A pointed critique on GitHub has ignited debate over the European Union’s age verification technical specifications. The issue, raised in the eu-digital-identity-wallet/av-doc-technical-specification repository, asserts that the EU digital ID wallet fails to deliver the privacy protections it promises. Developers and cryptographers question whether selective disclosure and unlinkability hold up under real-world scrutiny. Boom. The wallet aims to let users prove they’re over 18 without revealing full identity details, tying into eIDAS 2.0 mandates for safer online spaces. But skeptics argue the implementation invites tracking across verifications.
The controversy centers on zero-knowledge proofs—or their absence. The spec relies on protocols like ISO 18013-5 for mobile driver’s licenses, claiming privacy through selective attribute release. Critics counter that without true zero-knowledge mechanisms, relying parties could correlate proofs via metadata or device fingerprints. “The EU digital ID wallet can’t deliver the privacy properties it claims,” the issue opener states bluntly, linking to a detailed breakdown. No responses yet from maintainers. Silence speaks volumes.
This isn’t isolated. The repository outlines an age verification solution to support the Digital Services Act’s minor protections, bridging until full EUDI wallets launch by December 2026, as per European Commission guidance. It includes operational specs for attestations, security profiles, and even experimental ZKPs in Annex B. Yet the flagship reference app falters. Recent tests revealed plaintext PIN storage and bypasses in minutes, per a comment in the same thread. Hardware-backed crypto? Mandated, but enforcement lags.
And here’s the rub. Member states race toward compliance. Ireland tests its wallet publicly; Denmark opens sandboxes, according to an eID Easy status report from April 6, 2026. Bulgaria, Finland, Italy, and the Netherlands share developer repos now. Progress. But rushed specs risk flaws. The Architecture and Reference Framework hit v2.8.0 recently, detailing PID issuance and attribute catalogues in technical specs. ETSI standards like TS 119 472 underpin electronic attestations of attributes—EAAs for diplomas, licenses, age proofs.
Privacy hinges on selective disclosure. Users share only needed attributes, like “over 18,” via cryptographic proofs. Sounds solid. But GitHub posters highlight gaps: mDoc lacks full unlinkability; SD-JWT alternatives ignored. One X post amplified the issue, calling it a “technical + political breakdown” with receipts. Echoes cryptographer feedback in related repos, pushing BBS+ variants for better anonymity without pairings—workable on secure elements today.
So why the pushback? eIDAS 2.0 demands high-assurance verification by end-2026. QTSPs must check identities and attributes per CIR 2025/1566. Platforms face DSA age-gating via VLOPs accepting wallets from December 2026. Non-compliance? Fines. Yet specs evolve. A fresh implementing regulation, (EU) 2026/798 from April 8, sets remote onboarding rules using ETSI TS 119 461 v2.1.1, per Finextra analysis. It adapts standards for substantial-to-high assurance combos.
Critics fear centralization. Wallets tie to national issuers; verifiers query status lists. Intermediaries abound, clashing with self-sovereign ideals. An arXiv paper flags ARF’s intermediary reliance, urging decentralized checks. Reddit threads decry non-FOSS mDoc, Play Integrity dependencies excluding rooted devices. Fair points. But proponents note EU’s open GitHub process—issues like #26 invite fixes.
Large-scale pilots test real use cases: bank onboarding, uni apps, SIM requests. Over 250 adopters across states refine protocols. Reference implementations now support PID issuance and EAAs, per LinkedIn updates from EU Digital Identity Wallet team. Interoperability demos in Romania this March proved feasible—if standards stick.
But back to #26. It spotlights a core tension: ambition versus execution. Age verification bridges DSA gaps pre-wallet maturity. Annex A defines AV profiles forward-compatible with EUDI. ZKP annex experiments BBS-style schemes for unlinkability. Promising. Developers bypassed PINs via editable files, though—reference code’s plaintext sins undermine hardware mandates.
Commission Implementing Regulation (EU) 2025/1569 updates QEAAs from public bodies, open for feedback. ETSI TS 119 471 sets QTSP policies for attribute services. Momentum builds. Yet without addressing #26—proving privacy claims hold—trust erodes. Member states like Germany eye early 2027 rollout; VLOPs follow.
Industry insiders watch closely. Yousign warns of incomplete specs forcing flexible builds through 2026. Baker McKenzie pegs VLOP acceptance to wallet availability. Zyphe timelines AMLA standards by July. Deadlines loom. A fixed spec? Essential. Or the wallet risks becoming another fragmented EU toolset.


WebProNews is an iEntry Publication