The EU’s new age verification app, set to act as a ‘porn passport’ to access online porn in EU member states, has reportedly been found to have serious security and privacy problems, almost immediately after the EU declared that it was “ready”.
The app hasn’t officially been rolled out yet, but last week (beginning April 13, 2026) the European Commission said it was ready for implementation. The system works by having users submit official ID or bank information to prove their age before accessing age-restricted adult content: passport scans, bank credentials, selfies, the whole uncomfortable suite of data you’d rather not hand over in exchange for watching porn.
Cybersecurity experts dug into the app’s source code on GitHub as soon as it was released online last week, and quickly claimed that there were serious problems with it. French white hat hacker Baptiste Robert told Politico that the app’s biometric authentication features could be bypassed.
Security consultant Paul Moore said that images used for age verification in the app, which could include pictures of passport pages, were written to disk without encryption and not deleted correctly.
Moore added that selfies taken on a phone for age verification on the app remain on the phone, unencrypted. He said: “You can encrypt data taken from it until you’re blue in the face… leaving the original image on disk is crazy and unnecessary.”
He also said that if biometric age verification processes fail on the app, the image used for the verification remains on its original device, in cache, without encryption. In scenarios like this, the user may not be aware that the images they submitted are being stored on their device.
What followed was a flurry of contradictory Commission messaging. One spokesperson stood by the “ready” claim, while another described it as “still a demo version.” These are obviously not compatible positions.
One European Commission spokesperson said that “the code will be constantly updated and improved… I cannot today exclude or prejudge if further updates will be required or not.” A spokesperson also said that the app’s vulnerability had been “fixed”.
The security findings were a bad start for a system already under scrutiny for privacy and civil liberties concerns, and they fit a depressingly familiar pattern. As SEXTECHGUIDE covered when Discord’s age verification system exposed 70,000 government IDs, third-party identity infrastructure becomes a high-value target the moment it’s mandated at scale. The Commission presenting an unencrypted, biometrically-bypassable demo as production-ready suggests the gap between regulatory ambition and implementation reality hasn’t narrowed much.
The prospect of passport scans, bank credentials, and selfies being harvested at scale for porn access purposes has unsurprisingly alarmed privacy campaigners, and raised the obvious question of what happens when that database gets breached.
People have pointed out that VPNs may easily allow porn site access from within the EU without app verification, by simply selecting a non-EU country on your device’s VPN.
The app was built by Swedish digital identity company Scytáles and Deutsche Telekom, the partially state-owned German telecoms giant. It is set to be integrated into the European Identity Wallet (EUDI), a new form of digital ID that’s set to launch for EU member states.
Porn sites will be able to direct users to use the app to verify they are adults, although this won’t count as device-level verification. Porn sites would still be legally responsible for preventing minors from accessing their content and ensuring that age verification was being implemented properly.
Aylo has said that its porn sites, which include Pornhub and Redtube, will take part in the app’s pilot project. The porn site company has been lobbying governments and tech firms to focus on device-level age verification rather than making it the responsibility of sites.
European Commission President Ursula von der Leyen said the app will be available soon, though no firm launch date has been announced. Given the week it just had, that vagueness may be the most sensible decision the Commission has made throughout this process.




