Seeding

UK approach was to seed foreign intelligence agencies and criminals with British people personal data.

Sounds like the EU has provided a base far more sane than trying to bake the verification into the operating system like some American states are proposing.

You simply can not allow such information and applications to potentially interfere with the normal operation of an operating system, especially during login. It goes far beyond a "nanny state" mentality, and I see no reason for the USG's approach to things other than a desire to have the hooks in place for embedding backdoors and remote shutdown commands.

> "You simply can not allow such information and applications to potentially interfere with the normal operation of an operating system, especially during login."

Not on mobile you can't. The vast majority of mobile users already can't use their devices in way that manufacturers and/or OS vendors don't intend.

If this remains easily bypassed on desktops/laptops, it's not unreasonable to worry that governments could up the ante and require identity verification be overseen by a system's TPM.

The end goal is for every user to be identified in everything they do. The identity fetishists in government pursue that because they're control freaks. They'll gladly be helped by Big Tech, which has a far more practical and widespread use for identity: advertising. The latter is far greater of a practical threat for most users. While government surveillance is objectionable to free people who are doing nothing wrong, it has far less an impact to daily lives than the pervasive data harvesting and manipulative advertising pushed by Big Tech.

Age verification starts with things that nannies can easily rail against: porn, gambling, social media, etc. The next step after that is "making sure you aren't a bot" which will be coming if identity verification isn't stopped in its tracks. Just wait for John Q. Public to get frustrated with "bots" and he'll gleefully activate the Google-provided identity verification app. Google will happily suck up his data and keep him constantly dosed with manipulative crap.

much more sane than American states

If i understand what the app does it only proves whoever provides the age check to some web site has access to an app where someone not necessarily the current user of the app) previously enrolled and passed using one of the supported age verification methods.

It is of course totally impossible that someone sympathetic would enroll on their younger friends mobile so the system is 100% secure. /s

Smartphone + App Store Required == No Privacy

Europe can publish all the code it wants, but it's laughable to call this privacy preserving when the platform it runs on isn't.

It's a problem even as a standalone app. Integrating it into a nationalized wallet app (I feel gross just typing that) compounds the problem.

Re: Smartphone + App Store Required == No Privacy

Doesn't your six year old child carry his national id card in his wallet? I agree, WTF could possibly go wrong? Someone should make a list.

Unbreakable security?

The Commission has delivered an unbreakable identity system.

I just wonder how long it will stay unbroken. My guess is that holes in it will be found before it is even into use.

Re: Unbreakable security?

Already happened.

Politico: [1]Brussels launched an age checking app. Hackers say it takes 2 minutes to break it.

"Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes."

"Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app."

[1] https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/

Re: Unbreakable security?

You'd have to unlock the screen anyway to open the app. Does entering your PIN or scaning your fingerprint twice make it more secure?

Re: Unbreakable security?

Yes.

Extremely personal data should not be stored in an accessible format on a device's filesystem. That's really bad.

It's also not unreasonable to harden sensitive functions against anyone who might have access to an unlocked device. If the goal of this is to prevent kids from seeing a nipple, it's not unreasonable to secure it against the kid who might be handed dad's unlocked phone, or who might be able to guess dad's device PIN because it was reused, say, perhaps from an electronic lock on the family's house door.

It speaks very poorly of the lack of thought which went into this app when developers didn't consider several of the most basic threat scenarios.

Re: Unbreakable security?

Where's the accessible format? It's in the app's storage area, it's not accessible by other apps.

So if the kid knows the unlock PIN once, he's going to know it twice.

If the kid is handed Dad's phone by Dad, then that's the parent's choice.

Re: Unbreakable security?

If the kid is handed Dad's phone by Dad, then that's the parent's choice.

I'm not a mobile developer, but risk seemed to be that users could access the app data, and modify it to bypass the illusion of security. So from the Politico article-

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Then because data can be edited, could that also be moved? So get Dad's phone, rip the authentication data to kid's phone, then kid shares that method & 'authenticated' file(s) with other kids.. Which if it's possible, kids will do. Then because it's supposedly a zero-knowledge proof system, back-ends won't know that kid is not dad, and dad doesn't have 1,000+ kids, all using the same credentials.

But then this is almost certainly just a (super)state sponsored trojan to get an app onto people's devices, then because of insecurity, expand the scope into a full-blown digital identity system that becomes 'essential' to get online. I mean if AlphaGoo and Apple already have mobile based mass surveillance systems, why can't the EU? Won't someone think of the children!

