The European Commission wants to revolutionize the protection of young people online through an app. However, we all know that what locks, unlocks, especially on the internet.
The EU app that verifies age without sacrificing privacy was presented as a technological milestone for protecting young people. However, a few hours after its presentation by Commission President Ursula von der Leyen, the “milestone” was deflated. Security expert Paul Moore showed X how he “broke” the system in less than two minutes.
His analysis reveals that sensitive data remains unprotected on the device. PINs are not secure, rate limits can be bypassed by resetting simple configuration files, and biometric verification can be disabled with a click. Moore warns: “This product will be the catalyst for a massive data breach.”
French hacker Baptiste Robert confirmed Moore's findings, adding that it is possible to bypass the PIN code or Touch ID completely.
Cryptologist Olivier Blazy cited a practical problem: “Suppose I download the app and prove that I am over 18. Then my nephew can take my phone, unlock the app and use it to confirm his age.”
The Commission is of course defending its tool. A spokesperson simply admitted that things could be improved. Brussels also said that the hackers tested an old version, which the hackers denied. Later, Brussels said that the “final version” available online was a demo application. The final product for citizens will be released later and the code will be constantly updated.
Open Source
The fact that these security holes were discovered so quickly is due to the fact that the application is open source. Blazy praises this approach. However, he criticizes the fact that the source code does not yet meet the expected security standards. A hasty release could undermine trust in future projects such as digital identity EUDI.
Furthermore, the anonymity promised by the Commission President seems questionable. Experts such as Anja Lehmann from the Hasso Plattner Institute disagree.
A promotional video causes irritation: shows a biometric comparison between a facial scan and an identification document – a process that von der Leyen has always rejected for platform operators.
Judith Simon from the University of Hamburg warns that non-connectivity is the prerequisite for true privacy.
But many experts wonder why the EU is building a parallel infrastructure to the EUDI. Lehmann believes a separate application is “little useful”, as it deviates from established standards on important security criteria. Thomas Lohninger from the NGO Epicenter.works suggests that the Commission reconsider its initiative and focus on the belated implementation of existing internet laws.
Finally, the problem of efficiency remains.
Tibor Jager from the University of Wuppertal describes age verification as “trivial.” Using VPN services, it is possible to simulate a location outside the EU where the rules do not apply. The researcher argues that “digital education” will solve the problem, rather than technical barriers.
The Commission, however, is sticking to the timetable. Eight heads of state support the initiative to restrict social media to minors. Of course, the application is not yet in use, and there is time for corrections.
But the road to the “privacy standard” is still long.
Although the press releases will range from very select to rare, I said I'd pass...because sometimes the editors hide.
