Keep it secure

In democratic societies, trust in communication systems is vital for our lives and connections with others. This allows us to work, socialise, organise, express ourselves, and care for each other safely, without being put under arbitrary suspicion. Our privacy and security must be strongly protected to ensure that our most sensitive conversations are not subject to unwarranted intrusion.

States and companies launch unprecedented attacks on our devices and communications: Pegasus, client-side scanning, encryption backdoors

The recent Pegasus and #CatalanGate scandals have shown the huge risks at stake when people’s devices and communications are compromised without a legitimate and lawful reason. In Catalonia, a total of 65 direct victims, and thousands of collateral ones, were put under permanent surveillance with the Pegasus programme – spyware from the Israeli company NSO Group – for the last five years. In many regions of the world, this spyware was used to limit dissent, political expression, organisation and journalism.

Now, imagine if Pegasus spyware were installed on every single smartphone!

This is what the European Commission’s proposed new chat control legislation could do, by introducing client-side scanning as a purported solution to the sharing of illegal content online, but which in fact would fundamentally undermine encryption.

Worried about Pegasus and CatalanGate? Wait until you hear about Client-Side Scanning and the latest attack on encryption.

Help EDRi protect encryption and the confidentiality and safety of our communications in Europe and beyond!

Spyware and attacks on encryption provide malicious actors and authoritarian regimes with tools of control on a silver plate. Breaking encryption in the EU would result in undermining encryption everywhere. The EU must do better!

Donate now!

How does the EU’s new law attack encryption with Client-side scanning?

The EU’s proposed law can force companies that provide messaging and web-based email services to scan people's private conversations. This will inevitably require the use of Client-Side Scanning (CSS) systems, which would undermine the foundation of end-to-end encryption. CSS breaks one of the fundamental principles of encryption: only the sender and the recipient can access and read the content exchanged. With CSS, this is no longer the case: the content is spied on before it is sent.

A pair of hands using a phone. A police officer with circuits stemming from its body towards multiple pairs of eyes. The text "What" is written in the middle of the image.

CSS is a method using content scanning technologies to monitor and detect certain types of content on the side of a user’s device (hence the “client side”) rather than on a server, for example. Many governments around the world are exploring Client-Side Scanning as a purported way to detect unlawful content in private communications. But experts agree that CSS creates serious dangers for all users of a service.

A woman using her laptop, while icons depicting messages, phone calls or location stem from her. The text "How" is written in the middle of the image.

CSS technology is installed on the user’s mobile device, so it can scan content on the phone like personal photos, videos, messages or emails. This means that CSS techniques can monitor all content before you encrypt and send it. In some cases – like Apple’s notorious 2021 plans to introduce CSS on their customer’s phones – it would scan every photo on the device.


Protected conversation between two users. End-to-end encrypted communications ensure that no one can access the content of the messages, not even the server that facilitates the transmission.

Two examples of how communications are affected by the use of Client-Side-Scanning (CSS). The CSS system scans the content directly from the users’ phones, making it prone to attacks, whether it finds malicious content or not.

Learn more about EDRi's work on EU rules on scanning private online communications