The EU Built a Free Age Verification App That Still Demands Your National ID

Key Takeaways

• On April 15, 2026, the European Commission declared its age verification app "technically ready," with France, Spain, Italy, Denmark, Greece, Ireland, and Cyprus planning adoption.
• The app uses zero-knowledge proofs to confirm age without sharing personal data with platforms, and the source code is publicly available.
• Despite the open-source framing, the system still requires users to onboard via passport, ID card, or national eID, linking internet access to government identity.
• The app drew early criticism for requiring Google's Play Integrity API on Android, effectively locking out alternative Android distributions.
• The EFF has warned the infrastructure could enable mission creep, expanding from age checks to broader identity verification across EU member states.

Zero-Knowledge Proof, Maximum PR Effort

On April 15, 2026, European Commission President Ursula von der Leyen stood in Brussels alongside tech chief Henna Virkkunen, told major online platforms they had "no more excuses" not to protect children, and declared the EU's age verification app "technically ready." Von der Leyen compared it to the COVID digital certificate, which is either a confidence-inspiring analogy or a deeply telling one, depending on how you feel about that particular chapter of digital governance.

Users download the app, onboard via passport, national eID, or ID card, and receive an anonymous proof of age. Platforms get a yes-or-no signal with no personal data attached, and the link between the user and ID provider is severed after the proof is issued. The source code is publicly available, the solution is free, and seven member states, including France, Spain, and Italy, are already planning to integrate it into their national digital wallets. The app is not mandatory, but platforms must either adopt it or implement a system of comparable accuracy under Digital Services Act enforcement.

Open Source on the Outside, Surveillance Infrastructure on the Inside

The zero-knowledge architecture is real, with cryptographic proofs of this kind genuinely allowing age confirmation without transmitting identity data to the platform. But onboarding still requires a government-issued document, which means the link between your identity and your intent to access age-restricted content exists, at least briefly, in the system. The Commission's own blueprint fact page notes the link is cut after proof is issued. It has to exist first, though.

Then there is the Google problem. The app's Android implementation requires Google's Play Integrity API, routing verification through Google's infrastructure and locking out alternative Android distributions and sideloaded applications. Developers raised this in GitHub discussions, pointing out that Google could access age verification data before anonymization occurs, despite the zero-knowledge protections at the protocol level.

Beyond that, security researchers identified a separate vulnerability whose fix would likely require sending full passport cryptographic data, including name and document number, to a server, a meaningful reduction in the privacy the system currently promises.

National versions built on the EU blueprint are not guaranteed to remain fully open source, and what counts as an unalterable "privacy feature" is a question the Commission has left open.

The Pattern Nobody Wants to Name

The EFF's year-end review flagged that the Commission rushed this app out ahead of the full EU Digital Identity Wallet rollout, citing child safety urgency, the same pattern driving age verification normalization for years. The EU's own age verification policy page describes the app as a "mini wallet" built on identical specifications to the European Digital Identity Wallets rolling out by the end of 2026 and notes it "can be easily adapted to prove other age ranges, for example, 13+."

Compare this to what "better-designed" age verification looks like elsewhere. Discord's age verification rollout exposed 70,000 government IDs and routed users through an undisclosed vendor. The EU app is technically superior to that. That is also a genuinely low bar, and clearing it is not the same as solving the problem.

The question is whether "we confirmed your age without keeping your name" is the standard we should accept as the price of internet access across 27 countries. And yet that is exactly what is being normalized. Seven governments are integrating this into national digital wallets designed to expand, and the Commission is already setting up an EU-wide accreditation mechanism for national solutions before the end of April.

If this was genuinely about protecting children and nothing more, then I’m not so sure that the Commission’s decision to choose the COVID certificate as its flagship comparison was really the best idea. That system also launched as temporary, urgent, and privacy-respecting, and the infrastructure it built did not disappear when the emergency did. So when von der Leyen says the EU age verification app "can shield our children from harmful and illegal content," I believe she believes it. I also believe the infrastructure built to do that shielding is designed to do considerably more, and that the children being protected will be adults living inside it long after anyone remembers why it was built.

The solution we’re getting here is considerably better than anything we’ve gotten before. And yet, it’s not quite perfect, is it? So when it comes to our privacy, is that good enough?