Hacker News new | past | comments | ask | show | jobs | submit

European "age verification" "app" forcing everyone to use Android or iOS

https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/discussions/19
I agree wholeheartedly with the argument raised in this github issue, but I think people are wrong to be skeptical about the concept of a government-issued age verification app.

Thing is, the status quo is absolutely worse. My 13yo son likes making Roblox games. Suddenly, some months ago, Roblox made a change where you’re not allowed to share your games with friends unless you do “age verification”, apparently in some misguided bid to beat the pedos. In Roblox’ case, this means sharing your 3D likeness with some sketchy American business who pinky promises to delete said data after. I don’t want random American tech companies to have my kids’ biometric info like that, able to sell it to whoever asks. Nor my passport or anything like that.

I’d much prefer a government supplied app, that’s guaranteed to protect my privacy, and has no business incentive to sell my data, where I can see what data about me (or my son) is shared with Roblox or whichever sleazy business wants it.

Obviously this only makes sense if the government is less sleazy than the average American tech business, but for all its faults, I think that currently holds for the EU (and most of its member countries). There’s plenty precedent of EU governments doing privacy-conscious apps right (the Dutch covid tracking app comes to mind).

I hope they see reason and fix this here issue.

You can (and should) be mad at the government and at Roblox at the same time.

Also, don't use Roblox, you can freely share games made with PICO-8, Löve, Godot, Rpgmaker, Game maker and the like, no need to go to the hell scape that is Roblox and its dark patern and locked down ecosystem.

loading story #48906968
None of the engines you mentioned are nearly as approachable as roblox when it comes to making a 3D game with little programming or art skills.

Don't get me wrong. I agree roblox is a very shady operation, but that does not erase the fact that their platform is unmatched when it comes to letting kids make games.

Roblox is a non transferable skill and I know multiple people who left it for that reason.
RpgMaker is really approachable for a 13yo.

There also Luanti, the new name of MineTest, which is closer to the Roblox experience (in the sense that there already a playable game there, and creating new stuff is closing to modding than to game making).

Government issued versus corporate issued age verification is a false dichotomy. There are other options, such as refusing games that require them. (Yes, we do have a teen, and yes we did exactly that with Roblox.)
Pretending that those options are equal is a false dichotomy. Not participating is an option up to a point, and then it is increasingly limiting all other options.
>There are other options, such as refusing games that require them.

How about the option of the state not being so tyrannical in meddling about what people anonymously do online in their free time?

> a government supplied app, that’s guaranteed to protect my privacy

This is a bit of a 64,000 euro question, though. Look very closely at what the government exemptions for GDPR are.

What are they?
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re... for example. (Yes I know about Brexit, but this is basically identical to when the UK was in the EU and subject to the Directive)
The "app" could be a good solution, if it didn't require attested Android or iOS. It could, for example, have me plug my ID chip into my GNU/Linux system and expose it with a standard protocol. That would be no problem. The problem is that they do not want such a way.

In any case, I think that age gating would not be needed if the platforms were regulated to remove addictive recommendation algorithms.

Funny you use Netherlands as a good example, considering that famously, their existing unusually thorough registry was super helpful for the Nazis rounding up jews later.

I don't think it's Godwin's Law when you are so spot on, exactly describing the worst case.

Additionally there was a leak of the personal information of covid patients, the official tracking app was not affected as far as I can tell.

However even if the app is secure the storage and handling of the information is a different matter and it has been shown that care is not always taken.

Why would an age verification app need to know your ethnicity/religion?

Governments likely already know your name, age, place of birth, so having an app with a standard API for verifying users isn't giving the government additional data.

