The EU’s proposed Chat Control (CSAM Regulation) aims to combat child sexual abuse material by requiring digital platforms to detect, report, and remove illegal content, including grooming behaviors.
Cybersecurity experts warn that such measures could undermine encryption, create new attack surfaces, and erode user privacy.
In this Help Net Security interview, Benjamin Schilz, CEO at Wire, discusses the Chat Control cybersecurity and privacy risks. He explains that mandated scanning mechanisms are incompatible with end-to-end encryption and would create liability and compliance challenges for service providers.
If the proposal were enacted, what technical safeguards or architectural controls could realistically mitigate the abuse potential of mandated scanning mechanisms?
Sadly, Chat Control is so damaging that it’s not something that, if implemented, has any realistic mitigation. It is like inserting a universal backdoor into every secure system and once it exists, it can and will be exploited. End-to end encryption simply cannot coexist with mandated scanning; the two are mutually exclusive. You can’t make a system both secure and surveilled.
Mandated scanning is like forcing everyone to leave a key under their doormat for authorities to access when they deem it necessary. Criminal actors will seek to exploit any opportunity and while Chat Control is framed as protecting citizens, it actually invites intrusion and violates the security it was intended to provide.
Chat Control threatens fundamental privacy rights and dismantles the encryption protections used by millions of individuals and even businesses, all in the pursuit of a monitoring scheme that the EU’s own data protection bodies and advisers have already deemed unworkable.
If scanning becomes mandatory, who bears liability for false positives and wrongful reporting: the service provider, the software vendor, or the state?
If governments mandate scanning, they must also assume liability for the predictable harms it causes. False positives are not going to be anomalies; they are statistically inevitable. Expert bodies within the EU and the German Bundestag have already warned that detection systems for new material and grooming are deeply inaccurate and would overwhelm law enforcement with false reports.
Placing a burden of liability on the parties that are being forced to implement something that everybody with technical knowledge and experience knows will fail, is not tenable or justifiable.
For security leaders inside technology firms, what new compliance burdens or threat models would Chat Control introduce?
Chat Control does not directly alter existing data protection obligations. Instead, the compliance burden would fall on managing state access requests, data retention policies and audit obligations. From a threat modelling point of view, it is inevitable that the monitoring schemes will become prime exploitation targets by nation state and large criminal syndicates. That means that consumer data and small business will be even more exposed, mined, and used to plan exploits against other businesses, worsening the threat level.
The regulation would also reshape Europe’s digital sovereignty landscape in the worst possible way. Large U.S. platforms can absorb the cost of compliance; smaller European and open-source developers cannot.
Implementing scanning, human review, and law enforcement pipelines requires infrastructure and legal resources that only large incumbents possess. The result would be to lock out EU innovators from the secure communications market, deepening dependency on foreign cloud providers and undermining the EU’s stated goal of digital sovereignty. In short, Chat ontrol will make EU tech less competitive.
Smaller developers and open-source projects often lack the resources of large platforms. Could this regulation effectively create a barrier to entry for European innovation in secure messaging?
Chat Control is not targeted. It is the mass surveillance on technically infeasible grounds. The use of the term “targeted” to describe Chat Control is misplaced and confuses the matter. Truly targeted scanning is based on and scoped to justifiable legal or criminal suspicion.
Is there a credible path for targeted scanning that satisfies both proportionality and operational viability, or is the entire premise technically and ethically untenable?
Protecting children online is an essential and shared goal, but mass surveillance is not the way to achieve it. The most effective safeguards are upstream and targeted, disrupting distribution networks, strengthening international cooperation, and investing in prevention and education.
Europe has led the world in digital rights and data protection. If it now mandates the mass inspection of private messages, it risks undermining the trust and security that define its leadership.
