These are the sources cited by the article:

  [1] https://xcancel.com/Paul_Reviews/status/2044502938563825820
  [2] https://xcancel.com/paul_reviews/status/2044723123287666921
  [3] https://csa-scientist-open-letter.org/ageverif-Feb2026

| "The saga is turning into a PR disaster for Brussels. "

imo: mostly because the Author wants it be a disaster. The App has not launched, they published the source code in order to invite external review. I dont have time to every claim, but e.g. this [see quote below] seems to be blown out of proportions to me - the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device - if an adversary has access to the internal disk of my phone, they can also just access the photo roll.

"For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.

This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."