EU now one step away from reviving private message scanning rules
231 points
3 hours ago
| 14 comments
| cyberinsider.com
| HN
budududuroiu
23 minutes ago
[-]
The Internet Watch Foundation, an organisation funded by almost all of big tech, is already at work pushing for client side scanning next [1], for the children, of course.

[1] https://www.iwf.org.uk/policy-work/preventing-the-upload-of-...

reply
red_admiral
17 minutes ago
[-]
This is about 1.0, which sounds ok - it basically allows providers a legitimate exception from data privacy laws to scan for CSAM in not E2EE communications. I reckon gmail, iCloud mail and the like already scan attachments for malware and emails for phishing scams, now they can also scan for child abuse.

cc 2.0 is a different beast.

reply
budududuroiu
15 minutes ago
[-]
"We decide on something, leave it lying around, and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back." -- Jean-Claude Juncker
reply
inigyou
1 hour ago
[-]
The Chat Control 1.0 rule is simply that organisations like Meta are allowed to scan messages if they want to. In other words your Facebook messages are not private from Facebook. Surely we already knew and expected that.

Chat Control 2.0 is the worrying one because it mandates scanning and bans E2EE.

These two things should not have both been given the same branding.

reply
john_strinlai
1 hour ago
[-]
>These two things should not have both been given the same branding.

the confusion is purposeful, because it is easier to convince people that 1.0 is okay, which makes 2.0 appear like a version bump of the same thing.

reply
layer8
1 hour ago
[-]
“Chat Control”, along with the version numbers, is a naming invented by the opponents, not by the proponents.
reply
john_strinlai
1 hour ago
[-]
huh, i stand corrected. what a massive blunder in that case.
reply
inigyou
1 hour ago
[-]
and they should not have done that
reply
iLoveOncall
21 minutes ago
[-]
I think it's the contrary. People don't want Zuckerberg reading their private messages, and everyone in Eutope uses WhatsApp, which is advertised as E2E encrypted.

Therefore it makes Chat Control 2 a harder sell.

To be fair I think "<anything> Control" makes it pretty clesr it's nefarious. They missed the opportunity to call it "Chat Safety".

reply
Cider9986
1 hour ago
[-]
The name "Chat Control" is great because it implies a lockdown on free speech and the exact consequences that are going to happen to everyone.
reply
chronogamous
2 minutes ago
[-]
Not everyone. Politicians and all their communication are to be excluded, for they have decided it is obvious that we can trust them. It's just the rest of the world that is considered untrustworthy. This also absolves them from having to go through a trial period of having the software tested on themselves, so they will never have to know about any ridiculous false positives. Or worse: all the stuff they communicate which they never considered to be problematic - it would have been so nice if they had at least had such a trial run, for say, about one or two years, with anything that is being flagged open for anyone who wishes to see.

The problem with this software is at the very core of why any sane person should reject it; a company like Thorn has no incentive whatsoever to actually come up with something that would work properly, especially since the target demographic that is to be monitored, is European. No worries if some firmware update bricks a massive amount of devices. Good for business. And I bet the US Government would also prefer if they prioritized having the backdoors work properly for listening in, over having the software scan properly (taking all the cultural and linguistic differences across the continent into account) just so that it will be capable of actually flagging what it is (for now) meant to flag.

Having your entire infrastructure of digital devices augmented with surveillance software is a bad idea in itself, but it's sheer madness if you're having this done for the whole of Europe, by using an American software endlosung/solution that was pushed by a Hollywood-actor who was so genuine in his motivation to save the children... truly impressive show of tears for someone who had the chance to save a number of girls from his predatory co-star a long time ago, like, to save them for real, yet he chose not to intervene... Years later, he's with Thorn, but still what he knows best is acting, so instead of focussing on actual victims, he's acting as if he gives a toss about present day children, knowing full well he is selling a dodgy technology using horror-scenarios they actually invented themselves for this very purpose.

In subsequent years this has led to an actual increase in number and variety of perpetrators in the field of sexual abuse and/or trafficking of minors - where it was quite a niche field in crime before - niche and overall way more predictable, making it possible to prevent quite a bit of it, too. Thanks to the fearmongering and constant need for succesfull detection of victims (as it is the metric they've used for years to keep the people providing them with money and power excited about the project) it has become much more problematic. The efforts of groups like Thorn have so effectively spread these horrorstories by pushing them as 'news' using so many newsoutlets, that this in itself caused a whole new demographic of messed up people to act them out, making the horrors a reality.