It is one extra attack vector. There is a data leak reported every week, and it is now apparent we cannot trust any organization to handle any datum securely, at all. It has gotten to the point where I now consider every piece of information compromised and sold on the dark web as soon as I am forced to transfer it to a third party. Because those are the odds.
"government" age verification app will be made and maintan ed by some corp anyways.

so it will gather extra data, sell it sideways and leak like hell. (as they already do with all the data they already have)

Not necessary to hearken back so far in history. In our present age the intelligence services consistently do not respect privacy rights of citizens, even when they are legally bound to.

https://www-bitsoffreedom-nl.translate.goog/2026/07/06/aivd-...

loading story #48911393
This is the elephant in the room regarding the big "digital sovereignty" talks in the EU. For the moment in the EU institutions the focus is mostly at the post-acceptance stage that everything must eventually migrate off US clouds. There is still some denial and hope that things will go back to "before" because it's going to be extremely costly to migrate, but at least high level EU civil servants start to see the strategic value of moving out.

However there is ZERO talk about mobile platforms... No alternative solution like linux for the desktop, no money or care given to the few alternative that tentatively exist, and zero talk about forcing companies (at least for the ones shipping android phones) to open up their firmwares and allow users to install alternative OS if they want to sell in the EU.

So whilst the backend guys more or less got the memo about sovereignty, I think there is still a lot of educational work to do regarding end user devices and what kind of digital slavery hole we're digging ourselves in...

loading story #48904876
Isn't AOSP a thing?
This app requires Google Play. AOSP alone won't cut it.
In fact, it requires attestation: even if you install Google Play on some Android in an emulator/container/VM, on an alternative Android distro or in a rooted device, the app will not accept it.
Writings on the wall can’t be clearer on AOSP’s future…
It is true that Google (de facto) controls the platform and made themselves (de facto) essential to utilizing the platform by integrating their proprietary services so deeply into the OS that you need to be a behemoth of Samsungs caliber to even attempt to meaningfully re-purpose the AOSP, and this was a brilliant strategy because it has allowed Google to solidify their spot in the duopoly / oligarchy while seeming "open". But. I do believe that Google will continue to publish the AOSP source code under a permissive license and that this code will be indispensible to a European Manhattan project for tech sovereignty, should policymakers ever see the light.
You mean giving China control over it?

(because you still need the hardware made, and it's not like the EU commission is even prepared to fix BSPs for that hardware)

The EU has endlessly sold critical infrastructure to US, India and China while actively sabotaging efforts to rebuild it and now want it back - for free. This is criticized as having a low chance of success, as well as being a pretty unreasonable demand.

Because this is all a political move. This so-called "EU sovereignty" drive is in fact aimed at further reducing sovereignty of the member states via further transfer of power and control to the EU.

These digital ID wallets do exactly that. Member states lose control of the ID infrastructure, which will now be controlled by the EU. There isn't much sovereignty left at national level...

This is totally not the EU version of China's social credit score system and WeChat SSO system.

It will totally not be used to sanction you the moment you become a nuisance to the EU elites by saying "wrong speech" that goes against their mandated doctrine or pointing out their acts of corruption or dismantling of democracy.

The EU building in Brussels even has the word "DEMOCRACY" plastered on the front in large bold letters[1], in case you forgot.

[1] https://audiovisual.ec.europa.eu/en/media/video/I-287829

Don't fall for the trap. The question isn't how we should technically force age verification on anybody. The question is why they're pushing it onto everyone. I did not consent to this, neither did you.
loading story #48904410
loading story #48909077
loading story #48904048
Related:

"EU age verification app to ban any Android system not licensed by Google" 27-jul-2025 https://www.reddit.com/r/BuyFromEU/comments/1mah79o/eu_age_v...

and

"EU age verification app not planning desktop support" 24-sep-2025 https://news.ycombinator.com/item?id=45359074

Funny how the worry of "digital exclusion" of the elders who would never be able to use a smartphone has been thrown out of the window in recent years.
loading story #48904328
loading story #48904118
Regardless of whether you personally use Android or iOS, I think that we can all agree that it is not right to be forced to use a specific platform in order to access almost any Internet services.
loading story #48903996
loading story #48904342
Yeah, I am leaning towards never to use anything that is forced to implement any kind of age verification.
loading story #48904108
loading story #48910038
Two platforms that are not owned by companies in the EU. Effectively handing the keys to your state ID to private foreign enterprise.

What will you do when Apple/Google or the US Government effective immediately delete/block your app? The impact initially may be small but after a few years if widely used, you can break a country.

