Europe’s Age Verification App Hacked, Suffers Data Leak

Europe unveiled a ‘be all, end all’ app solution for age verification. It’s already leaking data and has been hacked.

People pushing age verification laws have a major problem on their hands. The technology they want to deploy to “solve” the problems that they see doesn’t exist. Experts, including us, have been saying this for years now. You are never going to get an age verification system that is both almost entirely accurate and respects the privacy of users. It’s a fool’s errand, but BS artists pushing these laws have long insisted that the technology not only can be built, but is already on the market awaiting adoption.

Sadly, the BS artists are winning on the legislative front. Armed with obvious lies of how the technology is “highly effective” and “protects the user’s privacy” even though what exists does nothing like that, laws are being passed mandating the deployment of this technology. Experts were left in despair as they knew they were on the cusp of witnessing disaster unfold.

… and unfold it did.

People were defeating the technology with sharpies, pictures of golden retrievers, and, of course, VPNs. While the technology being deployed was busy getting owned by the kids the makers swore it would “protect”, it just as quickly became a privacy disaster. We’ve seen the Discord data breach, the AgeGO scandal, and other data leaks and breaches along the way.

In other words, all the warnings that experts had have come to fruition in a highly predictable manner. If anything, it raised eyebrows at just how bad the deployment of the technology was. While media outlets quickly tried to re-write history and say that age verification is going swimmingly, reality seemed to be defeating the heavy levels of denial being deployed. We knew it would be bad, but people like myself didn’t think it would be this comically bad. Of course, we said that it would all fail spectacularly not because we had no faith in the private sector to come up with solutions. Instead, we knew it would fail because the private sector was handed a fool’s errand. Failure was inevitable regardless of who was going to work on this.

Of course, for lawmakers working in their own reality bubble, all of this is the wrong answer. They feel that a perfect deployment of the technology is totally possible. For them, it’s just a case of the private sector simply not nerding hard enough. So, the European government took matters into their own hands and deployed their own app. This with all the bravado you’d come to expect from people pushing age verification. Specifically, some were arguing that there are now “no more excuses” and that this was truly the be-all, end-all solution. The government did the dirty work and put together the perfect app that would solve all of the privacy and security problems of age verification. No way this would possibly end badly now!

If you believed what the European government said here, I have a bridge to sell you.

As it turns out, and props to one of my readers for pointing this out, it seems that the app was neither safe nor secure. For the low, low price of a whopping 2 minutes of your time, you can hack the app yourself. What’s more, it is already leaking sensitive user data as well. From Politico:

Cyber experts say they have found holes in Brussels’ age verification app, despite claims by the EU executive that it is “technically ready.”

Cyber and privacy experts immediately dove into the source code on the GitHub software platform and reported several issues with the app’s design.

The saga is turning into a PR disaster for Brussels. But underneath the controversy over the code lie deeper divisions between privacy campaigners, child rights groups, tech firms and politicians over how to protect minors online — as leaders promise to shield kids from social media and porn sites.

Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes.

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: “Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18.”

The European Commission on Friday stood by its statement that the app is technically ready. “Yes, it is ready. Maybe we can add, ‘and it can always be improved’,” Chief Spokesperson Paula Pinho told reporters.

“It’s a good thing they made the app open source for experts to try and test it. The problem is the released source code does not meet cybersecurity standards we would expect for such an important app,” Blazy said.

“We were worried that the Commission would launch its app in a hurry, no matter its security issues, and now we can see it wants to launch something that is not technically ready,” Blazy added. “Such a rushed launch could undermine trust in future digital identity wallets.”

The fail here is spectacular. Other sources are also reporting how bad this app truly is. From CyberInsider:

Additional issues include a rate-limiting mechanism that can be reset by modifying a counter in the same file, and a biometric authentication flag stored as a simple boolean that can be toggled to bypass checks.

In a separate proof-of-concept, the security consultant showed that the system can be bypassed without using the official app. By replicating its logic in a browser extension, he generated valid verification responses that relying services would accept. The extension detects QR codes in verification flows and returns forged payloads indicating the user is over 18.

This points to a broader design flaw where verification tokens are trusted without being securely bound to a device or identity. Strengthening this link would likely require persistent identifiers, potentially undermining the app’s privacy goals.

The European Commission has not yet responded to the findings. The speed at which these issues were uncovered highlights the difficulty of building systems that handle biometric data while balancing privacy and security.
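
The first finding quoted above is a rate-limit counter and a biometric flag kept as editable values in a local file. The sketch below is an added illustration, not code from the app, CyberInsider, or this article: it contrasts loading such state on trust with loading it only after an integrity check, failing closed on any mismatch. The field names, the attempt cap, and the key (a constructed stand-in for one held in a hardware-backed keystore) are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: this key lives in a hardware-backed keystore, not in the app's
# data directory. The constant below is a constructed stand-in for the demo.
KEYSTORE_KEY = bytes(range(32))
MAX_ATTEMPTS = 5
# State used whenever the file cannot be trusted: fail closed.
LOCKED = {"failed_attempts": MAX_ATTEMPTS, "biometric_required": True}


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(state: dict, key: bytes = KEYSTORE_KEY) -> str:
    """Serialize the state canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return json.dumps({"body": body, "tag": _tag(body, key)})


def load_plain(raw: str) -> dict:
    """Weak pattern: whatever the file says is believed."""
    return json.loads(raw)


def load_sealed(raw: str, key: bytes = KEYSTORE_KEY) -> dict:
    """Hardened pattern: an edited or unparsable file yields the locked state."""
    try:
        record = json.loads(raw)
        body, tag = record["body"], record["tag"]
        if not hmac.compare_digest(_tag(body, key), tag):
            return dict(LOCKED)
        return json.loads(body)
    except (ValueError, KeyError, TypeError, AttributeError):
        return dict(LOCKED)


def may_try_pin(state: dict) -> bool:
    """Rate limit: refuse further PIN attempts once the counter hits the cap."""
    return state["failed_attempts"] < MAX_ATTEMPTS


if __name__ == "__main__":
    # Constructed sample: a locked-out state, then the same file hand-edited.
    edited_plain = '{"failed_attempts": 0, "biometric_required": false}'
    print(may_try_pin(load_plain(edited_plain)))             # True
    edited_sealed = seal(LOCKED).replace(":5}", ":0}")
    print(may_try_pin(load_sealed(edited_sealed)))           # False
```

The tag detects edits but not replacement of the file with an older sealed copy; stopping that rollback needs a monotonic counter stored alongside the key.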

This is so bad, it’s practically its own comedy show. How do you fail this spectacularly, anyway? I knew they weren’t going to succeed in the first place, but man, this is worse than what I was expecting. I’m almost speechless here.

The thing here is that the government can patch this thing many times over and it will never deliver on what it promised. It was never going to be ready for prime time, but even if these issues get fixed, there’s going to be new issues cropping up. The hilarious thing is that government officials are defending this whole thing by shrugging and saying how it can always be improved. The fact of the matter is that the European government rolled out a really broken technology and all the king’s horses and all the king’s men are not going to put the age verification app back together again.

Ultimately, Europe is still going to push this app, so it is clear that they are not done embarrassing themselves. I can only see the humiliation continuing – especially after this epic fail of a start to things.

Drew Wilson on Mastodon, Bluesky and Facebook.

