The current proposal, presented by the Council Presidency in July 2025, does include some improvements regarding reporting obligations and providers’ response options. In key areas, however, it represents a step backwards, as previously foreseen safeguards have been weakened.

Open letter signed by more than 450 researchers

On September 8, over 450 scientists from 34 countries published a new open letter, the fourth of its kind. Among the signatories are 115 researchers from Germany, including 6 members from TU Darmstadt and many alumni. While they welcome improvements such as faster reporting obligations and the option for voluntary notifications, they still see significant risks. Their main points of criticism:

• The proposed technologies are technically ineffective, generate many false positives, and can be easily circumvented.
• Measures such as on-device scanning undermine end-to-end encryption, are disproportionate, and violate fundamental rights.
• There are alternative measures that contribute more effectively to child protection online and are also recommended by organizations such as the UN. These include better prevention programs, awareness initiatives, improved reporting pathways, and keyword-based interventions.

The researchers also warn of so-called “function creep”, the gradual expansion of surveillance and censorship measures, and of potential misuse by authoritarian regimes.

EMC² highlights that chat control would be useless

A research project from the research groups ENCRYPTO (Gowri Chandran, Dr. Kasra Edalat, Prof. Thomas Schneider) and PEASEC (Kilian Demuth, Dr. Sebastian Linsner, Prof. Christian Reuter) at TU Darmstadt demonstrates how easily such monitoring mechanisms could be bypassed, both by people with good intents who want to protect their fundamental rights (e.g., journalists, activists, people facing discrimination, etc.) but also those with malicious intents (e.g., criminals). Their demonstrator, called EMC² (Encrypted Multi-Channel Communication), sends encrypted parts of a message over multiple independent communication channels. Even if a provider were forced to scan content, confidentiality would remain intact. EMC² is designed to be understandable for the general public, showing that you don't need to be tech-savvy to set up secure communication.

The conclusion is clear: systems for chat control could be circumvented with ease and without any technical expertise. The burden of weakening such protections, however, falls disproportionately on those acting in good faith. While determined criminals will usually find ways to shield their communication, ordinary citizens, companies, and institutions are the ones who lose privacy and security when encryption is undermined. For the researchers, one thing is certain, both child protection and secure communication are indispensable. The current proposal, however, does not resolve either issue. They therefore call for political decisions to be based on scientific expertise and for encryption, as the foundation of digital security, not to be weakened.

Implications for Germany and Europe

The coming weeks will be decisive. With the Child Sexual Abuse Regulation (CSAR), the European Commission aims to oblige platform providers to detect and report certain content. The proposal includes mandatory technical measures such as age verification and content scanning. The revised version from July 2025 initially limits detection to images and links, but explicitly allows for a future extension to text messages. Experts warn that this would break end-to-end encryption. Member states are scheduled to debate the regulation on September 12, with a Council vote planned for mid-October 2025.