EU Age Control: The trojan horse for digital IDs
A technical critique of the EU Age Control reference app reveals three core problems: platforms can bypass the privacy-preserving wallet and use standard KYC providers instead; the system requires Google or Apple device attestation, locking out GrapheneOS, Linux phones, and Huawei devices; and the marketed zero-knowledge proof cryptography is present in the codebase but not actually enabled — the app uses older ISO 18013-5 mdoc with plain signatures instead. Unlinkability depends on wallet behavior (rotating single-use credentials), not mathematical guarantees, meaning credential replay breaks privacy trivially. Relay attacks — where a child routes verification through an adult proxy — are a structural protocol flaw unfixable across all 27 national implementations. The author argues the system is a trojan horse for revocable digital ID infrastructure, enabling government control over internet access, with the privacy framing serving as political cover.
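The point about unlinkability resting on wallet behavior, as an added example (not code from the reference app or the article): with a plain issuer signature the same bytes reach every verifier, so sites that compare logs can match visits unless the wallet spends a fresh credential each time. The HMAC stand-in for the issuer signature, the credential layout and the site names are constructed assumptions.

```python
import hashlib, hmac, os
from collections import defaultdict

# Constructed stand-in: a real mdoc carries an asymmetric issuer signature.
ISSUER_KEY = b"constructed-demo-issuer-key"

def issue_batch(n):
    """Issue n single-use credentials, each with its own random salt."""
    batch = []
    for _ in range(n):
        payload = b"age_over_18=true|salt=" + os.urandom(16).hex().encode()
        tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
        batch.append((payload, tag))
    return batch

class Wallet:
    def __init__(self, batch, rotate):
        self.batch, self.rotate, self.used = list(batch), rotate, 0

    def present(self):
        """Rotating wallets spend a fresh credential; others replay the first."""
        if not self.rotate:
            return self.batch[0]
        if self.used >= len(self.batch):
            raise RuntimeError("batch exhausted: refill instead of replaying")
        cred = self.batch[self.used]
        self.used += 1
        return cred

def verify(cred):
    payload, tag = cred
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def linkable_groups(presentations):
    """Group visits by the exact bytes each verifier received.
    Any group spanning more than one site is a set of linked visits."""
    seen = defaultdict(set)
    for site, (payload, tag) in presentations:
        seen[hashlib.sha256(payload + tag).hexdigest()].add(site)
    return [sorted(sites) for sites in seen.values() if len(sites) > 1]

def simulate(rotate, sites=("site-a.example", "site-b.example", "site-c.example")):
    wallet = Wallet(issue_batch(len(sites)), rotate)
    log = [(site, wallet.present()) for site in sites]
    if not all(verify(cred) for _, cred in log):
        raise ValueError("credential failed verification")
    return linkable_groups(log)
```

Every presentation verifies in both runs; only the replaying wallet produces a group that ties the three sites to one holder.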
Table of contents
The DSA fallback nobody talks about
How verification actually works
The marketed crypto and the shipped crypto are not the same thing
What’s private and what isn’t
What about relay attacks?
The Trojan Horse
Are the published hacks real?
But Why?
Conclusion