The Identity Gap: Investigating the EU’s New Age-Verification App

In April 2026, the European Commission unveiled a flagship digital project: a universal, privacy-centric age-verification app designed to shield minors from inappropriate online content, gambling, and adult services. To the public, the message was unequivocal: the tool was "ready to use," mathematically anonymous, and impossible to track. It promised to replace the invasive practice of uploading full passports to every website with a simple, binary "yes or no" verification.

However, a tranche of internal documents released on July 16, 2026, following a freedom-of-information request by independent IT researcher Morten Larsen, suggests a significant disconnect between the Commission’s marketing and its technical reality. The documents reveal that the "finished" product is, in fact, an unfinished reference build, and that the robust privacy technologies touted as the app’s backbone remain largely experimental.

The Chronology of a Request

The tension between public narrative and internal documentation began when Morten Larsen, an independent IT specialist, sought to peel back the curtain on the project. On April 26, 2026, shortly after the app’s high-profile unveiling, Larsen filed a request under the EU’s freedom-of-information protocols. He sought four specific categories of records: privacy impact assessments (PIAs), documentation on the software’s privacy-by-design architecture, protocols for handling biometric data, and internal risk reports concerning user tracking.

The response from DG CONNECT—the Commission’s department for digital technology—was unexpected. The department provided nine documents, yet every single one was already available in the public domain. These files, consisting largely of general technical blueprints and specification pages, provided no new insights into the specific security safeguards governing the app. Two of the documents were duplicates, pointing to the same web portal.

Larsen’s quest hit a further roadblock regarding the most critical piece of evidence: the privacy impact assessment. DG CONNECT stated that it held no such document. Their justification? The Commission is merely providing a "reference implementation," and the legal onus for performing a privacy assessment rests solely on the future entities—such as national governments or private service providers—that will eventually launch the app to the public.

The Discrepancy: Claims vs. Documentation

The discrepancy between the official rhetoric and the technical reality is not merely academic; it strikes at the heart of user trust.

The Myth of "Ready to Use"

During the April 2026 launch, the President of the European Commission presented the app as a finished, deployable solution. Conversely, the internal technical documentation describes it as a "reference implementation." The files explicitly note that the software is "not feature complete" and requires significant development before it can be safely deployed in a real-world environment.

Crucially, the app’s architecture relies on complex tasks: verifying the authenticity of physical passports, detecting "liveness" (ensuring a real person is present rather than a digital mask or photograph), and performing facial matching. The documentation reveals that these core functionalities are absent from the provided "toolbox." Instead, the EU expects individual member states or third-party developers to build these features themselves. The app is, in essence, a starter kit, not the turn-key solution advertised to the European public.

The "Zero-Knowledge" Experiment

The most significant selling point of the app was its reliance on "zero-knowledge proofs"—a cryptographic method that allows a user to prove they are over 18 without disclosing their date of birth or any other personal identifier. This was marketed as the guarantee that the app was "impossible to track."

However, the internal documents paint a different picture. The zero-knowledge proof mechanism is described in the requirements as a recommendation, not a mandate. Even more telling, a section labeled "Experimental features" clarifies that a fully functional zero-knowledge solution is intended for a future, yet-to-be-developed version. The current iteration relies on a less robust system of "single-use passes" with obscured timestamps. Furthermore, the foundational framework document admits that hardware limitations—specifically the difficulty of implementing these proofs on current mobile processors—mean that a final, secure version of this technology has not even been selected yet.

The Hidden Hand: Dependency on Private Contractors

While the European Commission frames the app as a neutral, public-sector solution, the technical documentation identifies the developers as the "T-Scy" consortium. This group comprises Scytales AB, a Swedish identity firm, and T-Systems International GmbH, a subsidiary of the German telecommunications giant Deutsche Telekom.

The reliance on a major private telecommunications firm for the development of pan-European public infrastructure raises critical concerns regarding commercial influence and data concentration. Deutsche Telekom is already a key player in the digital identity space through its involvement in commercial networks like UTIQ, which works with major carriers such as Vodafone, Orange, and Telefónica.

Entrusting the architecture of a public identity tool to a firm that already operates private identity-tracking networks creates a conflict of interest that the European Commission has yet to address. If the infrastructure used for age verification is built by a company with deep ties to the commercial tracking ecosystem, the promise of "untrackable" identity becomes much harder to verify.

Implications for the European Citizen

The disconnect between the Commission’s promises and its technical documentation carries profound implications for the 450 million citizens of the EU.

1. The Crisis of Trust

The primary risk is the erosion of public trust. Citizens are being asked to provide their most sensitive identity documents to an app under the banner of "absolute anonymity." If that guarantee is based on experimental technology rather than battle-tested security, the public is being misled. Informed consent requires transparency; if the user is told the app is "impossible to track" when the technology is actually in its infancy, that consent is invalid.

2. The Danger of Biometric Mishandling

The app’s reliance on third-party verification for facial recognition and document scanning introduces high-stakes risks. Recent history in Europe provides a cautionary tale: the regulator in Spain recently fined the identity firm Yoti nearly one million euros for failure to protect biometric data and improper consent procedures. Similarly, a separate breach on a popular dating app recently exposed thousands of selfies and identity documents used for age verification. If the EU’s "reference" tool does not set rigorous, non-negotiable standards for how this data is handled, it risks becoming a central point of failure for millions of users.

3. The Digital Divide

Finally, there is the issue of access. Previous reporting has highlighted the app’s dependency on Google-certified Android software to run its verification checks. This creates an immediate barrier for users who utilize de-Googled, open-source, or alternative mobile operating systems. A tool presented as a universal European solution that inadvertently excludes privacy-conscious users or those on budget devices contradicts the EU’s own goals of digital inclusion.

Official Responses and Next Steps

The administrative saga is far from over. Following the release of the documents, Morten Larsen has initiated a formal challenge to the Commission’s decision. The challenge, which must be addressed by August 10, 2026, demands that the Commission perform a genuine search for a privacy impact assessment across all relevant departments, contractors, and pilot projects.

Furthermore, Larsen has highlighted a glaring contradiction in the Commission’s formal response: the agency claimed to grant "full access" to the requested files while simultaneously citing "redactions" or "withheld portions" in the same document. This lack of administrative clarity has only fueled skepticism among digital rights advocates.

Conclusion: A Gap in Accountability

Protecting children online is an essential, universally supported objective. The vision of a system that allows users to verify their age without handing over their entire digital identity is a sophisticated and necessary goal. However, the current state of the EU’s project serves as a reminder that technological ambition must be matched by rigorous, transparent, and verified implementation.

The evidence currently available does not suggest malice, but rather a dangerous gap between political messaging and technical reality. The EU has marketed a finished, secure solution to the public while internally treating that same solution as a prototype with experimental security features. For a project that will eventually stand as a gatekeeper for the entire European internet, "good enough for now" is not an acceptable standard. Until the Commission can provide a comprehensive, independent privacy impact assessment and prove that the promised anonymity is not just a future goal but a present reality, the public is right to view this "ready to use" app with significant caution.