The European Union Council has once again retreated from its controversial Chat Control proposal, a plan that would have required widespread scanning of encrypted messages. The withdrawal by the current Danish presidency represents yet another chapter in a long-running battle between privacy advocates and lawmakers who believe they can compromise encryption in the name of public safety. While this latest defeat is a victory for digital rights, the fight is far from over, and the fundamental misunderstanding of encryption technology continues to plague policy discussions across Europe.

[Figure: an end-to-end encrypted message passing between User A and User B. Communication is secure and scanning is blocked.]

A zombie proposal that refuses to die

Since its introduction in 2022, Chat Control has become what privacy advocates call a zombie proposal, repeatedly resurrected despite consistent opposition from civil society, technical experts, and the public. The Electronic Frontier Foundation and more than 80 civil society organizations have strongly opposed the legislation, which would mandate client-side scanning of encrypted communications under the guise of combating child sexual abuse material.

The pattern has become predictable. EU lawmakers introduce the proposal, claiming it includes safeguards for privacy. Technical experts explain why those safeguards are illusory. Public pressure mounts. The proposal is withdrawn or modified. Then, after a brief hiatus, it returns with minor tweaks, and the cycle begins anew. This latest withdrawal by the Danish presidency follows the same script, but the underlying issues remain unresolved.

What makes this particularly frustrating is that the fundamental problem with Chat Control has never been addressed. The proposal seeks to create what privacy experts call a “backdoor” into encryption, allowing authorities to scan messages before they’re encrypted or after they’re decrypted. Proponents argue this preserves encryption while enabling content moderation, but this reveals a dangerous misunderstanding of how encryption actually works. Creating any mechanism to access encrypted content inherently weakens the entire system, making it vulnerable not just to authorized access but to malicious actors as well.

The technical impossibility of “safe” scanning

The core issue with Chat Control and similar proposals lies in a fundamental misunderstanding of encryption technology. End-to-end encryption works because only the sender and recipient possess the keys to decrypt messages. No third party, whether a government agency or a tech company, can read the contents. This is not a design choice but a mathematical certainty that ensures the security of billions of communications daily.

Client-side scanning, the technical approach favored by Chat Control advocates, attempts to circumvent this limitation by analyzing messages on users’ devices before encryption or after decryption. While this might sound like a clever workaround, it fundamentally breaks the security model of encryption. If a device can scan and report on message content, so can malware, hackers, or authoritarian governments who might compel tech companies to expand the scope of scanning.

Security researchers have repeatedly demonstrated that there is no way to create a scanning system that only works for “good guys.” Apple learned this lesson the hard way in 2021 when it proposed a similar system for detecting child abuse imagery in iCloud photos. The backlash from security experts was swift and devastating, forcing the company to abandon the plan. The same security vulnerabilities that would enable Chat Control would inevitably be exploited by malicious actors, putting everyone at greater risk.

[Figure: "Client-Side Scanning: The Security Risk". A secure encrypted device (messages encrypted, privacy protected, no backdoors, user control) compared with a device with scanning under Chat Control (scanning enabled, privacy compromised, backdoor exists, vulnerable to abuse).]

Moreover, the scope creep inherent in surveillance technologies is well documented. A system initially designed to detect illegal content could easily be expanded to monitor political dissent, religious expression, or any other communication governments deem problematic. Countries around the world are watching the EU’s actions closely. If Chat Control were to pass, it would set a dangerous precedent that authoritarian regimes would eagerly exploit, claiming they’re simply following Europe’s lead in implementing “reasonable” content moderation.
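The model below is an added example, not code from this article or from any real messenger. It shows the two points made above: a scanning hook that runs before encryption reads plaintext even though the relay only ever sees ciphertext, and widening what gets reported takes nothing more than a longer list. The `Scanner` class, the digest lists and the toy HMAC-based cipher are assumptions for illustration; exact SHA-256 matching stands in for the perceptual hashing or classifiers a real scanner would use.

```python
import hashlib, hmac, secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream); a stand-in for a real AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Scanner:
    """Hypothetical on-device scanner matching plaintext digests against an opaque list."""
    def __init__(self, digest_list):
        self.digest_list = set(digest_list)  # pushed by the list operator, unreadable to the user
        self.reports = []                    # plaintext that leaves the device

    def inspect(self, sender, plaintext):
        if hashlib.sha256(plaintext).digest() in self.digest_list:
            self.reports.append((sender, plaintext))

def send(sender, plaintext, key, scanner=None):
    if scanner is not None:
        scanner.inspect(sender, plaintext)   # hook runs on plaintext, before encryption
    nonce = secrets.token_bytes(12)
    return nonce, xor_stream(key, nonce, plaintext)

def receive(key, packet):
    nonce, ciphertext = packet
    return xor_stream(key, nonce, ciphertext)

# Constructed sample messages; neither is real data.
MSG_TARGET = b"constructed sample: file on the original list"
MSG_OTHER = b"constructed sample: meet at the protest at noon"

def run(digest_list):
    """Send both messages; return what the relay, the recipient and the list operator see."""
    key = secrets.token_bytes(32)            # known only to the two endpoints
    scanner = None if digest_list is None else Scanner(digest_list)
    msgs = [MSG_TARGET, MSG_OTHER]
    packets = [send("alice", m, key, scanner) for m in msgs]
    return {
        "relay_blind": all(ct != m for (_, ct), m in zip(packets, msgs)),
        "delivered": [receive(key, p) for p in packets] == msgs,
        "reported": [] if scanner is None else [p for _, p in scanner.reports],
    }

LIST_V1 = [hashlib.sha256(MSG_TARGET).digest()]
LIST_V2 = LIST_V1 + [hashlib.sha256(MSG_OTHER).digest()]  # same code, one more digest

if __name__ == "__main__":
    for name, lst in (("no scanner", None), ("list v1", LIST_V1), ("list v2", LIST_V2)):
        print(name, run(lst))
```

In all three runs the relay sees only ciphertext and the recipient decrypts both messages correctly; the only thing that changes is which plaintexts reach the list operator, and that is decided entirely by a list the user cannot inspect.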

Public pressure and the power of resistance

The withdrawal of Chat Control demonstrates the critical importance of sustained public engagement in technology policy. Unlike previous instances where technical proposals sailed through legislative processes with little public awareness, this fight has been characterized by unprecedented mobilization from civil society organizations, technology companies, security researchers, and ordinary citizens concerned about their digital rights.

Organizations like the Electronic Frontier Foundation, European Digital Rights, and numerous national privacy advocacy groups have played a crucial role in educating the public about the risks of Chat Control. Their efforts have included detailed technical explanations, legal analysis, and coordination of opposition campaigns that have reached millions of Europeans. This groundswell of opposition has made it politically toxic for lawmakers to support the proposal, at least in its current form.

The effectiveness of this resistance offers important lessons for future policy battles. First, technical expertise matters. When security researchers speak with a unified voice about the impossibility of safe backdoors, it becomes harder for politicians to dismiss concerns as alarmist. Second, coalition-building across different sectors strengthens opposition. When civil liberties groups, tech companies, and individual users all oppose a policy, it suggests the problems are real and widespread. Third, sustained pressure is essential because, as Chat Control demonstrates, bad proposals rarely die on the first attempt.

However, this victory should be tempered with realism. The forces pushing for Chat Control have not given up, and the underlying political dynamics that gave rise to the proposal remain unchanged. Politicians face genuine pressure to be seen as “doing something” about online harms, particularly regarding child safety. Until alternative approaches that don’t compromise encryption gain political traction, proposals like Chat Control will continue to resurface.

The path forward requires education and alternatives

The repeated resurrection of Chat Control points to a deeper problem in how technology policy is made. Many lawmakers genuinely believe they can have both strong encryption and government access to encrypted content. This belief persists despite unanimous opposition from the cryptographic community because the political incentives favor appearing tough on crime over understanding complex technical realities.

Breaking this cycle requires a fundamental shift in how we approach online safety. Rather than seeking technological magic bullets that promise security without trade-offs, policymakers need to invest in solutions that actually work. This includes better funding for law enforcement training and tools that don’t require breaking encryption, improved international cooperation on criminal investigations, and addressing the root causes of online exploitation through social programs and education.

Technology companies also bear responsibility for developing and promoting genuinely privacy-preserving safety features. End-to-end encrypted platforms can implement abuse prevention measures that don’t involve content scanning, such as metadata analysis, user reporting systems, and account-level restrictions for suspicious behavior. While these approaches may be less comprehensive than mass surveillance, they achieve meaningful safety improvements without the catastrophic privacy trade-offs of backdoors.

Looking ahead, the privacy community cannot simply celebrate the withdrawal of Chat Control and move on. The next presidency of the EU Council will bring new opportunities for the proposal to resurface in yet another modified form. Sustained vigilance, continued public education, and proactive development of alternative safety measures will be essential. The fight to protect encryption is not a single battle but an ongoing campaign that requires long-term commitment from everyone who values digital privacy and security.

The withdrawal of Chat Control is a victory, but it’s a temporary one. The fundamental challenge remains: convincing policymakers that some trade-offs are not worth making, and that breaking encryption to combat illegal content creates far more problems than it solves. Until that message truly sinks in, the zombie proposal will keep rising from the grave, and the privacy community must remain ready to defeat it again and again.