Age-check app left biometrics exposed

An audit of an EU age-verification app found unencrypted biometric files—NFC DG2 PNGs and selfies—left on disk, raising potential GDPR exposure for special-category data. The finding directly challenges claims that the app meets the 'highest privacy standards' and underscores implementation gaps in apparently open-source compliance tools. The audit has drawn broad attention online and could prompt closer forensic reviews of similar verification systems. (x.com, x.com)

The European Commission’s new age-check app wrote face images and selfies to storage without encryption, according to audits published within hours of its April 15 rollout. (digital-strategy.ec.europa.eu, politico.eu) The app is meant to let people prove they are over 18 for sites like pornography, gambling, and alcohol sales without revealing their identity to the site itself. The Commission says the tool was “technically ready” as of April 15, 2026, and built to support age checks under the Digital Services Act. (digital-strategy.ec.europa.eu, ageverification.dev)

In practice, the system asks a user to scan a passport or identity card, read its chip with near-field communication, and record a selfie video so the app can compare the two faces on the device. The contractors behind the project, Scytáles and T-Systems, said on April 15 that matching happens on-device and no data is sent to an external server. (biometricupdate.com, ageverification.dev)

Security researcher Paul Moore said the Android build saved the passport chip’s DG2 face image as a PNG file on disk and deleted it only if verification finished successfully. He also said selfie images were written to external storage and not deleted afterward. (cyberinsider.com, politico.eu) That finding landed against the Commission’s public claim that the app offers “the highest standards of privacy available” and that users can prove age without sharing other personal information. The same Commission page says the app is open source and can be customized by publishers without changing its privacy-preserving features. (digital-strategy.ec.europa.eu)

Biometric data used to identify a person sits in the European Union’s special category of personal data under Article 9 of the General Data Protection Regulation. The European Data Protection Board said in a February 12, 2025 statement on age assurance that age checks must be risk-based, proportionate, and privacy-preserving. (eur-lex.europa.eu, edpb.europa.eu)

Researchers reported a second problem alongside the exposed files: Moore said he could reset the app’s PIN by editing local files, and POLITICO reported that French researcher Baptiste Robert confirmed many of the issues and said biometric authentication could be bypassed. Moore said on X that he could break the app in under two minutes. (cyberinsider.com, politico.eu)

The Commission did not concede that the rollout claim was wrong. POLITICO reported that spokesperson Paula Pinho said on April 17, “Yes, it is ready,” while digital spokesperson Thomas Regnier said the code under scrutiny was a “demo version” released for testing and development and would be updated. (politico.eu)

The project is bigger than a single app release. The Commission has framed it as a harmonized, EU-wide template that member states and private companies can reuse ahead of national digital identity wallets due by the end of 2026. (digital-strategy.ec.europa.eu, biometricupdate.com) That makes the storage bug more than a coding mistake in a test build. It puts the Commission’s privacy pitch, the app’s open-source blueprint, and the handling of biometric files in age-check systems under immediate scrutiny before citizens can be asked to trust them. (digital-strategy.ec.europa.eu, politico.eu, cyberinsider.com)
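The storage pattern Moore describes (the chip’s DG2 face image written as a PNG and deleted only on success, the selfie written to external storage and never deleted) next to a hardened handling of the same two images, plus the kind of leftover-file check a reviewer could run over an extracted app data tree. This is an added illustration, not the Commission app’s code or the contractors’ code; the face matcher, the directory layout, the file names and the image bytes are all constructed for the example.

```python
"""Constructed illustration of the storage flaw reported for the age-check app.
Not the app's code: the face matcher, directory layout and file names are
assumptions made for this demonstration."""
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for the two images; only the file signatures matter.
DG2_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64     # PNG signature + padding
SELFIE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64  # JPEG/JFIF signature + padding

IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def face_match(dg2: bytes, selfie: bytes) -> bool:
    """Assumed stand-in for the on-device matcher. It reports a failed match so
    the example shows what each flow leaves on disk when verification fails."""
    return False


def verify_leaky(cache_dir: Path, external_dir: Path) -> bool:
    """The pattern described in the audit, kept as the 'before' picture: the
    chip face image is written as a PNG and deleted only on success, and the
    selfie is written to shared external storage and never deleted."""
    dg2_path = cache_dir / "dg2.png"
    selfie_path = external_dir / "selfie.jpg"
    dg2_path.write_bytes(DG2_PNG)
    selfie_path.write_bytes(SELFIE_JPEG)
    ok = face_match(dg2_path.read_bytes(), selfie_path.read_bytes())
    if ok:
        dg2_path.unlink()  # only reached on success; a failed match leaves dg2.png
    return ok              # selfie.jpg is never removed on either path


def verify_hardened(private_dir: Path) -> bool:
    """Hardened flow: both images stay in process memory, nothing touches shared
    storage, and the one scratch file the (assumed) matcher needs is created
    0600 in the app-private directory and removed in a finally block whatever
    the outcome, including exceptions."""
    dg2 = bytearray(DG2_PNG)
    selfie = bytearray(SELFIE_JPEG)
    scratch = None
    try:
        fd, name = tempfile.mkstemp(dir=private_dir, prefix="match-", suffix=".bin")
        scratch = Path(name)
        with os.fdopen(fd, "wb") as fh:
            fh.write(dg2)
        return face_match(bytes(dg2), bytes(selfie))
    finally:
        if scratch is not None and scratch.exists():
            # Best-effort overwrite before unlink; on flash or journaled storage
            # this is not a guarantee, which is why the file is best avoided.
            scratch.write_bytes(b"\x00" * scratch.stat().st_size)
            scratch.unlink()
        for buf in (dg2, selfie):
            buf[:] = b"\x00" * len(buf)  # clear the in-memory copies


def find_leftover_images(root: Path) -> list[str]:
    """Forensic check for reviewers: walk a directory tree (for example an
    extracted app data/cache tree or shared storage) and list files whose
    leading bytes carry an image signature, as relative POSIX paths."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(8)
        for magic, kind in IMAGE_MAGIC.items():
            if head.startswith(magic):
                hits.append(f"{path.relative_to(root).as_posix()} ({kind})")
                break
    return hits


def demo() -> tuple[list[str], list[str]]:
    """Run both flows in separate scratch trees and return the leftover image
    files each one leaves behind after a failed verification."""
    with tempfile.TemporaryDirectory() as leaky_td, tempfile.TemporaryDirectory() as hard_td:
        leaky_root, hard_root = Path(leaky_td), Path(hard_td)
        cache, external = leaky_root / "cache", leaky_root / "external"
        private = hard_root / "files"
        for d in (cache, external, private):
            d.mkdir()
        verify_leaky(cache, external)
        verify_hardened(private)
        return find_leftover_images(leaky_root), find_leftover_images(hard_root)


if __name__ == "__main__":
    leaky, hardened = demo()
    print("leaky flow left:", leaky)        # ['cache/dg2.png (png)', 'external/selfie.jpg (jpeg)']
    print("hardened flow left:", hardened)  # []
```

The point of the audit function is that the question an assessor asks is not whether the app promises on-device matching but what survives on disk after a failed or interrupted run; a signature scan over the cache, files and external-storage trees answers that in seconds. Note that even the hardened variant’s overwrite is best effort, so the real fix is to keep the DG2 image and selfie frames in memory and never materialise them as files at all.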

Shared from Scout - Be the smartest in the room.