Back Original

European "age verification" "app" forcing everyone to use Android or iOS

Jul 16, 2025

· 282 comments · 325 replies

In the README, the following is listed:

App and device verification based on Google Play Integrity API and Apple App Attestation

I would like to strongly urge to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU's dependency on America and the USA's control over the internet. Especially in the current political climate I hope I do not have to explain how undesirable and dangerous that is.

You must be logged in to vote

Furthermore I am surprised this is considered an important next step, given apps like the Dutch identity app Yivi (who has no such dependency) already exist and can be used for age verification by the government just fine (on the few select platforms that work with it). Yivi is even available on Open Source app stores like F-Droid.

I think Yivi's existence should be sufficient proof that Google Play Integrity integration is unnecessary.

Yivi (formerly IRMA) homepage: https://yivi.app/en/

You must be logged in to vote

0 replies

You must be logged in to vote

0 replies

In addition, tying age verification to specific operating systems and their vendors (large American tech companies) violates two of the three principles listed elsewhere in this org:

  • made available to anyone who wants to use it
  • controlled by users
You must be logged in to vote

0 replies

You must be logged in to vote

0 replies

Digital sovereignty is a necessary step to reduce the risks of data processing. There should be no dependencies for external services from third parties at all since each one adds a whole ecosystem of potential security issues.

You must be logged in to vote

0 replies

This is insane, what's the threat model? Someone remotely exploiting a device to steal proof of age of majority just to watch p__n (most common use case)? Is it even realistic? Why does this service need an app at all? Just create a modern web app, maybe even leveraging Digital Credentials API. I'm tired of app-for-everything.

You must be logged in to vote

0 replies

This happens because those who draft the technical specifications don't know how the technologies they propose work.

As I've explained elsewhere, this is ridiculous. Here's a brief excerpt from one of my posts elsewhere:

It's incredible that the European Commission sanctions Google for abuse of dominant position and asks to open the operating system to other stores to allow "free" competition and you [the writer of technical specifications] impose the use of tools that exclude the free choice of the user and give to Google all the power of choice, that's really INCREDIBLE...

There are dozens of ways to secure these apps' certificates without using proprietary systems.

You must be logged in to vote

0 replies

There are dozens of ways to secure these apps' certificates without using proprietary systems.

Does it need to protect those certificates at all? Maybe I'm too naive, but couldn't this simply be implemented by verifying random challenge signed by a national identity provider?

  1. User goes to p__n website
  2. Website detects user is visiting from Europe
  3. Website downloads them a file containing a random string
  4. Website tells them to visit verifyage.gov.example
  5. User logs via identity provider and uploads the file
  6. Challenge is signed and downloaded through the browser
  7. User goes back to the p__n website and uploads the file
  8. Website verifies the challenge is signed by a trusted entity

Avoids having to protect the signed challenge at all since it's single use, scheme is similar to authenticating with SSH or WebAuthn. I haven't checked the architecture thorough, perhaps does something similar in the end with more bloat in between.

You must be logged in to vote

9 replies

@feldim2425

Perhaps the logical conclusion would be that strict age verification just isn't a useful thing to try, and instead parents should be encouraged to actually make use of the client-side filters that pretty much all smartphones have. I've made that argument here.

I agree, however given the people* currently see the internet helped by certain incidences (*cough* Roblox *cough*) I'm not very hopeful that this view will change in the near future. Maybe it could change once the system is implemented and fails horribly but that will take time.

* Note: With "people" I don't just mean politicians. I've heard this from clueless parents as well as people from the "I've nothing to hide"-crowd that truly believe there is no way this could ever go wrong.

@nukeop

What the hell is a p__n website?

@k8ieone

Porn, pornography. I see no reason fo the self-censorship here.

@lukefromdc

I was just following the format of the post I was originally responding to

@k8ieone

Please listen the ongoing issues with the Italian Wallet related to Play Integrity:

mega thread:

Duplicates:

You must be logged in to vote

0 replies

You must be logged in to vote

0 replies

A mandatory Google account is unacceptable in a OSS Project

You must be logged in to vote

1 reply

@Kobaxidze256

Getting access to a website as a EU citizen by accepting the TOS of EU-penalized American megacorp is peak 1984.

You must be logged in to vote

0 replies

Besides the privacy issues, this feels like South Korea's IE6 problem back in the days, everything was so tied and dependent on it, that they couldn't get rid of it. But I guess we are just humans repeating mistakes, getting influenced by lobbyists, uninformed people, people who can't imagine how things will look like in 10 or more years

You must be logged in to vote

0 replies

This would be massive hinderance to all South EU states, where adoption of non google phones is large.

