Could Europe’s age verification app put citizens’ personal data at risk?

Brussels says its new age verification app will make the internet safer for children while preserving users’ privacy. But according to Lionel Eddy, unresolved security concerns highlight the risks of making digital identity verification an increasingly routine part of everyday online life

The European Commission is pushing for the bloc’s 27 member states to implement age verification by the end of 2026, urging they use its own Age Verification Wallet for the purpose. 

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, has described the app as “the next piece of the puzzle” in creating an online environment where children can use digital services safely “without restricting the rights of adults”. Commission President Ursula von der Leyen has presented the initiative as part of a wider effort to make “the online world safer for our children” while preserving the benefits that digital technologies can bring to education, communication and personal development.

According to the Commission, the app will enable users to verify their age without disclosing their date of birth, identity or other personal information. Responsibility for implementing the system will rest with individual member states, each adapting the common framework for its own citizens. 

In practice, users must still verify their identity by uploading a government-issued passport or identity card before age credentials can be issued. The Commission insists that this can all be achieved while maintaining anonymity because the app employs so-called zero-knowledge proof technology. In theory, this allows people to prove they meet an age requirement without revealing their exact age, identity or other personal information to the online service they are accessing. As Virkkunen has said, the intention is to ensure that platforms do not need to scan or retain users’ passports or facial data.

The concern over privacy is, however, too serious to be dismissed with hollow reassurances. The effectiveness of the guarantee is contingent upon the app’s underlying architecture.

In March 2026, a security analysis of the app’s open-source code identified a critical architectural flaw: the issuer component of the system lacks a mechanism to confirm that passport verification has indeed occurred on the user’s device. The researchers who identified this vulnerability pointed out a challenging trade-off inherent in the design. Addressing the security issue would likely necessitate transmitting complete passport cryptographic data to the server, including the user’s name and document number, which would considerably diminish the privacy assurances currently offered by the system. 

The Commission’s push for rapid implementation also comes despite independent researchers exposing glaring vulnerabilities in the app itself. In April, security consultant Paul Moore demonstrated that he could bypass the app’s supposed safeguards within two minutes. He revealed that the rate-limiting controls were stored in an editable file, biometric authentication could be disabled with an incredibly easy configuration alteration, and sensitive credentials were woefully accessible without any secure hardware protection.

Moore pointed out that the encrypted PIN stored locally has no cryptographic connection to the identity vault that contains the actual verification data. This lack of connection allows for a method of access that does not require exploit code or specialized tools. By deleting a few specific values from the app’s configuration files, restarting the application and setting a new PIN, the software grants access to credentials associated with the previous profile. As a result, identity data can be reused under access controls defined by an attacker. 

But the identified weaknesses extend further still. The app’s rate limiting mechanism, which typically protects against users attempting multiple PINs until one succeeds, is stored in the same editable configuration file as a simple counter. If this counter is set to zero, the app eliminates records of any failed attempts. Cryptographic researcher Olivier Blazy has warned that “the released source code does not meet cybersecurity standards we would expect for such an important app. We were worried that the Commission would launch its app in a hurry, no matter its security issues, and now we can see it wants to launch something that is not technically ready.”

If the age verification app is intended simply as a child safety measure then technical shortcomings are undoubtedly serious.

Yet while it the app is framed as a tool to protect children online, the initiative’s significance extends far beyond online safety. If widely adopted, it could normalise identity-based access to online services and lay the foundations for broader forms of digital identification across Europe.

According to Dibran Mulder, Chairman Technology Officer at Caesar Group, the Age Verification Wallet is a stepping stone towards the wider EU Digital Identity Wallet, a system designed to become the digital equivalent of a physical ID card.  Given this wider objective, he has described the vulnerabilities already exposed in the app as a “warning sign for the entire digital identity infrastructure Europe is building.”

That observation goes to the heart of the debate. If age verification becomes the foundation upon which broader digital identity services are to be built then confidence in that foundation becomes critical from the outset. As Moore says of the Age Verification Wallet, “Such a rushed launch could undermine trust in future digital identity wallets.”

The Commission has already identified France, Denmark, Greece, Italy, Spain, Cyprus and Ireland as the so-called “front runners” to integrate the age verification function into their national digital identity wallets. Each of these nations is now doing so, illustrating how quickly age verification is becoming embedded within Europe’s wider digital identity architecture.

The EU’s broader ambitions, combined with Brussels’ haste, are precisely why this debate deserves careful public scrutiny. Today the app verifies age. Tomorrow, it could verify nationality, professional qualifications or access to government services. Age verification is merely the starting point, not the end game.

None of this is an argument against protecting children online. Effective age assurance is likely to become an increasingly important part of the digital landscape, and if it can be achieved without compromising individual privacy, it would represent a significant step forward. 

But the success of any such system depends upon transparent governance, robust security standards and independent scrutiny.

In light of the serious concerns surrounding privacy and personal data security, that debate needs to take place before age-verification technology is allowed to become a mandatory part of everyday digital life.


Lionel Eddy is an author, journalist and digital-rights commentator specialising in biometrics, digital identification systems and state surveillance technologies. His work examines facial recognition, CBDCs, smart-city infrastructures and the civil-liberty implications of digital governance. As Privacy & Digital Governance Correspondent for The European, he writes on privacy, biometric policy, government digital ID proposals and the societal impact of emerging identification technologies.




READ MORE: Is Europe sleepwalking into identity-linked internet access?‘. As Brussels pushes ahead with interoperable digital identity systems for businesses and citizens alike, Lionel Eddy fears that Europe may be moving towards a future in which proving identity becomes an increasingly unavoidable condition of participation online.

Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.

Main Image: Vitaly Gariev/Pexels

TOP STORIES

Could Europe’s age verification app put citizens’ personal data at risk?

TOP STORIES