The European Union is in the process of testing an age-verification application, which people can use to verify their age in a privacy-preserving manner (in theory, of course). There’s countless important discussions to be had about whether or not age verification, privacy-preserving or not, is even something we should want, but that’s a topic for another time and for people smarter than I. For now, several member states are currently testing the application on a voluntary basis, and the application itself is open source, with the code hosted on GitHub.
Aside from the obvious concerns about just how private such an application can even be, and concerns about whether or not we should even want something like this, there’s another major problem: the application intends to make use of and require application and device verification by using the proprietary tools for such functionality from Google and Apple, built into Android and iOS, respectively. Listed as future “features”:
App and device verification based on Google Play Integrity API and Apple App Attestation
↫ The application’s GitHub page
This is a massive problem. For reasons that should be obvious to anyone with at least six functioning neurons, the European Union, as well as countless other countries, are trying to reduce their dependency on US technology companies. As such, it’s indefensible to then require anyone who needs to use age verification in the European Union to use an application that will only work on Google-approved Android devices and even then, only when installed from the Google Play Store, with the only alternative being, of all things, Apple’s iOS.
This means that the EU will require anyone who needs age verification to have either a Google or an Apple account, and can only use Google-approved Android or iOS. This application would not work on, say, GrapheneOS or any other non-Google-approved Android ROM – in fact, even if you were to compile the application yourself, you wouldn’t be able to actually use it because it wouldn’t be installed from the Google Play Store. Of course, any mobile operating other than Android or iOS need not apply either.
The danger of tying age verification to Google and Apple did not go by unnoticed, and a GitHub issue raised the issue a few weeks ago.
I would like to strongly urge to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU’s dependency on America and the USA’s control over the internet. Especially in the current political climate I hope I do not have to explain how undesirable and dangerous that is.
↫ TheLastProject in the GitHub issue
The comment thread attached to the issue is long, but during the two weeks since the issue was raised, nobody from the application’s team has answered or even acknowledged people’s concerns, which doesn’t exactly inspire confidence in this being taken seriously. I just hope that with this entire project being in the early testing phases, at least someone manages to realise tying this to Google and Apple is one of the dumbest ideas in a long, long time.
The whole idea of verified age-verification systems is nonsense. If the real goal were to stop children from seeing certain content, that could be handled just fine by parental controls on the devices those children use. (Maybe there’s space for some HTTP headers about content ratings or some other unverified technical component that could be easily implemented by any browser? But then you have to worry about who decides the content ratings.) If the parents can’t maintain control over the devices their children use, then they probably can’t stop the children from just logging in with someone else’s ID or going to a site that doesn’t respect the age-verification laws.
Which means the actual purpose of these mechanisms can’t possibly be the officially claimed purpose of restricting “adult” sites to adults.
Thanks for posting this, I’ve been hearing a lot about this topic, half of US states have passed laws on it, but it’s all US centric. Our media barely covers European news.
https://www.axios.com/2025/01/16/adult-website-age-verification-states
It’s a slippery slope because most of the groups lobbying for age verification have indicated that age verification isn’t actually their end-goal, it’s a stepping stone towards increasingly censoring content they oppose. This was explicit in project 2025.
https://www.msnbc.com/opinion/msnbc-opinion/project-2025-porn-ban-lgbtq-transgender-rcna161562
Porn is an easy target for many people, but it seems so dangerous and irresponsible to let governments have more power to regulate content. Democracy is about people having power and control over the government rather than the other way around. The authoritarian playbook is always to gain power by doing so in a way that tricks people into thinking there’s a ridged line that won’t be overstepped, but one would be fooling themselves to believe that’s true. The constitution crumbles at the hand of fascists.
As far as the EU’s approach, is it really true the implementation requires locked phones with google & apple accounts? If so, that’s messed up.
Unfortunately they might require a locked down phone if they need to store a key in a secure enclave. It might not need to be Google or Apple but it will likely be whitelisted by the govt. And since the govt will whitelist operating systems they will eventually add extra requirements for them to bless such a OS (DRM, no ad-blocking, govt will be able to ban apps, etc.)
