Return of chat control: Something is rotten in the state of Denmark

To break encryption, or not to break encryption, that is the question.

Across the continent, tech-native Europeans are spinning up new large language models (LLMs) and artificial intelligence (AI) chatbots on their phones and computers and connecting with friends on end-to-end encrypted messaging apps. But that experience may soon change.

In Brussels, the European Commission, Danish presidency, and member states will be trying, once again, to revive the CSAM/chat control that would effectively break encryption online in the name of combating child sexual abuse material, a process more colloquially known as "chat control".

Taking up the lead this time is the country of Denmark, which holds the rotating presidency of the European Council from July 1 until the end of 2025.

At the heart of this prolonged battle over additional police powers is a technical discussion on whether encrypted messaging apps, now a default for millions of smartphone and internet users, can effectively screen for illegal material and alert authorities where appropriate.

Some member states and police agencies say yes. Most technologists and privacy campaigners say no.

Denmark follows others in planting its flag on encryption

The Scandinavian state has been a stalwart supporter of CSAM image scanning and chat control at previous EU Council meetings, and mentioned the regulation by name in their list of priorities to pursue in their Council presidency for the next six months.

“The Presidency will give the work on the Child Sexual Abuse (CSA) Regulation and Directive high priority,” they wrote in their programme.

“Furthermore, law enforcement authorities must have the necessary tools, including access to data, to investigate and prosecute crime effectively. This applies to both online offences and serious crime planned or carried out by organised criminals using modern technology and communication methods," they added.

Some member states have already introduced versions of encryption-busting regulation, including most recently Austria. In early July, the Alpine Republic passed a surveillance law allowing intelligence services to intercept encrypted messaging by deploying "trojan horse" software against suspected criminals and terrorists.

The vote carried despite abstentions from liberal MPs of the coalition, and will likely be challenged in the nation's constitutional court.

France and Sweden are debating similar rules forcing the decryption of internet traffic logs of virtual private network (VPN) providers. Spain has remained a passionate defender of outlawing end-to-end encryption altogether, leading a bloc of 15 member states who previously voted in favour of allowing backdoors into encryption services.

Former EU member state, the United Kingdom, currently facing both ridicule and outrage for its online age-verification scheme, has used secret court orders to force companies like Apple to introduce backdoors into their encrypted iCloud services.

In response, the company disabled its Advanced Data Protection services to UK users, leaving their information vulnerable not just to government snooping, but also to hackers targeting Apple devices.

It's about the children until it's not

The next Council debate and vote on chat control will reportedly take place on 14 October, where Danish leaders will attempt to convince holdouts like Poland and the Netherlands to change votes. Though Austria previously baulked at the regulation, the new coalition looks primed to change its mind.

During a press conference in Copenhagen on July 23 on the fringes of an informal meeting of European Justice and Home Ministers to set the presidency agenda, Danish Justice Minister Peter Hummelgaard stumbled through his answers.

"There is a broad recognition in the Council that we need to move on the regulation on child sexual abuse," he said, noting the conflicting opinions championing privacy over those wanting additional police powers.

But he then claimed the debate was "unjustly portrayed by business interests," adding that the rights of victims aren't being considered appropriately.

"We need to ask ourselves, at the end of the day, whose privacy is it that we're mostly concerned with? Is it the privacy of the thousands of children being sexually abused? Or is it the privacy of ordinary people who may be or may not be if they share child sexual abuse content can be protection order against what they're sharing (sic). We need to compromise on these differing views”.

While the stories of abuse and grotesque material shared online are compelling, it does not remove from the simple and plain fact that the European regulation aims to break encryption, something European Commission leaders were admitting as late as last year.

Addressing the 20th anniversary summit of the European Data Protection Supervisors in June 2024, former European Commission Vice President Vera Jourova admitted that the proposed CSAM scanning rule clarifies "that even encrypted messaging can be broken for the sake of better protection of children".

Technically unfeasible, socially undesirable

If this regulation is passed in its current form, these powers would allow national police agencies to force encryption messaging providers to scan and moderate content in real-time to avoid liability from prosecution.

Effectively, that would mean email services, messaging apps, VPNs, company databases, file uploads on secure servers, and much more will be required to detect and report any image, link, or material related to sexual exploitation or general crime. How general it would be is up to each member state's adaptation of the regulation.

Though the stated intention of EU authorities is noble, if we believe their rationale, there should be no hiding the fact that most of this is not technically feasible.

Apart from analysing metadata, there are no secure methods that would allow partial or even delayed encryption of information or images between users while still maintaining the integrity of end-to-end encryption.

Every VOIP call, iMessage, Signal text, WhatsApp message, and even direct message on platforms like Messenger and X use basic encryption protocols to secure conversations between their users.

How could these services feasibly exist or function in an EU that demands that everything must be available for inspection by some authority?

What's more is that nothing prevents police agencies from using court orders and legal powers they already possess to get information or evidence from individuals. There are no additional powers required.

Reasonable suspicion and reasonable cause can be used by trained law enforcement to solve and deter crimes without the need for snooping on every user's device.

If the Danes want to push this through without adequate debate and technical consideration, then we'll know for certain that something is rotten in the state of Denmark.

The return of chat control in October will be another opportunity for European democracy to be truly put into practice.

Will continental Europeans who regard personal privacy and security as sacrosanct consent to the power to screen their calls to catch bad actors? Or will they stand up and demand that their member states respect their rights and freedoms to use privacy-preserving technology?

"The rest is silence," said Hamlet in his last dying words.

Yaël Ossowski is a consumer and technology advocate, journalist, and writer.