Brussels' Age Verification App Got Hacked in Two Minutes. Shocked? Neither Am I.
There’s a story doing the rounds this week that made me nearly spit out my latte. Brussels launched an age verification app — presumably to protect kids from online pornography — and hackers cracked it in about two minutes. And then, almost as if on cue, EU officials quietly walked back their earlier confidence and admitted the app is “still a demo.” Right. A demo. That’s not what was being claimed a few days ago, but okay.
Look, I work in IT. I’ve spent the better part of two decades watching governments and large organisations announce tech solutions with the confidence of someone who absolutely did not consult an engineer before the press release. This story has that energy in spades. The gap between what politicians think technology can do and what it actually does is, frankly, one of the most consistent and exhausting themes of my career.
But let’s be fair here, because the technical failure is almost a sideshow to the bigger conversation. What are we actually trying to solve? Online safety for kids is a genuinely serious issue. Nobody reasonable is arguing that unlimited access to hardcore pornography is great for a developing brain. The question is whether an age verification app is anywhere close to the right tool for the job — and whether the cure might be worse than the disease.
The privacy implications alone should give everyone pause. When you build a system that requires people to prove their identity before accessing parts of the internet, you are building infrastructure that will be misused. Maybe not today, maybe not by this government, but the architecture exists. One commenter in the discussion I was reading pointed out that the Spanish PM has already floated the idea of deanonymising all internet posting. That’s not a slippery slope fallacy — that’s someone in power literally describing the slope.
And the security angle isn’t just an inconvenience. If you create a centralised database or verification system linking real identities to online behaviour, and that system gets breached — which, given this app’s two-minute lifespan against hackers, seems basically inevitable — you haven’t protected children. You’ve handed bad actors a detailed map.
There’s also the deeply unsexy but completely correct point that a lot of this comes down to parenting, which I say as someone with a teenager at home. It’s not that parents don’t care — most do, deeply — it’s that the technical literacy required to actually monitor and guide a teenager’s internet use is genuinely steep. I can set up DNS filtering on our home network. Most people cannot, and telling them to “just Google it” isn’t a policy. Someone in the thread made the point that ISPs could ship routers with content filtering enabled by default, with the account holder (who must be an adult) able to disable it. That’s actually not a terrible idea — it puts the default in a sensible place without building a surveillance apparatus.
What actually works, though — and I know this sounds boring — is the conversation. Talking to your kids about why certain content isn’t appropriate, why the internet can be a genuinely dark place, why some things they’ll stumble across are distorted or harmful versions of reality. My daughter and I have had some awkward conversations over the years. They were worth having. No app replaces that.
The other thing history consistently teaches us — and yes, I’m going to invoke history because I find it genuinely instructive — is that prohibition doesn’t eliminate demand, it just redirects it somewhere less regulated and more dangerous. Teenagers who can’t access mainstream platforms will find other ways. They’ll end up somewhere with no moderation, no accountability, and no safety net. That’s not protection.
The solution here isn’t a hackable demo app masquerading as policy. It’s a combination of sensible ISP-level defaults, actual digital literacy education in schools, meaningful platform accountability, and yes — parents being engaged with their kids’ digital lives to whatever extent they’re capable. None of that is as satisfying as a press release announcing a new app, but it might actually work.
Maybe next time, consult an engineer before the launch. Just a thought.