The European Union is building a single app that will ask people to prove they are old enough to use certain websites. When it was presented to the public in April, it was called ready to use, completely anonymous, and impossible to track. New documents released on 16 July 2026 by the EU department that built it tell a more careful story, and the gap between the two matters for everyone who will one day be asked to open that app.

The idea behind the app is simple, and for most people it will feel familiar. A shop assistant can ask to see identification before selling alcohol. The EU wants the same check to happen online, so that children cannot reach adult content, gambling sites, or other services meant for grown-ups. Instead of showing a full passport to every website, a person would set the app up once, using an identity document, and the app would then answer a single question for each site: is this person over 18, yes or no. Nothing else about the person is supposed to be shared.

That is the promise. The question raised by the newly released documents is whether the promise, as it was described in public, matches what the EU has actually built and written down so far.

What was requested, and what came back

The documents were released because one person asked for them. Morten Larsen, an independent IT specialist carrying out non-commercial research, used the EU's freedom-of-information rules to request internal records about the app. He registered the request on 26 April 2026 and asked for four things: any privacy impact assessment for the app, any records showing how privacy was built into its design, any documents describing how passport data and facial images are handled when someone signs up, and any internal reports on the risk of people being identified or tracked.

The department that answered is called DG CONNECT, the part of the European Commission responsible for digital technology and the body that developed the app. It identified nine documents and gave full access to all of them. The catch is that every one of those nine documents was already public. They were the general technical blueprints, discussion papers, and specification pages that anyone could already read online. Two of the nine even appear to point to the same web page.

In other words, a request for the internal paperwork behind the app produced a folder of material that was never hidden in the first place.

The missing privacy review

The single item at the heart of the request, a privacy impact assessment written specifically for this app, was not handed over. A privacy impact assessment is a formal check that organisations carry out before launching something that handles sensitive personal data. It asks what could go wrong, what data flows where, and how people are protected. For a tool that reads passports and can involve facial images, it is exactly the kind of homework the public would expect to exist.

DG CONNECT said it does not hold such an assessment. Its reasoning is that the responsibility for writing one falls on whoever eventually publishes the app to the public, and that this publisher, not DG CONNECT, is the party legally in charge of the data. Because DG CONNECT does not see itself as that party, it says no assessment is held.

Larsen's point is careful, and worth stating precisely. He does not claim DG CONNECT was necessarily obliged to write such an assessment. His concern is narrower: saying that a future publisher will be responsible does not show whether anyone actually searched for an assessment that might already exist somewhere else, such as with a contractor, a partner company, or a pilot project. Development, testing, and demonstrations already happened. Pointing to a future publisher does not explain what checks, if any, supported the confident privacy claims already made in public.

The claims and the documents side by side

This is the core of the story, and it can be judged directly against the released files.

"Ready to use"

On 15 April 2026, the President of the European Commission presented the app as technically ready. The released documents describe something less finished. They call the app a reference implementation that is not feature complete and that needs further work before it can be deployed for real. The public demonstration version is described as being for testing and illustration, not as a finished product.

The detail goes further. The design expects the app to read passports, check that documents are genuine, detect whether a real live person is present rather than a photo or mask, and compare a face to a document. Yet the specification states plainly that several of these pieces are not included in what was supplied. A service to check whether a passport or identity card is genuine is not included. A service to check that a live person is present and to match their face is not included. These jobs are left to each country or company that later builds on the toolbox. So a tool presented as ready is documented, in the EU's own words, as a starter kit whose identity checks still have to be added by someone else.

"Completely anonymous" and "cannot be tracked"

The privacy promise rested on a technology called a zero-knowledge proof. In plain terms, this is a way to prove a fact, such as being over 18, without revealing anything else, and without leaving a trail that lets different websites recognise the same person. It is a genuinely strong idea. The question is whether it is switched on.

