Highest Standards Available (For About Two Minutes)
The EU launched an age verification app to protect children online. A researcher broke it in two minutes. That's not actually the problem.
Correction: as of posting, it hasn't launched yet... my bad.
The European Commission launched its age verification app on April 15, 2026. President von der Leyen announced it herself. She compared it to the EU COVID digital certificate. She said it met the highest standards of privacy available.
A UK security consultant named Paul Moore broke it in under two minutes with a text editor.
That's the headline. But the headline isn't the story. The story starts much earlier, and it doesn't end with a buggy app.
Let's be clear about something before going further.
Kids encountering harmful content online is a real problem. The concern is legitimate. Nobody reasonable is arguing otherwise.
What's being argued here is that what's being built doesn't solve that problem. And that the cost of building it — paid entirely by adults, in data they can never get back — is being waved away by people who haven't looked closely at either the systems or the history.
Because the kids who really want in are getting in. They have been getting in. They will keep getting in.
This is not a technology problem. It is an adolescence problem. It has always been an adolescence problem.
Every generation of teenagers found the dirty magazines. They knew which gas station didn't card. They knew whose older brother would buy the beer. The specific contraband changed. The dynamic never did. Some kids got access to things they probably shouldn't have. Most of them turned out fine. The ones who didn't — that wasn't the magazine's fault, and it wasn't solved by a better ID check at the 7-Eleven.
What we built in response to the 7-Eleven problem was not a surveillance database of every adult's government ID. We asked the cashier to card people. The cashier sometimes didn't. Fifteen-year-olds got beer. Society continued.
One industry report found that nearly one in four attempted logins at age-gated sites were suspected minors. After all the infrastructure. After all the compliance costs. After all the ID uploads. One in four. The kids determined to get in are getting in with VPNs, borrowed credentials, AI-altered selfies, and accounts on devices with verified sessions already active. The friction lands almost entirely on adults.
Now let's talk about the specific app the EU built to solve this.
A security researcher broke it in under two minutes with a text editor.
During setup, the app asks you to create a PIN. It encrypts that PIN and saves it locally under shared_prefs, the app's preferences storage. The rate limiting that is supposed to stop brute-force guessing of the PIN lives in the same place. As a plain counter. One you can edit. Reset it. Bypass the PIN. Bypass the age check.
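The pattern described above, as an added example that is not code from the EU app: a lockout counter read straight back from an editable preferences file, beside a variant that authenticates the counter under a key kept outside the file (here a constructed byte string standing in for a hardware-backed key) and fails closed when the stored value has been edited.

```python
"""Lockout counter in an editable preferences file vs. an integrity-protected one.

Added example, not the EU app's code. Models a PIN attempt counter kept in a
plain key/value store the user can edit. The hardened variant binds the counter
to an HMAC under a key that is NOT in the file (stand-in for a hardware-backed
key), so an edited counter fails verification and is treated as locked out.
"""
import hashlib
import hmac
import json

MAX_ATTEMPTS = 5


# --- Vulnerable pattern: the counter is whatever the file says -------------
def attempts_remaining_naive(prefs: dict) -> int:
    """Trust the counter stored beside the PIN data; editing it resets the lockout."""
    return MAX_ATTEMPTS - int(prefs.get("failed_attempts", 0))


# --- Hardened pattern: the counter is authenticated with an out-of-file key ---
def write_counter(failed: int, key: bytes) -> dict:
    """Store the counter together with an HMAC computed under a key not in the file."""
    body = json.dumps({"failed_attempts": failed}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"failed_attempts": failed, "tag": tag}


def attempts_remaining_checked(prefs: dict, key: bytes) -> int:
    """Reject any counter whose tag does not verify; a tampered or missing value fails closed."""
    failed = int(prefs.get("failed_attempts", -1))
    body = json.dumps({"failed_attempts": failed}, sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(prefs.get("tag", ""))):
        return 0  # edited, missing or forged: treat as locked out
    return max(0, MAX_ATTEMPTS - failed)


def demo() -> tuple:
    """Constructed scenario: five failures recorded, then the counter edited back to 0."""
    key = b"constructed-demo-key-not-stored-in-the-file"
    locked = write_counter(MAX_ATTEMPTS, key)      # legitimate lockout state
    tampered = dict(locked, failed_attempts=0)    # counter edited, tag untouched
    return attempts_remaining_naive(tampered), attempts_remaining_checked(tampered, key)


if __name__ == "__main__":
    naive, checked = demo()
    print(f"naive view after edit: {naive} attempts left; checked view: {checked}")
```

On a real device the key would live in a hardware-backed keystore and the attempt state would ideally be enforced server-side as well; the point of the example is only that client-writable state cannot be the sole thing a rate limit trusts.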
That was the two-minute version. Moore kept going. He rebuilt the app's verification logic as a browser extension. Platforms accepted it as valid proof-of-age. Biometric authentication can be disabled by flipping a single setting. Sensitive data that belongs in secure hardware is sitting in editable configuration files. A separate March 2026 analysis found the app's issuer component can't actually confirm that passport verification happened on the user's device at all.
Von der Leyen compared this app to the EU COVID certificate at the launch press conference. The COVID certificate was the one time European digital infrastructure worked at scale, quickly, under pressure, without a major breach.
This one didn't make it through day one.
Here's where it gets worse. Go search for how to bypass any of these systems. Not on a hacker forum. Just Google it.
What comes back is a thriving, openly indexed, ad-supported content industry. VPN comparison sites. Affiliate guides. "Top 5 VPNs for bypassing age verification in 2026." Ranked by platform, by country, by use case. Monetized with referral links. Written in a weekend and indexed by Monday.
Right now most of those results are just sketchy SEO farms chasing affiliate commissions. Annoying, but mostly harmless. A kid who finds one installs a VPN and connects to a Canadian server. Done.
Here's the part nobody is saying loudly enough: if age verification becomes the universal standard across every major platform — and that is explicitly what the EU, UK, US states, and Australia are pushing toward — that search query becomes one of the most valuable traffic streams on the internet. And when that happens, those results will not stay as slightly-dodgy VPN affiliate farms.
They will be malware delivery vehicles. Drive-by downloads dressed as bypass tools. Credential harvesters wrapped in tutorials. The same playbook as fake game cracks and pirated software, applied to something teenagers will be actively motivated to search for and click on without telling their parents.
The age verification push will create, at scale, a high-value malware vector aimed squarely at minors. The exact population it claims to protect.
And that's before we get to what the systems that actually work collect from you.
Every age verification system that does work — that actually ties you to a real identity — requires you to hand over something you cannot replace.
Government ID. Passport scan. Facial biometrics. Not like a password, which you can change when a password database leaks. This is the kind of data that, when it leaks, you cannot fix at all. You get one face. You get one passport number.
And these databases leak. This is not hypothetical.
In late 2025, Discord's third-party age verification vendor was breached. Roughly 70,000 government ID photos, selfies, and associated personal information were exposed. Discord stopped using that vendor. It switched to Persona. Researchers then found Persona's frontend sitting open and unsecured on a government-authorized server. Discord dropped Persona too, and delayed its global rollout to the second half of 2026.
Before that, a major identity verification company called AU10TIX left login credentials exposed online for over a year. The credentials gave access to a logging platform containing names, dates of birth, nationalities, ID numbers, document types, and images of the actual documents. Not a breach in the dramatic sense. Just credentials, sitting there, for twelve months.
The EFF has been saying for years that age verification is incompatible with privacy. Not "difficult to reconcile with privacy." Incompatible. The architecture requires centralized honeypots of the most sensitive data that exists. Those honeypots will be breached. The only question is when, and by whom.
But here's the thing that gets skipped in almost every conversation about this.
Set aside the breach risk for a moment. Set aside the malware vectors. Set aside the teenager with a VPN and forty-five seconds of patience.
Assume the system works exactly as intended. Assume it's secure. Assume nobody breaks in.
What you have built is a government-linked database that knows who you are, verifiably, tied to your national identity documents — and knows what you accessed, when, and from where. Every site. Every session. Logged against your passport.
That database does not exist in isolation. It exists inside legal systems that have subpoena processes, national security carve-outs, and data sharing agreements between member states and partner governments. It exists in a political environment where the same Commission that launched this app is navigating relationships with governments that have, in living memory, used surveillance infrastructure for purposes well beyond its stated mandate.
The EFF's position is not that European governments are about to start arresting people for watching adult content. Their position — and it's worth reading carefully — is that 81% of the world's internet users already live in countries where people have been arrested or imprisoned for what they posted online. The infrastructure being built in Brussels does not stay in Brussels. It becomes a template. It gets exported. It gets adopted by governments who were never interested in protecting children and are very interested in knowing what their citizens do online.
And even in countries with strong rule of law today — laws change. Governments change. What gets built for one purpose becomes available for the next purpose that needs an expedient solution. The EU app was explicitly described as a "mini" version of the full Digital Identity Wallet — released ahead of schedule, tied to national ID, with the stated intent of expanding it. The Commission said so. The infrastructure for broader identity-linked internet access is not a slippery slope argument. It is the published roadmap.
Von der Leyen stood at a podium and announced a system that ties your government-issued identity to your online activity, called it the highest standards of privacy available, and a researcher broke the actual app before the press conference was over.
The app was embarrassing. The architecture behind it is not a joke. It is a foundation.
What gets built on top of it is not up to the researcher who found the editable config file. It's not up to you. It's not up to the platforms. It's up to whoever holds the keys to the database — and whoever comes after them, and whoever comes after that, for as long as the database exists.
Which, if history is any guide, will be considerably longer than they told you when they asked for your passport.
Find me on Mastodon at @ppb1701@ppb.social. No ID required.