• We Already Know How This Ends
• Age Verification Everywhere
• The Singapore Preview: This Is What “Voluntary” Looks Like
• The Net Neutrality Ghost
• Nobody Asked You
• The Circle Is Closing
• The Clipper Chip: The Blueprint for Defeat
• The Financial Dimension
• The Last Exit

The European Commission just announced that its age verification app is “technically ready.” Commission President Ursula von der Leyen declared that online platforms have “no more excuses.” Europe, she explained, has built a “free and easy-to-use solution” to shield children from harmful content. The app requires you to scan your government-issued ID or passport. In return, the EU promises you’ll remain anonymous.

If you believe that, well you probably believe that Covid came from eating bat soup from a Wuhan wet market. The truth is that this has absolutely nothing to do with child safety. Just in case you hadn’t realized, this app is a key component of the digital ID surveillance infrastructure being built under the guise of a child safety costume, and we have seen this exact playbook before. 

§We Already Know How This Ends

If you recall the genesis of Know Your Customer laws, the Bank Secrecy Act, the Financial Action Task Force’s (FATF) global anti-money-laundering framework. When governments first required banks to verify every account holder’s identity, log every transaction above a threshold, and report suspicious patterns to state authorities, their pitch was almost identical to Von der Leyen’s: we are protecting you. We are stopping criminals.

Was that what actually happened though? Absolutely not. Sadly every purchase you make is now a data point in a surveillance architecture so vast that your bank, your government, and dozens of third-party brokers can reconstruct your life in granular detail from where you eat, what you read, who you donate to, which medications you buy, to even which political causes you fund. With data being the new oil, this infrastructure is used to mine data on everyone under the guise of stopping criminals. Ever since KYC and anti-money laundering regulations were imposed, only a pathetic 0.1% of money laundering activities have been stopped thanks to them; despite the inconvenience and security risks they introduce.

The logic of financial KYC was always this; if we just know who everyone is, we can prevent the bad thing. It sounds reasonable when the bad thing is terrorism financing or child exploitation. The problem is that the infrastructure built to stop the bad thing never goes away once the bad thing has been addressed. Its scope always continues to expand, its repurposed for other nefarious uses and then eventually normalized. In 2001, prior to 9-11, it was unusual for your bank to know your political donations. By 2021 that had all changed, with financial surveillance of activists, journalists, and civil liberties organisations becoming the new normal. The apparatus built for criminals became the apparatus turned on citizens. 

The EU has now decided to build the same architecture for the internet. The age verification app is the Bank Secrecy Act equivalent for all your online activities. So much for privacy.

§Age Verification Everywhere

During the same press conference that Von der Leyen announced the app, Executive Vice-President Henna Virkkunen assured the press that the system uses zero-knowledge proof technology, meaning you stay “in full control of your data.” You upload a government-issued identity document. A system built and operated by EU member states processes it, and the promise is nobody is tracking you or hacking your data.

An X user who goes by the handle @Paul_Reviews posted on his page how easy it was to hack the app in under two minutes. That’s in addition to how it also potentially violates GDPR regulations on privacy because it retains biometric data after processing it, without any legal basis for doing so. Furthermore in March 2026 a security analysis of the app’s own open-source code found that the issuer component has no way to verify that passport verification actually occurred on the device. The privacy guarantee rests on a foundation that security researchers have already identified as architecturally flawed and the researchers noted that fixing the flaw would likely require sending your full passport data, name and document number included, to the server. The privacy promise and the security fix are in direct conflict with each other.

Then there is the small matter of Google. The app requires Google’s Play Integrity API on Android, creating a mandatory dependency on Google’s infrastructure. An open-source app that requires Google’s permission to run is not a privacy tool. It is a privacy performance, that has the aesthetic of privacy wrapped around a surveillance dependency baked directly into its architecture.

Let’s imagine for a moment, the most charitable reading. Say the zero-knowledge proof works exactly as described. Say no central authority ever links your identity to your browsing. Even in that best case, you have established something important: the infrastructure for doing it exists. The plumbing is in place and what’s to stop the abuse of this architecture when an emergency situation arises in future? This is exactly what happened with financial KYC. 

German MEP Christine Anderson, also shares the same privacy concerns as she pointed out that the app is a trojan horse for digital surveillance. In an interview with Brussels Sigal she said, “The Commission’s age verification app is presented as a narrow child-safety tool but it creates the infrastructure for broader digital identification online…Under the Digital Services Act, voluntary solutions like this quickly become mandatory in practice, forcing users to identify themselves to access basic services. Give Brussels an inch of discretion and it will take a mile of your freedoms..”

