EU Age Verification App Exposed: Raw Biometrics and State Data Streamed to Unknown Servers
The EU Age Verification app is reportedly flawed: according to security analysts, it writes raw, unencrypted source images, both the NFC-read biometrics and the selfie, directly to disk, violating GDPR requirements for special category data.
Contributors point to systemic weaknesses. Paul Moore flagged that the PIN encryption is not tied to the identity vault and that the biometric steps can be bypassed trivially by manipulating the shared_prefs file. Moore further detailed how the Android app's logic can be ported to a Chrome extension that generates identical payloads, sidestepping the required biometric handoff entirely. Another source noted that the vendor Persona exposes deep surveillance capabilities, matching faces against lists of politically exposed persons (PEPs) and tracking adverse media.
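The shared_prefs finding comes down to one design question: is the app's "verified" state something the app merely reads back from a file it wrote, or something it can cryptographically check? The following added example (constructed for this summary; it is not code from the EU app, from Persona, or from any of the contributors) contrasts the two. The naive store is a plain key/value file, which is what shared_prefs amounts to, so any edit to it is simply trusted. The bound store authenticates the record with a key derived from the user's PIN and a salt held in a hypothetical vault, so an edited file fails verification and a wrong PIN cannot unlock it. Names such as derive_vault_key and the PBKDF2 parameters are assumptions for illustration only.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# --- Naive store: mirrors what an unauthenticated shared_prefs file gives you ---

def naive_store_write(state: dict) -> bytes:
    """Persist the state as plain JSON. Nothing binds it to the user or the vault."""
    return json.dumps(state).encode()

def naive_store_read(blob: bytes) -> dict:
    """Read the state back, trusting whatever is in the file."""
    return json.loads(blob)

# --- Bound store: record is authenticated under a PIN-derived vault key ---

def derive_vault_key(pin: str, salt: bytes) -> bytes:
    """Hypothetical vault key derivation. A production app would use Argon2/scrypt
    and keep the resulting key in hardware-backed storage; PBKDF2 is used here
    only so the example runs with the standard library."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=32)

def _canonical(state: dict) -> bytes:
    # Canonical serialization so the MAC does not depend on key order or whitespace.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def bound_store_write(state: dict, vault_key: bytes) -> bytes:
    """Persist the state together with an HMAC tag computed under the vault key."""
    tag = hmac.new(vault_key, _canonical(state), "sha256").hexdigest()
    return json.dumps({"state": state, "tag": tag}).encode()

def bound_store_read(blob: bytes, vault_key: bytes) -> Optional[dict]:
    """Return the state only if its tag verifies under the vault key; None otherwise."""
    try:
        env = json.loads(blob)
        expected = hmac.new(vault_key, _canonical(env["state"]), "sha256").hexdigest()
        if not hmac.compare_digest(expected, env["tag"]):
            return None
        return env["state"]
    except (ValueError, KeyError, TypeError):
        return None

def edit_file(blob: bytes, **changes) -> bytes:
    """Simulate an edit of the on-disk file made outside the app (constructed test input)."""
    doc = json.loads(blob)
    target = doc["state"] if "state" in doc else doc
    target.update(changes)
    return json.dumps(doc).encode()

def demo() -> dict:
    """Run both stores against the same file edit and report what each accepts."""
    initial = {"biometric_passed": False, "failed_attempts": 5}
    forged = {"biometric_passed": True, "failed_attempts": 0}

    # Naive: flipping the flag and resetting the attempt counter is accepted as-is.
    naive_after = naive_store_read(edit_file(naive_store_write(initial), **forged))

    # Bound: the same edit breaks the tag; the genuine file still verifies;
    # a different PIN derives a different key and cannot read the record at all.
    salt = secrets.token_bytes(16)          # constructed; would live in the vault
    key = derive_vault_key("1234", salt)    # constructed PIN for the example
    bound_blob = bound_store_write(initial, key)
    bound_after = bound_store_read(edit_file(bound_blob, **forged), key)
    bound_genuine = bound_store_read(bound_blob, key)
    wrong_pin = bound_store_read(bound_blob, derive_vault_key("0000", salt))

    return {
        "naive_accepts_edit": naive_after == forged,
        "bound_rejects_edit": bound_after is None,
        "bound_accepts_genuine": bound_genuine == initial,
        "wrong_pin_rejected": wrong_pin is None,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The tag makes the file tamper-evident, not confidential, and it only helps if the app re-verifies on every read and the key never sits beside the file it protects; an attempt counter kept this way also needs to be rewritten (and re-tagged) on each failure, or the rate limit collapses back to a plain number in a file.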
The overwhelming technical consensus views mandatory age verification as a mechanism for creating massive, permanent data honeypots: because it centralizes irreplaceable biometric and government ID data, the inherent risk of a breach makes the system fundamentally flawed regardless of its stated privacy standards.
Key Points
Raw, unencrypted biometric images are written to disk by the EU Age Verification app.
An analyst on infosec.pub noted that this violates GDPR principles for special category data.
The EU Age Verification app is susceptible to basic technical bypasses.
Paul Moore pointed out that manipulating the shared_prefs file can bypass rate limiting and biometric checks.
Age verification systems force the centralization of immutable personal data.
allende2001 argues that this creates a permanent privacy risk once a breach, which they regard as inevitable, occurs.
The vendor Persona demonstrates surveillance infrastructure targeting sensitive data.
allende2001 reported that Persona exposed 2,456 files showing face matching against PEPs and adverse media tracking.
Source Discussions (3)
This report was synthesized from the following Lemmy discussions, ranked by community score.