This post is restricted to the context of the European Union and is intended to be factual.

The EU age verification app is intended to be a pilot to the EU Digital Identity Wallet (EUDIW), which EU law requires to be deployed everywhere in Europe by the end of 2026. (Thus your "worry" is in fact the explicit plan of record.)

The EUDIW will store more attributes than age. Think of it as a digital form of a passport (with name, address, etc.). The exact set of attributes is determined by local laws.

Thus, the DOCUMENT that you obtain is tied to you, and of course the state knows what is in the DOCUMENT since the state creates the document in the first place.

The state does not generate proofs. The phone generates proofs. Given a proof (and only the proof), nobody can associate the proof to the phone or to you.

Now I switch to less factual statements, which are still approximately correct.

Why would you trust the wallet software not to phone home to the state or us (Google)? The EUDIW regulations require that the wallet software be open source. However, states will only issue DOCUMENT to their own certified wallet software---you cannot just take the open source and recompile it, since the state won't issue DOCUMENT to your uncertified wallet. (Maybe your gym will issue a gym membership to your raspberry pi wallet, since it's not a big deal.)

The reason for this strictness is that the EUDIW is intended for official or semi-official uses. For example, you can open a bank account with it, or use it as ID to get a mortgage. The bank must by law accept DOCUMENT, the state guarantees that DOCUMENT is correct, and you get better privacy than handling over a piece of plastic that is then photocopied by who knows whom. This is the tradeoff of the current EU law. It would be inappropriate for this kind of official, passport-like documents to store attributes such as your profession (journalist or whatever), and nobody is talking about it.

Thanks for replying to me. I'm having a tough time understanding how it's zero knowledge, but also tied to a person's identity. At some point I'm going to try to read the manuscript you linked to someone else, but I started skimming it and I'll be lucky if I understand a tiny fraction of it.

> The state does not generate proofs. The phone generates proofs. Given a proof (and only the proof), nobody can associate the proof to the phone or to you.

I get that part. I visit a website and it basically asks me to prove my DOCUMENT has an attestation for age and my phone generates the proof. The part I don't get yet is how it proves the issuer.

> However, states will only issue DOCUMENT to their own certified wallet software---you cannot just take the open source and recompile it, since the state won't issue DOCUMENT to your uncertified wallet.

I don't get why that would matter. I think of it in terms of proving you have a signed DOCUMENT (like a signed executable), but that concept doesn't work for a proof with a subset of data in the DOCUMENT. The wallet can't be trusted either, can it? What would stop me from running a proxy to tamper with the responses?

> Why would you trust the wallet software not to phone home to the state or us (Google)?

To be honest, I don't and I think calling certified wallets "tamper proof" is incorrect. They're tamper proof from the perspective of the users, but the designers, maintainers, policy makers can "tamper" at will.

> For example, you can open a bank account with it, or use it as ID to get a mortgage.

This starts to get into the biggest issue for me. As an average person, all I know is that I have this DOCUMENT with all my vital personal information on it and some of that information can be sent to a 3rd party that asks for it. Because it's such a complex technical system I have no way of understanding what's happening or verifying I'm only sending the information I expect them to be asking for. If it's a permission system like we have on phones, that's broken. People have been conditioned to think they need to click yes on everything or things won't work. I'd worry that suddenly people will be giving away vital information without even knowing.

> you get better privacy than handling over a piece of plastic that is then photocopied by who knows whom

On a technical level, that's right. On the level of an average person understanding what information they're handing over and how it's being used (or potentially misused), that's wrong. I understand perfectly what I'm handing over when I give someone my credit card or drivers license. A digital ID system is basically opaque to me.

We have to put 100% faith in a few companies; Google, Apple, etc.. We need to trust they're acting in good faith and getting the implementation perfect. The saying is trust but verify, but what happens when the system is so complex that not enough people can verify it does what it says, or, more importantly, that policy makers aren't giving classified orders that force the handful of certified wallets to change the way things work?

The technology is very cool. When I see documents like that manuscript you linked I'm envious. I wish I could understand the math well enough to conceptualize the whole system. I think there's a ton of value in leveraging technology to modernize identity. I also have no doubt the people working on the implementation are acting in good faith. Flat out though, I don't trust the institutions. There's always someone willing to act in bad faith for one reason or another.

I think it's important to understand there's a difference between analog verification systems and digital verification systems. If someone is checking my ID or comparing my face to pictures in a book of banned patrons, that has a natural limit on the scalability. Once things are digital, all bets are off. Think of the difference between a manager banning someone from a single store vs facial recognition being used to ban someone from every store in a chain. Digital IDs could very well be the next step up where people can be banned from participating in society.

Also think about the difference between fingerprint unlock for releasing a digital ID vs Face ID. With a fingerprint, you're creating a limit on what people will tolerate in terms of the number of times their ID is queried. With Face ID, people will tolerate a much larger volume. If the biometric ID is cached and allows multiple uses of a digital ID within X minutes, the number goes even higher. With a watch that's unlocked until you take it off your wrist, it's unlimited.

So, if you're working on these systems, consider there's more than just an algorithm and the implementation can leverage what the average person will tolerate to act as a bit of a check on the system. The fingerprint unlocking above is a good example where 1 fingerprint scan = 1 proof. People can understand that. Please don't build a system that allows for continuous identification.

Thanks for trying to explain some of the goals and how the system actually works. It's really hard to separate the politics from the technology, because they can't be separated, but I find it helps to have a better understanding of the technology as it helps when trying to focus on pragmatic concerns.