The EU Digital Age Verification solution is based on "secure key store" and what that means to any possible future linux phones
Posted by rebellioninmypants@reddit | linux
So, as the post title implies - since the official spec for age verification protocol implementation in the EU says clearly, that a secure, anti-tampering environment is a requirement for the solution to work, the easy conclusion to reach is this will never go outside of Android and iOS.
The spec doesn't outright say "use Google Play Services", but let's be real, most Android apps implemented downstream by EU member states will just take the route of GPS APIs unless outright prohibited in the spec.
So there's multiple conclusions you can reasonably make from this:
- Linux-based smartphones are a pipe dream - no one will have the funds, patience, and reach to actually convince people that the device is compliant with the requirements, and then even if that happens, someone would actually have to write a user-facing wallet app for linux for its users to even be able to access anything meaningful on the internet - or just always carry a second phone with android on them to reverify age periodically on the other device, lmao
- The Motorola + GrapheneOS partnership is a few months too late for anyone to have any meaningful use for it. Even assuming the age and ID verifications actually launch on it without throwing "suspicious device" errors, you will still be legally required to use google play services to access the app, and, subsequently the internet. Basically defeats the purpose of getting a GrapheneOS phone in the EU
Anything non-mainstream, be it lineageOS, /e/, Graphene, linux phone, or even a dumb phone has a real potential to lock EU citizens out of taxes/healthcare/social media/communication apps, or whatever they end up deciding to apply this stuff to.
That's the result of my recent research - anyone has any counterpoints or anything else to add?
SoilMassive6850@reddit
If you would just read the spec https://ageverification.dev/av-doc-technical-specification/docs/architecture-and-technical-specifications/#42-age-verification-app
ScratchHistorical507@reddit
False. That's exactly what ARM's secure world (or whatever that second rudimentary OS in their chips is called) is there for. It's basically just a TPM. As I understand it, that would be something that could technically be handled like that online banking mockup Google showed around the release of the first Pixel generation. The OS submits the data to that second OS and through keys hard-wired to that chip the user does their input. Tampering would be basically impossible.
Also, it depends on the definition of "anti-tampering environment", technically an immutable distro should fulfill that.
rebellioninmypants@reddit (OP)
Yeah but you're thinking on a low level. The people who write this spec don't think like that and especially the individual countries will implement an app for their citizens with the least amount of effort and the most widely available approaches (Android + Google Play Integrity whatever it's called) + iOS
ScratchHistorical507@reddit
That doesn't matter though. What they specify is what counts, not what they mean. Courts can't just do wild guessing around what may or may not be meant.
And you think there can only be one app per country? I very much doubt that. In the end, it's the same argument as for the Google Play Integrity API. Technically all apps could just use that, but enough developers seem to not be too convinced by that, as otherwise it would be impossible to use e.g. any banking apps on systems other than Android and iOS. But for all I know, on both custom ROMs and e.g. SailfishOS' Android compatibility layer quite a few banking apps just work.
Tricky-Emotion@reddit
Courts do it all the time. Just look how many of the US Courts have interpreted the phrase "Shall not be infringed" written in the 2nd Amendment, then make rulings that are actually infringing.
I only bring this up to refute the quoted text. Don't flame me for pointing it out.
jimicus@reddit
They won’t have to.
Sooner or later, there will be a certification process. Those processes invariably cost quite a bit of money to get through
ScratchHistorical507@reddit
Who says there will be? The people in power on the european level won't be in power forever. And the age verification thing is likely just to be a phase. Just like the chat monitoring has never managed to get beyond a voluntary basis which now has also been abolished, it's far from unlikely that this nonsense will eventually also be stopped.
mdedetrich@reddit
This is wrong, the spec was revised many times by actual technical people, not lawmakers.
All the spec is asking for is that a system needs a secure environment/enclave. For x86 that's typically TPM, for ARM that's secure world, for Apple ARM that's secure enclave etc etc.
monocasa@reddit
Secure world on arm is basically just another address bit.
RPis for instance boot in secure world, but it provides no extra anti-tampering capabilities there.
zlice0@reddit
ya i read it as 'tpm' too =/
Annual-Advisor-7916@reddit
Maybe I'm terribly out of the loop, but why would I require google play service to access the internet? Nobody can force me to install an app, at least not with the current legislation.
rebellioninmypants@reddit (OP)
You do not know that most countries in the EU are trying to make it to where by 2027 you need to have an app that uses your national ID to allow you access to websites/apps that EU considers "inappropriate for all ages"?
Mostly people talk about social media and porn, but this can potentially affect other things like ecommerce, video games, taxes, healthcare, and so on.
Effectively if you don't connect the website with the app, you don't get access.
