Updated · Center for European Policy Analysis · Jun 3
European Commission Age-Check App Was Bypassed in Under 2 Minutes After April Launch
Updated
Updated · Center for European Policy Analysis · Jun 3
European Commission Age-Check App Was Bypassed in Under 2 Minutes After April Launch
3 articles · Updated · Center for European Policy Analysis · Jun 3
Summary
Security consultants defeated the European Commission’s new age-verification app within hours of its April 2026 debut, bypassing checks in less than two minutes.
The app was meant to give platforms a bloc-wide way to verify users’ ages without directly sharing personal data, replacing ineffective self-declared “over 18” boxes.
Its design still raises privacy and security concerns because scanning identity documents could create a “goldmine” for data breaches and identity theft.
Even a stronger age gate would not fix the broader problem regulators are targeting: addictive platform design, harmful recommendation algorithms, and child-safety risks that persist after verification.
The setback lands as Europe tightens child-online-safety rules and public support grows for minimum social-media ages, while courts and regulators on both sides of the Atlantic press tech companies harder.
Fines and age-gates are failing. Can we child-proof the internet without redesigning the algorithms that drive addiction?
Tech faces its 'Big Tobacco moment' over addictive design. Will court-ordered platform changes be the final outcome for social media?
EU Age Verification App Breached in 2 Minutes: How a Flawed Launch Exposed Systemic Risks to Child Safety and Digital Rights
Overview
In April 2026, the European Commission launched a new age verification app, promising a privacy-first, open-source solution that used zero-knowledge proof to confirm users’ ages without exposing personal data. However, severe security flaws were quickly discovered, as a researcher bypassed protections in minutes by exploiting the app’s design, which stored critical security controls like PIN limits locally on users’ devices. This fundamental weakness exposed the app to easy manipulation, undermining its privacy and security goals. The incident highlighted the risks of poor implementation and the need for secure-by-design principles in digital identity solutions.