Hasty Briefs

EU Age Control: The trojan horse for digital IDs

8 hours ago
  • #EU regulation
  • #age verification
  • #digital privacy
  • EU Age Control apps are marketed as using zero-knowledge proofs for privacy, but the current reference implementation uses older ISO standard signatures, not active ZK cryptography.
  • Platforms can bypass privacy-preserving wallet requirements by using traditional KYC providers, making the privacy features optional and likely underutilized.
  • App attestation ties the system to Google and Apple-approved devices, excluding alternative operating systems like Linux, GrapheneOS, or Huawei phones without Google certification.
  • Unlinkability of proofs depends on wallet behavior—using each credential once—rather than cryptographic guarantees, making it vulnerable if credentials are reused or replayed.
  • Relay attacks (e.g., 'Grandma-as-a-Service') allow circumvention by proxying verification requests, as the protocol lacks proximity checks and cannot enforce one-time use after issuance.
  • The system is a 'Trojan horse' for digital ID, potentially leading to revocable credentials linked to other systems like the Digital Euro, enabling remote control and censorship.
  • Reported 'hacks' are often bugs in the mock-up reference app, but structural issues like relay attacks and dependence on wallet compliance are inherent to the protocol and will persist in national implementations.
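
The unlinkability point above, as an added example (not code from the article or from the reference app): a toy model showing that a statically signed credential acts as its own identifier, so two verifiers comparing logs can link visits as soon as a wallet presents the same credential twice. Assumptions: HMAC stands in for the issuer's public-key signature, and `issue_batch`, `Wallet`, `verify`, `linkable` and `demo` are hypothetical names.

```python
import hashlib, hmac, os

ISSUER_KEY = os.urandom(32)  # constructed stand-in for the issuer's signing key

def issue_batch(n):
    """Issue n 'over 18' credentials, each with a fresh salt and its own signature.
    Assumption: HMAC stands in for the issuer's public-key signature."""
    batch = []
    for _ in range(n):
        payload = b"age_over_18=true|" + os.urandom(16)
        sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
        batch.append((payload, sig))
    return batch

class Wallet:
    """Hypothetical wallet: single_use=True burns one credential per presentation."""
    def __init__(self, batch, single_use=True):
        self.batch, self.single_use = list(batch), single_use

    def present(self):
        if not self.batch:
            raise RuntimeError("batch exhausted: request re-issuance, do not reuse")
        return self.batch.pop() if self.single_use else self.batch[0]

def verify(presentation):
    # Toy check: a real verifier would validate a public-key signature instead.
    payload, sig = presentation
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def linkable(log_a, log_b):
    """Signatures seen by both verifiers: each one ties two visits to one holder."""
    return {sig for _, sig in log_a} & {sig for _, sig in log_b}

def demo(single_use):
    wallet = Wallet(issue_batch(4), single_use)
    site_a = [wallet.present() for _ in range(2)]
    site_b = [wallet.present() for _ in range(2)]
    assert all(verify(p) for p in site_a + site_b)  # both sites accept every proof
    return len(linkable(site_a, site_b))

if __name__ == "__main__":
    print("single-use wallet, linkable credentials:", demo(True))
    print("reusing wallet, linkable credentials:   ", demo(False))
```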