Age verification mandates are spreading fast, and they are ushering in a new era of online surveillance and exclusion, not just for young people, but for everyone. Once verification is embedded at the browser and operating system level, there is no anonymous internet remaining. With this in mind, the unyielding resolve Western governments have displayed since the plandemic to purge the internet of “disinformation, misinformation, and malinformation” makes this latest move very suspicious to say the least. Especially given that Australia and the UK were the first movers in this crusade to KYC the internet, using the exact same rhetoric of child protection. Will we be seeing more arrests for social media posts that the state doesn’t like? It’s almost guaranteed should this slow steady march towards a technocratic world order continue unchallenged.

§The Singapore Preview: This Is What “Voluntary” Looks Like

Before Europe tells you this will be smooth, privacy-respecting, and limited in scope, look at Singapore where a* near-identical regulatory approach* went live on April 1, 2026.

Singapore’s Online Safety Code required major app stores to implement age verification. Microsoft, Apple, Google, Samsung, and Huawei all had to comply. The stated goal was identical to the EU’s: protecting children from adult content.

The reality? Singaporean gamers who had already purchased and downloaded Xbox titles suddenly found themselves locked out and told they needed to scan their face, upload a government ID, or authenticate via Singpass, Singapore’s national digital identity system, just to keep playing games they already owned.

Each company chose its own method, revealing exactly the kind of divergent surveillance architectures that regulatory ambiguity spawns. Apple requires your National Registration Identity Card (excluding passports and debit cards) meaning proof of adulthood requires linking your Apple account to your legal name and financial records. Samsung and Huawei took only credit card data. Google deployed something far more sinister, dubbed “age estimation”, which is  a machine learning model that watches your search activity, analyses which YouTube categories you watch, and estimates your age from behavioural signals already attached to your account. In reality, this is nothing less than continuous behavioural profiling rebranded as access control.

This is what child protection looks like when it hits the ground and it is coming to Europe next, at continental scale, with state-issued credentials as the root of trust. Should any of these services be hacked, what happens then?

§The Net Neutrality Ghost

There is a precursor to this current architecture that rarely receives the scrutiny it deserves: the net neutrality wars. That decade-long struggle was, at its very core, a battle over the same fundamental question, who ultimately controls the gatekeeping layers of the digital world?

Net neutrality, the principle that internet service providers must treat all data equally, regardless of source, destination, or content, was killed in the United States in 2017 with a dismissive shrug toward the four million public comments opposing the move. Recall the rhetoric of the telecom giants during those skirmishes; their vision was one of tiered access and the authority to throttle services they deemed disfavoured. Their goal was to embed themselves as a mandatory, controlling intermediary between the user and the open web. Every argument launched against net neutrality was, at its core, a plea for a managed internet—a world where access is strictly conditional and intermediaries wield far more power than the individuals they supposedly serve.

The EU’s age verification app achieves all of that without touching the network layer. It doesn’t slow down packets or charge extra for certain websites. It simply requires that you present your papers before you’re allowed to see certain content. The gatekeeping function, the very thing net neutrality defenders fought to prevent, has been moved one layer up the stack.

The ISPs who argued against net neutrality were at least honest about their commercial motivations. The Commission is definitely being deceptive about their real agenda, and it will eventually be clear once the digital ID and the digital euro are rolled out. By the time that happens, the digital prison for EU citizens would have been fully complete.

§Nobody Asked You

Von der Leyen closed her press conference with: “Children’s rights in the European Union come before commercial interest and we will make sure they do.”

The framing is designed to be unassailable. You cannot argue against it without appearing to argue against children. The Commission knows this. It built the infrastructure before any serious public deliberation about whether a centralised, government-controlled digital identity layer over internet access was the right approach. It is presenting Europe with a fait accompli wrapped in the most sympathetic justification imaginable.

The comparison von der Leyen herself reached for was the COVID digital certificate, a “huge success,” she said, following “the same principles, the same model.” She said it as if it were reassuring, but her statement indirectly reveals the continuation of some of the diabolical plans that they had intended to roll out during the plandemic. The COVID certificate, which was actually a movement license,  was sold as a temporary emergency measure. By the time it was deployed, it had been established that access to public life; restaurants, concerts, travel, could be conditional on presenting a digital government credential. That idea and the accompanying infrastructure around it did not evaporate when the pandemic ended. It was normalised, as several countries quietly kept the infrastructure running. 