Magnusmaster,
I’m not sure where you heard that, but it’s not completely true. Modern devices can have secure enclaves that don’t draw from OS security. For example TPM on x86, and TrustZone on ARM. A real hardware based secure enclave is designed to stay secure independently of the operating system. I wouldn’t go so far as to claim everyone uses it correctly, however in principal it invalidates the claim that apple and google devices have to be locked down to provide a secure enclave. That said, it sure is a convenient argument for manufactures who may want to use these laws as an excuse to lock owners out of their own hardware “we had no choice but to lock y’all out”.
Can someone with root modify an app that stores a key to the secure enclave to store it in regular storage instead? Because if you can then that’s enough reason for governments and banks to lock down everything.
Magnusmaster,
It depends on what the secure enclave has been requested to do, but in this instance I would think it appropriate to have the secure enclave generate and hold a private key and not release it back to the OS. The corresponding public key would then be registered and could be used to attest the presence of the private key without compromising it, which is one of the secure enclave’s functions.
It’s not clear to me that the project is going to be cryptographicly secure because it explicitly acknowledges that the current project is not robust, making that a TODO.
This leaves it unclear to me if any of this is going to be cryptographically robust or just security by obscurity. Maybe we should assume they know what they’re doing, however your average politician has a poor grasp of technology and crypto, so it doesn’t really follow that the laws/specs need to make any technical sense.
I’d really like to hear how they intend to keep kids from going underground (to even shadier websites)? The government has to be aware that for any of this to have a chance of working, they will need to force more and more content providers across the world to build lock and key mechanisms into public facing websites. So it seems logical to conclude that after this is deployed, the next step inevitably has to be a massive government crackdown on public facing websites to lock down the content. It will be done in the name of controlling adult content, which is where things start, but I can’t shake the feeling this opens pandora’s box to government increasingly seeing itself fit to take control of more free speech and owner rights. We can’t ignore mission creep (whether intentional or inadvertent).
Our defenses may be down because we normally associate the risks of censorship and oppression with other countries like China/Iran/North Korea/etc, but I think we need to face the reality that our own governments are more at risk of fringe politics than we care to admit and the tools of oppression that we add to their arsenal could end up being used against all of us.
Alfman,
I’ll be blunt this has been the worst ever week for the Internet in its history. Worse than Great Wall of China, worse than Snowden, and worse than any other even I remember.
1. UK implemented draconian rules “for the children”, and many websites and apps had to shut down. Others require a government id
2. EU is passing similar laws
3. US is trying for the “n-th” time The Kids Online Safety Act (KOSA) which is similarly bad.
How bad can it be?
We have already seen a taste. A private application called Tea was collecting similar identification information. What it did is beside the point. But someone on 4chan got access to its cloud database, and posted the images, of all users, along with geo-locations on a map.
So, not only the access was restrictive (with government ids), it also showed what could happen if those ids become a target (and they will become a very juicy target)
And before the governments, the private sector led by a small agitative group in Australia forced Steam to take down content… the first time in their history. To be honest, that content is distasteful and basically “garbage”, but it starts from there. (And the “slippery slope” immediately worked. They shut down the entire NSFW category on itch.io. Again distasteful, and I would not be interested in. But freedom of speech required tolerating that).
I’m not sure what the next steps be. But if we sleep, in a very short while all Internet might require a “passport” to access. (Maybe even a literal government passport).
This is “bi-partisan”, every part of the political spectrum seems to be complicit in taking away basic rights, and I fear our Supreme Court will not stop them this time.
(The last time late justice Antonin Scalia had given a very powerful and stern lesson on freedom of speech when they wanted to ban “violent” video games. And I fear there is no such person in the bench this time).
Sorry for the rant, I’m not very happy about this.
sukru,
I agree. Most adult sites are in favor of parental controls, which is a more reasonable approach without threatening freedom on the internet.
Alfman,
The sentiment is “we responsible adults are paying the price for inattentive parents not taking basic care of their children”
Why do we need the government in our business?
But again, all of these are smoke and mirrors. They already wanted to have full control over the Internet, and children are always a nice excuse.
According to some people on Hacker News the reason this app will require app attestation is due to it requiring to store a key in a secure enclave. If the key is leaked by a modified version of the app then age verification can be spoofed much like how people are currently spoofing Google Play Integrity results. Depending on what alternative age verification methods are available this issue might be moot.
