liberties. The outcome of this legislative process will have far-reaching implications for the future of digital privacy, encryption standards, and the responsibilities of online service providers across Europe.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
EU temporary legal basis for voluntary CSAM scanning expires
An EU law that had allowed technology companies to voluntarily scan private communications for child sexual abuse material expired, removing the legal basis for proactive detection under EU law. Microsoft, Google, Meta, and Snapchat said they would continue CSAM scanning despite the resulting legal uncertainty.
Wire CEO publicly warns Chat Control threatens encryption and privacy
Wire CEO Benjamin Schilz said the proposed Chat Control rules are incompatible with end-to-end encryption and would create systemic security, privacy, and compliance risks. He also warned the proposal could introduce exploitable monitoring infrastructure, generate false positives, and disproportionately burden smaller European providers and open-source developers.
EU postpones vote on proposed Chat Control regulation
The European Union postponed a scheduled vote on the proposed CSAM Regulation, commonly called 'Chat Control.' The delay marked a procedural setback for the measure, which would require platforms to detect, report, and remove child sexual abuse and grooming-related content.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Big tech vows to continue CSAM scanning in Europe despite expiration of law allowing it | The Record from Recorded Future News
therecord.media
Open sourceWhat Chat Control means for your privacy
helpnetsecurity.com
Open sourceEurope Postpones 'Chat Control' Vote
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Denmark Withdraws EU Chat Control Proposal After Widespread Opposition
Denmark has withdrawn its proposal to mandate client-side scanning of electronic communications for child sexual abuse material (CSAM) across the European Union, following significant domestic and international backlash. The proposed law, known as Chat Control, would have required online service providers to scan user messages and files, including those on end-to-end encrypted platforms, for CSAM. The initiative lost critical support after Germany publicly withdrew its backing, and the Danish Moderates, a key coalition party, also failed to support the measure. Danish Justice Minister Peter Hummelgaard confirmed that the government will no longer pursue mandatory scanning and will instead support the continuation of voluntary CSAM detection by technology companies. The current EU authorization for voluntary anti-CSAM scanning by communication providers is set to expire in April 2026, with the European Parliament having recently extended it until then. Hummelgaard emphasized the need for Europe to act on a CSAM proposal before the expiration of voluntary scanning, warning of the risk of losing a vital tool in combating child sexual abuse. Privacy advocates, including the president of the Signal Foundation, strongly opposed the mandatory scanning proposal, citing concerns over mass surveillance and the potential impact on confidential communications for all users, including government officials and journalists.
Mar 21, 2026
Signal Threatens EU Exit Over Proposed Chat Control Law Mandating Message Scanning
Signal, a leading provider of end-to-end encrypted messaging services, has publicly stated it will withdraw from the European Union market if the proposed Chat Control legislation is enacted. The Chat Control proposal, currently under consideration by the European Union and spearheaded by the Danish Presidency, would require all messaging platforms, including those offering end-to-end encryption, to scan user communications and files for abusive or illegal material before messages are sent. This measure is intended to combat child exploitation and other criminal activities, but has raised significant concerns among privacy advocates, technology experts, and encrypted messaging providers. Signal Foundation President Meredith Whittaker has argued that the legislation would effectively mandate mass surveillance, undermining the privacy and security of all users, including government officials, journalists, activists, and vulnerable populations. The proposed law would require service providers to implement scanning mechanisms that could potentially be exploited by hackers or nation-state adversaries, thereby increasing the risk of unauthorized access to sensitive communications. Privacy experts warn that the requirement to scan messages before encryption would fundamentally break the security model of end-to-end encrypted services, exposing all users to potential surveillance and data breaches. The pending vote, scheduled for October 14, has become a focal point of debate, with Germany holding a pivotal swing vote that could determine the law's fate. Historically, Germany has opposed such measures, but recent political developments have cast uncertainty on its position. Denmark, currently presiding over the Council of the European Union, has been a strong proponent of the legislation and is pushing for its adoption. The controversy highlights the ongoing tension between law enforcement objectives and the protection of digital privacy in Europe. Signal's threat to exit the EU market underscores the potential impact on both users and the broader technology ecosystem if the law is passed. Other encrypted messaging platforms, such as Telegram, WhatsApp, and Threema, are also likely to be affected by the proposed requirements. The debate has drawn international attention, with privacy advocates warning that the law could set a precedent for similar measures in other jurisdictions. The outcome of the EU vote will have significant implications for the future of encrypted communications and digital privacy rights across Europe. If enacted, the law could force major changes in how messaging services operate, potentially leading to reduced privacy protections for millions of users. The situation remains fluid as stakeholders on all sides lobby for their positions ahead of the critical vote.
Mar 21, 2026
UK Push for Device-Level Nude Blocking Rekindles On-Device Scanning Debate
The U.K. government said it wants Apple and Google to implement device-level controls that would stop minors from taking, sending, or viewing nude images, while requiring adults to complete age verification to access such content. Prime Minister Keir Starmer gave the companies about three months to comply voluntarily or face possible legislation and fines, presenting the measure as a child-safety response to grooming and pornography exposure. Supporters including child-protection advocates backed the proposal, while critics warned it would extend the U.K.’s broader online safety regime into smartphones, cameras, apps, and messaging platforms. The proposal landed amid wider scrutiny of on-device content analysis across major platforms. Signal said mandatory client-side scanning would weaken encrypted communications and create infrastructure that could be repurposed for surveillance or censorship. At the same time, Google faced backlash over the quiet rollout of Android `SafetyCore`, a local image-classification service tied to sensitive-content warnings, while Apple unveiled expanded child-safety features in `iOS 27`, including broader sensitive-content detection for nudity and violent imagery. Meta is also developing an opt-in WhatsApp `Scam Alert` feature that analyzes suspicious messages locally without breaking end-to-end encryption, underscoring how vendors are increasingly turning to on-device moderation while trying to preserve privacy claims.
Jun 11, 2026