Google wants to turn its Google Wallet app into the internet’s gatekeeper. Its first target is Europe. The company is preparing to control and log access to websites regulated by age or, eventually, by other criteria. For Google, the resulting data could then be clearly linked to the identity of individual users.
The system creates an illusion of security because it relies on a zero-knowledge process. The website receives a simple yes or no answer to the question it asks. Among other things, the app is intended to provide age verification for social media and other portals with age restrictions.
The process is simple and therefore tempting. Users only have to identify themselves clearly to Google once. A digital identity or proof of age is then stored in Google Wallet.
In effect, EU member states are required to make at least one European Digital Identity Wallet available, while some national digital identity systems already exist. In Germany, digital identity verification is already possible using the national identity card, the electronic residence permit or the eID card for EU and European Economic Area citizens.
The German national identity card can be used for online identification with the AusweisApp, a suitable NFC-enabled smartphone or card reader and a six-digit PIN. The card also stores biometric data, but that data is not part of the standard online identification process for ordinary service providers.
A Simple Yes or No
Google has also secured a partnership with Germany’s savings banks. Identity can therefore be verified through savings banks as well. The proof of age comes not from a state-issued ID, but from bank confirmation. Age checks using bank account data or credit cards are already technically possible. Banks provide the infrastructure for numerous services, including the activation of SIM cards for smartphones. When verification is carried out through a savings bank, Google also stores the data in Wallet. For the user, age verification then requires only the app, and the website can be accessed.
When age verification is carried out through Google Wallet, the website checks only whether a person meets the required age threshold. The app, or rather the infrastructure behind it, then draws on the credential, Wallet and certification by a trust center to provide a yes or no answer. In such a system, the website ideally receives neither the identity document nor the date of birth nor the full identity.
Google announced in 2025 that it would integrate zero-knowledge-proof technology into Wallet for such purposes, allowing users to prove their age without directly linking the request to their identity for third parties. The technology is also to be made available through Google’s Digital Credential API, a programming interface integrated into other apps and websites. Websites can then use it directly.
Less Data for Websites, More for Google
Under this system, the website does receive less data. That is the method’s clear advantage. Yet the process merely shifts where the data goes. The individual website does not receive the digital ID or date of birth. Rather than name, address and age being transmitted to the online service, a central intermediary stands between the user and that service.
Google, however, can see and store that a check took place, when it took place, what kind of access it was used for and on which website. The problem of online surveillance is therefore not solved, but displaced.

The crucial question is not only what data a website receives, but who can see and log the verification process in the background. The result, by default, is a complete record of the online activity of every clearly identifiable user.
That exposes the dark reverse side of zero-knowledge technology. With direct verification, many websites receive the data of specific users in a decentralized way, but cannot see where else the user goes online. In a zero-knowledge process, the website receives only an authorization, while the service provider, in this case Google, can learn everything and can clearly assign it to the user’s identity. What happens to that data, where it is stored, how it is processed and to whom it is passed on remain entirely unclear.
It takes little imagination to picture how eager state authorities and intelligence services will be to obtain the data once it exists.