A Machine That Learns to Read You: How Chat Control Reshapes the Structure of Power in the Digital Environment

Chat control – Digital surveillance – European Union dossier

On July 9, 2026, the European Parliament let the extension of voluntary scanning of unencrypted messages pass by procedural inertia, in force until 2028. The real test, mandatory scanning of encrypted apps, returns in the autumn: behind both regimes moves an architecture that shifts control from the judicial enclosure to the code that modulates every conversation in real time.

▶ Listen to the article

Chat Control is the name under which the European regulatory push to search for child sexual abuse material inside user communications has become known, and under that name two distinct regimes coexist that news coverage tends to conflate. The first, extended by the European Parliament on July 9, 2026 until April 3, 2028, concerns the voluntary scanning that platforms like Gmail, Outlook or Discord can already apply to content passing through their servers, a regime that excludes end-to-end encrypted applications such as WhatsApp, Signal and iMessage. The second, the one the mobilization against Chat Control considers the dossier’s real target, is the proposal for mandatory client-side scanning aimed precisely at those applications, expected in the autumn under the Irish presidency: there the declared ambition is that every message, every photo, every file exchanged on an encrypted app be analyzed by an automated system before encryption even turns it into a secret between sender and recipient, and in the most advanced version of the mechanism the analysis happens directly on the phone of whoever is writing.

If that second phase comes into force, the change in daily use will be less visible than the word scanning suggests, and precisely for that reason more profound. The WhatsApp screen will look identical, the encryption padlock will stay in place, nothing will signal to the user that a photo sent to a partner or a message written to a friend was read by an algorithm before delivery. Those defending the measure repeat in Brussels that messages remain encrypted, that the cryptographic lock is not forced open, that the technical confidentiality of communications stays intact, a claim already true today for the voluntary regime just extended on unencrypted services. Applied to the phase still under negotiation, the one designed for encrypted apps, the same claim would deserve close scrutiny, because it would conceal a shift concerning the very form of power. Client-side scanning reads the content of a message directly on the device, an instant before encryption turns it into a secret between sender and recipient. The room would be photographed while the door is still open, and by the time the door closes the photograph would already have been taken, archived, matched against a database. Defending the integrity of the lock while moving the reading one step before its closure would keep the letter of encryption intact while emptying out its social function, the one by which communication belongs only to those exchanging it.

This gap between the form that encryption promises to keep intact and the substance that monitoring would dissolve runs through the entire regulatory apparatus, and understanding it means drawing on a distinction that Michel Foucault and Gilles Deleuze built over the second half of the twentieth century. Foucault had described a power exercised through enclosures, closed and supervised places such as the school, the factory, the barracks, the prison, each with an inside where the rule applies and an outside where it is suspended, each organized around a controlled entry point and a moment of judgment. Deleuze, in a short 1990 text on societies of control, observed that this model was giving way to a more continuous and less visible form, a power that accompanies the individual at every instant through codes that modulate access, cost, reputation, risk, never fully closing nor fully opening. The entire Chat Control framework, from the regime already in force to the phase still under negotiation, belongs to this second family in an almost textbook way: it applies an evaluation code to every conversation, continuously, before it is even possible to know whether that conversation contains anything worth judging.

Chat Control EU graphic representation of a flow of encrypted messages intercepted by an algorithmic scanning system, symbol of the European control architecture
From server to device: the four technical stages of the European regulation, read as a continuous gradient rather than separate categories.

