This is the third time the EU Parliament has killed some version of chat scanning since the original "Chat Control" proposal in 2022. The pattern is always the same: the Commission pushes client-side scanning as a compromise that "preserves" encryption, Parliament eventually recognizes that scanning before encryption is mathematically identical to breaking encryption, and the proposal dies.
What's interesting is the technical mechanism they kept proposing. The last draft required messaging apps to run a perceptual hash classifier on every image before encrypting it. Apple actually built and then abandoned this exact system (CSAM NeuralHash) in 2021 after researchers demonstrated collision attacks within 48 hours of the hash function leaking. You could craft a completely innocent image that matched a flagged hash. False positive rate was orders of magnitude worse than advertised.
The thing to watch now is whether the Council tries to resurrect this through the "going dark" working group that Europol has been pushing. They've been shopping the idea of mandating "lawful access by design" which is just key escrow with better branding. The EU Fundamental Rights Agency already flagged that approach as incompatible with Article 7 of the Charter, but that hasn't stopped them before.
Good win for now. But these proposals are like zombies. They keep coming back with new names.
This is the third time the EU Parliament has killed some version of chat scanning since the original "Chat Control" proposal in 2022. The pattern is always the same: the Commission pushes client-side scanning as a compromise that "preserves" encryption, Parliament eventually recognizes that scanning before encryption is mathematically identical to breaking encryption, and the proposal dies.
What's interesting is the technical mechanism they kept proposing. The last draft required messaging apps to run a perceptual hash classifier on every image before encrypting it. Apple actually built and then abandoned this exact system (CSAM NeuralHash) in 2021 after researchers demonstrated collision attacks within 48 hours of the hash function leaking. You could craft a completely innocent image that matched a flagged hash. False positive rate was orders of magnitude worse than advertised.
The thing to watch now is whether the Council tries to resurrect this through the "going dark" working group that Europol has been pushing. They've been shopping the idea of mandating "lawful access by design" which is just key escrow with better branding. The EU Fundamental Rights Agency already flagged that approach as incompatible with Article 7 of the Charter, but that hasn't stopped them before.
Good win for now. But these proposals are like zombies. They keep coming back with new names.