- Over 500 cryptography scientists and researchers have signed a joint letter against the EU’s controversial child sexual abuse (CSAM) scanning proposal
- Experts warn that the Danish version of the text still fails to address concerns around encryption, indiscriminate surveillance, and accuracy
- EU Council members must share their final positions on the so-called Chat Control bill on September 12
Over 500 cryptography scientists and researchers have signed a joint open letter to share their concerns about the EU’s controversial child sexual abuse (CSAM) scanning proposal. For the third time since 2022.
Deemed by its critics as Chat Control, the bill seeks to introduce new obligations for all messaging services operating in Europe to scan users’ chats, even when they’re encrypted, in the lookout for CSAM material.
EU Council members are set to share their final positions on the Danish version of the proposal on Friday, September 12, with adoption expected as early as October 2025 if an agreement is found.
While including some improvements from previous versions, experts believe that the latest iteration of the text still fails to address concerns around encryption, indiscriminate surveillance, and the accuracy of detection.
“I think a lot of the changes that happened are just smoke and mirrors,” Bart Preenel, the Belgian cryptographer and professor at Leuven University behind the open letter, told TechRadar.
Below are the main contentious points highlighted by the experts in the open letter.
The Danish Chat Control version still breaks encryption
The risk of breaking encryption has been the main objection against the proposal since the beginning.
Encryption is responsible for keeping our communications private and secure. The likes of WhatsApp, Signal, ProtonMail, and the best VPN apps use end-to-end encryption (E2E) to scramble the content of users’ messages into an unreadable form and prevent unauthorized access.
If the Danish Chat Control text passes, all the multimedia files and URLs you sent via WhatsApp and similar services would have to be mandatorily scanned for CSAM materials.
Crucially, the proposal demands that the CSAM detection technology must not lead to a weakening of the protection provided by encryption. Yet, according to experts, this cannot happen without undermining E2E protections, as any detection technology inevitably “introduces a single point of failure” into encrypted communications.
Furthermore, “the new proposal does not address our concerns regarding the potential for function creep of on-device detection,” wrote experts.
Accuracy keeps being a problem – and AI cannot help
Another big concern for experts surrounds the lack of accuracy of detection tech – something that could de facto fail the goal of increasing the effectiveness of law enforcement investigations.
“Existing research confirms that state-of-the-art detectors would yield unacceptably high false positive and false negative rates, making them unsuitable for large-scale detection campaigns at the scale of hundreds of millions of users as required by the proposed regulation,” reads the open letter.
Experts also suggest that AI-based technologies cannot be the solution, either, considering the “enormous attack surface” they have. “We expect these technologies to be highly ineffective in the case of CSAM detection,” they conclude.
What’s next?
On Friday, September 12, EU members are expected to share their positions in the Council.
Did you know?
A source with knowledge of the matter told TechRadar that Germany, a decisive country to either block or back the bill, may be considering abstaining from taking a position. Germany is among the members still undecided at the time of writing, alongside Estonia, Greece, Luxembourg, Romania, and Slovenia.
Despite the list of countries opposing the law growing, support for Chat Control remains strong, with 15 countries supporting the proposal against six opposing and six still undecided, according to the latest data.
Whether 500 signatories are enough to turn the undecided members in the opposition ranks is too early to know. What’s certain, however, is that Chat Control is far from being the only proposed regulation that could endanger encrypted communications as we know them.
Commenting on this point, Preenel told TechRadar: “There is enormous pressure to get access to encrypted data: it’s not only the CSAM case, there is also the ProtectEU document. That’s the real debate, and I think that CSAM is used as an excuse to open the door.
“I do think, however, that law enforcement should get more power to investigate if providers don’t take the right measures. They could be allowed, in my view, to do infiltrations and fight these groups with targeted investigations, if there’s real suspicion. What I think is not acceptable, though, is breaking encryption for everybody.”
Add Comment