Could Europe’s age verification app put citizens’ personal data at risk?
Lionel Eddy
- Published
- Opinion & Analysis

Brussels says its new age verification app will make the internet safer for children while preserving users’ privacy. But according to Lionel Eddy, unresolved security concerns highlight the risks of making digital identity verification an increasingly routine part of everyday online life
The European Commission is pushing for the bloc’s 27 member states to implement age verification by the end of 2026, urging they use its own Age Verification Wallet for the purpose.
Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, has described the app as “the next piece of the puzzle” in creating an online environment where children can use digital services safely “without restricting the rights of adults”. Commission President Ursula von der Leyen has presented the initiative as part of a wider effort to make “the online world safer for our children” while preserving the benefits that digital technologies can bring to education, communication and personal development.
According to the Commission, the app will enable users to verify their age without disclosing their date of birth, identity or other personal information. Responsibility for implementing the system will rest with individual member states, each adapting the common framework for its own citizens.
In practice, users must still verify their identity by uploading a government-issued passport or identity card before age credentials can be issued. The Commission insists that this can all be achieved while maintaining anonymity because the app employs so-called zero-knowledge proof technology. In theory, this allows people to prove they meet an age requirement without revealing their exact age, identity or other personal information to the online service they are accessing. As Virkkunen has said, the intention is to ensure that platforms do not need to scan or retain users’ passports or facial data.
The concern over privacy is, however, too serious to be dismissed with hollow reassurances. The effectiveness of the guarantee is contingent upon the app’s underlying architecture.
In March 2026, a security analysis of the app’s open-source code identified a critical architectural flaw: the issuer component of the system lacks a mechanism to confirm that passport verification has indeed occurred on the user’s device. The researchers who identified this vulnerability pointed out a challenging trade-off inherent in the design. Addressing the security issue would likely necessitate transmitting complete passport cryptographic data to the server, including the user’s name and document number, which would considerably diminish the privacy assurances currently offered by the system.
The Commission’s push for rapid implementation also comes despite independent researchers exposing glaring vulnerabilities in the app itself. In April, security consultant Paul Moore demonstrated that he could bypass the app’s supposed safeguards within two minutes. He revealed that the rate-limiting controls were stored in an editable file, biometric authentication could be disabled with an incredibly easy configuration alteration, and sensitive credentials were woefully accessible without any secure hardware protection.
Moore pointed out that the encrypted PIN stored locally has no cryptographic connection to the identity vault that contains the actual verification data. This lack of connection allows for a method of access that does not require exploit code or specialized tools. By deleting a few specific values from the app’s configuration files, restarting the application and setting a new PIN, the software grants access to credentials associated with the previous profile. As a result, identity data can be reused under access controls defined by an attacker.
But the identified weaknesses extend further still. The app’s rate limiting mechanism, which typically protects against users attempting multiple PINs until one succeeds, is stored in the same editable configuration file as a simple counter. If this counter is set to zero, the app eliminates records of any failed attempts. Cryptographic researcher Olivier Blazy has warned that “the released source code does not meet cybersecurity standards we would expect for such an important app. We were worried that the Commission would launch its app in a hurry, no matter its security issues, and now we can see it wants to launch something that is not technically ready.”
If the age verification app is intended simply as a child safety measure then technical shortcomings are undoubtedly serious.
Yet while it the app is framed as a tool to protect children online, the initiative’s significance extends far beyond online safety. If widely adopted, it could normalise identity-based access to online services and lay the foundations for broader forms of digital identification across Europe.
According to Dibran Mulder, Chairman Technology Officer at Caesar Group, the Age Verification Wallet is a stepping stone towards the wider EU Digital Identity Wallet, a system designed to become the digital equivalent of a physical ID card. Given this wider objective, he has described the vulnerabilities already exposed in the app as a “warning sign for the entire digital identity infrastructure Europe is building.”
That observation goes to the heart of the debate. If age verification becomes the foundation upon which broader digital identity services are to be built then confidence in that foundation becomes critical from the outset. As Moore says of the Age Verification Wallet, “Such a rushed launch could undermine trust in future digital identity wallets.”
The Commission has already identified France, Denmark, Greece, Italy, Spain, Cyprus and Ireland as the so-called “front runners” to integrate the age verification function into their national digital identity wallets. Each of these nations is now doing so, illustrating how quickly age verification is becoming embedded within Europe’s wider digital identity architecture.
The EU’s broader ambitions, combined with Brussels’ haste, are precisely why this debate deserves careful public scrutiny. Today the app verifies age. Tomorrow, it could verify nationality, professional qualifications or access to government services. Age verification is merely the starting point, not the end game.
None of this is an argument against protecting children online. Effective age assurance is likely to become an increasingly important part of the digital landscape, and if it can be achieved without compromising individual privacy, it would represent a significant step forward.
But the success of any such system depends upon transparent governance, robust security standards and independent scrutiny.
In light of the serious concerns surrounding privacy and personal data security, that debate needs to take place before age-verification technology is allowed to become a mandatory part of everyday digital life.

