Comment by defrost
14 days ago
Let's assume I'm familiar with the theory, what pragmatic open verification exists for the implementation of this EU app?
Edit: the EU asserts the app is "privacy preserving" and "Additionally, work on the integration of zero-knowledge proofs is ongoing."
~ https://digital-strategy.ec.europa.eu/en/news/commission-mak...
It's not the assertions made that trouble me, it's the quality of any actual implementation and the scope for deliberate or accidental side leaking of knowledge that should be zero .. but likely (in a pragmatic view of a political world) is not.
If it's coordinated by the browser then it would be possible to see what requests are made and where
Absolutely, security is entire process that needs frequent sanity checks, by nature it's hard to get right in practice no matter how sound some central component is.
To be fair my main motivation for comment was the up thread comment about physical ID checks of the past being an indicator that not much would change with digital checks.
In the event of a physical store ID check system failure you have one owner at one location having access to just the ID's checked (perhaps blackmailing underage drinkers into dubious acts).
In the event of a digital ID check failure there's potential to leak all the ID's and access patterns of all users across the board thanks to the ease of digital storage and communications.
Well yes that is true. If provider is what ties together age and identity... If all the eggs are in one basket then hacking one provider hacks all. Having many providers and doing real security audits and requiring them to not keep logs and all that might help but not 100%...
And a shady government might sort out some shady deal or backdoor with providers. I don't think EU is that government though (I bet Russian is but ironically they don't care about this stuff they just install black boxes at all ISPs and monitor your traffic directly)