The European Union’s ambitious plan to protect minors online through a centralized age verification app is facing intense scrutiny. Following its recent announcement, the initiative has been hit by allegations of fundamental security flaws, with Telegram founder Pavel Durov claiming the system could be compromised in as little as two minutes.
The Core Conflict: Safety vs. Surveillance
The European Commission introduced the app with the stated goal of holding digital platforms accountable and prioritizing child safety over commercial profit. Under the proposed system, users would be required to provide recognized government identification—such as a passport—to access various online services.
However, critics argue that the mechanism intended to protect children may actually create a massive security vulnerability.
- The “Trust” Problem: Pavel Durov criticized the app’s architecture, labeling it a “surveillance tool.” He argued that the system is “hackable by design” because it relies on trusting the user’s device—a vulnerability he claims means “instant game over” for the security of the entire system.
- The Freedom Argument: Beyond the technicalities, Durov suggested that the push for such tools serves as a pretext for bureaucrats to gradually erode digital freedoms.
Technical Red Flags: Encryption and Data Storage
While European Commission President Ursula von der Leyen has defended the app, insisting it meets the “highest privacy standards” and remains “completely anonymous,” security researchers are finding discrepancies between those claims and the app’s actual behavior.
Despite the app being open source—allowing for public inspection of its code—initial tests have revealed significant privacy risks:
- Unencrypted Data: Security consultant Paul Moore reported a “serious privacy issue” regarding how the app handles sensitive documents.
- Persistent Images: Moore noted that the source images used for verification (passports, IDs, or selfies) are not encrypted and, crucially, cannot be properly deleted from the device.
- The Risk Factor: Leaving unencrypted biometric and identity images on a device’s disk creates a high-value target for hackers, potentially exposing users to identity theft.
The Commission’s Response
The European Commission has not retracted its plans, though it has acknowledged the need for refinement. A spokesperson for the Commission clarified that the current version is a demo, suggesting that while the technology is “ready,” it remains subject to continuous improvement.
As of now, no official launch date has been set, leaving the future of the initiative in a state of uncertainty as the debate between digital safety and individual privacy intensifies.
Conclusion
The controversy highlights a growing tension in digital governance: the difficulty of implementing robust age verification without creating centralized databases of sensitive biometric data that are vulnerable to exploitation.