All this should be enough for anyone to know that, if you're totally hellbent on having a thing like chat control implemented, doing so by choosing to stick with software sold by these people or anyone from their circles will be disastrous.

reply
AshamedCaptain
1 hour ago
[-]
I think the name is meaningless to the average layman, therefore useless. Something like "(private) chat police" would probably transmit what this is about but is not as catchy.
reply
SpicyLemonZest
52 minutes ago
[-]
I think that framing would be much more vulnerable to companies saying "no no, there's no human reading your chats, we just want to apply these fixed filters".
reply
inigyou
1 hour ago
[-]
That's suitable for Chat Control 2.0. Applying the same name to v1 just muddies the waters, probably intentionally..
reply
Cider9986
1 hour ago
[-]
Agreed.
reply
IshKebab
50 minutes ago
[-]
Yes but that's how all of these objectionable legislations are introduced - first it's voluntary, then they wait a bit and say "companies aren't doing it, we'll need to make it mandatory".

Easier to push through if the only thing they're changing is "may" to "must".

reply
PowerElectronix
2 hours ago
[-]
Tough week for euros. Cars that record your face while driving and now apps snooping on communications.
reply
artisinal
2 hours ago
[-]
Perhaps in the future cars will not only record your face but also listen in for hate speech. Most cars have SOS and GPS modules so calling the police if someone in the car shouts a slur is just connecting some code together.
reply
yubblegum
1 hour ago
[-]
Why do you think this is only going to be in Europe? This will be the global norm modulo some astroid hitting earth or civilizational crash.

The trajectory is crystal clear: access to information (AI), control over personal finance (CBDC), privacy of personal communications (handful of big tech MITM in everything), metered social interactions (today China, tomorrow the world over).

reply
logicchains
15 minutes ago
[-]
Fortunately the US has not only freedom of speech in the constitution but also tens of millions of armed civilians that place a hard limit on how much control the government can have over people's speech. The only reason the Chinese government can achieve such control over speech is because it can disappear anyone who speaks against it.

It doesn't even need guns; Nepalese youth managed to stop social media censorship there just by going to the political capital and threatening to beat the MPs to death.

reply
spwa4
1 hour ago
[-]
Until the sun grows in a final blaze of glory and burns all Qurans at the same time for 100 million years?
reply
ButlerianJihad
1 hour ago
[-]
You say that like it’s a bad fnord
reply
john_strinlai
1 hour ago
[-]
i am interested in hearing why you think it is not god awful
reply
RIMR
1 hour ago
[-]
I mean, I get that these things are typically matters of opinion, but if you value things like freedom and privacy, these things are objectively bad.
reply
greenleafone7
39 minutes ago
[-]
I think this should go one step further. If you don't praise the magnificence of your local EU politicians then your car's breaks will stop working and an electric shot will be administered to everyone presently in the car. That will satisfy EU-rocrats.

The coming revolution will be well deserved I think.

reply
Z0rp
2 hours ago
[-]
Car could also become judge and executioner. Swift justice is just one curve away
reply
ThrowawayTestr
2 hours ago
[-]
Drive you straight to prison
reply
artisinal
1 hour ago
[-]
It is cheaper for the government to just lock the car doors for the length of your sentence. Saves them space in prison. You are allowed to use the McDrive twice a day. The windows will drop 8 centimeters, enough for a Big Mac.
reply
morkalork
49 minutes ago
[-]
reply
sam_lowry_
19 minutes ago
[-]
This is called eCall, a fairly intrusive system built into even some motorcycles.
reply
specproc
14 minutes ago
[-]
Danger, danger. Cannabis detected in the vehicle.
reply
neongod
44 minutes ago
[-]
The car’s computer voice: John Spartan you are fined one credit for a violation of the verbal morality code!
reply
shevy-java
2 hours ago
[-]
Well, it is some kind of social control. People who conform, have more rights than those who reject fascism.
reply
ndriscoll
5 minutes ago
[-]
Didn't Biden's big infrastructure bill already mandate NHTSA to develop regulations to require driver monitoring sensors starting next year? Or was that provision cut or reverted?
reply
varispeed
1 hour ago
[-]
I wait for mandated methane sensor in everyone's anus.
reply
vrganj
1 hour ago
[-]
reply
mito88
2 hours ago
[-]
the children... :)
reply
Cider9986
2 hours ago
[-]
It's not particularly effective with school shootings in the USA.
reply
joshuat
1 hour ago
[-]
what about...
reply
remashedspood
1 hour ago
[-]
More guns?
reply
andrepd
1 hour ago
[-]
Cars sold for the past years already record and transmit all your movements and telemetry, I'm sad to say.
reply
honeycrispy
1 hour ago
[-]
Maybe they should pause on being such snobs towards American politics to take a long hard look at themselves.
reply
mito88
2 hours ago
[-]
test
reply
sscaryterry
1 hour ago
[-]
Honestly, it is mostly a reaction to how society has evolved, for the worse. Rock and hard place.

