EU Age Verification App Proposal Forces Android or iOS Use

EU Age Verification App Proposal Forces Android or iOS Use

TL;DR

The European Commission’s draft age‑verification framework references a reference implementation that uses Google Play Integrity API and Apple App Attestation, meaning only Android (with Google services) or iOS devices could comply. Critics argue this creates a de‑facto mandate for two US‑owned platforms, threatens privacy, excludes alternative OSes, and raises broader concerns about digital sovereignty.


What the proposal actually says

  • The technical specification in the EU Digital Identity Wallet repository lists "App and device verification based on Google Play Integrity API and Apple App Attestation" as the reference method for age verification.
  • No alternative verification mechanisms (e.g., open‑source attestation, hardware‑based TPM, or EU‑hosted services) are mentioned.
  • The repository contains only specifications and a reference implementation; it is not a production‑ready consumer app.

"The specification does not prohibit other methods, but the current reference implementation only supports Google and Apple services." – discussion comment

Why this matters

  • Platform lock‑in: To pass the verification, a device must run either Android with Google Play Services or iOS with Apple’s attestation. Any device using AOSP forks, custom ROMs, or alternative OSes (e.g., Ubuntu Touch, KaiOS) would be unable to comply.
  • Privacy implications: Both Google and Apple would receive attestation data for every user who verifies their age, effectively giving US corporations a new data source about EU citizens.
  • Digital sovereignty: The EU’s stated goal of reducing reliance on US cloud infrastructure is undermined when the only viable client platforms are US‑owned.
  • Accessibility concerns: Elderly, disabled, or low‑tech users who cannot operate a modern smartphone would be excluded, contravening EU accessibility standards.

Community reactions

Privacy‑first argument

"I would prefer a government‑issued app that protects privacy rather than handing biometric data to a sketchy American business." – skrebbel

  • Some users see a government‑run solution as potentially more privacy‑respectful than current commercial practices (e.g., Roblox’s biometric verification).

Sovereignty criticism

"The EU talks about digital sovereignty but ignores the mobile layer; there is no funding for Linux phones or alternative firmware." – blop

  • Commentators note that while EU institutions are pushing backend services off US clouds, they are ignoring the client side, leaving the market dominated by Google and Apple.

Consent and coercion concerns

"We didn’t consent to being forced onto a specific platform; the real issue is why this is being pushed on everyone." – gobip

  • The mandatory nature of the verification is seen as a violation of user autonomy.

Technical feasibility doubts

"Play Integrity also requires a Google account logged in on the phone, adding another layer of data collection." – g‑b‑r

  • The reliance on proprietary APIs raises questions about openness, auditability, and long‑term viability.

Legal nuance

"The specification does not prohibit other methods; it merely provides a reference implementation. Saying it ‘forces’ Android/iOS is a mischaracterisation." – perching_aix

  • Some commenters point out that the repository’s README does not explicitly forbid alternative solutions, though the current guidance heavily favors the two major platforms.

Potential broader impacts

  1. Market distortion – Developers may be compelled to target only Google/Apple ecosystems, marginalising open‑source mobile platforms.
  2. Data centralisation – Every verified user’s attestation data would flow through US‑based services, creating a new vector for cross‑border data extraction.
  3. Precedent for future regulation – If accepted, similar mandates could be extended to other domains (e.g., digital IDs, health records), further entrenching platform lock‑in.
  4. Accessibility backlash – Excluding users who cannot or will not use smartphones could trigger legal challenges under EU accessibility and anti‑discrimination laws.

What alternatives could look like

  • EU‑hosted attestation service using open standards (e.g., WebAuthn, TPM‑based attestation) that any device can call.
  • Multi‑modal verification allowing paper‑based or in‑person verification for those unable to use smartphones.
  • Open‑source client libraries that can be integrated into any OS, avoiding dependence on proprietary APIs.

Conclusion

The EU’s draft age‑verification framework, by leaning on Google Play Integrity and Apple App Attestation, effectively forces compliance onto two US‑controlled mobile platforms. While the specification itself is a reference and not a law, the practical outcome would be a de‑facto mandate that undermines EU digital sovereignty, raises privacy concerns, and excludes alternative operating systems and vulnerable user groups. Robust, platform‑agnostic alternatives are needed to align the policy with the EU’s broader goals of privacy, accessibility, and technological independence.

Sources