VPN Industry Opposes EU's Proposed Chat Control Scanning Bill
Key Points
- VPN Trust Initiative urges EU lawmakers to reject the Chat Control bill.
- Proposed client‑side scanning would occur before messages are encrypted.
- Industry leaders warn the measure would undermine end‑to‑end encryption.
- Over 500 cryptography experts have signed a warning letter to the EU Council.
- Eight EU countries have joined the opposition, while fifteen support the bill.
- Critics call for targeted, warrant‑based investigations instead of mass scanning.
The VPN Trust Initiative, representing leading VPN providers, has publicly warned against the EU's draft legislation known as "Chat Control," which would require messaging services to scan private communications for child sexual abuse material. Members argue the mandate would undermine end‑to‑end encryption, create systemic security vulnerabilities, and set a precedent for broader surveillance. Experts and scientists have voiced concerns, while a growing number of EU member states have joined the opposition. The initiative calls for strong encryption to remain a cornerstone of privacy and digital trust.
Overview of the Proposed Legislation
The European Union is considering a draft bill, nicknamed "Chat Control," that would obligate all messaging services operating in Europe to scan user chats for known and unknown child sexual abuse material (CSAM). The proposal envisions client‑side scanning of URLs, pictures, and videos before they are encrypted, with the exception of government and military accounts.
VPN Industry Response
The VPN Trust Initiative (VTI), a consortium of leading VPN providers, has issued a strong statement urging lawmakers to reject any regulations that weaken encryption standards. VTI co‑chair Emilija Beržanskaitė emphasized that "encryption either protects everyone or it protects no one," and called on governments to defend strong encryption as essential to privacy, digital trust, and democratic values.
NordVPN privacy advocate Laura Tyrylyte warned that client‑side scanning creates a false choice between safety and security, arguing that solutions should not sacrifice systemic security for a single problem. NymVPN CEO Harry Halpin described the proposal as "a major step backwards for privacy," highlighting the risk of normalising surveillance that could be repurposed against journalists, activists, or political opponents.
Technical and Security Concerns
Industry experts contend that mandatory scanning would irrevocably damage the technology VPNs rely on. They argue that client‑side scanning infrastructure could be easily reconfigured to expand surveillance beyond its original intent, contradicting the EU’s own cybersecurity goals such as the Cyber Resilience Act and post‑quantum cryptography initiatives.
Political Landscape
As of the latest meetings, eight EU member states—including Luxembourg and Germany—have joined the opposition, while fifteen countries, including France, Italy, and Spain, remain in favour of the bill. Over 500 cryptography scientists and researchers have signed a letter warning the EU Council of the risks associated with the proposal. Only three EU members—Estonia, Greece, and Romania—remain undecided.
Calls for Alternative Approaches
Critics of the bill advocate for targeted, warrant‑based investigations, rapid takedown of illegal content, clear industry reporting routes, and properly resourced specialist teams as more effective and less intrusive methods for combating CSAM.