Re: Unbreakable security?

Theoretically.

And theoretically, attackers shouldn't ever have access to password hashes, either. We salt them and hash with Argon2 as additional protection should other security measures fail.

That storage area is accessible by the operating system. It also becomes accessible when other security measures fail. Plenty of examples.

An app this sensitive should have been designed from the ground up with defense-in-depth. The EU didn't consider this, which tells us they didn't have their best people working on it.

Re: Unbreakable security?

Au contraire. I'm sure they did, in fact, have their best people working on it, but their stated purpose isn't the same as their actual purpose (as has been postulated above.)

Re: Unbreakable security?

You first need physical access to the phone in order to 'break' the app. If that happens with your phone, you've got bigger problems than age checks.

Re: Unbreakable security?

Yeah, as it is totally impossible that a youngster manages to physically access Dad's mobile when Dad is sleeping in on Sunday morning.

Re: Unbreakable security?

On a child's IOS/Android device? Who are you trying to kid? I was 45 when I stupidly left a Galaxy Tab S2 in a restaurant. I can't tell you how many things I lost when I was a kid.

Re: Unbreakable security?

his account is well worth following - he's providing consistent updates showing there is fundamental flaws in the design philosophy of the whole app.

https://x.com/Paul_Reviews

Re: Unbreakable security?

Loving his [1]latest clapback against another age verification proponent who stupidly writes:

"We already effectively have digital ID - everyone's digital footprint is tracked all day, every day, only at the moment the only people who benefit are the social media platforms and tech giants who harvest our data and use it to line their coffers. The main thing is to protect young people from these unscrupulous vultures, who refuse to take any responsibility for the harms they cause. @LauraTrottMP and @KemiBadenoch have six children between them, and so understand perfectly the need for these protections, as do most parents. This is a pathetic and lazy argument against enforcing basic online boundaries for minors." - @WestminsterWAG

Just because she signed up to be digitally stalked by Big Tech doesn't mean everyone wants to.

The framing here speaks volumes: the identity mongers are telling us digital ID is inevitable because they've already accepted Big Tech surveillance as an inevitability, when it's not.

She doesn't seem to get that opting-in to Big Tech digital surveillance is a choice. Choosing not to might be inconvenient at times, but it is a choice. I won't be letting Big Tech deploy a geolocated identity device in my pocket 24/7.

[1] https://nitter.net/Paul_Reviews/status/2049471333461803496

"Open source tool", "the technology", "the app"

No link, no name, ...

Am I the only one who does not know what tool/app/technology the article is talking about?

Re: "Open source tool", "the technology", "the app"

[1]https://ageverification.dev/

[1] https://ageverification.dev/

Re: "Open source tool", "the technology", "the app"

Thank you :)

A mobile app working on a PC?

It's bad enough I have to fart around getting a text when I spend a tenner on ebay now. Do I now need a smartphone to use a PC? That is barking.

Why not just ban kids from using the internet and mobile phones entirely? It would be easier, cheaper, and simpler. If it is so dangerous, they can use it when they are old enough, and not before. Or is this just another Chinese-style ID grab.

Re: A mobile app working on a PC?

Not just Chinese - it's every Government. They all want to know everything about you.

We're approaching the end of capitalism, when the poor have no option but to revolt against those rich enough to be in control. They're desperate to prevent that, and the only way is to exert absolute control over everyone so the revolution can be held down.

All those dystopian novels are being used as guides to shape the future...

Re: A mobile app working on a PC?

Brave New World, not 1984.

The plebs will be controlled through their pleasure. That pleasure will be delivered through digital services and entertainment, which are light on resources. Physical resources are reserved for the new ruling class.

If you don't want to be happy following $MEGASTAR on Facebook...well, then you lose out on the pleasure. Resources, however, will be quite costly and out of reach.

Always the same excuse. Lose rights and privacy in the name of "protect the children." Companies need to refuse, if the EU doesn't like it, shut them down.

Why would Eurocrats want to shut it down?

The EU wants to identify everyone in everything they do using "protect the children" as the excuse for embedding digital identity into the smartphone which every citizen consumer is expected to have.

Maybe I wasn't clear in my initial comment. The companies need to shut down the services to the EU.

Is there a penalty for providing an unlocked device, or a device and the unlock/verification passcode to use it as an adult, to a child? Your own child? Someone else's child?