I am ashamed to be Danish. Where are the mass protests of hundreds of thousands, the mass walkouts from our workplaces until our government at last respects our human dignity?
Our government has today turned the EU into a tool for total surveillance I don't know if there can be any return from. Our democratic processes have been abused, and our politicians shown to be nothing but craven, self-interested agents of control.
> What about going out in front of your city hall with a poster saying no-chat-control?
Unorganized, individual acts cannot change anything in the EU.
> You risk nothing, do you?
Given the legislative maze the EU has become, you can't be sure of that, but you surely gain nothing.
The conditions in Europe are quite specific, and in that environment, pan-EU legislation (except the customs union) should be optional for individual members, anything else can and will be used against the people.
Seeing this as an opportunity: this further solidifies the need for opensource and decentralisation.
Chat apps should be opensource, E2E encrypted, and decentralised. In 2025 we still don't have that in any meaningful manner - Signal perhaps comes the closest, but it's centralised and controlled by a US organisation. The moats are deep within the chat app space, and getting the "network effect" is going to be really tough.
> At the beginning of the month, the Danish Presidency decided to change its approach with a new compromise text that makes the chat scanning voluntary, instead.
Hmm, so this will probably make the life for those who don't scan quite hard and if they experience a high profile scandal getting out of it will not be easy I assume.
I'm not sure what to think of it, not being mandatory and requiring risk assessment sounds like "Fine, whatever don't do it if you don't want to do it but if something bad happens it's on you". May be fair to some extent, i.e. Reddit and Telegram can decide how much they trust their users not to run pedo business and be on the hook for it.
On the other hand, it is a backdoor and if the governments go crazy like they did in some other countries where high level politicians are implicated with actual pedophiles and have a tendency for authoritarianism Europe may end up checking user chats for "enemies of the state" instead of CSAM materials. Being not mandatory here may mean that you get constant bullying because you must be hiding something.
While I fully agree with your sentiment, I'd like to take the opportunity to share a favorite fun-fact of mine: the frogs in the not-jumping-out experiment had their brains removed beforehand. Which might make the analogy more apt, actually, considering how much under siege our attention is these days.
"Voluntary" can also be pretty meaningless depending on the context. In the UK, if the police suspects you of shenanigans, they'll politely invite you for a "voluntary interview".
Of course you can decide to not go, it's voluntary, right? Yes, you can. Your choice. And when you reject their kind offer they'll come and arrest you so you can attend the interview.
They have removed the backdoor paragraph, and inserted a new one that states that scanning is entirely voluntary and best effort, and also state that the EU cannot force them to scan.
As far as the mass surveillance scanning goes, it has completely been removed, and what remains is still the mandatory age checks, which might be problematic.
From reading the specification, it appears to be reasonably well designed, where identification is handled by authorities, and the requesting party cannot get your identification details, only send an "is the user of this session older than 18". The verifier cannot see which site the request comes from, and you identify yourself in the session, and a reply goes back to the requester with a "yes/no" answer.
So, it at least appears to be simply an age check, and not some sort of surveillance program to stalk your online browsing habits.
The age check is already present in France, since I think a month? I will probably test it soon to see how inconvenient/insecure it is, but from what I read it seems to be well designed for privacy.
Problem is that once you've gotten this thing through to begin with it's comparatively easy to make slight amendments later, also of course with the justification of "protecting the children".
I feel like this will just incentivise the creation of privately run federated messaging systems. Powerful people will always be protected, any smart people will run fed messengers for their private stuff and normie tech for normie comms. This power will just turn into another form of control. As always, the only losers will be the average citizens.
And, clearly, all the mass surveillance in the USA has worked wonders to stop key political figures from engaging in pedophilia and other shenanigans. It's been 100% successful.
We must do it in Europe, lest the children be harmed. You know, instead of improving daycares and schools, the general economy, give them access to safe outdoor spaces, help families so they don't take it out on the kids…
I don't know. I've a son now, and I expected that to make me connect with this type of policy. It didn't.
You people need to disabuse yourselves of the idea that only a Trumpian type regime could possibly have any interest in finding and incapacitating “enemies of the state”.
Misleading title, the council approves their mandate for negotiations with parliament. It’s still a long way to go before it turns into law and I think it’s rather unpopular in parliament.
I think it's just the trialogue left, so still some distance but comfortably past halfway to becoming valid law.
There's been so much drama over the years about this proposal from the commission I doubt von der Leyen will want to fight to get the scanning back in.
Terrorists are winning. If husband wanted to control wife's phone, read all messages, that is jail time in many countries. But if bureaucrats in nice suits want to abuse Europeans all at once, then it is fine.
Germany get your s*t together and issue arrest warrants for this lot. They seem to be breaking German laws.
Democracy worked well here. The executive wanted more power (once again), the parliament refused, twice, despite _a lot_ of lobbying and pressure from the executive branch. Good job to the tech industry for counterlobbying (I'm not saying that often I swear), good job us for mobilizing, and also La Quadrature and other NGO privacy watchdogs for mobilization that allowed the EU parliament to resist somewhat, and forced a compromise that will any overreach tentative in the hand of judges.
What Europe needs to be careful of is that the EUCJ keeps its power. I _know_ people on both sides of the political spectrum dislike judges (because they defend the status quo for the left, and the rule of law for the right) but multiple times this past 3 years I've seen mediatic assaults on EUCJ and ECHR that expend their political power again and again and again. We have to keep executive power from limiting judiciary power. Already executive branches are powering through legislative in a lot of countries (France, UK, US, and EU which isn't a country but has similar institutions), we absolutely have to keep the third branch as a check against government overreach.
The crux is in those „risk assessments”, to be approved by authorities. IIUC those authorities will be able to designate e.g. Signal „high risk” and slap penalties unless they „mitigate” the risk. Hard to tell what will happen without seeing final regulation.