The released files do not describe it as switched on. The app's own requirements say it should implement the zero-knowledge proof mechanism, using the word reserved for something recommended rather than required. A separate part of the specification, under a heading that reads Experimental features, says a future version will include the zero-knowledge proof solution as an experiment, based on a cryptography research paper from 2024. For now, the specification says privacy is protected in a different and weaker way: the app is handed batches of single-use passes, recommended at thirty at a time, with the time stamps on them deliberately blurred so they are harder to link.

The foundational document is even clearer. The wider technical framework for the EU's digital identity system, one of the nine released files, carries a direct note stating that discussions on zero-knowledge proofs are still ongoing and that no specific version has been chosen to be used. It explains that building this into secure phone hardware is complex and that current hardware does not yet support it. A promise of complete anonymity delivered through this technology is hard to square with an official document saying the technology has not yet been selected.

Who actually built it: a dependency on Deutsche Telekom

There is a further point that does not appear in the public headlines but sits in plain sight in the technical documents, and it concerns who built the tool. The specification that DG CONNECT released refers throughout to the group that developed the app by a short code, T-Scy. The document spells out what that stands for: the Scytáles and T-Systems Age consortium. The software Europe wants every citizen to use was not written inside the Commission. It was contracted out to two private companies.

One is Scytales AB, a Swedish digital identity firm. The other is T-Systems International GmbH, a German IT services company that is a subsidiary of Deutsche Telekom, one of the largest telecommunications operators in Europe. So a tool presented as a neutral, public, European solution rests, at the level of who wrote the code, on a private telecoms group and a private software vendor. The app is published as open-source, so the code can be inspected and reused, and that openness is real. But the reference version, and much of the expertise behind it, sits with these contractors rather than with a public institution.

Why does that matter for an ordinary person? Three reasons stand out, and none of them requires assuming bad intent.

The first is concentration. A single company being central to both the design and the working knowledge of a Europe-wide identity check gives one commercial actor a great deal of influence over infrastructure meant to be common to everyone. If its version becomes the default that member states adopt, the practical shape of age checking across the continent is influenced heavily by decisions made inside one firm.

The second is that Deutsche Telekom's involvement in digital identity runs wider than this one app, as covered in PPC Land's reporting on the EU's plan. The company's subsidiary operates a telecoms-based identity system called UTIQ, which already has arrangements with major European carriers including Orange, Telefónica, and Vodafone. A telecoms group that both helps build the public age verification tool and runs its own commercial identity network sits on more than one side of how Europeans are identified online, which is worth watching.

The third reason ties back to the privacy question already raised. The public promise is that this tool cannot track anyone and reveals nothing beyond a yes-or-no answer. Judging whether that promise holds means understanding not just the cryptography but the companies running the pieces, what data passes through their systems during sign-up, and who is accountable if something goes wrong. Knowing that the tool depends on a private telecoms giant makes the missing privacy review more important, not less.

So, is the criticism fair?

On the evidence in the documents, Larsen's factual observations hold up. The nine released items were already public. No app-specific privacy review was released. The specifications do describe an unfinished reference build, do leave the document and face checks to others, and do treat the headline privacy technology as recommended or experimental rather than switched on. Each of these can be traced to the source documents, not to opinion.

The narrower legal question stays open, and Larsen himself frames it modestly. The issue is not proof that anyone broke the law. It is that the confident public description of the app, ready, completely anonymous, impossible to track, would normally be expected to rest on written analysis, and the released material does not show that analysis, nor does it show that a proper search for it was made. The honest summary is not scandal but distance: the words used in public described a finished, private, untrackable tool, while the released files describe an unfinished one whose strongest privacy feature is, by the EU's own labelling, still an experiment.

Where the case stands now

The paperwork dispute has two tracks, and only one has closed. Because DG CONNECT missed an earlier deadline to reply, Larsen had filed a formal complaint about the delay on 18 June 2026. Once the department finally issued its decision on 16 July 2026, the Commission's Secretariat-General closed that complaint on 17 July 2026, on the basis that the late reply had replaced the earlier silence.

The argument about the documents themselves has not closed. Larsen has filed a fresh challenge, with a deadline of 10 August 2026, asking the Commission to search properly across its services, contractor records, and pilot files, to say clearly whether any privacy analysis is held anywhere, and to explain an apparent contradiction in the decision, which states both that full access was granted and that parts of some documents were withheld.

