The European Union has launched an application to verify the age of users and limit minors' access to certain content, but the tool has already come under scrutiny for possible privacy and security flaws.
The application's own official documentation states that bodies such as the Police, the intelligence services of member countries or presidential offices can read and modify users' personal data. That scope over the stored information has opened doubts about the system's real guarantees.
Doubts about the privacy of the tool
The president of the European Commission, Ursula von der Leyen, publicly defended that the application "respects the highest privacy standards in the world." However, a subsequent technical analysis has questioned that assertion.
"The European age verification application is technically ready. It respects the highest privacy standards in the world. It is open source, so anyone can review the code. I did. It didn't take me long to find what appears to be a serious privacy problem." - Paul Moore, security consultant
The security consultant Paul Moore maintains that he detected a relevant vulnerability in a short time after reviewing the open source code of the tool. His examination points both to the storage of sensitive data and to the protection of user access.
Device access and PIN change
Moore showed that the application can be compromised in less than two minutes if physical access to the device is available. The described method consists of editing the shared preferences file to delete the encrypted PIN values.
Furthermore, the encryption presents flaws that, always according to that analysis, would allow an attacker to change a user's PIN and access their personal information. This is an especially sensitive point as it is an application intended to manage identification data.
Selfies stored without temporal limit
Another of the aspects pointed out affects the initial registration. The selfie-type photographs used to register the user remain stored on the disk indefinitely, without there being an automatic deletion after completing the verification.
The combination between that prolonged storage, the capacity of certain organizations to access and modify personal data, and the failures detected in the protection of the PIN places the application at the center of the debate on digital privacy in the European Union, at a time when its declared objective is to strengthen the protection of minors on the internet.