Chat Control proposal appears to disregard the right to privacy

Like having the state read your letters before you seal the envelope is how one US-based commentator describes the upshot of the Chat Control legislation coming up for a vote at the European Parliament. The European Commission, as well as the Danish presidency of the European Council, are pushing hard for the legislation, which critics warn is fraught with dangers – online mass surveillance and the effective death of digital privacy.

What is it? Under the front of combating child pornography, the EU proposes to impel every messaging platform – WhatsApp, iMessage, Messenger, Instagram, Telegram, Signal, Gmail and all communication apps – to implement government-mandated scanning technology that will analyse every private communication with artificial intelligence (AI) and report suspicious content to authorities.

The pitfalls are virtually innumerable: sexting between teenagers could be flagged as suspicious, with the police coming knocking at the door; parents getting into trouble for sharing photos of babies; and so on. AI, say experts, can’t distinguish context or intent.

Last week, writing in the Cyprus Mail, lawyer Andreas Shialaros warned of the risks of Chat Control – or more formally, the ‘Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse’.

Cyprus MEP Giorgos Georgiou (Akel, Left Group) told us that during preparation of the European Commission’s proposal at the relevant committee of the European Parliament, the Left Group opposed the proposal because the European Parliament’s text removed the group’s biggest concerns – namely about “the violation of our fundamental right to privacy and the need for strong encryption as a digital security barrier against cybercriminals, authoritarian regimes and foreign interventions”.

Georgiou said that currently the issue is blocked in the Council due to the lack of a majority.

“Our goal is to protect children effectively with targeted, evidence-based solutions, which will minimise issues of violations of privacy. This is also the proposal of child protection organisations and technical experts,” he said.

“The days preceding the Plenary are usually days of in-depth appraisal. We will discuss the issue in our Group, we will consult with other political groups and we will reach the most advantageous decision for children.”

Loucas Fourlas (Disy, Group of the European People’s Party) alluded to the need to strike a balance between child protection and safeguarding privacy.

A balance is needed between child protection and safeguarding privacy

“From what I observe among colleagues, a majority in [the European] Parliament are not in favour of measures that would mean blanket surveillance or controlling private communications,” Fourlas said.

The MEP said he has personally received many messages and concerns from people who fear that Chat Control could lead to the weakening of end-to-end encryption and the erosion of personal privacy.

“As the head of the EPP Cyprus Delegation, and as a former journalist who always supports the freedom of expression, I deeply value these voices and will give them my utmost consideration.

“We will be very careful in our approach to ensure the protection of people’s private communications. At the same time, we cannot ignore the need for a safer digital environment for children. The challenge is to find solutions that genuinely protect minors without sacrificing the privacy rights of everyone else. That balance is what Parliament is working towards.”

But the clock is ticking. And those worried about online privacy are becoming increasingly vocal.

A recent piece in news aggregator site Zerohedge had this to say: “Through [client-side scanning], content is analysed on a user’s device before encryption. What this means, for the less tech-savvy reader, is opening a permanent backdoor that bypasses the privacy guarantees of secure communication.

“This would be like having the state read your letters before you seal the envelope, and would subject every EU citizen’s private messages to automated scrutiny. East German readers may find such Stasiesque instruments familiar; most wouldn’t want them making a grand comeback, either in Germany or elsewhere.”

Speaking of Germany, its 96 MEPs could well tip the vote in the European Parliament. Right now the German government is ‘undecided’.

Germany is one of eight EU member states sitting on the fence. Four – Austria, the Netherlands, the Czech Republic and Poland – have stated their opposition to Chat Control.

And 15 states – including Cyprus – support it.

Europol officials have floated the idea of using a proposed EU Centre to scan for more than just CSAM

That said, the respective positions of individual EU governments are but a proxy tally for the upcoming ballot.

The proposed legislation needs support from 55 per cent of member states representing 65 per cent of the total EU population to pass.

But Shialaros again raised doubts over the proposed legislation really being about protecting children.

It’s becoming increasingly difficult to dismiss Chat Control as merely child protection legislation when we examine the global pattern emerging simultaneously across democratic nations,” he told the Cyprus Mail.

He tracks a pattern – which others have noticed as well – that suggests a certain direction of travel in terms of state surveillance.

“Russia has just mandated its ‘Max’ messaging app with built-in surveillance features on all devices, while the UK’s Online Safety Act contains provisions requiring platforms to scan encrypted messages, which critics say is not possible to implement without undermining users’ privacy. Now Switzerland proposes surveillance laws ‘identical to Russia’, and the EU pushes Chat Control.

“The timing is too coincidental. When authoritarian and democratic governments alike simultaneously pursue the same mass surveillance capabilities using nearly identical technical approaches (client-side scanning that breaks encryption for everyone) we must reasonably ask: is this really about protecting children, or is child safety being weaponised to achieve long-standing surveillance goals?”

As a lawyer, Shialaros see this as a coordinated effort “to normalise mass surveillance infrastructure under the guise of safety.

Once these systems exist, expanding their use becomes trivial – from child abuse to terrorism, then to tax evasion, copyright infringement, or political dissent. The pattern across Russia, the UK, Switzerland, and now the EU suggests this isn’t coincidence. It’s a template for dismantling digital privacy globally. We are essentially making everyone less secure in the name of making them safer.”

Tech experts share this take. An investigation by news analysis website Balkan Insight cited research by Imperial College academics indicating that AI-driven client-side scanning systems “could be quietly tweaked to perform facial recognition on user devices without the user’s knowledge.”

The researchers warned of more vulnerabilities yet to be identified.

“Once this technology is rolled out to billions of devices across the world, you can’t take it back”, they said.

In the same article, professor of Security Engineering at Cambridge University Ross Anderson warned that the debate around AI-driven scanning for CSAM (child sexual abuse material) has overlooked the potential for manipulation by law enforcement agencies.

“The security and intelligence community have always used issues that scare lawmakers, like children and terrorism, to undermine online privacy,” Anderson told Balkan Insight.

“We all know how this works, and come the next terrorist attack, no lawmaker will oppose the extension of scanning from child abuse to serious violent and political crimes.”

In 2022, Ylva Johansson, then European Commissioner for Home Affairs, and a key figure driving forward the Chat Control proposal, dismissed the idea thatthe approach she advocated would unleash something new or extreme, telling MEPs it was “totally false to say that with a new regulation there will be new possibilities for detection that don’t exist today”.

As the Balkan Insight reported, in July 2022 the head of Johansson’s Directorate-General, Monique Pariat, visited Europol “to discuss the contribution the EU police agency could make to the fight against CSAM, in a meeting attended by Europol executive director Catherine de Bolle.”

There, Europol officials “floated the idea of using the proposed EU Centre to scan for more than just CSAM, telling the Commission, ‘There are other crime areas that would benefit from detection’.”

Then there’s the question of hypocrisy and double standards, as critics point out that politicians and state functionaries would be exempt from having their communications scanned.

In a commentary published in April 2024, Patrick Breyer – a digital rights activist and member of the Pirate Party Germany – honed in on the text of the Commission’s proposal.

Breyer points to Article 1 of the proposed regulation, which reads: “This Regulation shall not apply to professional government accounts using services or parts of the services for national security purposes, maintaining law and order or military purposes.”

And: “The Regulation shall not apply to confidential information, including classified information, information covered by professional secrecy and trade secrets…”

Breyer commented: “The fact that the EU interior ministers want to exempt police officers, soldiers, intelligence officers and even themselves from chat control scanning proves that they know exactly just how unreliable and dangerous the snooping algorithms are that they want to unleash on us citizens.”