Live Wire
13:15ZNOELREPORTUkrainian drone units report activity along 2-km stretch of T0508 highway between Pokrovsk and Hryshyne13:13ZIRNAENIran says enemy's ultimate fate is defeat, isolation13:13ZWARMONITORIsraeli airstrike hits Al-Shahabiya in Tyre district, southern Lebanon13:13ZWARMONITORIranian source denies reports of a US-Iran agreement signed Sunday, Fars reports13:12ZGEOPWATCHUAE dispatches C-17 transport aircraft to Daegu Air Base in South Korea13:11ZCLASHREPORQatar held secret talks with Iran to protect world's largest LNG export facility13:10ZWFWITNESSSatellite imagery shows damage to building at Isa Air Base in Bahrain13:09ZTHECANARYUMorocco suffers injury setback ahead of World Cup opener13:15ZNOELREPORTUkrainian drone units report activity along 2-km stretch of T0508 highway between Pokrovsk and Hryshyne13:13ZIRNAENIran says enemy's ultimate fate is defeat, isolation13:13ZWARMONITORIsraeli airstrike hits Al-Shahabiya in Tyre district, southern Lebanon13:13ZWARMONITORIranian source denies reports of a US-Iran agreement signed Sunday, Fars reports13:12ZGEOPWATCHUAE dispatches C-17 transport aircraft to Daegu Air Base in South Korea13:11ZCLASHREPORQatar held secret talks with Iran to protect world's largest LNG export facility13:10ZWFWITNESSSatellite imagery shows damage to building at Isa Air Base in Bahrain13:09ZTHECANARYUMorocco suffers injury setback ahead of World Cup opener
Markets
S&P 500739.81 0.28%Nasdaq25,810 2.54%Nasdaq 10029,446 3.29%Dow512.13 0.54%Nikkei92.11 0.08%China 5035.26 1.00%Europe88.13 1.49%DAX42.27 0.00%BTC$63,396 0.78%ETH$1,665 0.94%BNB$605.81 0.99%XRP$1.13 1.83%SOL$66.73 2.25%TRX$0.3124 2.65%HYPE$60.37 6.96%DOGE$0.0869 2.48%LEO$9.52 0.42%RAIN$0.0131 0.31%QQQ$716.65 0.07%VOO$680.14 0.28%VTI$365.3 0.27%IWM$291.33 0.32%ARKK$75.55 0.12%HYG$79.87 0.09%Gold$385.22 0.28%Silver$60.25 0.93%WTI Crude$127.09 1.35%Brent$48.68 0.92%Nat Gas$11.2 0.36%Copper$38.88 0.15%EUR/USD1.1537 0.00%GBP/USD1.3364 0.00%USD/JPY160.54 0.00%USD/CNY6.7774 0.00%S&P 500739.81 0.28%Nasdaq25,810 2.54%Nasdaq 10029,446 3.29%Dow512.13 0.54%Nikkei92.11 0.08%China 5035.26 1.00%Europe88.13 1.49%DAX42.27 0.00%BTC$63,396 0.78%ETH$1,665 0.94%BNB$605.81 0.99%XRP$1.13 1.83%SOL$66.73 2.25%TRX$0.3124 2.65%HYPE$60.37 6.96%DOGE$0.0869 2.48%LEO$9.52 0.42%RAIN$0.0131 0.31%QQQ$716.65 0.07%VOO$680.14 0.28%VTI$365.3 0.27%IWM$291.33 0.32%ARKK$75.55 0.12%HYG$79.87 0.09%Gold$385.22 0.28%Silver$60.25 0.93%WTI Crude$127.09 1.35%Brent$48.68 0.92%Nat Gas$11.2 0.36%Copper$38.88 0.15%EUR/USD1.1537 0.00%GBP/USD1.3364 0.00%USD/JPY160.54 0.00%USD/CNY6.7774 0.00%
CLOSEDNYSEopens in 12m 9s
themonexus.
Vol. I · No. 163
Friday, 12 June 2026
13:17 UTC
  • UTC13:17
  • EDT09:17
  • GMT14:17
  • CET15:17
  • JST22:17
  • HKT21:17
← back to Saturday edition
Tech

The Day the Scanners Went Dark: Chat Control 1.0 Expires, and the Protection Filter Runs Out of Runway

