EU age verification app not planning desktop support
85 comments
·September 24, 2025bilekas
j0057
> Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.
This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.
qiine
This read more like "we thought pc was a dead relic of the past" sadly
sjw987
To me it reads that, since many people already believe this is more about tracking than safety, they are focusing on a device which is the perfect surveillance system, and which conveniently already accounts for 7+ hours of many peoples daily computer/internet interaction.
A desktop computer doesn't necessarily have a microphone or camera, and doesn't necessarily have to be connected to the internet. I'd wager most crime, including that which affects children is done on "disconnected devices" in this sense.
amelius
I think it's more that smartphones have built in security measures that prevent hacking. It already works for bank apps, so why not use it for government stuff too?
It sucks, yes, but that's probably how these people think.
dathinab
but if age verification is used for what it claims it is such hacking protections are not only unnecessary but fundamentally harmful (i.e. if a child hacks their PC it's fine if they circumvent age verification, the main responsibility still lies with parents and as such tools like parent controls are much more relevant)
the main reason is that this is not a reference implementations or "this is the app everyone must use" case but a "to see what is technical possible/practical" "research/POV" project
this also makes the "EU age verification app" title quite misleading
littlestymaar
> I think it's more that smartphones have built in security measures that prevent hacking.
Which is a joke when you know that most phones in the wild are using an obsolete OS version (most of the time due to lack of software support from the manufacturer, but sometimes because people just refuse to update because updates are in fact downgrades — looking at you iOS).
Luker88
> oes that mean we will see a return of the 'desktop applications'...?
No. It's still required by law, which means that your desktop application will require some interaction with your smartphone.
cenamus
Further forcing everybody to have their phone on person at all times
nehal3m
And as a prerequisite enforcing dependency on titanic (and in my case foreign) tech companies that are free to unilaterally ban you from communicating with your government. This is a BAD idea.
jeroenhd
Depending on the implementation, you can run the app on your computer. I don't see why the iOS app wouldn't work on macOS, and there are tons of tools to run Android apps on Windows and Linux.
If the actual implementations do copy the dependency on Play Integrity and other such APIs, that does become a problem (getting past that is a major annoyance on amd64 computers because there are so few real amd64 Android devices that can be spoofed).
However, the law regarding these apps specifically states that the use of this app must be optional. I'm not sure websites and services will implement other solutions, but in theory you should not need a phone unless you want the convenience and privacy factor of app verification. I expect alternatives (such as 1 cent payments with credit cards in your name) to stick around, at least until we get a better idea about how this thing will work out in practice.
pessimizer
I've been saying this for years: eventually not having your phone on you and powered up at all times will not be a crime, but it will be grounds for questioning and search.
One day, there will be a knock on your door.
"Good morning, this is the police. Is there something wrong with your phone? Is your phone broken? Can we provide you with a charge?"
"No, I must have turned it off accidentally."
"Can we assist you with an upgrade? The newer models don't have power buttons."
izacus
My EU country allows tapping the ID card on a NFC reader on PC for verification. No smartphone needed for desktop use.
Why wouldn't that be sufficient?
201984
Most PCs don't have NFC readers.
Aaargh20318
The wallet app can be started using a QR code. You can then finish the verification on your phone and continue on the desktop website/app/whatever.
hellojesus
What if you don't have a phone? Or what if your phone runs a custom rom and can't pass google's attlestation?
snickerdoodle14
How can I do this when I don't have a phone?
mrtksn
App not available doesn't mean age verification not required. You can be required to confirm your account from your mobile phone or scan some QR code on mobile that will take you to age verification session and once completed you can continue from the desktop.
I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
Levitz
>I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
That only works in a world in which the government provides speedometers, which restrict the vehicle automatically, and in this case they refuse to provide them at all for blue cars.
whatevaa
So a loss of mobile phone will mean loss of everything? Maybe we should just kill people if they lose a portable mobile device which can just stop working by itself? I fully expect there to be some idiotic scenarios where to get x, you need to already have x.
zelphirkalt
Be as much work as possible in all places, where the default option is to do something with your mobile phone. If enough people do that, then the alternative to using your phone will need to have good process, so that it is not holding up everyone else.
If something doesn't work without your phone, report it being broken. If they tell you to use your phone, tell them you don't have one. If possible, leave their service, if they don't care.
We have to make it their issue as much as possible, when they try to push their shit onto us.
Surprisingly often there is a workable alternative to using ones smart phone. We have to make use of those as much as possible, so that the cost for them to get rid of those options will be high and they think twice before doing that and offending us.
mrtksn
Why would loss of a mobile phone be that dramatic? Go buy a new one? Having the equipment in something that requires an equipment is pretty reasonable when the price range is within the reach of everybody.
baq
This is hardware attestation in a nutshell: a double edged sword, and a sharp one at that.