Laymen actually do care. But mass media does the sanewashing, and you can’t blame the average Joe of not having a deep understanding of what this entails and that it is not to protect the children.
Governmental interests benefit if we blame ourselves and other citizens for this shit passing. It is clear that modern democracies are people in power (which includes the media) vs the masses.
The trick is that because they could not pass the proposal that enforces message scanning, now this proposal defines "high risk activities" and in the case of high risk activity, the national authorities can force someone to comply (i.e. start to scan messages, block, stop activity).
High risk classification is at the end of the text.
Some highlights of what is defined as high risk, and thus can be forced to go through mandatory scanning or forbidden:
- Encrypted messaging follows closely due to privacy concerns and the potential for misuse. Posting and sharing of multimedia content are also high-risk activities, as they can easily disseminate harmful material.
- The platform lacks functionalities to prevent users from saving harmful content (by making recordings, screenshots etc.) for the purpose of the dissemination thereof (such as for example not allowing recording and screenshotting content shared by minors)
- Possibility to use peer-to-peer downloading (allows direct sharing of content without using centralised servers)
- The platforms’ storage functionalities and/or the legal framework of the country of storage do not allow sharing information with law enforcement authorities.
- The platform lacks functionalities to limit the number of downloads per user to reduce the dissemination of harmful content.
- Making design choices such as ensuring that E2EE is opt-in by default, rather than opt-out would require people to choose E2EE should they wish to use it, therefore allowing certain detection technologies to work for communication between users that have not opted in to E2EE
Also, a lot of these points do not sound like they are about the safety of children
- Platforms lack a premoderation system, allowing potentially harmful content to be posted without oversight or moderation
- Frequent use of anonymous accounts
- Frequent Pseudonymous behavior
- Frequent creation of temporary accounts:
- Lack of identity verification tools
Based on the light of the proposal, Hacker News is a very dangerous place and needs to have its identity verification and CSAM policies fixed, or face the upcoming fines in the EU.
> - Making design choices such as ensuring that E2EE is opt-in by default, rather than opt-out would require people to choose E2EE should they wish to use it, therefore allowing certain detection technologies to work for communication between users that have not opted in to E2EE
So you make it so that when the user starts the application you ask them "Your current configuration allows government, and probably some hackers as well, to see your messages. Do you want to enable encryption? Your government's suggestion is that you should say 'No' here. That's also what the foreign intelligence agencies suggest" "Yes, enable encryption" "No". That's clearly opt-in, you even provide the government's recommendation. And of course you then ask that whenever they open the application if they selected "No", we have learned that it's completely fine to keep asking same question from the user.
Oh, and make sure that the other party is clearly aware that the other side has not enabled encryption.
Is there still a loophole for politicians not to be tracked? Because if so, some people will make a lot of money by creating a political party and turning citizens into politicians for yearly fee and thus bypassing this whole law.
You can read the proposal and find out, if you're interested.
> In the light of the more limited risk of their use for the purpose of child sexual abuse and the need to preserve confidential information, including classified information, information covered by professional secrecy and trade secrets, electronic communications services that are not publicly available, such as those used for national security purposes, should be excluded from the scope of this Regulation. Accordingly, this Regulation should not apply to interpersonal communications services that are not available to the general public and the use of which is instead restricted to persons involved in the activities of a particular company, organisation, body or authority.
Sad to see Europe morph from postal secrecy to chat control. I can’t imagine 19th century intellectuals would do anything other than laugh in the face of censors who would suggest that the governments need to read personal correspondence to protect children and/or national interests against Prussia/Russia/China.
I know it's the recognized term for 'officially designated authority', but 'competent authority' seems to conflate two traits that do not necessarily co-habit.
Just read it as ”we have the competence to make decisions with authority on this issue”, though we all wish it always meant ”we have authority to make competent decisions on this issue” xD
Honest question. The EU was created as an economic and trade institution. How has it morphed into a weird political institution, which NATO was already supposed to be?
The root question: how did an organization that ushered in things like the Euro become a body that decides whether Europeans are allowed to have personal privacy?
The answer is pretty simple. This decision isn't "the EU".
The European Commission has fewer employees than the Luxembourg government (and keep in mind, they're "running" a continent).
This decision was the Council, i.e. simply the national member governments. Don't let anyone blame "the EU" for this, the national governments are the ones that proposed this, pushed it through EU institutions, and might now try to override the EU parliament about it. Just because national (elected) governments are pushing it through EU institutions doesn't mean you should blame "the EU". It wasn't the "Eurocrats".
What you're describing is how the process in the EU works. So in essence it is "the EU".
It doesn't seem to have any limits or restrictions on what it can do as an institution. It forced idiotic bottlecaps on all of us for shit's sake... and it has little consideration for privacy laws or constitutions of individuals, otherwise this proposal would've been thrown out automatically each time, if there was anything resembling constitutional values governing the EU's mandates.
It's like being governed by a neurotic unhinged monarch.
The EU (and preceding organisations since the European Coal and Steel Community) were created so that there will be no war in Europe. How exactly this objective is achieved is of secondary importance. It is an economic institution, because someone calculated that this will be the best shot, but if (or when) the calculation credibly shifts (for example, that it would be better for them to be a religion, a feudal system, or a federation -- whatever), it will morph into something else.
I'd say that it has 100% fulfilled its primary goal that there is no military conflict between major European states for like 80 years and counting, which is longest period ever recorded and a historical anomaly. The means of how it was executed is obviously a matter of debate, mistakes were made etc., but we over here generally make love, not war.
the entire point is to build a country called Europe
and the EU is built on the "Monnet method", where it slowly ratchets forward taking more power from national parliaments and giving it to the EU council/commission
(with a useless parliament there to make it appear democratic)
the UK leaving is the only example of the ratchet being reversed
> How has it morphed into a weird political institution
Von der Leyen, an autocratic fascist that is ruining this continent. She failed to push her agenda in Germany so she "failed upwards". Even how she got this position was highly controversial and went against the top candidate principle. The EU commission is exceeding their competencies. The EU is not democratic, there is no parliamentary oversight, the parliament can't even introduce legislative proposals. No one can vote for the EU commission, only the parliament can vote for or against all the proposed candidates (not one by one). Parliament is essentially a rubber stamp for the commission.
