Following a major public outcry, a clarification in the EU’s controversial “Chat Control” law appeared to secure a victory for privacy advocates. However, a group of 18 of Europe’s top cybersecurity and privacy academics has now issued a stark warning that the latest proposal still contains “high risks to society without clear benefits for children.”

Their open letter arrives just before the EU Council’s ambassadors are set to endorse the proposal on November 19. An endorsement would lock in the EU governments’ position, likely leading to a formal adoption in December and setting the stage for tense negotiations with the European Parliament in the new year.

The controversy centers on the Child Sexual Abuse Regulation (CSAR). After widespread protests, mandatory scanning of private communications was removed from the EU Council’s draft. A further clarification on November 13 confirmed that “Nothing in this Regulation should be understood as imposing any detection obligations on providers.”

This led privacy advocates like former Pirate Party MEP Patrick Breyer to declare a partial victory: “We’ve prevented mandatory Chat Control through the back door. But anonymity-breaking age checks and ‘voluntary’ mass scanning are still planned. The fight continues next year!”

Now, cybersecurity experts from institutions including ETH Zurich, KU Leuven, and the Max Planck Institute are amplifying that warning, arguing that two core elements of the revised Council proposal create new, unacceptable dangers.

Key Concerns Raised by Experts:

1. Flawed ‘voluntary’ AI Chat Control Creates Dangerous False Positives
The experts warn that unlike the previous Council’s proposal, the new text expands scanning of private communications to include automated text analysis, using AI to identify ambiguous “grooming” behaviours. They argue this will create a dragnet that ensnares innocent people. “Current AI technology is far from being precise enough to undertake these tasks with guarantees for the necessary level of accuracy.”

The letter states that this expanded scope “only opens the door to surveil and examine a larger part of conversations, without any guarantee of better protection.” It warns of a “high risk of diminishing overall protection by flooding investigators with false accusations that prevent them from investigating the real cases.”

2. Mandatory Age Verification Systems That Discriminate and Invade Privacy
The Council’s proposal would mandate age verification and assessment for app stores and private messaging services, promising that such measures “should preserve privacy”. The academics describe this as dangerous and unworkable: “Age assessment cannot be performed in a privacy-preserving way with current technology due to reliance on biometric, behavioural or contextual information… In fact, it incentivizes (children’s) data collection and exploitation. We conclude that age assessment presents an inherent disproportionate risk of serious privacy violation and discrimination, without guarantees of effectiveness.”

The alternative approach of requiring official documents for age verification would cut off a “substantial fraction of the population” from essential online services, including vulnerable individuals who may not have easy access to digital IDs.

Perhaps most concerning, the experts warn that age verification measures are easily circumvented and could push children toward more dangerous platforms: “Age verification controls can be easily evaded, by using providers outside the EU or VPNs to avoid geolocation checks… Both cases can result in higher risks for children because these alternate services are likely to present security risks (weak or absent encryption) and extensive tracking practices, sometimes for malicious purposes.”

Outlook:

If the Council does not heed the academics’ warnings, age checks and ‘voluntary’ mass scanning are set to become a central battleground in next year’s negotiations with the European Parliament, whose mandate seeks to remove mandatory age checks and limit scanning to the communications of criminal suspects only.

According to a leaked government memo, Italy also raised concerns last week, questioning whether voluntary chat surveillance can adequately safeguard user privacy. The Italian government fears the tool could be expanded to cover other crimes, which makes it difficult for them to support the proposal. Poland, too, reserved further examination.

About the Signatories:
The letter is signed by 18 distinguished professors and researchers in cybersecurity, cryptography, and data privacy from leading universities and research centers across Europe, including Aarhus University (Denmark), École Polytechnique (France), CISPA Helmholtz Center for Information Security (Germany), ETH Zurich (Switzerland), and KU Leuven (Belgium).

Read the scientists’ open letter: csa-scientist-open-letter.org/…

See also Patrick Breyer’s assessment

patrick-breyer.de/en/eu-chat-c…