EU’s ChatControl proposal ‘creates new cyberattack scenarios,’ warns cybersecurity specialist

Technology company BMIT Technologies has cautioned that the European Union’s proposed ChatControl regulation – which would require the scanning of private messages to detect child sexual abuse material – poses serious risks to user privacy and data security.

Speaking to BusinessNow.mt, Christian Bajada, Head of Information Security at the company, says that the proposed client-side scanning mechanism “breaks the promise” of end-to-end encryption and could erode public trust in digital communications.

“End-to-end encryption prevents third parties from accessing data transferred from one endpoint to another. Client-side scanning breaks that promise,” Mr Bajada says.

“While this may not ‘break’ encryption, it is the same as ‘reading the message while it is being written’. The letter is ‘encrypted’ when sent, but the scanner has already ‘read’ it.”

The spokesperson adds that such systems could inadvertently expose users to new vulnerabilities.

“Client-side scanning means that your device shall be carrying out logic which may result in you being reported to authorities. This creates an opportunity for new attack scenarios where one’s data and pictures may be stolen, or where users and journalists would be maliciously reported to block their electronic access to messaging platforms,” Mr Bajada explains.

“Even if we trust that the authorities will use this power responsibly, the systems governing this scanning technology shall become a target. There’s no security backdoor that stays in the hands of the good guys.”

‘Clearly at odds with EU citizens’ right to privacy’

When asked whether the EU’s proposal could be reconciled with the right to privacy enshrined in EU law, he says the two were fundamentally incompatible.

“This is clearly at odds to EU citizens’ right to privacy as client-side scanning is only designed to work against the user’s interests,” he says.

“We already have seen how erroneous server-side scanning can ruin someone’s life, such as in the case of a parent sending photos of their toddler’s groin infection to a doctor, resulting in an investigation and being locked out indefinitely of his Google account.”

Mr Bajada further warns that the long-term risks for Malta’s digital infrastructure could be significant.

“Weakening endpoint integrity goes against other EU directives requiring state-of-the-art security, such as the Cyber Resilience Act,” he explains.

“Trust would also be eroded – can I trust this platform? Is there a backdoor scanning even though I did not give consent? For small markets like ours, the compliance burden could be debilitating. And what if, over time, the scope is extended beyond Child Sexual Abuse Material (CSAM) to other categories? Our personal devices have become an extension of our mind, and this bill is an unwelcome step towards policing our very own thoughts.”

Petition urges Maltese Government to oppose proposal

A student-led petition urging the Maltese Government to oppose the regulation has now surpassed 1,500 signatures, amid growing concerns about its implications for privacy, cybersecurity, and digital rights.

The petition, launched by David Briguglio Brown, calls on the House of Representatives to take an official stance against the proposal, which critics say would amount to “mass surveillance” by mandating the automated scanning of private digital communications.

In the petition, Mr Briguglio Brown and fellow signatories call on Malta’s Government and its representatives in the Council of the EU and European Parliament to oppose the proposal’s adoption, joining five Maltese MEPs who have already voiced concerns.

The petition argues that “the scanning of private communications, including encrypted messages, photos, videos and files without the individual’s consent, poses risks to the fundamental right to privacy.”

It also highlights a perceived “double standard”, alleging that certain public officials, including EU staff and politicians, would be exempt from the scanning measures. “This risks eroding public trust in democratic institutions,” the petition reads.

The European Commission first introduced the Regulation to Prevent and Combat Child Sexual Abuse in 2022, aiming to create a unified EU framework for detecting and removing child sexual abuse material online and preventing online grooming.

However, the proposal’s reliance on so-called client-side scanning – where content is analysed directly on users’ devices before encryption – has drawn widespread criticism. More than 500 cryptographers and security experts from 34 countries have signed an open letter warning that the technology would undermine cybersecurity and generate false positives.