Annual-Advisor-7916@reddit
I'm aware of that, but it's not realistic to happen widespread imo. Government portals are already behind a special ID that doesn't require a smartphone if you don't want to, at least here in Austria. As for other sites, good luck enforcing that, the www is huge and obtaining another geolocation isn't exactly a problem either.
I'm rather relaxed regarding that, but I don't doubt either that they are after as much control as possible, so I might be too naive here.
FreddieSnoo@reddit
They're trying to enslave you and take everything from you that you love. Don't try to find a middle road. There is no safe path. If you're looking for a compromise, you don't understand what's happening. They must be utterly defeated.
Labfox-officiel@reddit
Well the internet's gonna have to split very soon
BrainTheBest50@reddit
The solution to this age verification ordeal is to go against the "scary dangerous addictive social media" and punish them, while also putting effort in making sure parents do their fucking job as parents and look over their kids. Ursula Von Der Leyen is not my mom and she should not be.
hpstg@reddit
The solution is to have a government-backed age verification service where you login with your ID, and the only thing the websites get back from it is a “yes” or “no”, regarding you being legally able to use them. That’s it.
Linux_Account@reddit
No. That is not the solution.
Reqvhio@reddit
im not super informed on these things and just here because of new age verification bill(s). and i want to think that whatever verification module these asshats throw at people, it will just be another field day for hackers in the end.
Business_Reindeer910@reddit
It is a no go if the service knows what site you're asking for access to.
burning_iceman@reddit
That's why the system does not leak any information either way. The website doesn't get to know anything except a minimum age confirmation (e.g. 18+) and the ID service does not get to know who received the age information. The ID service only knows: this user received 20 new age verification tokens.
Zeikos@reddit
It's fairly obvious this whole thing is in bad faith.
If it were in good faith it'd use a zero knowledge proof mechanism backed by govt ids.
Which I think it's fairly trivial to do.
Electronic IDs are widespread, most EU countries have a "digital identity" system.
It'd be trivial to have a system which tells the website if the configured system user is of age or not.
Also this whole thing makes no sense because many parents will buy/setup the system in their name.
AugustusLego@reddit
This is what it does tho? It just also supports EID
EmbarrassedHelp@reddit
Actually it doesn't use ZKP at the moment. And users have reported that it has code to silently fall back to less secure algorithms if ZKP fails when it's added.
AugustusLego@reddit
Link?
EmbarrassedHelp@reddit
Silently downgrades: https://github.com/eu-digital-identity-wallet/eudi-lib-ios-iso18013-data-transfer/issues/96
AugustusLego@reddit
That's an issue opened by one of the contributors to the project. I assume it will be fixed.
Wyciorek@reddit
That's pretty much what it is. The 'verification application' in the middle is to make sure your 'electronic ID app' has no idea who is asking for that proof. So it protects from having information about your identity and about sites you visit in the same place. The actual 'proof' is just a signed 'over_18=yes' created by your electronic ID app (or bank app) and passed back with the verification app as the middleman.
IntingForMarks@reddit
This whole idea is meaningless unless the whole process is open source
turin331@reddit
It is open source under the EUPL.
fellipec@reddit
It makes no sense because the goal is not to protect the children
Zeikos@reddit
I know, but it's crystal clear that this isn't about age verification.
Like even if we were to take their motivation at face value these policies don't accomplish that goal.
That was my point.
fellipec@reddit
But that is the idea. "See, it doesn't accomplish the evil things people are afraid!"
That will be slowly implemented and will be done by the version 5.0 or so.
It is similar to my country "safe phone" app. A gov app that is said to completely brick and make your phone useless if you report it as stolen. Call me paranoid, but I'll never install an app that give the government power to brick my phone, and who knows what else more it can do or will be able to do.
Wyciorek@reddit
Nice circlejerk you have going on here. Anybody actually bothered to read the spec?
IntingForMarks@reddit
I did read the spec in depth. It might be fair use or it might be complete bullshit on a paper, since it doesn't say anything at all about implementation. It's just high level requirements
MrAlagos@reddit
There is a public implementation developed in the open since July 2025.
fellipec@reddit
It doesn't matter, the spec could be all unicorns, magic and rainbows. The simple fact this exists is unacceptable.
Bringing technical details as an excuse to something that is morally wrong is stupid.
Wyciorek@reddit
So, you did not read it and you have no f*** clue what are you even talking about.
Technical discussion on r/linux? No, no, no, let's make it all about your feelings
fellipec@reddit
How is the taste of that leather, Mr. Bootlicker, the lover of government specs that shouldn't exist?
Wyciorek@reddit
Do you simply cycle through a short list of moronic slogans because you are too dumb to read and understand anything more complicated than a tweet? Early 2000s chatbots were smarter than you.
burning_iceman@reddit
A system that does only age verification via a zero knowledge proof mechanism is not about age verification? Explain how that works.
tesfabpel@reddit
https://ageverification.dev/av-doc-technical-specification/docs/architecture-and-technical-specifications/#71-zero-knowledge-proofs
Zeikos@reddit
Sweet I love some docs, thanks
DoubleOwl7777@reddit
there are two options. one which you listed, the other one doesnt require that bs. poland is doing the latter, germany the former.
