Chat Control, the Brussels Effect, and Neil Stephenson’s Spew
“So, a week later I’m still wondering how I got this job: patrolman on the information highway. We don’t call it that, of course, the job title is Profile Auditor 1. But if the Spew is a highway, imagine a hard-jawed, close-shaven buck lurking in the shade of an overpass, your license plate reflected in the quicksilver pools of his shades as you whoosh past. Key difference: we never bust anyone, we just like to watch.” (Stephenson, N. (1994, October 1). Spew.)
The European Union’s proposed Regulation to Prevent and Combat Child Sexual Abuse, known as “Chat Control,” is built upon precisely this premise of permanent watching. Its central tool is mandatory client-side scanning of all private communications: messages, images, and files inspected on a user’s device before they are encrypted (European Commission, 2022). Unlike targeted investigations, this is systematic and indiscriminate monitoring.
Stephenson’s patrolman analogy encapsulates the problem. In his dystopia, the observer does not intervene but catalogues everything. Similarly, the EU’s regulation seeks to observe all messages by default, and only then escalate “suspicious” content. The European Data Protection Board and European Data Protection Supervisor warned that the draft law “introduces a general monitoring obligation” that violates both the Charter of Fundamental Rights (Articles 7 and 8) and the GDPR principle of data minimisation (EDPB & EDPS, 2022). The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
Yet, because the EU regulations have a global reach, the impact will not be confined to its citizens. Messaging providers like WhatsApp, Signal, and Telegram operate transnationally. Global firms often choose to comply with EU law across their operations rather than fragment their code base. That means adoption in Brussels could trigger worldwide scanning, with non-EU users involuntarily pulled into the surveillance regime.
The question burning in the author’s mind: Will international visitors to Europe face surveillance when using local networks, even briefly?
Potential for Misinterpretation
“It looks like chaos, even to me, but to the proctors, watching all my polygraph traces superimposed on the video feed, tracking my blood pressure and pupil dilation, there is a strange attractor somewhere down there, and if it’s the right one….” (Stephenson, N. (1994, October 1). Spew.)
The epigraph highlights the interpretive leap from noisy data to supposed meaning. Automated CSAM detectors make the same leap. A CSAM detector is a tool, usually software, designed to identify child sexual abuse material (CSAM) in digital communications, images, videos, or files. The European Parliamentary Research Service (2023) concluded that tools for detecting new material and grooming have “very high error rates,” risking both over-reporting and misidentification of lawful conduct. The EDPS warned that algorithmic opacity and bias make proportionate application unlikely (EDPS, 2022).
False positives are not abstract. Innocent family photos, adolescent sexting, or private jokes can all be flagged as illegal, subjecting ordinary people to investigations. The Swiss Federal Council (2022) reported false-positive rates as high as 80 percent in pilot projects. For international travelers in Europe, this risk is acute: a vacation photo sent while abroad could be misclassified, initiating a process with local law enforcement.
Through the Brussels Effect, such risks extend globally. If platforms harmonize compliance with EU standards, users everywhere may face the chilling possibility that innocent messages are flagged and shared with foreign authorities. This undermines trust not just in European digital services but in the global infrastructure of communication.
Loss of Secure Encryption
“When a schmo’s paycheck is delivered over the I-way, the number on the bottom line is plotted in his Profile, and if that schmo got it by telecommuting we know about that too – the length of his coffee breaks and the size of his bladder are an open book to us. When a schmo buys something on the I-way it goes into his Profile, and if it happens to be something that he recently saw advertised there, we call that interesting, and when he uses the I-way to phone his friends and family, we Profile Auditors can navigate his social web out to a gazillion fractal iterations, the friends of his friends of his friends of his friends, what they buy and what they watch and if there’s a correlation.” (Stephenson, N. (1994, October 1). Spew.)
Stephenson’s parable of the schmo’s life reduced to a profile is prescient. Client-side scanning breaks the promise of end-to-end encryption by ensuring content is inspected before encryption is applied. The Internet Society (2023) concluded that “you cannot simultaneously have robust end-to-end encryption and client-side scanning.” A technical consensus paper authored by Abelson, Anderson, Bellovin, and others (2021) makes the same point: client-side scanning creates systemic vulnerabilities, exposes data to hackers, and eliminates the core assurance that only sender and recipient can access the message.
Once again, the Brussels Effect amplifies this concern. If providers implement backdoors for the EU, they are unlikely to maintain distinct versions of their apps elsewhere. Encryption, the backbone of digital security from financial transactions to dissident communications, could be weakened globally. This does not only expose Europeans. It endangers journalists in authoritarian states, whistleblowers in democracies, and ordinary users worldwide.
