April 19, 2026

Digital ID or digital stalker?

The EU digital ID wallet can't deliver the privacy properties it claims

‘EU Wallet’ privacy promises crushed as internet screams “digital ID, same old spying”

TLDR: A critic says the EU’s new digital ID wallet can’t really protect people’s privacy because it still allows hidden tracking and data hoarding. Commenters are split between calling it a slow-motion surveillance nightmare and mocking it as feel-good privacy theater that ignores what users actually fear.

The EU’s shiny new digital ID wallet – a government-approved app to prove who you are or how old you are – just got dragged by privacy nerds, security pros, and regular paranoid internet users. A researcher laid out how the system claims to protect your privacy, but then quietly leaves loopholes big enough to drive a data broker’s truck through. That was all the community needed to go full popcorn mode.

The biggest outrage: the system doesn’t clearly ban companies from sneaking in hidden tracking data when you show your digital “proof of age.” Commenters are fuming that this basically turns a simple age check into a secret “follow this person around the internet” tag. One side yells, “This is how you build a surveillance state,” while the more cynical crowd shrugs and says, “Congrats, you’ve reinvented cookie banners, but for your ID.”

Tech-savvy commenters are begging the EU to make strong privacy tools mandatory instead of optional, mocking the current design as “privacy theater.” Memes are flying, with people joking the wallet should come pre-installed with a “Track Me Daddy” button. Others are posting fake EU slogans like, “Your Data, Our Problem Now.” Underneath the jokes, there’s a real chill: the fear that a tool sold as freedom could quietly become the ultimate tracking device.

Key Points

  • The article points out that Section 4.3 of the EU digital ID wallet specification does not explicitly prevent Attestation Providers from including additional data in Proof of Age attestations that could break unlinkability when portraits are not transmitted.
  • It notes that Section 4.1.1 does not clearly state that its listed attributes form the maximum allowed set, leaving room for Attestation Provider–defined attributes that might be trackable.
  • The author proposes explicitly requiring that Attestation Providers must not include any data in Proof of Age attestations that could compromise unlinkability and must not store associations between issued attestations and users once issued to the AVI.
  • The article recommends adding a requirement in Section 4.4 that Relying Parties must not store proof-of-age attestations after the end of the relevant user session.
  • It concludes that the effective long-term fix is to make zero-knowledge proof–based age verification presentations mandatory, using a BBS-like construction or a ZKP-on-top-of-mdoc approach such as the zk-longfellow form.
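
The linkability gap described in the first two key points can be checked mechanically on issued or received attestations. The following is an added example, not code from the article or the EU specification. The allowed attribute set, the attribute names (`age_over_18`, `issuer_ref`), the attestation layout and the sample presentations are constructed assumptions, and attestations are assumed to be single-use so that signatures differ per presentation.

```python
from collections import defaultdict

# Assumed maximum attribute set for a Proof of Age attestation (hypothetical:
# the page does not list the Section 4.1.1 attributes).
ALLOWED = {"age_over_18"}

def extra_attributes(attestation):
    """Names of attributes present in the attestation but outside ALLOWED."""
    return sorted(set(attestation["attributes"]) - ALLOWED)

def linkable_groups(presentations):
    """Map each repeated (attribute, value) pair outside ALLOWED to the
    relying parties that saw it. Any such pair is a join key that lets
    stored presentations be correlated, even when every attestation is
    single-use and carries a different signature."""
    seen = defaultdict(list)
    for relying_party, attestation in presentations:
        for name in extra_attributes(attestation):
            value = attestation["attributes"][name]
            seen[(name, value)].append(relying_party)
    return {key: rps for key, rps in seen.items() if len(rps) > 1}

# Constructed sample: one wallet presents two different single-use
# attestations; a second wallet presents a minimal one.
PRESENTATIONS = [
    ("shop.example", {"id": "att-001",
                      "attributes": {"age_over_18": True, "issuer_ref": "u-7f3a"}}),
    ("video.example", {"id": "att-002",
                       "attributes": {"age_over_18": True, "issuer_ref": "u-7f3a"}}),
    ("news.example", {"id": "att-003",
                      "attributes": {"age_over_18": True}}),
]

if __name__ == "__main__":
    for rp, att in PRESENTATIONS:
        print(rp, att["id"], "extra attributes:", extra_attributes(att))
    for (name, value), rps in linkable_groups(PRESENTATIONS).items():
        print(f"{name}={value!r} links presentations at: {', '.join(rps)}")
```

An empty result only shows that no exact value repeats across these presentations; it is not a proof of unlinkability.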

Hottest takes

"They’ve basically built a government-approved tracking cookie for your face" — dataleak_lurker
"If ‘don’t store user data’ is optional, it means ‘we’re absolutely storing user data’" — cynic_mode_on
"EU: ‘It’s super private, trust us.’ Internet: ‘Cool story, where’s the part where you *prove* it?’" — root_access_denied