Secure and private digital communications are under fire again in Europe, where authorities continue to put pressure on messaging apps that use end-to-end encryption (E2EE).
One such measure is the European Union’s “Chat Control” proposal, which is a response to the horrific problem of child abuse material transmitted over digital channels. Its official name is Regulation to Prevent and Combat Child Sexual Abuse or CSAR, and the proposal’s been in the pipeline since 2022.
In simple terms, “Chat Control” would entail automated scanning of users’ devices and what they send, before it is encrypted. If objectionable content is found, it is automatically forwarded to the police. This is a way to get around secure E2EE protected communications, and to tackle abusive content right at the source.
That may seem reasonable at first glance, but it only takes a moment to realise that “Chat Control” would severely harm people’s online privacy, and create an enormous state surveillance apparatus.
No technology is perfect, and there’s every reason to believe that “Chat Control” scanning would make errors and automatically dob in the innocent. Mission creep beyond searching for child abuse material is likely, data breaches ditto, and of course, “Chat Control” would break E2EE.
App providers such as Signal have made it clear that they will leave the EU rather than compromise their users’ privacy but that might not help as “Chat Control” would have global reach.
Despite a huge amount of warning flags going up, 12 EU countries support “Chat Control”. Nine EU nations oppose it, and the latest is that Germany, which obviously carries a huge amount of weight in the bloc, has come out against “Chat Control” as it doesn’t think private communications should be under blanket suspicion.
The German federal justice minister Stefanie Hubig said on social media that mass scanning of private messages must be taboo in a constitutional state, and the country will not agree to the EU “Chat Control” proposals.
Massenhaftes Scannen privater Nachrichten muss in einem Rechtsstaat tabu sein. "Solchen Vorschlägen wird Deutschland auf EU-Ebene nicht zustimmen", betont Bundesjustizministerin Stefanie Hubig. (1/2) pic.twitter.com/74cWYOy9TX
— BMJV (@bmjv_bund) October 8, 2025
We’ll see where this goes, but it’s unlikely to be the last such attempt by the authorities. Apple is sparring with the United Kingdom, where the government is using legal means to demand the tech company maintains encryption but provides a backdoor for authorities.
Apple has already disabled its Advanced Data Protection feature that provides E2EE for iCloud backups for British users, rather than providing backdoor access.
Why does encryption matter?
Encryption of data and communications going over the Internet is hugely important. The Internet is a very hostile environment these days, and it doesn’t matter how innocuous you think the data you share across it is, you do not want to transmit or receive anything in clear text that others can and will intercept.
E2EE takes that security feature further. It ensures that your endpoint, be it an application or a device, scrambles network data communications. That data can then only be decrypted by the intended recipient; and vice versa for data reaching you.
Even if your data is intercepted, E2EE protection means it can’t be read by others.
Undermine encryption and E2EE and you can forget about a great many things that we take for granted, like secure Internet banking, e-commerce, social media, government sites and even working online.
It just wouldn’t be safe anymore. The risks of compromised encryption aren’t theoretical as a recent major law enforcement operation illustrates.
How criminals ratted on themselves through an app
Is E2EE the ultimate in bulletproof security and privacy, a system that ensures all your communications are kept safe from whatever prying eyes that would like to see what you’re saying?
It’s certainly a great tool for that, but never underestimate the power of human ingenuity when it comes to getting around seemingly impenetrable digital defences. Criminals in New Zealand, Australia and the United States who were using the AN0M encrypted messaging app, thinking there was no way their chats could be intercepted, experienced just this.
Unknown to the criminals, the US Federal Bureau of Investigation and Australia’s Federal Police had seized the opportunity to take control of the development of AN0M, after the app’s main coder faced legal trouble.
Long story short, AN0M had a secret encryption bypass. The app would forward copies of the criminals’ messages to police in Australia and the US. There were lots of AN0M users, including 65 in NZ, and the captured messages volume over three years is massive.
Prosecutions in the AN0M cases look set to continue after the High Court of Australia validated retrospective legislation confirming the evidence was lawfully obtained.
There are other cases of encrypted apps being compromised, like EncroChat and SkyECC, by the authorities who were able to listen in on criminals’ uninhibited communications.