> The EU was created as an economic and trade institution. How has it morphed into a weird political institution, which NATO was already supposed to be?
That is not the case.
The 1957 Treaty Establishing the European Community contained the objective of “ever closer union” in the following words in the Preamble. In English this is: “Determined to lay the foundations of an ever closer union among the peoples of Europe …..”.
> The root question: how did an organization that ushered in things like the Euro become a body that decides whether Europeans are allowed to have personal privacy?
Sensationalist framing aside, how does any government become a body that decides anything?
> Sensationalist framing aside, how does any government become a body that decides anything?
Powerful people get together and decide that they know what's best for people. Then they claim that there is "consent" because people are given the right to vote and that there is a "social contract" that no one actually has signed, which everyone should still abide by.
That treaty was established just over a decade after Hitler surrendered, when there were two Germanys, an Iron curtain across Europe, and a lot of other things which changed significantly after the Wall fell. Surely you would agree that those words meant something quite different then than they do now?
I don't think my framing was sensationalist at all. Chat Control is using the threat of child porn to make people forget the reasons why the ECHR cares so deeply about privacy. I'm not sure why Denmark is pushing it so hard, but governments have long feared and hated encryption.
Such words in any Preamble are usually meant as a lofty declaration of some ideal, not a concrete political goal.
After all, "ever closer" does not even mean federation, it means a unitary state, which is "closer" than a federation or a confederation.
If you believe that a single sentence in a 1957 treaty can be used as a ramrod to push European federalization from above, you will be surprised by the backlash. European nations aren't mostly interested in becoming provinces of a future superstate, potential referenda in this direction will almost certainly fail, and given the growth of the far right all over the continent, I don't expect the governments to agree to any further voluntary transfer of powers to Brussels.
Also, the European Commission is not a government and is not meant to act as a government that can decide "everything".
The countries that formed the EU have only agreed to transfer some powers to Brussels. Not give it an unlimited hand over everything. And Chat Control is a major infringement of constitutional rights in many countries, where inviolability of communication except for concrete warrants has been written into law for decades.
Imagine a situation if the German Constitutional Court says "this is illegal by the German Grundgesetz, and German law enforcement may not execute such laws". Do you believe that German authorities will defer to Brussels instead of its own Constitutional Court? Nope. Same with Poland etc. Local constitutional institutions have more legitimacy among the people than the bunch of bureaucrats in Brussels.
How is it possible this thing can just keep coming back and back? There should be a law that gives these kinds of bills a cooldown period of 2 years or so that prevents them from being reintroduced with slightly different wording.
Because the EU citizens keep voting for those politicians. It’s as simple as that. There are dozens of different parties in each EU country, but people keep voting for parties that push chat control.
Honest question: let's say I get an email and encrypt it with a highly secure key, or maybe I just encrypt a file and send it through WhatsApp. That might not be as easy or secure as a double ratchet, but, is it against chat control?
The path from position to actual implementation (details) is long
And you can bet there's still a lot of opposition of people (with actual involvement in the legislative process)
And legal hurdles for implementation as well
(this all reminds me of the discussion around the copyright directive where people here were decrying it was going to be the end of memes. So, how did that go again?)
One thing with chat control I don't get is why can't it be vetoed by a single member? That doesn't seem like part of regular trade policy competency of the EU
I just want to reiterate that in Germany getting convicted of gang raping a 15 year old (and stealing her phone and purse and filming the rape) is something which gets you probation. Yes, the crime was proven, there was no doubt about the guilt.
In this context putting the entirety of the population under the suspicion of facilitating child rape is completely and utterly deranged.
Taking the reasons at face value (for the sake of argument) I guess what I'm confused about is why this would be necessary. I would think there were already laws/regulations/liability reasons/etc requiring companies to make efforts to ensure they're not hosting CP and other such things? Am I wrong?
Why follow the EU's press release instead of stating what's happening? The EU parliament voted - many times. They voted AGAINST having this law at all. The EU council is now threatening to fully override parliament, but "gives parliament another chance" to agree, in hopes this makes the member states more likely to cooperate.
More correct would be to state the in power EU governments have decided to use the EU council power to override the will of both the EU parliament and the member states' own parliaments - for now, by threatening parliament with the override.
This is completely incorrect, the Parliament, the Council, and the Commission always come up with their own version of a proposed regulation (the Commission because they get to create new proposals, the other two because they have to react to the Commission's proposal). Then all three parties sit down and negotiate a final text that becomes law.
Ah yes, going into details and then leaving out the crucial part. You're technically right about "regulations", which is a technical legal term with a surprise indirect meaning. The surprise is that "directives" also exist.
Of course the situation is that the EU parliament HAS come up with a version of the Chat Control law. It can be summarized very succinctly:
"NO" (obviously I mean that nothing passed parliament, I do get that they did work on a couple dozen versions of the actual law too. However the final outcome really is "NO")
Now, can you tell me how the role of parliament "changes" if they actually follow through on their threat *, which is of course to turn this from a regulation into a directive?
* the threat is that this is the EU council, not the EU Commission, which could do the same (and has in fact done the same for this law, but as pointed out they failed with parliament refusing to pass any kind of compromise at all). The only party that has the power to stop the Commission acting unilaterally to make this law is the EU council, so by getting the EU council to "propose" to parliament, the Commission is signaling that the EU council will choose their side against parliament, and there will be no way to stop them forcing this into law. After this the commission can then claim more legitimacy (because of what happened in the many local parliaments' "fuck the EU and your legitimacy" disasters of the past 2 decades, like the very dramatic fuck-you's to the division rules for illegal immigrants, you can see why they want maximum legitimacy on controversial laws).