Another juicy threat vector is forcing the app stores to stealthily ship a modified version of the app that sends copies of the IDs and/or tracking data to US intelligence services.

(Reminder: we know Persona's verification software already shares verification data with the federal government. It's a leap to modifying other apps, but within the realm of possibility of US government power. There is absolutely desire from them to gather blackmail material on politically important people, and age verification systems connected to adult sites/apps are a great way to do it)

loading story #48904621
Isn't there a niche platform that can sue the hell out of the EU here?
Im confused, the github discussion says that the README says

App and device verification based on Google Play Integrity API and Apple App Attestation

But I can't find that anywhere. Am I missing something?

loading story #48904445
loading story #48904428
loading story #48904676
It should be stressed that Play Integrity also requires having a Google account and logging in to it on the phone.
The issue is not the issue, the issue is what their "solution" enables for expanding the surface that governments have for controlling details of how you live your life in the future once accepted.
loading story #48908815
loading story #48909634
loading story #48910984
I guess it's that time of the week again. Do we have a sockpuppet account to welcome in you by any chance?

The (actual) complaint of the thread appears to be resolved already (which would make sense given this is old news):

> In the README, the following is listed:

>> App and device verification based on Google Play Integrity API and Apple App Attestation

The README.md does not appear to feature such a section (nor any of the other files for that matter).

Separately, the title is editorializing, and falsely suggests there's some big bad EU app, even though the app that does exist is merely a reference implementation, not for end user usage. There's a reason the repository you're linking a discussion thread from only holds specs.

I agree with the sentiment but is there even any phone that doesn't run Android (or derivatives) or iOS and that can install modern "apps"?
loading story #48904044
loading story #48904358
loading story #48904011
loading story #48904080
loading story #48904007
loading story #48905254
What would this be applied to? Let's check the freshly printed report by the "Special Panel on child safety online and potential age restrictions for social media" (https://commission.europa.eu/document/download/d833504d-5ec3...).

We have a definition at the beginning, for "Social media and other digital services (in short, social media+)":

Within the scope of this report, the terms ‘social media+’ and ‘social media and other digital services’, are used to broadly define services that may be available to minors and contain age-inappropriate and/or risky features (for example, addictive and harmful features, among which infinite scroll, autoplay, recommendation algorithms and persistent notifications) and/or content. Social media and other digital services providers include online platforms serving as intermediaries of content from third parties, such as social media, as well as app stores. AI systems posing risks to minors’ safety and development, including AI companions, video games exposing children to harmful commercial practices or dangerous contacts, and video-sharing platforms enabling age-inappropriate access to minors are also included.

So, let's see, services that may contain age-inappropriate and/or risky content, "online platforms serving as intermediaries of content from third parties".

How quickly can you come up with something that wouldn't fall in that definition?

It seems that anything that allows user-contributed content (such as plain old forums) or communication among users would be comprised in it.

And, yes, to be sure we explicitly include app stores (I guess including e.g. F-Droid, and what about software repositories?) and video games with intercommunication features.

What is this definition used for?

Recommendation 1 of chapter 3: “A harmonised EU-wide access restriction to *social media and other digital services*, including AI companions, for children under 13 is necessary.

This is a report, not law, but it was commissioned by Ursula von der Leyen and “The report is intended to inform future actions to be proposed by the European Commission and EU Member States to reinforce child safety online.

Why the hell EU even needs an age verification app? Who's genius idea is this and what for?
What baffles me the most is how the EU commission constantly works in favour of US corporations in the long run. This is really strange. Something does not work in the explanations given by the EU commission. To me it looks like US lobbyists run the EU here.
loading story #48904204
{"deleted":true,"id":48903984,"parent":48903777,"time":1784019983,"type":"comment"}
loading story #48909088
I am not a fan of such an "app". But the app is, as far as I understand, for things like Facebook, TikTok etc.

Are there any other Operating Systems than iOS, Android or Android flavors?

WebOS was nice but who is still using this? Symbian? Can you even use Social Media Apps with another phone OS?

loading story #48904013
loading story #48904295
loading story #48904046
loading story #48904032
loading story #48904091
loading story #48903999