The biggest issue is that the attestation hardware and the application client is the same device with the same manufacturer, who also happens to have a slight conflict of interest between monetizing customers and preserving any sort of privacy.
IMHO the pro-attestation forces are so overwhelming that we should all cherish the moment while we have anything open left.
disruptiveink
The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and ran by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".
This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, force citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbitrates of who is a valid person or not.
This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.
jeroenhd
The app this discussion is about is a reference implementation that is part of a long-term process for building a digital identity app. Specifically, this discussion is about the age verification part of the app, which is the first part expected to be finished but is also only a small part of a much wider ideal.
Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.
ronsor
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because the EU doesn't actually care about privacy, otherwise they wouldn't be trying to do this and ChatControl. They care about being the main ones to spy on you, and maybe using fines as additional "taxes" on rich foreign companies. That's it.
IlikeKitties
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because this is being pushed by lobbyists to use hardware attestation to make it piratically mandatory for every citizen in the EU to be registered to either Apple or Google with a real id for all non-trivial online interactions at all times. The people behind this push neither have the technical knowledge nor care in the slightest that this is the consequence.
brookst
How does private access token (PAT) compromise privacy in the name of monetization?
qiine
This could be a boon to all sorts of new kind of hardware though (wishful-thinking mode)
dvdkon
I finally took a look at the DSA, and it only mentions anything relevant to age verification in three places:
- Recital 71, which vaguely suggests minors' privacy and security should be extra-protected, but says that services shouldn't process extra personal data to identify them.
- Article 28, which says that platforms should provide a high level of "privacy, safety, and security of minors", again without processing extra personal data to identify them. It also says that the Commision may "issue guidelines", but says nothing suggesting age verification should be implemented.
- Article 35, which says that "large online platforms" should maybe implement age verification.
Furthermore, recital 57 says that the regulations for online platforms shouldn't apply to micro/small enterprises (which has a definition somewhere). All together, I don't see anything suggesting that anyone but the largest online services is being forced to implement age verification right now.
Judging by various posts by the Commision I've seen online, they're certainly pushing for the situation to be seen this way, but de iure, that's currently not happening.
EDIT: I found the guidelines mentioned [0], and a nice commentary on the age verification parts [1].
[0]: https://digital-strategy.ec.europa.eu/en/library/commission-... [1]: https://dsa-observatory.eu/2025/07/31/do-the-dsa-guidelines-...
jeroenhd
The digital identity wallet isn't part of the DSA; it is part of an effort to bring identity to your phone, basically: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
If implemented according to plan, things like ID cards, drivers' licenses, diplomas, train tickets, and even payment control can be handled within such apps entirely digitally. Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
A healthy dose of cynicism would make clear that the moment such optional infrastructure is rolled out, new legislation can be drafted to "save on expenses" by enforcing this digital model and "protect the kids/fight the terrorists" by forcing age verification on more businesses.
dvdkon
Yes, but this isn't part of the digital wallet project. As I understand it, the Commision was so impatient with age-verification that they commissioned this project separately, because they didn't want to wait for the full solution, hence it being called a "mini-ID wallet".
I'm certainly not against vigilance and making sure no new laws mandating the use of either this or the full digital wallet sneak through, but my point is that, despite the Commision's misleading public stance, age verification is (mostly) not mandatory today.
jeroenhd
That's true, but as this is only a small part of the larger project, it's also targeting a very specific part of legislation.
The README for the age verification spec specifically calls out article 28 of the DSA and the Louvain-la-Neuve Declaration. Neither is aiming to be the mandated age verification mechanism for every single website, but rather a specific tool to solve a specific problem: age limits on social media and big tech websites.
If, or, seeing Denmark's recent bullshit: when, we do get mandatory age requirements, it'll be part of new legislation that will likely take years to go into effect, and, seeing how long it took websites to comply with the GDPR, will start affecting most websites even later. This isn't the doomsday law that I would've expected to come from the US if they were to write something like this, and using privacy-first cryptography does give me some faint hope that this isn't just a big performance to hide malicious intent. This could've been as bad as eIDAS 2.0 with the QACs and other unreasonable technical requirements.
zelphirkalt
Well, in the end there may only be one thing left we can collectively do, but which we surely won't collectively do, because too many of us are way too comfortable to accept any discomforts: We can avoid using services implementing shit, so that any business that singles out desktop users or disadvantages them, doesn't have much of a customer base. Voting with out feet.
