EU: Revised chat control accepted with 'optional' scanning included

Norman

See the official press release: https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/child-sexual-abuse-council-reaches-position-on-law-protecting-children-from-online-abuse/

EU member states have reached a majority in pushing through a revised version of Chat Control with mandatory scanning excluded, but this new bill seems to pretty much push through the same concept as in previous iterations. It still has to go through European Parliament, but from what I can see there is almost no way this isn't going to happen.

The conditionality for 'optional' scanning also seems doubtful, since the state can just deem chat apps as high-risk for CSAM at which point they are practically enforced to introduce client-side scanning.

All in all this seems like a privacy and security nightmare.

What are the possible implications for EU-citizens when it comes to this? Are we still going to be able to use services like Signal without client-side scanning? How is grapheneOS affected? Will client-side scanning functionality be introduced through AOSP because of this?

fernlike

At the present it should not affect Signal, Graphene, or any other properly encrypted service or system.

CHAPTER I, GENERAL PROVISIONS, Article 1, Subject matter and scope, page 35:

This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise
undermine cybersecurity measures, in particular encryption, including end-to-end
encryption, implemented by the relevant information society services or by the users.
This Regulation shall not create any obligation that would require a provider of hosting
services or a provider of interpersonal communications services to decrypt data or
create access to end-to-end encrypted data, or that would prevent providers from
offering end-to-end encrypted services.

Norman Will client-side scanning functionality be introduced through AOSP because of this?

If it would, I have full confidence it would be completely removed by the devs. But I don't see that this applies to AOSP (nor Graphene) since it's not in any way an "information society services", which is what this regulation is aimed at.

Article 1, Subject matter and scope, page 34:

This Regulation lays down uniform rules to prevent and combat ~~address~~ in a targeted,
carefully balanced and proportionate manner the ~~mis~~use of relevant information society
services for online child sexual abuse in the internal market.

Article 2, Definitions, page 36:

For the purpose of this Regulation, the following definitions apply:

(a) ‘hosting service’ means an information society service as defined in Article 23(g),
point (iii) ~~point (f), third indent~~, of Regulation (EU) 2022/2065 …/… [on a Single Market
For Digital Services (Digital Services Act) and amending Directive 2000/31/EC];

(b) ‘interpersonal communications service’ means a publicly available service as defined in
Article 2, point (5), of Directive (EU) 2018/1972, including services which enable direct
interpersonal and interactive exchange of information merely as a minor ancillary feature
that is intrinsically linked to another service;

(ba) ‘number-independent interpersonal communications service’ means a publicly
available service as defined in Article 2, point (7), of Directive (EU) 2018/1972;

(c) ‘software application’ means a digital product or service as defined in Article 2, point (15)
13, of Regulation (EU) 2022/1925 …/… [on contestable and fair markets in the digital
sector (Digital Markets Act)];

(d) ‘software application store’ means a service as defined in Article 2, point (14) 12, of
Regulation (EU) 2022/1925 …/… [on contestable and fair markets in the digital sector
(Digital Markets Act)];

(e) ‘internet access service’ means a service as defined in Article 2(2), point 2, of Regulation
(EU) 2015/2120 of the European Parliament and of the Council18;

(f) ‘relevant information society services’ means all of the following services:
(i) a hosting service;
(ii) an interpersonal communications service;
(iii) a software applications store;
(iv) an internet access service;
(v) online search engines.

EDIT: Although, the App Store (f,iii, a software applications store) might potentially be subject to the regulation, but I do not know what that would entail. Need to read more.

ryrona

Norman What are the possible implications for EU-citizens when it comes to this? Are we still going to be able to use services like Signal without client-side scanning?

fernlike "This Regulation shall not create any obligation that would require a provider of hosting
services or a provider of interpersonal communications services to decrypt data or
create access to end-to-end encrypted data, or that would prevent providers from
offering end-to-end encrypted services."

This is a very strong statement, and it looks like it is clarified further from the first draft of the new compromise solution. It says no other part of the regulation must be interpreted in such a way as to force a service provider to backdoor or not offer end-to-end encryption. To be clear, not even the strong obligations on service providers to do risk assessments and implement all reasonable measures to prevent child sexual abuse online can override this. Service providers are still allowed to offer secure end-to-end encryption, and can not be penalized for that. This was the compromise.

