Security Now #1044: The EU's Online Age Verification
September 24, 2025
Host: Leo Laporte
Guest: Steve Gibson
EPISODE OVERVIEW
This episode unpacks the urgent issue of online age verification, spotlighting Spain's privacy-centric solution built on W3C Verifiable Credentials, a system that Steve Gibson believes could finally "work." Steve and Leo also dig into the week's security news: Rowhammer attacks that still work against DDR5 RAM, Consumer Reports' push for extended Windows 10 support, China's DeepSeek AI serving up weaker code depending on who it thinks is asking, and the continuing drama of U.S. and EU regulatory responses to protecting children online. As always, they provide sharp analysis, practical takeaways, and the occasional wry geek humor (plus the irony of the week: a sinking boat named "No Worries").
MAIN THEME: Age Verification Online—the EU/Spain Model
Spain's government is pioneering a privacy-preserving digital age verification system: an open-source app built on the W3C Verifiable Credentials standard, intended to satisfy EU child protection mandates and to set a baseline that other member states can adopt. Steve details how this approach could solve the seemingly intractable problem of proving age without exposing identity or enabling surveillance, even as lawmakers elsewhere, notably in Brazil and the UK, clamp down on simple "self-declaration" methods.
KEY SEGMENTS & DISCUSSION POINTS
[02:30] – Episode Agenda Overview
- Hot Topics:
- Spain’s announced age verification technology—privacy-preserving, could “actually work”
- New laws in Brazil and the UK requiring stricter age checks
- Ongoing issues: DDR5 Rowhammer attacks, Consumer Reports vs. Microsoft on Windows 10, China's DeepSeek and code quality, new browser security flaws, NPM supply chain attacks
- Listener feedback, notably on phishing, patching, and Apple/Android device security
[13:08] – Consumer Reports Slams Microsoft on Windows 10 Support
- Stacy Higginbotham’s Letter to Microsoft ([13:53]):
- "Tying free support to unrelated Microsoft products forces consumers to jump through unnecessary hoops just so Microsoft can eke out a bit of market share over competitors." – Stacy Higginbotham ([22:25])
- Points made:
- Many users have newer Windows 10 hardware incompatible with Windows 11
- Microsoft breaking its legacy of hardware/backward compatibility
- Risks of hundreds of millions of unpatched, vulnerable devices
- Support termination creates waste and hurts national security
- Consumer Reports urges free Windows 10 security updates, responsible recycling
- Steve’s Analysis:
- Hardware requirements for Win11 are "nonsense"; TPM 2.0 is not a prerequisite for genuine security ([24:21])
- Call for Microsoft to keep pushing security updates to Win10 devices for "the next three years” ([25:20])
[31:26] – US Department of Defense Cyber Ops Waste
- GAO Report:
- Over 61,000 internal DoD staff and 9,500 contractors in cyberspace ops
- 500+ overlapping organizations, 22,000 unfilled cyber jobs, rampant redundancy
- Steve’s Take:
- Classic “waste, fraud, and abuse” (mostly waste in this case)
- Calls for streamlined training and consolidation
- “…having a budget is a mark of having power. So everyone wants their own training group…” ([33:10])
[40:07] – China's DeepSeek AI Censors and Weakens Code for Disfavored Groups
- Key Findings:
- DeepSeek produces intentionally flawed or insecure code for users it identifies with groups disliked by the Chinese government (e.g., Tibet, Taiwan, Falun Gong)
- "The DeepSeek AI engine returns code with security flaws if it determines that the coder is associated with a specific minority group." – Washington Post ([40:25])
- Steve's Reaction:
- “Sad and predictable… you have to be careful how it's trained” ([41:38])
[42:06] – WebAssembly 3.0 and Browser Security
- WebAssembly 3.0:
- Finalized, but Apple’s Safari lagging behind
- Steve: “Stack-based intermediate languages—great for compilers, but not for humans” ([43:05])
- [47:24] – FIREFOX 143 Update:
- Sandboxing and hardening improvements, web-app pinning, tab pinning, better camera selection, and minor feature highlights; resistance to browser fingerprinting remains weak
[55:13] – Entra ID (Azure AD) Catastrophic Token Flaw Previously Exposed All Tenants
- Vulnerability Summary:
- Flawed, undocumented actor tokens enabled total cross-tenant impersonation
- "...with a token I requested in my lab tenant I could authenticate as any user, including global admins in any other tenant." ([59:07])
- Impact:
- Complete authentication bypass. No effective logging.
- Patched swiftly by Microsoft, but "the most impactful vulnerability I will probably ever find." – Researcher Dirk-Jan Mollema ([60:29])
- Steve’s Concern:
- Did adversaries know about this and use it before the fix?
- Microsoft’s relentless feature-churn keeps introducing bugs
[69:59] – DDR5 and the Enduring Rowhammer Problem
- Google Security Report:
- “Current mitigations for rowhammer attacks are not sufficient and the issue remains a widespread problem across the industry.”
- Countermeasures such as Target Row Refresh (TRR) and on-die ECC only lower the odds of a usable bit flip rather than eliminating it, and can still be bypassed
- Steve sums up:
- DDR's ever-higher cell density and shrinking noise margins make Rowhammer an attack vector that cannot be designed away; "kluge" mitigations such as per-row activation counting (PRAC) are desperation moves ([77:15])
[88:53] – Privacy, Security, and Late-Stage Capitalism
- Samsung smart fridges now show ads on integrated touch screens
- "Welcome to late stage capitalism." ([89:19])
- China bans Nvidia chips and launches domestic AI rivalries
[93:33] – NPM Supply Chain Attacks Intensify
- "300 more malicious npm packages were found and taken down last week. We have built a dependency on dependencies.” ([93:24])
[143:43] – FEATURE SEGMENT: The EU’s (Spain’s) Online Age Verification
Context:
- Brazil, the UK, and soon the EU are mandating actual age verification—no more "click yes if you’re 18".
