The EU brings an online age verification app that seems to come with more problems than solutions

When Ursula von der Leyen announced that the European age verification app is ready, she promised us a transparent, safe and ready solution to protect minors online. However, a few hours after the presentation, security experts discovered serious vulnerabilities, which calls into question not only the functionality of the application, but also the idea that such tools can simply solve a much more complex problem.
Within hours of its launch, security experts began to find serious problems: sensitive data stored unprotected, easily bypassed biometric authentication, mundane scenarios where a child can use an adult's phone to trick the system. Basically, the app that's supposed to decide who's allowed on the internet fails to even secure its own access.
However, if we only dwell on these bugs, we miss the real point. The problem isn't necessarily a poorly built app. It is about a fundamental tension that the EU has not yet resolved: how do you protect children online without turning the internet into a space for permanent identification.
“We are deeply concerned about the Commission's plans to link digital identity to the technical implementation of age verification,” Thomas Lohninger, executive director of the Austrian digital rights NGO epicenter.works, told POLITICO.
According to Lohninger, the source code is “far from production ready” and the European Executive should “rethink its plans on age verification and instead focus on (delayed) enforcement of EU online content legislation”.
How would such an application actually work
To understand why the stakes are so high, we have to look at how such an application would actually work. In the version presented by the European Commission, the basic idea is relatively simple: you no longer directly prove to each site who you are, but use an intermediate application that only confirms that you are over a certain age. In theory, that should limit the amount of personal data that circulates online.
In practice, however, things quickly become more complicated. To get to that simple “is over 18 years old”, the user must first authenticate in the application using an official document such as a passport.
The application processes this data and generates a digital proof that you can later present to the platforms. The vulnerabilities discovered, however, show how fragile this mechanism actually is.
Security consultant Paul Moore demonstrated that the app's PIN was stored in a simple editable XML file, that the failed-attempt counter could be manually reset, and that biometric authentication could be disabled by changing a single value from “true” to “false”. In short, basic protections could be bypassed in minutes.
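The weakness described above is that security state is trusted exactly as read from a user-editable file. As an added illustration (not code from the app or from Paul Moore's analysis), this Python example seals such state with an HMAC and fails closed when any value has been edited. The field names, the `state_tag` entry and the key handling are assumptions; in a real app the key would have to live in a hardware-backed keystore, not beside the file.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: security state kept as plain, editable values,
# in the shape the article describes (field names are hypothetical).
SAMPLE_XML = """<map>
  <int name="failed_attempts" value="4" />
  <boolean name="use_biometrics" value="true" />
</map>"""

PROTECTED = ("failed_attempts", "use_biometrics")


def read_state(xml_text):
    """Parse the settings file into {name: value-string}."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("value") for el in root}


def compute_tag(state, key):
    """HMAC-SHA256 over the protected fields in a fixed order."""
    msg = "\n".join(f"{name}={state[name]}" for name in PROTECTED)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def seal(xml_text, key):
    """Return the XML with an integrity tag added as a <string> entry."""
    root = ET.fromstring(xml_text)
    tag = ET.SubElement(root, "string", name="state_tag")
    tag.set("value", compute_tag(read_state(xml_text), key))
    return ET.tostring(root, encoding="unicode")


def load_verified(xml_text, key):
    """Return the state only if the tag matches; otherwise fail closed."""
    state = read_state(xml_text)
    stored = state.pop("state_tag", None) or ""
    try:
        expected = compute_tag(state, key)
    except KeyError:  # a protected field was deleted from the file
        return None
    ok = hmac.compare_digest(stored.encode(), expected.encode())
    return state if ok else None
```

A tag like this detects edits to the file but not the restoration of an older sealed copy, so the attempt counter also needs rollback protection, for example a monotonic counter kept in secure hardware.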
Beyond the bugs, there are also the structural limits of the system. Cryptography researcher Olivier Blazy described a common scenario: an adult verifies their age once, and then a minor uses their phone to pass the verification. That is precisely what the app promises to prevent. To avoid such situations, constant authentication would be needed, meaning even more control.
All this comes against the backdrop of a project that cost about four million euros and was developed by companies such as Scytales and Deutsche Telekom. In March, more than 400 security and privacy researchers called for a moratorium pending an independent audit. In vain.
Attraction to criminals
Beyond these specific vulnerabilities, there is a broader problem: the more sensitive data such systems collect, the more attractive they become to attackers. An infrastructure that combines official identity, biometrics and access to online platforms obviously becomes a valuable target for fraud, phishing or identity theft. In addition, for the average user, this translates into a new obligation: you have to provide sensitive personal data just to access services that until now functioned without such checks.
In fact, the whole trend of checking age online seems to be based on the idea that complex social problems can be solved by technical tools. Limiting access based on age only touches the surface of the problem (who gets in and who doesn't) but doesn't touch the mechanisms that generate the real problems: algorithms that amplify harmful content, business models based on capturing attention and storing huge amounts of personal data.
The experiences of other countries also raise questions. Where similar restrictions were introduced, a large proportion of minors quickly found ways around them by using adult accounts, VPNs or age estimation system errors. At the same time, there is no clear evidence that these measures significantly reduce risks such as online bullying or abuse. Instead, there is a risk that users will be pushed to less regulated platforms, where control is even weaker.