This would be also massive dependency on google.

Furthermore, why on earth are you building digital ids but then not doing IDPs, then forcing users to use some extra app for agecheck... they and their OS maintains...

It is bad UX, it causes issues, not sure if adds any security.

You must be logged in to vote

0 replies

I work in cybersecurity and this is a privacy and security nightmare. Just stop.

Using a EU-controlled website with national credentials like it is proposed here #18 is the only reasonable solution.

Or maybe just do not implement this at all. People are going to go to p*** websites a way or another anyway.

You must be logged in to vote

1 reply

@SOglf

This is one sane response.

I will word it differently: if this cannot be implemented without hurting A LOT OF PEOPLE, then maybe it should not be implemented to solve just one problem.

Let's be honest.... Normal people who root their devices won't try to crack or tamper the app or bypass protections. Also.... If you care about the files of the app in /data/data/com.package.name you could just encrypt the most important ones even with a key generated during the first open of the app which will use entropy. What can do root now? Is the problem stuff like http toolkit? Detect it and in case block it or block adb, but even if someone can know what calls the app does, the app is opensource anyway so there is no point in doing it... You see? What is the point of fighting root? Are you scared that someone could replace the ID or values used during verification process? Don't store them but use identifiers and immediately drop them after verification is successful. This way unless the person provides a valid ID immediately they will fail to verify. Play integrity is unnecessary, are you scared of people tampering the apk itself? Add signature verification to the apk, if that's tampered app will fail to start displaying signature doesn't match. Are you scared someone will anyway beat the app internal signature system? Verify it as well by a server check. Again, play integrity being useless.

You must be logged in to vote

7 replies

@ell1e

If the key is on your smartphone, some people are going to manage to extract theirs at some point no matter what security through obscurity attestation stuff is in the way...

@Skorpion96

You see? What is the point of fighting root? Are you scared that someone could replace the ID or values used during verification process?

They don’t want people to pull the private key and host a fake age verification service where you can download or buy age attestation from a server.

As I said, if this key would be server side there would be no way of replacing it

@nukeop

@Secret-chest

At this point just make it server-side, instead of turning citizens' "phones" into your servers and sheep.

@Secret-chest

You must be logged in to vote

11 replies

@solodeveloping

@solodeveloping

I mean, the whole thing is public knowledge

"Star of That ‘70s Show and a host of Hollywood hits, 45-year-old Kutcher resigned as chairman of the Thorn board in mid-September amid uproar over a letter he wrote to a judge in support of convicted rapist and fellow That ‘70s Show actor Danny Masterson, prior to his sentencing."

@solodeveloping

@solodeveloping

@solodeveloping

Did my comment about my 1984 comment getting removed really get removed??

Damn.

Tells me all I need to know.

You must be logged in to vote

1 reply

@solodeveloping

see no evil, hear no evil, speak no evil 😂

You must be logged in to vote

2 replies

@Skorpion96

Waiting for the EU to do an "universal bootloader unlock" law....

@SOglf

That's exactly it. Just in a frog boiling mode.

Do not let boil yourself. Age checks today, locked hardware tomorrow. Australia ALREADY INCREASED FINES for bypassing age checks, next step will be a mandatory "locked hardware" to stop bypassing age checks. The UK ALREADY EXPANDED age checks from porn to "harmful content".

THEY WILL NOT STOP.

Remember that EU actions, for better or worse, are imitated all over the world.

You must be logged in to vote

1 reply

@solodeveloping

It's more like all the politicians are corrupts and taking order from oligarchs and private lobbies

If the concern is Russian farms offering automated ID verification for a cost, do note that this "security" can and will be spoofed, with a new method appearing almost a few days after the current one is patched. It will only hurt legitimate users.

You must be logged in to vote

24 replies

@solodeveloping

Remember the goold old days where biometrics and creepy surveillance were seen as dystopian? 😂

Talking about effectiveness: the only way to make sure someone does not kill someone else is to cut his arm and legs, remove his teeth too, so this is probably what nukeop wants too

@nukeop

That's actually what you want, you keep saying it's not effective enough.

@solodeveloping

My opinion is "fuck this shit"

A reason for that is "it will never work"

Another is "they're not doing it for "the kids""

@Secret-chest

No, the idea is that it only hurts legitimate users who simply do not want Android or iOS, and it's not even effective against the ones it attempts to block (and no sane system can be). So the best way is not to have it.