§The Circle Is Closing

The cypherpunk intuition has always been correct, privacy is not a preference but it’s a precondition for freedom. Anonymous communication, the ability to read, speak, and exist online without your identity being the price of admission;  is what makes dissent possible, journalism possible, dignity possible at all.

The EU has taken a decisive step toward making anonymity illegal. Singapore showed us the destination in miniature: face scans to play video games, behavioural profiling to use a search engine, government ID uploads to access content you already paid for. Right there it’s clear that the scope crept from adult content to dating apps to gaming platforms in a matter of weeks.

§The Clipper Chip: The Blueprint for Defeat

In 1993, the NSA proposed a solution to a problem that will sound extremely familiar. Encryption was proliferating and the US government outlawed it on the basis that criminals might use it. Their solution was the Clipper Chip, a hardware encryption device that would be embedded in all telecommunications equipment and would encrypt your communications, but with a backdoor, held in escrow by the government, accessible whenever law enforcement needed it. Secure for everyone, except the state always had the key.

AT&T Bell Labs researcher Matt Blaze published* a paper* in 1994 demonstrating a fundamental flaw in the Clipper protocol, a mechanism that allowed the backdoor itself to be bypassed, rendering the entire system either insecure for everyone or circumventable by the very criminals it was designed to catch. The NSA had spent years and enormous resources building surveillance infrastructure into the foundation of American telecommunications. A single researcher, a few weeks, and a published paper killed it. Not because the government backed down, but because the technical community demonstrated that the thing didn’t work, and the political cost of continuing to push a broken surveillance system exceeded the benefit. This is the way to go.

The EU’s age verification app has already been handed its Clipper moment. @Paul_Review and The March 2026 security analysis have exposed the app’s vulnerabilities and these are not just mere bug reports. It is a Blaze paper. The Google Play Integrity dependency is not an inconvenient detail. It is a structural exposure that makes the entire privacy guarantee fraudulent on its face. The conflict between fixing the security flaw and maintaining the privacy promise is not a technical problem awaiting a solution. It is a fundamental architectural contradiction that cannot be resolved because the goals themselves are incompatible.

The cryptographers beat the Clipper Chip before it was deployed. They can beat this too, if the research community, the security community, and the civil liberties community treat this with the same forensic urgency that Blaze brought to Skipjack in 1994. Every implementation failure should be made politically toxic before the infrastructure calcifies into permanence.

§The Financial Dimension

Bitcoin exists because someone understood that financial privacy is political privacy. The ability to transact without a government ledger recording who paid whom, for what, and when is not a criminal convenience, but it is the last line of defence for dissidents, journalists, whistleblowers, and anyone living under a government that has decided their cause is inconvenient.

The apparatus being built for “child safety” and the apparatus being built for “financial integrity” are converging on the same point: a world where anonymous value transfer is impossible, where every satoshi is traceable to a face and a passport number. The EU’s Markets in Crypto-Assets regulation requires identity verification for crypto transfers above a threshold that keeps getting lower. The Financial Action Task Force’s Travel Rule is pushing wallet addresses toward mandatory identity linkage globally. These are not parallel developments, but are the same project at different stack layers.

The social credit system does not require a single authoritarian decree. It requires that financial transactions be attributable, that internet sessions be authenticated, that identity be the precondition for participation in digital life. Each piece is being built separately, justified separately, normalised separately. The integration is the last step  and it is much easier than the construction, because by then each piece will already be load-bearing infrastructure that nobody can afford to remove.

§The Last Exit

Once again let’s be honest about what this is.This is neither a child safety measure nor a regrettable but necessary compromise between freedom and protection. This is the foundational layer of a social credit stack and the EU is pouring the concrete right now, in public, while everyone watches. The explanation is that “protecting children” is not the optimisation target. Control is the optimisation target. Child safety is the politically unassailable framing that makes control achievable. You cannot question it without sounding monstrous, which is why it was chosen. 

Philosophically, this is what Frédéric Bastiat called the seen and the unseen; the seen benefit is the child nominally protected from adult content; the unseen cost is the destruction of anonymous communication for hundreds of millions of adults, the infrastructure for authoritarian expansion that will outlast every good intention of its architects, and the chilling effect on every dissident, journalist, activist, and ordinary person who now knows that their reading habits are a government record. The only thing that has ever reliably stopped surveillance infrastructure from becoming permanent is defeating it before it is deployed.