Why this matters for ordinary people

This is not a distant technical dispute. It is about a tool that, by design, is meant to reach every person in the EU across all 27 countries, and to stand between them and parts of the internet.

The first reason it matters is trust. People are being asked to point their passport or identity card at an app in order to browse. The whole reason many would accept that is the assurance that nothing is stored, nothing is shared beyond a yes-or-no answer, and nobody can follow them from site to site. If that assurance is presented as a finished fact when the underlying documents call the key privacy feature an experiment, then people are being asked to trust a guarantee that has not yet been fully built. Knowing the real state of the tool is the difference between informed consent and taking a claim on faith.

The second reason is that these systems can fail in ways that hurt real people. The exact steps the EU app leaves to others, reading a document and checking a face, are sensitive precisely because they involve biometric data. A regulator in Spain fined the identity company Yoti 950,000 euros over failures in handling biometric data and consent, with the involvement of minors treated as an aggravating factor. Elsewhere, a dating app exposed tens of thousands of identity documents and selfies that had been collected for age checks. When age verification is done badly, the material at risk is the most personal a person has.

The third reason is choice and access. A tool meant to be free, open, and usable by everyone should not quietly shut people out. The EU app drew criticism for depending on a Google system that checks whether a phone runs Google-approved software, which would block people using alternative Android systems. That tension sits directly against the same promises of openness and universal access, and it decides who can actually use the app at all.

The fourth reason is that the rules are already moving toward this tool, whether or not it is finished. The EU's approach is built on the Digital Services Act, which requires platforms reachable by children to protect younger users, as covered in PPC Land's reporting on the EU's plans for 2026. Europe's data protection authorities have set out the privacy principles that such a system is supposed to meet, favouring data kept on the person's own device, used locally, and impossible to link across services. Those principles are the yardstick. The gap between what the app was said to do and what its documents show is exactly the kind of difference that yardstick exists to catch.

None of this means the EU's goal is wrong. Protecting children online is a widely shared aim, and an anonymous age check is a serious attempt to do it without turning the internet into a place where everyone must show identification everywhere. The point is narrower and it belongs to every citizen who will be handed this app: the confidence with which it was described in public runs ahead of what the released documents can currently support, and people deserve to know that before they are asked to trust it.

Timeline

  • 11 February 2025: Europe's data protection board sets out privacy principles for age checks
  • 14 July 2025: The European Commission publishes the blueprint for the EU age verification app
  • 15 April 2026: The Commission President presents the app as technically ready, completely anonymous, and untrackable
  • 26 April 2026: Morten Larsen files a freedom-of-information request for the app's internal records
  • 21 May 2026: DG CONNECT extends its deadline to reply by 15 working days
  • 18 June 2026: Larsen files a complaint over the missing reply
  • 16 July 2026: DG CONNECT releases nine already-public documents and states it holds no privacy assessment
  • 17 July 2026: The Commission closes the complaint about the delayed reply
  • 10 August 2026: Deadline for the new challenge on the substance of the release

Summary

Who: DG CONNECT, the European Commission department that built the EU's age verification app, replying to a freedom-of-information request from independent researcher Morten Larsen.

What: The department released nine documents, all of them already public, and said it holds no privacy impact assessment written specifically for the app, arguing the future publisher is responsible for that. The released specifications describe an unfinished reference build and treat the app's headline privacy feature, a zero-knowledge proof, as recommended or experimental rather than switched on. This sits at odds with the public presentation of the app as ready, completely anonymous, and impossible to track.

When: The documents were released on 16 July 2026; a fresh challenge on the substance has a deadline of 10 August 2026.

Where: Across the European Union, where the app is intended to be offered in all 27 member countries.

Why: People will be asked to prove their age online using this tool, and their willingness to do so rests on privacy promises that the released documents do not yet fully support. The gap between the confident public description and the more cautious internal record affects the trust, safety, and access of every European who may one day be asked to use it.