Avoiding EU “Chat Control” and Chat Surveillance
14 October 2025 • 45 min read

The European Union’s proposed “chat control” regulation has raised alarm among privacy advocates. We agree with the intent—protecting people from harmful, illegal content is a legitimate goal—but we’re against solutions that impose blanket surveillance or disproportionate burdens on the innocent majority. As drafted, “chat control” would require scanning of private communications—even end-to-end encrypted chats—by installing scanning mechanisms on users’ devices, effectively turning personal phones into potential monitoring tools.
This guide provides actionable steps for both general users and professionals to protect private chats on mobile (iOS and Android) from such mass-surveillance approaches and similar spyware. We’ll explain what chat control is, why it’s risky, and how to harden your mobile communications—through secure apps, OS settings, careful app choices, and solid privacy habits. (A follow-up will cover desktop and web platforms.)
What Is “Chat Control” and Why Is It Risky?
Chat Control is a controversial EU proposal (part of the draft Child Sexual Abuse Regulation) that would mandate mass scanning of all private messages and files, even on end-to-end encrypted services. This scanning would happen via client-side scanning – i.e. your own device would scan messages and photos before or as you send them. The goal is to flag illicit content (like CSAM), but the implications are dire: it’s essentially government-mandated spyware on every phone.
Privacy and Security Risks: Client-side scanning undermines end-to-end encryption (E2EE) by accessing content on one of the “ends” (your device) before it’s encrypted. In E2EE, only sender and receiver can read messages – but if the device itself is forced to peek at messages, the confidentiality promise is broken. In effect, chat control installs a backdoor, since it functions just like having an eavesdropper in your phone. The EU Council’s own legal service warned it could lead to mass surveillance and weaken data protection rights. Security experts note that expanding the attack surface in this way makes everyone less safe. A phone that must scan its owner’s data can be turned into a “bug in our pocket,” vulnerable to abuse by hackers or authoritarian regimes.
False Positives and Mission Creep: The content detection algorithms (often AI-based) are unreliable and prone to mistakes. False positives have already caused innocent people to be flagged – for example, a father was erroneously flagged as a predator due to a misinterpreted photo he sent for medical advice. Once such scanning exists, experts fear mission creep: today it’s child protection, tomorrow it could expand to political speech or other content, chilling free expression. Even European intelligence agencies have warned that weakening encryption via client-side scanning is a “cybersecurity nightmare”.
In short, chat control = mass surveillance. It would deploy “personalised spyware to millions of people’s devices”, treating every citizen as a suspect by scanning communications without cause. This not only erodes privacy but also creates new vulnerabilities for criminals to exploit. The very people meant to be protected could be put at greater risk if secure channels are compromised.
How Can Private Chats Be Monitored or Compromised?
Understanding the threat helps us counter it. Here are the primary ways that spies or surveillance systems could access your messages:
- Client-Side Scanning (CSS): As with the EU proposal, apps or the OS itself could scan content on your phone. This happens before encryption or after decryption, so even E2EE messages get inspected. Essentially, an algorithm watches your messages in real time and compares them to databases of “bad” content. This voids the privacy of E2EE – it’s akin to an encryption backdoor. The scanned data or “hashes” of it are then sent to servers if a match or suspicion is found. This mechanism can be hidden inside messaging apps or even baked into the operating system. Takeaway: If client-side scanners are deployed, anything you send could be read by an automated system (and forwarded to authorities), even if the channel is encrypted.
- Compromised or Malicious Apps: Not all privacy threats are legal mandates; some apps themselves can be spyware in disguise. Malicious chat apps (or fake “secure” messengers) may capture your conversations and send them to bad actors. Even mainstream apps can have third-party SDKs (software components) that leak data. For example, many apps include trackers for analytics or ads. These trackers might not target your messages specifically, but they collect a lot of info about your device and usage. In worst cases, a rogue SDK could log keystrokes or message content. Case in point: the UAE’s “ToTok” messenger was reportedly a government spy tool harvesting user chats. Takeaway: An app with poor reputation or excessive permissions could be reading more than it should – choose trusted, verified apps (we’ll cover how below).
- Device-Level Spyware (Trojans): Powerful spyware like NSO Group’s Pegasus can infect phones and gain complete access to calls, texts, chats, microphone, camera, and more. Such spyware often uses exploits to install itself without your knowledge (sometimes via a simple message or missed call). Once inside, it can copy all your messages and photos, even those sent on encrypted apps, by acting as you or reading your screen. It basically makes your phone a 24/7 surveillance bug. These tools are typically used in targeted attacks (e.g. against journalists, activists or high-profile targets), but some less advanced variants (stalkerware) can be deployed by anyone with brief physical access to your phone. Takeaway: If your device gets infected with malware, encryption won’t protect you – the spyware will see everything. That’s why device security (updates, safe downloading, etc.) is critical.
- Network & Cloud Weaknesses: Traditional network eavesdropping (like wiretapping or Wi-Fi interception) can’t decipher E2EE chats, but unencrypted channels (SMS, standard phone calls, or improperly configured apps) are vulnerable. Also, if you use cloud services that store your messages, those copies can be accessed. For instance, if your WhatsApp or iMessage chats are backed up unencrypted to the cloud, governments or hackers could subpoena or breach those backups to read your conversations. Even without chat control laws, companies like Google, Apple, or Facebook can be compelled to hand over data they can read – which is why we emphasize minimizing cleartext data in the cloud.
By knowing these attack methods, we can tailor our defenses: use genuine secure apps, keep devices clean from malware, limit what’s stored in the cloud, and generally reduce opportunities for prying eyes. Next, we’ll dive into practical steps to do exactly that.
Use End-to-End Encrypted Apps That Prioritize Privacy
Your choice of messaging app is crucial. Prefer apps with strong end-to-end encryption and a proven privacy track record. Such apps encrypt messages on your device and only decrypt on the recipient’s device – no one in the middle (not even the service provider) can read them. Equally important, choose apps that refuse to implement client-side scanning or other backdoors.
- Signal: A highly trusted open-source messenger known for its uncompromising stance on privacy. All Signal messages, calls, and video chats are end-to-end encrypted by default. Signal collects virtually no metadata and doesn’t store your contacts or conversations on any server. Notably, Signal’s leadership has stated it would withdraw from the EU market rather than weaken its encryption for chat control. This commitment makes Signal a top recommendation for avoiding surveillance. (Tip: Enable features like registration lock PIN and disappearing messages on Signal for extra security.)
- Threema: A paid secure messenger (based in Switzerland) that is also end-to-end encrypted and does not even require a phone number or real name – it generates a random ID for you, preserving anonymity. Threema’s developers have openly said the chat control plans conflict with their data security principles, and if forced, they would consider all options (possibly even blocking EU users rather than comply). Using Threema can thus reduce exposure to any compliance with scanning mandates, and it’s designed for privacy by minimizing data retention (contact lists and groups are stored only on your device, not on servers).
- WhatsApp (with Caution): WhatsApp uses the Signal encryption protocol, so its chats are technically end-to-end encrypted. The company (owned by Meta/Facebook) has publicly opposed the EU chat control proposal, arguing it would undermine everyone’s privacy and security. WhatsApp has even indicated it would rather be blocked in some countries than break encryption. However, because it’s a big corporate service, there’s uncertainty about how it will react if laws pass. Use WhatsApp only if you and your contacts need it – and adjust its settings for privacy (see backups section below). Keep an eye on news: if WhatsApp ever caves to scanning demands or weakens encryption, be prepared to switch.
- Other Secure Apps: Consider alternatives like Element (Matrix), Wire, Session, or Jami. These are open-source and encrypted. Matrix, for instance, is a decentralized network – you can choose a server or self-host, making blanket surveillance harder. The Element app (Matrix client) supports E2EE and because of Matrix’s open nature, even if one client were pressured to add scanning, others could fork the code and remove it. Session is another messenger that routes messages through an onion network (no central server, no phone number required), providing anonymity and encryption. Wire (based in Switzerland) offers e2e encryption and enterprise options, and Jami is a peer-to-peer messenger requiring no server at all. The key is that these options are designed to resist surveillance – no plain-text data for authorities, and being open-source, any attempt to add spyware would likely be caught by the community.
- Avoid Insecure Platforms: Do NOT rely on SMS or unencrypted email for private conversations. SMS messages (and standard phone calls) can be easily intercepted by carriers or governments – they are not encrypted at all. Likewise, Facebook Messenger and Instagram Direct are not E2EE by default (Messenger has an optional “Secret Chat” – which you should use if you must use Messenger – but regular chats are stored on Facebook’s servers in plain form). Any service that doesn’t offer end-to-end encryption or uses proprietary encryption with no transparency should be assumed unsafe against a determined surveillance regime. For example, Telegram is popular, but note that its default chats are cloud-based (the service can read them) – only “Secret Chats” are device-to-device encrypted. So if privacy is critical, Telegram is not as secure as Signal or others, and it could theoretically enable scanning on its servers.
Practical Takeaway: Install one of the recommended secure messaging apps and encourage your contacts to use it for sensitive conversations. If an app is open-source, even better – that means its code can be audited for backdoors (and forked if needed). Publicly commit to using apps that respect user privacy; many of these apps also vocally oppose laws like chat control. By choosing them, you’re not only protecting yourself but also sending a message in support of privacy-friendly services.
Disable Cloud Backups and Safeguard Your Message History
Even the best encrypted chat app can be undermined if your messages are quietly copied to the cloud in readable form. Many messengers offer cloud backup options (to save your chat history on Google Drive, iCloud, etc.), but these backups often are NOT encrypted – meaning they’re a weak link for privacy. If authorities or hackers can obtain those backups, your conversations are exposed. To lock this down:
- Turn Off Chat Backups (or use local encrypted backups): The safest approach is to disable automatic cloud backups for your messaging apps. For example, in WhatsApp, go to Settings > Chats > Chat Backup and set it to Never (no backup), or at least do not use cloud services for backup. WhatsApp now has an option for end-to-end encrypted backups – if you want backups, enable that and set a strong password. (Keep that password safe; if lost, the backup is irretrievable by anyone, which is the point.) iMessage on Apple devices is a bit tricky: iMessages are end-to-end encrypted between devices, but if you have iCloud Backup enabled for your iPhone, it may include a copy of the key so Apple could technically access those messages. The solution is to either disable Messages in iCloud / iCloud Backup for messages, or turn on Apple’s Advanced Data Protection (which end-to-end encrypts most iCloud data, including backups). Apple’s Advanced Data Protection, if available in your region, ensures that not even Apple can read the content of your iCloud backups – highly recommended if you use iMessage or store sensitive data in iCloud.
- Beware of Auto-Sync Photo Backups: Chat control proposals have included scanning not just texts but also photos (for example, Apple’s shelved plan to scan iCloud Photos). If your messaging app auto-syncs images or media to cloud storage, consider turning that off. For instance, WhatsApp lets you choose whether media is included in backups. Similarly, apps like Signal by default do not backup anything to cloud – Signal only makes local encrypted backups (which you must manually enable and transfer). Prefer apps that give you control over backups. Telegram users: note that Telegram’s default cloud chats are essentially a continuous backup on Telegram’s servers (not E2E encrypted) – there’s no way to “disable” that except by not using cloud chats. Yet another reason to use truly E2E apps.
- Regularly Purge Sensitive Chats: In addition to managing backups, practice good data hygiene. If a conversation contains very sensitive info, consider using disappearing messages (many apps allow you to have messages auto-delete after a set time) or manually delete the chat once it’s no longer needed. The less lingering data on your device or cloud, the less can be scanned or leaked. For instance, in Signal you can set all new conversations to auto-delete messages after, say, 1 week or 1 day. This way, even if an attacker or scanner accesses your phone later, they won’t find a long archive of past chats. Just be sure your contact is okay with it and understands the messages will vanish (to avoid confusion).
- Communicate Privacy Preferences to Contacts: Backups are one area where your privacy can depend on your friend’s choices. If you’re using WhatsApp with a friend, and you have backups off but they left backups on, the chat is still being saved in their cloud. Politely encourage friends to turn off or encrypt backups as well. On professional teams, set policies for secure communication that include disabling cloud backups. EFF recommends not backing up secure messenger data to the cloud at all, because unencrypted backups “introduce a significant hole” in your security. So make it a shared practice.
How to Disable/Encrypt Backups – Examples:
- WhatsApp: Settings > Chats > Chat Backup. If using Android, ensure “Back up to Google Drive” is set to Never (or if you need it, use the End-to-End Encrypted Backup option in the same menu – you’ll create a password or 64-digit key). On iOS, set Auto Backup = Off in the Chat Backup settings, or if you enable the encrypted backup, follow the prompts to secure it with a password.
- iPhone iCloud (iMessage): Settings > [your name] > iCloud > iCloud Backup – you can turn off iCloud Backup entirely (you’ll have to back up your device locally via computer, which you can encrypt with a password in iTunes/Finder). Alternatively, turn on Advanced Data Protection (in Settings > Privacy & Security > Advanced Data Protection) which ensures only you hold the keys for iCloud data. Also, if you want to disable just Messages in iCloud syncing: Settings > [your name] > iCloud > Show All > Messages – turn that off to stop syncing messages to iCloud. This means messages won’t be stored on Apple’s servers at all, only on your devices.
- Signal: Signal by default doesn’t use cloud backup. It can create an encrypted local backup file on your device if you manually enable it (you set a passphrase for the backup, and Signal produces an encrypted blob you can move off device for safekeeping). If you use this, store it securely (like on a computer or drive encrypted) and do not upload it to generic cloud storage unless you put it in another encrypted container (to avoid someone in cloud getting hold of it).
By taking these steps, you ensure that your private messages remain truly private, existing only on your devices and those of your intended recipients – not floating in some cloud where a company (or scanning algorithm) can peek. It closes a major loophole that surveillance can exploit.
Harden Your Smartphone’s Operating System
Beyond messaging apps, the security of your mobile operating system (OS) is the foundation for privacy. A hardened, privacy-focused OS can make it far more difficult for spyware or unwanted scanning to operate. Here are strategies for both Android and iOS:
- Use a “De-Googled” or Privacy-Focused Android OS: Standard Android phones (especially from big manufacturers) come with Google’s services deeply integrated, which means a lot of data collection by default (location, usage stats, etc.). Moreover, if the stock OS is modified in the future to include scanning hooks, you might have little control. Consider switching to a custom Android distribution that prioritizes privacy and security. GrapheneOS and CalyxOS are two leading examples:
- GrapheneOS: An open-source, security-hardened OS for Google Pixel phones. It strips out Google tracking by default (though it allows sandboxed installation of Play services if you absolutely need them for some apps). GrapheneOS has robust hardening features: enhanced sandboxing, a network and sensors permission toggle (you can literally disable network access for specific apps), and many exploit mitigations. It’s maintained with monthly updates. Because it’s community-driven, it’s extremely unlikely to incorporate a client-side scanner; if Google introduced scanning in stock Android, GrapheneOS would not include that code unless legally forced. Many privacy-conscious professionals (journalists, etc.) use GrapheneOS on Pixel devices to get the best of both security updates and privacy.
- CalyxOS: Another privacy-oriented OS (also often used on Pixel or select devices). It is slightly more user-friendly, including some conveniences like an optional curated app store (F-Droid) and microG (an open-source substitute for some Google services). CalyxOS encrypts everything and offers features like “Auditor” to verify your OS hasn’t been tampered with. Both Calyx and Graphene allow finer control over app permissions than stock Android.
- LineageOS / /e/OS: If your device isn’t supported by Graphene or Calyx, LineageOS is a popular open-source Android fork that you can de-Google (don’t install the optional Google apps package, or use alternatives). /e/OS is a variant of Lineage with privacy defaults and its own ecosystem. While these may not have all the hardened security of Graphene, they remove a lot of trackers and bloat, and give you more control. Note: Installing a custom OS requires some technical process (unlocking bootloader, etc.) – follow official docs carefully or seek help if unsure.
- Hardened iOS Setup: You can’t replace iOS with a custom ROM, but Apple devices do have strong security if used properly. To maximize privacy on an iPhone:
- Enable Lockdown Mode (on iOS 16+): This is an extreme protection mode Apple provides for users at high risk of targeted spyware (like Pegasus). It disables many vulnerable features (e.g. most message attachments, link previews, FaceTime from unknown callers, etc.) to shrink the attack surface. If you think you could be targeted by advanced spyware or you just want maximum protection, go to Settings > Privacy & Security > Lockdown Mode and turn it on. It’s a trade-off (some conveniences disabled) but dramatically lowers risk of zero-click hacks.
- Keep iOS Updated: Always install the latest iOS updates, as they often include security fixes for exploits that spyware may use. For example, NSO’s Pegasus frequently used zero-days that Apple then patched. Don’t delay updates, since once a vulnerability is known, lesser attackers might start using it.
- Tweak Privacy Settings: Go through Settings > Privacy & Security and review each category (Camera, Microphone, Photos, Contacts, etc.). Restrict access for apps that don’t need each permission. For messaging apps, you might allow Camera and Mic for calling features, but perhaps deny Location if it’s not required. iOS lets you give apps access to only selected photos instead of your whole library – use that feature when sharing images. Also, disable things like “Personalized Ads” (under Apple Advertising) and Analytics sharing with Apple to reduce data sent out.
- Limit iCloud Data: As discussed, use Advanced Data Protection to encrypt iCloud, or turn off iCloud for sensitive data categories. Also consider signing out of iCloud or using a separate Apple ID with minimal info for a device if you want to compartmentalize usage (some advanced users do this to keep certain activities completely separate).
- No Jailbreaking (in most cases): Jailbreaking (or rooting on Android) might tempt power users, but it bypasses a lot of built-in security. On iOS, jailbreaks disable some of Apple’s sandboxing and can allow any app (or malware) to gain elevated privileges. Unless you really know what you’re doing and have a specific need, avoid jailbreaks on a primary device – the security loss usually outweighs any gain. On Android, rooting can similarly expose you if not done carefully; many banking or secure apps won’t even run on rooted devices.
- Device Encryption & Strong Lock: Ensure your device’s storage is encrypted (on modern iOS and Android it is, as long as you set a lock PIN/password). Use a strong passcode or password for your phone, not just a simple 4-digit code. This helps if your device is seized – a strong encryption passcode will protect your data from most attackers. Biometric unlocks (fingerprint/FaceID) are convenient; they’re generally secure but be aware that at borders or in some legal situations, you might be compelled or tricked into biometric unlock. You can temporarily disable FaceID/TouchID (on iPhone, pressing the power button 5 times quickly will do this) if you feel at risk, which forces the passcode entry. This is more of a high-risk scenario tip.
- Disable Unused Features: Turn off wireless interfaces when not needed – e.g., keep Bluetooth and NFC off if you’re not using them, as they can be avenues for attack (there have been Bluetooth vulnerabilities allowing remote installation of malware). Also, in Settings, look at things like Exposure Notifications, Universal Clipboard, etc., and decide if you need them. Apple and Google have been known to use device analytics (though anonymized) – you can usually opt out in settings (“Share usage data” off).
In essence, think of your phone as a sensitive notebook: lock it up (encrypt it), reduce who/what can access it (permissions), and keep its “software locks” up to date. Using a custom privacy-focused OS on Android or leveraging iOS’s security features will make it much harder for any scanning system or spyware to gain a foothold. Even if chat control became reality, a hardened OS might allow savvy users to avoid installing the offending updates or to run alternative apps that don’t comply.
Limit App Permissions and Leverage Sandboxing
Modern smartphone OSes already sandbox apps (isolating their data from each other), but users can take extra steps to minimize what any single app – or potential spy tool – can access. Reviewing permissions and using sandboxing techniques can prevent unnecessary data exposure:
- Audit App Permissions Regularly: Go into your phone’s settings and find the Privacy or Permissions section to see what permissions each app has. On Android, you can view a “Privacy Dashboard” (on Android 12+) that shows which apps accessed sensitive sensors (mic, camera, location) recently. On iOS, you can see little indicators (orange dot for microphone, green for camera) in real-time, and in Settings > Privacy each category lists apps with access. Revoke permissions that don’t make sense. For example: A messaging app might request access to your contacts (to find friends). If you’re not comfortable with that, many apps let you use them without contact access (you’d have to manually add contacts or accept they can’t show who is on the app from your address book). Red flag: If an app requests permissions that seem unrelated to its function (like a simple game asking for your SMS or a wallpaper app wanting microphone), that’s a sign of potential spyware or data-harvesting. You should deny those or uninstall the app.
- Use One-Time and Background Permissions Wisely: Both Android and iOS allow one-time permission grants for location, camera, etc., or “Only while using the app” access. Prefer those over “Allow always.” For instance, if a mapping app needs location, you can allow it only when the app is in use, preventing it from tracking you in the background. Android also has an auto-reset feature (permissions auto-revoke from apps you haven’t used in a long time) – ensure that’s enabled (in Android settings under Privacy or Apps). This way old apps lying around don’t keep excessive rights forever.
- Isolate Apps via Work Profile or Multiple Users (Android): Android has a neat feature called Work Profile (or you can use the app Shelter to create one on personal devices) which creates a separate space for apps. You could put more sensitive apps in a work profile or vice versa, so that data separation adds an extra layer of sandboxing. For instance, you could run a second instance of a messaging app in the work profile with a different account, completely segregated from your main profile’s data. Some custom ROMs and devices also allow multiple user accounts on the phone – you could have a “secure” user where you only have a few apps with no Google integration, and a “daily” user for normal use. This might be overkill for casual users, but for professionals handling sensitive info, it’s a way to compartmentalize data. If malware or a scanner gets access in one profile, it may not see data in the other.
- Limit Accessibility and Device Admin Access: Certain powerful Android permissions like Accessibility Service or Device Admin can be abused by malware to gain extensive control (e.g., Accessibility can read screen contents and perform taps – some trojans trick users into enabling this). Check Settings > Apps > Special App Access (on Android) for things like “Apps that can appear on top,” “Apps with accessibility access,” “Device admin apps.” Make sure only apps that truly need these (if any) have them. For example, a password manager might use Accessibility for autofill – that could be okay. But if you see something unfamiliar in that list, revoke it. On iOS, there’s no equivalent of device admin apps generally, but do check for any configuration profiles installed (in Settings > General > VPN & Device Management). If you’re not part of a managed enterprise or using a specific VPN, you likely should have no profiles installed. A rogue profile can impose policies or even root certificates that intercept traffic.
- Use a Firewall or DNS Filter: Even though apps are sandboxed, they can still send data out via the internet if permitted. Consider using a network-level blocker to control this. Apps like NetGuard, TrackerControl, or RethinkDNS on Android act as a local VPN to filter traffic – you can block internet access for specific apps entirely (just like Graphene’s network toggle, but via an app for any Android). You can also block known tracker domains system-wide. On iOS, you cannot outright firewall individual apps (unless you use a third-party “secure firewall VPN” service), but you can use DNS privacy apps (like NextDNS or AdGuard) to block tracking domains at the DNS level. This won’t stop an app from sending data to its own server, but it can shut off a lot of tracker chatter (like analytics, ad networks). It also can prevent known malware domains from operating. Some MDM apps or third-party security apps on iOS offer blocking, but choose carefully (an app that acts as VPN sees all your traffic, so only use reputable sources).
- Don’t Overload on Apps: Each additional app on your phone is another potential weak point. Uninstall apps you don’t use. Try to stick to well-known apps, or even better, open-source apps available from trusted repositories (Android’s F-Droid store is a good source of open-source apps that often are more privacy-respecting by design). The more minimal your device, the smaller the attack surface. If possible, avoid apps that are known to be heavy on tracking. For example, Facebook’s main app collects a lot of data – you could opt to use Facebook via a web browser with an ad-blocker instead of the app.
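The permission audit described in this section can also be done offline against an app’s manifest before you install it, which is how the “red flag” rule (permissions unrelated to the app’s purpose) and the special-access check (accessibility services, device admin) can be applied mechanically. The following is an added example, not code from the original guide or from any Android tool: the two manifests are constructed, the per-category “expected permissions” profiles are illustrative assumptions, and obtaining a decoded manifest from a real APK (for instance with Android’s aapt or apkanalyzer) is left to the reader.

```python
"""Audit an Android app's declared permissions against what its category should need.

Added example (not from the original guide). The manifests below are constructed
and the EXPECTED profiles are illustrative assumptions, not an Android API.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed profiles: permissions an app of this kind plausibly needs.
EXPECTED = {
    "messenger": {
        "android.permission.INTERNET",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_CONTACTS",
        "android.permission.POST_NOTIFICATIONS",
    },
    # A flashlight drives the LED through the camera HAL and needs nothing else.
    "flashlight": {"android.permission.CAMERA"},
}

# Permissions that reach far beyond the app's own sandbox; always worth a second look.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed sample: a well-behaved messenger.
MESSENGER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>
"""

# Constructed sample: a "flashlight" that wants SMS, location, network and an
# accessibility service, i.e. exactly the red-flag pattern the guide describes.
TORCH_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect every permission the manifest declares.

    <uses-permission> covers ordinary runtime/install permissions. Accessibility
    services and device-admin receivers are not requested that way: they are
    components guarded by an android:permission attribute, so scan those too.
    """
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            guard = el.get(PERMISSION)
            if guard:
                perms.add(guard)
    return perms


def audit(manifest_xml: str, category: str) -> dict:
    """Report permissions outside the category profile and any high-risk ones."""
    perms = declared_permissions(manifest_xml)
    return {
        "unexpected": sorted(perms - EXPECTED[category]),
        "high_risk": sorted(perms & HIGH_RISK),
    }


if __name__ == "__main__":
    for label, manifest, category in (("chat", MESSENGER_MANIFEST, "messenger"),
                                       ("torch", TORCH_MANIFEST, "flashlight")):
        print(label, audit(manifest, category))
```

The point of scanning the `android:permission` attribute on services and receivers is that the two most dangerous capabilities on the page (accessibility access and device admin) never appear as `<uses-permission>` lines, so a check that only reads those lines would miss precisely the apps the Special App Access screen exists to catch.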
By minimizing permissions and separating concerns, you ensure that even if one application is compromised or forced to scan, it cannot easily reach into other data on your phone. An official chat app that’s been coerced into scanning might only have access to its own sandbox (your messages in that app), but it won’t see what’s in your other secure app or your photos, etc., if you’ve kept those walls up tightly. The goal is least privilege: each app (and any potential spy within it) gets access to only the information or functions necessary, nothing more.
Be Selective with Apps and App Stores (App Hygiene)
Not all apps are created equal when it comes to privacy. “App hygiene” means being careful about which apps you install and from where, to avoid those that might hide spyware or excessive tracking. Some guidelines:
- Download Apps From Official or Trusted Sources: Stick to the Apple App Store, Google Play Store, or reputable alternatives like F-Droid (an open-source Android app repository). Official stores have reviews and some vetting process – while not perfect, they reduce the risk of malware-laden apps. Avoid downloading random APK files from the web or clicking “Install” on dubious websites. If you need an app outside the Play Store (e.g., some open-source app not listed there), verify its authenticity (get it from the developer’s site or GitHub, and check signatures if possible). On iOS, unless you jailbreak, you’re limited to the App Store and TestFlight; be suspicious of any trick to “sideload” outside these (there are scams with profiles that claim to offer free apps, which could be malware).
- Research App Reputation: Before installing a new messaging app (or any app that will handle sensitive data), do a quick background check. Search online for “[app name] privacy” or “[app name] security issues”. See if the developer is transparent about their data practices. If an app has no website or a sketchy one, that’s a bad sign. If it’s a lesser-known secure messaging app, check if it’s open source or had any audits. Red flags include: no privacy policy, unclear ownership (who runs the service?), and overly broad permissions as mentioned earlier. Conversely, positive signs: open-source code, endorsements or reviews by privacy experts, and a clear explanation of encryption use.
- Check Trackers in Apps: An excellent step for Android users is to use Exodus Privacy reports. Exodus Privacy is a platform that scans Android apps for embedded trackers – pieces of code that collect data about you or your usage. You can go to the Exodus website (reports.exodus-privacy.eu.org) and search any app by name. It will show you a list of tracking SDKs and the permissions the app requests. If you find a messaging app has, say, 10 different trackers (ad networks, analytics, etc.), that’s a clue it’s monetizing data and should be avoided. For example, a simple flashlight app with 5 trackers is obviously selling your data – similarly a “free chat app” loaded with trackers is suspect. On the other hand, apps like Signal will show 0 trackers in Exodus. Use that as a guide. (Note: iOS users don’t have Exodus, but Apple’s App Store now has Privacy Nutrition Labels – check those on the app’s page to see what data it claims to collect. While these are self-reported, it’s better than nothing.)
- Use AppCensus or Other Audit Tools: AppCensus is a project that analyzes mobile apps to see what personal data they collect and where they send it. It uses dynamic analysis (running the app to watch its behavior). AppCensus’s website (appcensus.io) might not allow individual lookups easily for consumers, but they publish reports and have an API. Kaspersky’s security blog notes that AppCensus can reveal what servers an app contacts and what data leaves your phone. If you’re technical, you could also use a network sniffer on your own device (with something like HTTP Toolkit or Pi-hole on your network) to see which servers a chat app talks to. But for most, reading an AppCensus or Exodus report is enough to spot the worst offenders.
- Avoid Apps with Extraneous Features/Ads: A messaging app that shows a lot of ads or “smart” features likely includes more tracking. For instance, some keyboard apps or “messenger boosters” claim to enhance your chat experience but may log what you type. Similarly, free VPN apps can be very dangerous – some exist solely to harvest data (even reading your traffic). Use trusted, paid or open-source VPNs if needed (or iOS’s Private Relay, etc.). The rule of thumb: if something is free and not open-source, you and your data might be the product. Be especially wary of clone apps – e.g., dozens of apps called “[Something] Chat” that no one has heard of; many have hidden snooping capabilities.
- App Update Vigilance: Keep apps updated to get security patches – but also read the update notes when you can. If an app suddenly requests new permissions after an update, check why. Occasionally, a previously okay app can turn bad (for example, a developer sells the app to another company that then pushes a malicious update). The community often spots these changes – staying plugged into privacy forums or tech news can alert you. If a formerly good app starts adding strange features (like scanning images locally “for your safety”), that could be a sign of compliance with something like chat control – time to switch.
- Minimal Footprint: As a proactive measure, reduce sensitive data on apps. E.g., if you use WhatsApp but don’t want Facebook to have more than necessary, you can choose not to grant access to your phone contacts (it will work, you just won’t automatically see who’s on WhatsApp – you can click invite by phone number manually). Similarly, you can deny location permission; WhatsApp can still send your location if you explicitly use the attach-location feature (it will prompt then). The idea is: give apps just enough to function, no more. And if an app demands something you’re not willing to give, find an alternative app or workaround.
In summary, treat new apps with healthy skepticism. Much like you wouldn’t download random files from strangers on your computer, don’t install random apps without vetting. By keeping a clean app ecosystem on your phone, you reduce the risk of unwittingly installing something that spies on you. This also positions you to avoid apps that might be first in line to comply with draconian regulations. Privacy-respecting apps and stores will be the least likely to force spyware on your device.
Verify App Integrity and Monitor for Privacy Leaks
Even with careful app selection, it’s wise to routinely check what your apps are actually doing. Thankfully there are tools and features to help you keep tabs on app behavior and ensure your defenses are working:
- Use Exodus Privacy and Tracker Scanners: As mentioned, run checks on your installed apps via Exodus (for Android). You can use the Exodus Privacy app itself (available on F-Droid) which can scan the apps on your device and report how many trackers each contains. This can be eye-opening – you might discover, for instance, that a news app has 15 trackers embedded. If you find something concerning, consider uninstalling that app and finding a more privacy-friendly alternative. Exodus essentially gives you a “privacy report card” for apps.
- Leverage Operating System Reports:
  - On iOS, turn on the App Privacy Report (in Settings > Privacy & Security > App Privacy Report). After being enabled, it logs every time apps access data or sensors and what domains they contact. Check it after a day or two to see, for example, if a messenger app is contacting lots of third-party domains in the background. If an app that shouldn’t be doing much is reaching out to unknown servers, that’s suspicious. The App Privacy Report will list domains – you can identify trackers because they often have URLs like analytics.company.com or known ad networks.
  - On Android, you don’t have a built-in full network log, but you do have the Privacy Dashboard for sensor access as mentioned. For network, you could use a local VPN logging tool. TrackerControl (from F-Droid or GitHub) is one such tool: it not only blocks trackers but also shows you live which connections an app is making. Using TrackerControl, you might observe that when you open a messenger, it also contacts some ad network – a clue that maybe it’s uploading data. This kind of visibility is useful to catch apps “phoning home” too much. Note: using these tools requires trusting them since they handle your traffic; choose open-source reputable ones.
- Check App Signatures and Updates: If you’re sideloading apps (installing outside of Play Store), verify the APK’s signature or checksum from the official source. For instance, the Signal APK can be downloaded and its signing key is known – if an attacker ever tried to trick you into installing a fake Signal with spyware, the signature wouldn’t match the official one. For most users on official stores, this isn’t a daily worry, but for those obtaining apps via alternate means, it’s important to validate you got the genuine app.
- Mobile Threat Scanners: Consider running a device security scan periodically. On Android, apps like Malwarebytes or Bitdefender Free can scan for known malicious apps or spyware. They compare your installed apps against databases of malware. While they might not catch a sophisticated state-level spyware, they can find common stalkerware or trojan apps. On iOS, direct “antivirus” apps are not a thing (due to sandboxing), but iOS’s built-in measures usually prevent malware installation unless the device is jailbroken or hit by a rare zero-day. If you suspect something on iOS (e.g., unexplained behavior or if you have reason to believe you’re targeted by Pegasus), you can use Amnesty International’s Mobile Verification Toolkit (MVT). MVT is a technical tool that scans iPhone backups for indicators of known spyware. It’s not simple to use, but security researchers and higher-risk users might use it to check for compromise. You can also contact services like Access Now’s Digital Security Helpline if you fear your device is compromised – they help activists and journalists deal with such scenarios.
- Monitor Battery and Data Usage: A practical non-technical tip: keep an eye on your phone’s battery usage stats and data usage. If a normally dormant app suddenly starts consuming a lot of battery in the background, that could indicate some unwanted activity (like it’s constantly scanning or sending data). Similarly, if you see unexplained spikes in data usage, investigate which app is responsible. Some spyware will try to upload data periodically, which can show up as data usage even when you aren’t actively using the phone. Granted, modern malware might try to hide itself, but sometimes there are traces (Pegasus was sophisticated enough to hide, but simpler ones might not be).
- Verify Encryption & Safety Features in Apps: Within your secure messaging apps, take advantage of verification features. For example, in Signal or WhatsApp, you can verify safety numbers or security codes with your contact (usually found in the contact info or security settings in the app). This ensures no one is silently “man-in-the-middle” intercepting your encryption. It’s more about targeted attacks than chat control, but it’s a good habit. If an app offers a setting to block screenshots of chats (Telegram and Signal have such options for specific chats), use it when appropriate to prevent chat content from being easily copied.
- Stay Updated on App Audits: Privacy-focused organizations sometimes audit popular apps. For instance, the German security agency might audit Telegram, or independent researchers publish reports on WhatsApp’s encryption (or lack thereof in backups). Keep an ear out for such news. If an app you rely on gets a bad privacy grade in an independent review, reconsider using it or adjust how you use it.
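The “Check App Signatures and Updates” item above (and the sideloading advice in the app-selection section) comes down to two comparisons: the file’s SHA-256 digest against the checksum the developer publishes, and the APK’s signing-certificate fingerprint against the developer’s published fingerprint. The script below is an added example, not code from the original article; it assumes `sha256sum` (or `shasum`/`openssl`) is installed and that `apksigner` from the Android SDK build-tools is on your PATH, and the expected fingerprint is a placeholder you replace with the value from the developer’s site.

```shell
#!/bin/sh
# Added example (not from the original article): verify a sideloaded APK
# against the checksum and signing-certificate fingerprint the developer
# publishes. Assumes sha256sum/shasum/openssl and (for the cert check)
# apksigner from the Android SDK build-tools are available.

# Normalise a hex digest so that "AB:CD:..." (the colon-separated form
# developers often publish) and "abcd..." compare equal.
norm_hex() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 of a file, using whichever hashing tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_sha256 FILE EXPECTED -> returns 0 if the digest matches, 1 if not.
verify_sha256() {
    actual=$(norm_hex "$(file_sha256 "$1")")
    expected=$(norm_hex "$2")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1" >&2
    return 1
}

# verify_apk_cert FILE EXPECTED_FINGERPRINT -> 0 if the certificate that
# signed the APK has the expected SHA-256 fingerprint. A fake build signed
# by someone else fails here even if it carries the genuine app's name.
# Assumes apksigner's "--print-certs" output line
# "Signer #1 certificate SHA-256 digest: <hex>" (first signer only).
verify_apk_cert() {
    fp=$(apksigner verify --print-certs "$1" \
         | sed -n 's/.*certificate SHA-256 digest: *//p' | head -n 1)
    [ -n "$fp" ] && [ "$(norm_hex "$fp")" = "$(norm_hex "$2")" ]
}

# Usage (placeholders, not real values):
#   verify_sha256 app.apk  "<sha256 from developer's download page>"
#   verify_apk_cert app.apk "<cert fingerprint from developer's site>"
```

Both checks must pass before you tap Install; a matching checksum alone only proves the download was not corrupted or swapped in transit, while the certificate check ties the build to the developer’s key across future updates.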
The goal of these measures is to catch any privacy-invasive behavior early and to validate that your apps are doing what they claim. In a world where chat control laws might pressure companies to add scanning, vigilant users could potentially detect changes (like apps suddenly reaching out to known scanning service domains, etc.). Community forums, privacy Reddit threads, and the like often light up with discussion if a major app update appears to incorporate something fishy. By monitoring your own device and staying connected to those information sources, you’ll be among the first to know and can react (by blocking the behavior via firewall, or uninstalling the app, etc.).
Embrace Decentralized and Open Communication Protocols
A key long-term strategy to resist surveillance mandates is to utilize decentralized, federated, or peer-to-peer communication platforms. Unlike big centralized services (where a single company could be forced to comply with chat scanning), decentralized networks have no single point of control. This makes it harder for any authority to enforce blanket rules like “scan all messages” because there’s no “all” – just many independent servers or direct device-to-device links. Consider these approaches:
- Federated Networks (Matrix, XMPP): In a federated system, many servers run the same protocol and inter-communicate, just like email. Matrix is a modern federated protocol; you can choose a server (such as matrix.org or one run by a privacy-friendly organization, or even run your own). Using an app like Element, you can message users on any Matrix server. Since it’s open source and decentralized, if an EU law forced major providers to scan, smaller independent servers could opt not to comply (though they might be blocked or face legal pressure if they fall within the relevant jurisdiction). The Matrix protocol supports E2EE (make sure it’s enabled in your rooms by default). XMPP with OMEMO encryption is another federated option (apps like Conversations for Android or Snikket, and Siskin or Monal on iOS). XMPP is older but battle-tested, and with OMEMO it’s end-to-end encrypted. There are thousands of XMPP servers – again, no central kill switch. Even if some servers capitulate to scanning, users can migrate to others. Federated networks are resilient: they’re how email works globally without one company in charge.
- Peer-to-Peer (P2P) and Mesh Messengers: These take decentralization further by having no server at all in the message path. Briar (Android only) is an open-source messenger that uses direct connections (Bluetooth, Wi-Fi, or Tor) to transmit messages, creating an ad-hoc mesh. It’s designed for activists in situations with no internet or heavy surveillance – if the internet is up, it routes via the Tor network, otherwise it can sync via proximity. Jami (Android, iOS, desktop) is another P2P messenger (nicknamed “Skype without servers”) which finds peers via a distributed hash table and then communicates directly, all E2E encrypted. Similarly, Tox protocol clients (like qTox) do P2P encrypted chat. These tools mean there’s literally no server to mandate scanning on; an adversary would have to compromise each device individually, which is more work. The downside is they might be slower or consume more battery than centralized ones, but for high privacy needs, they’re invaluable.
- Use Open Protocol Wrappers: What if you must communicate with someone on a possibly monitored platform? One creative approach is to add your own layer of encryption on top of any platform. For example, there’s a project called KryptEY – an Android keyboard that uses the Signal Protocol to encrypt your messages, then you can paste the ciphertext into any chat app. It’s like doing manual PGP but seamlessly via the keyboard. So you could be using, say, Skype or Telegram or SMS, but you’re actually sending gibberish that only someone with the paired key (through KryptEY) can read. This defeats client-side scanning, since the scanner would only see the encrypted blob (which wouldn’t match any known illegal content database). Of course, the other party has to use the same tool to decrypt. Another example: Delta Chat, which turns email into an end-to-end encrypted chat by using Autocrypt/PGP under the hood. It looks like messaging, but it’s actually just sending encrypted emails. Because it uses the standard email infrastructure, it’s hard to block without shutting down email, and there’s no central server of its own to regulate. If chat control laws spared traditional email (they might, for political/technical reasons), using something like Delta Chat could be a loophole for secure comms.
- Prefer Open-Source and Community-Run Services: The common theme is openness. When protocols and apps are open, communities can fork and create versions that don’t implement scanning. For instance, if an open-source messenger app in the Play Store got pressured to add scanning for EU users, developers could release a fork on F-Droid or GitHub without that code, and users could switch to it (assuming they’re willing to sideload). This is why having the skills or resources to install non-Store apps (as discussed with GrapheneOS or even just enabling “unknown sources” for a particular app) could become important for privacy-conscious users in the future. It’s a form of software freedom that provides a path around corporate/government constraints.
- Stay Anonymous Where Possible: Chat control may also entail age verification and identity linkage for messaging services. To “prove you’re not a minor” or just to register, you might be forced to provide an ID or phone number tied to your identity, which erodes anonymity. To minimize exposure, use services that don’t demand phone numbers or real names. As mentioned, Threema doesn’t require a number, Matrix can work with just a username or email (you can use an alias email), and many P2P messengers require no personal info. If you do need a phone-verified app, you could use a secondary number (like a prepaid SIM or VoIP number) that isn’t linked to your main identity. Also, running your own server (for Matrix/XMPP) means you control the login info and can avoid strict verification. The less of your personal identity tied to your communications, the harder it is for mass surveillance to target you or include you by default.
Realistically, widespread adoption of federated and decentralized tools is a community effort. You might need to help friends/family onboard these alternatives. But doing so greatly reduces reliance on a few big tech providers that are under pressure. It also builds digital resilience. If one service gets compromised or regulated into uselessness, a decentralized approach means you have others still running. Think of it like diversifying your communication channels to avoid a single point of failure (or single point of surveillance).
Build Strong Privacy Habits (Operational Security)
No tool or setting is a silver bullet if we don’t also practice good operational security (OpSec) – the habits and common-sense behaviors that keep our information safe day-to-day. Here are some personal practices to cultivate:
- Keep Secrets Secret: It may sound obvious, but be mindful of what you share digitally at all. The most private message is one never sent. If something is extremely sensitive (e.g., whistleblower information or very personal data), consider if it should be shared over chat at all. Could it be communicated in person or via a more secure channel? When you do share, use disappearing messages or code words if appropriate. Avoid sending sensitive passwords, one-time pins, or documents unencrypted if there’s any chance they could be intercepted.
- Be Cautious with Links and Attachments: Don’t click strange links or download files from people you don’t know – especially on messaging apps. A common attack vector is to trick users into clicking a link that exploits their app or device. If someone sends an unexpected file or link, verify with them (via a separate channel if possible) that it’s legit. This is how some spyware gets in (like Pegasus could be sent via iMessage link). Many messaging apps now warn or auto-block known malicious links; still, your vigilance is key.
- Use Two-Factor Authentication (2FA) and Strong Passwords: Make sure your messaging accounts themselves are locked down. For instance, WhatsApp offers 2-step verification (a PIN that’s required if you register your number on a new device). Enable that, so even if someone steals your phone number (SIM swap) they can’t easily take over your WhatsApp. For apps that use usernames/passwords, use a strong unique password and enable 2FA (for example, ProtonMail’s ProtonChat – if it existed – would use Proton account 2FA). This prevents account hijacking which can expose your chats or allow impersonation. Also, protect your primary email account similarly, because password resets often go there.
- Device Access Control: Never leave your phone unlocked and unattended. Physical access for even a minute or two can be enough to install spyware or a malicious profile. If you must hand your phone to someone (even a friend to show a photo), consider enabling Guided Access (iOS) or Pinning (Android) to lock them to one app, so they can’t snoop elsewhere. When traveling, especially across borders, be aware that authorities might try to search your device or demand passwords. That’s a whole topic, but in short: minimize what’s on your device when crossing hostile borders (use a secondary phone if possible, or cloud-stored data you download after crossing). Within the EU, there are still rights, but it’s worth knowing.
- Regularly Review Accounts and Devices: Check the logged-in devices or active sessions for your messaging apps if they provide that info. For example, WhatsApp and Telegram show active sessions/web logins – make sure you recognize them. In Signal, if someone registers your number on a new device, your contacts get notified that safety number changed – so pay attention to such alerts; it could mean impersonation. If you see devices you don’t recognize, terminate them and change passwords/PINs.
- Educate Your Circle: Privacy is a team sport. If you take all these precautions but your contacts practice poor security, you could still be exposed (like the backup scenario). Share this knowledge with friends, family, and colleagues. Teach them about the importance of encrypted apps and how to use them properly. Set agreed-upon channels for sensitive discussions (maybe you and colleagues decide that all internal chats happen on Signal, not on Slack or SMS). The more people around you follow suit, the safer everyone’s communications become.
- Stay Informed and Involved: Keep up with developments in digital privacy. Laws like “chat control” evolve (the proposal might be amended or new ones introduced). Organizations like EFF, EDRi, Access Now, Mozilla and others often publish updates and calls to action. By staying informed, you’ll know if/when you need to take additional steps – for instance, if a certain app announces compliance with scanning, you can migrate off it immediately. You can also support these organizations or campaigns like Stop Scanning Me, which work to prevent such regulations from coming to pass. Operational security isn’t just reactive; it’s also about advocating for a safer environment.
- Plan for Contingencies: Have a backup plan in case something does go wrong. If your chat account gets banned or surveilled, how will you communicate? It might be good to have multiple ways to reach key contacts (say, both Signal and an XMPP address exchanged, or a secondary phone). If you suspect your phone is compromised by spyware, have a plan to reset it or a spare device to switch to. Regularly back up important data (securely) so you can wipe a device at a moment’s notice without losing everything. Being prepared reduces panic and data loss if a security incident happens.
By integrating these habits into your daily routine, privacy becomes not a one-time setup, but an ongoing posture. Think of it like personal hygiene: you keep doing it to maintain safety. Each habit – whether it’s double-checking a link or keeping your software updated – adds a layer of defense that makes you a harder target for both mass surveillance and targeted attacks.
Taking Control of Your Chats
The threat of regulations like the EU’s chat control can be intimidating, but as we’ve outlined, you are not helpless. By using robust encryption tools, locking down your devices, choosing privacy-respecting services, and cultivating smart security habits, you can vastly reduce the exposure of your personal conversations. Technology may change – if scanning becomes more prevalent, so will countermeasures in the tech community. In the end, maintaining privacy is a dynamic process: keep learning, stay vigilant, and adapt your tactics as needed.
Remember, privacy isn’t about hiding something wrong; it’s about protecting your fundamental right to a private life, free from constant monitoring. As one coalition aptly put it, phones and laptops should work for us, not act as “bugs in our pockets” for someone else. By following this guide on your mobile devices, you take an active stand to ensure that your phone works for you – securing your chats against prying eyes, whether they be criminals, corporations, or even overreaching laws. Stay safe and private out there!