Chat Control and ID Checks Threaten Privacy

• By SMSPool Admin
• October 8, 2025
• News

Why Chat Control and Age Verification Threaten Privacy

The EUs Chat Control (CSA Regulation) and distinct age-verification proposals together pose a double threat to your privacy. Scanning every message on your device would break end-to-end encryption, while centralised ID checks under new eID and media-services rules would erase anonymity. Together, theyd overwhelm authorities with false positives and create a honeypot of personal data. Act now: keep the blocking minority in the Council, demand targeted safeguards, and mobilise civil society by 14 October 2025.

1. What Chat Control Actually Does

Chat Control is the EUs draft Regulation to prevent and combat child sexual abuse, officially known as the CSA Regulation. It would:

1. Require communication providers to run AI and machine learning scans on every piece of private content, messages, emails, chats, images, videos, and voice recordings, directly on users devices before any encryption takes place.
2. Enforce continuous, universal inspection for both known and unknown child sexual abuse material (CSAM) without any individualised suspicion or warrant.
3. Mandate technical back doors that break or weaken end-to-end encryption.
4. Automatically report any flagged content to national authorities, creating a pipeline of personal data from all users to law enforcement.
5. Harm free expression, as users will self-censor, even perfectly legal conversations out of fear of being flagged, reported, or deemed outside the status quo.

This Regulation does not include ID checks, see Section 2 for age-verification proposals advancing in other files

Click here for a great video by Patrick Breyer (Owner of Chatcontrol.eu) explaining Chat Control (CSA).

Here is an infographic explaining Chat Control (CSA)'s scanning plans:

2. How Distinct Age-Verification Proposals Work (Not part of CSA Regulation)

Platforms would be required to verify users ages under separate legislative files the eID Regulation (European Digital Identity Wallet) and the upcoming Media Services Act. In many proposed implementations, users would need to present official documents or government-issued digital IDs before using communication services. This approach would:

1. End anonymous or pseudonymous accounts.
2. Tie every message, chat, and email to a real-world identity.
3. Block anyone under 16 from installing mainstream messaging, social media or gaming apps that regulators deem likely to be used for grooming.
4. This would also create a huge centralised honeypot of various forms of ID cards available for an adversary to breach.

(These age-verification requirements are contained in the eID and media-services legislative files, not in the CSA Regulation itself.)

3. Why Chat Control Ends Digital Privacy

1. Breaks End-to-End EncryptionScanning on the client side forces backdoors into every encrypted conversation. That backdoor can be exploited by hackers, authoritarian governments, malicious insiders and foreign adversaries. There isn't a backdoor for the "Good guys' as a backdoor can be exploited by the bad guys.
2. Harvests Mass Data on CommunicationsEvery private communication becomes a source of metadata and content for authorities. There is no limit to the volume of data collected.
3. Harms Free ExpressionHarm free expression, as users will self-censor, even perfectly legal conversations out of fear of being flagged, reported, or deemed outside the status quo.
4. Creates Systemic VulnerabilitiesLeading cryptographers warn that any mandated client-side inspection expands the attack surface and makes all encrypted messaging less secure.

4. Why Age Verification Ends Digital Privacy

1. Eliminates Anonymity for at-risk usersWhistle-blowers, journalists, political dissidents and abuse survivors rely on anonymous or pseudonymous accounts to stay safe. Mandatory ID checks remove that protection.
2. Links Identity to Communication HistoryEvery piece of communication becomes part of a permanent, searchable record tied to your real-world identity. This enables profiling, behavioural analysis and potential misuse of personal data.
3. Increases Data Breach RiskCentralised databases of verified identities and communication histories become high-value targets for hackers, putting vast amounts of personal data at risk.

5. Chat Controls Status And The Current Timeline

As of 8th October 2025, the proposal is stalled. Germanys opposition, representing about 19 percent of the EU population, blocks the qualified majority needed for passage. Key milestones include:

• 12th December, 2024: A blocking minority halted mandatory controls.
• 1st July 2025: The Danish presidency reopened negotiations.
• October 7th 2025: Germany , Poland , and Luxembourg secured a blocking minority, leading to the cancellation of the scheduled Council vote for lack of a qualified majority.

6. Political Landscape

Opposition coalition (9 states): Austria , Czechia , Estonia , Finland , Germany , Luxembourg , Netherlands (We're based here), Poland , Slovenia

Supporting countries (14 states): Bulgaria , Croatia , Cyprus , Denmark , France , Hungary , Ireland , Lithuania , Malta , Portugal , Romania , Spain

Undecided (6 states): Belgium , Greece , Italy , Latvia , Slovakia , Sweden

Germanys position makes a qualified majority impossible for now, though future presidencies may revive the debate.