Chat Control Four Technical Layers Form a Single Gradient of Intrusion

The text the European Parliament examined on July 9, 2026 covers only the first of the technical layers that the broader design puts in place, and reading those layers as progressive stages of a single movement clarifies the trajectory along which the apparatus moves. Hash matching, the first stage, compares a file’s digital fingerprint against an archive of material already identified as illegal, and operates according to the clean logic of the boundary: a piece of content either matches something already known or it does not, with no intermediate zones. The second stage, detection of previously unseen material, replaces that clarity with the probabilistic estimate of a classifier that ventures a score on what is new, and introduces for the first time the margin of error as a structural component of the system. The third stage, grooming detection, shifts the threshold from the file to the language, because establishing whether a conversation constitutes grooming requires analyzing tone, context, the presumed age of the participants, intent reconstructed from words, and the risk score thus begins to apply to a relationship between two people. The fourth stage, client-side scanning, completes the final shift in physical space, moving the analysis from the remote server to the phone held in one’s hand. At every step the boundary loses sharpness while the intrusion gains proximity to the body of whoever is communicating.

The coherence of this progression is reflected in the regulation’s vocabulary, which avoids the word surveillance and speaks instead of risk assessment, adopting the vocabulary of continuous modulation described by Deleuze in place of that of the enclosure and judgment described by Foucault. This terminological choice carries weight, because establishing an obligation to assess risk institutes an operation with neither beginning nor end, one that stretches over every communication as a permanent condition of communicating.

At every step the boundary loses sharpness while the intrusion gains proximity to the body of whoever is communicating.

Chat Control: A Collection Center for Noise That Accumulates Fragility

Any architecture that deploys sensors at the periphery needs a point toward which what those sensors collect can converge, and the regulation provides for this in the figure of the future EU Centre, which according to the Council’s position will share information with Europol and national authorities, becoming the node up which reports generated along the four stages flow. The decisive question concerns this center’s ability to distinguish what it receives, and cybernetic theory offers an interpretive tool that 2025 data confirms with unpleasant precision. Norbert Wiener, founding cybernetics in the mid-twentieth century, defined control as a system’s capacity to correct its own action based on the difference between what happens and what should happen. A control system is measured, then, by its capacity to separate useful information from noise before acting, far more than by the quantity of information it manages to absorb.

The numbers from existing collection centers show how much this separation is the real point of crisis. The US center NCMEC received a million and a half reports linked to generative artificial intelligence in 2025, a figure that circulated for a long time as proof of an explosion in synthetic abuse material, until an investigation verified the composition of that number and found that over one million one hundred thousand of those reports came from a single sender, Amazon, and concerned possible material intercepted in its own training datasets, lacking any information on a victim or a suspect, and therefore lacking any possibility of investigative action, by the company’s own admission. The same dynamic recurs in the Irish case analyzed by a study commissioned by the European Parliament, where of four thousand one hundred ninety-two reports reaching the police, only eight hundred fifty-two concerned real material, while four hundred seventy-one, 11.2 percent, turned out to be confirmed false positives. In each of these cases the center fails at its ordinary function, because the largest share of what it receives is noise to be processed, and a system that spends its operational capacity processing noise only increases its own exposure to error.

The Numbers Behind the Noise
SourceReportsVerified outcome
NCMEC, 2025 dataover 1.5 millionlinked to generative AI; over 1.1 million from Amazon alone, zero actionable due to missing victim or suspect data
Irish police (EPRS study for the European Parliament)4,192852 real material (20.3%), 471 confirmed false positives (11.2%)
Meta, EU CSAM Derogation Report 2025about 1.5 millioncontent removed on Facebook in the EU; about 1,800 restored following appeal

Chat Control: Reading Conversations, Predicting the Future

The relationship between the periphery that communicates and the center that collects does not end in the one-way flow in which the former sends and the latter receives, and one documented case illuminates the movement by which the periphery reprograms the center. In May 2020, researchers at Citizen Lab, the University of Toronto laboratory specializing in the study of digital surveillance, published an investigation titled “We Chat, They Watch,” dedicated to how the WeChat platform treats its users’ communications, and the central finding concerned accounts registered outside China. Images and documents exchanged between users registered outside the country, theoretically beyond the reach of Chinese censorship, were nonetheless subjected to content analysis, and when a file was found to be politically sensitive by the platform’s criteria, its digital fingerprint was added to an index used to block, in real time, content circulating among accounts registered in China. A user in Berlin sending a photograph to a friend unknowingly feeds the database that will determine what another user, elsewhere, will be able to write the next day.