Or to put it very very bluntly, this is the commission calling in daddy, because parliament doesn't want to cooperate and daddy EU Council saying "ok, we'll go to parliament together, PARLIAMENT! BEHAVE! You're going to listen and you're going to cooperate!".
And the problem is that in a democracy one might point out that if parliament doesn't want to cooperate, that's the end of the line. That is in fact a pretty good definition of the idea of democracy.
P.S. I must say, the EU Commission has never cared (at least not successfully) about social policy in the EU. Frankly, the Commission is normally opposed to social progress when it interferes with business. So I find it very hard to understand why the EU Commission is risking yet another legitimacy disaster over ... protecting kids? I've worked for them for a long time and despite the past, they really care about their legitimacy, they don't care about kids (or rather they see themselves as "the voice of reason" in a hopelessly divided Europe, and it's country parliaments that care about social issues, and sometimes even smaller parliaments (like ironically the Brussels parliament currently forcing a government shutdown over social spending)). Now, the EU as a whole and the Commission specifically may be right about them often being the voice of reason but it's been made crystal-clear time and time again: the EU population does not want any voice overriding their countries' parliaments, reasonable or otherwise. This was made clear from the very beginning with the Charles De Gaulle - Robert Schuman incident "Un Boche, un bon Boche, mais un Boche tout de même", calling into question the wisdom of letting "Un bon Boche" (he means: a reluctant Nazi collaborator) unify Europe with the creation of the EU.
The EU parliament and the head of states that comprise the EU council are elected by the EU citizens. Why is there such discordance between the two? Isn’t it mostly the same people from the same parties?
In a nutshell, there will be no more intrusions into chats, but only obligations for the companies to provide preferential channels for victims of these crimes.
And companies considered high-risk will have to "contribute to the development of technologies to mitigate the risks relating to their services." Which sooner or later will involve another attempt at client-side scanning.
This is a major win! Basically: It's now (still) voluntary for services to implement scanning for CSAM material. Not mandatory. End-to-end encryption will continue to be legal.
Source: Swedish national public service radio (Sveriges Radio) interviewing Jon Karlung, CEO of Bahnhof AB - a major privacy-centric and politically outspoken ISP in Sweden. Think XS4ALL (RIP) but in Sweden. Here's the interview: https://www.sverigesradio.se/artikel/efter-flera-ar-eu-overe... (Swedish speech).
Here's their blog post (in Swedish, use browser translation tools):
They could have subpoenaed the unencrypted Gmail accounts of Maxwell, Epstein and Barak like two decades ago. They can still subpoena Barak's Gmail and other accounts, especially after Giuffre's allegations about "a well known prime minister".
Given how badly the EU just folded on GDPR, data protection and AI laws (which were good laws generally imo, and tragic to see useful exercise of sovereignty erased), I want to have hope that this might not stand.
But unfortunately I feel like the big tech interests probably somewhat want this to happen, are happy to hand the citizenry over to the state. That we won't hear much from them over this all. With some notable Signal sized / Medium Tech exceptions.
It sure does seem like there's a huge legitimacy crisis the EU council is creating around itself by going so far against the will of the people, by intruding so forcibly into literally everyone's life.
"High risk" providers will be obligated to "contribute" technologies "to mitigate." Seems like a doublespeak way of saying enforced decryption or enforced backdoors.
It's one of those things that will obviously be used to boil the frog over time via bureaucratic rules.
Year 1 a minimum viable effort manual process will be fine. But they'll say "not good enough" to someone every now and then and the minimum can do in order to get a) permission b) enforcers not crawling up your ass (IDK if it will be permission based or enforcement after the fact based) will ratchet up.
By year 10 or 20 "everyone" will have an API or a portal or whatever.
And worse, by creating a compliance industry they create a whole suite of business and people who will ask for more, more, more more.
Yes, I see this as the people pushing for surveillance and control taking what they can get for now, with the view to bring it back to mandatory scanning before all is said and done.
No, because the EUCJ still has power to interpret the laws, or to declare the laws illegal. And the EUCJ, while incredibly pro-consumer, seems to really, really dislike the police state.
It will happen only if the council manages to defang the EUCJ (it does try, regularly, to reduce the judiciary power by forcing it to make unpopular statements on obviously illegal laws, so it might be a long term goal).
Sadly, another attempt will likely be made at some point. At least the regulation is quite explicit:
> This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption, implemented by the relevant information society services or by the users. This Regulation shall not create any obligation that would require a provider of hosting services or a provider of interpersonal communications services to decrypt data or create access to end-to-end encrypted data, or that would prevent providers from offering end-to-end encrypted services.
What about going out in front of your city hall with a poster saying no-chat-control?
You risk nothing, do you?
I assume this is a delay to get a foot in the door. After some time, the scanning will be made no longer voluntary.
One has to take rights away slowly, otherwise the frog jumps before you can boil it.
While I fully agree with your sentiment, I'd like to take the opportunity to share a favorite fun-fact of mine: the frogs in the not-jumping-out experiment had their brains removed beforehand. Which might make the analogy more apt, actually, considering how much under siege our attention is these days.
"voluntary" can also be pretty meaningless depending on the context. In the UK, if the police suspect you of shenanigans, they'll politely invite you for a "voluntary interview".
Of course you can decide to not go, it's voluntary, right? Yes, you can. Your choice. And when you reject their kind offer they'll come and arrest you so you can attend the interview.
> The scanning will be made no longer voluntary.
Yes, it's always like that. Eat piece by piece until nothing is left to eat.
They have removed the backdoor paragraph, and inserted a new one that states that scanning is entirely voluntary and best effort, and also state that the EU cannot force them to scan.
