On 9 July 2026 the European Parliament voted to extend "voluntary" mass scanning of private messages and photos, the exemption from EU privacy law commonly called Chat Control. We build encrypted, self-hosted chat software, so we are not going to cover this one neutrally. This is a genuine threat to private communication in Europe, it just passed through a vote that most of the people in the room actually opposed, and the much larger regulation behind it, Chat Control 2.0, would be far worse. Here is what happened, what it would actually mean for you, and what we will do about it.
What was voted on
The measure extends a temporary exemption from the ePrivacy Directive that lets platforms like Meta and Google keep scanning private messages and photos for known CSAM and grooming patterns. On its own it is not a legal mandate to scan, it just keeps that scanning legal for platforms that choose to do it, for another two years, until 3 April 2028.
How it was pushed through
This same text had already failed twice. In late June 2026, Parliament President Roberta Metsola brought the Council's proposal back to the floor through an expedited procedure, a maneuver critics call a procedural trick, since the same text had already been rejected once. On 7 July, MEPs voted 331 to 304 to fast-track a decisive vote for two days later.
On 9 July, the result flipped on a technicality that should worry anyone who thinks a majority vote means what it says. A majority of MEPs actually present, 314 of them, voted against the extension. But this was a second-reading procedure, and blocking it required an absolute majority of all 720 MEPs, 361 votes, not a majority of whoever showed up. The "no" side landed 47 votes short. A proposal that lost the actual vote in the room was recorded as passed, because not enough of its opponents were present to reach the threshold.
That is not democracy working as intended. That is a quorum rule being used to manufacture an outcome the room did not vote for.
Why this should scare you
- The math was rigged by procedure, not opinion. More MEPs voted against this than for it. It passed anyway. That is the mechanism working exactly as its authors intended: bring it back enough times, on the right procedural track, and eventually absence does the job that persuasion could not.
- "Voluntary" scanning at this scale is still mass surveillance. Every message and photo run through a detection model is a message a machine has read that was never meant for it. False positives are not a rounding error, they are a certainty at this volume, and there is no independent judge in the loop before your private photos are flagged.
- It is rehearsal for something much bigger. This vote is a dry run for CSAR, the actual Chat Control 2.0, which is not close to settled.
What Chat Control 2.0 (CSAR) would actually do to you
What passed on 9 July is not Chat Control 2.0. That is the Child Sexual Abuse Regulation, CSAR, still stuck in trilogue negotiations between Parliament, the Council and member states after five rounds and no agreement, even after the supposedly final round on 29 June 2026. Its most aggressive version would force providers, including end-to-end encrypted services, to scan every single message on your own device before it is ever encrypted. This is called client-side scanning, and you should understand exactly what it means in practice, not as an abstract policy term.
It means an algorithm sitting on your phone, reading every photo and every message you write, before you send it, before your encryption even runs. Not because you are suspected of anything. Because you own a device with a messaging app on it. When that algorithm decides something looks wrong, and independent researchers have shown these classifiers misfire constantly, your private content gets flagged, reviewed by a stranger, and potentially handed to police, with no warrant, no suspicion, and often no way for you to ever find out it happened. This has already happened to innocent people outside the EU: a father in the US had his Google account permanently disabled and was reported to police after taking medical photos of his sick child for a doctor, because an automated scanner misread them. That is what "the system works" looks like when it fails, and CSAR would build that same machinery directly into every encrypted app in Europe.
There is no version of this that only catches the guilty. A scanning mechanism built into your device to read your messages before encryption is a backdoor, full stop, and every security researcher who has looked at this seriously agrees on one point: there is no way to build a backdoor that only works for "the good guys." Once that scanning hook exists, it exists for whoever can compel the provider to point it somewhere else, this year for CSAM, next year for whatever a government decides is unacceptable speech.
The Council now has three months to respond to Parliament's position, which notably proposes excluding end-to-end encrypted communication from mandatory scanning. Whether that exclusion survives the rest of the negotiation is the actual fight that determines whether encrypted messaging still means anything in the EU. This week's vote was not that fight. It was the warm-up.
Where CypherBay stands
Nothing changes today. CypherBay's server never sees plaintext: messages and files are encrypted in your browser with AES-256-GCM before they ever reach us, and we never hold the key. There is nothing on our server to "voluntarily scan," which is all this week's vote extended. That part of Chat Control does not touch architectures like ours.
CSAR is the one that would. So we are saying this plainly, now, before we are ever forced to say it under pressure:
CypherBay will never give any authority, the EU or anyone else, the means to install a backdoor in this software. Not client-side scanning, not key escrow, not a "lawful access" hook, nothing that lets a third party read a message before the person it was written for does. We will not weaken this encryption for a court order, a regulation, or a polite request. If a law is ever passed that requires it, we will not comply quietly and we will not comply at all: we will shut CypherBay down before we ship code that spies on our own users on a government's behalf.
They can try to take our domain offline. They can seize our server. That is a power they have, and if they use it, they use it. What they do not have, and will never get from us, is our help building the tool that betrays the people who trusted this project. We will not do that for the EU. We would not do it for anyone.
If you want to do more than read about this, contact your MEP before the Council's three-month window closes, and follow independent trackers like Patrick Breyer's Chat Control page for what happens next. We will post here again the moment CSAR moves.
< Back to blog