ESCAPE CHAT CONTROL · escapechatcontrol.com STATUS: LIVING DOCUMENT · PUBLISHED · LAST VERIFIED

EU interpersonal communications · Regulation (EU) 2021/1232 · second reading, 9 July 2026

314 MEPs voted to kill Chat Control. It passed anyway.

A plurality of the European Parliament voted to reject message scanning. Under EU second-reading rules that wasn't enough. Here is what actually changed, which apps opt in to scanning your messages, and how to move to services that refuse — without the myths going around.

Section — the record

What actually happened, in 60 seconds

Two different things get called “Chat Control.” Most of what you read this week confuses them.

What passed on 9 July is the revival of “Chat Control 1.0” — a voluntary scheme that lets providers scan messages and mail for known child sexual abuse material. Google, Meta and Microsoft have used it for years, across Gmail, Facebook Messenger, Instagram DMs, Skype and Outlook. It lapsed in April 2026 after Parliament rejected it; the Council brought it back, and this week's rejection vote fell 47 short. It is on track to run to 3 April 2028.

What did not pass is “Chat Control 2.0” — the mandatory client-side scanning of everyone's messages, including encrypted apps, that Signal has said it would leave the EU over. That regulation remains stuck in negotiations, which collapsed again on 29 June. It comes back in September 2026.

Parliament also did something almost nobody reported: it passed an amendment (369 votes, clearing the same threshold the rejection missed) explicitly excluding end-to-end encrypted services from the revived scheme's scope.

  • 26 MAR 2026

    Parliament votes against extending the scanning scheme. It expires in early April.

  • 02 JUL 2026

    The Council of the EU moves to reinstate it until April 2028.

  • 07 JUL 2026

    An urgency procedure (Rule 170) passes 331–304, forcing a snap vote on the last sitting day before summer recess — the maneuver critics call the real procedural trick.

  • 09 JUL 2026

    The rejection motion gets 314 of the 361 votes required. The scheme survives. The E2EE carve-out amendment passes with 369.

  • SEP 2026

    Negotiations on the mandatory version — Chat Control 2.0 — resume. This is the fight that decides whether encrypted apps get scanned.

One procedural step remains: because Parliament amended the text, it returns to the Council, which can accept the amendments or force further negotiation. The voluntary scanning regime is in motion either way.

Section — the tracker

Who scans, and who refuses?

Scanning under the scheme is voluntary — these providers chose it, and used it for years before the April lapse. Statuses reflect each service's participation record and public commitments — updated as they change.

ServiceStatusBasis
GmailOPTS INOne of the Google services in scope. Google reported hash-matching images and video in EU accounts under the scheme, and says it does not scan text for solicitation.
Instagram DMOPTS INMeta runs media-matching on images and video across Instagram Direct and Messenger, on “surfaces that are not end-to-end encrypted”. It actioned about 1.5 million pieces of media in EU threads in 2024.
SnapchatOPTS INSnap signed the April 2026 industry pledge to keep taking “voluntary action” against CSAM on its interpersonal communications services. It has never filed a transparency report under the scheme. No end-to-end encryption for text.
Skype / OutlookOPTS INMicrosoft invoked the derogation and names Skype, Outlook, GroupMe and Teams as its services in scope. It creates digital signatures of images and video. Xbox is not among them.
iCloud MailSCANSApple confirmed in 2021 that it scans incoming and outgoing iCloud Mail attachments for CSAM, and has done since 2019. Mail is not encrypted. Apple has never reported under the scheme — this is its own policy, not the EU’s.
Facebook MessengerMIXEDPersonal chats have been E2EE by default since late 2023, and Meta scans only surfaces that are not end-to-end encrypted. It was still reporting media-matching in Messenger threads through 2024.
TelegramNOT E2EE BY DEFAULTDefault chats — including every group and channel — are encrypted to Telegram’s servers, not end to end, so the 9 July carve-out does not reach them. Telegram has never appeared among the providers reporting use of the scheme. Secret Chats are genuine end-to-end encryption, but they are opt-in and one-to-one only.
WhatsAppEXEMPT — E2EEEnd-to-end encrypted; covered by the 9 July carve-out. Meta has warned it cannot keep meaningful encryption under a scanning mandate.
iMessageEXEMPT — E2EEE2EE in transit; note iCloud backups without Advanced Data Protection weaken this.
SignalWOULD EXIT EUPresident Meredith Whittaker: Signal leaves the EU market before it weakens encryption. Restated through 2026.
ThreemaWOULD RESISTSwiss; calls the plans incompatible with its convictions, “all options” examined.
Tuta MailSUING THE EUGerman, E2EE; publicly preparing litigation against Chat Control.
Proton MailOPPOSESSwiss, E2EE, campaigning against; no exit commitment found.
SimpleX ChatNO IDENTIFIERSNo phone number, no username, no user IDs — no account that ties messages to you.

Every row verified 2026-07-10 against the sources below. A status changes → subscribers get one email.

Section — the honest part

What works, and what is theater

Client-side scanning is code inside the provider's own app, running before your message is encrypted. Anything that only changes what happens to your traffic after it leaves the app cannot help, by construction. Half the advice going around fails this test.

