My EU age verification post triggered a long debate on lobste.rs. Here are the points I found most worth engaging with.
I’ve probably missed some, the discussion was really long, and I’ve also received feedback though other channels. I will post again if I feel there’s more to share on the topic.
Favoring the incumbents
A point I missed the first time.
In the EU design, an authority issues me an attestation that I'm of legal age; it lands in my digital wallet. When a site needs to check, the wallet generates a zero-knowledge proof that it holds the attestation, without disclosing it.
With most wallets, we assume the user protects their credential — nobody voluntarily leaks the password to a wallet holding money for example. Age verification inverts this: the user is part of the threat model. Some users, given the chance, will happily share their "over 18" attestation with a minor.
So the system can't trust the user. It has to trust the device or the wallet instead. And for the issuer to know the attestation stays locked inside, it has to control which devices (modern iOS/Android) and which wallets (those carrying a government-signed certificate) are allowed.
The bottom line, and it's not a bright one:
- In practice, let’s admit it, you'll have to use iOS or Android.
- Probably the official government wallet.
- Experimental mobile OSes are locked out of any site requiring age verification.
- Alternative OSes could qualify, but only by getting EU-certified — which often defeats the point of running one.
The silver lining: your desktop can be anything. Run a hand-compiled Linux distro on obscure hardware with a browser you built yourself — you'll just scan a QR code with your phone when age verification comes up.
How much this shifts the balance is a judgment call. For me it's a mark against the proposal, but not a fatal one.
Can I trust the official app?
The EU open-sourced the wallet. But how do I know the binary my government actually shipped matches that source — that it doesn't quietly log which sites requested verification, or hand those URLs to an intelligence agency?
The EU must address this, and not just for these wallets, but for every piece of software that becomes European digital infrastructure. I'd strongly support a directive mandating reproducible builds and signed source/build metadata. It's the only way citizens can actually trust the stack.
Standards fragmentation
Also valid. The EU has one age-verification standard, the UK another, California a third. What's a site supposed to implement? I don't have an answer.
What's built to "protect the kids" gets used on everyone later
Today it's age. Tomorrow it could be citizenship, income, or gender.
The EU says age is just one use of the wallet — the same design verifies anything. Often that's a real improvement over paper: proving you're eligible to vote, that you live in a school's catchment area, or that you qualify for a youth or senior rail fare, all while revealing less than a physical document would.
But the same machinery turns the other way just as easily: prove your religion, your ancestry, your skin color, that you've never been convicted — to access this service.
I'm uneasy about all of it. Then again, a state that wants to impose such conditions needs no privacy-preserving mechanism, and wouldn't want one. Iran, Russia, China and Afghanistan restrict access to whatever they dislike just fine without it.
Still, the concern stands.