‘No more excuses’: Von der Leyen says EU age checking app is ready

The Commission expects European-wide apps to be ready to download in coming weeks, developed by companies that will be verified by the Commission, a senior official told reporters. EU countries will launch their own versions later this year, the official said.

There are three ways people can verify their age: via their passport, a national ID or via trusted providers such as banks or schools. That can then be used by the tech platforms to check if a person trying to access a service is of the required age.

Von der Leyen has convened a panel of experts to draft a recommendation on an EU-wide social media ban by the summer. The panel will hold its second meeting on Thursday. Von der Leyen will attend the meeting, an agenda seen by POLITICO showed.

I do think that it would be less bad if there are a range of non-government-issued identity methods to verify your age. Your boss, your gym club, etc. Of course there would be a bit of fraud, but common-sense limits would limit it. Though even a bit of fraud is not the end; the goal is to make it harder for kids, not impossible.

https://www.reuters.com/world/eu-age-verification-app-ready-europe-moves-curb-childrens-social-media-access-2026-04-15/

Per reddit, in theory the app is zero knowledge “to let users cryptographically prove they meet an age requirement without revealing their identity or personal data. It works via a trusted credential issued once and stored locally, then generates privacy-preserving proofs on demand so services only receive a yes/no result rather than sensitive information.”

GitHub is here. At least it is open source:

Really think devil is in details. This obviously isn’t an ideal situation. But it doesn’t seem to be as bad as it could be either. It certainly is a better situation than what is being proposed in USA regarding OS level age checks. If the app truly is zero knowledge, it might be the most privacy preserving way possible to address the moral panic and political hot button issue of protecting children online right now.

Can anybody with more knowledge than I verify if the app is truly zero-knowledge?

2 Likes

So I found in this post that those verifications aren’t one-time only; it seems they have an expiry date. This is really concerning. The ID stops being a way to prove your age once, but becomes a necessity to continue proving it regularly.

https://xcancel.com/csmproject/status/2044732523368841220#m

Does this app run on any OS, including free and open source ones, or is it iOS+Android only (with Play Integrity checks on Android) like the EUDI wallet app?

My understanding was that it isn’t an EU app but a technology that other app developers would then take and build into verification apps.

I’m confused as to why Von der Leyen is referring to “an app” (3:05 min). I don’t think there will be one app for all EU citizens:

“One common set of standards and specifications, many different wallets”

“Every Member State will need to provide its citizens with at least one EUDI wallet.”

“Start building your EU Digital Identity Wallet solutions”

She (or her writers) should have said “software protocol” or something like that.

Transcript is here: Press corner | European Commission

3 Likes

Set-up and adding a (test) certificate works. Couldn’t verify the connection since the link didn’t open in the app.

Where are you getting the app from?

1 Like

Someone is proposing Play Integrity for the app in the issues. That person seems to be using AI, as they filed dozens of issues.

Also of note

2 Likes

Europe does seem to be waking up to their dependence on US Big Tech and the benefits of open source and Linux, so let’s hope that suggestion gets ignored.

2 Likes

Thanks for this. I have taken some screenshots and done a quick write-up, which I’ll post in the projects section.

1 Like

Ok, that seems not to have been allowed or gone through in the Project section, so I’ll just link the screenshots here: https://theprivacydad.com/a-first-look-at-the-eu-age-verification-app/

1 Like

Since the app tells the social media platform if someone is old enough or not with a true or false bool.

While on an actual ZKP (Zero Knowledge Proof) the website should not get the answer like that, but rather in a way more abstract and not 100% correct format.
So the website can only say that to 99.999999999999999999999999999999999999999999999999999999999999999999999999% the user is over 18, while there might be a theoretical possibility that the system returned a false statement and the user is actually under 18.
The Ali Baba cave analogy is one example of it.

So I would assume that their ZKP is not an actual ZKP.

https://cybernews.com/security/eu-age-verification-app-hack/

According to Moore, the app stores an encrypted PIN locally, but crucially, the encryption is not tied to the user’s identity vault, where sensitive verification data is kept.

That opens the door to a surprisingly simple bypass. By deleting specific values tied to the PIN from the app’s configuration files and restarting it, an attacker can set a new PIN while still retaining access to credentials created under the previous profile.

In effect, the app accepts reused identity data under a newly defined access control.

Moore also pointed to additional weaknesses that make brute-force or bypass attempts even easier.

Rate limiting, typically used to prevent repeated guessing of PINs, is stored as a simple counter in the same editable configuration file. Reset it to zero, and the system forgets how many attempts have already been made.

Biometric authentication, meanwhile, is controlled by a single boolean flag. Flip it from “true” to “false,” and the app simply skips biometric checks altogether.

Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes.

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: “Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18.”

3 Likes
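The Cybernews findings quoted above (PIN not bound to the vault, attempt counter and biometric flag sitting in an editable config file) correspond to a design where the vault key is wrapped under a PIN-derived key and the config is MAC-protected. The sketch below is an added example, not code from the app or its repository: all names are hypothetical, `device_key` stands in for a non-exportable hardware-keystore key, and the XOR-plus-HMAC wrap is a standard-library stand-in for an AEAD key wrap.

```python
import hashlib, hmac, json, os

MAX_ATTEMPTS = 5  # assumed lockout policy

class Tampered(Exception): pass
class Locked(Exception): pass

def _kek(pin, salt, device_key):
    # Mix in the device-bound key so PIN guessing cannot run off-device.
    pw = hmac.new(device_key, pin.encode(), "sha512").digest()
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 100_000, dklen=64)

def _mac(state, device_key):
    # MAC over every config field except the MAC itself.
    body = {k: v for k, v in state.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(device_key, msg, "sha256").hexdigest()

def _seal(state, device_key):
    return {**state, "mac": _mac(state, device_key)}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(pin, vault_key, device_key):
    """Wrap the 32-byte vault key under a PIN-derived key; seal the config."""
    salt = os.urandom(16)
    k = _kek(pin, salt, device_key)
    wrapped = _xor(vault_key, k[:32])
    tag = hmac.new(k[32:], wrapped, "sha256").hexdigest()
    return _seal({"salt": salt.hex(), "wrapped": wrapped.hex(), "tag": tag,
                  "attempts": 0, "biometric": True}, device_key)

def unlock(state, pin, device_key):
    """Return (vault_key or None, updated_state)."""
    if not hmac.compare_digest(_mac(state, device_key), str(state.get("mac"))):
        raise Tampered("config was edited outside the app")
    if state["attempts"] >= MAX_ATTEMPTS:
        raise Locked("too many failed PIN attempts")
    k = _kek(pin, bytes.fromhex(state["salt"]), device_key)
    wrapped = bytes.fromhex(state["wrapped"])
    tag = hmac.new(k[32:], wrapped, "sha256").hexdigest()
    ok = hmac.compare_digest(tag, state["tag"])
    attempts = 0 if ok else state["attempts"] + 1
    new_state = _seal({**state, "attempts": attempts}, device_key)
    return (_xor(wrapped, k[:32]) if ok else None), new_state
```

The MAC detects edits to the counter and the biometric flag, but not a restore of an older sealed copy of the file; catching that needs a monotonic counter held in hardware.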

“effort to keep kids safe online”

I just wish they would stop lying to gullible people. Further, it does nothing for online safety. Quite the opposite. They know this, but peddle this nonsense to people who believe it. Sadly, this is the mainstream.

2 Likes