Server side non encrypted message scanning, will it get scanned retroactively with chat control 2.0
Executive summary
Chat Control 2.0 is a revived EU policy drive that would require providers to deploy “detection technologies” — including client‑side or server‑side scanners — to find CSAM, grooming and “suspicious behaviour,” and proponents say it targets encrypted and unencrypted traffic alike [1] [2]. Critics and digital‑rights groups warn the measure effectively mandates mass scanning of private messages and could force providers to scan retroactively if they are required to implement pervasive detection systems [3] [4].
1. What Chat Control 2.0 actually proposes
The Commission’s updated push would make providers of messaging, email and cloud services install detection technologies to identify child sexual abuse material, grooming and related risks; the draft contemplates hashing, AI, metadata analysis and even client‑side scanning to reach end‑to‑end encrypted content [1] [5]. The regulation’s language about “detection technologies” and “risk mitigation measures” is broad and is presented as necessary to address abuse that encryption can hide [1] [3].
2. Server‑side vs client‑side scanning — the difference that matters
Server‑side scanning reads content when it reaches a provider’s servers (some large services already do this voluntarily under Chat Control 1.0), while client‑side scanning inspects content on users’ devices before it is encrypted and sent [6] [2]. The 2.0 discussion explicitly contemplates client‑side approaches to reach E2EE traffic, but the debate covers both server‑side obligations for non‑encrypted flows and client‑side scanning for encrypted ones [1] [2].
3. Will non‑encrypted server‑side messages be scanned retroactively?
Available sources show Chat Control 1.0 already permitted voluntary server‑side scanning of unencrypted communications and reported high volumes of often irrelevant alerts; the 2.0 texts would expand mandatory obligations on providers to install detection systems, which could increase scanning and reporting dramatically [6] [3]. None of the provided sources state a clear, automatic rule that past, already‑stored non‑encrypted messages will be scanned retroactively by law, but the regulatory push for mandatory detection technologies and the Commission’s expectation of a large increase in scanning reports imply providers could be required or expected to scan stored content when they deploy mandated systems [6] [1] [3].
4. Evidence and numbers critics cite
Patrick Breyer and supporters point to a projected 354% increase in scanning reports under the mandatory 2.0 scheme compared with the voluntary framework, and existing voluntary scanning has produced many false positives — German police say roughly half of reports are criminally irrelevant under the earlier regime — which suggests retroactive scanning would yield vast numbers of incidental disclosures [6] [3]. Civil society and technical experts warn the systems use unreliable AI filters and that the proposals could amount to mass surveillance [4] [1].
5. Industry and civil‑society responses — split motivations
Privacy and security providers such as Proton and secure‑messaging services like Signal have argued Chat Control would force client‑side scanning, undermine end‑to‑end encryption, and risk business flight from Europe; EFF, EDRi and other groups frame the proposal as an existential threat to digital privacy [7] [2] [4]. The Commission and supporters frame the measures as child‑safety necessities to close gaps left by encryption [1]. These positions reveal competing agendas: safety advocates prioritize detection capability; digital‑rights groups prioritize encryption and limiting state access [1] [2].
6. Legal and practical constraints to retroactive scanning
Several EU bodies and Members have publicly questioned legality and proportionality; parliamentary questions explicitly flag risks to Charter rights and note that the proposal imposes mass scanning technologies including client‑side scanning [5]. The texts’ ultimate legal effect — whether providers would be compelled to scan stored messages retroactively — depends on final wording, Member State implementation and court review, not only on Commission intent [5] [3]. Available sources do not provide a definitive statutory clause that mandates retroactive scanning of already‑stored server data.
7. What to watch next
Key signals will be: whether the Council’s final text keeps broad “risk mitigation” obligations that watchdogs say create a de facto duty to scan [3]; any explicit requirement to scan archives or to run detection on existing storage; and Member State votes or court challenges that could narrow or block retrospective scanning [3] [5]. Expect sustained opposition from privacy groups and some Member States and continued insistence by proponents that new tech is needed to catch online abuse [4] [1].
Limitations: available sources describe legislative drafts, political debate and advocacy positions but do not publish a final, binding legal text that explicitly states whether providers must scan retroactively in all cases; therefore I cannot assert a definitive legal rule beyond what campaigners and institutions currently state in the reporting [6] [3] [5].