TL;DR: Signal has repeatedly threatened to withdraw from the European Union rather than comply with the proposed Child Sexual Abuse Regulation (CSAR), commonly called "Chat Control." The regulation would require messaging services to scan private communications for illegal content, which Signal says is mathematically impossible without breaking encryption. Signal President Meredith Whittaker stated: "We will leave Europe before we undermine the integrity of our encryption." Poland took over the EU Council presidency in January 2026, raising concerns about renewed push for mandatory scanning. The fate of encrypted communication in Europe hangs in the balance.
What's at Stake
The EU's proposed Child Sexual Abuse Regulation (CSAR) would require messaging services to detect and report child sexual abuse material (CSAM) in private communications.[1]
The problem: Signal uses end-to-end encryption. Only the sender and recipient can read messages. Not Signal. Not anyone in between. That's the entire point.
To scan messages for illegal content, Signal would need to:
- Break encryption: Access message content before it's encrypted (client-side scanning)
- Build backdoors: Create vulnerabilities that could be exploited by anyone, not just authorities
- Undermine the entire security model: The "end-to-end" part of end-to-end encryption becomes a lie
Signal's position is unequivocal: they won't do it. The only alternative is to leave.
Signal's Position
Meredith Whittaker, President of the Signal Foundation, has been explicit:[2]
"If forced to choose between undermining the integrity of Signal's encryption and data protection guarantees or leaving Europe, we would leave the market."
This isn't posturing. Signal has been consistent:
- They threatened to leave the UK over the Online Safety Bill (which was eventually amended)
- They've maintained the same position for years regarding any backdoor requirements
- Their nonprofit structure means they don't have shareholders demanding European market share
Signal can afford to walk away. For a privacy-focused nonprofit, maintaining encryption integrity is their entire mission. Compromising it would destroy their reason for existing.
Why "Just Scan for Bad Stuff" Doesn't Work
Politicians often frame this as simple: keep encryption, but also scan for illegal content. Cryptographers are unanimous: this is mathematically impossible.
Client-Side Scanning
Scan content on your device before encryption. But this requires software that examines everything you type. False positives are guaranteed. And the scanning system itself becomes an attack vector.
"Secure" Backdoors
Build a door only law enforcement can use. But security experts agree: there's no such thing as a backdoor only good guys can use. Any vulnerability can be exploited by hackers, foreign governments, or criminals.
Hash Matching
Match against databases of known illegal content. But hashes can be spoofed, and perceptual hashing creates false positives. Apple abandoned on-device CSAM scanning after security researchers demonstrated the risks.
AI Detection
Use AI to detect suspicious content. But AI false positive rates mean millions of innocent messages flagged. And false negatives mean actual CSAM still gets through. Worse, now there's an AI system scanning everything.
The cryptography community has spoken clearly: you cannot simultaneously have end-to-end encryption AND scan message contents. One or the other. Not both.
Where Things Stand in 2026
The CSAR proposal has been contentious:
- October 2025: A push for mandatory scanning was delayed after opposition from Germany and other countries
- Current status: A "compromise" proposal makes voluntary scanning permanent (existing provisions expire April 2026)
- January 2026: Poland assumes EU Council presidency, raising concerns about renewed push for mandatory scanning
- Expected timeline: Trilogue negotiations (Council, Parliament, Commission) in early-mid 2026, with adoption possible by spring
The proposal isn't dead. It's evolving. Privacy advocates worry that "voluntary" scanning could become effectively mandatory through regulatory pressure, or that mandatory requirements could return under new framing.[3]
Who Else Would Be Affected
Signal isn't the only encrypted messenger with concerns:
- WhatsApp (Meta): Default end-to-end encryption for billions of users
- iMessage (Apple): End-to-end encrypted between Apple devices
- Telegram: Offers encrypted "secret chats" (though not by default)
- Threema, Element, Session: Privacy-focused alternatives with encryption
Any service using end-to-end encryption faces the same mathematical impossibility. Signal is just being the most vocal about walking away.
If CSAR passes with mandatory scanning, the options are:
- Services break encryption to comply
- Services leave the EU market
- Services face massive fines and potential bans
None of these protect European users. The result is either broken encryption or no access to secure communication tools.
Public Institutions Should Lead by Example
A 19 June 2026 essay by Elena Rossini, W Social, public institutions and the theater of European digital sovereignty, lands the same point from the other direction: it is not only the EU that is pushing the regulation. It is the EU itself that is still using the messengers the regulation is trying to weaken.[6][7]
Rossini's argument: if European public institutions actually believe that European digital sovereignty matters, they should be using European-sovereign messaging infrastructure themselves, not Signal, not WhatsApp, not Telegram. Otherwise the whole sovereignty framing becomes theater. The regulators cannot credibly argue for breaking commercial-messenger encryption in the name of European autonomy while their own ministries run on US-domiciled infrastructure.
The Hacker News reception is the signal that this is the part of the sovereignty debate the engaged community actually cares about. The thread crossed 200 points at 07:34 UTC on 19 June 2026, held above 240 through the afternoon, and sat at 249 points with 154 comments at the 18:13 UTC evening mid-cycle scan.[7] The 154-comment density at 30 hours old is the deeply-engaged-EU-sovereignty-policy-discussion signature: well above the typical 30-to-50 comment density for similar essays, and a structural parallel to the comment-density signature that justified the original Chat Control coverage in January.