I have very little hope, that the common user will make use of their own agency avoiding a dystopia, or even think about issues associated with their behavior. We can see this everywhere even today. The majority of people are clueless and just accept whatever bone is thrown their way. Need to buy a new phone every year now? OK. Pressured to accept digital surveillance by not even state agencies but private profit oriented companies, that want to sell your data or use it for nefarious purposes? OK. Giving all your communication data to big tech? OK. ... It is all just a big "auto-accept any digital rape" for most people, as they don't even want to think about the technical implications and implications for society. It's all so far above their technological understanding, that they just exit the bus, when it comes to discussing these things. That is the problem we face. How to make the normal person aware and interested in their own digital rights.
Fizzadar
[delayed]
bandrami
I think this ship has sailed; I'm in India and I literally can't spend money without a phone.
EE84M3i
I think the title "EU age verification app not planning desktop support" is misleading because it gives the impression that there will be no way to support EU age verification on the desktop.
This is addressed in the comments:
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
So I think a better title might be "EU age verification example app not planning desktop support"
(don't get me wrong, I'm not a fan of how this is implemented, but it's important to be accurate in our critique)
emigre
This is outrageous and doesn't make sense
throw834920
It makes total sense. The whole point is to punish self-respecting people who use freedom preserving operating systems and treat them as second class citizens.
nicce
Depends on whom you ask. Google introducing the developer verification and sideloading on iOS being even bigger hurdle, they want to stay in control on what you use and they want to make sure you don't have possibility to use anything they explicitly permit. Normal desktop is unfortunately too open for that. Discourage people to use desktops and make rely on controlled gardens even more.
mrtksn
Tangentially, I would love to be able to see the age of everyone on the internet. IRL this gives us so much context when having an interaction.
HK-NC
Further tangent, I'm not big on digital ID and stuff overall but then I'll play an online game with cheaters and wonder if it's not the solution to things like this. Lifetime cross platform online game bans tied to your real life ID which you need to sign into this new all encompassing anticheat.
mrtksn
I don't think that anything should be as harsh ever but yes, having a reputation that goes everywhere with you is how we deal with problematic people in real life. That's how we stay civil without AI systems constantly scan us or some type of police constantly watching. Also, we tend to tolerate, forgive and eventually forget when someones behavior improves, so... Maybe actually having a continuous persona can help with the nihilistic tendencies too?
nickslaughter02
Do you want desktop PC vendors locking down hardware to enforce integrity?
pjmlp
Want do you think Windows 11, latest macOS, ChromeOS hardware requirements are all about?
CoPilot+ PCs even require the same security chip as XBox and Azure Sphere IoT board (Pluton), in addition to TPM 2.0.
https://learn.microsoft.com/en-us/windows/security/hardware-...
hhh
Well, yeah. There’s no way to curb the modern cheating epidemic without increasing security measures. Riot Games via Valorant truly pushed the industry so far ahead by reducing their cheating percentages so low that the cost to cheat for more than a few weeks at a time is thousands of dollars a month.
It’s not the sole reason, but it’s a solid one.
realusername
They have some other secret sauce for sure, there's tons of cheaters on console which is a vastly more locked down platform compared to pc.
realusername
I don't want integrity on my mobile so why would I want it on my desktop?
jampekka
This is insane. USA is already pushing sanctions against Europeans via US companies (e.g. Microsoft revoking ICC accounts), and now they are about to tie basic functioning in the society to two US megacorporations. At the very least this will solidify the duopoly.
At this point I don't find it impossible that critics or other "enemies" of US (or Israel) in Europe will get their phones bricked as sanctions, and as a result become second class citizens.
I don't even see the necessity for having hardware attestation. We've had for decades online ID systems that can you can run on any device with an internet connection.
But think of the children, right?
amelius
Something tells me the granny on the bus can verify her age by going to the local service desk.
jeroenhd
My experience with digitalisation is that the optional physical service desks quickly start disappearing once the younger generations start using digital equivalents.
Card payments and digital banking have closed most bank offices outside the larger cities. Mail dropoff boxes are slowly dying out. Paper bank invoices now cost extra (an unreasonable amount extra).
Granny may be able to verify her age, but the service desk won't necessarily be local.
snickerdoodle14
[dead]
lousken
what if i were to buy a linux phone? it's not even about desktop support, it's about supporting iOS or android and nothing else which is really bad
This is a great example of how this whole requirement hasn't been properly thought out.
> Desktop support is not currently within the project's scope.
What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?
One can dream perhaps. Until then adults who are willing to 'do what they're told' will be the ones who are inconvenienced by this constantly.
Edit: Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.