As far as the mass surveillance scanning goes, it has completely been removed, and what remains is still the mandatory age checks, which might be problematic.
From reading the specification, it appears to be reasonably well designed, where identification is handled by authorities, and the requesting party cannot get your identification details, only send an "is the user of this session older than 18". The verifier cannot see which site the request comes from, and you identify yourself in the session, and a reply goes back to the requester with a "yes/no" answer.
So, it at least appears to be simply an age check, and not some sort of surveillance program to stalk your online browsing habits.
The age check is already present in France, since I think a month? I will probably test it soon to see how inconvenient/insecure it is, but from what I read it seems to be well designed for privacy.
Problem is that once you've gotten this thing through to begin with it's comparatively easy to make slight amendments later, also of course with the justification of "protecting the children".
I feel like this will just incentivise the creation of privately run federated messaging systems. Powerful people will always be protected, any smart people will run fed messengers for their private stuff and normie tech for normie comms. This power will just turn into another form of control. As always, the only losers will be the average citizens.
And, clearly, all the mass surveillance in the USA has worked wonders to stop key political figures from engaging in pedophilia and other shenanigans. It's been 100% successful.
We must do it in Europe, lest the children be harmed. You know, instead of improving daycares and schools, the general economy, give them access to safe outdoor spaces, help families so they don't take it out on the kids…
I don't know. I've a son now, and I expected that to make me connect with this type of policy. It didn't.
You people need to disabuse yourselves of the idea that only a Trumpian type regime could possibly have any interest in finding and incapacitating “enemies of the state”.
Of course but Trump is a really good cautionary tale
Misleading title, the council approves their mandate for negotiations with parliament. It’s still a long way to go before it turns into law and I think it’s rather unpopular in parliament.
I think it's just the trilogue left, so still some distance but comfortably past halfway to becoming valid law.
There's been so much drama over the years about this proposal from the commission I doubt von der Leyen will want to fight to get the scanning back in.
Ok, we've put that in the title above. Thanks!
Thanks indeed!
Terrorists are winning. If a husband wanted to control his wife's phone, read all messages, that is jail time in many countries. But if bureaucrats in nice suits want to abuse Europeans all at once, then it is fine.
Germany, get your s*t together and issue arrest warrants for this lot. They seem to be breaking German laws.
Good old salami tactics still work. Same goes for going way over target to then settle for your actual goal.
Good old democracy at work.
Democracy worked well here. The executive wanted more power (once again), the parliament refused, twice, despite _a lot_ of lobbying and pressure from the executive branch. Good job to the tech industry for counterlobbying (I'm not saying that often, I swear), good job us for mobilizing, and also La Quadrature and other NGO privacy watchdogs for mobilization that allowed the EU parliament to resist somewhat, and forced a compromise that will put any overreach attempt in the hands of judges.
What Europe needs to be careful of is that the EUCJ keeps its power. I _know_ people on both sides of the political spectrum dislike judges (because they defend the status quo for the left, and the rule of law for the right) but multiple times these past 3 years I've seen mediatic assaults on EUCJ and ECHR that expend their political power again and again and again. We have to keep executive power from limiting judiciary power. Already executive branches are powering through legislative in a lot of countries (France, UK, US, and EU which isn't a country but has similar institutions), we absolutely have to keep the third branch as a check against government overreach.
Let's see how democracy protects us from the digital id proposal. It probably won't.
Democracy is actually at work here: it's restraining somewhat the reptile-brained politicians behind chat control.
The crux is in those „risk assessments”, to be approved by authorities. IIUC those authorities will be able to designate e.g. Signal „high risk” and slap penalties unless they „mitigate” the risk. Hard to tell what will happen without seeing final regulation.
The worst thing is that it's sold as child protection in all official publications of the EU
And no one cares. No one. There is no outcry, no protest, no shitstorm. Nothing.
I don't understand.
Do people not care if everyone is able to read and analyze, store their private communication?
Laymen actually do care. But mass media does the sanewashing, and you can’t blame the average Joe of not having a deep understanding of what this entails and that it is not to protect the children.
Governmental interests benefit if we blame ourselves and other citizens for this shit passing. It is clear that modern democracies are people in power (which includes the media) vs the masses.
The trick is that because they could not pass the proposal that enforces message scanning, now this proposal defines "high risk activities" and in the case of high risk activity, the national authorities can force someone to comply (i.e. start to scan messages, block, stop activity).
Here is the actual text: https://data.consilium.europa.eu/doc/document/ST-15318-2025-...
High risk classification is at the end of the text.
Some highlights of what is defined as high risk, and thus can be forced to go through mandatory scanning or forbidden:
- Encrypted messaging follows closely due to privacy concerns and the potential for misuse. Posting and sharing of multimedia content are also high-risk activities, as they can easily disseminate harmful material.
- The platform lacks functionalities to prevent users from saving harmful content (by making recordings, screenshots etc.) for the purpose of the dissemination thereof (such as for example not allowing recording and screenshotting content shared by minors)
- Possibility to use peer-to-peer downloading (allows direct sharing of content without using centralised servers)
- The platforms’ storage functionalities and/or the legal framework of the country of storage do not allow sharing information with law enforcement authorities.
- The platform lacks functionalities to limit the number of downloads per user to reduce the dissemination of harmful content.
- Making design choices such as ensuring that E2EE is opt-in by default, rather than opt-out would require people to choose E2EE should they wish to use it, therefore allowing certain detection technologies to work for communication between users that have not opted in to E2EE
Also, a lot of these points do not sound like they are about the safety of children
- Platforms lack a premoderation system, allowing potentially harmful content to be posted without oversight or moderation
- Frequent use of anonymous accounts
- Frequent Pseudonymous behavior
- Frequent creation of temporary accounts:
- Lack of identity verification tools
Based on the light of the proposal, Hacker News is a very dangerous place and needs to have its identity verification and CSAM policies fixed, or face the upcoming fines in the EU.
