• EU's age verification app has a privacy problem

    From Mike Powell@1:2320/105 to All on Sat Apr 25 09:31:56 2026
    The EU's age verification app has a privacy problem, and it may be more than just a 'bug in an app'

    Date:
    Fri, 24 Apr 2026 14:54:25 +0000

    Description:
    The European Commission promises its app is a secure and private solution to let citizens prove their age without exposing their sensitive data. While
    it's an improvement compared to many, security experts aren't convinced.

    FULL STORY
    On April 15, the European Commission announced its age verification app was "technically ready." A week on, the app is already facing its first privacy and security hurdles, but the problem may go deeper than just one bug in the system.

    President Ursula von der Leyen maintains there are "no more excuses" to delay mandatory age verification. Drawing on the framework of the COVID-19 certificate app, the Commission has built a template that EU member states
    are now expected to use for their own national applications. The app is designed to be user-friendly across all devices while adhering to high
    privacy standards. Ideally, this will allow citizens to verify their age for restricted content without jeopardizing their most sensitive personal data.

    "It is completely anonymous: users cannot be tracked,"
    von der Leyen said, claiming that "users will prove their age without
    revealing any other personal information."

    On paper, it's a welcome improvement over current age assurance
    methods, which often require scanning IDs or biometrics into third-party databases. These systems have already proven vulnerable; for instance, a breach of a Discord third-party service previously exposed records of more than 70,000 users. The app has attracted praise from some, with Alex Laurie, CTO of identity management firm Ping Identity, saying it represents "a step toward making decentralised identity a living reality." However, others
    remain skeptical, and a number of security experts have suggested the issue isn't just a bug or a flaw, but a fundamental issue with the entire approach.

    Flaws discovered in 'two minutes'

    One of the app's primary strengths is its open-source framework, which allows anyone with the necessary technical expertise to inspect the source code for vulnerabilities.

    Security consultant Paul Moore did exactly that following the Commission's announcement, claiming to have identified a critical flaw in under two
    minutes. Specifically, he found that the app stored sensitive data,
    including biometrics and photos, unencrypted on the device.

    The European Commission claimed to have fixed the vulnerability in a new version released on April 17, as reported by Politico. However, Moore responded with a follow-up test of the updated app and found that it could be easily bypassed.

    His verdict? It was still fundamentally flawed. "They've tried to solve a problem they don't truly understand... much like the concept itself," Moore wrote.

    When contacted by TechRadar, European Commission spokesperson Thomas Regnier said the Commission is "very open to feedback," adding that "we're of course ready to improve what can be improved."

    Ping Identity's Laurie argues that Moore's findings highlight a "classic honeypot risk," even when localized to a single device. According to the identity expert, the principle of data minimization under GDPR is non-negotiable.

    "If an app fails to purge high-resolution passport scans or selfies after a crash or cancellation, it's creating a toxic accumulation of unmanaged risk
    for the user," he told TechRadar.

    Laurie maintains, however, that a correctly implemented decentralized
    identity system could be a major breakthrough, precisely because it would allow users to prove their age without surrendering their entire digital identity to a third-party site.

    Moore is less optimistic. While he acknowledges that the Commission is attempting to improve the app's security, he maintains that the primary issue isn't the application itself; it's the underlying framework.

    "The concept simply doesn't work, even if the implementation were perfect,"
    he told TechRadar.

    Most security experts agree on one crucial point: the EU's age
    verification efforts may fail simply because the system remains easy to bypass.

    Echoing Moore's view, Bart Preneel, a Belgian cryptographer and professor at KU Leuven, warns against focusing solely on technicalities. He argues that
    the objections to the EU's initiative are "much more fundamental than a bug
    in an app."

    "Technical flaws can be fixed, and then you can have the impression that the problem is fixed. But the real problem is that you roll out a technology that's not going to work," he told TechRadar.

    Both Preneel and Moore highlighted the role that Virtual Private Networks (VPNs) and other privacy tools may play in undermining the rollout of age verification measures.

    Users could also create modified or fraudulent apps, mirroring the issues
    seen with fake COVID-19 certificates, but the wider concern is that strict verification may push younger users toward obscure, less-regulated platforms that are often even less secure.

    Structural problems

    In a rare shift, the app's technical security isn't the primary concern of the experts I spoke to. Instead, it's the underlying concept that cybersecurity specialists, data scientists, and cryptographers believe to be fundamentally flawed.

    Preneel is particularly concerned about the "collateral damage" the app could cause, specifically the digital exclusion of individuals without official documentation, such as refugees or migrants.

    Despite the Commission's assurances, Preneel warns the system could lead to
    the end of anonymity online, potentially allowing governments "to unmask people who criticize them anonymously."

    It's a concern shared by Proton CEO Andy Yen, who recently criticized the global push for age verification as a threat to fundamental digital rights.

    "The real problem is much more fundamental than a bug in an app" (Bart Preneel, Cryptographer)

    Ultimately, Preneel, who was among 400+ scientists calling for
    a halt to age verification measures, views the issue as structural. While
    sold as a way to protect minors, he argues these verification mandates may create more problems than they solve.

    Consequently, critics suggest the solution lies beyond technology.

    "Rather than enforcing regulations on the companies, we are putting rules on our own population, which is a very strange response," Preneel noted, suggesting that digital literacy and parental involvement are more effective tools for child safety.

    The need to protect children online is real and demands a robust response. Whether a solution exists that can satisfy all stakeholders remains to be seen, but current expert sentiment suggests it is unlikely to be found in a single age verification app.

    If such systems are the path governments choose, the focus must shift to ensuring they are implemented correctly. As the experts I've spoken to warn, the challenge now is to make sure we don't sleepwalk into a crisis larger
    than the one they intend to solve.


    Link to news story: https://www.techradar.com/vpn/vpn-privacy-security/the-eus-age-verification-app-has-a-privacy-problem-and-it-may-be-more-than-just-a-bug-in-an-app

    --- MultiMail/DOS
    * Origin: Capitol City Hub (1:2320/105)