MeasureVerdictWhy
Leave the services that opt inWORKSOpted-in services scanned content for years under this scheme. Moving off them is the single biggest step.
SignalWORKSReal E2EE, no scanning participation, and a credible public commitment to exit rather than comply.
SimpleX ChatWORKSThe strongest architecture: no identifiers of any kind, so targeting individual users is technically much harder.
TelegramPARTIALNot a scanning participant, so it is a real step up from Gmail or Instagram DM. But default chats are not end-to-end encrypted: Telegram holds the keys and stores the messages, so the 9 July carve-out does not protect them. Only Secret Chats fall under it, and they are opt-in and one-to-one only.
Proton Mail / TutaPARTIALA real upgrade over scanned mail today. Future-proofing rests on their stated willingness to fight, not on legal exemption.
Threema / SessionPARTIALSwiss-based helps enforcement-wise; EU law is written to reach any service “offered to EU users.”
Self-hosted Matrix / XMPPPARTIALPersonal, non-commercial servers plausibly fall outside the rules — plausibly. Untested. Metadata still leaks between servers.
VPNsTHEATERScanning happens on your device before encryption. A VPN never sees the content being scanned. Useful for other things; useless for this.
TorTHEATERSame layer problem. Network anonymity does not remove scanning code from an app.
Sideloading your appsTHEATEROrders bind the provider, not the app store. A sideloaded WhatsApp is the same code.
GrapheneOS / de-Googled AndroidDIFFERENT THREATGenuinely valuable against OS-level telemetry. Does not strip scanning code out of a compliant app. Do it for the right reason.

Section — the escape ladder

Five steps, easiest first

  1. Stop feeding the services that opt in

    Minutes · free

    Move private conversations to Signal and private mail to Proton or Tuta. Gmail, Instagram DM and Snapchat participated in content scanning for years — this step matters regardless of any future vote.

  2. Bring your people with you

    An afternoon · free

    An encrypted messenger you use alone is useless. Move your three most important group chats. For anything genuinely sensitive, use SimpleX — no phone number, no username, no account tied to you.

  3. Shrink the surveillance you already carry

    A weekend · a supported Pixel

    GrapheneOS removes Google's telemetry layer. Be clear-eyed: this does not defeat in-app scanning — it removes a bigger, already-active layer underneath it.

  4. Practice metadata discipline

    Ongoing · free

    Who you talk to and when leaks even from encrypted apps. Separate identities per context. Verify safety numbers in person for anyone sensitive. Treat access to any centrally-run app as revocable.

  5. Run your own infrastructure

    Weeks · sysadmin skills

    A self-hosted Matrix or XMPP server for a small trusted circle is the only rung that doesn't rest on some company's promise to resist. You become the provider — plausibly outside the rules' commercial scope, though that reading is untested.

Section — September

The real fight is in September.

Chat Control 2.0 — the mandatory version, the one that reaches encrypted apps — returns to negotiation in September 2026. One email when that moves, and when any app's status in the tracker changes. Nothing else, ever.

Section — receipts

Sources

Every claim above traces to one of these. If you find an error, tell us and it gets fixed with a changelog entry.

  1. Council of the EU — press release, 2 July 2026
  2. European Commission — COM(2025) 740 final, implementation of Regulation (EU) 2021/1232: “Google, LinkedIn, Meta, Microsoft and Yubo submitted reports.”
  3. European Commission — COM(2023) 797 final: “Google, LinkedIn, Meta, Microsoft, and X (former Twitter) submitted reports for 2021 and 2022.”
  4. Google Ireland — transparency report under Regulation (EU) 2021/1232 (Google Chat, Hangouts and Gmail; hash-matching; no text scanning for solicitation)
  5. Microsoft — jurisdictional transparency reports: services in scope of the EU CSAM interim regulation (Skype, Outlook, GroupMe, Teams)
  6. Meta Ireland — EU CSAM derogation report: media-matching “across Messenger and Instagram Direct on surfaces that are not end-to-end encrypted”, ~1.5m items actioned in EU threads in 2024
  7. Google, Meta, Microsoft and Snap — April 2026 joint statement pledging continued voluntary detection
  8. 9to5Mac — Apple confirms it has scanned iCloud Mail for CSAM attachments since 2019
  9. The Register — vote report, 9 July 2026
  10. Euronews — the E2EE carve-out amendment
  11. netzpolitik.org — the urgency-procedure maneuver
  12. Greens/EFA — Rule 170 urgency vote, 7 July 2026
  13. Patrick Breyer — Chat Control dossier
  14. EFF — background on the April 2026 rejection
  15. The Record — Signal's EU exit warning
  16. Threema — public position
  17. TechRadar — Tuta's planned lawsuit
  18. Telegram FAQ — Cloud Chats (private and group) use client-server encryption; only Secret Chats are end-to-end encrypted
  19. Telegram protocol docs — “Secret Chats are one-on-one chats” and are device-specific
  20. fightchatcontrol.eu — contact your MEP (advocacy)
  21. EDRi — Stop Scanning Me coalition