Opinion by: Agata Ferreira, assistant professor at the Warsaw University of Technology

Recently, Europe came alarmingly close to approving mass surveillance of private communication through the proposed Chat Control regulation. The proposal faced intense backlash from the community, as it would have obliged providers to scan all private messages.

It was rejected only after Germany refused to support it. Just nine EU member states opposed the proposal, while 12 backed it and six remained undecided.

That narrow vote highlights the fragility of the legal consensus surrounding privacy. Even within the European Union, home to the Charter of Fundamental Rights, the European Declaration on Digital Rights and Principles and some of the world’s strictest personal data protection laws, policymakers are increasingly treating privacy and encryption as problems to be scrutinized rather than as critical properties of digital infrastructure to be defended.

The flawed argument that safety requires and justifies mass surveillance is gaining traction on the regulatory agenda, a development that is worrying.

When surveillance becomes infrastructure

A recent Amnesty International report, “Shadows of Control: Censorship and Mass Surveillance in Pakistan,” illustrates what happens when that logic is applied and misused against society. Pakistani authorities deployed surveillance technologies from international companies to create a nationwide system for monitoring, interception and filtering that turned the country’s digital environment into a widespread surveillance machine, which grants intelligence agencies real-time access without any judicial oversight.

The report’s findings are not unique to Pakistan. They illustrate what happens when a vulnerable, centralized internet architecture, riddled with single points of control, intersects with an unchecked appetite for surveillance. The result is a digital environment that undermines trust, erodes rights and weakens the fabric of societies.

The systemic weakness of internet governance

These problems are not limited to any single regime. Every modern digital infrastructure, from national networks and cloud platforms to Web3 protocols, crosses the same vulnerable checkpoints: access, discovery, decision logic, data storage, transmission and user interfaces. Each can either support freedom or reinforce control. The current trend toward centralization means that networks are increasingly visible, with a handful of global indices managing discovery and corporate and government actors mediating access. The original vision of an open and decentralized internet has been replaced by a model centered on surveillance and control.

The Web3 turning point

Web3, often championed as an alternative, is not immune to this issue. Web3 users still rely on a small number of trusted endpoints, clearnet front-ends and public ledgers that reveal transactional metadata. This dynamic recreates the chokepoints and surveillance risks familiar from legacy web infrastructure. When core blockchain operations depend on centralized providers for broadcasting and interface hosting, such infrastructure lacks sovereignty. Without a deliberate shift, the Web3 tech stack risks replicating and even amplifying the very problems it set out to solve.

***Related: ***EU Chat Control hinges on Germany’s decision

That said, an ecosystem of privacy-preserving technologies is emerging. These innovations include network-level privacy, programmable private transactions, verifiable front-ends, disintermediated access to protocols, lightweight client verification and zero-knowledge-based solutions. Such features are being designed as foundational guarantees, not optional add-ons. Privacy becomes a prerequisite for trust, not an afterthought or a privilege.

A regulatory lag

Regulatory attitudes have not kept pace with this shift in technology. The scrutiny and, in some cases, prosecution of privacy protocol developers,* *such as those behind Tornado Cash, reflects a misunderstanding that privacy is a liability. In reality, it is the lack of privacy that introduces risk, damages trust and exposes societies to abuse. Failure to recognize this dynamic risks repeating patterns that have been documented by Amnesty, where infrastructure becomes a tool for control and oppression. Treating privacy as a threat ultimately undermines democratic legitimacy.

Stewardship as legal duty

The regulatory and policy path forward demands a shift from scrutiny to stewardship. Law and policy should move away from prohibitive stances and should instead support privacy-preserving infrastructure and recognize it as a civic commons. Effective stewardship means defending strong encryption, supporting privacy-preserving innovation and ensuring that fundamental rights are embedded in the digital architecture itself, not just secured by law.

Privacy, integrity and resilience cannot just be aspirational ideas but must be hardwired into the digital architecture that carries our communications, our assets and our collective memory. Decentralization should be viewed as a form of institutional redundancy, ensuring that digital systems cannot be compromised or disrupted by a single point of failure, malicious actor or regulatory overreach.

This is not a proposal for regulatory leniency but rather a recognition of responsibility in the digital age. Protecting the infrastructure that upholds our rights is as essential as protecting those rights through constitutions and regulations.

A turning point for digital governance

The debate over Chat Control and Amnesty’s findings are two different sides of the same coin. One exemplifies a dangerous temptation authorities face to default to mass surveillance, while the other exposes the human cost when that temptation is realized. Without clear legal and policy stewardship for the protocols that address today’s internet vulnerabilities, risks to digital infrastructure — and the freedoms it should guarantee — will only increase.

The responsibility of lawmakers and regulators is not to regulate privacy technologies out of existence but to guarantee their permanence, making sure the fundamental rights and civil liberties written in constitutions, charters and conventions are hardcoded into the digital systems we rely on.

Web3 efforts must secure a digital architecture that prioritizes freedom and where privacy, verifiability and autonomy are embedded from the ground up. Regulators must support this goal.

Opinion by: Agata Ferreira, assistant professor at the Warsaw University of Technology.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.