Problems with the EU age verification app. “Does not meet cybersecurity standards”

On Wednesday, Ursula von der Leyen, president of the European Commission, presented an age verification tool. She assured that the application was “technically ready” and would be available soon. More countries are preparing to introduce bans on the use of social media by children. “It's fully open source. Anyone can check the code,” von der Leyen emphasized.
Cybersecurity and privacy experts immediately analyzed the source code shared on GitHub and reported a number of problems related to the design of the application.
“Could undermine trust in future digital identity wallets.”
The whole situation is turning into an image disaster for Brussels. But beneath the controversy surrounding the code lie much deeper disputes between privacy advocates, children's rights organizations, technology companies and politicians over how to properly protect minors online, at a time when leaders are pledging to protect children from social media and pornographic sites.
Just hours after the EU released the app, Paul Moore, a security consultant, stated that the tool saves sensitive data on the user's phone and leaves it without proper protection. He announced this in a widely discussed post on the X platform (formerly Twitter). Moore claims he was able to hack the app in less than two minutes.
Baptiste Robert, a famous French “white hat” (ethical) hacker, confirms many of these findings. In an interview with POLITICO, he notes that the application's biometric mechanisms can be bypassed, which means that you can skip entering the PIN code or using Touch ID when accessing the application.
Olivier Blazy, a cryptography expert and member of the French digital identity team, explains: “Let's say I downloaded the app, proved I was over 18, and then my nephew can take my phone, unlock the app and use it to prove he is of age too.”
On Friday, the European Commission maintained its position that the application is technically ready. “Yes, it's ready. Perhaps it's worth adding: ‘it can always be improved,’” Commission spokeswoman Paula Pinho told journalists.
“When we talk about the final version, then […] we still have a demo version,” added Thomas Regnier, EC spokesman for digital affairs. He stressed that the final product is not yet available to citizens, and the code will be constantly updated and improved. “Today I cannot rule out or determine whether further updates will be necessary.”
On Thursday, the European Commission said in a statement to POLITICO that the hackers had been examining an earlier “demo version” of the app, made available for testing and development purposes. It assured that the detected defect “has been repaired”. However, both Moore and Blazy say they conducted their tests on the latest version of the EU code available online.
“It's good that they made the application open source so that experts could test it. The problem is that the shared source code does not meet cybersecurity standards that we would expect from such an important application,” says Blazy.
“We were afraid that the Commission would release its app in a hurry, regardless of security issues, and now we see that it wants to implement something that is not technically ready,” adds Blazy. “Such a rushed rollout could undermine confidence in future digital identity wallets.”
Inti De Ceukelaire, a well-known Belgian ethical hacker, comments: “In the case of open-source projects like this, it would also be a good move to make safety assessments public before the premiere, so that everyone can balance the benefits and risks.”
“This whole process is forced under political pressure”
The online storm around the EU app shows how deep the division is over internet users' access to content such as pornographic websites and social media platforms. The European Union and many member states are implementing age verification systems online, driven by political pressure to better protect children online.
French President Emmanuel Macron gathered the leaders of European countries on Thursday evening for a videoconference devoted to this topic. Those attending included von der Leyen, Giorgia Meloni, Pedro Sanchez and Friedrich Merz.
At the end of last year, the European Commission announced a tender for an age verification application worth EUR 4 million (approx. PLN 17 million), which was won by the Swedish company Scytales and Deutsche Telekom.
The app allows users to confirm their age using a passport, ID card or trusted providers such as a bank. Technology platforms can check through the app whether a person is over a certain age, but they do not have access to other personal data. This is the so-called zero-knowledge proof method, designed to protect privacy.
National governments can design their own AI applications, whose mutual compatibility is intended to enable smooth age verification throughout the Union.
However, critics of age blocks argue that the technology enabling reliable age verification while respecting privacy and data protection is not yet ready, and that even if it were, Internet users could easily bypass it by using, for example, a VPN that hides their location.
Blazy was one of more than 400 privacy and security experts who wrote an open letter to the Commission in March calling for a “moratorium on the deployment of age verification technologies until there is a scientific consensus on the benefits and risks and the possibilities of their implementation.”
As Marketa Gregorova, MEP of the Czech Pirate Party and main author of the new act on cybersecurity, says, “this whole process is forced under political pressure”. Gregorova emphasizes that Europe should take a closer look at the app “to assess whether all security and privacy measures have been implemented.”
In a comment for POLITICO, Birgit Sippel, a German center-left politician, called the app a “half-baked solution which does not even meet [EU] standards”.
MEP Piotr Müller (PiS) declared: “Brussels is again pushing for a centralized, EU-wide technological tool. A hastily announced age verification application poses a huge threat to citizens' privacy. […] We cannot agree to the gradual creation of a Chinese-style internet in Europe.”