- Parental oversight and banning under-18s from certain content are now legal requirements.
- Self-declaration or a simple check-box is officially “out” as regulators affirm “the greater good.”
Why the Problem is Tough:
- Internet authentication has historically been about recognizing a returning user, not proving a real-world attribute such as age
- Needs a true “identity anchor,” typically citizens' legal IDs
- Age verification must be strongly bound to the real-world person but not expose identity (“privacy preserving”)
[148:15] – Spain’s Solution: W3C Verifiable Credentials
How It Works (per official explainer video):
- User downloads a dedicated “age verification” app (open source)
- Establishes identity by presenting national ID, eID, or in time, passport
- The credential is issued to the app and held on the device, not by an outside server
- App holds a Verifiable Credential (VC) in privacy-preserving format
- No personal data (e.g., name, birthdate) is stored—only proof of “over 18/21”
- When accessing restricted content:
- Website presents a QR code challenge
- The user scans it with the app, which cryptographically proves age (but not identity) to site
- Alternatively, on-device access (e.g., mobile) submits the proof directly
Spain’s Claims:
- "The key requirement... is the privacy untraceability of users activity... using W3C verifiable credentials... users can choose to share only the necessary information (e.g., over 18) without revealing more.” ([149:43])
- Trust built through managed whitelists—only trusted entities can issue/verify credentials
- Open source, customizable, aligned with GDPR/privacy law, and can be adopted by other EU members
[154:02] – Notable Quotes from Official Video:
“Only the information confirming that the user is over a certain age will be saved in the age verification app. No name, no birthday or other information of the user is stored. The data privacy of the user is fully respected... No user profile can be generated.” – EU Age Verification Demo ([154:48])
Steve’s Take:
- Impressed: “They got it all exactly right…This could actually work.”
- No transfer of personal identity, just cryptographically verifiable age
- The model is the same as PKI certificates: the site only needs to check that the credential carried by the app was signed by a trusted root authority
- Potential weak spot: app access by PIN or optional biometric (“a little weaker than we might be able to have, but some may consider biometrics a privacy concern”)
- Other jurisdictions (e.g., California) could implement similarly using digital licenses
[155:00+] – Broader Implications & Listener Backlash
- Commenters ranged from fears of surveillance state/“1984” to complaints about “parenting failure.”
- Steve: The change is inevitable; the "yes I'm 18" box was always nonsense.
- Laws now reflect long-established real-world policies (e.g., children can’t access adult stores/clubs). Cyberspace is finally catching up.
[161:11] – Spain’s Approach May Be Uniquely Feasible
- Spain issues national IDs at birth; all citizens can, in theory, use the system
- But process can generalize (Steve notes several US states already have digital IDs with age assertions)
- Steve: “I'm hoping people are now going to be pointing at Spain and saying, hey, let's do what they did because it works.” ([169:27])
ADDITIONAL HIGHLIGHTS & QUOTES
- On Browser Privacy:
“I left Firefox for Brave when it turned out that Firefox really had done nothing there…EFF’s cover your tracks site still says my browser’s fingerprint is unique.” ([54:12])
- On Microsoft's Patch Policy:
“They only have to stop preventing them from flowing…[security updates] have been flowing all along…All they need to do is not flip that cutoff switch in Redmond.” ([25:20])
- On Social Engineering & Phishing:
“'Don’t click links in email' is an impossible nonsense recommendation… The solution is least privilege and network design that assumes user mistakes.” ([102:33], [103:08])
- On Apple’s iOS 26 Security:
“Apple’s gone way past the point of diminishing returns. They’ve chosen to do it right, at great cost. Android and Google probably don’t care enough to match it—and maybe they shouldn’t… For most users, Apple's new security will be overkill.” ([116:08], [123:53])
TIMESTAMPS OF IMPORTANT SEGMENTS
- 02:30: Episode themes preview
- 13:08–31:26: Microsoft, Windows 10 support, and Consumer Reports letter
- 31:26–37:12: GAO report on cyber-waste at Department of Defense
- 40:07–42:04: Deep Seek—China’s AI delivers intentionally flawed code
- 42:06–55:13: Browser security, WebAssembly, Firefox, and Chrome updates
- 55:13–69:59: Entra ID flaw exposes all tenants, zero-day drama
- 69:59–86:14: DDR5 Rowhammer attack remains unsolved
- 88:53–93:33: Smart appliances serve ads, supply chain attacks continue
- 143:43–177:53: Feature segment—Spain and W3C verifiable credentials for privacy-preserving online age verification
CONCLUSION
Spain's bold move toward a privacy-respecting, cryptographically secure, vendor-neutral age verification for the Internet, built on W3C open standards, may finally deliver a workable and non-invasive solution to a challenge every government is rushing to solve. Steve gives high marks to the design and suggests the rest of the world should take note: the time for secure, anonymous, and effective online age verification is now.
For privacy advocates, technologists, and legislators alike, this episode is a must-listen.
Listen to the full episode for deep dives, anecdotes, and further discussion of privacy, technical nuances, and the future of regulated access on the Internet.