This case closes the cybernetic loop left open earlier, because it shows a center using what it receives from the periphery to update its own selection criteria, turning the parameter of what should be sought from a constant fixed by law into a variable the system redefines through its own operation. It is at this point that the objection concerning function creep, the progressive expansion of purposes, stops being a hypothetical fear and becomes a structural property of the architecture, because an infrastructure built to read contains no technical limit on what it can search for, and confinement to a single category of content depends on a political decision always rewritable by whoever controls the system later on. The same imbalance reappears in the unequal distribution of the ability to evade detection. Studies on perceptual hashing, the technology underlying hash matching, showed very high evasion rates under the experimental conditions of 2021 and considerably lower ones in a 2024 study that introduces realistic constraints on the number of attempts and the degree of distortion allowed. Which of the two bodies of literature better describes reality matters less than the fact that an organized actor has the time and the incentive to test those limits, while someone writing an ambiguous message to an acquaintance does not. The periphery equipped with resources evades the center, the one without resources remains exposed to it, and the reversal stems from the structure of the system more than from any intention behind it.

A user in Berlin unknowingly feeds the database that will decide what another user, elsewhere, will be able to write the next day.

How the Same Union That Bans Social Scoring Reproduces Its Architecture in the Most Intimate Space

The most revealing contrast emerges from within the European legal order itself, where principles coexist that contradict one another once read as expressions of the same idea of power. The Digital Services Act establishes that service providers cannot be subject to any general obligation to actively monitor the information they transmit, and the AI Act, which entered into application only a few months ago, bans social scoring practices and severely restricts mass biometric identification, proceeding from the recognition that automatically classifying the behavior of entire populations infringes on fundamental rights removed from administrative negotiation. The same Union writing these two bans is negotiating, in the same span of time, a regime that applies a structurally similar logic, made of algorithmic prevention, risk classification and large-scale monitoring, and it does so in the most intimate space that exists, the private conversation between two people. The technology differs from that of the social scoring banned elsewhere, the architecture of thought is the same, applied exactly where the legislator has decided to suspend the principle it asserts in other contexts. This selective suspension reveals that what is at stake concerns the coherence of a legal order in deciding just how far the power of preventive classification may extend.

Around this suspension a market has already formed, because every detection obligation generates demand for whoever supplies that detection, from classifier manufacturers to indicator database operators to audit and compliance services, all of them carrying an interest in seeing the obligation maintained over time and extended into new areas. Several outlets have documented the concern, widespread among those who have followed the European dossier for years, that behind the push to normalize scanning a network of technological and security interests converges that is broader than child protection alone. None of these actors is doing anything unlawful, and each is doing what a market does when a regulation guarantees it stable demand for a long period. The economic convergence toward the center replicates, at the level of interests, the same convergence of data toward the EU Centre, and the two reinforce each other, because the market living off the obligation pushes for the center to collect more, and the center that collects more justifies the existence of the market feeding it.

Social scoring is banned everywhere except in the private conversation

How the Procedure That Extended the Derogation Modulates Its Own Thresholds of Legitimacy With the Same Logic the Regulation Applies to Conversations

The parliamentary saga accompanying the regulation reproduces, at the procedural level, the same logic of shifting thresholds that the technical apparatus applies to communications. On March 26, 2026, the European Parliament had rejected the extension of the temporary derogation allowing voluntary scanning, with three hundred eleven votes against, two hundred twenty-eight in favor, and ninety-two abstentions. The Council responded by putting the file back on the table, Parliament’s presidency opened a rarely used emergency procedure, and on July 7 the assembly decided to put the text back to a vote by a narrow margin, three hundred thirty-one in favor against three hundred four. The July 9 vote, placed on the last day of the session before the summer recess, took place at second reading, and blocking the text coming from the Council required an absolute majority of three hundred sixty-one votes: three hundred fourteen members voted for rejection, two hundred seventy-six against rejection, seventeen abstained, and one hundred twelve were absent. The threshold was not reached, and the extension passed through procedural inertia, valid until April 3, 2028.