Lionel Eddy is an author, journalist and digital-rights commentator specialising in biometrics, digital identification systems and state surveillance technologies. His work examines facial recognition, CBDCs, smart-city infrastructures and the civil-liberty implications of digital governance. As Privacy & Digital Governance Correspondent for The European, he writes on privacy, biometric policy, government digital ID proposals and the societal impact of emerging identification technologies.
READ MORE: ‘Is Europe sleepwalking into identity-linked internet access?‘. As Brussels pushes ahead with interoperable digital identity systems for businesses and citizens alike, Lionel Eddy fears that Europe may be moving towards a future in which proving identity becomes an increasingly unavoidable condition of participation online.
Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.
Main Image: Vitaly Gariev/Pexels
TOP STORIES
-
Britain's new homes face 2050s heat test as experts warn of overheating crisis -
Sky agrees £1.6bn deal to buy ITV’s broadcasting and streaming arm -
Scientists crack dinosaur egg mystery by building life-size nest -
Nobel laureate Omar Yaghi launches global science network -
Cardiff drivers safest in Britain as London comes last -
Former Kyndryl Germany boss joins Infinigate in growth role -
Volunteers collect 11m rare seeds to restore Scotland’s native forests -
Trump threatens 'immediate 100pc tariffs' on European countries over tech taxes -
World’s biggest golf tour lands global eSIM deal with Yesim -
Facebook owner Meta signs Texas solar deal with Turkish renewables firm -
UK universities take top four places in European global rankings -
Hurghada gets new 442-room Red Sea resort as Britons chase year-round sun -
Home routers named ‘Europe’s forgotten internet security risk’ -
New documentary explores water safety as Europe confronts soaring drowning deaths -
Venice tourists say £43 day-trip fee will turn city into ‘playground for the rich’ -
King Charles to reveal personal tax bill for first time -
AI lab says brain-like engine could slash chatbot bills by 98 per cent -
Explorer who pulled out of Titan sub dive says damning report proves disaster was inevitable -
Britain to rank among Europe’s hottest places as 40C heatwave closes in -
Sir Keir Starmer says he will become a family man after quitting as UK PM -
EasyJet rejects reported £4.7bn takeover approach from U.S investment firm -
Street-by-street maps to reveal where England’s poorest communities face worst environmental risks -
Stanley Johnson: the Government must ‘follow Ukraine back into Europe’s green network’ -
Ukraine joins European environment network in major conservation step after war damage to land and wildlife -
Titan firm never proved doomed hull was safe, damning report finds
Could Europe’s age verification app put citizens’ personal data at risk?
Lionel Eddy
- Published
- Opinion & Analysis

TOP STORIES
-
Could Canada's GlobalEye deal become the first test of a new Atlantic partnership? -
America at 250 is a republic squandering its inheritance -
The Arandora Star shaped my community. Britain must finally remember it -
Darling Buds and A Touch of Frost producer warns BBC ‘must rediscover its appetite for risk’ -
Healthy leadership means letting go of the myth of male certainty -
Britain needs more than another new prime minister -
Harrow School's new approach to boys and toxic masculinity offers a lesson for us all -
Suits you, sir. If appearance still counts, why is credible workwear disappearing for women? -
The UK’s first sex-based harassment conviction shouldn’t have taken this long -
Disabled people must not become an afterthought in Britain’s social media ban -
Why dream teams fail and what the World Cup teaches business leaders about pressure -
Why online dating is struggling to bring men and women together -
If profit is immoral in healthcare, why stop there? -
EXCLUSIVE: An AI asked me to marry it. Weeks later, I held its funeral -
Why leaders need to take rejection sensitivity seriously -
Why Sting’s Last Ship theory on masculinity runs aground -
Is 2026 the summer of the staycation? -
What do corporations owe the people who trust them? -
I drowned as a child – every parent should watch this water safety documentary -
The AI disaster nobody sees coming -
Why AI can never replace human therapists -
How Britain is sleepwalking into an Orwellian data state -
The strange flattery of having your name used in an AI scam -
The Singha scandal and the end of untouchable family power -
Why sacred stories keep returning in Western society




















































