It was meant to be a technological milestone for child protection: an EU app that verifies a user's age without sacrificing privacy. But only a few hours after Commission President Ursula von der Leyen presented it, the project came under fire. Security expert Paul Moore demonstrated on X how he "cracked" the system in under two minutes.
According to his analysis, sensitive data is left unprotected on the device. The PIN is inadequately secured, the rate limit on attempts can be defeated by resetting a simple configuration file, and biometric authentication can be switched off with a single click. Moore warns: "This product will be the catalyst for a massive data leak."
French hacker Baptiste Robert confirmed Moore's findings and said it was also possible to simply bypass the PIN or Touch ID prompt. Cryptographer Olivier Blazy points to a more practical weakness: "Let's say I download the app and prove that I'm over 18. Then my nephew can take my phone, unlock the app and use it to prove himself as an adult."
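To make the first two findings concrete, here is an added illustration in Python. It is not code from the EU app or from the researchers; the class names, the JSON file layout, the five-attempt limit and the four-digit PIN space are all assumptions chosen for the demo. It contrasts a PIN store that keeps the PIN and its attempt counter in a client-side config file (so anyone with file access can read the PIN outright, or reset the counter and enumerate every PIN) with one that keeps only a salted PBKDF2 hash and holds the lockout counter somewhere the attacker cannot write, modelled here by an in-process object standing in for a server or secure element.

```python
"""Added demo: client-side PIN lockout vs. lockout the attacker cannot reset.
Hypothetical code; not taken from the EU age-verification app."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from itertools import product

MAX_ATTEMPTS = 5          # assumed lockout threshold for the demo
ITERATIONS = 100_000      # PBKDF2 work factor for the hardened store


class ConfigFilePinStore:
    """Weak pattern: PIN and attempt counter both live in a JSON 'config'
    file that any process with file access can read and rewrite."""

    def __init__(self, path, pin):
        self.path = path
        self._write({"pin": pin, "attempts": 0})

    def _read(self):
        with open(self.path) as f:
            return json.load(f)

    def _write(self, data):
        with open(self.path, "w") as f:
            json.dump(data, f)

    def locked(self):
        return self._read()["attempts"] >= MAX_ATTEMPTS

    def verify(self, guess):
        data = self._read()
        if data["attempts"] >= MAX_ATTEMPTS:
            return False
        ok = hmac.compare_digest(data["pin"], guess)
        data["attempts"] = 0 if ok else data["attempts"] + 1
        self._write(data)
        return ok


def leak_pin(path):
    """Attacker with file access: the PIN is simply in the file."""
    with open(path) as f:
        return json.load(f)["pin"]


def reset_counter(path):
    """Attacker with file access: zero the counter and carry on guessing."""
    with open(path) as f:
        data = json.load(f)
    data["attempts"] = 0
    with open(path, "w") as f:
        json.dump(data, f)


class ServerSidePinStore:
    """Hardened pattern: only a salted PBKDF2 hash is stored, and the attempt
    counter lives where the attacker has no write access (here a process
    object standing in for a server or secure element). Lockout is sticky."""

    def __init__(self, pin):
        self._salt = secrets.token_bytes(16)
        self._hash = self._kdf(pin)
        self._attempts = 0

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, ITERATIONS)

    def locked(self):
        return self._attempts >= MAX_ATTEMPTS

    def verify(self, guess):
        if self.locked():
            return False
        if hmac.compare_digest(self._hash, self._kdf(guess)):
            self._attempts = 0
            return True
        self._attempts += 1
        return False


def brute_force(store, reset=None):
    """Enumerate all 4-digit PINs. When the store locks, call `reset` if the
    attacker has one; otherwise give up. Returns (pin_or_None, tries, resets)."""
    tries = resets = 0
    for digits in product("0123456789", repeat=4):
        guess = "".join(digits)
        if store.locked():
            if reset is None:
                break
            reset()
            resets += 1
        tries += 1
        if store.verify(guess):
            return guess, tries, resets
    return None, tries, resets


def run_demo(pin="4711"):
    """Run both attacks against a freshly created store with the given PIN."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = ConfigFilePinStore(os.path.join(tmp, "config.json"), pin)
        weak_found, weak_tries, weak_resets = brute_force(
            weak, reset=lambda: reset_counter(weak.path))
        leaked = leak_pin(weak.path)
    hard = ServerSidePinStore(pin)
    hard_found, hard_tries, _ = brute_force(hard)
    return {
        "weak_leaked": leaked,        # read straight from the file
        "weak_found": weak_found,     # recovered despite the 'rate limit'
        "weak_tries": weak_tries,
        "weak_resets": weak_resets,   # one counter reset per five failures
        "hard_found": hard_found,     # None: locked out for good
        "hard_tries": hard_tries,     # exactly MAX_ATTEMPTS guesses were accepted
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened variant is not the hash algorithm but where the counter lives: a lockout state the attacker can overwrite is no lockout at all, so on a phone it belongs in the platform keystore or secure element, or on the server, never in an app-writable file.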
The Commission defends its tool. A spokeswoman conceded only that there was still room for improvement. Brussels also claimed that the hackers had tested an outdated demo version, which they denied. It was later explained that the "final version" available online was itself still a demo; the product for citizens will only be released later, and the code will be updated continuously.
Open source as a corrective
That these gaps were found so quickly is partly because the app is open source. Blazy praises this approach, but complains that the source code does not yet meet the security standards one would expect. A hasty launch could undermine trust in future projects such as the EUDI digital identity wallet.
The anonymity promised by the Commission president also looks questionable. Experts such as Anja Lehmann of the Hasso Plattner Institute dispute it: because the app relies on pseudonyms, website operators could link a user's activities over long periods. A promotional video adds to the irritation: it shows a biometric comparison between a facial scan and an ID document, precisely the kind of processing von der Leyen had always rejected when platform operators proposed it. Judith Simon of the University of Hamburg warns that unlinkability is the prerequisite for real privacy.
Many experts also wonder why the EU is building an infrastructure parallel to the already planned EUDI. Lehmann considers a separate app "not very useful" because it deviates from established standards on important security criteria. Thomas Lohninger of the NGO Epicenter.works urges the Commission to rethink its initiative and concentrate on the overdue enforcement of existing online laws.
Last but not least, the question of effectiveness remains. Tibor Jager of the University of Wuppertal describes the age check as "trivial to circumvent": a VPN service is enough to simulate a location outside the EU, where the rules do not apply. He argues for "digital traffic education" instead of technical barriers. The Commission is nonetheless sticking to its schedule, and eight heads of state support restricting minors' access to social media in principle. Since the app is not yet in regular use, there is still time for corrections. The "gold standard for privacy" remains a long way off.
(mki)
