The European Commission’s newly unveiled age verification app has come under immediate scrutiny after cybersecurity and privacy experts said they found major flaws in the code, challenging Brussels’ assertion that the tool is technically ready for use. The app, presented in Brussels on Wednesday by Commission President Ursula von der Leyen, is intended to help verify users’ ages online as European governments move to restrict minors’ access to social media and pornographic content.
Von der Leyen said the app was fully open source and that anyone could inspect the code. But within hours of its release on GitHub, experts reported what they described as serious weaknesses in the app’s privacy and security design, triggering a broader debate over whether the European Union is moving too quickly on a politically charged technology.
FCRF Returns With CDPO, Its Premier Data Protection Certification for Privacy Professionals
Hackers and Researchers Raise Immediate Concerns
Security consultant Paul Moore said the app stored sensitive data on a user’s phone without adequate protection and claimed he was able to hack it in under two minutes. French ethical hacker Baptiste Robert said he had confirmed several of the issues and told POLITICO that the app’s biometric authentication could be bypassed, allowing access without a PIN code or Touch ID.
Olivier Blazy, a cryptographic researcher involved in a French task force on digital identity, said the design could allow one person to prove they were over 18 and then hand the phone to someone else, who could use the app to do the same. He said that while making the code open source was the right step, the version released did not meet the cybersecurity standards expected for such an important application.
The European Commission initially said the vulnerabilities had been found in an earlier demo version released for testing and development purposes, and said the issue had been fixed. But both Moore and Blazy said they had tested the latest version of the code available online.
Commission Defends Rollout Amid Mixed Messaging
Despite the criticism, the Commission maintained on Friday that the app was technically ready. Chief Spokesperson Paula Pinho said it was ready, while adding that it could still be improved. Digital spokesperson Thomas Regnier said that while officials referred to it as a final version, it remained a demo version and was not yet available for citizens.
That distinction did little to calm criticism, as experts warned that a rushed rollout could damage trust in future EU digital identity systems. Belgian ethical hacker Inti De Ceukelaire said it would be useful for the Commission to publish any security assessments conducted before launch so that experts and the public could properly weigh the risks and benefits.
The controversy has quickly become an embarrassment for Brussels, but it has also exposed deeper disagreements over how far governments should go in trying to police young people’s online access, and whether the tools being proposed are sufficiently mature to justify deployment.
Debate Deepens Over Privacy and Child Protection
The age verification app is part of a wider European push to strengthen protections for children online. French President Emmanuel Macron held a video meeting on the issue on Thursday with several European leaders, including von der Leyen, Italy’s Giorgia Meloni, Spain’s Pedro Sánchez and Germany’s Friedrich Merz. Australia, meanwhile, became the first country in the world in December to impose restrictions on social media use by children under 16.
The Commission opened a €4 million (₹4.38 crore) tender for the app last year, which was awarded to Swedish digital identity company Scytáles and Deutsche Telekom. The system is designed to let users prove their age using a passport, national identity card or trusted third-party providers such as banks. Platforms would receive only confirmation that a user is above a certain age, rather than broader personal data, through a zero-knowledge proof method intended to preserve privacy.
Critics, however, argue that age assurance technology remains insufficiently developed and could be bypassed easily through tools such as VPNs. In March, more than 400 privacy and security experts signed an open letter calling on the Commission to halt deployment until clearer scientific and technical consensus emerges. Several lawmakers have now echoed those concerns, with Czech MEP Markéta Gregorová warning that the process was being rushed under political pressure, German lawmaker Birgit Sippel calling the app half-baked, and Polish lawmaker Piotr Müller saying the proposal risked becoming an excessive centralised tool that threatened citizens’ privacy.
