---
title: The EU Age Verification App Was Always Meant to Be Broken Into
description: The EU age verification app was reported as hacked. It is an open-source reference implementation published for review. Finding bugs is how open-source software gets secure.
author: Darie Nani (Editor-in-Chief)
date: 2026-05-01T14:11:32.183Z
updated: 2026-05-01T14:11:32.198Z
canonical: https://www.sovereignmagazine.com/article/eu-age-verification-app-open-source-defence
image: https://cdn.nanimediahouse.com/eu-age-verification-open-source.webp
categories: EU Focus, Science & Tech
content_type: Opinion
region: Europe
publication: Sovereign Magazine
about:
  - type: Organization
    name: European Commission
---

Most of the infrastructure behind the internet is open-source software. The web servers, the encryption libraries, the databases, the systems that route traffic between networks: the majority of it is code that anyone can read, copy, modify, and redistribute. Banks run on it. Hospitals run on it. Governments run on it. Open source is not an alternative to commercial software. It is the foundation that commercial software is built on.

The reason open-source software is trusted with all of this is that bugs get fixed faster when more people can see the code. When a company builds proprietary software, only its own engineers can find and fix problems. When the code is open source, any developer in the world can read it, find a vulnerability, report it, and verify that the fix works. The software does not arrive finished. It gets stronger over time because it is exposed to scrutiny. Vulnerabilities are expected. They are part of the process.

In April, the European Commission [published the source code for its age verification app](https://www.sovereignmagazine.com/article/eu-age-verification-app-open-source) on GitHub, using the same model. The app is a reference implementation, a template for member states to customise before shipping their own versions. The repository says the project is not feature-complete. It is not available for citizens to download.

Paul Moore, a UK security consultant, found that he could bypass the app's PIN protection, disable its biometric checks, and reset its rate-limiting counter by editing a single configuration file. It took less than two minutes. The Commission patched the code within days. Milosz Gaczkowski, a mobile security professional, published a counter-analysis: even with Moore's bypass, on a stolen and rooted phone, the worst an attacker could do is confirm their age on an adult website. The app does not contain names, passport numbers, or birthdates.

Bug found, bug reported, bug patched, technical debate conducted in public. That is how open-source development works.

## What the Media Got Wrong About the EU Age Verification App

The coverage reported Moore's findings as a breach of a consumer product. "EU age verification app hacked." "Bypassed in two minutes." The major outlets did not mention that the app is a reference implementation published for review. They did not explain what open-source development is or that finding and patching bugs in published code is the standard way open-source software gets hardened.

The story the coverage missed is about what the app actually does with personal data. The EU age verification app reads the passport's chip using the user's phone and keeps the data on the phone. It does not send passport data anywhere. Not to a company, not to a government server, not to the website requesting the age check. When a website asks "is this user old enough", the app hands over a single-use token that says yes or no. The website never sees the passport. The token cannot be reused or traced back to the user. There is no central database of passport scans to hack because no such database exists. The whole exchange is a handshake.

In the UK, the same problem is solved by [handing passport scans and facial data to private companies](https://www.sovereignmagazine.com/article/why-age-verification-is-now-a-reputational-issue-for-every-online-business) running proprietary code that nobody outside the company can inspect. If one of those companies gets breached, or sells the data, or simply goes out of business and its assets are acquired, the user has no recourse and no warning. The EU built an alternative where none of that can happen because the data never leaves the phone. The code is public. The architecture has been reviewed by independent researchers. The bugs they found have been patched. And the press covered it as a scandal.

## FAQ

**Q: Is the EU age verification app safe to use?**
The app is not yet available for public download. The European Commission has published the source code as a reference implementation for member states to customise before release. Researchers have identified vulnerabilities and patches have been issued.

**Q: How does the EU age verification app work?**
The app reads the chip in a passport or national ID card directly on the phone. It requests single-use digital age tokens from a government-approved issuer without sharing passport data. When a website asks the user to verify their age, the app hands over one token that confirms only whether the user meets the age threshold. The website receives a yes or no, not the user's name or birthdate.
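The yes/no token exchange described in this answer and in the section above, modelled as an added Go example (not code from the Commission's repository): the issuer signs only the threshold result plus a random nonce, and the website checks the signature and refuses any nonce it has already redeemed. The token format, the Ed25519 keys and the nonce scheme are assumptions for illustration, not the app's real protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AgeToken is all the website ever sees: a yes/no claim, a random single-use
// nonce and the issuer's signature. No name, passport number or birthdate.
// The format is constructed for this example, not the EU app's real one.
type AgeToken struct {
	OverThreshold bool
	Nonce         string
	Sig           []byte
}

func (t AgeToken) payload() []byte {
	return []byte(fmt.Sprintf("over=%t;nonce=%s", t.OverThreshold, t.Nonce))
}

// Issue models the issuer: the app already read the chip on the phone, so the issuer attests only the threshold result.
func Issue(priv ed25519.PrivateKey, over bool) (AgeToken, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return AgeToken{}, err
	}
	t := AgeToken{OverThreshold: over, Nonce: hex.EncodeToString(n)}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t, nil
}

// Accept models the website: it holds only the issuer's public key and the set
// of nonces already redeemed, so a token can be neither forged nor replayed.
func Accept(pub ed25519.PublicKey, seen map[string]bool, t AgeToken) error {
	if !ed25519.Verify(pub, t.payload(), t.Sig) {
		return errors.New("bad signature")
	}
	if seen[t.Nonce] {
		return errors.New("token already used")
	}
	seen[t.Nonce] = true
	if !t.OverThreshold {
		return errors.New("under age threshold")
	}
	return nil
}
```

Two tokens issued to the same person share nothing but the issuer's key, which is why the website cannot link one visit to another.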

**Q: Is age verification required in the EU?**
The Audiovisual Media Services Directive and the Digital Services Act require platforms to protect minors from harmful content. The Commission's app provides a privacy-preserving option that member states can adopt. Each country sets its own enforcement timeline.

**Q: How does the EU age verification app compare to UK age verification services?**
UK age verification is handled by private companies running proprietary code. Users hand personal data to a company and trust it is handled properly. The EU app is open source, does not send data to third parties, and allows anyone to inspect the code and verify that fixes have been applied.
