EU age‑check bypassed

The European Commission said its new age-check app was ready on April 15; a day later, a researcher said he bypassed it in under two minutes. (commission.europa.eu, cybernews.com) The app is meant to let people prove they are old enough for age-restricted sites without handing those sites their full identity. The Commission says it is anonymous, open source, free to use, and available for implementation now, with citizen access coming soon. (digital-strategy.ec.europa.eu, commission.europa.eu) This is a stopgap before the European Union Digital Identity Wallets arrive by the end of 2026. The Commission’s technical documentation says the age-check system is built on the same framework so member states can fold it into their national wallets later. (github.com, digital-strategy.ec.europa.eu) Age verification is the basic idea of proving “over 18” or “13-plus” without revealing a birth date, name, or address. The Commission says its system supports the Digital Services Act, which pushes platforms to protect minors and handle legally age-restricted services. (digital-strategy.ec.europa.eu, github.com) The immediate criticism was not about the policy goal but about how the app stores and checks access on a phone. Cybernews reported that consultant Paul Moore said he could reset the app’s PIN by deleting local values, then keep access to credentials created under the earlier profile. (cybernews.com) The same report said the app’s rate-limit counter was stored in an editable configuration file and biometric login could be disabled by changing a single true-or-false flag. Moore and other developers argued that phone hardware security features should have been used instead. (cybernews.com) The Commission has pitched the app as an answer to platforms that said privacy and enforcement made age checks hard to deploy. Ursula von der Leyen said on April 15 that platforms now had “no more excuses,” and a senior official told reporters the Commission expected Europe-wide apps to be ready to download in the coming weeks. (politico.eu, commission.europa.eu) Officials have also said people will be able to verify age through a passport, a national identity card, or trusted providers such as banks or schools. Politico reported that national versions are due later in 2026 after testing in France, Denmark, Greece, Italy, Spain, Cyprus, and Ireland. (politico.eu, usnews.com) The Commission’s case for open source is that public code lets governments and companies adopt the system and inspect its privacy claims. The first real inspection arrived almost immediately, and it focused on whether the app’s local defenses match the privacy promises Brussels made this week. (digital-strategy.ec.europa.eu, cybernews.com)