The worst thing I have to hide is knowledge about my intentions, none of which are bad/illegal/immoral.

Scan away, I'd rather try to protect my children, other children from unscrupulous characters.

reply
haywalk
1 hour ago
[-]
> The worst thing I have to hide is knowledge about my intentions, none of which are bad/illegal/immoral.

Correction: None of which are bad/illegal/immoral _right now_. The "I have nothing to hide" crowd will surely change their tune the moment any of their data starts to be used against them.

reply
sscaryterry
32 minutes ago
[-]
It is being used against me, but not my governments, by private enterprises :)
reply
63stack
16 minutes ago
[-]
Can anyone explain something? Since there are so many open source chat applications, what keeps anyone from "just" exchanging a key with someone else out of band, and then modifying the client so that it uses that key to encrypt all communication? I understand that this does not scale to big groups, but surely whoever is pushing this crap must have thought about this? Or is the idea that we will have completely locked down PCs as well ala android and ios so you can't run anything unapproved?
reply
peterlk
10 minutes ago
[-]
Nothing is stopping people from doing that. It’s just more inconvenient than other available options. If I were a politician trying to remove private communication, I would first pass something that allows scanning communications, then pass something that allows e2ee messages to be scanned, then make it illegal to use non-scannable e2ee messaging. People could still do it, but now they could be punished if they’re ever caught
reply
Nidhug
48 minutes ago
[-]
For my fellow EU citizens, you can contact your representatives here: https://fightchatcontrol.eu/
reply
red_admiral
13 minutes ago
[-]
What is the US legislation on this - I thought providers were already mandated to take action against distribution of CSAM, or is that only for public-facing posts?
reply
kubb
1 hour ago
[-]
When is it coming online? I have seen so many of these headlines that I feel it's always about to kick in, but I never get any closure.
reply
ggirelli
44 minutes ago
[-]
Had expired in April. This is a tentative of bringing it back up even though it expired after a number of previous extensions.
reply
watwut
1 hour ago
[-]
This was online already. It is existing law that is being extended rather then expired.
reply
SiempreViernes
1 hour ago
[-]
Somewhat unsurprisingly too, since the negotiations about a more comprehensive CSAM legislation (the one that now doesn't contain chat control 2.0) isn't done yet.
reply
spwa4
1 hour ago
[-]
CSAM? You mean the system the Belgian state uses to identify children online?

(not even joking https://www.csam.be/en/index.html )

Fantastic quotes for services the Belgian government offers:

"Make your life easier with CSAM"

"CSAM ensures that everyone follows the same rules"

"If you are interested in a service CSAM has to offer, please go straight to our Contact page"

reply
kubb
1 hour ago
[-]
Hmm, so… what happened while it was online? Any scandals?
reply
spwa4
1 hour ago
[-]
2 August 2021.

It already was in force, and EU states are presumably using it right now despite that being illegal. Only to protect the children, of course.

reply
mattrighetti
58 minutes ago
[-]
Give it time. I’ll see you in 5 years
reply
bellowsgulch
21 minutes ago
[-]
lol, say someone publishes an E2E distributed extension to an existing chat protocol.

Are you going to arrest someone for writing code? Are you going to arrest people who use private communications? Sounds like a legislator carve out hot and ready to happen.

I get the point, ban E2E, OK sure, but what if some software is designed in such a way that the company doesn't provide it, but it just happens to be compatible with the protocol extension? Are you going to arrest the authors if they don't explicitly ban it?

Yeah, right.

reply
pton_xd
1 hour ago
[-]
I don't understand the EU's position on privacy. On the one hand, they enacted GDPR to give you control over access to your personal data.

On the other, they need access to all of your data.

reply
joe463369
1 hour ago
[-]
The unquestioned view in certain circles - including here - is that when the EU/UK does something that chips away at people's online privacy, there's un ulterior motive.