> - Making design choices such as ensuring that E2EE is opt-in by default, rather than opt-out would require people to choose E2EE should they wish to use it, therefore allowing certain detection technologies to work for communication between users that have not opted in to E2EE
So you make it so that when the user starts the application you ask them "Your current configuration allows government, and probably some hackers as well, to see your messages. Do you want to enable encryption? Your government's suggestion is that you should say 'No' here. That's also what the foreign intelligence agencies suggest" "Yes, enable encryption" "No". That's clearly opt-in, you even provide the government's recommendation. And of course you then ask that whenever they open the application if they selected "No", we have learned that it's completely fine to keep asking the user the same question.
Oh, and make sure that the other party is clearly aware that the other side has not enabled encryption.
Is there still a loophole for politicians not to be tracked? Because if so, some people will make a lot of money by creating a political party and turning citizens into politicians for yearly fee and thus bypassing this whole law.
You can read the proposal and find out, if you're interested.
> In the light of the more limited risk of their use for the purpose of child sexual abuse and the need to preserve confidential information, including classified information, information covered by professional secrecy and trade secrets, electronic communications services that are not publicly available, such as those used for national security purposes, should be excluded from the scope of this Regulation. Accordingly, this Regulation should not apply to interpersonal communications services that are not available to the general public and the use of which is instead restricted to persons involved in the activities of a particular company, organisation, body or authority.
Oh, so sharing all those restricted materials is fine, as long as you limit it to your company.
Elected officials, if I recall correctly. Not just people belonging to a political party.
In big governments or also in councils?
Sad to see Europe morph from postal secrecy to chat control. I can’t imagine 19th century intellectuals would do anything other than laugh in the face of censors who would suggest that the governments need to read personal correspondence to protect children and/or national interests against Prussia/Russia/China.
I know it's the recognized term for 'officially designated authority', but 'competent authority' seems to conflate two traits that do not necessarily co-habit.
Legal competence is like a legal person — it's a subset of what we normally associate with the term.
Just read it as ”we have the competence to make decisions with authority on this issue”, though we all wish it always meant ”we have authority to make competent decisions on this issue” xD
Honest question. The EU was created as an economic and trade institution. How has it morphed into a weird political institution, which NATO was already supposed to be?
The root question: how did an organization that ushered in things like the Euro become a body that decides whether Europeans are allowed to have personal privacy?
The answer is pretty simple. This decision isn't "the EU".
The European Commission has fewer employees than the Luxembourg government (and keep in mind, they're "running" a continent).
This decision was the Council, i.e. simply the national member governments. Don't let anyone blame "the EU" for this, the national governments are the ones that proposed this, pushed it through EU institutions, and might now try to override the EU parliament about it. Just because national (elected) governments are pushing it through EU institutions doesn't mean you should blame "the EU". It wasn't the "Eurocrats".
What you're describing is how the process in the EU works. So in essence it is "the EU".
It doesn't seem to have any limits or restrictions on what it can do as an institution. It forced idiotic bottlecaps on all of us for shit's sake... and it has little consideration for privacy laws or constitutions of individuals, otherwise this proposal would've been thrown out automatically each time, if there was anything resembling constitutional values governing the EU's mandates.
It's like being governed by a neurotic unhinged monarch.
The EU almost certainly has protected privacy for most European nations more than it has hurt it.
You simply need to look at the precipitous decline in privacy in the UK after it left the EU to see some of the most stark examples of this.
You speak as if the EU is somehow divorced from the national governments, and is imposing its will to the helpless states that compose it.
The commissioners that propose laws are appointed by each national government. The national government of each member state is all in on this.
NATO is not a political institution. It is a defense treaty (this one completely outside the realm of democracy).
A defence treaty is obviously a very political institution.
EU (and preceding organisations since European Coal and Steel Community) were created so that there will be no war in Europe. How exactly this objective is achieved is of secondary importance. It is an economic institution, because someone calculated that this will be best shot, but if (or when) calculation credibly shifts (for example, that it would be better for them to be a religion, a feudal system, or a federation -- whatever), it will morph into something else.
I'd say that it has 100% fulfilled its primary goal that there is no military conflict between major European states for like 80 years and counting, which is the longest period ever recorded and a historical anomaly. The means of how it was executed is obviously a matter of debate, mistakes were made etc., but we over here generally make love, not war.
ever closer union in the Treaty of Rome
the entire point is to build a country called Europe
and the EU is built on the "Monnet method", where it slowly ratchets forward taking more power from national parliaments and giving it to the EU council/commission
(with a useless parliament there to make it appear democratic)
the UK leaving is the only example of the ratchet being reversed
The useless parliament that’s stopped this legislation twice?
> a weird political institution, which NATO was already supposed to be?
NATO is a military alliance, not a government.
>How has it morphed into a weird political institution
Von der Leyen, an autocratic fascist that is ruining this continent. She failed to push her agenda in Germany so she "failed upwards". Even how she got this position was highly controversial and went against the top candidate principle. The EU commission is exceeding their competencies. The EU is not democratic, there is no parliamentary oversight, the parliament can't even introduce legislative proposals. No one can vote for the EU commission, only the parliament can vote for or against all the proposed candidates (not one by one). Parliament is essentially a rubber stamp for the commission.
I could be jailed for this comment btw.
All of this is disinformation and propaganda.
There is parliamentary oversight, it's literally the next step in the process.
We all voted for the EU commission through our respective elections for national governments, who appoint the commission.
You could not be jailed for this comment, though sometimes I wish you could. Information warfare is real.
> The EU was created as an economic and trade institution. How has it morphed into a weird political institution, which NATO was already supposed to be?
That is not the case.
The 1957 Treaty Establishing the European Community contained the objective of “ever closer union” in the following words in the Preamble. In English this is: “Determined to lay the foundations of an ever closer union among the peoples of Europe …..”.
