jani@raatti:~ $ cat ~/blog/scanning-everyone-protects-no-one-chat-control.md
---
title: "Scanning Everyone Protects No One: Chat Control Returns for Its Final Trilogue"

date: 2026-06-27
author: jani
categories: [Privacy, Security]
reading_time: 12 min
---

I keep my own servers, my own backups, and my own keys. Not because I have something to hide — because the secrecy of correspondence is a right, not a privilege somebody else grants. This week I did something I rarely do: I emailed seven Finnish Members of the European Parliament.

On 29 June the EU holds what may be the final trilogue on the Chat Control regulation (CSA-Regulation 2022/0155) — the proposal to scan the private messages of 450 million Europeans. This is the engineer-to-engineer version of why that plan is broken, why it will not survive its first contact with the Court, and the letter I sent so you can send your own.

What Chat Control actually proposes

Two mechanisms, both dressed up as child protection. First, mass scanning of private messages — including, in the latest text, letting tech giants search communications on their “own initiative” without any reasonable suspicion. Second, mandatory age verification on messaging and email. Neither is an appropriate or proportionate means to the stated goal. They are the wrong tools for a real problem.

The false-positive math

This is where the engineering falls apart. Scan 450 million people and even a very accurate classifier produces an ocean of false positives, because the base rate of actual abuse material in any given chat is vanishingly small. Run a 99%-accurate filter against billions of innocent messages and you do not catch criminals efficiently — you generate millions of innocent family photos and private conversations flagged for human review. Independent experts have said it plainly: the technology is error-prone, unreliable, and not fit for this purpose. This is not a vague opinion. It is the informed assessment of an AI-native architect who has spent 20+ years shipping software.
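The base-rate arithmetic behind this paragraph, as an added example that is not code from the original post: it computes the expected false-positive count and the fraction of alerts that are true hits (precision) for a classifier of given accuracy across a message population. The 99% accuracy figure is the post's; the message volume and base rates are constructed assumptions.

```python
# Added example (not from the original post): base-rate arithmetic for a
# population-wide message classifier. Message volume and base rates are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanOutcome:
    true_positives: float
    false_positives: float
    false_negatives: float

    @property
    def precision(self) -> float:
        """Fraction of flagged messages that are genuinely illegal material."""
        flagged = self.true_positives + self.false_positives
        return self.true_positives / flagged if flagged else 0.0


def scan_population(messages: int, base_rate: float,
                    sensitivity: float, specificity: float) -> ScanOutcome:
    """Expected confusion-matrix counts for scanning `messages` items.
    base_rate   - fraction of messages that really are illegal material
    sensitivity - P(flagged | illegal);  specificity - P(not flagged | innocent)
    """
    if not 0.0 <= base_rate <= 1.0:
        raise ValueError("base_rate must be a probability")
    illegal = messages * base_rate
    innocent = messages - illegal
    tp = illegal * sensitivity
    fp = innocent * (1.0 - specificity)
    return ScanOutcome(tp, fp, illegal - tp)


def precision_table(messages: int, accuracy: float,
                    base_rates: tuple[float, ...]) -> dict[float, float]:
    """Precision at each base rate for a symmetric classifier whose
    sensitivity and specificity both equal `accuracy`."""
    return {br: scan_population(messages, br, accuracy, accuracy).precision
            for br in base_rates}


if __name__ == "__main__":
    # Constructed illustration: 1e9 messages scanned at 99% accuracy.
    volume = 1_000_000_000
    for br, p in precision_table(volume, 0.99, (1e-3, 1e-5, 1e-7)).items():
        fp = scan_population(volume, br, 0.99, 0.99).false_positives
        print(f"base rate {br:.0e}: {fp:,.0f} false positives, "
              f"precision {p:.4%}")
```

At a base rate of one illegal message in 100,000, the 99% classifier flags roughly ten million innocent messages per billion scanned and fewer than one flagged message in a thousand is a true hit.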

“Voluntary” is a backdoor mandate

The clever trick in the current text is to keep own-initiative scanning “voluntary” while tying it to mandatory, enforceable risk-mitigation measures (Article 4). Make the voluntary thing the only way to satisfy an enforceable obligation and you have built a mandate with extra steps — a backdoor requirement for providers to scan everyone. Voluntary stops meaning anything the moment refusing it is non-compliance.

You cannot backdoor encryption for the good guys only

There is no such thing as a hole that only the right people can climb through. To scan an end-to-end encrypted message you have to break the encryption or read the message before it is sealed — client-side scanning is the backdoor. Once it exists, it is a target: for cybercriminals, for hostile states, for anyone who wants what the scanner can see. Secure communication protects children, citizens, journalists, businesses and public authorities alike. Undermining it makes every one of them more vulnerable, not less.

Real perpetrators just route around it

The people this is sold to stop are the people least affected by it. Anyone actually trading abuse material moves to a service outside the regime — self-hosted, foreign, or simply not on the list. What remains in the net is the law-abiding majority. You surveil everyone and catch the ones who were not trying to hide.

It will not survive the Court

As the Council’s own Legal Service reiterated on 10 June, the latest own-initiative proposal still amounts to generalised scanning of interpersonal communication. Access to private messages without reasonable grounds for suspicion and prior judicial authorisation is incompatible with Article 7 of the EU Charter of Fundamental Rights, and it is destined to be annulled before the EU Court of Justice — at which point the whole scheme fails the very children and victims invoked to justify it. Whether someone is linked to child sexual abuse is for public authorities to establish, not the tech industry, and never without a prior court order.

And you cannot trust the scanners either

We already know how tech giants behave when they think no one is watching, because it has been tested in court. Google promised users it was not tracking them in private — incognito — mode, and tracked them anyway. The class action (Brown v. Google) ended in a settlement where the company agreed to destroy billions of unlawfully collected records. This is the same industry Chat Control would deputise to search 450 million people’s private messages on its “own initiative.” When the same companies broke an explicit promise the instant they thought no one was looking, the outcome here is not hard to predict.

And do not underestimate what these companies will do for data. “Data is the new oil,” as the Finnish security researcher Mikko Hyppönen has long put it — and like oil, it brings both prosperity and problems. The generative-AI race runs on training material, and the industry’s answer to “where do we get it” has repeatedly been: take it. Court filings in Kadrey v. Meta show Meta torrented roughly 82TB of books from shadow libraries like LibGen and Anna’s Archive — staff balked that “torrenting from a corporate laptop doesn’t feel right,” and the call was escalated to and approved by Zuckerberg anyway. Anthropic settled a near-identical piracy claim for $1.5 billion in 2025, the largest copyright settlement in US history, over roughly half a million pirated books. Visual artists are fighting the same battle over images scraped without consent. This is the consent model of the firms that want to read your messages: take first, settle later, apologise never. Now point that appetite at the private communications of an entire continent.

Age verification ends anonymity

Forcing age verification onto encrypted messaging and email providers would effectively end the right to private and anonymous digital communication in Europe. You cannot prove your age to a service without identifying yourself to it. That is the opposite of private.

And the verification itself is a honeypot. To prove your age you hand a government ID to a third party — and those third parties leak. In October 2025 a breach at a Discord age-check vendor exposed tens of thousands of government IDs collected for exactly this purpose; the attackers claimed millions. Age-verification providers are now spilling passports and driver’s licences at a rate that embarrasses the crypto exchanges everyone loves to mock — except you cannot rotate a leaked passport the way you rotate a leaked key.

Then follow the money. Discord’s own verification vendor, Persona, is Peter Thiel-backed — its code even turned up on a US government server — the same orbit as Palantir, whose Gotham data-mining software is already wired into police forces across Germany: Hesse, Bavaria, North Rhine-Westphalia, and a €25M Baden-Württemberg contract in 2025. Mandate identity and scanning at the protocol level and you are not just ending anonymity; you are manufacturing the exact datasets a data-fusion industry — already embedded in European policing — exists to consume. The infrastructure always outlives the justification that sold it.

Parliament already said no — twice

This is also a democratic problem. The European Parliament has rejected Chat Control mass surveillance repeatedly: in its 2023 mandate for this CSA regulation, and again in March 2026, when it voted 311–228 to refuse extending the temporary derogation (2021/1232), which then expired. The recent backroom attempts to bypass that plenary rejection and force a second reading on the temporary law are alarming and anti-democratic. Targeted, evidence-based solutions — interception based on a suspected link to a crime, authorised by courts rather than private companies or administrative bodies — are the only legally sound, court-proof way forward.

What you can do before 29 June

Write to your MEPs. Individual emails carry more weight than petitions, and they carry far more weight than silence. fightchatcontrol.eu has the current status, contact tooling, and background. Below is the letter I sent — take it, change it, make it yours. If you write to a bloc of MEPs at once, use BCC: each office reads it as a personal message rather than a circular.

Dear Member of Parliament,

I am writing to you urgently ahead of the potentially decisive trilogue on the proposed Chat Control legislation (CSA-Regulation 2022/0155) on 29 June.

I am a software architect and consultant. I keep my own servers, my own backups and my own keys — not because I have something to hide, but because the secrecy of correspondence is a fundamental right, not a permission someone else grants. That is exactly why the latest text proposals alarm me. Neither the unwarranted mass scanning of citizens’ private messages nor mandatory age verification is an appropriate or proportionate means to achieve child protection. They are the wrong tools for a real problem.

I am particularly concerned about the following:

Mass scanning produces mass error. Letting tech giants search the private messages of 450 million innocent Europeans on their “own initiative” without reasonable suspicion produces countless false positives and can criminalise innocent family photos and conversations. These technologies remain highly error-prone and have been criticised by independent experts.

Tech giants cannot be trusted to self-police. Google promised users it would not track them in private (incognito) mode — and tracked them anyway. The class action (Brown v. Google) ended in a settlement to delete billions of unlawfully collected records. This is the industry Chat Control would empower to scan our messages.

This will be struck down. As the Council’s Legal Service reiterated on 10 June, the latest “own-initiative” proposal still constitutes generalised scanning of interpersonal communication, incompatible with Article 7 of the EU Charter and destined to be annulled before the EU Court of Justice. Whether a person is linked to child sexual abuse must be established by public authorities, not the tech industry, and never without a prior court order.

“Voluntary” must not become a backdoor mandate. Own-initiative scanning must not be tied to mandatory, enforceable risk-mitigation measures (Article 4); doing so creates a de facto obligation to scan everyone.

It will not protect children. Indiscriminate scanning massively violates privacy while real perpetrators simply move to other services. We need targeted, evidence-based interception based on a suspected link to a crime — authorised only by judicial authorities, not private companies or administrative bodies.

Secure communication protects everyone — children, citizens, journalists, businesses and public authorities — and underpins our digital security and competitiveness. Mandatory age verification on encrypted messaging and email would effectively end private and anonymous communication in Europe.

The European Parliament has repeatedly rejected Chat Control mass surveillance — in its 2023 mandate and again in March when it refused to extend the temporary derogation 2021/1232. I urgently ask you to respect Parliament’s democratic decisions and the requirements of the EU Charter and the Court of Justice by removing generalised mass scanning and mandatory age verification from any 29 June trilogue agreement.

Yours sincerely,
Jani Karlsson
Espoo


In Finnish

The full background and technical argument are above in English. Briefly: what you can do before 29 June, and the letter I sent.

What you can do before 29 June

Write to your own Members of the European Parliament. Individual emails carry more weight than petitions, and far more than silence. fightchatcontrol.eu provides the current status, contact tools and background. Below is the letter I sent: take it, edit it, make it your own. If you write to several representatives at once, use blind copy (BCC), so that each office reads it as a personal message.

Dear Representative,

I am writing to you urgently ahead of the potentially decisive trilogue negotiation on 29 June on the so-called Chat Control legislation (CSA Regulation 2022/0155).

I am a software architect and consultant. I keep my own servers, my own backups and my own keys, not because I have something to hide, but because the secrecy of confidential correspondence is a fundamental right, not a permission that someone else grants. That is exactly why the latest draft texts alarm me. Neither the unwarranted mass scanning of citizens’ private messages nor mandatory age verification is an appropriate or proportionate means of protecting children. They are the wrong tools for a real problem.

Mass scanning produces mass error. Allowing tech giants to sift through the private messages of 450 million innocent Europeans “on their own initiative” without reasonable suspicion leads to countless false hits and can turn innocent family photos into crimes. The technology is still highly error-prone, and independent experts have dismissed it.

Tech giants cannot be trusted as self-regulators. Google promised not to track users in private (incognito) mode, and tracked them anyway. The class action (Brown v. Google) ended in a settlement to delete billions of unlawfully collected records. This is the industry to which Chat Control would give the power to sift through our messages.

This will fall in court. As the Council’s Legal Service reiterated on 10 June, the latest “own-initiative” proposal is still general scanning of communications, in conflict with Article 7 of the Charter of Fundamental Rights and doomed to be annulled in the EU Court of Justice. A link to child abuse is for the authorities to establish, not technology companies, and never without a prior court decision.

“Voluntariness” must not turn into a backdoor obligation. Own-initiative scanning must not be tied to mandatory, enforceable risk-management measures (Article 4); that would create a de facto obligation to scan everyone.

It does not protect children. Indiscriminate scanning massively violates privacy, and the real perpetrators simply move to other services. We need targeted, evidence-based intervention based on a suspected link to a crime, authorised only by courts, not by private companies or administrative authorities.

Secure communication protects everyone (children, citizens, journalists, businesses and public authorities) and is the foundation of our digital security and competitiveness. Mandatory age verification in encrypted services would in practice end private and anonymous communication in Europe.

The European Parliament has repeatedly rejected Chat Control mass surveillance: in its 2023 mandate and again in March when it refused to extend the temporary derogation 2021/1232. I urgently ask you to respect Parliament’s democratic decisions and the requirements of the EU Charter of Fundamental Rights and the Court of Justice by removing general mass scanning and mandatory age verification from the outcome of the trilogue negotiations held on 29 June.

Yours respectfully,
Jani Karlsson
Espoo
