CEPIS Warns Of Chat Control “Light”

Updated Council Proposal Seems To Remove Mandatory Scanning But Leaves Major Backdoors Wide Open

In the past few years, CEPIS has repeatedly expressed its concern with regards to different versions of the proposed Regulation to Prevent and Combat Child Sexual Abuse (CSA regulation), often referred to as “Chat Control” due to its side effects. On occasion of most recent CSA regulation draft to be voted by member states in the Council of the EU starting with the COREPER Meeting on 19th November CEPIS likes to highlight the following:

CEPIS welcomes the proposed changes in the new proposal that eliminate the mandatory nature of on-device CSAM detection. This significantly improves balancing the very necessary protections for children online with the security and privacy risks that these protections bring for society as a whole.

However, we are worried that other aspects of the new proposal still bring high risks to society without clear benefits for child protection:

1. The new draft extends the scope of the scanning: instead of images only, now also text and video would need to be detected. Moreover, the ambition was raised from finding redistributions of existing material to finding newly generated CSAM. However, the AI technology necessary for this is far from being precise enough to undertake these tasks with guarantees for the necessary level of accuracy. False positives seem inevitable, both because of the inherent limitations of AI technologies and because the behaviours the regulation targets are ambiguous and deeply context-dependent. The result would be overwhelming law enforcement and exposing large numbers of innocent people to investigation.
2. The mandatory age verification and age assessment for software stores and end-to-end encrypted communication services that are deemed at high risk of solicitations causes major security and privacy risks. Age verification typically relies on users presenting a document stating their age from an authoritative source. Presenting full documents (e.g., a passport scan) is disproportionate as it reveals much more information than the age. Therefore age and identity checks risk making anonymous email and messenger accounts practically impossible. This endangers journalists, whistle-blowers, counselling services and vulnerable groups who rely on anonymity for protection.   
3. On-device detection technologies, even if deployed “voluntarily”, would still break the protection of message confidentiality: implementing detection that informs anyone else beyond the sender and intended recipient of message content (e.g., the provider or law enforcement) means that the provider can no longer claim to provide end-to-end encryption. Thus, any communication which can be scanned and is reported, even if the scan is “voluntary”, can no longer be considered secure or private, and cannot be the backbone of a healthy digital society.

At the same time, CEPIS would like to reiterate the foundation of the analysis:

1. The EU Court of Justice has repeatedly ruled that indiscriminate surveillance of private communications is incompatible with the rights to privacy, data protection and freedom of expression.
2. Informatics professionals and security researchers have been clear for years: one cannot weaken encryption “for the bad guys only”. Any backdoor created will sooner or later be abused – by criminals, hostile state actors, or both.
3. Explicitly protect end-to-end encryption and secure infrastructure: EU law should state unambiguously that providers may never be required – directly or indirectly – to weaken encryption, introduce backdoors, or deploy measures that fundamentally compromise the security of their products and services.
4. Safeguard anonymous and pseudonymous communication: provisions that effectively prohibit anonymous communication or introduce de facto identification requirements for basic online services must be rejected. Secure, anonymous channels are essential for democracy, civic engagement and the protection of vulnerable persons.
5. Align with the Parliament’s fundamental-rights-oriented approach: The European Parliament has signalled that any new regulation must respect the Charter of Fundamental Rights and avoid indiscriminate measures. This approach should guide the trilogue negotiations and the final outcome.
6. Focus on effective, targeted child protection measures: The EU and member states should prioritise better resourcing of specialised law enforcement units, improved cross-border cooperation against organised abuse networks, support for platforms implementing targeted, lawful measures, and strong prevention, education and victim support mechanisms.

CEPIS would like to thank the group of scientists who published the analysis under https://csa-scientist-open-letter.org/Nov2025, and refers to it for a more detailed treatment of the most recent updates in the CSA regulation.