7. Industry Response and Legal Challenges

• Signals CEO Meredith Whittaker has vowed to withdraw from the EU rather than build surveillance backdoors.
• Meta/WhatsApp warns the law would break end-to-end encryption and put everyones privacy, freedom and digital security at risk.
• Germanys Federal Office for Information Security (BSI) on Chat Control: "Every breach of end-to-end encryption increases the attack surface and poses high risks."
• Global Encryption Coalition (Center for Democracy & Technology, Mozilla, Internet Society, etc.) has condemned client-side scanning as ineffective and rights-incompatible.
• EDRis Stop Scanning Me campaign highlights mathematical infeasibility and chilling impacts on privacy
• Former MEP Patrick Breyer is appealing a German court ruling to force default encryption and end bulk scanning. He argues that algorithmic surveillance opens private messages as if they were postal letters, is ineffective and illegal, and floods police with false denunciations. German police data show almost 40 percent of child pornography suspects last year were minors, demonstrating how sweeping measures risk criminalising innocent behaviour.

The European Court of Human Rights ruled in Podchasov v. Russia (2024) that mass surveillance and encryption backdoors violates fundamental human rights Experts also warn the Chat Control (CSA) Regulation breaches Articles 7 and 8 of the EU Charter on privacy and data protection.

8. Why Requiring IDs for Age Checks Backfires

• One troubling case involved Tea, a womens dating-safety app whose breach exposed 13,000 users government-issued ID cards to the public.
• The Discord Zendesk breach may have revealed passports, drivers licences, and emails of 2.1 million users who submitted them for age checks.
• In mid-2024, AU10TIX, an identity verification platform used by TikTok, Uber, X, and other popular platforms, had left its internal logs unprotected for over a year. Anyone who discovered the server gained access to links pointing directly to peoples uploaded IDs (passports, licences), plus names, birth dates, nationalities, and ID numbers.

This list of only a few incidents highlights how age-verification schemes turn personal documents into high-value honeypots that, once breached, can cause lasting harm.

9. The Hypocrisy of the EU

The Chat Control (CSA) Regulation expressly exempts national defence and military communications. Any messages sent over official armed forces networks or devices procured for military use would not be subject to client-side scanning or age verification requirements, this shows that there is one rule for the elites, and another for ordinary citizens.

The EU claims to protect privacy and children while simultaneously dismantling encryption and sweeping up everyones data. This contradiction exposes the Regulations true nature: a mass-surveillance regime that undermines the very rights it claims to safeguard.

10. Implications for Digital Rights and Privacy

Chat Control (CSA) and mandatory age verification threaten to dismantle both the technical and legal foundations of digital privacy. Civil society, technical experts and data protection authorities have so far succeeded in stopping this proposal, but the fight is far from over. Europes choices will set a global precedent for private communication in the digital age.

11. What now?

We must do the following:

1. Support the opposing countries such as Germany, Poland, Luxembourg, and other opposing Member States to maintain their qualified majority blockade by contacting national ministers and highlighting the irreparable privacy and security risks.

2. Engage PolicymakersMobilise citizens, SMEs, and civilsociety groups to submit concise feedback during the Digital Services Act review by 14 October 2025, demanding targeted warrants, mandatory DPIAs, and dueprocess safeguards instead of universal scanning.

3. Join the CoalitionSign and share the Stop Chat Control open letters and petitions, and encourage tech and privacy organisations to stand against clientside scanning and mass age verification.

We would like to thank the following organisations for signing Tuta's (Formerly Tutanota) letter against Chat Control:

Blacknight (Ireland)Commown (France)CryptPad (France)Ecosia (Germany)Element (Germany)E-Foundation (France)European Digital SME Alliance (EU trade association representing 45.000 EU SMEs)Fabiano Law Firm (Italy)FlokiNET (Iceland)FFDN (France)Gentils Nuages (France)Hashbang (France)Heinlein Group (Germany)LeBureau.coop (France)Logilab (France)Mailbox (Germany)Mailfence (Belgium)Mailo (France)Murena (France)Nextcloud (Germany)Nord Security (Lithuania)Nym (France / Switzerland)Octopuce (France)Olvid (France)

OpenCloud (Germany)OpenTalk (Germany)Phoenix R&D (Germany)Proton (Switzerland)Serendipiware (Greece)Skylabs (Ireland)Sorware Ay (Finland)Soverin (Netherlands)Startmail (Netherlands)Surfshark (Netherlands)TeleCoop (France)The Good Cloud (Netherlands)Threema (Switzerland)Tuta Mail (Germany)Volla Systeme GmbH (Germany)WEtell (Germany)Wire (Switzerland)XWiki SAS (France)zeitkapsl (Austria)

Return to knowledgebase