On 26 March the European Parliament voted 311 to 228 to refuse another extension of the voluntary ePrivacy derogation. On 3 April the derogation lapsed. On 15 April the European Board for Digital Services met in Brussels. Trilogue on the permanent Child Sexual Abuse Regulation reopens 4 May. In London, Ofcom's encryption-scanning assessment is due this month. Three overlapping systems — DSA, OSA, CSAR — converge on the same question: can a regulator order a platform to break the cryptography it sells, and which filter does the public hear first?
By Moemedi Michael PoncanaEurope10-minute read18 Apr 2026☆ Save↗ Share⎙ Print

On Thursday 26 March 2026 the European Parliament voted 311 to 228, with 19 abstentions, to refuse another extension of Regulation (EU) 2021/1232 — the temporary ePrivacy derogation that since 2021 had let Google, Meta, Microsoft, Snap and TikTok voluntarily scan users' messages, images and URLs for child sexual abuse material. At 23:59 CEST on 3 April the derogation expired; from 4 April, those scans can no longer run under EU jurisdiction without breaching Article 5(1) of Directive 2002/58/EC. On 15 April the European Board for Digital Services met in Brussels for its eighteenth session and "reaffirmed its commitment to the protection of minors online." Trilogue on the permanent Child Sexual Abuse Regulation (CSAR) — the proposal the Commission calls "Chat Control 2.0" — reopens on 4 May. In London, Ofcom's Section 121 assessment of "accredited technology" for scanning encrypted messages under the Online Safety Act is due this month; Lord Hanson of Flint told the House of Lords on 15 January, "We have set a date of April 2026, and we expect to act extremely speedily once we have had the report back."

That is the seven-day news peg. The deeper story is that three overlapping regimes — the EU's Digital Services Act, the UK's Online Safety Act, and the proposed CSAR — have converged, within a single quarter, on a single question: can a regulator order a platform to break the end-to-end encryption it sells to users? The 2022–2026 Chat Control arc is a live study of how ideology functions as a rhetorical filter: a frame that pre-empts a merits argument by making opposition read as complicity with a named enemy. In this case, the enemy is "child sexual abuse material." The surprising thing is not that the framing worked. The surprising thing is that on 26 March it lost by eighty-three votes.

What happened in the past seven days

On 11 March a preliminary vote passed amendments narrowing voluntary scanning to judicially-authorised, suspect-based operations (458–103–63 on the core amendment). On 26 March the final roll call on the full extension package failed. Patrick Breyer, the former Pirate MEP who has tracked the file since 2022, called it "a historic Chat Control vote": "Digital privacy is alive! Just as with our physical mail, the warrantless screening of our digital communications must remain taboo." CDT Europe, EDRi, and the Global Encryption Coalition issued parallel statements. On 27 March Google, Meta, Microsoft and Snap jointly committed — in studied vagueness — to "continue to take voluntary action on our relevant Interpersonal Communication Services," without specifying jurisdiction, volume, or post-derogation legal basis.

From 4 April, any provider still scanning user-to-user content inside the EU does so without the specific safe harbour that shielded it for almost five years; Directive 2002/58's default rule of confidentiality is back in force. Commission Executive Vice-President Henna Virkkunen flagged the "operational gap" at a Brussels press briefing on 8 April and reiterated that the Commission's preferred instrument remains the permanent CSAR.

On 15 April the EBDS's eighteenth session "reaffirmed" the protection of minors and "exchanged on the latest enforcement activities" — code, read alongside the December 2025 €120 million fine on X and the February 2026 preliminary finding against TikTok's addictive design, for the fact that DSA enforcement is now producing cash penalties where CSAR has produced only a lapsed interim regulation. In London, Section 121 of the Online Safety Act 2023 is approaching its in-house feasibility review. Signal's Meredith Whittaker and Meta's WhatsApp unit confirmed again in Computer Weekly in January 2026 that they will withdraw from the UK market before shipping a client-side scanner.

