EU age verification app to ban any Android system not licensed by Google

10 days ago (reddit.com)

In the case of Android, genuine means:

    The operating system was licensed by Google
    The app was downloaded from the Play Store (thus requiring a Google account)
    Device security checks have passed

While there is value in verifying device security, this strongly ties the app to many Google properties and services, because those checks won't pass on an aftermarket Android OS.

The issue is being raised here: https://github.com/eu-digital-identity-wallet/av-app-android...

    I would like to strongly urge to abandon this plan. 
    Requiring a dependency on American tech giants for age verification
    further deepens the EU's dependency on America and the USA's
    control over the internet. 
    Especially in the current political climate I hope I do not have
    to explain how undesirable and dangerous that is.

As a resident of the aforementioned political climate, I find their concerns to be reasonable.

There are a number of comments in that same thread that indicate a mandate to utilize Google services may run afoul of EU member nations' integrity and privacy laws.

  • "Device security checks" is the most horrifying aspect as it basically means "officially sanctioned hardware and software", and leads straight into the dystopia that Stallman warned us about in Right to Read.

    There is some amusing irony in the EU relying on the US for furthering its own authoritarianism. It's unfortunate that freedom (in the classic rebellious, American sense) never became that popular in the EU, or for that matter, the UK.

    • > leads straight into the dystopia that Stallman warned us about

      IMHO, the push for age verification is just a stepping stone towards requiring a mandatory ID for all social media posts made from EU. Given the current trends against freedom of speech, it's not unreasonable to think that by the end of the decade any site, including HN, might need to link usernames with their respective eIDs in case posts come from EU IP addresses.

      > officially sanctioned hardware and software

      Right now, if you want to run an alternative OS, it's already an uphill battle to use tons of member state services, as well as to do banking. Even if you have microG available, the situation is terrible. I imagine it's going to become harder. I cannot understand why the European Commission wants to reduce our reliance on FAANG services, and at the same time they make Google Play a de facto standard, reinforcing the mobile duopoly. In this context, free alternative mobile platforms, such as Sailfish, cannot flourish.


    • When Microsoft proposed such a scheme in the early 2000s under the name "Palladium", even the mainstream press decried it as a nightmare scenario. Google did pretty much the same thing in 2014 with Safetynet and there was barely a whimper. How did we lose our way?


    • >or for that matter, the UK.

      Hate to say it mate, UK is already one of the worst offenders.

      In their own "internet bubble," with curated Google searches that only present a very "Commonwealth countries bias" in search results. After I worked in the UK for a couple of years, I noticed there is a strong bias toward the same sites (Government and UK companies, especially biased toward "facts"). Second, you leave the UK. You will never get it. Try a VPN outside of the UK and search for the same stuff, you will notice it right away.

      The UK have used the "think about the children" excuse for different stuff they don't like (Remember the Porn pass Idea? Where you had to go down to your local Tesco to get a "wanker pass" from the cashier.)

      Same thing, now just for EU, and they use the "protect the children" excuse, but they have now started to aim at video game companies and others to "verify" age for the sake of "protecting the children". It is horrifying that they want to ID children in the excuse of their "safety". In a couple of years, they will likely offer free in-game currency to trick users into giving away their personal information.

    • > There is some amusing irony in the EU relying on the US for furthering its own authoritarianism.

      I think you're trying too hard to post cynical remarks as if they were this major gotcha. Even though the bill is quite awful, Occam's razor is quick to point out this has all the hallmarks of an overzealous technocrat rather than authoritarianism. Try to think about it for a second:

      - the goal of the legislation is to ensure adult content is not provided or actively pushed to children,

      - adult content is pushed primarily by tech platforms,

      - the strategy is to allow access to adult content only to users who prove they are adults,

      - the strategy followed is to push an age verification system.

      - technocrats know age verification systems can be circumvented if tampered with.

      - technocrats proceed to add provisions that mitigate the risk of tampering with age verification systems.

      The detail you're glancing over is US's hegemony over social media and tech platforms. The world is dominated by three platforms: Microsoft's, Apple's, Google's. Even Samsung is not European. How do you expect to push a technical solution for an authorization platform without leveraging the systems that people use?

      Also, the way the current US administration is pushing their blend of fascism onto the world is something I do not find funny. If anything, this would mean the American fascists are succeeding.


    • My phone is rooted and passes "Device security checks", even though it's not supposed to.

      I don't know how it works technically, but clearly there's a way to fake it.


    • It's no irony.

      Well-paid "transatlantic" lobbyists across all political parties of the EU at work.

      They are self-serving and learnt to give a big F* about the citizens of the EU.

    • You can't have privacy-friendly age verification that is also compatible with tinkering.

      The problem is relay services that supply positive age verification results to any interested user for a fee. With a non-privacy-preserving solution, those aren't a problem, law enforcement can just track whose credentials those services are using and shut them down.

      I'm not a fan of the whole idea in general, but if we have to choose, I choose privacy over hackability.


    • It's already happening for several apps such as banking apps, payment apps, government ID apps, etc.

    • And people used to be ridiculed for claiming the EU is basically a Soviet Union with a better-looking face.

      But slowly slowly it will turn into mass terror and deaths. The control freaks in power are taking our freedoms away inch by inch.

  • You don't even need to consider politics to acknowledge this is dangerous, wildly irresponsible of a government to tie internet access to a foreign corporate entity's control. The privacy concerns of not being able to use a device free from Google services, may only be second to the sovereignty issues it introduces.

    Whoops, Google have delisted your government app from the Play Store, how quickly can you de-couple your citizens' internet access from the corptocracy?

  • Guardians of minors are responsible for what they view, as well as what they drink or breathe. So they should make sure their devices are configured properly, same way they make sure there is no alcohol or tobacco intake.

    Then we have systems like:

    PICS https://en.wikipedia.org/wiki/Platform_for_Internet_Content_...

    POWDER https://en.wikipedia.org/wiki/Protocol_for_Web_Description_R...

    ASACP/RTA https://en.wikipedia.org/wiki/Association_of_Sites_Advocatin...

    Proving we do not need a system prone to PII leaks, just collaboration between content providers and guardians, helped by OS & browser vendors.

    But it seems restricting minors is a side effect, at best, of the ongoing theatre.

  • > As a resident of the aforementioned political climate, I find their concerns to be reasonable.

    No. The lesson is that stuff like this is concerning whatever the "political climate".

    Anyway, you mainly don't want the gov in your vicinity to snoop. Non-local OS:es is probably advantageous in that regard if you choose to run proprietary code...

    • > No. The lesson is that stuff like this is concerning whatever the "political climate".

      We say this, but many also want to entrust all our PC games to one closed source launcher. Or have videos/TV all on one subscription service. There's definitely a spectrum of benevolent and greedy dictators people draw lines on.


  • Why is it I can use my German national ID online without these Google requirements, but age verification suddenly requires dependency on Google?

  • Europeans are completely domesticated and servile to America, this is to be expected. Germans even let them spy on their government!

  • so what option is??? do you rely on third party store to do check??? I bet its more secure than google has verify it for you

  • From the telegraph.co.uk: "Elite police unit to monitor online critics of migrants" and there are people worried about the "political climate" in the US lmao

    • The UK in the last 2 decades has been far more totalitarian than the US, even up to 2025. But the people in England seem to accept it and openly defend government encroachment even here on HN. While even smallest steps towards eroding rights in US have people there decry it, so it's far more controversial and newsworthy.

      But it's nice so many people care about the last few places where hard freedoms exist. The biggest risk is missing the forest for the trees and not seeing the local extensions of short term political compromise.

  • > Especially in the current political climate

    I am forever thankful that Trump won the last election. If it were a Democrat party at the helm it would be practically impossible to have opposition to this, as most of the left would simply fall in line and cancel anyone daring to oppose the party. Look at how Obama strengthened the Patriot Act and carried out mass deportations with but a tiny grumble from the press.

    • Here is a list of every state and federal bill proposed in the United States in recent history (that I could find). Have a look at the letter beside the names of the sponsors. Then, after you've discovered that online surveillance bills are almost entirely written by republicans, go read about how your president is bankrolling ICE and their purchase of US citizen's air travel data.

          Protecting Kids from Social Media Act (Tennessee HB 1891)
          Sponsors Representative William Lamberth (R‑TN) 
          Requires: Social media platforms to verify users’ ages and obtain parental consent for under‑18 users; restricts retention of verification data; allows parental monitoring & time limits. Went into effect January 1, 2025.
      
          Utah Social Media Regulation Act (SB 152 & HB 311)
          Sponsors: Sen. Michael McKell (R) , Rep. Jordan Teuscher (R-District 44)
          Requires: Mandatory age verification for all users; parental consent and oversight for under‑18s; bans algorithmic targeting to minors; curfews; data‑privacy protections. (As of mid‑2025, enforcement blocked by litigation.) 
      
          The Walker Montgomery Protecting Children Online Act (Mississippi HB 1126)
          Sponsors: Walker Montgomery (R‑MS)
          Requires: Digital service platforms to verify age using "commercially reasonable" methods, obtain parental consent for users under 18, limit collection/use of minor’s data, moderate harmful content (self‑harm, grooming, etc.)
      
          Texas SCOPE Act (HB 18, “Securing Children Online Through Parental Empowerment”)
          Sponsors: Bryan Hughes (R-District 5)
          Requires: Platforms to verify the parent/guardian age if the account is for a minor; parental consent before collecting data for users under 18; content filtering for self‑harm, etc. Enforcement partially blocked by lawsuit. 
      
          Kids Online Safety & Privacy Act (S. 2073 – pending)
          Sponsors: Sen. Jon Ossoff (D-GA)
          Requires: Commission study into age‑verification technologies; does not mandate verification itself
      
          Utah Social Media Regulation Act S.B. 152
          Sponsors: Sen. Todd Weiler (R)
          Requires: Mandatory age verification, parental consent, time‑bed restrictions, limits on algorithmic recommendations; currently blocked in court 
      
          Mississippi Walker Montgomery Protecting Children Online Act (HB 1126)
          Sponsors: Representative Walker Montgomery (R‑MS)
          Requires: Age verification for digital services, parental consent, limits on data collection and harmful content moderation
      
          Georgia Protecting Georgia’s Children on Social Media Act (SB 351 / Act 463)
          Sponsors: State Senator Brandon Beach (R)
          Requires: Platforms verify age of new users; under‑16 require parental consent; schools to ban social media access 
      
          Virginia Amendment to VA Consumer Data Protection Act (SB 854)
          Sponsors: Sen. Schuyler VanValkenburg (D) , Sen. Lashrecse Aird (D)
          Requires: Requires age determination, parental consent for under‑16, limits usage to 1 hour/day unless overridden by parent, fines up to $7,500 per violation
      
          Louisiana HB 142 (and HB 570) Online Age Verification for Adult Content
          Sponsors: Representative Laurie Schlegel (R)
          Requires: Websites where ≥ 33% of content is adult must verify users are 18+ via IDs or transaction data; private causes of action allowed
      
          Ohio HB 96 (2025 law)
          Sponsors: Bryan Stewart (R-Ashville)
          Requires: Criminal penalties for commercial sites failing to verify adult content users 
      
          Iowa SF 207 / HF 864
          Sponsors: Kevin Alons (R-District 7)
      
          Texas SB 2420 (App-Store Age Verification)
          Sponsors: Angela Paxton (R)
      
          South Carolina HB 3405
          Sponsors: Representative Brandon Guffey (R‑SC) prefiled Jan 2025
          Proposed: Require app stores to verify age and obtain parental consent for minors; still pending
      
      
          Protecting Kids on Social Media Act (S. 1291 federal bill)
          Sponsored by: Senator Brian Schatz (D‑HI), Senators Tom Cotton (R‑AR), Chris Murphy (D‑CT), Katie Britt (R‑AL) 
          Requires: Social media platforms to verify user ages, prohibit access to under‑13s, block algorithmic feeds to users under 18, require parental consent for minors
      
          App Store Accountability Act (H.R. 10364 / companion Senate bill)
          Sponsored by: Rep. John James (R‑MI‑10); Senate version by Sen. Mike Lee (R‑UT) with Sen. Richard Blumenthal (D‑CT) 
          Requires: App store operators verify ages and obtain parental consent before minors download apps or make in‑app purchases; federal preemption and FTC enforcement


The war on the free internet is accelerating. Without real push-back to these dystopian laws and consequences for the people proposing and lobbying for them, you'll miss what will ultimately end up being a temporary anomaly of mostly unrestrained free flow of information. It's not a hypothetical scenario or something that will develop down the line, it's happening today, worldwide.

  • I heard from a friend last night that they were unable to see posts on X about current protests in their country because those were considered "adult" content which can now only be viewed after submitting to an ID check. Not porn, video of a protest.

    You're 100% right that it's happening today.

    • Sadly the old guard of free speech and privacy activists on the internet has long gone, drowned by a sea of unprincipled populist reactionaries - if their team decided that the content is "problematic", then they are entirely justified in censoring and punishing the speakers for daring to speak it, and entirely justified in protecting everybody else from having to suffer the horror of reading/seeing/hearing it, and it matters not whether the mechanisms are legal or ethical because the ends justify the means.


    • > Not porn, video of a protest

      Not commenting on ID checks but depending on the protest, some images can be violent and definitely "adult".

      I never understood why we go out of our way to "protect" children against seeing naked people, but real people in a pool of blood, nah, no problem. I think that people bloodily fighting each other for causes that I have a hard time understanding even as an adult may not be what we want children to be exposed to without control. Images of violence create a visceral reaction and I don't think it is how we should approach political problems, in the same way that porn may not be the best approach to sex, the same argument for why we don't let children access porn applies to political violence too.

      The point I wanted to make is that whatever your opinion is on ID checks to access to adult content, "adult" doesn't and shouldn't just mean "porn".


  • We are approaching a time when most of that free flowing information is LLM generated propaganda and advertising. The average person can no longer go on the internet and trust any of the things they see or read, so what's the value of such information? I would prefer the free internet of the 90s and 00s, but we're losing it even without these laws.

    • > We are approaching a time when most of that free flowing information is LLM generated propaganda and advertising. The average person can no longer go on the internet and trust the things they see or read

      The average person could never do that; critical evaluation was always needed (and it was needed for the material people encountered before the internet, too.) The only thing that is a change from the status quo ante in the first sentence is “LLM generated”.


    • There's still messaging between groups of people who already know each other and can verify each others' online identities offline.

  • It's in the UK, EU and soon to the US.

    The west is going to be less and less free.

    I'm sorry I feel the chill writing this, but I hope the hackers keep the flame alive.

    Hackers: keep giving the finger to regulators when they overreach. They don't get to make the future.

    • This reliance on hackers and other antisocial snowflakes in FOSS world is one of the reasons we are where we are.

      Political problems cannot be solved through technology or yet another forked FOSS project. They require political power, numbers and threat of violence to those in charge.

  • It's not a war.

    The population (especially the youth) is anesthetized by social media, shorts, fear-inducing news, economic hopelessness, climate extremes..

    In the meantime, everything is getting integrated - banks, tax systems, tech platforms. Now this age verification.. And of course, AI is being implemented everywhere so that no one can evade the big brother.

    As it stands now, this Internet is no longer salvageable imo.

  • > Without real push-back to these dystopian laws and consequences for the people proposing and lobbying for them

    If anything, I’m seeing more calls for internet regulation on HN and other tech places than in the past.

    Every time something is shared about topics like kids spending too much time on phones or LLMs producing incorrect output, the comments attract a lot of demands for government regulation as the solution. Regulation is viewed as the way to push back on technological and social problems.

    The closer regulations come to reality, the less popular they are. Regulation seems most attractive in the abstract, before people have to consider the unintended consequences.

    The most common example I can think of is age verification: Every thread about smartphone addiction comes with calls for strict age-based regulation all over the place.

    Yet the calls for strict age-based internet regulation generally fail to realize that you can’t only do age verifications on kids and you can’t do it anonymously. The only way to do age verification is to verify everyone, and the only way to verify that the age verification matches the user is to remove the possibility of anonymity.

    The calls for regulation always imagine it happening to other people and other companies. Few people demanding internet age verification for things like social media seem to realize that it would also apply to sites like HN. Nobody likes the idea of having to prove your identity for an age check to sign up for HN, they just want to imagine Facebook users going through that trouble because they don’t use Facebook and therefore it’s not a problem.

    • Engineers want some kind of regulation because they feel like computer systems, which they nominally control, are out of control, because of the business people's demands. They want the right to say no without having to have the consequences of saying no. But then when regulations come in, they're not about regulating business, they're about regulated interactions between people and business. And whereas the idealist sees a regulation as a chance to change things for the better, a regulator sees a regulation as a chance to preserve things as they were just before they became bad. (It takes a politician, not a regulator, to change things.)

  • They always start with "think of the children", but that's just the opening salvo. The wild west days of the internet are definitely behind us. We'll be lucky if we still have private personal computing in the future, or any semblance of free speech.

    • If we're to regain any ground here we need to adjust the messaging wrt terms like "wild west" - that's precisely the kind of terminology that scares the average voter into thinking the government needs to do something about this whole internet thing. We need to use patriotic and inspiring language, like "free" as in "free speech for the internet," or "safe and private" etc

  • There won't be any consequences if you expect them to legislate against themselves, or handcuff themselves and throw themselves into a cage.

    Let's stop beating around the bush. We all know this doesn't make any sense.

  • I'm not sure this old horror story still works. The things to be afraid of have changed too much and at a far larger scale than people then could comprehend.

    The "temporary anomaly" is one of perception. It was individuals talking to individuals. In terms of volume the world has never had this much free flow of information, and it's never been easier to transmit encrypted data within a group.

    At the same time the problem with letting the internet be without government means it pushes digital crack to all children, and an oligarchy of (natural) monopolies tightly control certain powers through systems like "sign in with Google".

    The options for companies to instead use a government backed digital identity seems like an obvious step forward if designed carefully enough.

    That requires the right mindfulness of people's rights, eg the right story. I just don't think the war on the free-internet narrative from 30 years ago is up for it.

    • But the "digital crack" isn't what the government wants to restrict from children.

      They want to stop children from accessing porn, which really isn't all that bad. Certainly it's not nearly as bad as wasting hours on perfectly legal social media and streaming sites.

  • It's not accelerating, it's over. We lost.

    • We didn't quite yet. We're still here, pretty anonymous, I'm sure your real name is not deadbabe :) IRC still exists where you can just pick a nickname from thin air. And most of these things will stay, underground. It's the commercial mainstream that will bow to this, sadly.


The European union never ceases to amaze me. Whatever happened to becoming less dependent on American corporations?

They flip flop on this stuff at least once a month, and the most annoying part is that they always herald everything they do as some new epoch-defining initiative only to quietly forget about it and do the opposite a few months later.

If nation states are dogs, then EU is the chihuahua: loud, proud and extremely ineffective.

  • Ineffective? Extremely so? From open borders to open roaming to the various legislation that my tiny country would never be able to force corporations into if we didn't have it at the EU level. Heck, the currency. There's so many aspects I take for granted in life and don't even think about anymore. I can just pay anywhere without thinking or conversion fees. Must have been amazing for trade though it's nearly as old as I am so I don't know how things were before. How in the world you come to a worldview of the EU being extremely ineffective, I cannot imagine. Are you from the EU?

    • > From open borders

      Better check on that.

      There was an article in the New York Times last week about how many E.U. countries have actually gone back to border checks. Most recently, Germany and Poland.


    • Ineffective against the US corporations.

      The European commission, the top of the EU's unelected and mostly unchecked bureaucracy, is currently suing its data protection office after it declared that its use of Microsoft 365 infringes data protection laws.

      I mean, the EU wants to force browsers to recognize its own web certificates, while allowing Google to selectively deactivate your phone's capacity to conduct ID checks. It's the same with the "EU Cloud initiative", that at the end was full of non-EU companies.

      The aim of the EU bureaucracy is not sovereignty, but extension of its power, nowadays called as "regulation". And when in place, it can't be removed, even if it's clearly self-harming.

  • Because of goomba fallacy.

    The EU is not a hegemonic state, but rather an economic supranational organization. France/Germany tend to be primary proponents of increased EU strategic autonomy, while Poland/Czech/Baltic states are less supportive.

    Similar to recent discussions of self-hosting, it's a tradeoff of autonomy/control vs efficiency.

  • > They flip flop on this stuff at least once a month

    Because in the background it's a French vs German vs Irish vs Czech vs $insert_eu_state business interests competing with each other.

    Notice how it's almost always French legislators and businesses that mention "domestic EU tech" and not Polish, Czech, Romanian, Dutch, or even German policymakers or businesses?

    That's why.

    National interests always end up trumping the EU in its current form. And for a large portion of the EU, American BigTech represents the majority of FDI (tech and overall).

    Japanese and Korean automotive players did the same thing with the US in the 1980s-90s in order to ensure their interests remained aligned (though the Plaza Accords did play a role)

    • France has some history in being disappointed by the US, so it doesn't really surprise me that France is beating the independence drum the loudest.

      https://www.youtube.com/watch?v=Px9qhDGv300&t=150s.

      (the entire video is interesting and informative, I've skipped it to the France-US specific part, up to about 11:02 where Australia is introduced as the US sycophant it is)

      Whether it's logical or not, offences past, even those thought forgotten, are easily recalled when under similar pressures.


  • On one hand, there is a will from some people to be less dependent.

    On the other hand, the EU bodies as well as national reps are besieged by lobbyists and diplomats, and without much backlash from constituents, it's very hard not to find someone that will do what you want. Just look at this former EC commissioner [1] working for Uber.

    Flip-flopping happens occasionally when the public catches up.

    [1]: https://www.ombudsman.europa.eu/en/opening-summary/en/181717

  • Trouble with your key strength being regulating is you need someone else to make stuff.

  • EU is a great chihuahua, authoritarian laws get passed, national politicians say that there's nothing they can do, but they benefit greatly from all the new possibilities of control over the internet.

    I mean.. great for the politicians, not for an average European.

  • You need to put yourself in the EU governing people's shoes for a minute. Their predecessors, who were from the WW2 and Silent generations, did not care about the free Internet because they relied on the large mainstream media consuming baby boomers. They had a direct line to them. But the boomers are between 60 and 80 and vanishing. The following generations are in panic mode.

    So until recently the "free" Internet did not matter politically in the EU. Tech was used to trigger color revolutions abroad where the demographics were younger.

    But now the unelected EU commission inherited that Internet things and are on the wrong side of it. Worse, almost everybody in the EU speaks English and listens to Joe Rogan & co. And while the US Gov might be able to control the Joe Rogan type the EU does not.

    So their only move is to crack down on the Internet and limit it with a Chinese firewall type system. But they obviously do not have the ability to do so without the capabilities of a US tech giant (remember their own systems are on Office 365, every phone is Android or Apple). And this would also be in the interest of the US because it would give them a solid control over the EU.

    Remember the first goal of a system is to survive and I do not see another realistic path.

    • > almost everybody in the EU speaks English and listens to Joe Rogan & co.

      Is this meant as a joke? It's not even remotely plausible.


  • 95% of Europeans are running American OSes today. Should age verification just wait 20 years for EurOS to be deployed?

For those wondering what the purpose is: https://ageverification.dev/Technical%20Specification/archit...

https://ageverification.dev/Technical%20Specification/media/...

Essentially, the core user journey is a privacy preserving "over 18" check. I suppose this prevents under 18's from accessing porn, in the same way that most blocking technologies impose an expense on everyone but fail to block tech-savvy children.

Doesn't seem like it could ever stop someone with a bittorrent client, unless you have to attest you are over 18 to even use bittorrent.

  • If they could have stopped BitTorrent they would have long ago.

    So no, this is totally ineffective. And it's not like there's actually a problem. There's no crisis of messed up kids or young adults. We all had access to porn in some form and we all turned out fine. I used to watch the late night pay tv which was just 'scrambled' by removing the sync signal. It was easy to put that back with some electronics chops. I saw my share of gangbangs and cumshots and I did not get messed up or get weird ideas. In fact I often get compliments I'm a sensitive and caring lover. I never do or push for the dirty porn tropes (unless she asks for them :)

    So did most of my school friends. Also video tapes got passed on at school and later CDroms (when the writable DVD came I was already an adult). We all had plenty.

    This is all to mitigate a "crisis" which doesn't actually exist.

    • I don't want to ban porn or anything but the problem has definitely become worse than when I was growing up. I have a zoomer roommate that had unfettered access to the Internet and has some trauma she's still working through. I think the intense age verification laws popping up are going to be a big net negative but I think something needs to be done. I just don't know what that is. Maybe educating parents and children?

    • There's a difference between passing on video tapes and having a pocket machine with an unlimited amount of adult content. Just my opinion, but I think it's worrying kids can access it in basically a few clicks.

      But I agree, forcing verification will not be effective enough, kids will find their way. The real solution is more education on this topic from younger age.

    • There is actually a crisis of messed up kids and young adults and access to porn is related to it, but in the opposite way. The thing that is messing up boys and girls is anti-male puritanism that condemns male sexuality as inherently degrading and evil.

      As girls grow up and become women, they become disinterested in men, due to the perceived danger. When boys grow up they become avoidant men who are scared of approaching and asking out women, due to the perceived risk of ridicule, shaming and legal action. This prevents the formation of stable marriages, which then culminates in low birth rates.

    • > There's no crisis of messed up kids or young adults

      This is objectively not true. Not to say that a porn ban combined with age restrictions would help, but it's just objectively not true.

      * Rise of incels as a thing, and even violence committed by them

      * Various loneliness epidemics

      * Rise of movements such as the 4B in South Korea, where women flat out refuse traditional relationships with men

      * the rises in STDs and teen pregnancies can probably be explained by other factors

      * The rises in various diagnoses (ADHD, etc.) and rates of sexual assault can probably be explained by just having more rigorous reporting and testing, as well as higher awareness, but the rise of specific types of sexual abuse (like a popular one, choking without consent, which can easily lead to brain damage) can be directly linked to its prevalence in porn

      * significant differences in opinion on equality and general political leanings between boys and girls

      That's not to say that porn is a problem, and removing it for <18 will magically make everything fine. But things are decidedly messed up for a lot of teens and young adults, and parts of that messed upness can be potentially inspired by porn, and "the manosphere". The second one is more important IMO.

  • >but fail to block tech-savvy children.

    If I were a kid, I could see myself downloading Opera GX and enabling the free VPN. It's probably not "tech-savvy" because the browser gets a lot of ad views on YouTube; it would be pretty obvious.

    • Or using a torrent. Or trading a fileshare with your friends. Or finding a box in the woods. Or finding dad's "tax returns" folder. Or getting on TOR. Or finding an open directory. Or asking AI to produce something.

      Basically anything other than going to a legally compliant website and trying to attach your mom's passport to the age verification app and doing the challenge.

  • I think social media does more damage than porn. We should just instead legislate that all social media has to shutdown and just let everyone watch porn and be done with it. Sure, you wind up with ED if you watch that stuff since you were a kid, but hey, if birth rates around the world are anything to go by, no one seems to really want to bring children into this world anymore anyway, so it's not as if that actually matters anymore.

    I think I have become far too cynical.

    • The one good thing (in principle) about a service like this is that social media is much more centralized, so this kind of system could put seemingly-effective age restrictions on social media. For example, no under-14's, or under-14 requires a supervising guardian and has other guardrails.

      But this still wouldn't stop determined kids from VPNing to another country to make their account, and wouldn't stop peer pressure on kids from bleeding to parents to help them.

  • It seems reversed, that the default is legal eligibility, and that minors should need to prove their status. They're the ones who need policing, after all, not us.

    For instance, it's not illegal for me to be served alcohol. If I'm not carded when being sold a drink, nothing illegal has taken place.

    If the lawmakers are being cowards and not saying they want to round up and ID all the children from birth until they are eligible to participate in the adult world, that's their battle to fight and not our burden.

  • So they are doing this to block the children that are able to “hack” their phones, from watching porn.

    Don’t know how to describe how insane this is

  • > Essentially, the core user journey is a privacy preserving "over 18" check.

    You cannot check age without breaking privacy; technically it is not possible. This is like a religious faith exercise, not science.

    What one reads in the specification is: first you install official software on your device, and the device becomes identified "as you" the first time you verify your ID and receive your unique internet ID hash, linked to your personal data at the identifier platform.

    In addition, your unique internet ID hash will become you, and each time a non-porn-related platform asks for it, you will leave a trace of who you are (as internet ID) with the platform (fingerprinting), and also of what you visit with the identifier platform.

    Yeah, I said non-porn-related platform, literally, because what we are reading here is about an Internet digital ID hash for each EU citizen.

    Let's be clear: if it were to protect children from porn, it would say "verify with the personal internet ID only for porn sites", together with all the adjectives derived from porn, exclusively, with specificity, nothing more.

    But what we are seeing here about this matter is deliberately open to interpretation, they say "platform that can be considered to be accessible to minors"... boom, What does this mean, News for adults? Criticise a corrupt government for adults? In my village this is called a back door trojan, because when they want they redact the directives, laws, with precision.

    Anyway, I invite the reader to take a look at the Digital ID directive on its own,

    https://eur-lex.europa.eu/eli/reg/2024/1183/ (2024)

    https://eur-lex.europa.eu/eli/reg/2022/2065/ (2022)

    After this, they only have to define progressively, frog cooking time, and increase the affected Internet platforms with obligatory identification, and then we will think that the Great Chinese Firewall was a children's game compared with this.

    The "it's to protect the children" political tactic to break privacy is quite old. In addition we should remember the other EU law about breaking the encryptions.

    My humble opinion.

    PS: Ironically, no more than two months ago I was saying that, as a European, I had freedom and didn't need tooling to circumvent something like Russian and Chinese censorship. Oh my... If I had known this. I was absolutely blind to what some people are trying to cook up.

  • I keep coming back to the actual solution being to keep kids off the internet period. If you are under 18, and online without some sort of adult supervision, we have failed you. Maybe that ship has sailed with so much coursework requiring online access, but I maintain that perhaps we should declare it lost at sea and try again.

    Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is *other people.* Other addictions still exist. Removing one vice without solving the underlying systemic problem merely shifts the goalposts, and everyone is up in arms about what a slippery slope that is for good reason.

    EDIT: Clarity here because I phrased that badly in a hurry: I'm in disfavor of internet access being a requirement for schoolwork, but I failed to set that context initially. If parents trust their kids enough with access, once they've reached a certain point of maturity, that's fine. I'm against technological age gates and I'm against removal of bad content from the net at large. Parents should decide when their kids are ready, and guide them appropriately.

    I will leave my original remarks unedited so the remaining discussion is sensible. (Sorry!)

    • > I keep coming back to the actual solution being to keep kids off the internet period.

      W T F ? ? ?

      > Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is other people.

      Bad news, Champ. Other people also exist off of the Internet. They always have. The world is not entirely safe. And that does not mean children shouldn't get to be part of the world.

      The main problem here is panicky idiocy.

    • While there are absolutely issues with kids coming across things they shouldn’t, I’d argue an equally large issue is parents buying into the delusion that they can keep their children contained within a bubble of perfect innocence until adulthood.

      That idea has never really been realistic short of keeping them isolated from society until 16-18 (which most would consider abuse), but it’s not even slightly possible today with how readily available information has become. It’s an inevitability that they will learn about the topics you’ve been avoiding and take on external influences you may not approve of.

      Now to be clear, I’m not advocating for letting kids run wild on the internet with no guardrails, especially earlier on. Guardrails are important, but it’s even more important in my opinion to try to stay ahead of what they may encounter by talking with them about those things so when they eventually run across it, they’re not flying blind and might even seek your guidance about the incident since they know you’re not going to get angry about it. That’s much more likely to bring positive outcomes than if they ran into these things without parental support.

    • Couldn’t disagree more. I watched my first beheading video at 13, let alone porn. I still remember it, Nick Berg. I think I turned out ok. My online freedom was largely why I became who I am.

      As for other people being the danger, there’s some truth to that for women. I have a daughter, so this will be a concern. But you know, she won’t die. Everyone goes through trauma. The key here is to make sure she feels comfortable enough to talk to me and to my wife before doing anything (too) stupid.

      I snuck out of my parents’ house to go see a girl when I was 16. Took my dad’s station wagon. On the way, some car tried to pass me and ended up hitting a big truck on the side. Truck was fine, I was fine, that fella was not. He ended up on the side of the road. Me and trucker just kept going. I still think about that guy a lot, because obviously the correct thing to do would have been to call 911, but I was a dumb 16yo who was out past midnight to go see a girl.

      Point is, if things went a little differently, I could have been the one who crashed, or even dead. But that doesn’t mean that the girl I was going to go see was somehow a threat to me. It means I was doing something dangerous.

      Again, this is easy to say as a man. The threat model for women is different. But prohibiting minors from the internet without supervision is totally absurd, and I feel bad for any parent who helicopters their kids like that.

      Ultimately your kid will grow up and have their own life. Do you want to be remembered as the parent who had them under lock and key in the name of safety, or as a parent who monitored from a distance and occasionally let them do stupid things so that they could learn from it? For me, the latter is far more preferable.

So many people advocating for this in HN and elsewhere when it's so clearly a draconian slippery slope for invasive surveillance and choice restriction. After these things get implemented people pretend it was always like this.

We don't need the governments to mass surveil us to protect us. We need them to sort the economy and stop invading countries and being deferential to corporate interests instead of the people they represent.

It's such an obvious push that if you don't want to see it, it makes me think you're shielding yourself to avoid contending with the reality: These politicians and govs all around, including the countries you claim "work" are absolutely power hungry and beholden to interests other than yours and will push for as much total surveillance as they can, including as much curtailment of freedoms as they can.

Obviously that won't mean elites will actually face justice or crimes will actually be solved because more surveillance is not accompanied with more government transparency, quite the opposite and bigger and more powerful bureaucracies, with more authoritarianism, allow for easy hidden exceptions that you can't question.

It's nothing new. Corruption is common. It's just mediocre to see "hackers" pushing for it just because the government and corporations tell them to, because foreign country bad, bad social media influences kids, drugs, word-ism, etc.

  • At the time this comment was posted there was only one other comment in this entire thread.

    You say “so many people are advocating for this in HN” but this thread was empty except for one other comment (which was also critical of this) at the time you posted your comment.

    • I think if you use critical thinking to read you may easily find I'm talking about my experience with reading comments in relation to imposing age verification for online access, which means digital ID for internet access.

      HN and even the GitHub comments mostly start with the assumption that of course we should do this. Of course we should restrict social media to under 16/18s and either are in favor of ID to access the Internet or pretend it won't happen by consequence of this.

      Now try to address what I said instead of poorly calling me out.

  • It's just information. Data. Bytes. We need a proper George Orwell for the digital age.

    The internet used to be a bastion of freedom. That era ended around 2005.

  • I don't think you are fully wrong, but the issue is your rhetoric is very much used by conservatives or "both sides are bad" which are just mask-on conservatives who end up voting the same way. And the problem with conservatives is not really the ideals and ideas, but the fact that they vote Republican (or whatever the equivalent party is in other countries), that all pretty much are the exact opposite of those ideals.

    Age verification is already a thing IRL, there is no reason to not extend it online considering so much of our lives is digital. Overall I think anonymity should be reduced on the internet in general - a big reason of the world issues, especially in USA is that ideas can grow in forums where people under ethereal identities can tell lie after lie without any repercussion.

    • How can you criticize those for voting Republican when you're advocating for the extremely authoritarian and dystopian position of banning anonymous discourse online?

    • > a big reason of the world issues, especially in USA is that ideas can grow in forums where people under ethereal identities can tell lie after lie without any repercussion.

      See, I wouldn't have as much of an issue if you were honest about this real intention, because of how on the nose it is to reasonable people.

      The idea that I will have to upload 3D models of my face and ID, or get permission from Google, just to go online because you don't like the idea of someone else's kids using the internet is absurd.

      Please stop using appeals to children in your quest to "stop ideas from growing".

    • > Age verification is already a thing IRL, there is no reason to not extend it online considering so much of our lives is digital. Overall I think anonymity should be reduced on the internet in general - a big reason of the world issues, especially in USA is that ideas can grow in forums where people under ethereal identities can tell lie after lie without any repercussion.

      Ah yes. Anonymity is the only thing that enables dishonesty and of course it's the government's moral duty to regulate it.

      Once anonymity is banned, the world will be honest and good and True and we'll all look back on the Bad times thinking how silly we all were.

      The best part of Minority Report was the way everything constantly tracked identity through retinal scans; I can't wait for the future!

  • > it's so clearly a draconian slippery slope for invasive surveillance and choice restriction

    It's a privacy preserving over 18 check.

    Is it a "slope"? Sure, you can imagine an extension to the system that is "worse".

    Is it "slippery"? This thing isn't draconian enough to be effective. It will be a minor speedbump that prevents exactly zero determined under-18's from accessing anything that they'd want to. So then the question is, does the government react by trying something more draconian, or does it give up?

    • Things like this are a pain in the ass for GrapheneOS users. It's not great to get locked out of legitimate usage of things when using an OS that actually puts privacy first.

    • Do you really think this will stop there? Websites need to contact an attestation server and the EU can just ban verification for any website they don't like.

Unfortunately this isn't the first time a government has banned Android devices which are not licensed by Google. GrapheneOS has a list of them[1]

[1] https://grapheneos.org/articles/attestation-compatibility-gu...

  • The Austrian ID App was also blocking GrapheneOS due to SafetyNet verification...

    After a lot of angry emails towards the helpdesk, they at least changed it, so a failed check only shows a warning that you can accept.

  • For Authy I don’t even feel sorry. Proprietary TOTP. sorry for off-topic

Asking my EU friends, why do you let yourselves be bamboozled by the US tech companies when you’re totally capable of doing it yourselves?

Seriously. You don’t need Google. You just need a plan and a will to execute.

  • It is amazing. All the US companies have to do is dangle a “free” solution and the EU will go for it, and then be all surprised pikachu at the terms they agreed to.

  • EU isn't at all capable of doing that because it's not a hegemonic state, it's just a bunch of countries coming together to coordinate on doing stuff.

    My guess on what happened this time is, people were tasked to implement a way to verify age anonymously and this was the only feasible way to do it because of their constraints that don't allow them to do bigger stuff that China or USA will be able to do through having the budget and enforcement power.

    • I don’t disagree, my argument is why continue? The scientific method is thrown out the window. Age verification, oh you need the cooperation of member nations of the EU, ok, wait, everyone has different systems, ok, new objective - standardize the systems so we can do age verification like we want.

      I know politics isn’t logical but if you keep drilling down the root cause, eventually you’ll hit bedrock.

  • Regulation and lack of capital. Just read the report from Mario Draghi if you don't believe me.

    We have EU regulations, those are much tighter than in US, on practically every front. Labor, finance, environment, data, AI, you name it, we have it regulated. And then you have the country level regulations on top. That's right, EU sets the floor, not the ceiling.

    Suppose you have a start up in Poland, you have managed to get funding and you are offering services in your country. You want to do that in Germany? Get ready for complying with new set of regulations. And you better hope that individual German states don't have something extra on top of those.

    All of those regulations have purpose, it is possible that they were designed by well meaning people and bring some benefit. But their compound effect is catastrophic. It is not that you can't push trough, you can, just look at Kiwi or Mikrotik. But it's an uphill battle and your competition from overseas has it so much easier, that they can end up outgrowing you, and eventually buying you out.

    • What’s the point of regulations when you’re being bent over by US Tech? You can’t say there’s regulations and then give it all to a monopoly…

  • Because most politicians in most countries (even most dictatorships) feel that interfering with the free market is too radical. They feel it's fickle and too risky to upset.

    Anyway, if a government tried to make a European smartphone design, it would be treated as any other government supply contract, resulting in a terrible design-by-committee. So in the end, all politicians are willing to do is wait around and say "someone should do something".

    It's actually a little better than that. One thing they can do, and have done, is make funds available for individuals and small groups who want to have a go themselves. Notably NLnet funds a lot of projects. They're all small projects though so they're not really capable of displacing megacorps in the free market. Stuff like MNT hardware remains niche hacker stuff.

  • Lack of capital. Fear of consequences.

    Google rolls into town and wants to spend half a billion euro on a datacenter? Sure thing. They'll say that it'll boost the local economy while being built - by creating a couple of thousand jobs for the contractors that are going to build and maintain it, and then some onsite jobs for the next decade or two, creating a couple of hundred jobs for techs / engineers.

    And as long as they keep playing ball with google, projects like that will pop up once in a while. If you're difficult, there's also a risk of the rich tech companies taking their business some other place.

    With that said, I've recently noticed more voices for building our own stuff - as there's a real risk that US tech companies will simply comply if pushed enough, say, by a POTUS that's out for blood and wants to hurt certain foreign users. Ban/lock out certain users from gaining access to software, turn off their infrastructure, etc. who knows.

    But, alas, there just isn't the same willingness to pour in capital on the important things. For private investors it doesn't make much sense, unless they have a bulletproof contract with domestic users willing to buy their service - and using state funds isn't too popular, either.

    Truth be told, any of the big tech businesses can undercut any competition, and probably build better and faster. If anything, it could be the case for tariffs - outsourcing critical infrastructure will leave you very exposed. If European countries all over the board started to abandon US tech companies, they'd cry to Trump, who in turn would probably start a trade-war.

    • Now replace Google with an EU company doing it in the EU for EU jobs and everything you described. It’s not like money only comes from the US.

      You are right to be worried. US companies under this administration can’t be trusted to follow the law. Why should they, when our commander in chief isn’t and has a panel of judges who let him do whatever. Just the other day he suggested Obama be investigated for treason. So yeah, we’re toxic, and you all should seriously quarantine yourselves.

  • It's largely a political issue. At this stage you can't create alternatives to Google and other U.S. tech giants without removing them from the market (so essentially the Chinese approach, which has allowed them to build their own massive tech giants). But that path is nearly impossible for the EU due to the risk of U.S. retaliation. The EU can't even implement a digital tax.

    You also can't just say, "Here's a few hundred billion in public support to create alternatives to U.S. tech giants", because the U.S. would argue that it's unfair state aid and retaliate.

    There isn't enough private capital in the EU with the risk tolerance required to take on such a challenge independently.

    We also lack a reserve currency like the USD, so we can't print $2 trillion a year, much of which ultimately flows into the U.S. stock market and further boosts U.S. tech companies, making competition even harder.

    EU markets are already fully penetrated by U.S. behemoths that can either withstand or acquire any privately funded competitor, thanks to their massive cash flows and valuations.

    For all these reasons, the outlook isn't very promising.

    • >>There isn't enough private capital in the EU with the risk tolerance required to take on such a challenge independently.

      That can be improved by making traditional investments (real estate, land) less attractive while making investments into businesses more attractive. You just need to change tax incentives by removing capital gain tax and introducing real estate/land value tax (or raising it). Removing red tape would help as well and then making the common market really common.

      As it is there is very little incentive to invest in companies here.

    • Russia can do it. Thinking EU can’t shows only how low the self esteem is. And it’s a very sad story. EU needs to wake up sooner rather than later.

    • What outlook? What planet are we on? Why are we debating who makes better handcuffs? Do E.U citizens prefer their handcuffs be made in Europe? I'm so confused.

  • The only will you get from EU is to protect incumbents and the only plan is to make another centrally planned fund that distributes money to chosen entities. EU is very good at removing the carrot while wielding a big stick for would be entrepreneurs.

  • Because national interests always end up trumping the EU in its current form.

    American companies like Google [0][1], Amazon [2][7], and Microsoft [3][4][5][6] have spent billions in FDI and hiring, thus building strong relationships with EU states like Ireland, Romania, Poland, Finland, Sweden, and others, but French and German competitors haven't (or don't exist depending on the service or SLA).

    This means a significant portion of EU member states have an incentive to maintain the relationship, because the alternative means significant capital outflows. A Polish legislator doesn't have to answer to French voters, so they will incentivize the relationship with BigTech. Thus, these nations will lobby tooth and nail against destroying the relationship.

    It's the same reason Hungary courts Chinese FDI [8] and enhancing the Sino-Chinese relationship as leverage against the EU pushing too hard [9].

    [0] - https://www.gov.pl/web/primeminister/google-invests-billions...

    [1] - https://www.gov.ie/ga/an-roinn-fiontar-turas%C3%B3ireachta-a...

    [2] - https://www.aboutamazon.eu/news/job-creation-and-investment/...

    [3] - https://centraleuropeantimes.com/microsoft-google-invest-big...

    [4] - https://www.reuters.com/technology/nordics-efficient-energy-...

    [5] - https://www.idaireland.com/latest-news/press-release/an-taoi...

    [6] - https://www.government.se/articles/2024/06/prime-minister-to...

    [7] - https://aws.amazon.com/blogs/industries/cloud-technology-emp...

    [8] - https://hungarytoday.hu/hungary-seeks-to-stay-leading-europe...

    [9] - https://theloop.ecpr.eu/hungary-and-the-future-of-europe/

  • Don't kid yourself, the US is going to war against anyone that tries to regulate big tech as we are seeing with the US government going against Brazil and the Pix payment system

  • No it doesn't work that way. That's a lot of political will for little monetary gain. Don't forget that countries in EU are still quite capitalist and many of the bigger companies have huge investments in the US. EU itself is a quite neoliberal org too. It has all sorts of forced privatization laws.

    The post WWII doctrine of US that's applied in Europe is strengthening the bigger businesses. Those businesses use US tech since investing in an actual European tech sector is expensive. Especially after all the first players took critical positions.

    The time to invest in that sector was in the 80s and 90s. Europe had a different relationship with the US and it was trying to entice small ex-Soviet states to join, so they can exploit the cheap labor. So nobody actually invested in local tech sector.

    It is now an uphill battle that'll cost more than the original investment. Only countries with a strong urge for independence, like France, are willing to fight it. Most of the EU countries are not.

  • Where do you get from that we are capable of doing it ourselves? All EU-made software I've used was terrible, and the one that was a bit better than terrible was bought by a US company.

    • Where do you live? I live in Sweden and I have used a lot of not so bad software from Sweden. Maybe it's just your country, but at least in Sweden the government can make software for its services that works well, better than what I've seen from the US government.

      > and the one that was a bit better than terrible was bought by a US company

      But here you say EU can make great software? Just that USA then buys it. So we should just ban USA from buying our great software companies, is that what you are saying?

    • Most closed source US software is garbage too. Some stuff, like Steam, is beloved anyway. But actually the program itself is terrible and slow even on decent computers.

      Struggling to think of corporate produced software that doesn’t suck. iOS Safari is ok, I guess.

    • At least in Norway, the user-facing state services are good. They used to suck, but are now good.

      I can do most anything online, haven’t had to physically visit a gov office for years, outside voting and getting a new passport photo. And everything just works.

      Edit: and before anyone points out that we’re not in EU, yes - but we’re in the EEA.

Ugh. There's just no winning with tech anymore.

I use GrapheneOS as a daily driver and I absolutely love it. It should be the default. There's already one app I use that must do something similar and absolutely just won't run on it, so I have an entirely separate phone running stock Android just for that one app. Still worth the hassle.

Glad I don't live in a place where all this madness is taking root, but still, the trend itself sucks.

  • By design, this app isn't mandatory. There should be an alternative way to do age verification. If you can't access a service because you can't run the app, the service fucked up.

    Furthermore, there's nothing stopping the governments implementing these standards from permitting GrapheneOS' signature. It's one of the ROMs that actually has a reliable signature so unlike random images from XDA there's a case for it to be permitted. Google's integrity check isn't just a binary check, it's a combination of a hash and a pre-defined list of suggested acceptable hashes.

    • > By design, this app isn't mandatory. There should be an alternative way to do age verification. If you can't access a service because you can't run the app, the service fucked up.

      So you complain to the service, they either ignore you or tell you to use the app, and then what? They are not breaking any law as far as I can tell.

      And even if it was, class actions in Europe are close to inexistent, and it's not worth it for any one consumer to take the multinational running the service to court.

      > there's nothing stopping the governments implementing these standards from permitting GrapheneOS' signature

      incompetence and/or not caring

    • Alternatives to legal identification requirements being available isn't my experience. How do you even imagine that? Going to a local post office to show an ID anytime you want to open pornhub and your i_am_adult=token cookie has expired?


  • The only winning move is not to play the game. One has to have a phone these days but you don't have to do your computing on it (during personal time). Use a real computer instead.

  • It's not a tech issue, it's a regulation issue.

    EU wants to push more control on the internet, today it's "think of the children" but when the infrastructure is rolled out, it'll be "real name verification" on social media, chat control, etc.

    Whoever is pushing this in EU has to be removed before things will get better.

    • Luckily France is part of the EU. They seem to have better removal tools than the rest of us.

This has nothing to do with age verification, but everything to do with identifying users on various services. They can compel the providers of said services to give them access to how each, now identified, user is using the service. Since a lot of our lives are digital, this is a major transfer of power from the people to a select few.

A question I have is who voted for this? I sure didn't.

  • It's called representative democracy and it's been in crisis for some years now.

    • The European Commission is unelected. The European parliament can't choose which laws it wants to vote on. This is a simulacrum of democracy.

  • > They can compel the providers of said services to give them access to how each, now identified, user is using the service.

    The whole point of this is that they can't, which is unlike the systems they had used before. The only information that the service provider receives is that an age check has passed.

Without getting into the ideological weeds too much, is there a solid technical reason for this? Like if this verification wasn’t in place, could I just alter the source code or binary to always return “yes I’m 18” (or whatever) and completely subvert the intent of this tool? If so, is there a straightforward way to prevent this without involving Google?

  • > if this verification wasn’t in place, could I just alter the source code or binary to always return “yes I’m 18” (or whatever) and completely subvert the intent of this tool?

    Kinda, yes.

    (slightly simplifying the mechanism here)

    This seems to be based on the EU Wallet project, which is still work in progress. The EU wallet is based on OpenID (oidc4vci, oidc4vp). The wallet allows for selective disclosure of attributes. These attributes are signed by an issuing party (i.e. the government of an EU country). That way a RP (relying party) can verify that the data in the claim (e.g. this user is 18+) is valid.

    However, this alone is not enough, because it could be a copy of that data. You can just query a wallet for that attribute, store it and replay it to some other website. This is obviously not wanted.

    So the wallet also has a mechanism to bind the credential to a specific device. When issuing a credential the wallet provides a public key plus a proof of possession of the associated private key (e.g. a signature over an issuer-provided nonce) to the issuer. The issuer then includes that public key in the signed part of the credential. When the RP verifies the credential it also asks the wallet to sign part of the response using the private key associated with that public key. This is supposed to prove that the credential was sent by the device it was issued to.

    Now this is where the draconian device requirements come in: the wallet is supposed to securely store the private key associated with the credential. For example in a Secure Enclave on the device. The big flaw here is that none of this binding stuff works if you can somehow get access to the private key, e.g. on a rooted phone if the wallet doesn't use a secure enclave or with a modified wallet app that doesn't use a secure enclave to store the private key. You could ask a friend who is 18+ to request the credential, copy it to your phone and use that to log in.
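The key-binding flow described in the comment above, as an added sketch that is not part of the original comment or of the EU wallet code. It uses Ed25519 from Node's built-in crypto module in place of the real OpenID4VCI/OpenID4VP message formats; every function name, the `cnf` field layout, the one-hour lifetime and the example origins are assumptions.

```javascript
// Added sketch of holder key binding. All names are hypothetical; this is not
// the EU wallet's code or wire format.
const nodeCrypto = require('node:crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
const randomNonce = () => nodeCrypto.randomBytes(16).toString('hex');
const sign = (privateKey, msg) =>
  nodeCrypto.sign(null, Buffer.from(msg), privateKey).toString('base64');
const verify = (publicPem, msg, sig) =>
  nodeCrypto.verify(null, Buffer.from(msg), nodeCrypto.createPublicKey(publicPem),
    Buffer.from(sig, 'base64'));

// --- Issuer: stands in for a member-state authority ---
function createIssuer() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const publicPem = publicKey.export({ type: 'spki', format: 'pem' });
  return { publicPem, privateKey, pendingNonces: new Set() };
}
function issuanceNonce(issuer) {
  const nonce = randomNonce();
  issuer.pendingNonces.add(nonce);
  return nonce;
}
// Issue only after the wallet proves possession of the key being bound.
function issueCredential(issuer, holderPem, nonce, proof, nowSec) {
  if (!issuer.pendingNonces.delete(nonce)) throw new Error('unknown issuance nonce');
  if (!verify(holderPem, nonce, proof)) throw new Error('bad proof of possession');
  // The holder public key (cnf) sits inside the issuer-signed payload.
  const payload = JSON.stringify({ age_over_18: true, cnf: holderPem, exp: nowSec + 3600 });
  return { payload, issuerSig: sign(issuer.privateKey, payload) };
}

// --- Wallet: privateKey stands in for a key held in secure hardware ---
function createWallet() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { publicPem: publicKey.export({ type: 'spki', format: 'pem' }), privateKey };
}
function enroll(wallet, issuer, nowSec) {
  const nonce = issuanceNonce(issuer);
  const proof = sign(wallet.privateKey, nonce);
  return issueCredential(issuer, wallet.publicPem, nonce, proof, nowSec);
}
// The holder signature covers the RP's nonce, the RP's identity and the credential.
function present(wallet, credential, nonce, audience) {
  const bound = `${nonce}|${audience}|${sha256(credential.payload)}`;
  return { credential, holderSig: sign(wallet.privateKey, bound) };
}

// --- Relying party ---
function createRelyingParty(audience, issuerPem) {
  return { audience, issuerPem, openNonces: new Set() };
}
function challenge(rp) {
  const nonce = randomNonce();
  rp.openNonces.add(nonce);
  return nonce;
}
function verifyPresentation(rp, presentation, nonce, nowSec) {
  if (!rp.openNonces.delete(nonce)) return 'rejected: nonce unknown or already used';
  const { credential, holderSig } = presentation;
  if (!verify(rp.issuerPem, credential.payload, credential.issuerSig)) {
    return 'rejected: issuer signature';
  }
  const claims = JSON.parse(credential.payload);
  if (claims.exp <= nowSec) return 'rejected: expired';
  const bound = `${nonce}|${rp.audience}|${sha256(credential.payload)}`;
  if (!verify(claims.cnf, bound, holderSig)) return 'rejected: holder key binding';
  return claims.age_over_18 === true ? 'accepted' : 'rejected: claim';
}

function runScenarios() {
  const now = 1700000000; // constructed timestamp
  const issuer = createIssuer();
  const rp = createRelyingParty('https://shop.example', issuer.publicPem);
  const wallet = createWallet();
  const credential = enroll(wallet, issuer, now);
  const result = {};

  const n1 = challenge(rp);
  const p1 = present(wallet, credential, n1, rp.audience);
  result.honest = verifyPresentation(rp, p1, n1, now);
  // The same captured response against a spent nonce, then against a fresh one.
  result.sameNonceAgain = verifyPresentation(rp, p1, n1, now);
  result.replayedResponse = verifyPresentation(rp, p1, challenge(rp), now);
  // Credential copied to a wallet that holds a different key.
  const n3 = challenge(rp);
  result.copiedCredential =
    verifyPresentation(rp, present(createWallet(), credential, n3, rp.audience), n3, now);
  // Response that was produced for a different relying party.
  const n4 = challenge(rp);
  result.wrongAudience =
    verifyPresentation(rp, present(wallet, credential, n4, 'https://other.example'), n4, now);
  // The limit the comment points out: if the private key can leave the device,
  // a copy is indistinguishable from the original to the relying party.
  const n5 = challenge(rp);
  result.exportedKey =
    verifyPresentation(rp, present({ ...wallet }, credential, n5, rp.audience), n5, now);
  const n6 = challenge(rp);
  result.expired =
    verifyPresentation(rp, present(wallet, credential, n6, rp.audience), n6, now + 7200);
  return result;
}

console.log(runScenarios());
```

The nonce stops a captured response from being replayed, while the `cnf` key stops a copied credential from being presented; neither check can tell whether the bound key is still inside the hardware it was generated in, which is the gap the device checks are meant to cover.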

    • What if I refuse to buy a device with a secure enclave that I don't have access to? Am I now censored from a chunk of the internet?

      Is the EU essentially foisting a someone-else-owns-your-keys regime onto their citizens?


    • > You could ask a friend who is 18+ to request the credential, copy it to your phone

      Oh no! Imagine you find a willing adult who does the verification on your phone. The whole system is moot!

      Don't need "copy" here for that. They can just do the verification on your device without any technical tricks


    • Even if the private key is perfectly bound to the device and can't be copied, can't you still just ask a friend who is 18+ to scan the QR code on their device and verify age? I don't see what problem these device requirements solve exactly, unless the plan is to somehow criminalize verifying on behalf of other people

    • > You can just query a wallet for that attribute, store it and replay it to some other website.

      Uh, replay attacks are a solved problem in pretty much any industry standard challenge-response authentication, including OpenID. Am I missing something?


  • The tool could have a mode where it just reads the cryptographic chip in your ID card via NFC and passes on the information to the verifying party. This information is signed by your government and they could verify it with the public key

    Instead, they're trying to shoehorn your device into providing the same safety level and, in doing so, making it by design impossible for you to control your own device. Obviously if the sites trust a device that you control, you can make it tell them anything. The ideological part is that it's not your device anymore then and imo we should oppose that. The technical solution is to use the hardware security chip you already have with a reading mechanism that (nearly?) every smartphone already has and even works on any OS that can run a USB NFC reader. It could be an entirely open standard

  • I'm pretty sure all you need is the ability to login to a website and for that site to vouch for your age based on having examined your identification documents (or something like a network of PGP web-of-trust type notaries). I have a hunch that using a hardware token and biometrics is required to prevent fraud (FIDO and passkeys etc should work). The trick is preventing simulated tokens from existing/working which is where secure boot etc enter the picture.

    • Can you clarify what fraud you're thinking the "secure boot" (which I take to mean: being denied the access to control your own device) would prevent? Since the identity documents you already have, have this chip that works the same as your bank card, you really don't need a relaying party (your phone, your ISP, etc.) to be trusted for the receiving website to be able to verify the cryptographic signature on the data


  • Yeah it’s sort of like all the apps that would refuse to run on a jailbroken iPhone.

    Basically on such a system you can potentially manipulate the process. Here that would probably be to install the credentials of someone else on the device.

    So they want a locked down OS environment where user does not have root privileges and software has to be verified (in this case by Google) to be installed.

  • You would need to release a kernel and OS that requires users who modify the attestation and hardware token components of it to provide their own signing key rather than your production EU-registered one, chained back to the HSM signature emitted by the phone’s HSM signed bootloader; and then you would simply let the app check that its secure boot attestations chain to a secure bootloader/image/OS triplet that’s on file with the EU. Mix in some tech spice for the EU to prohibit OS releases that are validly signed but whose specific instance of a signature is found to be exploitable to bypass age checks and you’re set. None of this would prevent users from modding their devices, any more than macOS prevents modifications today if you turn off the security protections; but once you turn off the security protections, it can no longer attest with Apple’s signature because your modifications don’t match the signature any longer, and so Apple Wallet is inaccessible.

    None of this prohibits users from modifying their bootloader, kernel, or OS image; but any such modification would invalidate the secureboot signature and thus break attestation until the user registered their own signatures with the EU.

    The EU currently only transacts with Google in this regard because, as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining live in production end-user devices in the decades since Secure Boot came onto the scene. All it takes to change that is an entity who has sufficient validity to convince them that outsourcing permitted-signature verification to Google is unethical, which it is.

    It’s a safe bet that Steam Linux was already working on this in order to attest that the runtime environment is unmodified for VAC and other multiplayer-cheating prevention systems in games — and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

    The vendor lock-in here is that Apple and Google and, eventually, Valve, are both willing to put the weight of their business behind their claims to the EU that they do their best to protect the security of their environment from cheaters, with respect to the components required by the EU age verification app. The loophole one could drive a truck through that the EU has left open to break that lock-in in the future? Anyone can petition the EU to accept attestations from their own boot-kernel-OS chain signatures so long as they’re willing to accept the legal risks visited upon them if found to have knowingly permitted exploitation for age check bypasses, or neglected to respond in a timely and prudent manner when notified of such exploitability by researchers — and if the EU rejects their petition improperly, they’ll have to answer for that to their citizens.

    • All of this assumes that the device, a relaying party for your identity document, needs to be secure in the first place. We don't attest the OS of the router and your ISP before being allowed to use them to relay this information to pornhub. Why does your phone need to be under a third party's control just to relay information that the government already signed onto your NFC-enabled identity documents?

      But even if you were to want user's phones to be roots of trust...

      > as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining

      GrapheneOS does that. They guarantee this more than Google because Google allows devices with known vulnerabilities: https://grapheneos.social/@GrapheneOS/114864326550572663 (rest of the thread is worth reading, too)

      Using Google Play's instead of Android's attestation framework means that nobody else ever could enter this market indeed, no matter how secure the OS

    • > None of this prohibits users from modifying their bootloader, kernel, or OS image;

      ... unless they don't want to turn their device into a boat anchor that nothing else will talk to. It's not going to stop with age verification.

      Counterproposal: fuck attestation, and fuck age verification. Individual users, not corporations, associations, or organizations, get to use any goddamned software they want any time they want for any purpose they want, and if you set up some system that can't deal with that, tough beans for you.


    • > that bothered to implement hardware-to-app attestation chaining live in production end-user devices

      This is why it's important that initiatives like Web Environment Integrity fail. Once the tools are in place, they will always be leveraged by the State.

      > and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

      I hope that Valve pays no mind to this nonsense and continues to allow art to be accessible to anyone.


I am not sure if I am more disturbed by the user journey they want to introduce for accessing websites or the fact that a private company (american, chinese, I don't care) has to become the gatekeeper to let me in.

Who the hell wants this Internet...?

  • > Who the hell wants this Internet...?

    The under educated, unthinking unwashed masses. Just look at the tea leak. The amount of people that do not care about freedom or privacy on the internet vastly outnumber those that do. And because they do democracy unmasks itself in the digital realm as the tyranny of the unthinking majority.

    Weep for the future.

  • The lazy middle class who don't like to take the responsibility of actually contributing to their community and running their family.

    ps: Had to add this post after the others identified the low class and the upper class as responsible for this ;). But depending on where you are, the low class might not be "the masses".

  • Politicians and their buddies scared of having lost control of mass media.

  • Well meaning nordic liberals? They have been pushing chat control, I assume this is their idea as well.

I'm getting pretty tired of the EU trying to shove internet-crippling regulations down my throat. This, along with ChatControl, is clearly a path towards totalitarian control.

Who are the politicians making these decisions? How did they get elected? Did anyone vote for Totalitarianism 2.0?

  • Politicians are all that stands between corporations and absolute corruption. It's why they're both their primary target and the ambition of greedy people.

  • > I'm getting pretty tired of the EU trying to shove internet-crippling regulations down my throat

    And I'm getting tired of people pulling out pitchforks without reading anything. This is how democracies end up electing people like Trump. There are no regulations to require age verification here. The EU is simply giving guidelines for implementing harmonized age verification across the EU if any member states or companies that do business in the EU want to use it instead of making people scan ID cards like they currently do and making the receiver of said scans have to understand updates to the designs of the various ID cards used throughout the EU.

    • Oh come on. You know exactly where this is going. Porn and social media will require age verification before you can say "who voted for this?".


  • Governments are reflection of their people, like it or not.

    • Are they, though? The people don't elect the European Commission. The European Council selects candidates and the European Parliament can vote for them. The people in the European Parliament are often politicians who no one knows but sort of vote for because they're associated with their preferred party.

      I don't recall any party campaigning on reducing internet freedoms.

What kind of services will use this app?

Unless their governments start issuing Android devices to all of their citizens, I don't understand how they can require use of this app for anything official.

  • > Unless their governments start issuing Android devices to all of their citizens, I don't understand how they can require use of this app for anything official.

    Not sure who you mean by "they" but you already cannot use a lot of governmental services unless you have an Android or iOS device (at least in Austria). At least in practice that is almost impossible.

  • They don't require the app for anything official. Uploading (partially redacted) scans of your ID like you would be obligated to today, or physically verifying your age for things like alcohol delivery, should also suffice.

    • > Uploading (partially redacted) scans of your ID like you would be obligated to today

      Redacted, I wish...

      To vote in the upcoming election, I was asked to upload an uncensored copy of an identity document to the website of the municipality of The Hague

      To keep the domain I registered in 2014, the French TLD required me to send them the same thing by unencrypted email a few months ago. I tried sending a link to a PNG so it wouldn't linger in their inbox forever but they absolutely required it to be an attachment

      To buy a prepaid card in Germany, I was required to show an uncensored identity document. I had put a tiny piece of tape over only the burgerservicenummer that the Germans can't make use of anyway because it's the Dutch numbering system that's beholden only to specific authorities

      There's scarcely anyone who appears to know what EU legislation says on identity numbers. The Dutch government themselves apparently don't

A while ago, when the topic of the EU digital ID was brought up, I said clearly that this was going to be shit-show and that the intent was going to use this as tool to muzzle the population.

It turns out I was right. This is the intent. First require digital ID to access content/post anything on social media, then make it impossible to use said ID outside of the walled garden of Android and Apple, then tie this digital identity to your real world ID and make sure it can be revoked at anytime by the powers that be.

Bonus point, make sure everything you say or do is stored for unlimited access by law enforcement to protect the democracy(TM) or protect the children(TM).

If that is not a slippery slope, then I don't know what it is.

I also pointed out that creating a database of everyone in the EU containing a lot of PII in terms of religious preferences, sexual preferences and so on is the stupidest idea that anyone could have considering that this tool could be used by the next parties in power to hunt down political/religious opponents.

Nobody can say that they did not know.

The problem isn't being handcuffed by Google or an American company, it's being handcuffed at all. Is it some kind of psychological coping skill to misdirect from the obvious problem (an age verification app that bans user software preferences)?

Who cares if it's Google or an American company. The point is you decided to let the E.U dictate what software you can run on your phone.

It's absolutely abysmal that the EU and UK are implementing laws relating to age verification requirements.

Who voted for this? Who asked for this?

  • Unfortunately many more people than you might think are in full support of this type of thing. The UK in particular is a very nanny state and this is sold as protecting children. You're not against protecting children, are you?

    • It is a rhetorical appeal to emotion, which is used to override rational debate, discourage criticism, and create false dichotomies, e.g. "you're either with the children, or you're with criminals".

      This "think of the children" rhetoric targets encryption, anonymity, decentralized platforms, and private communication channels like messaging apps, VPNs, Tor, etc. It is nasty. Keep in mind that it does not actually prevent child exploitation and grooming. Most of the pedophiles are on Discord and Roblox anyways.

      In any case, there are ways to prove someone is over 18 without revealing identity, but that is not that goal, is it? There are cryptographic schemes just for that, such as zk-SNARK, etc. ZKPs in general.


  • EU citizens voted for this. Unfortunately, EU citizens are too lazy to vote a lot of the times, and the ones that do vote are turning more and more right-wing authoritarian.

    As much as the EU pretends there's some kind of united Europe, it covers different countries, with laws ranging from "sex work is just taxed work" to "all prostitution and porn is illegal". Even basic rights like gay marriage aren't consistent between member states.

    Europeans were free to provide feedback to their representatives of course: https://ec.europa.eu/digital-building-blocks/sites/display/E...

    However, everyone I've talked to about it said they don't care about it so they don't want to bother, which is probably what the people behind these laws are banking on.

    • > EU citizens voted for this.

      I'm growing pretty tired of this rhetoric / rhetorical sleight of hand, but maybe this is a reasonable opportunity to discuss it:

      - not all citizens of a jurisdiction are eligible for voting: in this case, cursory search suggests only 400M (88.8%) of 450M were eligible - seems a bit too high to me, but let's roll with it regardless

      - not all who are eligible actually vote: voting in the EU parliamentary elections, which is what EU citizens can actually vote on, like most elsewhere, is not mandatory; it's a right, not a duty: turnout was 50.74%, and that is of the eligible population, so really just 45.1% (203M)

      - most voting systems are mathematically unfair [0]: extensively researched, doesn't quite apply necessarily in this case though as per the next bit

      - several key positions in the various bodies are elected indirectly: same here in the EU, at which point all bets are off

      - laws, regulations, and policies are not voted for or against by citizens: same here in the EU too, nobody could have even possibly voted for this in the literal sense

      It's a run of the mill representative system and I think it'd serve discussions a great deal if this was acknowledged properly. Surely it's agreeable at least that this wouldn't be such news if people were all just completely on board as the sentence "EU citizens voted for this." implies when read naively and literally.

      I really don't see a point to this phrase other than inciting others. And before anyone brings it up, yes, this is common in US threads as well, yes, is often expressed by EU folks against US folks, but no, that does not make this better. Why dig ourselves into rhetorical holes unnecessarily? Being narratively justified to frame things this way doesn't mean one should (or must).

      And "offering feedback" is not a vote nor a voting I'd say.

      [0] https://youtu.be/qf7ws2DF-zk


    • No, I fucking didn't vote for this, I hate everything about it. The worst part? Even if all of our MEPs voted against this BS, it would pass and be forced upon us anyway. All because we have given up our sovereignty to EU.


    • Followers of the far-left regime actually implementing authoritarian measures blame the opposition. A pathetic tale as old as time.

This collision course has been a long time brewing, though I'm not even sure why integrity checking is included in this. The data source for the age information is the governments, there's no need to trust the clientside per se, it's just a middleman.

One thing I find reassuring is the nature of pushback on display on the repo (only read the first few comments there, mind you). Really not what I expected phrasing and rhetoric wise (unlike here), honestly kind of restored a very very tiny and fragile bit of faith in humanity in me, it's very reserved and reasonable stuff.

"age verification app," is such a phony pretext. They know that android fragmentation and the lack of consistent verifiable hardware is what prevents govts from implementing a punitive digital ID that is sufficient to punish and fine people using western standards of evidence and legal defense.

these people are monsters. don't help them, and don't be complicit. working on digital ID tech, and even disclosing vulns in it is like helping Hollerith make faster and more efficient punch cards.

Does anyone know how this is implemented?

If the proof can not be traced back to your identity, then what stops a person from creating large amounts of proofs and distributing them?

If the proof can be traced back to your identity, then... that would suck.

  • They use attribute based attestation which should be mostly anonymous. The long term goal was also to implement zero knowledge proofs which would make things like age verification fully anonymous, but because of technical reasons and development constraints that idea seems to have been postponed.

    The reason you can't distribute a huge amount of proofs is that the app won't let you. To make sure the app won't let you, the app tries to verify that you're not running a modified app or a modified system environment. That's the remote attestation that "bans any android system not licensed by Google".

    These tokens are signed and only usable for a limited amount of time so you can't just generate a million of them and sell them for others to use.

    If the app can't rely on the system working as it should, it'll need to contain less privacy-friendly measures for limiting large scale token abuse.

    For the proof to be traced back to your identity, you'd need to be tracked consistently across websites, possibly with the aid of the government itself. If ZKPs make it into the app, tracking you is basically impossible.

    Of course, if you're authenticating with your full name and birth date, when opening a bank account for instance, you're not going to get the anonymity benefits. Still, you do get to see what party you've authenticated with and get a button in the app to request deletion or report suspicious behaviour if you think it was a scam.

  • The technical specification can be found here[1], with further details here[2].

    Well, it's more like a framework, so not a ton of details. I've just glossed over it, but from what I can gather they have thought about it:

    No personal data, especially no information from personal identification documents such as national ID card, is stored within an [Age Verification App Instance]. Only the Proof of Age attestation, specifically indicating "older than 18", is utilized for age verification purposes

    Stored Verification(8b): [Relying Parties] may optionally store information derived from the Proof of Age attestation in the User's account, allowing the User to bypass repeated verification for future visits or purchases, streamlining the User experience. In this case, authentication methods such as WebAuthN should be utilised to ensure secure access while enabling the User to choose a pseudonym, preserving privacy. Risks in case of the device sharing should be considered.

    [1]: https://ageverification.dev/Technical%20Specification/archit...

    [2]: https://ageverification.dev/Technical%20Specification/annexe...

  • Even if they can't be traced back to a name/photo identity, it would still be a privacy disaster if you could only make one proof per service.

    If a user can only make one then they'll have to use that identity with that service forever. That's a nightmare for privacy. Sometimes people need another account, unknown to their employer/family/friends. People should be able to make multiple accounts without those being tied together through a common "age check" identifier. But, of course, there is no way to prevent those from being distributed.

    At some level I believe that's the purpose behind some of this. If someone can only have one proof, then someone can only have one account to speak with. They'll be easier to monitor, easier to identify, easier to silence. That's why I think these types of laws and behaviors should be resisted and protested.

    I've mentioned in a previous comment that it's telling that big tech isn't resisting these totally-just-coincidental ID laws coming from western countries. It supercharges their surveillance and tracking abilities, and widens their moats.

    Also, porn is a smokescreen. The definition of "adult" content will rapidly expand, and these put the ID issuers in a censorious position of control over people and services. Nothing stops a government attestation server from rejecting a request because someone is blacklisted from "mass communication services" because they're a felon, protestor, LGBT activist, etc... or because a service has fallen out of favor.

  • The idea is, that you have a 'digital ID' on your phone, tied to your real identity, that will today be used to prove you're 18, but when the infrastructure exists, it will be used for other stuff too... like needing to attach your real name to any social media account (you already have an app that does that on your phone for the 18+ thing, so adding real name is easy to implement), and that will greatly affect freedom of speech.

  • This is the pr on it [0]. It was linked on hn at the time too [1]

    For all the shit Google deservedly gets they seem to be genuinely trying to implement good and privacy preserving solutions to a lot of these problems.

    The issue of course is that there's essentially no way to do all this stuff with software and hardware the user actually controls themselves, so you end up with hard requirements that you use big tech as gatekeepers.

    This is the slippery slope that IMO eventually ends the open web.

    If you take that outcome as inevitable, which at this point I basically do given all the forces lined up to restrict access to information, I suppose Google is about the best steward you could hope for.

    [0] https://news.ycombinator.com/item?id=43863672

    • > If you take that outcome as inevitable,

      I don't and I wish Google et al would take a god damned stand against it. All it takes is 2 or 3 big companies to just not play along with the destruction of the open internet (the very same responsible for their genesis and incredible success), and the bureaucrats will eventually relent. Unfortunately they've chosen the path of least resistance, which also is the path of regulatory capture to their sole benefit. Sad to see that win over the ideals of the early net.


You can't use device verification in production anyways. (ATM)

This has no effect, is it even used in production anywhere? It seems to be part of eIDAS which is a good thing, most countries already have their own identity systems as is stated in the README. The three or four id apps I have seen all have some kind of device check that is sent to the ID provider, it is not usually accessible for ServiceProviders though. On those apps you either get no indication or just a "seems suspicious" score.

The one in Sweden has a "return risk option". https://developers.bankid.com/api-references/auth--sign/auth

This does not make it possible to filter out people. And honestly considering the amount of shady phones people have I am not sure this will ever work. Apple is sadly another issue, too many normals there.

It is nice that this is pointed out so we do not get a dystopian future.

With the vassalisation of the EU, this is yet another proof that the European Commission and some other countries follow what the US wants.

Bad deal all along.

What "things" are going to depend on this Android-locked age check? What about Apple users? What about accessing it via a laptop or desktop (shock horror: running Linux!)?

My dad gets by in his "my dad" way of life without a mobile phone at all, I wonder how much longer this will be possible. I was about to rant about being forced to have a mobile if you want to participate in society, but then he uses a desktop for some of the services for which the rest of us use a mobile, so my rant falls down in that, for a while now, to participate in society you've needed either a computer or a mobile.

Hopefully computer-only can eke out some kind of base-adequate participation for a while longer.

  • You can also buy an Apple device but that was never your device to begin with so nothing is lost when the EU requires Apple to be the only party with the capability to modify what your device can run

  • iOS will also be supported and will use Apple's remote attestation capabilities. But, as there are no real alternative ROMs for iOS devices, only Android users are really affected by this.

    From a legal point of view, the app should be a reliable convenience feature and not replace traditional (physical) identity verification. How much your dad will be affected will depend on how shitty and lazy the services he uses are. If he doesn't use a phone or a computer, he probably won't notice the difference.

Funny how EU politicians complain about dependency on American tech and the next day do something like this. It's all cheap talk anyway as they have 0 intention to make EU based alternatives possible but it's rarely in your face so much.

No evidence is given that they won't implement non-Google remote attestation solutions like https://attestation.app/about

Indeed, the bug links to another bug where the author says that it isn't restricted to Play Services remote attestation and recently followed up with a documentation update making that clear. https://github.com/eu-digital-identity-wallet/eudi-app-andro...

  • > No evidence is given that they won't implement non-Google remote attestation solutions like https://attestation.app/about

    Unfortunate that it doesn't matter, because they're not going to accept anything that's not attested by some authority.

    Attestation in itself is a bad thing, guaranteed to be horrifically abused in ways far, far worse than any problem it could possibly solve. You do not need to know what software I am running, period.

    • > You do not need to know what software I am running, period.

      Your employer needs to know if your devices connected to its network have been rooted without your knowledge.

      In any case, this is a completely different discussion from what OP alleged, which I hope we can all agree is completely false.

This is a problem that needs to be solved. I guess we should have solved it before the regulators got involved, alas, here we are.

What an absolute clown show - the EU fines Google and Apple for being monopolistic and abusing market power and then proceeds to implement apps like these that can only be used on American operating systems.

Seriously you can't make this stuff up.

  • I mean there's a perfectly rational possible explanation for this - if the fines are actually just an extra targeted tax on these companies (but it's politically inconvenient to just do it honestly by levying a tax), and they would therefore adjust the laws to make sure they could still fine them if they had already complied...

    It may be that the people in charge in the EU don't really care about the market dominance as long as they can collect enough extra money from them...

Sure, so much for freedom of choice and twisting people's arms. What is it their fucking leaders sing about being freedom loving and democratic?

I don't understand how the poster of the message goes from the disclaimer text:

> The current release provides only basic functionality, with several key features to be introduced in future versions, including:

> - App and device verification based on Google Play Integrity API and Apple App Attestation

> - Additional issuance methods beyond the currently implemented eID based method.

> These planned features align with the requirements and methods described in the Age Verification Profile.

to the "In the case of Android, genuine means"...

I don't see the word "genuine" in the disclaimer. Is that a necessary part of using the "Google Play Integrity API"?

(I'm genuinely asking, I feel like I'm missing some implicit context here.)

EU: "We need to decouple from the independence of the US". Many (local and national) entities proceed to ditch Microsoft for it.

Also the EU: Well if you don't have a Google or Apple account you are not getting age verified.

Internet has become a commodity that needs to be reinvented with a focus on real human interactions and privacy.

How? Who? Where? I'm afraid it is too late to find a group of people interested in creating a real network outside of the system. The best that I found was the LoRa communities, but they are useless for anyone submerged in the TikTokian dystopia.

> EU age verification app to ban any Android system not licensed by Google

Oh, so now we know who is pushing for age verification. FAANG

  • They're pushing for anything that makes their services essential and indispensable for every citizen, and thereby locks all future competition out.

Europeans, fighting for European sovereignty, bowing down to Google and Microsoft

How sad is that, Europeans, you have fallen this low

The title of the submission is misleading.

The linked Reddit discussion is about the issue of attestation in the EU age verification application requiring a licensed version of Android to function properly.

The EU is not banning non licensed Android systems. This would make it hard for EU citizens to use those though, if they need that app.

I don't understand what device verification is even meant to do here. What's the threat model of a child who knows how to root their phone and defeat verification checks manually but doesn't know how to find an adult to create an account and give them the password?

  • It is to create an infrastructure for global surveillance and control of all citizens.

Looks like someone just got a really cushy job at Google when they retire from leading this system.

I think this misses the forest for the trees. I could care less if the app requires a Google Android phone or non-jailbroken iPhone to work. I care that age verification exists in the first place, when it most definitely shouldn't. Arguing and ranting about how a huge privacy compromise functions misses the point that privacy is being compromised.

It's just odd to see them bringing up America when their own government created this. Not the US. How about fight the actual problem instead of making sure the problem works on more devices.

We shouldn't need Age Verification checks for adults in the first place.

Create a better, standardized, open-source parental control tool that is installed by default on all types of device that can connect to the web.

The internet aspect of the parental control should be a "Per Whitelist" system rather than Blacklisting. The parents should be the ones to decide which domains are Whitelisted for their kids, and government bodies could contribute with curated lists to help establish a base.

Yes, there would be some gray area sites like search engine image search, or social media sites like Twitter that can allow you to stumble into pornography, and that is why these devices that have the software turned ON, should send a token through the browser saying "Parental Control". It would be easier for websites to implement a blanket block of certain aspects of their site than expect them to implement whole ID checks systems and security to make sure that no leaks occur (look at the TEA app) like the UK is expecting everyone to do.

Also, I'm for teenagers (not little children) having access to pornography. I was once a teenager, every adult was, and we know that it's a natural thing to masturbate which includes the consumption of pornography for most in some way. Repressing their desires, their sexuality, and making this private aspect of their life difficult isn't the way. Yes, yes, there is nuance to it, (very hardcore/addiction/etc) but it should be up to the parents to decide with given tools if they trust their kid to consume such a thing.

As for the tool itself. Of course we have parental tools, but they can be pretty garbage, they're all different, they're out of the way, and I understand that many people simply don't know how to operate them. That's why I believe that creating a standardized open-source project that multiple governments can directly contribute to and advertise for parents is the way, because at the end of the day, it should be up to the parents to decide these things, and for the government to facilitate that choice.

Obviously, besides the internet aspect, the tool should have all the bells and whistles that you'd expect from one, but that's not the topic.

EDIT: And yes, some children would find a way, just like they're doing now for the currently implemented ID checks. It's not lost on me that VPNs with free plans suddenly exploded in 4 digits % worth of downloads. A lot of those are tiny people who are smart enough. Or using an app like a game to trick Facial Recognition software.

The first comment was hilarious: "so how does one report the EU for breaching GDPR" and it reminds me of a comment on r/androiddev where Google was requiring solo devs to have a verifiable phone number for support and the commenter said something like: "Meanwhile, Google itself does not have a support phone number for its Android devs!"

A lot of discussion, but one contradiction seems to have gone unnoticed; notably, the EU's DMA decision about Apple having to allow alternative app stores. Go figure again about these contradictory moves.

Will this be the end of KYC companies like Veriff, Onfido, Jumio, Trulioo and whatever else is in this crowded space in Europe?

Will people sign up to banks and betting apps with their EU wallet digital identity?

> [...] free flow of information is the only safeguard against tyranny. [...] Beware of he who would deny you access to information, for in his heart he deems himself your master

Lol. People put way too much trust in governments.

If it's not unbelievably obvious, there's an entire class of people flying private jets to "world summits" where the transcripts aren't disclosed. What do you think is going on? Use your brain.

  • I don't know why people on here love the Government. They are probably advocating for a Government, but not this. A government that does its basic functions, without too much overreach, something like minarchism.

This is ridiculous but it's worth pointing out that if the EU would provide their own infrastructure for "age verification" it would be even more Dystopian. The problem is not really that the EU in this case would give Google and Apple monopolies that lock out all competition, the problem is the "age verification" itself. Nobody needs, nobody wants it, and it's the starting point for all kinds of browsing and chat control measures dictated by governments.

I guess GDPR is on the way out, unless Google pinky promises to keep all processing/data local to each EU state?

  • The GDPR data locality requirement is that personal data must remain in the European Economic Area (unless an exception applies.) It has no requirement that data remains local to each state.

    That's easy for a company like Google to comply with. In fact the company I work for uses Google European data centers to comply with GDPR.

At the end of the day someone could always grab this code, remove the verification step, and distribute that as a new app.

  • That "someone" doesn't understand how hardware backed platform attestation works.

    The Wikipedia page does a pretty good job at explaining it: https://en.wikipedia.org/wiki/Trusted_Computing

    • Yes, they do. There's nothing in the spec this app implements that actually requires that step. The app just chooses to do it in this case.

      Or rather is planning to. Right now it doesn't even have that integrity check, despite fully implementing the verification flow.