If you’ve sent a photo, document, or voice note through WhatsApp, Telegram, or Messenger in the last few years, there’s a reasonable chance it passed through — or was at risk of passing through — a scanning system you never agreed to. The EU’s “Chat Control” proposal, formally the Child Sexual Abuse Regulation (CSAR), has been one of the most contested pieces of digital policy in Europe, and 2026 brought real movement on it.
Here’s what actually happened, what’s still in motion, and why it matters even if you don’t live in the EU.
What Expired in April 2026
For several years, EU law included a temporary, voluntary exemption that let platforms like Meta, Google, Microsoft, and TikTok scan private messages for child sexual abuse material without violating EU privacy law. That exemption — often called Chat Control 1.0 — expired on April 3, 2026.
In March 2026, the European Parliament voted against extending it. Practically, this means the platforms that had been voluntarily scanning private messages under that exemption lost the legal basis to keep doing so, at least under that specific provision. It was, for privacy advocates, a genuine and notable win.
What’s Still Being Negotiated: CSAR (Chat Control 2.0)
The bigger fight was never really about the temporary exemption — it’s about the permanent regulation meant to replace it. CSAR would require messaging platforms to scan private communications, including end-to-end encrypted ones, for child abuse material.
The technical mechanism proposed to make this possible is client-side scanning: software on your device would scan message content — photos, files, text — before encryption is applied, compare it against a database, and flag any matches. The argument for it is straightforward: end-to-end encryption otherwise makes that content unreadable to anyone, including investigators looking for genuinely illegal material.
The argument against it is just as straightforward, and it’s the one most security researchers and privacy organizations have made consistently: a scanning system built into the device, running before encryption, is functionally identical to a backdoor. Once that scanning infrastructure exists, the question of what else it scans for — and who controls the matching database — becomes a policy decision, not a technical limitation. Trilogue negotiations on CSAR resumed in early May 2026, with a political deal targeted for July.
A Brief History of a Very Long Fight
Chat Control isn’t a new proposal that suddenly appeared in 2026 — it’s the latest stage of a debate that’s run since 2022, when the European Commission first proposed CSAR. The original draft was broad enough to alarm privacy regulators, security researchers, and even some EU member states, leading to repeated delays, revisions, and a temporary voluntary scanning exemption rather than a permanent mandate, while negotiators tried to find language that could pass.
That temporary exemption is the Chat Control 1.0 that expired in April 2026. Its expiration wasn’t the end of the underlying push — it was a gap between the old stopgap and whatever permanent version eventually passes. Treating the April expiration as the end of the story would be premature; it’s better understood as a pause in a fight that’s been going on for several years and is explicitly continuing through 2026’s trilogue negotiations.
Understanding this history matters because it explains why neither side treats any single vote as final. Privacy advocates who celebrated the March 2026 Parliament vote were clear that it addressed the temporary exemption, not the permanent regulation still being negotiated. The version that ultimately gets adopted — if one does — could look meaningfully different from both the original 2022 proposal and the current CSAR draft.
Why “It’s Just for CSAM” Doesn’t Settle the Debate
The stated purpose of CSAR is narrow and serious: detecting child sexual abuse material that genuinely warrants intervention. Few people disagree with that goal. The disagreement is about whether client-side scanning is a method that can stay narrow once deployed.
A few structural concerns keep coming up in the policy debate:
The matching database isn’t public or auditable in the way the law itself is. Once scanning infrastructure exists on a device, what it matches against is a database maintained and updated by an authority, not something an individual user can verify.
Scope tends to expand. Surveillance infrastructure built for one stated purpose has a documented history of being repurposed or expanded — through later legislation, court orders, or function creep — once it’s already deployed and normalized.
It changes the security model of encryption itself. End-to-end encryption’s value proposition is that no one but the sender and recipient can read the content. Client-side scanning means something else reads it — just before encryption rather than after — which is a meaningful distinction in messaging diagrams but a much smaller one in practice for the person whose message just got scanned.
None of this means the underlying problem CSAR is trying to solve isn’t real. It means the proposed solution has costs that extend well past its stated target.
What a VPN Doesn’t Solve Here
A common reflex when people hear about scanning or surveillance legislation is to reach for a VPN. It’s worth being direct about why that doesn’t apply here: a VPN protects the network path your traffic takes — hiding your IP address and encrypting traffic between your device and the VPN server. Client-side scanning, as proposed under CSAR, happens on the device itself, before your message is even sent. A VPN has no visibility into, or influence over, what an app does to content before it leaves your phone.
This is a useful distinction to internalize broadly: a lot of privacy tooling protects against network-level observation — your ISP, a coffee shop Wi-Fi network, a government intercepting traffic in transit. Client-side scanning is a different category of risk entirely, baked into the app itself rather than the network it runs on. No amount of network-layer privacy tooling addresses it, because the scanning happens before the network is even involved.
What This Means If You’re Not in the EU
EU regulation has a track record of setting de facto global standards, because platforms generally build one version of their product rather than maintaining separate architectures per region. GDPR is the clearest example — a regulation written for the EU that ended up shaping privacy practices for companies operating well outside it.
If CSAR passes with a client-side scanning requirement, the realistic outcome is that major messaging platforms build that capability into their core product, not into an EU-only build. That makes this a relevant story regardless of where you’re reading this from.
Why Security Researchers Keep Calling This a Backdoor Debate
One detail that gets lost in coverage of CSAR is that the objection isn’t really about child safety policy at all — it’s a long-running argument within cryptography and computer science about whether “scan before encryption, but only for bad content” is even a coherent design.
The technical consensus among researchers who’ve studied this, including in open letters signed by hundreds of cryptographers over the life of this debate, is that there’s no way to build a scanning system that only ever flags the intended content. Any system capable of matching message content against a database, running on-device before encryption, is general-purpose scanning infrastructure — the restriction to a specific use case is a policy choice layered on top of the technology, not a property the technology enforces by itself. That’s the crux of the “backdoor” framing: not that CSAR’s authors intend misuse, but that the infrastructure being proposed doesn’t distinguish its intended use from a much broader one.
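The design point above, as an added example that is not from the original article or from any real messaging app: a constructed Python client that checks each message against a set of opaque digests before encrypting it. Exact SHA-256 matching stands in for a perceptual hash and `toy_encrypt` for the app's end-to-end encryption layer; all names and sample messages are assumptions.

```python
import hashlib
import os

def digest(content: bytes) -> str:
    # Assumption: exact SHA-256 stands in for the perceptual hash a real scanner would use.
    return hashlib.sha256(content).hexdigest()

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Placeholder for the app's E2EE layer (SHA-256 keystream XOR). Not real cryptography.
    nonce, stream, counter = os.urandom(16), b"", 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

class Client:
    """Hypothetical messaging client with scanning built in ahead of encryption."""

    def __init__(self, key: bytes, match_db: set):
        self.key = key
        self.match_db = match_db  # opaque digests; the client cannot tell what they represent
        self.reports = []         # what leaves the device outside the encrypted channel

    def send(self, plaintext: bytes) -> bytes:
        d = digest(plaintext)     # the scanner reads the plaintext first
        if d in self.match_db:
            self.reports.append(d)
        return toy_encrypt(self.key, plaintext)  # only then is the message encrypted

def demo() -> dict:
    key = os.urandom(32)
    # Constructed sample messages, not real content.
    listed = b"constructed sample standing in for listed material"
    leaflet = b"constructed sample: protest leaflet"
    holiday = b"constructed sample: holiday photo bytes"
    messages = (listed, leaflet, holiday)

    narrow_db = {digest(listed)}
    widened_db = narrow_db | {digest(leaflet)}  # a database update, no code change

    results = {}
    for name, db in (("narrow", narrow_db), ("widened", widened_db)):
        client = Client(key, db)
        wire = [client.send(m) for m in messages]
        plaintext_on_wire = any(m in c for m in messages for c in wire)
        results[name] = (len(client.reports), plaintext_on_wire)
    return results

if __name__ == "__main__":
    print(demo())
```

The same `Client` code reports one message with the first database and two with the second, and in both runs the ciphertext on the wire never contains the plaintext: the encryption is intact, and what gets flagged is decided entirely by the database contents.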
What to Do With This Information Now
Nothing here is settled — a political deal targeted for July 2026 is not the same as finalized law, and implementation timelines for regulations like this typically run years past initial passage. But a few practical takeaways hold regardless of how the negotiation lands:
Messaging apps are not file storage, even when they’re end-to-end encrypted. This has always been true, but it’s worth restating: a chat thread is the wrong place to keep a scanned ID, a medical document, or years of family photos, independent of any scanning debate. Threads get deleted, accounts get migrated, and message history isn’t built for long-term retrieval the way dedicated storage is.
Understand what “encrypted” protects against, and what it doesn’t. End-to-end encryption protects message content from interception in transit and from the platform itself reading it under normal operation. It does not, by itself, prevent a government from requiring scanning at the endpoint — that’s a separate, ongoing legal and technical fight, and CSAR is the current chapter of it.
Keep your personal archive separate from your messaging history. Whatever happens with CSAR, the safest position is one where the files you actually care about — photos, documents, voice notes — aren’t dependent on a messaging app’s retention policy or its encryption architecture being a moving regulatory target. daftei stores files with AES-256 encryption at rest and TLS 1.3 in transit, is GDPR and CCPA compliant, and is built specifically for personal storage rather than messaging — a different category of product facing a different set of legal obligations than chat apps caught in the middle of this fight.
This is a story worth following over the rest of 2026, not a settled outcome. But the underlying lesson — that your most important files shouldn’t live exclusively inside apps whose core function and legal obligations are still being actively renegotiated — holds either way.