BBS:      TELESC.NET.BR
Subject:  EU's age verification app has a privacy problem
From:     Mike Powell
Date:     Sat, 25 Apr 2026 09:31:56 -0500
-----------------------------------------------------------
The EU's age verification app has a privacy problem, and it may be more than 
just a 'bug in an app'

Date:
Fri, 24 Apr 2026 14:54:25 +0000

Description:
The European Commission promises its app is a secure and private solution to 
let citizens prove their age without exposing their sensitive data. While 
it's an improvement compared to many, security experts aren't convinced.

FULL STORY
On April 15, the European Commission announced its age verification app was
"technically ready." A week on, the app is already facing its first privacy 
and security hurdles, but the problem may go deeper than just one bug in the 
system. 

President Ursula von der Leyen maintains there are "no more excuses" to 
delay mandatory age verification. Drawing on the framework of the COVID-19 
certificate app, the Commission has built a template that EU member states 
are now expected to use for their own national applications. The app is 
designed to be user-friendly across all devices while adhering to high 
privacy standards. Ideally, this will allow citizens to verify their age for 
restricted content without jeopardizing their most sensitive personal data. 

"It is completely anonymous: users cannot be tracked,"
von der Leyen said, claiming that "users will prove their age without
revealing any other personal information."

On paper, it's a welcome improvement over current age assurance
methods, which often require scanning IDs or biometrics into third-party 
databases. These systems have already proven vulnerable; for instance, a 
breach of a Discord third-party service previously exposed records of more 
than 70,000 users. The app has attracted praise from some, with Alex Laurie, 
CTO of identity management firm Ping Identity, saying it represents "a step 
toward making decentralised identity a living reality." However, others 
remain skeptical, and a number of security experts have suggested the issue 
isn't just a bug or a flaw, but a fundamental issue with the entire approach. 

Flaws discovered in 'two minutes'

One of the app's primary strengths is its open-source framework, which 
allows anyone with the necessary technical expertise to inspect the source 
code for vulnerabilities.

Security consultant Paul Moore did exactly that following the Commission's 
announcement, claiming to have identified a critical flaw in under two 
minutes. Specifically, he found that the app stored sensitive data, 
including biometrics and photos, unencrypted on the device.

The European Commission claimed to have fixed the vulnerability in a new 
version released on April 17, as reported by Politico. However, Moore 
responded with a follow-up test of the updated app and found that it could be 
easily bypassed. 

His verdict? It was still fundamentally flawed. "They've tried to solve a 
problem they don't truly understand... much like the concept itself," Moore 
wrote. 

When contacted by TechRadar, European Commission spokesperson Thomas Regnier 
said the Commission is "very open to feedback," adding that "we're of course 
ready to improve what can be improved."

Ping Identity's Laurie argues that Moore's findings highlight a "classic 
honeypot risk," even when localized to a single device. According to the 
identity expert, the principle of data minimization under GDPR is 
non-negotiable. 

"If an app fails to purge high-resolution passport scans or selfies after a 
crash or cancellation, it's creating a toxic accumulation of unmanaged risk 
for the user," he told TechRadar. 

Laurie maintains, however, that a correctly implemented decentralized 
identity system could be a major breakthrough, precisely because it would 
allow users to prove their age without surrendering their entire digital 
identity to a third-party site. 

Moore is less optimistic. While he acknowledges that the Commission is 
attempting to improve the app's security, he maintains that the primary issue 
isn't the application itself: it's the underlying framework. 

"The concept simply doesn't work, even if the implementation were perfect," 
he told TechRadar.

Most security experts agree on one crucial point: the EU's age
verification efforts may fail simply because the system remains easy to 
bypass.

Echoing Moore's view, Bart Preneel, a Belgian cryptographer and professor at 
KU Leuven, warns against focusing solely on technicalities. He argues that 
the objections to the EU's initiative are "much more fundamental than a bug 
in an app." 

"Technical flaws can be fixed, and then you can have the impression that the 
problem is fixed. But the real problem is that you roll out a technology 
that's not going to work," he told TechRadar. 

Both Preneel and Moore highlighted the role that Virtual Private Networks 
(VPNs) and other privacy tools may play in undermining the rollout of age 
verification measures. 

Users could also create modified or fraudulent apps, mirroring the issues 
seen with fake COVID-19 certificates, but the wider concern is that strict 
verification may push younger users toward obscure, less-regulated platforms 
that are often even less secure.

Structural problems

In a rare shift, the app's technical security isn't the primary concern of 
the experts I spoke to. Instead, it's the underlying concept that 
cybersecurity specialists, data scientists, and cryptographers believe to be 
fundamentally flawed. 

Preneel is particularly concerned about the "collateral damage" the app could 
cause, specifically the digital exclusion of individuals without official 
documentation, such as refugees or migrants. 

Despite the Commission's assurances, Preneel warns the system could lead to 
the end of anonymity online, potentially allowing governments "to unmask 
people who criticize them anonymously." 

It's a concern shared by Proton CEO Andy Yen, who recently criticized the 
global push for age verification as a threat to fundamental digital rights. 

Ultimately, Preneel, who was among 400+ scientists calling for a halt to age 
verification measures, views the issue as structural. While 
sold as a way to protect minors, he argues these verification mandates may 
create more problems than they solve. 

Consequently, critics suggest the solution lies beyond technology.

"Rather than enforcing regulations on the companies, we are putting rules on 
our own population, which is a very strange response," Preneel noted, 
suggesting that digital literacy and parental involvement are more effective 
tools for child safety. 

The need to protect children online is real and demands a robust response. 
Whether a solution exists that can satisfy all stakeholders remains to be 
seen, but current expert sentiment suggests it is unlikely to be found in a 
single age verification app. 

If such systems are the path governments choose, the focus must shift to 
ensuring they are implemented correctly. As the experts I've spoken to warn, 
the challenge now is to make sure we don't sleepwalk into a crisis larger 
than the one they intend to solve.

Link to news story:
https://www.techradar.com/vpn/vpn-privacy-security/the-eus-age-verification-app-has-a-privacy-problem-and-it-may-be-more-than-just-a-bug-in-an-app

$$
--- MultiMail/DOS
 * Origin: Capitol City Hub (1:2320/105)

-----------------------------------------------------------