
EU Age Verification: Privacy Theatre Hiding a Digital ID Pipeline

via Hacker News

Original source: EU Age Control: The trojan horse for digital IDs (discussed on Hacker News)

The EU Age Control system is marketed as a zero-knowledge privacy win, but the reference implementation tells a different story. The Digital Services Act lets platforms skip the privacy-preserving wallet entirely and use traditional KYC providers that scan full passports and run liveness checks — and most will, because integrating with 27 nascent national eID systems is far harder than running a bitmap-and-video pipeline that already works everywhere. The privacy path is technically optional and practically unfinished, with zero production apps on the official trusted list.

The shipped cryptography also diverges sharply from the marketing. The reference Android app uses ISO 18013-5 mdoc with ES256 plain signatures and salted-digest selective disclosure — not zero-knowledge proofs. A ZK library is bundled but never called in the presentation path. Unlinkability depends entirely on the wallet rotating disposable credentials rather than on cryptographic guarantees like BBS+ or CL signatures, so reuse or a misbehaving wallet collapses the privacy property immediately. The README has been quietly softened over 2025 to reframe the project as a white-label toolbox, shifting responsibility to whatever Member States ship.
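To make the salted-digest mechanism and its linkability concrete, here is an added toy model (not code from the reference app or from the article) of how an mdoc-style credential discloses one claim while hiding the rest, and why presenting the same credential twice links the two sessions. It assumes an HMAC under a constructed `ISSUER_KEY` as a stand-in for the ES256 issuer signature, and collapses mdoc namespaces and digest IDs into one sorted digest list.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key; stands in for the issuer's ES256 private key in this model.
ISSUER_KEY = b"constructed-issuer-key"


def digest(item: dict) -> str:
    """Digest of one salted claim, as it appears in the signed digest list."""
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()


def issue(claims: dict) -> dict:
    """Issuer: salt every claim, then sign only the list of digests."""
    items = {n: {"salt": secrets.token_hex(16), "value": v} for n, v in claims.items()}
    digests = sorted(digest(i) for i in items.values())
    sig = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()
    return {"items": items, "digests": digests, "sig": sig}


def present(cred: dict, disclose: list) -> dict:
    """Holder: reveal only the named claims (value plus salt) and the signed digest list."""
    return {"disclosed": {n: dict(cred["items"][n]) for n in disclose},
            "digests": cred["digests"], "sig": cred["sig"]}


def verify(pres: dict) -> bool:
    """Verifier: check the issuer signature, then that each disclosed claim hashes
    to one of the signed digests. Undisclosed claims stay hidden behind their salts."""
    expected = hmac.new(ISSUER_KEY, json.dumps(pres["digests"]).encode(), "sha256").hexdigest()
    sig_ok = hmac.compare_digest(expected, pres["sig"])
    return sig_ok and all(digest(i) in pres["digests"] for i in pres["disclosed"].values())


def linkable(p1: dict, p2: dict) -> bool:
    """Two presentations from the same credential carry the same signed digest list,
    so two colluding verifiers can link them without learning any hidden claim."""
    return p1["digests"] == p2["digests"]


if __name__ == "__main__":
    cred = issue({"age_over_18": True, "birth_date": "1990-01-01"})  # constructed sample
    p1 = present(cred, ["age_over_18"])
    p2 = present(cred, ["age_over_18"])                 # same credential reused
    p3 = present(issue({"age_over_18": True, "birth_date": "1990-01-01"}), ["age_over_18"])  # rotated
    print(verify(p1), "birth_date" in p1["disclosed"], linkable(p1, p2), linkable(p1, p3))
```

The last line prints `True False True False`: the age claim verifies, the birth date never leaves the wallet, yet reuse of one credential is trivially linkable while a freshly issued one is not, which is exactly why the privacy property rests on the wallet rotating credentials.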

The deeper lock-in is hardware attestation. Even though the code is open source, modifying a single bit breaks Google Play Integrity or Apple’s signing — meaning GrapheneOS, Linux phones, Huawei devices, and anything outside the Google/Apple blessing cannot participate. An EU sovereignty project ends up gated by two American platform vendors, with NFC passport reads and face matching paving a clean path from “prove you’re 18” to full digital ID infrastructure.


This is an AI-generated summary. Read the original for the full story.