ChatControl: EU wants to scan all private messages, even in encrypted apps (metalhearf.fr)

The EU is advancing the Child Sexual Abuse Regulation (CSAR), dubbed "ChatControl," which would require all interpersonal communication providers — from Signal, WhatsApp and Telegram to email, dating apps, gaming chats, file hosts and small community services — to perform mandatory client-side scanning of private messages and images, even on end-to-end encrypted apps. The system would run three automated checks on device before transmission: hash-matching against known CSAM, AI-based image analysis to flag unknown potentially abusive content, and NLP-based detection of grooming patterns, with flagged material automatically reported to a centralized EU Centre on Child Sexual Abuse. Providers would also face risk-assessment, mandatory age-verification demands and expanded data-collection obligations. Technically and politically this is seismic: it bypasses E2EE by inserting surveillance at the sender’s device, creating systemic privacy and security risks (cryptographers warn it’s “technically unfeasible” and dangerous). High false-positive rates — studies and Irish police data suggest only ~20% of automated reports contain illegal material — would flood law enforcement and harm innocent users. The proposal also invites new attack surfaces and central points of failure, and can be evaded relatively easily (pre-encrypting files, sharing external links, steganography, custom clients or decentralized platforms). While framed as child protection, ChatControl sets a precedent for mass, mandatory on-device surveillance and is likely to reshape encryption, platform design and digital civil liberties across and beyond Europe.