By ByteBot
After losing the Chat Control 2.0 battle on November 26, 2025, the European Commission didn’t retreat. Instead, they pivoted to “Going Dark“—an initiative that targets VPN services by summer 2026. The Council’s “compromise” dropped mandatory encrypted message scanning but kept the surveillance infrastructure intact through “voluntary” scanning and age verification requirements. Signal threatened to leave Europe. Mullvad VPN warns that “no-log” services could become illegal. Privacy advocates call it what it is: political deception disguised as child safety.
The Council Vote: Compromise or Cover-Up?
On November 26, 2025, the EU Council endorsed Chat Control’s negotiating position in a close vote. The Czech Republic, Netherlands, and Poland opposed. Italy abstained. Critically, Germany abstained—a shift from previous opposition that allowed the measure to pass.
Headlines celebrated the removal of mandatory encrypted message scanning. But Patrick Breyer, a Pirate Party MEP leading opposition, calls it “not a retreat, but a green light for indiscriminate mass surveillance and the end of the right to communicate anonymously.” The Council kept “voluntary” scanning infrastructure and age verification requirements. “Voluntary” doesn’t mean optional—it means regulatory pressure and liability risks that coerce compliance. German Federal Police data shows 50% of algorithmic reports under current voluntary schemes are “criminally irrelevant.” This is mass surveillance with a PR makeover.
Going Dark: Phase Two Targets VPNs
Chat Control was always phase one. The European Commission launched “Going Dark” (rebranded as “ProtectEU”) in April 2025, with a roadmap presented in June. By summer 2026, they’ll introduce legislation explicitly targeting VPN services. The stated goal: “enable law enforcement to access encrypted data in a lawful manner.” The reality: mandate VPN data retention, making “no-log” services illegal in Europe.
Mullvad VPN issued a stark warning in December 2025: “By the summer 2026, they will be back with their next attempt: Going Dark. This time some EU member states want to include VPN services.” If Going Dark passes, Mullvad says they “will never spy on customers no matter what”—meaning they’ll exit the EU market. Proton VPN and AdGuard VPN echo this position. For developers who rely on VPNs for remote work security, testing, and privacy, this isn’t theoretical. It’s an infrastructure crisis.
Signal Won’t Bend, WhatsApp Will
Signal President Meredith Whittaker told German media that if forced to choose between “undermining encryption and data protection guarantees or leaving Europe, Signal would unfortunately make the decision to leave the market.” Signal’s VP of Global Affairs compared client-side scanning to “malware on your device.” Age verification requirements—mandatory under the Council position—are incompatible with Signal’s privacy mission. Signal will leave. WhatsApp will comply. Developers lose the gold standard for secure team communication and get stuck with Meta’s surveillance version.
The Technical Reality: Backdoors Don’t Exist
The Internet Architecture Board, the technical standards body for the internet, is unambiguous: “For client-side scanning technologies, there is by design no technical way to limit the scope and intent of scanning, nor curtail subsequent changes in scope or intent.” Client-side scanning (CSS) scans content on users’ devices before encryption. Once that infrastructure exists, it can scan for anything—not just child sexual abuse material. Political dissent. Copyright infringement. Whatever governments decide.
The EFF states it plainly: “While it may technically maintain some properties of end-to-end encryption, client-side scanning would render the user privacy and security guarantees of encryption hollow.” Proton VPN adds: “Weakening encryption would not magically solve internal security challenges but would only make European security worse.” You either have encryption or you don’t. There’s no middle ground. The EU is demanding the impossible, which means they’re demanding no encryption at all.
Child Safety: The Trojan Horse
Chat Control’s official goal is preventing child sexual abuse material. But Going Dark dropped the child safety rhetoric entirely, shifting to “serious crime” and “terrorism.” The pattern is familiar: the PATRIOT Act was sold as counterterrorism and became the legal foundation for NSA mass surveillance. FBI representatives attended Going Dark planning meetings in November 2023. This isn’t about children. It’s about building permanent surveillance infrastructure.
The 50% false positive rate for algorithmic detection isn’t a bug. It’s a feature. Mass flagging creates justification for mass surveillance. Once the infrastructure exists, mission creep is inevitable. What starts as CSAM detection becomes political monitoring, copyright enforcement, or whatever governments want next.
What Developers Should Do
The EU is building a surveillance state piece by piece. Chat Control targets messaging. Going Dark targets VPNs. What’s next—Tor bans? Self-hosting restrictions? The trilogue negotiations between the Council and Parliament are happening now, with a deadline of April 2026. Contact your MEPs. Support privacy organizations like the EFF, EDRi, and Patrick Breyer’s work. Plan contingencies: learn self-hosted alternatives like Matrix and WireGuard before you need them.
Going Dark’s VPN proposal drops summer 2026. The window to resist is closing. This isn’t just European policy—it’s a global precedent that the UK, Australia, and others are watching. Privacy isn’t negotiable. Encryption backdoors don’t exist. And if the EU makes “no-log” VPNs illegal, the only winners are authoritarian governments who will cite Europe as justification for their own surveillance.