@SOglf

There will be more sale points of verified accounts than you could ever imagine. With or without any attestation. What is more, EU already CREATED underground money for that. Congrats EU! If you want to build the biggest underground our world has seen, then you are on a right path.

WHy not use something like this?

Unified Attestation is a free, open-source alternative to Google Play Integrity. It delivers short-lived integrity tokens signed by a single backend, verified offline by app servers, and issued via a privileged Android system service. It can live alongside Play Integrity, and it’s simple to integrate for app developers on both the app and server sides.

An initiative by Volla Systeme GmbH.

You must be logged in to vote

12 replies

@ProGamerGov

Unified Attestation has the same problems. It just puts a different group of companies in charge doing the same bullshit that play integrity does.

@Secret-chest

there should be a fork that removes all Antifeatures like Play integirty and face scanning as that also requires api's that are only found in google play services or only work on vanilla play services device and don't or function worse on alternatives like microG.

There cannot be a fork. Paradoxically, the source is libre, but you can't modify it in practice, because it relies on some attestation to work and this is enforced by all parties.

@vdbhb59

The truth is that these people don't give a fuck about you and everything they do is for the single purpose of screwing you, and maybe make some profit along the way

Very true. Who gives a damn about user privacy, when they can make trillions and beyond fucking out of the data. Also, none of this is about helping a child stay away from p**n, rather, gaining full control over everything citizen does. Safety my foot.

@nukeop

This isn't Tiktok, you don't have to self-censor words like "porn".

@SOglf

Hardware owner has a full right to have full control over his own device and any data on it. Stop introducing elements which silently try to take the ownership away.

Whatever the "security measures", if a child wishes to access a restricted website, they can just... bribe someone into scanning the QR code on their behalf. It is not more secure with the "attestation". It only hurts legitimate users who want freedom.

You must be logged in to vote

0 replies

Will it work on a Nokia 3310, or on my laptop? I don't own a smartphone.

You must be logged in to vote

0 replies

A big problem I see here is that the EU commission requires people

Trump merely amplifies and extends this problem here, but the

Also, this attempts to require of everyone to have a smartphone

You must be logged in to vote

6 replies

@bbbhltz

@rubyFeedback

Also, this attempts to require of everyone to have a smartphone in the first place.

I'm not sure how this will work either. Perhaps a solution has been proposed and I just haven't seen anyone mention it? It also means they need a Google account (which I do not have...) and that the phone must be charged. Phone stipend I guess? Plus a yearly cheque from Google for all the data they harvest from me.

@CiroPen

public corporations, not private

Public only means that they are publicly traded.

@ogregoire

Actually those are public corporations, not private

In continental Europe, "public" means government-managed; "private" means non-government-managed. The English world considers everything from the monetary point of view. The rest of the world doesn't.

@nukeop

That's not true at all. A public company is not a government-owned company, anywhere.

@ThomasHabets

I don't think this issue is for debating the semantics of "public sector company" vs "public company". Maybe "take this offline", as the saying goes. From context it was clear what the commenter meant.

In the README, the following is listed:

App and device verification based on Google Play Integrity API and Apple App Attestation

No, there's not.

You must be logged in to vote

0 replies

Stop hardware attestation at all cost. This is the final warning, if you keep ignoring it, age verification will be a small inconvenience compared to the nightmare which any "attestation" brings.

WAKE UP PEOPLE BEFORE IT'S TOO LATE

You will literally destroy computing if you agree to any "attestation".

DO NOT AGREE TO THEIR DEMANDS, DO NOT NEGOTIATE WITH TERRORISTS. DO NOT USE HARDWARE ATTESTATION AND AGE CHECKS.

You must be logged in to vote

0 replies

It is simple silly to tie anything governmental to specific technologies. It should be based on open standards anyone can implement and integrate with.

You must be logged in to vote

1 reply

@ell1e

I dont believe in age verification at all. Its some more east german stasi bs. Where is freedom? Every youngster will probably go to tor or whatever to access a social network is that what we want? While they are at it they might get up to slightly more nefarious dark web things like ordering a hit on their teach.

You must be logged in to vote

1 reply

@ell1e

I have neither google nor apple software. Will I be unable to use a myriad of online services if I don't bow and give my money and my data to American corporations? Another shot in the foot, as usual.

You must be logged in to vote

1 reply

@ell1e

This discussion was converted from issue #18 on July 31, 2025 08:00.