Aditya Agarwal

The EU Just Killed Mass Surveillance of Your DMs. Most Developers Missed It.

The EU has prevented mass surveillance of your DMs. And most developers are not aware of the near miss.

The European Parliament voted to reject Chat Control today, March 26. The regulation that would have allowed platforms such as Instagram and LinkedIn to voluntarily monitor your private messages for illegal content will expire on April 4. No extension. No substitute. Finished.

It wasn't even close. The EPP tried to force a re-vote to overturn an earlier decision. They were defeated.

Here's the backstory you should know

Since 2021, a temporary EU law called Chat Control 1.0 has allowed tech companies to voluntarily scan private messages for child sexual abuse material. Meta and similar platforms have run automated detection on messages before encryption.

The EU Commission wanted to make the legislation permanent and compulsory. Chat Control 2.0 would require every messaging app to introduce client-side scanning: your own device scans your messages before they are encrypted, and anything suspicious is flagged.

If you're creating something with end-to-end encryption, that should scare you.


Why client-side scanning breaks everything

Client-side scanning breaks the fundamental promise of E2EE. If one endpoint has already been compromised, it doesn't matter that the transmission is encrypted.

Meredith Whittaker, CEO of Signal, said they would withdraw entirely from Europe as a result. WhatsApp would have been obliged to create the same backdoor.

Parliament fought back fiercely. An extension was passed with conditions on March 11:

→ Scanning had to be specific and restricted to certain suspects identified by a court
→ E2EE communications were explicitly excluded

The Council declined those terms. Trilogue negotiations were suspended around the 16th of March.
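
To make the point about client-side scanning concrete, here is an added example (not from the original post). It assumes a toy SHA-256 keystream plus HMAC as a stand-in for a real E2EE cipher and a hypothetical exact-hash scanner (`make_scanner`, `send` and `demo` are illustrative names, and exact-hash matching is a simplification). It shows that the wire stays opaque and the recipient decrypts normally, while a report about the plaintext leaves the device as soon as the blocklist changes.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream, a stand-in for a real AEAD cipher.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def make_scanner(blocklist):
    # Hypothetical scanner: exact SHA-256 match against a list the user cannot read.
    def scan(plaintext):
        digest = hashlib.sha256(plaintext).hexdigest()
        return digest if digest in blocklist else None
    return scan

def send(key, plaintext, scanner=None):
    """Return (wire, reports). Reports leave the device outside the E2EE channel."""
    hit = scanner(plaintext) if scanner else None  # runs on plaintext, pre-encryption
    return encrypt(key, plaintext), ([hit] if hit else [])

def demo():
    key = secrets.token_bytes(32)
    msg = b"constructed sample message"  # constructed input
    before = make_scanner(set())
    after = make_scanner({hashlib.sha256(msg).hexdigest()})  # list changed, code did not
    wire_a, reports_a = send(key, msg, before)
    wire_b, reports_b = send(key, msg, after)
    return {"wire_hides_plaintext": msg not in wire_a and msg not in wire_b,
            "recipient_ok": decrypt(key, wire_b) == msg,
            "reports_before": reports_a, "reports_after": reports_b}

if __name__ == "__main__":
    print(demo())
```

Nothing in `encrypt` or `decrypt` differs between the two sends; only the blocklist does, which is why auditing the cryptography alone says nothing about what a scanning client discloses.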


And now we're here

The Parliament voted today and rejected the extension in full. The legal basis for voluntary scanning expires April 4.

Here's why this matters beyond Europe

Every encryption backdoor law sets a precedent. Australia's Assistance and Access Act of 2018 demonstrated this.

As soon as one jurisdiction required access, others followed. The EU's rejection of client-side scanning sends the opposite signal.


But it's not completely over 🤔

The permanent regulation is being discussed. Chat Control 2.0 is not forgotten, only delayed.

The Council is still keen on broad scanning capabilities. There's a real chance of this returning within 12 months with slightly different language.

If you're working on encrypted communications, messaging networks, or privacy-sensitive applications, be aware of this fight. The technology you choose today determines whether a future mandate could be quietly complied with or would force you to rebuild from scratch.

The EU Parliament made the right choice today. The big question is, will it last?

Are you building anything where client-side scanning mandates would force an architecture change? 👇