Mechanism one: the ideology frame renamed

The ideological frame is the most flexible instrument in any regulatory campaign: name the enemy, and opposition reads as complicity. In 1988 the enemy was communism; by 2003 terrorism; by 2016 "Russian disinformation"; by 2022 "online harms." The 2022 Commission proposal for the CSAR renamed it one more time: the enemy is "child sexual abuse material," and opposition reads as indifference to children. Former Home Affairs Commissioner Ylva Johansson — censured by the European Ombudsman in January 2024 for microtargeted ads directing privacy-concerned users toward pro-Chat-Control messaging — understood this instrument perfectly. "No one is against protecting children," she said repeatedly. That was the tell.

Tarleton Gillespie's Custodians of the Internet (Yale, 2018) predicted the next move: once ideology bias is set, the state converts speech policy into intermediary-liability policy, because intermediaries can be coerced through compliance windows courts cannot supervise in real time. The CSAR's "detection orders" — issued by national authorities on ex-parte papers and capable of compelling "effective technology" including client-side scanning — are the textbook case. The Council's October 2025 Danish-presidency compromise, blocked by Berlin in November, swapped "mandatory" for "voluntary" on the label while keeping the "effective risk-mitigation measures" language civil society read as mandatory in all but name. The Global Encryption Coalition called the drafting trick "a rhetorical retreat with a substantive advance."

Zeynep Tufekci's Twitter and Tear Gas (Yale, 2017) supplies the counter-flow. Once trust in platforms is low enough — after Cambridge Analytica, the 2024 European elections, and recurring disclosures of Meta's algorithmic amplification of minors' eating-disorder content — the public is primed to accept state intervention framed as protection, without asking which state, which protection, at whose cost. The Eurobarometer polls the Commission cites track a real sentiment. They do not ask whether respondents understand that "effective detection" means a scanner running on every phone in the Union before the message is encrypted.

Mechanism two: three regulators, one cryptographic perimeter

The DSA, OSA and CSAR are usually discussed as three separate files. They are three fronts in one siege.

The DSA is the furthest along. The Commission's December 2025 decision fined X €120 million for deceptive blue-check verification, a threadbare ad repository, and restricted researcher access. In February 2026 the Commission issued a preliminary finding that TikTok's addictive feed-design violates the DSA's systemic-risk obligations (IP/26/312). In October 2025 TikTok and Meta were found in preliminary breach for obstructing Article 40 researcher access; EBDS's 15 April statement points toward formal follow-through in Q2. None of these touch encryption directly — but the DSA's "systemic risk" framework already requires Very Large Online Platforms to assess "foreseeable negative effects" on minors, and the Commission has signalled it considers unreviewable encrypted communications a systemic risk to be assessed.

The OSA is the most radical in text. Section 121 empowers Ofcom to require "accredited technology" to detect CSAM or terrorism content, with no statutory carve-out for end-to-end encryption. In September 2023 the Government gave an oral commitment not to trigger Section 121 "until it is technically feasible" — a political assurance with no legal force. On 15 January 2026 Lord Hanson set April 2026 as Ofcom's internal feasibility deadline; implementation would follow "speedily." Ofcom's March 2026 fine of 4chan (£520,000) and December 2025 fine of AVS Group (£1 million) show the regulator's appetite. Signal's Meredith Whittaker has restated throughout 2026 that scanning and end-to-end encryption are mutually exclusive: "there is no such thing as a backdoor only for the good guys."

The CSAR is the most expansive — every number-independent interpersonal communications service, every hosting provider, every app store — and the least settled. After Berlin's November 2025 veto of the Danish compromise, the Council shifted from mandatory to voluntary detection; Parliament's 26 March vote removed the ePrivacy fallback. Virkkunen's Commission now enters the 4 May trilogue with two maximalists (itself and part of Council) against a Parliament holding the line on judicial authorisation and targeted suspects. The EFF's 7 April analysis by Christoph Schmon warned that detection obligations may be revived through age-verification and risk-benchmark clauses, "rebuilding Chat Control on a different legal base."

Mechanism three: the Global South watches, and copies selectively

The Brazilian precedent is instructive. On 26 June 2025 the Supremo Tribunal Federal concluded its judgment on Article 19 of the Marco Civil da Internet, 8–3, declaring partial unconstitutionality of the rule that conditioned platform liability on non-compliance with a specific court order. The Court replaced it with a fault-based regime modelled, as the Global Network Initiative's July 2025 analysis notes, on the DSA's systemic-risk logic: platforms must act on "unequivocal knowledge" of illicit third-party content, publish annual transparency reports, maintain an in-country legal representative. DSA-procedural, not CSAR-cryptographic. The STF declined to touch encryption; Marco Civil Article 10's privacy protections were left intact. Brazil's Global-South reading of the DSA stops short of the client-side scanner.