The Stalker Mode Just for You
“Thenceforward I am in full Stalker Mode, I stake out your Profile, camp out in the middle of your income-tax returns, dance like an arachnid through your Social Telephony Web, dog you through the Virtual Mall trying to predict what clothes you’re going to buy. It takes me about 10 minutes to figure out you’ve been buying mascara for one of your girlfriends who got fired from her job last year, so that solves that little riddle. Then I get nervous because whatever weirdness it was about you that drew the Commander’s attention doesn’t seem to be there anymore. Almost like you know someone’s watching.” (Stephenson, N. (1994, October 1). Spew.)
Stephenson describes function creep, the patrolman moves from one dataset to another, extending surveillance beyond its initial mandate. The same logic applies to Chat Control. Though justified as necessary to combat child sexual abuse, civil society groups warn that once established, the infrastructure could be repurposed to monitor political dissent, copyright infringement, or extremism. Let’s read the proposed legislation:
(63) For the purpose of ensuring the traceability of the reporting process and of any follow-up activity undertaken based on reporting, as well as of allowing for the provision of feedback on reporting to providers of hosting services and providers of publicly available interpersonal communications services, generating statistics concerning reports and the reliable and swift management and processing of reports, the EU Centre should create a dedicated database of such reports. To be able to fulfil the above purposes, that database should also contain relevant information relating to those reports, such as the indicators representing the material and ancillary tags, which can indicate, for example, the fact that a reported image or video is part of a series of images and videos depicting the same victim or victims.
(Interinstitutional File: 2022/0155, COD, p.29)
The Court of Justice of the European Union has repeatedly struck down indiscriminate retention and surveillance laws on precisely these grounds, insisting on targeted, necessary, and proportionate measures (CJEU, 2016; CJEU, 2020). But function creep is not just a European risk. By virtue of the Brussels Effect, once the EU normalizes scanning, authoritarian governments will point to Europe as precedent and demand similar capabilities from providers. The global standard might shift from privacy as default to surveillance as norm.
The Brussels Effect: Europe’s Global Reach?
“And from the middle distance it looks pretty normal. I can see at a glance you are a 24-year-old single white female New Derisive with post-Disillusionist leanings, income careening in a death spiral around the poverty line, you spend more on mascara than is really appropriate compared to your other cosmetics outlays, which are Low Modest…” (Stephenson, N. (1994, October 1). Spew.)
Stephenson’s fictional surveillance apparatus, capable of instantly parsing the intimate details of personal existence, captures the unsettling trajectory of contemporary European regulatory ambition. What appears “pretty normal” from a distance reveals itself as comprehensive behavioral monitoring upon closer examination. This literary vision of The Brussels Effect finds disturbing parallels in the Chat Control regulation, which masquerades as routine child protection policy while establishing the infrastructure for universal surveillance.
Superficially, the regulation appears to be a European policy choice, a domestic balance of child protection and privacy. But the EU is no ordinary regulator. Through the Brussels Effect, its standards influence or become global defaults. GDPR provides the clearest precedent: companies worldwide adapted their data protection practices to EU requirements because it was cheaper to harmonize than fragment. The same dynamic might apply here. See the Annex Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down rules to prevent and combat child sexual abuse:
(5) In order to achieve the objectives of this Regulation, it should cover providers of services that have the potential to be misused for the purpose of online child sexual abuse. As they are increasingly misused for that purpose, those services should include publicly available interpersonal communications services, such as messaging services and web-based e-mail services, in so far as those services as are publicly available. As services which enable direct interpersonal and interactive exchange of information merely as a minor ancillary feature that is intrinsically linked to another service, such as chat and similar functions as part of gaming, image-sharing and video-hosting are equally at risk of misuse, they should also be covered by this Regulation.
(Interinstitutional File: 2022/0155, COD, p.3)
What are the implications? The implications are threefold. First, international visitors: anyone traveling within the EU will have their communications scanned, regardless of nationality. A tourist from the United States, Brazil or Japan using WhatsApp in Paris will be subjected to the same surveillance obligations as a European citizen. Second, foreign companies: global messaging services will likely implement scanning across their platforms, making non-EU users subject to European standards even outside Europe. Third, authoritarian states might cite EU policy to legitimize their own surveillance demands, arguing that if Europe scans everyone, then they should be able to do so too, with access to metadata. Metadata defined in this the context of chat control is described as:
(29a) Metadata connected to reported potential online child sexual abuse may be useful for investigative purposes and for the purpose to identify a suspect of a child sexual abuse offence. For the purpose of this Regulation, the term ‘metadata’ should be understood as data other than content data referring to information about documents, files or communications. Metadata may include, depending on the case, information about the time, IP address and place of, port number and the devices used for, the creation or exchange of the documents, files or communications at issue and about any modifications made thereto.