EmbarrassedHelp@reddit
If it requires "verification" and isn't just a simple toggle for your age, then it's not privacy friendly.
ScratchHistorical507@reddit
What's the other option? I mean beyond just ditching that insanely intrusive age verification bs altogether.
DoubleOwl7777@reddit
i am not sure what its called anymore but its what the soon to be legacy digital id card in germany uses.
ScratchHistorical507@reddit
Ewww...nobody should ever touch that insecure garbage.
DoubleOwl7777@reddit
you prefer giving your data to fucking google instead?! its just the same concept, not the same system entirely.
ScratchHistorical507@reddit
I prefer to give my data to absolutely nobody. Either there is a good and actually secure implementation or it's not to be used, it's that easy.
That's already bad enough.
Zipdox@reddit
From what I gathered it is open source. So anyone could modify the app to run as they wish.
EmbarrassedHelp@reddit
Only the wrapper on your device is open source. The backend is closed source.
You aren't allowed to modify the app so that you can protect your privacy by generating your own tokens.
MatchingTurret@reddit
It's about the root-of-trust. That needs to be certified.
patrakov@reddit
One possible root of trust is an NFC-enabled passport. Russia already uses this solution for legally binding digital signatures as one of the options.
MatchingTurret@reddit
That has been around in different EU countries for decades. The digital wallet tries to get rid of the need of physical cards.
fellipec@reddit
You are right and this will either come to desktops and/or personal computers will be forbidden.
The freedom to compute is dying a slow death, the proverbial frog is in the hot water already.
But people will still dismiss this as fearmongering.
Reqvhio@reddit
I like this way of thinking. I'd like to see the governments try this just to see the sheer chaos xD
fellipec@reddit
They will go first after 3D printers
Reqvhio@reddit
arent 3d printers still fringe for the masses? compared to phones and computers/consoles it is a drop in the bucket
zlice0@reddit
this shits so absurd i have to be absurd back - why not just make it so you have to have a license to have kids -_- if you cant parent your kids in regards to tech i meannnnn
idontwanttofthisup@reddit
We should absolutely implement screening for wanna be parents just like we screen people who want to adopt children. A lot of people are not qualified to be parents.
MustUnderstandTrains@reddit
Would you like to be the only who sterilizes these people then?
idontwanttofthisup@reddit
Sure, let’s go!
MustUnderstandTrains@reddit
Enjoy jail when the liberals freak out over you making the world slightly better then.
nullptr777@reddit
As a child of woefully unqualified parents, who has also seen plenty of other woefully unqualified parents, I agree. Extensive mental assessment should be required. Same goes for owning pets, they're sentient creatures as well.
zlice0@reddit
i mean theyre really not but thats the way the world is. unrealistic to do, though some places have had limits and what not. but it's just a outright lie that it's for protecting kids.
IanFoxOfficial@reddit
I don't want this bullshit. Ugh.
yezu@reddit
You're on point. That's why we need push back against this whole mess of an idea.
Mean-Site1006@reddit
yup this is exactly the kind of bureaucratic nightmare that sounds good in theory but completely ignores reality. like someone sat in a room thinking "oh we just need secure verification" without understanding that it basically hands over control to the two biggest tech companies
the part about carrying second phone is so absurd but probably what will actually happen. imagine needing android device just to prove you're old enough to look at whatever website
really feels like they're creating solution to problem that doesn't exist while making actual digital freedom impossible for anyone who doesn't want to live under google's thumb
MustUnderstandTrains@reddit
Why would you assume this is a mistake and not completely on purpose.
fellipec@reddit
Is a reality already for me.
I have my daily driver phone, and my older phone stays home for banking and government apps, and I only turn it on when I need to pay bills or sign documents.
Actual__Wizard@reddit
Not kind of, it completely locks their monopoly in, and prevents all competition.
c_a1eb@reddit
Folks in the space are very aware of these issues, it's something that will take funding and tight collaboration to get done but it is something we're working on, hopefully there will be news on this soon
cybik@reddit
> with the most minimal imposition on user freedom
How about "none whatsoever"? Give me a way to use a hardware token provided by "the state" (whomstever tf that might be) and stop screwing up userspace in the name of children.
dasunt@reddit
I would not enjoy the idea of a hardware token issued by the state, due to it being provided to websites.
Seems like it makes privacy worse, not better, by allowing websites a cross-platform unique ID to track users.
cybik@reddit
It's either a hardware token and, or letting The Man into the OS.