Service providers might still have legal responsibility to implement other features now, such as better ability for you as the user to decide who can initiate chats with you, and an actual effective and easy-to-use reporting system where the encryption keys to the reported messages or chat are attached with the report. But these are features that are beneficial for everyone anyway, and where you as the user is empowered rather than the opposite.

I do worry that this accepted version of the regulation still permits or maybe encourages age verification and the disallowing of minors from using the platform to prevent abuse. Since laws against age discrimination rarely override laws that mandates age discrimination, this might still effectively negatively affect the rights of minors, and lead to age verification becoming more common place also among end-to-end encrypted chat apps that require account signups.

Norman From what I'm understanding, Signal could be affected if it is deemed as a 'high-risk' service in the context of this bill.

Yes.

Norman That would require them to perform client-side scanning no?

No. They will still be allowed to offer their service in the European Union, with the same secure end-to-end encryption as they have today.

This accepted compromise version of the regulation clearly says that the regulation must not be interpreted in a way where service provider would have to weaken the encryption or stop to offer it. They are legally required to take other kinds of actions against child sexual abuse if deemed high-risk.

Norman Of course they're not going to agree to this so I wonder what happens then.

They can still offer their service in the European Union.

If things would had gone another way, and an earlier revision of the text would have been accepted, Signal would probably have withdrawn their service from EU, refusing registration of EU phone numbers and banning all existing accounts, rather than complying. Matrix on the other hand would have complied, they have been clear about that.

Norman How is grapheneOS affected?

Not at all. Actually, even if the worst revision of the text would have been accepted, GrapheneOS would not be affected at all, as the text was never about operating systems or software, but about service providers, such as providers of messaging apps. GrapheneOS does not include any end-to-end encryption at all.

Eirikr70

As far as I understand, it is not chat control as was initially planned. It gives the responsibility of preventing CSAM to be disseminated, to the online service provider (OSP). Which means that in this first step, the OSP should come with a mitigation measure.
I must admit that I can see no non-privacy-intruding measure they could come with, but it is not a technical measure imposed by the EU. So we'll see what WhatsApp or Signal come with.

Norman

fernlike From what I'm understanding, Signal could be affected if it is deemed as a 'high-risk' service in the context of this bill. That would require them to perform client-side scanning no? Of course they're not going to agree to this so I wonder what happens then.

fernlike

fernlike EDIT: Although, the App Store (f,iii, a software applications store) might potentially be subject to the regulation, but I do not know what that would entail. Need to read more.

As far as I can see, the only relevant part in the App Store would be the Messaging app. But that is number-based (which is defined separately from (5) interpersonal communications service) and unencrypted, so presumably any obligation to scan for CSAM would lie with the mobile phone operator.

(Bold emphasis mine.)

(b) ‘interpersonal communications service’ means a publicly available service as defined in
Article 2, point (5), of Directive (EU) 2018/1972, including services which enable direct
interpersonal and interactive exchange of information merely as a minor ancillary feature
that is intrinsically linked to another service;

DIRECTIVE (EU) 2018/1972, PART I, FRAMEWORK (GENERAL RULES FOR THE ORGANISATION OF THE SECTOR), TITLE I, SCOPE, AIM AND OBJECTIVES, DEFINITIONS, CHAPTER I, Subject matter, aim and definitions, Article 2, Definitions:

(5) ‘interpersonal communications service’ means a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service;

(6) ‘number-based interpersonal communications service’ means an interpersonal communications service which connects with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which enables communication with a number or numbers in national or international numbering plans;

fernlike

Norman No that would make end-to-end encryption impossible which point 5 prohibits.

This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise
undermine cybersecurity measures, in particular encryption, including end-to-end
encryption, implemented by the relevant information society services or by the users.
This Regulation shall not create any obligation that would require a provider of hosting
services or a provider of interpersonal communications services to decrypt data or
create access to end-to-end encrypted data, or that would prevent providers from
offering end-to-end encrypted services.

But should Signal be forced to leave the EU (as they've long since stated they will), we might have to start using VPNs, proxies, etc, to circumvent any blocks. But I think that depends on what requirements there are to block interpersonal communications services that don't comply. I will have to read more on that.

MetropleX

Please direct further discussion to this existing thread:

https://discuss.grapheneos.org/d/24743-eu-revives-chat-control-ways-to-navigate-it-if-this-happens/138

Thankyou