Brussels has launched a new mobile app to verify the age of internet users, and things quickly took a turn for the worse. Security experts have identified serious privacy and security issues in the code for the age-verification app.
Ursula von der Leyen, President of the European Commission, presented the app on Wednesday in Brussels and said it is technically ready, but reality contradicts her. The app aims to settle the question of children's age for the use of social media, with Europe now banning their use by children under 16.
But the application is completely open source, which means that anyone can check it, both for its operation and for its security. And that's what the first users and experts did, who discovered that it has a lot of problems.
Brussels' grand undertaking has turned from a great victory into a disaster for its image. All this with the safety of minors in the background, while the public has been divided into camps for and against the bans.
How was the age verification app breached?
Within a few hours of the app's code being released on GitHub, a security consultant, Paul Moore, discovered that the app stores personal and sensitive data on the user's phone, and does so without any protection, as he wrote in a post on X, which is making its way around the internet. Moore claims he managed to hack the app in less than two minutes.
Baptiste Robert, a prominent French white hat hacker, confirmed many of the problems and stated that it was possible to bypass the app's biometric verification features, meaning someone could skip entering a PIN code or using Touch ID to access the app.
Olivier Blazy, a cryptography researcher who is part of a French working group on digital identity, said: “Let’s say I downloaded the app, proved I was over 18, and then my nephew can take my phone, unlock my app and use it to prove he’s over 18.”
There is more to be done.
The application has not yet reached the app stores, and corrective actions will certainly follow, but it is clear that its first version is not secure and that anyone can access our app to authenticate on social media and other services. This puts users at risk.
On the plus side, the app is open source, so anyone can see how it works and whether it's safe. The fact that researchers had the code before it was released gave them valuable information about what needs to be done to make it safe for everyone to use.
The online controversy over the EU's implementation reveals a sharp division over how to manage internet users' access to everything from pornographic websites to social networking platforms.
Many EU states, like Greece, have begun the procedures for implementing age verification on the internet, with the protection of minors at the forefront of this effort.
The huge cost of implementing age verification
At the end of last year, in 2024, the European Commission opened a €4 million tender for the implementation of age verification, which was won by the Swedish digital identity company Scytáles and Deutsche Telekom. Speaking of which, €4 million for an app is a huge amount and somewhat absurd, especially when the app is so simple. That is also why the quality of the app that was presented has received so much criticism.
In our country, age verification will be done through Kids Wallet or through the Gov.gr Wallet, instead of the European application. They are completely different applications, with different security protocols.
Unfortunately, the EU, despite calls from experts, has not provided precise plans for the operation of age verification and the ways to ensure privacy and security. This is the main reason why there are reactions from various European parties and organizations, and this certainly needs to be corrected.
The idea of protecting children from social media is of course a good one, especially when it is proven that pedophiles are circulating on them, with the knowledge of technology companies. At the same time, social media create many problems for the psychological state of children, who are exposed to wrong and dangerous role models.
However, age verification should be done independently of the user. That is, the verification should not link the user's information to their profile, in order to dispel any doubt that the entire system is a means of monitoring citizens.


