The EU’s age verification app has a privacy problem — and it may be more than just a 'bug in an app'
It's an improvement compared to existing solutions, but security experts still aren't convinced
On April 15, the European Commission announced its age verification app was "technically ready." A week on, the app is already facing its first privacy and security hurdles — but the problem may go deeper than just one bug in the system.
President Ursula von der Leyen maintains there are "no more excuses" to delay mandatory age verification. Drawing on the framework of the COVID-19 certificate app, the Commission has built a template that EU member states are now expected to use for their own national applications.
The app is designed to be user-friendly across all devices while adhering to high privacy standards. Ideally, this will allow citizens to verify their age for restricted content without jeopardizing their most sensitive personal data.
"It is completely anonymous: users cannot be tracked," von der Leyen said, claiming that "users will prove their age without revealing any other personal information."
On paper, it's a welcome improvement over current age assurance methods, which often require scanning IDs or biometrics into third-party databases.
These systems have already proven vulnerable; for instance, a breach of a Discord third-party service previously exposed records of more than 70,000 users.
The app has attracted praise from some, with Alex Laurie, CTO of identity management firm Ping Identity, saying it represents "a step toward making decentralised identity a living reality."
However, others remain skeptical, and a number of security experts have suggested the issue isn't just a bug or a flaw, but a fundamental problem with the entire approach.
Flaws discovered in 'two minutes'
One of the app's primary strengths is its open-source framework, which allows anyone with the necessary technical expertise to inspect the source code for vulnerabilities.
Security consultant Paul Moore did exactly that following the Commission's announcement, claiming to have identified a critical flaw in under two minutes. Specifically, he found that the app stored sensitive data — including biometrics and photos — unencrypted on the device.
The European Commission claimed to have fixed the vulnerability in a new version released on April 17, as reported by Politico. However, Moore responded with a follow-up test of the updated app and found that it could be easily bypassed.
His verdict? It was still fundamentally flawed. "They've tried to solve a problem they don't truly understand... much like the concept itself," Moore wrote.
When contacted by TechRadar, European Commission spokesperson Thomas Regnier said the Commission is "very open to feedback," adding that "we're of course ready to improve what can be improved."
Bypassing the #EU #ageVerification app - part 2. This time, it's v2026.04-2 - which won't run on rooted devices & has encrypted shared preferences. If we ignore the fact they've used a 6 year old deprecated library, they haven't actually solved the problem at all. An attacker… https://t.co/7PHMkeoBaT pic.twitter.com/b7H5TBBvCr (April 23, 2026)
Ping Identity’s Laurie argues that Moore's findings highlight a "classic honeypot risk," even when localized to a single device. According to the identity expert, the principle of data minimization under GDPR is non-negotiable.
"If an app fails to purge high-resolution passport scans or selfies after a crash or cancellation, it’s creating a toxic accumulation of unmanaged risk for the user," he told TechRadar.
Laurie maintains, however, that a correctly implemented decentralized identity system could be a major breakthrough, precisely because it would allow users to prove their age without surrendering their entire digital identity to a third-party site.
Moore is less optimistic. While he acknowledges that the Commission is attempting to improve the app's security, he maintains that the primary issue isn't the application itself — it's the underlying framework.
"The concept simply doesn't work, even if the implementation were perfect," he told TechRadar.
The EU's approach may never work
Most security experts agree on one crucial point: the EU’s age verification efforts may fail simply because the system remains easy to bypass.
Echoing Moore's view, Bart Preneel — a Belgian cryptographer and professor at KU Leuven — warns against focusing solely on technicalities. He argues that the objections to the EU's initiative are "much more fundamental than a bug in an app."
"Technical flaws can be fixed, and then you can have the impression that the problem is fixed. But the real problem is that you roll out a technology that's not going to work," he told TechRadar.
Both Preneel and Moore highlighted the role that Virtual Private Networks (VPNs) and other privacy tools may play in undermining the rollout of age verification measures.
Users could also create modified or fraudulent apps — mirroring the issues seen with fake COVID-19 certificates — but the wider concern is that strict verification may push younger users toward obscure, less-regulated platforms that are often even less secure.
Structural problems
In a rare shift, the app's technical security isn't the primary concern of the experts I spoke to. Instead, it's the underlying concept that cybersecurity specialists, data scientists, and cryptographers believe to be fundamentally flawed.
Preneel is particularly concerned about the "collateral damage" the app could cause — specifically the digital exclusion of individuals without official documentation, such as refugees or migrants.
Despite the Commission’s assurances, Preneel warns the system could lead to the end of anonymity online, potentially allowing governments "to unmask people who criticize them anonymously."
It's a concern shared by Proton CEO Andy Yen, who recently criticized the global push for age verification as a threat to fundamental digital rights.
The real problem is much more fundamental than a bug in an app
Bart Preneel, Cryptographer
Ultimately, Preneel — who was among 400+ scientists calling for a halt to age verification measures — views the issue as structural. While sold as a way to protect minors, he argues these verification mandates may create more problems than they solve.
Consequently, critics suggest the solution lies beyond technology.
"Rather than enforcing regulations on the companies, we are putting rules on our own population, which is a very strange response," Preneel noted, suggesting that digital literacy and parental involvement are more effective tools for child safety.
The need to protect children online is real and demands a robust response. Whether a solution exists that can satisfy all stakeholders remains to be seen, but current expert sentiment suggests it is unlikely to be found in a single age verification app.
If such systems are the path governments choose, the focus must shift to ensuring they are implemented correctly. As the experts I’ve spoken to warn, the challenge now is to make sure we don't sleepwalk into a crisis larger than the one they intend to solve.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She believes an open, uncensored, and private internet is a basic human need and wants to use her knowledge of VPNs to help readers take back control. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, tech policies, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com