The European Union’s new age verification app, which is designed to protect children online, can be hacked in “two minutes”, according to the boss of popular messaging app Telegram.
Pavel Durov joined cyber security experts and privacy campaigners in questioning the security of the new initiative, describing it as a “surveillance tool”.
“The EU age verification app was hackable by design – it trusted the device (that’s instant game over),” he wrote on X.
“But don’t rush to laugh at EU bureaucrats. All they needed was another excuse to erode our freedoms. This ‘surprising hack’ just handed it to them.”
The European Commission announced the new age verification app last week, claiming it would “hold online platforms accountable” and prioritise children’s safety over commercial interests.
It is designed to roll out across Europe, requiring citizens to input a recognised government ID like a passport in order to access online platforms.
Ahead of its release, European Commission President Ursula von der Leyen said the app “respects the highest privacy standards in the world” and would not reveal a user’s personal information to third party sites and services.
“Put simply, it is completely anonymous,” she said. “Users cannot be tracked.”
She also revealed that the app is fully open source, meaning anyone can check the underlying code.
Award-winning security software you can trust. Always.
Get All-in-One Protection for Your Digital Life.
LEARN MORE
ADVERTISEMENT
Award-winning security software you can trust. Always.
Get All-in-One Protection for Your Digital Life.
LEARN MORE
ADVERTISEMENT
This prompted security researchers to see what data it stored on a person’s device, as well as how easy it is to bypass.
In a widely shared post on X, security consultant Paul Moore claimed to have uncovered a “serious privacy issue”.
He said that the source image of the passport, ID or selfie used to collect a user’s biometric data was not encrypted and could not be properly deleted.
“Leaving the original image on disk is crazy and unnecessary,” he wrote. “I don’t think anyone disputes the need to protect children from online harm, but this really isn’t the solution.”
A spokesperson for the European Commission said that the app is technically ready for launch, but added that it is still a demo version.
“Yes, it is ready,” said chief spokesperson Paula Pinho on Friday. “Maybe we can add, ‘and it can always be improved’.”
No date has been set for the app’s public launch. The Independent has reached out for further information.