(Interinstitutional File: 2022/0155, COD, p.20)
The paradox of the Brussels Effect – the Regulation to Prevent and Combat Child Sexual Abuse or Chat Control risks exporting surveillance itself.
European Surveillance Standards vs Ulysses S. Grant
The American Constitutional Foundation and Legislative Equality
Ulysses S. Grant, the 18th President of the United States (1869-1877) and former Union Army commanding general during the Civil War, articulated “Laws are to govern all alike – those opposed as well as those who favor them. I know no method to secure the repeal of bad or obnoxious laws so effective as their stringent execution.” (Grant, 1869)during his presidency as America grappled with Reconstruction-era enforcement challenges. His observation that “laws are to govern all alike” reflected hard-won wisdom from a nation that had just fought a devastating civil war partly over the principle that some classes of people could be exempted from fundamental legal protections.
The aspiring global reach of European surveillance stands in stark contrast to the constitutional principles that have historically constrained American regulatory overreach. Where Stephenson’s fictional panopticon achieves its power through the seamless integration of monitoring across all social boundaries, the American constitutional framework was deliberately designed to prevent such comprehensive governmental oversight through structural limitations on state power.
When Ulysses S. Grant declared that “laws are to govern all alike, those opposed as well as those who favor them,” he articulated a principle that directly challenges the selective application evident in Chat Control’s proposed exemptions. Grant’s insight flows from the constitutional architecture established by America’s Founders, who designed governmental structures specifically to prevent the emergence of privileged classes immune from the laws they impose on others. Let’s see what the proposed regulation says:
2.a. This Regulation shall not apply to professional government accounts using services or parts of the services
(Interinstitutional File: 2022/0155, COD, p. 36)used by the Statefor national security purposes, maintaining law and order or military purposes. 2b. The Regulation shall not apply to confidential information, including classified information, information covered by professional secrecy and trade secretsand information and communication systems processing such information.
Conclusion: Nicomachean Ethics
“Thenceforward I am in full Stalker Mode… Then I get nervous because whatever weirdness it was about you that drew the Commander’s attention doesn’t seem to be there anymore. Almost like you know someone’s watching.” (Stephenson, N. (1994, October 1). Spew.)
The EU’s Chat Control proposal threatens to normalize this effect for Europeans and, through the Brussels Effect, for visitors and businesses worldwide. From the perspective of Aristotle’s Nicomachean Ethics, virtue lies in the mean between extremes, guided by phronesis or practical wisdom (Aristotle, trans. 2009). The excess here is indiscriminate mass surveillance under the pretext of child protection. The deficiency would be doing nothing to prevent abuse. A virtuous mean requires targeted, proportionate measures that actually protect children without destroying encryption or privacy. If Europe enshrines surveillance, it legitimizes authoritarian demands and reshapes global norms toward constant monitoring rather than fundamental trust.
Aristotle himself witnessed how Athens, the birthplace of democracy, could turn tyrannical by executing Socrates for asking inconvenient questions and threatening the established order.
The last word belongs to Socrates’ warning: “Tyranny naturally arises out of democracy.”
Dr. Jasmin (Bey) Cowin, a columnist for Stankevicius, employs the ethical framework of Nicomachean Ethics to examine how AI and emerging technologies shape human potential. Her analysis explores the risks and opportunities that arise from tech trends, offering personal perspectives on the interplay between innovation and ethical values. Connect with her on LinkedIn.
References
Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., Landau, S., Neumann, P. G., Rivest, R. L., Schiller, J. I., Schneier, B., & Teague, V. (2021). Bugs in our pockets: The risks of client-side scanning. Journal of Cybersecurity, 7(1), taab005. https://www.lawfaremedia.org/article/bugs-our-pockets-risks-client-side-scanning
Aristotle. (2009). Nicomachean ethics (W. D. Ross, Trans.). Oxford University Press. (Original work published ca. 350 BCE)
Bradford, A. (2020). The Brussels effect: How the European Union rules the world. Oxford University Press.
Grant, U. S. (1869, March 4). First inaugural address. The Avalon Project, Yale Law School.
Internet Society. (2023). Internet impact brief: Client-side scanning in the EU. Internet Society.
Stephenson, N. (1994, October 1). Spew. *WIRED*. https://www.wired.com/1994/10/spew/
Swiss Federal Council. (2022). Report on automated detection of child sexual abuse material. Bern.
