An Inconvenient Proof
The EU just sunsetted mass scanning. I wrote a proof suggesting detection of known CSAM is mathematically defensible, and of unknown abuse material is not. No one wants to hear this argument.
It’s hard out here for a rogue methodologist ninja.
One of those early morning work sessions, when the baby falls back asleep but I can’t, recently produced a security working paper update: now my Chat Control case study features a mathematical proof showing that mass scanning for child sexual abuse material (CSAM) — specifically, hash-matching against previously identified material — is technically feasible without false positives overwhelming the investigative infrastructure required to sort them. Scanning for unknown CSAM, by contrast — the sort of mass scanning that, if technically feasible, would disproportionately save real, live children being subjected to abuse — is not.
These are two different types of mass scanning. They are often conflated in policy discussions. But mathematically, they are different problems with different resource allocation implications. Matching content against a known signal and classifying arbitrary content as signal or noise are different mathematical problems.
This proof has found its natural audience: nobody.
Privacy advocates such as Patrick Breyer tend to find the first half uncomfortable, because it concedes that maybe some mass scanning can be done without backfiring on child safety. Child safety organizations like ECPAT tend to find the second half uncomfortable, because it implies the ambitions of Chat Control 2.0 overshoot what the evidence supports.
There is no coalition of people whose priors are confirmed by “known: yes, unknown: no.” So the research sits quietly on GitHub, where I was able to update the working paper version, and not SSRN, where I could not.
What Just Happened in Brussels
On March 25, 2026, the European Parliament voted 311 to 228 with 92 abstentions against extending Chat Control 1.0 — the temporary ePrivacy derogation that had allowed providers such as Google (Gmail), LinkedIn, and Microsoft to voluntarily scan private messages for known CSAM using hash-matching. As a result, the legal basis for that scanning expired on April 4.
Unusually, this was the second vote in two weeks. An earlier Parliament vote on March 11 had endorsed extending the regime to August 2027 with 458 votes in favour, but with restrictions that already gutted mass scanning: detection would be limited to material already flagged as suspicious, applying only to users under reasonable suspicion — not to general communications. End-to-end encrypted services were explicitly excluded. In other words, mass scanning had already been voted down in the first vote; what remained was a targeted regime. The Council rejected even that. On March 16, trilogue negotiations collapsed, and the March 25 vote then killed the extension entirely.
It appears the Council’s resistance to accepting Parliament’s restrictions may have backfired. Either that, or there was just so much confusion that it was not clear to MEPs what they were actually voting for or against.
Much of the public commentary — and some of the parliamentary debate — treated this as a vote on Chat Control as a whole, or on mass surveillance in general. What actually expired was a voluntary regime for hash-matching of known CSAM on services that are unencrypted to the provider.
The mandatory AI scanning of end-to-end encrypted communications — Chat Control 2.0, the version my paper’s four-pathway analysis shows would catastrophically backfire — was never what was on the table in this vote.
The EU Commission and the vast majority of the EU Council — except for Italy — have so far categorically rejected any restrictions on untargeted mass scanning. The next expected trilogue is April 16, focusing on injunctions to detect content and encryption. The Council is not going to quietly accept the death of known CSAM scanning — nor, my proof suggests, should they, if they can build out the investigative infrastructure to handle the false positive load. Whether they can or will is a resource and political question, not a mathematical one.
The Proof (§5.4, for the Nerds)
The working paper’s new addition is two related formal results. Here they are, stripped of most notation:
Proposition — Resource tractability of known-CSAM scanning. Hash-matching works by comparing a fingerprint of the message content against a database of confirmed, previously identified material. In deployed systems that fingerprint is a perceptual hash such as PhotoDNA rather than an exact cryptographic digest, so that resized or re-encoded copies still match; the price is a small, measurable false-positive rate, but that rate is a fixed property of the matcher, not something that grows with how rare the target is. Because you're matching against a known list rather than classifying unknown content, the system's specificity approaches 1 by design: anything that doesn't match a confirmed hash is not flagged. Under these conditions, false positives stay rare and bounded, and total investigative caseload scales with the actual prevalence of known material in the corpus: a finite, manageable quantity.
This is why the base rate problem that drives Chat Control 2.0’s false positive catastrophe doesn’t apply in the same way here. Or, rather, there is a manageable base rate problem according to available data. According to my estimates updated against the Commission's implementation report, that means roughly 914 false alarms per million users, a positive predictive value of 52% — manageable as a sorting task.
Adversarial researchers can make it worse, as a recent white-box attack on PhotoDNA demonstrated in the middle of live EU policy negotiations. As I’ve previously argued, we shouldn’t be doing that.
Corollary — Resource intractability of unknown-CSAM mass scanning. For any probabilistic classifier — any AI system trying to identify new abuse material from visual or behavioral signals — specificity is strictly less than 1. The expected number of false positives is the benign share of the corpus times the false-positive rate (1 minus specificity), so it grows linearly with the number of messages scanned while the triage budget does not. At population scale, the minimum specificity required to stay within a finite investigative budget therefore approaches 1 as the number of messages approaches infinity. Since no probabilistic classifier can achieve perfect specificity, no finite investigative budget can handle the false positive load at mass scale. This is not an engineering problem solvable by better AI. It is a structural consequence of operating a probabilistic classifier at population scale under rarity.
The resource reallocation arithmetic that follows (§5.4) is stark: at 10 billion messages scanned, under intentionally generous assumptions, a high-sensitivity Chat Control 2.0 deployment generates approximately 1.598 billion false positives per scan cycle. EU-wide CSAM investigative capacity is estimated at roughly 3,000 officers. Even 30 seconds of triage per flag — an extremely conservative estimate for review of potentially illegal material — consumes approximately 2.2 times total available investigative capacity, before a single specialist prosecutor sees a case. The result holds across all 27 normative weighting combinations tested.
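To make the corollary's bound and the §5.4 arithmetic checkable, here is a small worked script. It is an added example, not code from the working paper. The inputs are the figures quoted in this post (1.598 billion false positives at 10 billion messages, roughly 3,000 investigators, 30 seconds of triage per flag, 914 false alarms per million users at a PPV of 52% for hash-matching). Two things are my assumptions, not the paper's: one scan cycle per year, and 2,000 working hours per officer-year, which is the conventional full-time year and the only reading under which the post's 2.2x figure reproduces.

```python
"""Worked arithmetic for the two scanning regimes discussed in Section 5.4.

Added example, not the working paper's code. Post figures: 1.598e9 false
positives at 10e9 messages, ~3,000 EU investigators, 30 s triage per flag,
914 false alarms per million users at PPV 52% for known-CSAM hash-matching.
Assumptions (mine, not the paper's): one scan cycle per year and 2,000
working hours per officer-year.
"""

SECONDS_PER_HOUR = 3600.0


def false_positives(n_messages: float, prevalence: float, specificity: float) -> float:
    """Expected false positives: the benign share of the corpus times the
    classifier's false-positive rate (1 - specificity)."""
    return n_messages * (1.0 - prevalence) * (1.0 - specificity)


def budget_flags(officers: int, hours_per_officer_year: float, seconds_per_flag: float) -> float:
    """Number of flags the whole workforce can triage in one year."""
    return officers * hours_per_officer_year * SECONDS_PER_HOUR / seconds_per_flag


def capacity_multiple(n_flags: float, seconds_per_flag: float, officers: int,
                      hours_per_officer_year: float = 2000.0) -> float:
    """Triage hours demanded by n_flags, as a multiple of annual capacity."""
    demanded_hours = n_flags * seconds_per_flag / SECONDS_PER_HOUR
    return demanded_hours / (officers * hours_per_officer_year)


def min_specificity(n_messages: float, prevalence: float, budget: float) -> float:
    """Corollary bound. FP <= budget  <=>  specificity >= 1 - budget / (N * (1 - p)).
    Clamped at 0: a budget larger than the benign corpus needs no filter at all.
    As N grows with a fixed budget, the bound tends to 1."""
    return max(0.0, 1.0 - budget / (n_messages * (1.0 - prevalence)))


def hash_match_caseload(fp_per_million: float, ppv: float) -> tuple:
    """Total flags and true positives per million users for the hash-matching
    regime, from its false-alarm rate and PPV.
    PPV = TP / (TP + FP)  =>  TP + FP = FP / (1 - PPV)."""
    total_flags = fp_per_million / (1.0 - ppv)
    return total_flags, total_flags * ppv


if __name__ == "__main__":
    officers, hours_per_year, secs_per_flag = 3000, 2000.0, 30.0
    budget = budget_flags(officers, hours_per_year, secs_per_flag)
    print(f"annual triage budget: {budget:,.0f} flags")
    load = capacity_multiple(1.598e9, secs_per_flag, officers, hours_per_year)
    print(f"Chat Control 2.0 at 1.598e9 false positives: {load:.2f}x annual capacity")
    for n in (1e9, 1e10, 1e11, 1e12):
        print(f"N={n:.0e} messages: specificity must be >= {min_specificity(n, 0.0, budget):.5f}")
    total, true_pos = hash_match_caseload(914.0, 0.52)
    print(f"hash-matching: {total:,.0f} flags per million users, {true_pos:,.0f} true positives")
```

The `min_specificity` loop is the corollary in numbers: at 10 billion messages the classifier must already reject more than 92.8% of benign content to stay inside the budget, at 100 billion more than 99.28%, and the requirement keeps climbing toward 1 with no fixed ceiling. The hash-matching line shows the other regime: its caseload is set by a fixed false-alarm rate and the prevalence of known material, and does not move with corpus size in the same way.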
The distinction between the two propositions is the distinction between the two votes: between the known-CSAM hash-matching regime that just expired, and the unknown-content AI scanning mandate the Council still wants. They are not the same program. They do not have the same math. And it’s unclear how the Parliament’s political battle against the former will affect the latter.
Notes on the Paper
The updated working paper is at GitHub. The SSRN version (Abstract ID 6385478) is currently out of date — I couldn’t get the revision to process in their system. If you’re citing or reading this, please use the repo.
The broader argument — four causal pathways, equilibrium modeling, comparative analysis of Chat Control, police polygraph programs, and iBorderCtrl — is unchanged. The new Proposition 1 / Corollary 1 formalization makes the known/unknown distinction rigorous rather than merely descriptive, and anchors the resource reallocation results more tightly.
The argument continues to have no natural political constituency. I continue to find this more funny than frustrating.