Brussels launched an age checking app. Hackers took 2 minutes to break it

Status and purpose of the app

  • Several commenters stress the app has not “launched”; what’s public is a reference / demo implementation and code under the EU Digital Identity Wallet / eIDAS framework.
  • Goal: allow users to prove they are over a threshold age without revealing identity, ideally via zero‑knowledge proofs (ZKPs), reducing the need to upload IDs to each site.

Reported “hack” and code issues

  • The widely cited “2‑minute hack” involves:
    • Selfie images written to local storage and not deleted.
    • PIN data in shared preferences that could be altered if an attacker has root access.
  • Some see this as a serious basic‑hygiene failure, especially after prior high‑profile selfie/ID leaks.
  • Others argue it’s overblown: data stays on-device, root is required, and this is exactly what pre‑launch open‑source review is for.

Zero-knowledge proofs and architecture

  • The technical spec references ZKPs and anonymous credentials, but several people question how true anonymity coexists with:
    • Revocation and rate‑limiting to prevent mass proxying.
    • Reliance on Apple/Google attestation and external issuers.
  • Debate over whether the scheme can prevent large‑scale credential sharing without re‑identification or timing side channels; consensus: strong privacy is possible in theory, but details and mandatory ZKP use are “unclear”.

Effectiveness, collusion, and device sharing

  • Many note that no system can stop adult–minor collusion; the design goal is to block direct minor access, not every proxy scenario.
  • Phone sharing with children is common; critics say that makes app-based checks weak, while supporters respond that phones can be protected with a PIN or biometrics and that parents must still parent.

Privacy, surveillance, and centralization concerns

  • Strong current of skepticism: “age verification” is seen by some as a gateway to broader identity verification and surveillance, justified by child protection.
  • Others argue the ZKP/double‑blind design is specifically meant to avoid central tracking, and that this is better than today’s ad‑hoc ID uploads.

Alternatives and design suggestions

  • Proposals include:
    • Smart ID cards or wallets that answer “is this user allowed X?” without disclosing age.
    • Bank‑mediated age checks (e.g., Dutch iDIN‑style flow), though that leaks browsing metadata to banks.
    • OS/browser‑level age or rating enforcement instead of central infrastructure.

EU process and communication

  • Some praise the EU for open‑sourcing and inviting attacks; others see political overstatement (“it’s ready”) clashing with demo‑quality code, creating a PR problem.
  • Side debate over using “Brussels” as shorthand for EU institutions and how that shapes public perception.