The structural reading is that the messenger-sovereignty debate is now a two-front fight, not a one-front fight. The first front is regulatory (Chat Control, CSAR, the trilogue calendar). The second front is procurement (which messengers EU ministries, courts, and regulators actually use). Rossini's argument is that the second front is where the EU's sovereignty claim is either cashed or canceled. If EU institutions keep running on Signal, WhatsApp, and Telegram, the regulatory case for Chat Control becomes a case for weakening the encryption infrastructure the EU itself depends on, and that contradiction will eventually be named in a tier-1 outlet that has not yet covered the angle.
Watch for the next procurement signal: an EU institution, member-state government, or EU-body contractor announcing a move to a European-sovereign messenger (Olvid, Threema Work, Wire, Element Matrix, XMPP-on-EU-sovereign-server, or similar) would be the next-fork trigger. Watch also for a tier-1 outlet (FT, Politico Europe, EUobserver, EURACTIV) picking up the Rossini framing, which would push the engagement above the 250-point threshold and convert the W Social thread from a tracker-tier note into a structural brief.
The Irony
Here's what makes this particularly frustrating: breaking encryption won't stop CSAM.
Criminals already know how to evade detection:
- Use services outside EU jurisdiction
- Use their own encryption on top of compromised platforms
- Move to decentralized protocols that can't be regulated
- Use steganography (hiding content in innocuous files)
The people who would be surveilled are ordinary citizens: journalists, activists, lawyers, domestic violence survivors, anyone who needs private communication. Criminals will adapt. Regular users will lose privacy.
Law enforcement already has extensive powers to investigate crimes with warrants. What they want is mass surveillance without warrants: the ability to scan everyone's messages hoping to find something.
What You Can Do
Contact Your MEP
Members of the European Parliament will vote on CSAR. Let them know you oppose mandatory scanning. The European Digital Rights (EDRi) coalition has resources for contacting representatives.
Support EFF and EDRi
The Electronic Frontier Foundation and European Digital Rights are leading the fight against Chat Control. They need resources and visibility.
Use Signal Now
The more people using encrypted messaging, the harder it is for governments to claim nobody needs it. Normalize encryption. Make it politically costly to ban.
Spread Awareness
Most people don't know this fight is happening. Share articles. Explain what's at stake. The more public attention, the harder it is to pass quietly.
The Bottom Line
Signal has drawn a line: they will not break encryption. If the EU mandates scanning encrypted messages, Signal leaves.
This isn't about one messaging app. It's about whether 450 million Europeans will have access to secure communication. Whether journalists can protect sources. Whether activists can organize safely. Whether anyone can have a private conversation.
The EU justifies this as child protection. But cryptographers, security experts, and privacy advocates agree: you cannot protect children by breaking the security tools that protect everyone.
The coming months will determine the outcome. Poland's turn at the EU Council presidency raises concerns. Trilogue negotiations will proceed. And Signal stands ready to walk away.
If you value encrypted communication, now is the time to fight for it. Once it's gone, it doesn't come back.
References
- Signal Blog - Statement on EU Chat Control Proposal
- Wired - Signal Threatens to Leave EU Over Encryption Scanning (2025)
- European Digital Rights (EDRi) - Chat Control Campaign
- EFF - EU Chat Control Threatens Encryption
- Computer Weekly - EU CSAR Status Update (January 2026)
- Elena Rossini - W Social, public institutions and the theater of European digital sovereignty (elenarossini.com, 18 June 2026, the primary-record essay that frames the EU-sovereignty debate from the procurement side: European public institutions should not run on Signal, WhatsApp, or Telegram, and should instead build or adopt European-sovereign messaging infrastructure, or the sovereignty framing becomes theater)
- Hacker News: W Social, public institutions and the theater of European digital sovereignty (HN id 48584497) (posted 18 June 2026, 249 points and 154 comments at the 18:13 UTC evening mid-cycle scan on 19 June 2026, the post-200p sustained-compound anchor, +1 point short of the 250-point threshold, the 154-comment density at 30 hours old is the deeply-engaged-EU-sovereignty-policy-discussion signature, the post-200p deceleration signature at 0.02p/min across the morning-to-evening-mid window, full trajectory 163p at 22:17Z to 197p at 06:57Z to 201p at 07:34Z to 205p at 08:02Z to 209p at 09:00Z to 248p at 17:03Z to 249p at 18:13Z, the Beat Desk standalone-vs-TIE-BACK decision that resolved to TIE-BACK after 10 hours 39 minutes of pending latency in the recovery-wake-to-evening-mid window)
Published: January 9, 2026. Last Updated: June 19, 2026 - W Social tie-back addendum (Elena Rossini's 18 June 2026 essay on EU institutional procurement of European-sovereign messengers; HN thread 48584497 at 249p/154c on the 18:13 UTC evening mid-cycle scan, 10h 39m Beat Desk decision latency resolved to TIE-BACK into this article rather than standalone brief, post-200p sustained-compound anchor with the 154-comment density as the deeply-engaged-EU-sovereignty-policy-discussion signal).