Lesser of two evils, and I'm not happy I even WANT to have a hardware token provided to me. Hell, I have one already: my passport is NFC, and that technically counts as an identity hardware token.
dasunt@reddit
If we're going to do this (and let us not pretend that this isn't a way for major social media platforms to avoid legal liability when kids get harmed), then a zero trust solution is best.
Else it's way too easy for an oppressive government to track people. That unique ID will be turned into a tracking token by websites, and that will be easily connected to individual names, allowing data brokers to build a database of individuals browsing history.
And if you think your government will never do that, what about other governments? Imagine what a malicious government could do for pressuring politicians with that info.
c_a1eb@reddit
id much prefer that, age verification is a stupid mechanism
Kirides@reddit
That will show em!
Now mom's phone will tell its user is 40 years old and Facebook, Instagram and TikTok will just accept that.
Meanwhile, the parents hand out their phone to their child and go about their own ways.
These age verification mechanisms are bullshit. Full stop. Provide useful parental controls and ACTUALLY USE THEM! Incompetence or unwillingness doesn't protect from the law.
Raising a child is not a 5 minute thing. You need to learn how to do things you never needed to before.
UltraCynar@reddit
Has nothing to do with kids. It’s all about surveillance against citizens and data harvesting while social media companies can avoid responsibility.
btsck@reddit
Where did you get that info? The statement by von der Leyen says that it is also supposed to be accessible by a web browser. Or does it mean by a web browser on an android/ios phone?
Gugalcrom123@reddit
If you access it via a non-castrated (Android/iOS) computer, it shows you a QR code that you have to scan with Android or iOS.
habarnam@reddit
Where did you get this info from?
Gugalcrom123@reddit
The video and the https://cinema.ageverification.dev
habarnam@reddit
What in the name of LLM slop is that?
Gugalcrom123@reddit
Well, it is official EU documentation!
habarnam@reddit
In the link you posted there's absolutely zero clues that it is part of anything official... not to mention from the EU...
Gugalcrom123@reddit
The root domain is official, their repository is published there...
ScratchHistorical507@reddit
That could very well be meant. That's not really an issue.
habarnam@reddit
With all due respect but you're wrong. Jolla has been putting linux on mobile phones since 2014. And where's a phone, there's a way.
MatchingTurret@reddit
Is Jolla ETSI TS 103 732 certified?
habarnam@reddit
I have no idea. Why is that required?
MatchingTurret@reddit
Because otherwise you won't be able to run apps that rely on the device being MDSCert compliant.
habarnam@reddit
I understood the implication, but where does it say that?
MatchingTurret@reddit
Slide 25: Platform attestations
- Android key attestations
- Android Play Integrity
- iOS DeviceCheck and AppAttest
habarnam@reddit
TY 🙇️
diesal3@reddit
Secure Key Store don't mean shit when the data is also being stored unencrypted
Ok-Winner-6589@reddit
Wait when did the EU make that decision?
And using a Linux phone isn't as easy as just installing Linux on it. There is a reason for rooting android to be a less common activity nowadays
MrAlagos@reddit
This is a system that the EU Commission has developed after, in 2024, all EU members plus Norway have asked for the development of an age verification system.
The EU Commission has published the code and architecture in July 2025, and has been developing it in the open ever since. Right now it's not mandatory in any way nor is it really regulated. It's a tool that EU members can test and decide to use whenever they want, on their own terms.
Ok-Winner-6589@reddit
Fuck the EU Buddy and fuck my country as they want to implement this shit
Jarngreipr9@reddit
Why should I verify my age periodically? Can't go backwards
MrAlagos@reddit
Because the system is anonymous. It doesn't know that it is "your" age and it doesn't track you.
Willy757@reddit
Well it's reasonable to say this might prove like a barrier to a possible linux phone.
This and the entire absence of any project like that that has any kind of traction, and the other dozen standards and missing drivers that they will have to overcome before this even becomes a meaningful factor.
People already do their banking in a browser, whatever the EU does, it will work in a browser too.
benjamin-crowell@reddit
Many banks require 2FA and do not support any option for 2FA other than receiving a text via SMS. An example is fidelity.com.
Even among financial services web sites that do support some other option for 2FA, the other option may only be Symantec VIP, which is proprietary and not supported on the Linux desktop.
The basic trend here is that your phone is becoming your identity, and oligarchs and governments are going to control your phone.
TheJackiMonster@reddit
If the whole spec is public and most of the source code for the Android app for example... couldn't we just build an open-source Linux application that is not "officially approved" but still compatible with the spec? So people on Linux could at least use that.
I would much prefer an official open-source Linux client. But if the alternative is to be bound to Android or iOS, I would much rather trust a community workaround.
MatchingTurret@reddit
You are railing against mathematics. You need a Root-of-Trust.
Tiranus58@reddit
The last point is already true with /e/ without rooting the phone.