- The VPN industry has spoken out against the controversial child sexual abuse (CSAM) scanning bill
- Members of the VPN Trust Initiative warn that lawmakers should “reject any regulations that weaken encryption standards”
- EU Council members are sharing their final position on the Danish proposal of the so-called Chat Control on September 12, with the next meeting set for October 14
EU lawmakers should reject any regulations that mandate encryption backdoors, weaken encryption standards, or impose insecure technical requirements.
That’s the pledge from the VPN Trust Initiative (VTI), a consortium that includes some of the best VPN providers on the market, as EU members are sharing their final positions on the Danish version of the Child Sexual Abuse Regulation (CSAR) proposal in the Council.
Nicknamed Chat Control by its critics, the bill seeks to introduce new obligations for all messaging services operating in Europe to scan user chats – even if they’re encrypted – in the search for both known and unknown child sexual abuse material (CSAM).
Although virtual private network (VPN) software is outside the law’s scope – for now, at least – VTI’s members are worried that this so-called client-side scanning would irrevocably ruin the very technology VPNs are built on.
“Encryption either protects everyone or it protects no one,” said Emilija Beržanskaitė, Co-Chair of the VPN Trust Initiative.
“Governments worldwide – and especially in Europe this week – must lead from an informed position and defend strong encryption as a cornerstone of privacy, digital trust, and democratic values.”
How Chat Control could break encryption?
In its current form, the Danish CSAM scanning proposal would force the likes of WhatsApp, Signal, ProtonMail, and other messaging services to perform indiscriminate scanning of private messages.
Crucially, the mandatory scanning is expected to occur directly on the device before messages are encrypted, targeting shared URLs, pictures, and videos. Only governments and military accounts are excluded from the scope of the bill.
Despite the proposal mentioning the commitment to preserve end-to-end encryption protections, experts believe that client-side technologies simply cannot do that.
“Chat Control’s client-side scanning provisions create a false choice between safety and security,” Laura Tyrylyte, privacy advocate at NordVPN, a member of the VTI, told TechRadar. “Solutions should not be transactional. We cannot solve one problem, even as serious as child safety, at the expense of creating systemic security vulnerabilities that expose everyone to greater risks.”
NymVPN‘s CEO, Harry Halpin, has also spoken out against Chat Control, deeming it “a major step backwards for privacy.”
“Scanning everyone’s intimate conversations is a disproportionate response that normalises surveillance,” he explains. A measure that could be easily repurposed to target journalists, activists, or political opponents. Such a backdoor will also create a vulnerability that criminals and hostile governments could exploit.
“The better approach is targeted, warrant-based investigations, rapid takedown of illegal content, clear industry reporting routes, and properly resourced specialist teams,” Halpin added.
How likely is Chat Control to pass?
On the eve of today’s (September 12) meeting, Luxembourg and Germany joined the opposition, bringing the list of countries opposing the bill to eight.
The latest rumors shared by the former MEP for the German Pirate Party and digital rights jurist, Patrick Breyer, also indicate that Slovenia has passed from the undecided to those against.
If that’s true, only three EU members remain undecided (Estonia, Greece, and Romania), and we’ll need to wait and see if these governments will eventually take a definite position in the Council.
On Tuesday (September 9), over 500 cryptography scientists and researchers signed a letter to warn the EU Council of the risks of agreeing to the proposal in its current form. This is the third time since 2022 that experts have urged against mandatory chat scanning.
However, support remains stronger, with 15 countries (including France, Italy, and Spain) being in favor of the bill, as per the latest data.
According to the Senior Director for European Government and Regulatory Affairs at the Internet Society, David Frautschy, that’s “a bad outcome” for privacy and secure communications in the EU.
“It’s not over, but the window is closing quickly. The process will be over by October 14th. So, we encourage citizens to convince their policymakers that the right way forward is supporting strong encryption, not weakening or undermining it by client-side-scanning surveillance,” Frautschy added.
What’s certain, however, is that Chat Control is only one of the proposals that could endanger encryption protections for Europeans – and VPNs could also become a target as some EU experts explicitly mentioned them as “key challenges” to investigative work.
Commenting on this point, Tyrylyte from NordVPN told TechRadar: “Once deployed, client-side scanning infrastructure can be trivially reconfigured to expand surveillance beyond its original purpose. This directly contradicts the EU’s own cybersecurity goals, including the Cyber Resilience Act and post-quantum cryptography initiatives. We can’t have one policy weakening security while others are trying to strengthen it.”
You might also like
- “Weakening encryption would make European security worse” – the VPN industry reacts to the EU’s plan for end-to-end encryption backdoors
- Chat Control 2.0? Experts urge the EU not to undermine encryption with new ProtectEU plan
- FTC calls on big tech to resist UK and EU demands to weaken encryption and censor content