> The root question: how did an organization that ushered in things like the Euro become a body that decides whether Europeans are allowed to have personal privacy?
Sensationalist framing aside, how does any government become a body that decides anything?
> Sensationalist framing aside, how does any government become a body that decides anything?
Powerful people get together and decide that they know what's best for people. Then they claim that there is "consent" because people are given the right to vote and that there is a "social contract" that no one actually has signed, which everyone should still abide by.
That treaty was established just over a decade after Hitler surrendered, when there were two Germanys, an Iron curtain across Europe, and a lot of other things which changed significantly after the Wall fell. Surely you would agree that those words meant something quite different then than they do now?
I don't think my framing was sensationalist at all. Chat Control is using the threat of child porn to make people forget the reasons why the ECHR cares so deeply about privacy. I'm not sure why Denmark is pushing it so hard, but governments have long feared and hated encryption.
"contained the objective of “ever closer union” "
Such words in any Preamble are usually meant as a lofty declaration of some ideal, not a concrete political goal.
After all, "ever closer" does not even mean federation, it means a unitary state, which is "closer" than a federation or a confederation.
If you believe that a single sentence in a 1957 treaty can be used as a ramrod to push European federalization from above, you will be surprised by the backlash. European nations aren't mostly interested in becoming provinces of a future superstate, potential referenda in this direction will almost certainly fail, and given the growth of the far right all over the continent, I don't expect the governments to agree to any further voluntary transfer of powers to Brussels.
Also, the European Commission is not a government and is not meant to act as a government that can decide "everything".
The countries that formed the EU have only agreed to transfer some powers to Brussels. Not give it an unlimited hand over everything. And Chat Control is a major infringement of constitutional rights in many countries, where inviolability of communication except for concrete warrants has been written into law for decades.
Imagine a situation if the German Constitutional Court says "this is illegal by the German Grundgesetz, and German law enforcement may not execute such laws". Do you believe that German authorities will defer to Brussels instead of its own Constitutional Court? Nope. Same with Poland etc. Local constitutional institutions have more legitimacy among the people than the bunch of bureaucrats in Brussels.
I thought Argentinian politicians were bad... big brother here we go.
Argentinian politicians are definitely worse
Does this already include the parliament's position based on a trilogue or will there be amendments before it's voted in parliament?
IIUC no, this is Council position before trilogue.
The wording on all this is incredibly vague. The intentions are pretty clear, but as the saying goes… the road to hell…
How is it possible this thing can just keep coming back and back? There should be a law that gives these kinds of bills a cooldown period of 2 years or so that prevents them from being reintroduced with slightly different wording.
Because the EU citizens keep voting for those politicians. It’s as simple as that. There are dozens of different parties in each EU country, but people keep voting for parties that push chat control.
Honest question: let's say I get an email and encrypt it with a highly secure key, or maybe I just encrypt a file and send it through WhatsApp. That might not be as easy or secure as a double ratchet, but, is it against chat control?
Note this is the council position
The path from position to actual implementation (details) is long
And you can bet there's still a lot of opposition of people (with actual involvement in the legislative process)
And legal hurdles for implementation as well
(this all reminds me of the discussion around the copyright directive where people here were decrying it was going to be the end of memes. So, how did that go again?)
One thing with chat control I don't get is why can't it be vetoed by a single member? That doesn't seem like part of regular trade policy competency of the EU
Even the Maastricht Treaty went beyond trade, though that does seem to have been the origin of the EU. https://en.wikipedia.org/wiki/Maastricht_Treaty
They are merely extending the current policy; it was set to expire early next year.
Oh, but we are terrified of child sexual abusers online :D
I just want to reiterate that in Germany getting convicted of gang raping a 15 year old (and stealing her phone and purse and filming the rape) is something which gets you probation. Yes, the crime was proven, there was no doubt about the guilt.
In this context putting the entirety of the population under the suspicion of facilitating child rape is completely and utterly deranged.
Is this the end of secure communication within EU?
Taking the reasons at face value (for the sake of argument) I guess what I'm confused about is why this would be necessary. I would think there were already laws/regulations/liability reasons/etc requiring companies to make efforts to ensure they're not hosting CP and other such things? Am I wrong?
No, you're not wrong. But this framing allows them to paint the parties opposing these measures as being 'pro CP'.
Why follow the EU's press release instead of stating what's happening? The EU parliament voted - many times. They voted AGAINST having this law at all. The EU council is now threatening to fully override parliament, but "gives parliament another chance" to agree, in hopes this makes the member states more likely to cooperate.
More correct would be to state that the in-power EU governments have decided to use the EU council power to override the will of both the EU parliament and the member states' own parliaments - for now, by threatening parliament with the override.
This is completely incorrect, the Parliament, the Council, and the Commission always come up with their own version of a proposed regulation (the Commission because they get to create new proposals, the other two because they have to react to commission proposal). Then all three parties sit down and negotiate a final text that becomes law.
Ah yes, going into details and then leaving out the crucial part. You're technically right about "regulations", which is a technical legal term with a surprise indirect meaning. The surprise is that "directives" also exist.
Of course the situation is that the EU parliament HAS come up with a version of the Chat Control law. It can be summarized very succinctly:
"NO" (obviously I mean that nothing passed parliament, I do get that they did work on a couple dozen versions of the actual law too. However the final outcome really is "NO")
Now, can you tell me how the role of parliament "changes" if they actually follow through on their threat *, which is of course to turn this from a regulation into a directive?
* the threat is that this is the EU council, not the EU Commission, which could do the same (and has in fact done the same for this law, but as pointed out they failed with parliament refusing to pass any kind of compromise at all). The only party that has the power to stop the Commission acting unilaterally to make this law is the EU council, so by getting the EU council to "propose" to parliament, the Commission is signaling that the EU council will choose their side against parliament, and there will be no way to stop them forcing this into law. After this the commission can then claim more legitimacy (because of what happened in the many local parliaments' "fuck the EU and your legitimacy" disasters of the past 2 decades, like the very dramatic fuck-you's to the division rules for illegal immigrants, you can see why they want maximum legitimacy on controversial laws).
