EU plans for chat control: Screening of WhatsApp messages in Denmark

Anyone who communicates via private messaging services like WhatsApp, Signal, or iMessage could soon have a silent reader: An AI and possibly even a government agency could unnoticed check what exactly is being sent to their partner, colleague, child, or lover. The basis for this is an EU project that online activists have dubbed "chat control." In recent weeks, the issue has taken on a new dimension: Denmark holds the EU Council Presidency and wants to push ahead with the plans. And Germany's position, of all things, could determine whether they are actually implemented.

According to its proponents, the purpose of chat control is to combat the spread of child pornography. The software is supposed to check sent images and videos for potentially criminal content – ​​even before they are encrypted and sent via the messaging service. How far this software can go in this regard and what exactly it monitors has recently been the subject of repeated negotiations. One thing is clear, however: if it raises an alarm, an authority should be informed about the material found.

The problem: Technical scans are prone to errors. IT experts, civil rights advocates, and online activists fear that billions of private messages from innocent citizens could fall into the hands of law enforcement agencies in the future. What's more, once the digital privacy of correspondence has been undermined, it could pave the way for further intrusions.

Denmark recently included the aforementioned regulation on its Council Presidency's priority list. "The Presidency will give high priority to work on the Child Sexual Abuse Regulation and Directive (CSA)," the program states.

"Furthermore, law enforcement authorities must have the necessary tools, including access to data, to effectively investigate and prosecute crimes," it continues. "This applies both to online crimes and to serious crimes planned or carried out by organized criminals using modern technologies and means of communication."

The new rules could be adopted as early as October 14 if the Danes succeed in reaching a compromise among the member states. So far, the EU member states have been unable to reach an agreement due to a blocking minority. Germany, among others, under the previous "traffic light" coalition government, opposed the proposals. However, it remains unclear what the future holds under Chancellor Friedrich Merz (CDU).

German Interior Minister Dobrindt is considering the nationwide introduction of Palantir's US software. The program, developed by Trump friend Peter Thiel, could soon analyze and link data from millions of German citizens. What does the police actually know about us? And can this data be deleted?

Green Bundestag member and digital policy expert Jeanne Dillschneider had already addressed a question to the federal government on the topic in June – but a clear answer was not forthcoming. The Interior Ministry of Alexander Dobrindt (CSU) stated at the time that it welcomed the EU regulation's goal of creating "clear, permanent, and fundamental rights-compliant legal bases." It stated that it would "continue to advocate for the greatest possible protection of all affected fundamental rights" – without precisely defining what this actually meant.

Dillschneider has since tried again. In another inquiry, submitted to the RedaktionsNetzwerk Deutschland (RND), the MP reminds the federal government of its promise in the coalition agreement – ​​which still listed the "confidentiality of private communications." Dillschneider now wanted to know whether this also includes so-called end-to-end encryption – and whether technical backdoors such as "client-side scanning" (the technical term for chat control) are excluded for her.

Again, the answer remains vague. The government's response describes end-to-end encryption as an "important tool" "to ensure the security and confidentiality of user communications." It should "fundamentally not be weakened." It continues: "As part of the ongoing negotiations on a new EU regulation to combat child sexual abuse (...), among other things, discussions are taking place on how children can be effectively protected from online sexual abuse, even with end-to-end encryption of communications." Denmark's current proposals are currently being "reviewed" by the federal government.

Dillschneider is dissatisfied with the response: "Instead of taking a clear stance, [the German government] hides behind EU recitals, refers to ongoing reviews of Danish proposals, and avoids a clear position on end-to-end encryption," she writes to the RND. "I look in vain for a clear rejection of technical backdoors or client-side scanning in the response."

Meanwhile, protests against the plan are growing within civil society. Thirty-three organizations have now joined the "Stop Chat Control" campaign, including the Chaos Computer Club (CCC), the German Association of Specialist Journalists, the organization Digitalcourage, Reporters Without Borders, and – among other political youth organizations – the Jusos (Young Socialists), whose parent party, the SPD, sits in the federal government.

Organizers fear that these measures will lead to "total surveillance" and a threat to professional secrecy, for example, of doctors, lawyers, journalists, or counseling center employees. The system is vulnerable to abuse and error-prone. The campaign cites the case of a man from the USA as an example. He lost access to his online accounts after photographing his son's private parts for his doctor.

But the campaign also mentions one more point: so-called "client-side scanning" is simply not suitable for protecting children. Images of child abuse are "not primarily sent via messaging apps, and the law doesn't even address the actual distribution channels." The organizers therefore appeal for genuine child protection "instead of mass surveillance."

There are also protests from industry: The privacy-focused US messenger Signal made it clear last year that it would consider withdrawing from the EU if pre-screening of chat messages were made mandatory. The Swiss messenger service Threema also clearly opposes this.

Benjamin Schilz, CEO of the German messaging service Wire, believes the plans are technically almost impossible. Furthermore, they are ineffective. "Surveillance only works if those affected don't know about it. Chat control is the opposite. (...) The consequences are easy to predict: Criminals will switch to alternative services – such as encrypted messengers, TOR services, VPNs, dark web offerings, or unregulated platforms. This would make the very people the chat control is intended to target impossible for authorities to track down."

For everyone else, the company's CEO fears dire consequences. "Mass surveillance, once implemented, can rarely be reversed. If the hoped-for successes fail to materialize, the proponents won't give up. It's more likely that they'll demand even more control." Schilz fears continued political attacks on end-to-end encryption and a further expansion of surveillance.

The plans have been debated among EU member states for years – and have changed repeatedly since then. A so-called "chat control light" was recently discussed under Hungary's Council Presidency. According to this, software would compare photos and videos with a database of known criminal content and raise an alarm if a match was found. Earlier drafts also included scanning for potentially new material. Such a process would have required AI to classify the file as questionable or harmless, which would have been particularly error-prone.

The draft bill also previously included so-called grooming protection. This refers to the deliberate contact of minors by adults with the purpose of abusing them. Here, too, an AI would have been required to scan suspicious messages. The problem: Artificial intelligence doesn't understand irony or other double meanings particularly well – and frequent false alarms would be inevitable.

Chat control was first presented by EU Commissioners Dubravka Suica and Ylva Johansson in May 2022. At the time, they stated that they wanted to develop "a global standard" against illegal child pornography. Since then, several EU Council Presidencies have failed to implement the plans.