DEV Community

Cover image for Chat Control is what regulation looks like when you meet it as a headline
Mirza Iqbal
Mirza Iqbal

Posted on

Chat Control is what regulation looks like when you meet it as a headline

Thursday night I watched a Hacker News thread rise past 1,600 points.

EU Parliament greenlights Chat Control. 848 comments underneath, looping through the same feelings in the same order. Anger first, then dread, then the tired shrug of people who feel they lost a fight they never got to join.

If you build anything that moves a message between two people, you read that thread the way I did.
With a list forming in your head of every promise your product makes about privacy, and a quiet question about which of them still holds.

The powerless feeling is the worst part.
Code you can fix. A parliament you cannot.
So the thread fills with people rehearsing exits. Move the servers, drop the feature, leave the EU market, self-host everything.
Exit plans written in anger at midnight are rarely good architecture.

I recognized the feeling in those comments, and not from this week.

I met this exact week in 2018

I have spent sixteen years building inside German enterprise. Banks, automotive, public sector. Regulation is the water there, and I will be honest about how I started. I treated compliance reviews as the place where features went to die. Legal was the department of no, and I resented every form they made me fill.

Then May 2018 arrived and GDPR landed on everyone at once.

I watched two kinds of teams live through the same law.

The first kind met GDPR as breaking news. More than a year of warnings had rolled past them, and now they were rewriting consent flows and data exports under deadline while the planned quarter burned in the background. Some of that work was mine. It was rushed, miserable, and it shipped worse than anything else we built that year.

The second kind had treated one question as an architecture concern all along. Where does personal data live, and who can read it. For those teams GDPR was work, but boring work. A quarter of tickets, not a crisis. Their features did not die in review, because review had nothing left to find.

Same law. Same deadline. Very different year.

The opinion that annoys people

Regulation has never killed a product I worked on. Meeting regulation as a headline has come close more than once.

I hold a stronger version of that, and you are welcome to argue with it below.

If a parliamentary vote can surprise your release plan, your intake failed long before the law did. Laws move at the slowest speed of anything in your stack. Chat Control has been fought over in public for years. Anything that spends years in the open before it can touch you is the most forecastable dependency you have, and most teams track their npm packages more carefully than they track it.

We watch deprecation notices. Someone owns the upgrade path before the break lands. Nobody calls that bureaucracy. Treat the two or three regulations that can reach your product the same way, and the headline week turns into a planning week.

That is the whole pattern. Know which parts of your system a law can touch, keep that map current, and give the watching to a named person instead of to everyone in general and no one in particular.

For a messaging product that map is short. Where encryption starts and ends, what you could technically read if compelled, what you log, and how long you keep it. Four answers. If producing them takes your team a quarter, that is the real finding, and no parliament caused it.

None of this makes Chat Control fine

I want to be plain about the other half.

Scanning private messages deserves the anger it is getting. The fight over it matters, and developers are right to be loud. Call your MEPs, argue in public.

But anger and architecture are different budgets.
You can spend one without emptying the other.

The teams I trust most in regulated industries hold both at once. Loud in the debate, calm in the codebase, because they know what changes for them if the worst version passes, and it is written down somewhere that is not a panicked Slack thread.

Sixteen years in, the stomach drop still comes when a vote goes the wrong way.
The difference is what happens in the week after.

Your turn

Has a regulation ever genuinely blindsided a system you own, and what did the first week after look like?

If this was useful

I work through this in public, the wins and the freezes both, mostly on LinkedIn and YouTube. If the real version of building in the open is useful to you, that is where it lives. Find me on X, GitHub, and the work at next8n.com.

Top comments (0)