Brussels launched an age checking app. Hackers say it took them 2 minutes to break it.

BRUSSELS — The European Union’s unveiling of a mobile app to check people’s age online has quickly turned sour, as cybersecurity experts found glaring privacy and security problems with the code.

European Commission President Ursula von der Leyen presented the age-verification tool in Brussels on Wednesday, saying it was “technically ready” and will soon be available to use as countries move to ban kids from social media.

“It is fully open source. Everyone can check the code,” von der Leyen said. 

Cyber and privacy experts immediately dove into the source code on the GitHub software platform and reported several issues with the app’s design.

The saga is turning into a PR disaster for Brussels. But underneath the controversy over the code lie deeper divisions between privacy campaigners, child rights groups, tech firms and politicians over how to protect minors online — as leaders promise to shield kids from social media and porn sites.

Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes. 

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: “Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18.”

The European Commission on Friday stood by its statement that the app is technically ready. “Yes, it is ready. Maybe we can add, ‘and it can always be improved’,” Chief Spokesperson Paula Pinho told reporters.

Digital spokesperson Thomas Regnier said: “Now, when we say it’s a final version, it’s … still a demo version.” He added the final product is not yet available for citizens and “the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not.”

The European Commission on Thursday told POLITICO in a statement that the hackers were probing an earlier “demo version” of the app that was released for “testing and development purposes.” The vulnerability “was fixed,” it said.

But both Moore and Blazy said they were conducting their tests on the latest version of the EU’s code online.

“It’s a good thing they made the app open source for experts to try and test it. The problem is the released source code does not meet cybersecurity standards we would expect for such an important app,” Blazy said.

“We were worried that the Commission would launch its app in a hurry, no matter its security issues, and now we can see it wants to launch something that is not technically ready,” Blazy added. “Such a rushed launch could undermine trust in future digital identity wallets.”

Inti De Ceukelaire, a prominent Belgian ethical hacker, said: “For open source code projects like this one, it would be a good move to also publish any security assessments prior to launch, so everyone can balance out the benefits versus the risks.”

‘Half-baked’

The online row over the EU’s app reveals a fierce divide on how to handle internet users’ access to everything from porn sites to social media platforms.

The EU and many of its member countries are in the middle of rolling out ways to check people’s ages online — driven by a political push to better protect kids on the internet.

French President Emmanuel Macron gathered heads of state from across Europe for a video call on the issue on Thursday evening, attended by von der Leyen, Italy’s Giorgia Meloni, Spain’s Pedro Sánchez, Germany’s Friedrich Merz and other leaders. 

Australia in December became the first country in the world to implement restrictions on kids’ use of social media, effectively banning under-16s from using popular platforms like TikTok and YouTube. 

The European Commission in 2024 opened a €4 million tender for the age verification app late last year, which was won by Swedish digital identity company Scytáles and Deutsche Telekom. 

The app allows users to verify their age via their passport, a national ID or via trusted providers like a bank. Tech platforms can ask the app if a person is over a certain age, but wouldn’t have access to more personal data — in what’s known as a “zero-knowledge proof” method aimed at preserving privacy.

National governments can equally design their own apps, and the apps are meant to work together to allow for smooth age checks across the bloc. 

But critics of age blocks say the technology to check people’s ages with proper privacy and data protections just isn’t ready — and even if it was, internet users would easily bypass it with things like virtual private networks (VPNs) that mask their location.

Blazy was part of a group of more than 400 privacy and security experts who sent an open letter to the Commission in March urging it to impose a “moratorium on deployment plans until the scientific consensus settles on the benefits and harms that age-assurance technologies can bring, and on the technical feasibility of such a deployment.”

According to Markéta Gregorová, a member of the Czech Pirate party in the European Parliament and the lead lawmaker on a new cybersecurity bill, “this process is being rushed under political pressure.” Europe should take a much closer look at the app “to assess if all measures were taken for cybersecurity and privacy,” Gregorová said.

Birgit Sippel, a prominent German center-left lawmaker, called the app a “half-baked app solution that doesn’t live up to [the EU’s] own standards,” in a comment to POLITICO.

Piotr Müller, a Polish lawmaker for the European Conservatives and Reformists, said: “Brussels is once again pushing for a centralized, EU-wide technological tool. The hastily announced age verification app poses a massive risk to the privacy of citizens … We cannot agree to the step-by-step creation of a Chinese-style internet in Europe.”

Laurens Cerulus contributed reporting.