EU Age Verification app integrity checks won’t depend on Google, Apple: Scytales

A controversy has erupted over a rumor that the Age Verification app in development by the EU may only allow the required age checks to be completed for apps and operating systems that are approved by U.S. tech giants Google and Apple. Scytales, which is developing the white-label app, has responded to the concerns with reassurance that other methods of ensuring integrity will be available.

The EU Digital Identity Wallet initiative’s expansion into age assurance was met with a mix of incredulity and skepticism at the Global Age Assurance Standards Summit in Amsterdam earlier this year. Attendees from among age assurance providers suggested that public money could be better spent addressing a problem that was not already addressed by products in the market. The threat of age assurance becoming a mechanism for market capture by tech giants like Meta and Google was also a popular topic of discussion.

Those fears came to a head this week when a Reddit user pointed out that the Github repository for the EU’s white label app’s source code includes a disclaimer that appears to make owning a Google account necessary to use it, and give the company say over whether any app on an Android phone can be used.

The disclaimer says that the current Age Verification (AV) Android Implementation is only intended to deliver basic functionality. But future versions will include “App and device verification based on Google Play Integrity API and Apple App Attestation.”

The problem with this approach is that it means any app would have to be downloaded from the Play Store, by a person with a Google account, and running on an OS licensed by Google. This means anyone running GrapheneOS, for example, would be effectively unable to use any app requiring an age check in Europe.

Scytales responds

The issue was flagged by the community, and though no response was posted in one of the Github threads dedicated to the issue, it did catch the attention of the app’s developers.

The panic is premature, Scytales Co-founder and Chief Communications Officer Anna Seddigh tells Dutch tech news site Tweakers.

“The app must be able to verify the device and that can be done in various ways. This is a white label app, so apps based on it can verify the device in multiple ways,” Seddigh explains, as machine-translated. “The Play Integrity API is one of them.”

Key attestation will also likely be supported, according to Seddigh. She points out that the code is still in development, and responding to community input is part of the process.

Indies have integrity too

The issue may be resolved for the EU’s Age Verification app, but the general problem of how to ensure app integrity without relying on the dominant OS providers has cropped up elsewhere.

Commenters on Reddit noted similar issues with Denmark’s MitID and Norway’s BankID. The digital ID’s work only with Android or iOS unless the user employs a physical authenticator device.

Apps that are independent of the U.S. OS duopoly’s official distribution channels should still be available to people in the EU after age check requirements take force, but there are clearly broader challenges around ensuring the integrity of devices and apps without forcing everyone to rely on the mobile ecosystem’s dominant players.

Article Topics

age verification  |  digital ID  |  EU  |  EU age verification  |  EU Digital Identity Wallet  |  mobile app  |  Scytáles