The European Union is on the verge of enacting one of the most sweeping surveillance regimes in the West, under the benign-sounding pretext of child protection. The legislation—dubbed Chat Control by critics—would force messaging services like WhatsApp, Signal, and Telegram to scan every private message sent on their platforms, destroying the concept of encryption and privacy.
On July 1, 2025, Denmark assumed the rotating presidency of the Council of the EU, and almost immediately the long-stalled Chat Control (the Child Sexual Abuse Regulation, or CSAR) was put back on the agenda. Multiple trackers now point to a Council position push in September and a potential adoption vote on October 14, 2025 under the Danish Presidency.
Behind this proposal lies a well-funded network of NGOs, foundations, and lobbyists that have worked for years to normalize mass surveillance under the guise of protecting children. But a closer look reveals commercial incentives and a playbook that weaponizes child safety fears to justify breaking end-to-end encryption for everyone.
While defenders of the initiative have limited their arguments to child safety, the longer-horizon plan is to systematize “lawful access” to encrypted data. This will create an official doorway around end-to-end encryption that, once built, won’t only be used for the worst crimes. The temptation to expand its use will be structural and permanent.
As the Foundation for Freedom Online has previously revealed, governments and their NGOs have already attempted to build surveillance networks to monitor private messaging platforms to discover and report “mis, dis, and malinformation.” Dubbed “civic listening” by its advocates, this initiative involved a network of volunteer informants, passing messages from private chat groups to centralized “disinformation” databases. Given that disinformation is now regulated under the EU’s Digital Services Act, the mandatory establishment of scanning systems for private encrypted chats will likely be used for more than just hunting down child predators and terrorists.
How the EU Was Sold on Mass Surveillance
The Danish presidency of the EU Council introduced the measure, citing child protection. But the groundwork had already been laid. In 2023, the EU’s High Level Group on Access to Data for Effective Law Enforcement was tasked with developing ways to bypass encryption.

By March 2025, the group’s report described end-to-end encryption as one of the main technical challenges for law enforcement. Its recommended workarounds—client-side scanning, operating system backdoors, and “secure enclaves”—were not about privacy, but about giving governments a pathway to mass data access.
The report noted privacy concerns, but went on to propose what many consider technically impossible: enabling chat monitoring without compromising the encryption that protects privacy.

In parallel to the HLG’s work, EU interior ministries have promoted a technical blueprint for “Law Enforcement Operational Needs” (LEON). The LEON framework sketches how providers could be compelled to facilitate access to data and enable detection orders—even in end-to-end encrypted environments—anticipating “client-side” scanning and other workarounds flagged in the EU Parliament’s own research analyses (EPRS study).
Funders and Coalitions
A central player is the WeProtect Global Alliance, which emerged from a 2016 merger between the EU Commission, the US Department of Justice’s Global Alliance and the UK’s WePROTECT initiative (see official histories). The alliance now counts 300+ members drawn from governments, major tech firms and NGOs, and promotes a “Model National Response” adopted by many states.
WeProtect’s threat assessments and web resources discuss scanning options that would be compatible with (or bypass) strong encryption in theory: client-side scanning, homomorphic encryption, and “intermediate secure enclaves”.
Investigative reporting has mapped how major philanthropy and private vendors are intertwined with EU policy. A 2023 cross-border investigation details how Thorn engaged closely with the Commission on CSAR and hired FGS Global for at least €600,000 in 2022, while selling scanning tools commercially—including $4.3 million in US DHS licenses.
The same investigation tracks philanthropic money flows that shape the Brussels child-safety ecosystem. Oak Foundation funding supports major NGOs and policy convenings; its 2024 annual report confirms extensive grant-making in this portfolio. Coalitions such as ECLAG (whose steering group includes Thorn) explicitly lobby for passage of CSAR (ECLAG FAQs).
What Experts and Practitioners Say
Arda Gerkens, former director of the Dutch hotline Offlimits (EOKM), warns that companies “presenting themselves as NGOs but acting more like tech companies have influenced [the] regulation,” adding that such groups “have a commercial interest.”
Signal president Meredith Whittaker argues scanning vendors are positioning themselves as liability shields for Big Tech: they offer a “get out of responsibility free card” by promising to “host the hashes” and “maintain the AI system.”
University of Cambridge cryptographer Ross Anderson cautions that “the security and intelligence community have always used issues that scare lawmakers, like children and terrorism, to undermine online privacy.”
The Technical Reality Check
Despite repeated rebranding, client-side scanning is not a magic exemption from cryptography. The EU Parliament’s own study warns such scanning “violates the essence of the right to private life”. The Internet Society calls client-side and server-side scanning “backdoors.”
After pausing its controversial CSAM-scanning plan in 2021, Apple confirmed in 2022 that it would not proceed—and in 2024 told US regulators it had concluded the approach was “not practically possible” without imperiling user security and privacy. Sources: Wired (Dec 2022); Apple filing (Oct 2024).
The UK, meanwhile, effectively conceded in 2023 that its internet regulator, Ofcom, cannot require scanning of E2EE messages unless such technology actually exists and meets privacy/security requirements.
What Happens Next
Denmark’s presidency (July–December 2025) has revived Council deliberations toward an autumn decision on CSAR. Official presidency listings and parliamentary trackers point to a tentative October 14 vote. Regardless of the exact dates, the broader ‘lawful access’ roadmap (Commission roadmap, June 24, 2025) will run in parallel, keeping pressure on encrypted services beyond CSAR.




