EU advances age-verification apps amid privacy and security concerns

The European Commission unveiled new technology this week designed to power smartphone apps that verify users’ age online, part of an effort to make the internet safer for children by limiting access to pornography sites, social media accounts, and online alcohol purchases. Experts remain divided on whether the system will work effectively in practice.

The technology is intended to prevent users from falsely claiming they are old enough to access restricted content or services. Instead of relying on self-declared ages, new apps using the EU system are expected to be developed, with the first countries planning to roll them out later this year.

Under the system, users would scan a passport or national ID card within an app to confirm their age. Once verified, they would be able to access websites with minimum age requirements. The app is designed to confirm only that a user meets the age threshold, without revealing their identity.

Jaap-Henk Hoepman, a senior lecturer in digital security at Radboud University, said the approach effectively makes age verification universal, noting that “in practice, everyone will have to prove they are old enough when visiting such a website.”

However, shortly after the system was presented, the European Commission updated the app following reports that it could be hacked. The app’s code had been made publicly available on GitHub, where developers reportedly found that it was possible to bypass the verification system and fake being an adult.

The Commission said a revised version of the app will be released on Friday. A spokesperson added that they cannot rule out the need for further updates, while maintaining that the system is still “ready for use.” The app has not yet been released for public download.

Bart Jacobs, professor of computer security at Radboud University, said the system could still be bypassed in practice, for example by using another person’s verified device. He also noted that adoption by companies remains limited, as businesses may be reluctant to introduce extra steps that could discourage users.

Critics, including digital rights group Bits of Freedom, argue the proposal will not address broader issues such as social media addiction, and point to user migration to other platforms when similar systems are introduced elsewhere.

Hoepman also raised concerns about privacy and dependence on large tech companies, since the system would rely on mobile operating systems such as Android and Apple’s iOS.

Despite the concerns and the recent update, the Commission maintains that the system is ready for use, leaving it up to EU member states to decide whether to implement the verification app.