The timing of these steps weighed on the outcome more than the substance of the question did, because the same majority that had been able to reject the text in March, when a simple majority sufficed, found itself in July without the numerical strength to stop it, facing the absolute-majority requirement and a half-empty chamber on the last day of the session. The regulation that introduces continuous modulation into the space of private conversations was approved, at this first stage, through an equally continuous modulation of its own thresholds of legitimacy. The level required to legitimize or block a decision shifted by changing the moment of measurement, the number of members present, the procedural reading invoked, and the one hundred twelve absentees on the last working day weighed as much as a vote against rejection, with the same movement as the risk score applied to a message, which the system modulates continuously.

Why the Alternative Model Already Existed, Had Been Passed by a Wide Majority, and Was Overridden Precisely Because of What It Was

The choice at stake separates two distinct models of power rather than pitting child protection against privacy, and confirmation comes from a vote that recent coverage tends to forget. On March 11, 2026, two weeks before rejecting the general extension, the same Parliament had approved, with four hundred fifty-eight votes in favor and just one hundred three against, an alternative position that limited detection to material already identified or reported, tied it to judicial authorization, and excluded end-to-end encrypted communications from indiscriminate monitoring. This position corresponds to the disciplinary model described by Foucault, grounded in a concrete suspicion, a judge who evaluates it, a case that opens and closes within defined boundaries, and the majority that had supported it was four times larger than the one that decided the fate of the general derogation on July 9.

That a model approved with such broad consent was overridden a few weeks later by the return of the continuous-modulation model reveals the real criterion behind the choice. The disciplinary enclosure was set aside for what it offers less of to whoever governs the architecture, and nothing about the targeted model makes it any less capable of catching already-known illegal material. The enclosure judges one case at a time and is exhausted by it, while the code of continuous control knows no exhaustion and keeps every case perpetually available. This difference in yield for whoever holds control, not a difference in effectiveness against crime, explains why the less invasive model, though available and already legitimized by the vote, was set aside in favor of the one that extends reading to every conversation.

The derogation is back in force, and with it the infrastructure of continuous reading over unencrypted services remains installed until 2028, waiting for someone to narrow or widen its criteria. Installed alongside this infrastructure is the precedent of an assembly that rewrote its own thresholds of legitimacy in order to put a text already rejected in March back into play, and with it the demonstration that a contrary majority is no longer enough to stop a control architecture when whoever backs it controls the calendar by which it is measured: one hundred twelve absences on the last day of the session were enough to make the required threshold unreachable. The bigger contest, over mandatory client-side scanning extended to encrypted apps, returns in the autumn under the Irish presidency, and some already expect the same script, a substantive rejection that a procedural threshold turns into approval. The question that July 9 leaves unresolved concerns which of the two models of power the Union will adopt as its default setting once that contest is settled, the enclosure that judges one case at a time or the code that modulates every conversation at every instant, and whether anyone, five years from now, will still hold on to the conceptual tools to tell the two apart.

Follow the Algorithm investigates the architecture of algorithmic power, one dossier at a time.
{{TESTO_CTA}} → Opens in another page

Postscript

The video accompanying this dossier goes deeper into the technical workings of client-side scanning and the objections raised by hundreds of cryptographers, with a reference to the Apple NeuralHash case, tested in 2021 and abandoned in December 2022 precisely because of these risks of extension.

Follow the Algorithm will keep following this dossier in the coming months, in particular the return of Chat Control 2.0 in the autumn under the Irish presidency, when the discussion will shift from the voluntary regime just extended to mandatory scanning of encrypted applications.

Watch on YouTube →

Similar Posts