BRUSSELS — The European Union’s rollout of a mobile app designed to verify users’ ages online has drawn scrutiny after cybersecurity researchers identified potential privacy and security issues in the code.
European Commission President Ursula von der Leyen presented the tool in Brussels on Wednesday, stating it was “technically ready” and would soon be made available as countries introduce measures to restrict minors’ access to social media.
“It is fully open source. Everyone can check the code,” von der Leyen said.
Cybersecurity and privacy specialists reviewed the publicly available code on GitHub and reported several concerns related to the app’s design.
The development comes as policymakers, privacy advocates, technology companies and child protection groups continue to debate how best to safeguard minors online while maintaining data protection standards.
Within hours of the app’s release, security consultant Paul Moore said the app stored sensitive data on users’ devices without sufficient protection, according to a widely circulated post on X. Moore said he was able to compromise the app in under two minutes.
Baptiste Robert, a French ethical hacker, confirmed several of the findings and said it was possible to bypass the app’s biometric authentication features, allowing access without a PIN code or fingerprint verification.
Olivier Blazy, a cryptographic researcher and member of a French digital identity task force, said: “Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18.”
The European Commission said Friday that the app is technically ready. “Yes, it is ready. Maybe we can add, ‘and it can always be improved’,” Chief Spokesperson Paula Pinho told reporters.
Digital spokesperson Thomas Regnier said: “Now, when we say it’s a final version, it’s … still a demo version.” He added that the final product is not yet available to the public and that “the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not.”
In a statement issued Thursday, the Commission said the issues identified by researchers related to an earlier “demo version” of the app released for “testing and development purposes,” and that the vulnerability “was fixed.”
However, Moore and Blazy said their findings were based on the most recent version of the code available online.
“It’s a good thing they made the app open source for experts to try and test it. The problem is the released source code does not meet cybersecurity standards we would expect for such an important app,” Blazy said.
“We were worried that the Commission would launch its app in a hurry, no matter its security issues, and now we can see it wants to launch something that is not technically ready,” Blazy added. “Such a rushed launch could undermine trust in future digital identity wallets.”
Inti De Ceukelaire, a Belgian ethical hacker, said: “For open source code projects like this one, it would be a good move to also publish any security assessments prior to launch, so everyone can balance out the benefits versus the risks.”
Debate over the app reflects broader disagreements about how to regulate access to online platforms, including social media and adult content.
The EU and several member states are developing systems to verify users’ ages online as part of efforts to strengthen protections for minors.
French President Emmanuel Macron held a video conference with European leaders on Thursday evening to discuss the issue. Participants included von der Leyen, Italian Prime Minister Giorgia Meloni, Spanish Prime Minister Pedro Sánchez, German Chancellor Friedrich Merz and other officials.
Australia in December became the first country to introduce restrictions on minors’ use of social media, effectively barring users under 16 from platforms such as TikTok and YouTube.
The European Commission opened a €4 million tender for the app in 2024, which was awarded to Swedish digital identity company Scytáles and Deutsche Telekom.
The system allows users to verify their age using a passport, national ID or a trusted third party such as a bank. Online platforms can then confirm whether a user meets a required age threshold without accessing additional personal data, using a method known as “zero-knowledge proof.”
Member states may also develop their own compatible applications, intended to function across the EU for age verification.
Some critics have said that current age-verification technologies do not yet provide sufficient guarantees for privacy and data protection, and that users may be able to bypass restrictions using tools such as virtual private networks (VPNs).
Blazy was among more than 400 privacy and security experts who signed an open letter in March calling on the Commission to impose a “moratorium on deployment plans until the scientific consensus settles on the benefits and harms that age-assurance technologies can bring, and on the technical feasibility of such a deployment.”
Markéta Gregorová, a member of the Czech Pirate Party and lead lawmaker on a cybersecurity bill in the European Parliament, said that “this process is being rushed under political pressure.” She added that further review is needed “to assess if all measures were taken for cybersecurity and privacy.”
Birgit Sippel, a German center-left lawmaker, described the app as a “half-baked app solution that doesn’t live up to [the EU’s] own standards,” in a comment.
Piotr Müller, a Polish lawmaker from the European Conservatives and Reformists group, said: “Brussels is once again pushing for a centralized, EU-wide technological tool. The hastily announced age verification app poses a massive risk to the privacy of citizens … We cannot agree to the step-by-step creation of a Chinese-style internet in Europe.”