Comment by Sweepi

1 day ago

These are the sources cited by the article:

[1] https://xcancel.com/Paul_Reviews/status/2044502938563825820

[2] https://xcancel.com/paul_reviews/status/2044723123287666921

[3] https://csa-scientist-open-letter.org/ageverif-Feb2026

> "The saga is turning into a PR disaster for Brussels."

imo: mostly because the author wants it to be a disaster.

The app has not launched; they published the source code in order to invite external review. I don't have time to check every claim, but e.g. this [see quote below] seems to be blown out of proportion to me - the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device - if an adversary has access to the internal disk of my phone, they can also just access the photo roll.

"For selfie pictures:

Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.

This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."

>The App has not launched, they published the source code in order to invite external review.

I read that from many reactions in discussions, but not from their own channels? (Maybe I missed that)

It is ready for deployment: https://commission.europa.eu/news-and-media/news/european-ag...

The message is that it is ready, 'ticks all the boxes' (the published code does not) and that it is now ready for integration by other countries. https://xcancel.com/vonderleyen/status/2044340323120193595#m

Then in the article I read that what we see now is a 'demo' version. So the code on GitHub is not the current code?

Not immediately deleting the selfie is a pretty fundamental and egregious mistake to make. People are particularly sensitive to selfies not being handled correctly after Discord lost thousands of them, despite promising to delete them after age verification occurred (and then not doing so) https://www.bbc.com/news/articles/c8jmzd972leo

The damage is limited because the selfie is only retained on device, but it still does not signal competency from the EU to fail at the most basic hurdle of disposing of the selfie once verification is complete.