Chat Control 1.2: the permanent version nobody voted for
Chat Control 1.0 is temporary. it expires in july 2029 unless renewed. that's by design — pass the temporary version, normalize the scanning, then make it permanent. it's the same trick they pulled with airport security after 9/11.
Chat Control 1.2 is the permanent replacement. it's being negotiated right now, behind closed doors, with almost no public scrutiny. here's what we know.
what's different from 1.0
1.0 is temporary. 1.2 is permanent.
that's the biggest difference. once 1.2 passes, there's no expiry date. no sunset clause. no "we'll review this in 3 years." the scanning infrastructure becomes a permanent fixture of the EU's digital landscape.
broader scope.
1.0 covers "child sexual abuse material." 1.2 covers "all forms of child sexual exploitation and abuse." sounds like the same thing? it's not. "exploitation and abuse" is deliberately vague. it could include:
- any content involving minors that algorithms deem "sexualized" — including perfectly innocent photos
- "grooming" detected by AI — which we've already seen has a 94% false positive rate
- "solicitation" — broad enough to cover any conversation between an adult and a minor
the vagueness is the point. it gives regulators room to expand the scope without new legislation.
mandatory technology.
1.0 lets platforms choose how to implement detection. they can use hash matching, AI analysis, or client-side scanning. 1.2 mandates specific technologies. the leaked draft requires:
- client-side scanning for all image and video content
- AI behavioral analysis for all text conversations
- real-time scanning (not batch processing)
this is the nuclear option. client-side scanning on every device, scanning every image before it's sent. the technical community has been screaming about this since 2021.
who's pushing for this
the driving force behind 1.2 is the EU Home Affairs Commissioner and a coalition of member states led by:
- france — has been the strongest advocate for surveillance expansion since the Bataclan attacks
- germany — CDU/CSU supports it, Greens oppose it. coalition politics make germany unpredictable
- spain — quietly supportive, has its own domestic surveillance expansion
- ireland — the tech hub. paradoxically supportive despite hosting most US tech companies' EU operations
the lobbying behind this is intense. child protection organizations (some genuine, some astroturfed) provide the emotional cover. law enforcement agencies provide the "we need this tools" narrative. and tech companies that sell scanning technology provide the money.
the scanning industry.
there's a multi-billion euro industry that sells content scanning tools. companies like PhotoDNA (Microsoft), Thorn, and various AI startups stand to profit enormously from mandatory scanning. they've been lobbying for years. Chat Control is their payday.
the negotiation process
Chat Control 1.2 is being negotiated through the EU's ordinary legislative procedure:
- commission proposal — the EU Commission drafts the regulation (done — leaked in may 2026)
- council position — member state governments negotiate their position (ongoing, mostly behind closed doors)
- parliament position — the EU Parliament's LIBE committee drafts amendments (expected late 2026)
- trilogue — commission, council, and parliament negotiate the final text (expected 2027)
- vote — final vote in parliament (expected mid-2027)
the timeline is aggressive. the commission wants this passed before the current parliament term ends. they know that if it goes to a new parliament, the composition might change.
what's secret
the council negotiations are almost entirely secret. member state positions aren't published. the only leaks come from civil liberties organizations that get hold of draft documents. the commission's impact assessment — the document that's supposed to analyze whether the regulation is proportionate — hasn't been published.
this is how they pass unpopular legislation: keep it secret until it's too late to organize opposition.
the technical problems (even worse than 1.0)
false positives at scale
with 1.0, platforms can choose less invasive methods. with 1.2 mandating client-side scanning and AI behavioral analysis, the false positive problem explodes.
let's do the math:
- ~450 million EU citizens use messaging apps
- average of ~50 messages per day
- that's 22.5 billion messages per day
- with a 94% false positive rate (from the TU Munich study)
- that's 21.15 billion false flags per day
even if the false positive rate is "only" 50%, that's 11.25 billion innocent conversations flagged daily. who reviews them? humans? AI? the infrastructure for reviewing that volume doesn't exist.
the security hole
client-side scanning requires your device to have a database of "flagged" content. that database needs to be updated. the update mechanism is a massive security vulnerability.
researchers at the University of Cambridge showed in 2023 that client-side scanning databases can be manipulated to flag arbitrary content. a government could add political speech, protest imagery, or journalist sources to the database. the scanning happens on your device, so you'd never know.
the end of E2EE
this is the part that makes security researchers break out in cold sweats. client-side scanning doesn't technically break end-to-end encryption. it does something worse: it makes it irrelevant.
if your device scans content before encrypting it, the encryption is theater. the content has already been analyzed. the "end" in "end-to-end" doesn't include your own device if your device is the surveillance tool.
Signal's president Meredith Whittaker put it bluntly: "there's no way to implement client-side scanning that doesn't create a backdoor. and there's no backdoor that only good guys can use."
what you can do
right now
the best thing you can do is prepare. switch your messaging apps to ones that will resist — Signal, Session, or self-hosted Matrix. get a VPN to protect metadata. switch your DNS to encrypted providers.
politically
contact your MEP. specifically, contact the members of the LIBE committee (civil liberties, justice, and home affairs). they're the ones drafting the parliament's position. use votewatch.eu to find them.
the country-by-country guide has specific contact information and action items for each EU country.
legally
there are legal challenges being prepared. the European Data Protection Supervisor has already raised concerns. multiple civil liberties organizations are preparing court challenges. but legal challenges take years. you need to protect yourself now.
my take
1.2 is the real threat. 1.0 was just the foot in the door. once the scanning infrastructure is built under 1.0, 1.2 makes it permanent and expands it.
the negotiation process is deliberately opaque. the timeline is deliberately aggressive. the scope is deliberately vague. this is legislation designed to pass before people understand what it does.
if you're reading this, you're already ahead of 99% of people. share this page. tell your friends. contact your MEP. the fight isn't over — 1.2 hasn't passed yet. but the window is closing.
last updated: july 2026