100% this is about control. They want to be able to basically turn off your access to everything when you write something they don’t like. They being Government and large Central Banking/Corporate Banking/Corporate interests. Which are working in unison to bring in an authoritarian dystopia. There are also parallel efforts under way to ban cash transactions in Australia. Without anonymous speech, and anonymous money you have no political freedom at all. They will be able to track all payments and de-bank people they don’t agree with. We’re seeing de-banking already happening with Valve and Adult games, but it’s been happening in other industries for years. The attempts to control the population in Australia have been getting more blatant since 2020. The government has passed a law Requiring accounts and verification to access online search and YouTube. The control freaks need to be opposed because what they’re proposing can’t lead to a good ending for anyone. Unfortunately the people who have been most opposed to the controls have been fringe right-wing groups. But everyone else is going to need to understand the danger of what’s been proposed to stop it.
Darkmage,
They have already done that to Steam and itch.io customers. In the case of the latter “purchases” were removed from user’s accounts.
(And this was a payment processor, not even the government yet)
I agree this is all about control.
In Canada they de-banked truckers that were protesting the COVID lockdowns, whether you agree with their cause or not, everyone should be opposed to governments seizing money over political protests.
This has been going on for years and the creep forward has been creepy to watch, Tattoo shops, legal vape shops, legal Marijuana growers and legal sex workers in Australia have been getting de-banked, but it’s now spreading into political repression.
In Australia they tried to ban cash transactions over $10,000 around December 2020. Which would make cash useless within a few years of high inflation. It was knocked back. There was also an attempt to pass a misinformation bill which would make talking about government debt and gold/silver investment as an alternative to the Australian Dollar illegal, as it criminalises speech which could shake confidence in the Australia economy. Even though they blew a massive housing/debt bubble which if it pops the government couldn’t afford to bail out the banks even if it wanted to. The misinformation/disinformation bill also contained hate speech provisions which would basically let the government decide what is hate speech.
There is an Australian e-safety commissioner now and she’s on record saying that age verification/censorship laws have to be implemented in line with our international commitments. What international commitments? Who signed up for this, and when were the voters given a vote on it?
This has been pushed mostly from Europe, and the World Economic Forum is where many of these ideas have come from. The Cash Transaction ban in Australia was directly linked to the WEF. They’ve talked for years about the need to control finance, even proposing programmable digital currency/money that governments could issue that expires over time, the need to eliminate cash to control people’s spending, AI control of populations etc. This stuff is creepy as hell and knowing it’s coming from billionaires makes it even more awful.
Yeah. Glad some people get it. This is no more about protecting children than 2020 was about saving grandma.
You seem not to understand. We are the kids. Government is the parent. All they want is parental control, and it is for our own sake.
I have no pity for the likes of Meta, Apple or Tik Tok, this situation is of their own doing. They failed to be good curators of content that gets freely delivered to minors, so now the rules are being taken out of their hands using legal liability as the big stick. Too many kids self-harming, taking their life, regardless of the reason, when the corporates did not act the authorities had to!
The fears of Google or Apple monopoly are greatly overstated, because the liability is huge, too many nations are now involved the US based entities are just service providers. Just the liability on tax bills in some regions will keep them flying straight.
cpcf,
I am not sympathetic for them either. However I have concerns about government overreach as you may notice from my other comments 🙂
Doesn’t this underestimate the market dominance situation though?.The worldwide duopoly stifles the market and kills off competition across the world. I’d like more conformation that the EU’s age verification will actually require apple & google accounts, but if it is true, then the quote I believe you are responding to hits the nail on the head….
I hope this doesn’t pan out to be true, but if it is then I think it’s a very serious problem for the government to implement technology in such a way that bars root and/or alt-os users. The comment in question currently has 2226 upvotes to 6 downvotes.
Alfman,
If this happens as reported, it will literally be a very good example of “regulatory capture”
No other company, especially startups will be able to make a dent in the marketplace, as the barrier to entry is now too high.
Expect even some of the established ones to fall off.
(Just as it happened again and again when governments required unattainable standards. Look at healthcare and what happened to physician owned practices)
In one of his recent rants, a certain He-Who-Must-Not-Be-Named noted that the idea of identity verification is also good because it can help limit the number of bots posting and engaging on websites, thereby reducing the “dead internet” phenomenon.
Vassal state have to do what they’re told.