India's choice is the mirror image. MeitY's February 2026 Synthetically Generated Information notification and March 2026 Draft IT Rules Second Amendment — covered in this publication on 18 April — compress takedown windows to three hours and extend safe-harbour conditions to compliance with executive advisories, without touching encryption directly. But the Digital Personal Data Protection Rules 2025, MediaNama's April 2026 reporting shows, grant the central government broad powers to obtain data from "data fiduciaries," and Meta's 8 March announcement that Instagram direct messages will remove end-to-end encryption from 8 May suggests Indian pressure is being applied at the product level rather than the statute.

The synthesis across Brasília, New Delhi and Brussels is straightforward: once platforms are coerced by deadlines, automation bias favours false positives, because a false positive costs the platform nothing and a false negative costs the safe-harbour shield. The mechanism does not need to be called "Chat Control" to do Chat Control's work.

What the 26 March vote actually tells us

First, the ideological frame is not omnipotent. Eighty-three votes of margin, in a Parliament where the Commission had spent four years campaigning the file, is a meaningful result. When the contradiction between stated value (protection) and operational mechanism (warrantless pre-screening) becomes visible enough, the frame slips. The 26 March vote is the frame slipping. Article 19's 2025 Global Expression Report put it precisely: "The DSA's most expensive features are its procedural safeguards; its compression-of-speech features are the cheapest."

Second, the filter does not surrender; it retools. Virkkunen's 8 April framing — "operational gap" — is the opening move. Ofcom's Section 121 assessment, timed for the same month Chat Control 1.0 expired, is the second. The DSA's systemic-risk framework, which already treats encrypted-communication opacity as a category of risk to be "assessed and mitigated," is the third. What Parliament blocked through one door, three regulators can bring in through three other doors. EDRi's "CSA Regulation Document Pool" tracks the substitution in real time.

Third, the Global-South reading is that the cryptographic line is a choice, not a technical constraint. Brazil's STF had the Marco Civil authority to reach encryption and declined. MeitY has the IT Rules authority and, so far, has routed around it. The EU Parliament on 26 March made the same choice Brazil's STF made. The UK's Parliament and its regulator have not. That is a political distribution, not an engineering fact. In Susan Landau's phrase — Listening In (Yale, 2017) — "the question is never whether exceptional access is possible; the question is what is destroyed when you build it."

What it means for information control going forward

The CSAR trilogue on 4 May is the next hinge. If the Commission re-injects detection through the age-verification clause — Tuta's April 2026 analysis warns of precisely this — the 26 March victory will prove narrower than it reads. If Parliament holds the judicial-authorisation and targeted-suspect language adopted on 11 March, the permanent regulation will ship as an infrastructure bill, not a surveillance bill.

Ofcom's April Section 121 report is the second hinge. The question is not whether the technology works; it is whether London will treat Signal's and Meta's exit threats as bluffs. If Ofcom issues a Section 121 notice, Signal leaves, and the government has to decide whether to firewall the app at the ISP level — a move that crosses the Overton line the OSA's drafters spent four years insisting they were not crossing.

EBDS's eighteenth meeting is the third. If Q2 brings the first formal DSA non-compliance decisions against Meta and TikTok on researcher access, the Commission will have fined the American platforms into the hundreds of millions on procedural grounds while losing the encryption fight on the merits. That is what happens when the propaganda filter slips on the big question and reasserts itself on the small ones.

The comparative story the Western tech press is not telling: Brasília held the line on encryption; Brussels-Parliament held the line; New Delhi is routing around it; London is assessing how to break it this month. The three democratic jurisdictions with working constitutional courts and the Global-South jurisdiction with the most active platform-liability jurisprudence all drew the same line in Q1 2026. The one that did not is the same one that exported OSA language to Nigeria's NBC Code, Kenya's Computer Misuse Act amendments, and South Africa's Films and Publications Board drafts. Watch where the OSA template goes next. That is where the filter will do its work.

That is the story.

© 2026 Monexus Media · reported from the wire