Or to put it very very bluntly, this is the commission calling in daddy, because parliament doesn't want to cooperate and daddy EU Council saying "ok, we'll go to parliament together, PARLIAMENT! BEHAVE! You're going to listen and you're going to cooperate!".
And the problem is that in a democracy one might point out that if parliament doesn't want to cooperate, that's the end of the line. That is in fact a pretty good definition of the idea of democracy.
P.S. I must say, the EU Commission has never cared (at least not successfully) about social policy in the EU. Frankly, the Commission is normally opposed to social progress when it interferes with business. So I find it very hard to understand why the EU Commission is risking yet another legitimacy disaster over ... protecting kids? I've worked for them for a long time and despite the past, they really care about their legitimacy, they don't care about kids (or rather they see themselves as "the voice of reason" in a hopelessly divided Europe, and it's country parliaments that care about social issues, and sometimes even smaller parliaments (like ironically the Brussels parliament currently forcing a government shutdown over social spending)). Now, the EU as a whole and the Commission specifically may be right about them often being the voice of reason but it's been made crystal-clear time and time again: the EU population does not want any voice overriding their countries' parliaments, reasonable or otherwise. This was made clear from the very beginning with the Charles De Gaulle - Robert Schuman incident "Un Boche, un bon Boche, mais un Boche tout de même", calling into question the wisdom of letting "Un bon Boche" (he means: a reluctant Nazi collaborator) unify Europe with the creation of the EU.
The EU parliament and the heads of state that comprise the EU council are elected by the EU citizens. Why is there such discordance between the two? Isn’t it mostly the same people from the same parties?
Because in a democracy it's the legislative assembly - parliament - that decides on laws, not the executive.
The EU commission is the executive and represents the currently in power government, NOT parliament.
In a nutshell, there will be no more intrusions into chats, but only obligations for the companies to provide preferential channels for victims of these crimes.
And companies considered high-risk will have to "contribute to the development of technologies to mitigate the risks relating to their services." Which sooner or later will involve another attempt at client-side scanning.
“We won’t intrude in your home any more, but you are forbidden to put a lock on your front door.”
Orwell would be proud.
This is a major win! Basically: It's now (still) voluntary for services to implement scanning for CSAM material. Not mandatory. End-to-end encryption will continue to be legal.
Source: Swedish national public service radio (Sveriges Radio) interviewing Jon Karlung, CEO of Bahnhof AB - a major privacy-centric and politically outspoken ISP in Sweden. Think XS4ALL (RIP) but in Sweden. Here's the interview: https://www.sverigesradio.se/artikel/efter-flera-ar-eu-overe... (Swedish speech).
Here's their blog post (in Swedish, use browser translation tools):
https://bahnhof.se/2025/11/26/eu-bromsar-chat-control/
[dupe] https://news.ycombinator.com/item?id=46056358
Thanks for the link. I had missed the other two submissions.
If any admin is around, they should probably be merged. This is the other one: https://news.ycombinator.com/item?id=46055863
They could have subpoenaed the unencrypted Gmail accounts of Maxwell, Epstein and Barak like two decades ago. They can still subpoena Barak's Gmail and other accounts, especially after Giuffre's allegations about "a well known prime minister".
I have the feeling this will not happen.
Oh but those people would be exempt from scanning anyways.
"Don't worry, the scans won't invade your privacy or expose your information."
"Oh, so the politicians' communications are being scanned too, then?"
"Oh, heavens no. That might risk the privacy of our communications."
Given how badly the EU just folded on GDPR, data protection and AI laws (which were good laws generally imo, and tragic to see useful exercise of sovereignty erased), I want to have hope that this might not stand.
But unfortunately I feel like the big tech interests probably somewhat want this to happen, are happy to hand the citizenry over to the state. That we won't hear much from them over this all. With some notable Signal sized / Medium Tech exceptions.
It sure does seem like there's a huge legitimacy crisis the EU council is creating around itself by going so far against the will of the people, by intruding so forcibly into literally everyone's life.
Seems… fine? At least I don't see any invasion of privacy or encryption related obligations in this proposal.
The EU ostensibly wants to improve innovation, I wonder how these new assessment regulations help with that, especially for SME and startups.
"High risk" providers will be obligated to "contribute" technologies "to mitigate." Seems like a doublespeak way of saying enforced decryption or enforced backdoors.
It's one of those things that will obviously be used to boil the frog over time via bureaucratic rules.
Year 1 a minimum viable effort manual process will be fine. But they'll say "not good enough" to someone every now and then and the minimum you can do in order to get a) permission b) enforcers not crawling up your ass (IDK if it will be permission based or enforcement after the fact based) will ratchet up.
By year 10 or 20 "everyone" will have an API or a portal or whatever.
And worse, by creating a compliance industry they create a whole suite of business and people who will ask for more, more, more more.
Yes, I see this as the people pushing for surveillance and control taking what they can get for now, with the view to bring it back to mandatory scanning before all is said and done.
No, because the EUCJ still has the power to interpret the laws, or to declare the laws illegal. And the EUCJ, while incredibly pro-consumer, seems to really, really dislike the police state.
It will happen only if the council manages to defang the EUCJ (it does try, regularly, to reduce the judiciary power by forcing it to make unpopular statements on obviously illegal laws, so it might be a long term goal).
Sadly, another attempt will likely be made at some point. At least the regulation is quite explicit:
> This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption, implemented by the relevant information society services or by the users. This Regulation shall not create any obligation that would require a provider of hosting services or a provider of interpersonal communications services to decrypt data or create access to end-to-end encrypted data, or that would prevent providers from offering end-to-end encrypted services.