TL;DR: The EU's Child Sexual Abuse Regulation (CSAR), nicknamed "Chat Control," would require messaging platforms to scan private communications for child abuse material. The problem: this includes end-to-end encrypted messages. The proposed solution: client-side scanning that checks your messages before encryption. Privacy experts and cryptographers say this fundamentally breaks encryption's security model. A vote is expected in Spring 2026, with negotiations ongoing and the current interim regulation extended until 2028 to prevent any legal gap.

What CSAR Proposes

The Child Sexual Abuse Regulation, first proposed by the European Commission in May 2022, aims to combat child sexual abuse material (CSAM) online.[1]

The goal sounds unobjectionable. The implementation is the problem.

What CSAR would require:

  • Detection orders. Platforms must scan messages for known CSAM, new CSAM, and "grooming" behavior
  • Apply to encrypted messages. End-to-end encryption doesn't exempt you
  • Client-side scanning. Messages scanned on your device before encryption
  • Automatic reporting. Detected material reported to authorities

Critics call it "Chat Control" because that's what it is: government control over private conversations.[2]

How "Client-Side Scanning" Breaks Encryption

End-to-end encryption means only you and the recipient can read your messages. Not even the platform can see them. That's the whole point.

CSAR's answer: scan messages on your device before they're encrypted.

Sounds like a workaround that preserves encryption. It's not.

Built-In Backdoor

Client-side scanning means your device has software designed to report on your messages. That's a surveillance tool built into your phone.

Mission Creep

Today it's CSAM. What stops governments from adding political speech, terrorism keywords, or dissent to the scan list?

False Positives

AI systems make mistakes. Innocent photos of your kids at the beach? Could trigger a report. Your life disrupted by algorithm error.

Security Vulnerabilities

Any backdoor can be exploited. If governments can access scanning systems, so can hackers and hostile states.

Cryptographers have been explicit: there's no way to build a backdoor that only good guys can use. Weakening encryption for one purpose weakens it for all purposes.[3]

Where Things Stand: January 2026

The legislative process has been messy:

  • May 2022. Commission proposes CSAR
  • November 2023. European Parliament adopts privacy-protective position favoring targeted surveillance with judicial warrants
  • 2024-2025. Negotiations stall, votes postponed, Member States disagree
  • December 2025. Commission proposes extending interim voluntary detection regulation to April 2028
  • Spring 2026. Expected adoption vote[4]

The interim regulation lets platforms voluntarily detect and report CSAM. The new regulation would make scanning mandatory and expand scope to encrypted messages.

Who Supports This?

EU countries are split:[5]

  • Supporters. Countries emphasizing law enforcement access and child protection
  • Opponents. Countries with stronger privacy traditions and encryption concerns
  • Denmark. Holding the Council presidency in late 2025, reportedly softening on mandatory scanning requirements

The European Parliament has pushed for a more privacy-centric approach: targeted surveillance with judicial warrants, not mass scanning of everyone's messages.

The final text will depend on "trilogue" negotiations between Parliament, Council, and Commission, expected late 2025 or early 2026.

The False Positive Problem

Every detection system has errors. With billions of messages scanned daily, even a small error rate means millions of false reports.

What happens when AI flags legitimate content?

  • Parents sharing photos of their children
  • Doctors sending medical images
  • Teenagers sharing age-appropriate content
  • Art, educational material, journalism

Each false positive means someone's private images reviewed by strangers. Potentially reported to police. Lives disrupted by algorithm mistakes.

Studies suggest false positive rates could overwhelm law enforcement with legitimate content while actual abuse material slips through.[6]

Impact on Encrypted Services

What happens to WhatsApp, Signal, iMessage under CSAR?

Options:

  1. Comply and scan. Implement client-side scanning, fundamentally changing their security model
  2. Exit the EU. Stop offering services to hundreds of millions of users
  3. Disable encryption. Switch to server-side scanning, eliminating E2E encryption entirely

Signal has already threatened to leave jurisdictions that mandate backdoors. Would they really exit the EU market? Would the EU really force that choice?

Either scenario is bad. EU users lose secure messaging, or they lose access to messaging services entirely.

What You Can Do

Contact MEPs

European Parliament members have influence over the final text. Tell them you oppose mandatory scanning of encrypted messages.

Support Digital Rights Organizations

Groups like EDRi, Access Now, and EFF's international work are fighting this. They need public support.

Follow the Vote

Pay attention to Spring 2026 legislative calendar. Public pressure matters most when votes are imminent.

Use Encrypted Services Now

Normalize encrypted communication. The more people depend on it, the harder it is to break.

The Bigger Picture

CSAR is part of a global trend: governments worldwide pushing to break encryption.

The UK's Online Safety Act. Australia's Telecommunications Act amendments. The US EARN IT Act attempts. Different laws, same goal: eliminate truly private communication.

The child safety framing is deliberate. It's politically difficult to oppose protecting children. But the technology doesn't discriminate. Backdoors built for child safety can be used for any surveillance purpose.

Once client-side scanning infrastructure exists, expanding what it scans is a policy change, not a technology change. Today CSAM. Tomorrow terrorism. Next year political speech.

Privacy isn't a special interest. It's the foundation of free expression, dissent, journalism, and democracy. What happens in EU negotiations affects messaging for billions worldwide.

Spring 2026 matters. Pay attention.

References

  1. EUR-Lex - Proposal for Child Sexual Abuse Regulation (CSAR)
  2. Patrick Breyer MEP - Chat Control EU Mass Surveillance
  3. EFF - Client-Side Scanning Is a Backdoor
  4. Computer Weekly - EU CSAR Vote Expected Spring 2026
  5. EDRi - Chat Control Campaign
  6. Al Jazeera - EU Chat Control False Positive Concerns