It's entirely possible that politicians just want to do something about CSAM and young people having their mind twisted by social media. The electorate do seem to be keen on some sort of action.

reply
budududuroiu
17 minutes ago
[-]
Other governments across the Channel also want to protect children online, while at the same time dismissing thousands of reports of grooming, for fear of being labelled "racist".
reply
vlian2088
38 minutes ago
[-]
>It's entirely possible that politicians just want to do something about CSAM

except that honest-to-God child rapists get extremely lenient sentences in Western Europe and rarely (if ever) get deported afterwards.

reply
munk-a
1 hour ago
[-]
The EU's position on privacy seems pretty consistent to me - they're against your data being monetized by private entities but not against building governmental tools to monitor private entities.

In good faith this could be summarized as "Personal data should be used for public safety but not for profit" - but that philosophy is definitely a strong contrast with the basic American philosophy towards civil liberties.

reply
watwut
1 hour ago
[-]
> basic American philosophy towards civil liberties.

Errrr, america does not look like country that cares about that. It does care about liberties of rich companies tho.

reply
inigyou
1 hour ago
[-]
Exactly, that is the American philosophy being referenced.
reply
Puts
36 minutes ago
[-]
The thing is that according to the Universal Declaration of Human Rights privacy and the right to private communication is a basic human right. And GDPR was literally enacted to enforce this human right.

Now one basic principle of democracy is that supreme courts are superior to the people in power. Someone needs to watch the lawmakers so to say. Because it could actually be that the European commission enacts laws that are illegal. And Chat Control 2.0 could actually be illegal because it violates the Universal Declaration of Human Rights. However, somebody has to take them to The Court of Justice of the European Union to test it.

reply
ggirelli
1 hour ago
[-]
Not "access to ALL of your data". Also, as confusing as it might be, it is in the nature of EU (at least IMHO) to not have a clear position over multiple legislatures.
reply
varispeed
53 minutes ago
[-]
This is a wedge.
reply
arjie
48 minutes ago
[-]
It seems fairly consistent, doesn't it? CC 2.0 is that the government must be able to access things, and GDPR has a legal basis exemption that is defacto used every time by government entities. The general idea is that private parties cannot consent to things to each other but that residents of a place consent to being governed by the government. e.g. you can't consent to having someone jail you; but you also can't opt out of jail by the government.

Personally, the politics of Europe is really not for me, but I can see why others might find it attractive. In the end, history will show us which path is adaptive.

reply
inigyou
1 hour ago
[-]
The one that passed doesn't give them access to anything. It is different from the scary one.
reply
mhitza
1 hour ago
[-]
Maybe big tech weren't good a lobbying bureaucrats against GDPR but got better at lobbying in the EU for this. There's also been a slight shift towards authoritarianism in the last decade, which naturally love the possibilities of stricter communication control.

Children protection and russian propaganda are the tried and tested covers at enforcing age verification, message scanning, and probably any future pan-european surveillance network.

reply
coldtea
1 hour ago
[-]
There's no position on privacy. They make whatever laws the corporate laws and elites like, and that furthers their own bureucratic reach. GDPR is a good way to create a "compliance moat" against smaller players, and to give the EU bureucrats more power.
reply
bossyTeacher
1 hour ago
[-]
It is simple. GDPR is aimed at private entities misusing your data. Keyword private.
reply
spwa4
1 hour ago
[-]
Not even that. The government outsources a lot of their functions, so a LOT of organizations have access to extremely private data, where necessary.

For example, Palantir gets access to "large and diverse (government) databases with Dutch citizens’ data for analysis" (including mental health treatment data) under the GPDR to help police in the Netherlands do terror investigations (from 2012 to 2019). I'm sure you can appreciate the wisdom and privacy-enhancement in that just as much as me!

There are large lists of private organizations that get access to government data about citizens ... every country has multiple (public and secret ones).

Oh, they also "failed to mention" this to parliament, and this was only discovered after a journalist got a tipoff and requested financial data about the deal ... for about 5 years. Of course, there was never even the slightest investigation into this.

https://nltimes.nl/2025/08/22/dutch-police-also-use-controve...

(paywalled) https://www.volkskrant.nl/tech/ook-nederlandse-politie-gebru...

reply
JoshTriplett
1 hour ago
[-]
I think the position can best be approximated as "companies should not be able to do this, but you should trust your government to do this to you". (That's a bad position that needs to be defeated every time it arises, but it's a consistent position.)
reply
sscaryterry
1 hour ago
[-]
Given the choice of trust between, lets say Amazon/Meta/Google and the EU (or some European government), 9 times out of 10, the EU is the lesser evil.
reply
Cider9986
1 hour ago
[-]
You don't have to use Amazon/Meta/Google. You have to use the government.

