ComplianceData Protection

EU Advances Mandatory Online Age Verification Despite Security Risks

Analyst 207||Source: GovInfoSecurity
Child sitting in a neutral room, looking at a tablet with a concerned expression.

As much as 12% of European children under 13 reportedly log in to Facebook or Instagram — a figure the European Commission cited as it provisionally found that Meta likely breached the Digital Services Act by failing to prevent under‑13s from accessing its services.

European Commission’s provisional finding against Meta

The commission said Wednesday that Meta "failed to diligently identify, assess and mitigate the risks of minors under 13 years old accessing their services," and that the company did not put in place measures that would "adequately prevent minors under the age of 13 from accessing their services [or] promptly identify and remove them, if they already gained access." The Digital Services Act (DSA) was described in coverage as a rulebook for large online platforms, and the commission emphasized that "terms and conditions should not be mere written statements, but rather the basis for concrete action to protect users - including children," in the words of European Commission Executive Vice President Henna Virkkunen.

At the same time the commission reiterated a boundary it has publicly drawn: a commission spokesperson told ISMG that "the DSA does not mandate specific mitigation measures." The spokesperson also said Meta could comply by adopting "stronger internal processes, resources, testing and documentation in relation to minors under 13 accessing the services" and by improving "evaluation of mitigation measures to prevent, detect and remove users under 13 that access the service."

The commission’s age‑assurance app: released, criticized, and recharacterized

To reduce identity sharing, the commission announced an official mobile app intended to let Europeans prove they are above an age limit using a national passport or ID card "without even needing to reveal their identity." The commission described the app as "technically ready" and said some EU countries were "already planning to integrate the app into their national digital identity wallets."

Rather than publishing a binary-ready product, the commission released the app's open source code for inspection. Multiple security consultants then reported that the app was easily hackable. The commission appeared to step back from its initial wording; spokesman Thomas Regnier explained: "When we say it's a final version, it's still a demo version." Virkkunen, however, told reporters the app was "now ready for member states to customize and roll out," and insisted that "member states must now establish a system of proof-of-age attestations."

Those moves follow earlier guidance: in July the commission published recommendations that age verification be "accurate, reliable, robust, non-intrusive and non-discriminatory."

Security and privacy concerns flagged by Tuta and independent testers

Security practitioners warned that mandatory age verification could become a single point of failure. Hanna Bozakov, head of marketing and press officer at Tuta, told ISMG: "When it comes to security, age verification poses a significant risk, not just for minors but for everyone. A large amount of personal data of millions of EU citizens is a gold mine for malicious attackers … malicious hackers will try everything to get hold of this data and use it for their own purposes. Phishing, scamming, hacking attacks - all of these will only get worse if EU citizens must perform age verification to use certain internet services."

The commission and its supporters note that the point of the app was to enable proof of age "without even needing to reveal their identity," and that this approach — if implemented as designed — should limit hand‑offs of personal data to third parties. But independent security reviews that found the demo app hackable make clear that those assurances depend on the robustness of the deployed model.

Lessons from Australia and the problem of circumvention

Practical experience abroad offers a cautionary note. In Australia, where the minimum age for social media use was raised to 16, research by the Molly Rose Foundation found that two‑thirds of 12‑to‑15‑year‑olds who supposedly lost their accounts still have access to at least one account. The charity attributed that persistence partly to platform inaction and partly to account circumvention by family members or use of VPNs; survey respondents were evenly split on whether the new regime made them safer online or not.

Virkkunen acknowledged the circumvention problem directly: "It's difficult, of course, to have the technological solutions that there's no way to circumvent … it's also an important part of next steps to look at [the issue] that it shouldn't be circumvented." That admission echoes the Australia finding and frames a concrete enforcement dilemma for any authority seeking higher minimum ages.

What this means for technologists, policymakers, and parents

  • Technologists and security teams: Expect to be asked to test, harden and audit age‑assurance implementations — including the commission’s open source app — and to weigh designs that avoid centralizing personal data while resisting tampering and exploitation.
  • Policymakers and regulators: The commission is actively promoting age verification and has issued a "blueprint" and interoperability encouragement, but it has not written a binding mandate; an expert panel will deliver recommendations in the summer, and member states are being urged to establish proof‑of‑age systems.
  • Parents and the public: The competing priorities of child safety and privacy are sharply visible: the commission points to widespread under‑13 access on major platforms, while research from Australia shows many young people can and will seek ways around rules, and public opinion about safety effects is divided.

The commission sits at a policy crossroads. It is pressing platforms to act — and offering a technical blueprint to do so — but has also released a demonstrator app that independent reviewers found flawed and stresses that the DSA does not prescribe a single technical cure. With an expert panel due to advise in the summer, member states considering new minimum ages, and clear evidence that circumvention and security weaknesses can undermine intent, the coming months will test whether Europe can convert a blueprint into systems that actually protect children without creating new privacy and security harms.

https://www.govinfosecurity.com/europe-gliding-toward-mandatory-online-age-verification-a-31547

Data ProtectionEmerging ThreatsEuropeGdprMetaSocial MediaPrivacy RegulationsDigital Services ActOnline Age VerificationChild Safety
Related Intelligence

Continue Reading

Multi-layered city infrastructure with payment terminal in foreground.

Fraud Prevention Strategies Target Multiple Elevation Levels

Fraudsters are constantly evolving, and a single-layer defense just won't cut it - that's why IPQS advocates for a layered approach to fraud prevention, because what may seem like a secure transaction to you might be just the tip of the iceberg to a sophisticated scammer. By monitoring at multiple levels, you can stay one step ahead of even the most cunning attackers.

Analyst 207
Government building with empty plaque, person walking away in background.

UK Information Commissioner Resigns Amid Workplace Misconduct Probe

UK Information Commissioner John Edwards has resigned amid allegations of workplace misconduct, including the use of vulgar and highly sexualized language towards staff, which he initially dismissed as misplaced humour. His resignation comes after an internal HR investigation concluded there was a case to answer, with evidence revealing a disturbing pattern of behaviour.

Analyst 207
Formal office setting with desk, chair, and out-of-focus computer.

UK Privacy Watchdog Resigns Amid Poor Judgment Admission

UK Privacy Watchdog John Edwards has resigned with immediate effect, admitting his position had become untenable after being under investigation since February. He announced his decision on LinkedIn, bringing a sudden end to a months-long probe.

Analyst 207
Laptop screen shows retail website checkout page with multiple scripts loading in the background.

New PCI DSS Rules Target Script Security on Checkout Pages

Did you know that over 100,000 sites have fallen victim to web skimming and supply-chain attacks, with Magecart-style attacks often sneaking in through third-party scripts on crowded checkout pages? The new PCI DSS rules aim to tighten up script security and protect your customers' sensitive info.

Analyst 207