The European age verification system raises concerns

Europe rubbed its hands when unveiling a new control tool, presented as a simple web health belt. On paper, the mechanism protects minors, reassures parents, and gives platforms a clear rule to apply. In the tech corridors, however, several glances are already hardening in front of this regulatory toy with a polite new look. And when Pavel Durov gets involved, the debate swiftly leaves the digital daycare to enter the field of suspicion.

Beneath the protective varnish, Europe advances a very sensitive tool

At first glance, Brussels sells an almost surgical technology. Ursula von der Leyen promises an “entirely anonymous” app, open source, and supposed to work on any device. In her message on X, she assures that the tool ticks all the boxes, including maximum privacy, ease of use, and some of the highest standards.

Officially, the mechanism must allow tech platforms to verify that a user is over 18 without swallowing their full identity.

The device, presented in July 2025 then declared technically ready on April 15, 2026, already fits into a broader logic. The Commission wants to facilitate applying its rules and push platforms to stop their excuses.

Yet, a contextual note attached to von der Leyen’s message already challenges the scene: the app would only work on Android and iOS, with Google or Apple accounts, without computers or degoogled systems, according to X readers that day.

The tech promise cracks when the code speaks

Then tech started to speak without a costume. Security consultant Paul Moore claims to have bypassed the app in under two minutes. His audit describes an encrypted PIN then stored in shared_prefs, a missing cryptographic link with the identity vault, a resettable rate limiting, and biometrics disabled by a simple boolean variable. In other words, the lock would be painted steel but screwed into cardboard.

The political promise then finds itself suspended to a contested architecture. The tool was supposed to reassure the tech sphere and provide a simple basis for platforms. It suddenly becomes a brutal demonstration: a system touted as robust can be bypassed with little difficulty.

Moore even issued this warning: “This product will, one day, be the catalyst for a massive breach. It’s only a question of time“.

And there, Brussels loses the luxury of slogans: the technology no longer protects its narrative, it exposes it to the public eye.

Durov already sees the slippery slope of control

Finally, Pavel Durov pushes the debate beyond the tech failure. On X then on Telegram, Durov describes a three-step mechanism: sell a privacy-respecting app, let hacking happen, then remove privacy in the name of repair. For the Toncoin issuer, the problem goes beyond the bug and touches the logic of power.

This reading directly clashes with the Brussels version. Where the EU speaks of protecting minors, Durov sees a stepping stone towards social network identity verification and not a decentralized verification. Where the Commission promises user data control, Telegram suspects a slippery slope towards the tech surveillance infrastructure in Europe.

Durov writes it black on white:

Step 1: offer a privacy-respecting but hackable solution. Step 2: get hacked. Step 3: remove privacy to fix it. Result: a surveillance tool sold as privacy-respecting. 

Useful benchmarks before deployment

• The app was first presented in July 2025 by the European Commission;
• Ursula von der Leyen said it was technically ready on April 15, 2026;
• Paul Moore claims to have bypassed the system in under two minutes;
• Several countries have already tested this device before a wider deployment;
• The price of TON was around 1.40 dollars during this political sequence.

This warning hardly surprises Pavel Durov. As early as February, he was already attacking the Spanish age verification project in the name of anonymity. Today, the topic returns to Europe: protect minors, yes, without creating a digital social passport.