Google Age Verification: Privacy & Criticism

by Priyanka Patel

EU Age Verification Platform Faces Backlash Over Google Dependency

The European Union’s efforts to establish a standardized age verification platform for digital services, including those on iOS and Android, are running into criticism due to its initial reliance on Google services for Android implementation. Concerns center on the exclusion of alternative Android distributions and potential violations of the EU’s interoperability requirements.

The first Android version of the age verification system utilizes Google’s Play Integrity API. This interface, however, is exclusively available on Android systems licensed by Google, effectively requiring users to download apps from the Play Store and possess a Google account. While developers initially characterized this as a preliminary step – “only developed for demonstrating the process” – experts argue the approach inherently disadvantages users of alternative Android versions like LineageOS and GrapheneOS.

Security researcher and GrapheneOS developer Daniel Micay, in a post on GitHub, highlighted a more robust alternative: the hardware attestation API. “This can also be used by alternative Android versions and an ‘unnecessary dependency on the Google Play services and the Google Play Integrity Services’,” Micay stated. Available on devices running Android 8 or newer with current security patches, the hardware API is also considered more secure than the software-based Play Integrity API, which is more susceptible to circumvention.

The reliance on Google is also raising broader concerns about data privacy and the concentration of power in the hands of American tech giants. Sylvia van Os, developer of the card app Catima, echoed these concerns, emphasizing the deepening “dependence on American tech giants in the age review.” Developers have also expressed reservations about requiring a Google account for open-source projects.

The EU’s stated requirements for the platform emphasize interoperability, mandating “seamless integration via various device operating systems.” Recognizing these concerns, developers have already begun adapting the documentation, removing references to the Play Integrity API and shifting focus to conformity with the OWASP MASVS (Mobile Application Security Verification Standard). However, critics maintain this is insufficient, requesting a clear stipulation that the Play Integrity API should not be used for compliant applications.

Initial testing of the age verification system is slated to begin in France, Spain, Italy, Denmark, and Greece, with each country having the flexibility to adapt the solution to its specific needs and integrate it into a national app, according to Reuters.

The ongoing adjustments signal a crucial pivot towards a more inclusive and interoperable age verification system, one that aligns with the EU’s broader digital sovereignty goals.