Also known as Operation Ironside in Australia and Operation Trojan Shield in the US, it was the biggest of its kind in the world. Around 12,000 devices were distributed in over 100 countries, 28 million messages were intercepted, and 390 were arrested.
Nobody should feel sorry for the criminals getting caught in the AN0M operation, but at the same time, it shows the power of breaking encryption. It is power that can be aimed at anybody.
5 Comments
“Ultimately, arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”
Edward Snowden
And yet we are urged by government to be 'safe' from bad actors on line - meaning either abandoning the web for all but the most basic things, or the use of security like VPNs and end-to-end encryption that the powers that be also say they don't like.
Kind of mixed messages there.
You have to admit there's a slippery slope both ways here. We demand effective policing and interruption of gangs that have the power to cripple our populations, but yet we also demand absolute privacy in our communications to the point where nobody can ever know what we say. It's not actually possible to have both.
It wasn't that long ago we made landline calls that the police could easily tap with a warrant. It didn't prevent phone banking, corporate dealmaking, or even faxing mail-orders with credit card numbers. This theory that unbreakable encryption is required for the daily functioning of our lives is flawed. The only reason widespread E2EE and TLS everywhere happened was because Snowden disclosed the NSA was watching everyone. We don't have to tolerate that.
Yes it's easier than ever for authorities to mass-monitor communications if they can get them in plaintext. Yes there will be bad actors in power who use that power to stalk their ex. And yes, measures to prevent child abuse will later be abused for secret surveillance. But really, are we anarchists? Do we believe society is better off without policing? Can we not have appropriate guardrails and independent oversight? We're going to snuff out our society if we continue to be so absolutist.
A good portion of the world's population lives in places like China where encryption keys need to be handed over to the state as a condition of using encryption, and content providers need to be licensed. Yes it's dystopian, but again merely 20 years ago our daily lives operated with a similar government monitorability and control. I don't think people in China feel unsafe conducting online banking or ecommerce just because the state can see their traffic. They rightly recognise the government can compel those providers to hand over their records anyway. I don't think they have the balance quite right, but I'm using it as an example of the sky not falling just because E2EE isn't absolute.
I think we need to be a bit more grown up about this.
There's definitely tension between privacy and security, but your framing mischaracterises both the technical realities and what's at stake.
Modern encryption isn't about "absolute privacy" versus "effective policing." It's about whether we deliberately weaken everyone's security to potentially catch some criminals, who could simply use non-weakened encryption from other countries anyway.
The comparison to landlines breaks down because digital surveillance scales infinitely in ways physical wiretaps never could. In the landline and fax machine era, monitoring everyone's communications was impossible. Today it's trivial if encryption is weakened.
Using China as an example that "the sky hasn't fallen" is baffling. China is an authoritarian state where online speech leads to arrest, social credit systems monitor behaviour, and self-censorship is pervasive. If that's not a fallen sky, what is?
Targeted surveillance with judicial oversight remains legal and effective. The question is whether we should fundamentally weaken security for everyone to make mass surveillance easier, despite historical evidence that oversight fails and powers are abused.
Yes I realise the horse has largely bolted and the bad guys won't use mainstream technology if it's known to be monitored. Similarly those in China who want to speak freely have their circumvention mechanisms they use.
But there is a barrier to entry doing something like that.
I don't necessarily agree that a carefully legislated key escrow mechanism constitutes generally weakened security. It's far preferable to the status quo where the NSA sneaks backdoors into the algorithms themselves, effectively giving them access to communications our own law enforcement can't get. Our corporate environments already have such key escrow or MITM for "compliance", but we seem to see that as far more acceptable and secure than a state that demands the ability to enforce laws.
General purpose encryption should be there to protect us from those snooping open wifi, malicious ISP or backbone staff, or foreign adversaries tapping undersea cables. That's what it was for in the early days of the internet. In those days we knew the algorithms we used were weak enough for the state to crack. Historically people simply didn't have the open ability to withhold their communications from the state. We've sort of granted ourselves that capability because we could, and defend it in a way that likens our own governments to the East German regime. A democratic governments should be an extension of us as a people, so automatically assuming they're the boogeyman is a bit rich, and I think the debate should be a little more considered. A lot of harm happens online, much of it to children or even between children. Sometimes the greater good is in being able to disrupt harm.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.