Let's not forget that these are the people and laws that are supposed to represent and help you, not the other way around. While private companies have no such obligation.

reply
sscaryterry
1 hour ago
[-]
Amazon/Meta/Google is sometimes required, nobody in the real world can get away from that.

> supposed to represent and help you, not the other way around. While private companies have no such obligation.

Exactly my point.

reply
vrganj
1 hour ago
[-]
I've moved countries 5 times in my life. I still haven't been able to fully degoogle.
reply
liveoneggs
1 hour ago
[-]
For now none of Amazon, Meta, or Google can jail you or legally do violence on you, separate you from your family, etc. Your sense of threat is extremely miscalibrated.
reply
sscaryterry
1 hour ago
[-]
Not really. I know what you are playing at. The probability of the government being vindictive towards a single family, whilst not truly zero, is for almost all practical purposes zero.

The probability of a (my or your) child enduring harmful content, perpetuated and enabled by Meta/Google (in particular) is almost a certainty.

reply
JoshTriplett
1 hour ago
[-]
We are not required to pick amongst evils. We could, in fact, say private chats are private and end to end encryption is sacrosanct.
reply
sscaryterry
1 hour ago
[-]
If you are purist and you don't live in the real world with real evils. I don't want pedophiles to have privacy.
reply
john_strinlai
1 hour ago
[-]
>I don't want pedophiles to have privacy.

that is why police already have access to mechanisms to remove privacy from people suspected of being a pedophile.

reply
sscaryterry
1 hour ago
[-]
The existing mechanisms are inadequate or not fit for 2026. Hence this discussion.

You are agreeing with me :)

reply
john_strinlai
1 hour ago
[-]
>You are agreeing with me :)

i am absolutely not :)

you want to provide unfettered warrantless access to all of your communications. ive been fighting against that sort of thing for approaching 40 years now.

reply
sscaryterry
29 minutes ago
[-]
> have access to mechanisms to remove privacy from people suspected of being a pedophile

I don't understand that part then. You can't break open E2EE by willing it open.

Right now, if I wanted a new account, I walk into any supermarket, spend a quid, and I've got a burner, with WhatsApp.

reply
john_strinlai
26 minutes ago
[-]
>I don't understand that part then. You can't break open E2EE by willing it open.

the mechanism to remove privacy from suspects is typically called a warrant.

(end-to-end encryption does not matter if you possess one of the ends)

reply
BoingBoomTschak
27 minutes ago
[-]
After Epstein, Hollywood and decades earlier Dutroux, you'd think people like you would have wizened.

For fuck's sake, my country's entire media/intellectual class protected an avowed and even boasting pedophile during his entire life! https://en.wikipedia.org/wiki/Gabriel_Matzneff

reply
john_strinlai
1 hour ago
[-]
what a crazy turning of the tides to see this comment in the gray.

i suppose the times have changed from when most people on the internet were cypherphunk. now it's common to see people say "i have nothing to hide, please scan all of my communications", unironically invoking "please think of the children".

reply
mctwo
1 hour ago
[-]
Each passing day we are moving closer to a dystopian state and nobody is doing anything.
reply
layer8
1 hour ago
[-]
People are doing something (e.g. [0][1][2]). That’s why Chat Control 2.0 hasn’t passed and is unlikely to pass in the foreseeable future.

[0] https://www.patrick-breyer.de/en/posts/chat-control/

[1] https://edri.org/our-work/european-commission-must-uphold-pr...

[2] https://freiheitsrechte.org/en/themen/freiheit-im-digitalen-...

reply
shevy-java
2 hours ago
[-]
Slaves also have no right to privacy. This EU variant is doomed to failure.
reply
ChrisArchitect
3 hours ago
[-]
reply
Cider9986
2 hours ago
[-]
I feel like this one should not be removed because people want to continue discussing and that's easier on a newer thread.
reply
ChrisArchitect
1 hour ago
[-]
Easier? You mean easier to duplicate? No need to split up the discussion. There's the link, welcome to continue discussing over there, instead of pushing the news back in front of the rest of those who may not have missed it.
reply
sndgndgndgndy
15 minutes ago
[-]
Stop trying to shut down discussions that you don't like.
reply
vaylian
2 hours ago
[-]
Different news source. But same topic.
reply
ChrisArchitect
2 hours ago
[-]
Welcome to share the url over there. Duplicate discussion.
reply