Comment by digiown
17 days ago
This is really a human right issue. No one should be required to carry an attacker-controlled tracking device, especially not for interacting with the government. It's funny that the EU uses all this mobile attestation BS more than the US does. So much for sovereignty and consumer protection. No monopoly Google can build is as good as the government forcing you to accept their terms.
>No one should be required to carry an attacker-controlled tracking device
What about being required to carry a your-own-government-controlled tracking device?
Because the US or Chine government can't harm me in Europe via the data they collect from me, But the EU authorities can if they want to, so naturally I fear them more if they were the ones hoovering my data.
What are the odds they're using this on-shore tech grab to implement their own domestic version of China's social credit score system, to easily get data on their own citizens who commit "wrong-think", without having to through the effort to twist the arm of US entities every time they want to do that?
Food for thought, but I do think we're living the last years of online anonymity, it's inevitable.
> What are the odds they're using this on-shore tech grab to implement their own domestic version of China's social credit score system, to easily get data on their own citizens who commit "wrong-think", without having to through the effort to twist the arm of US entities every time they want to do that?
What are the odds that once shut down "chat control" will come up under a new name?
> without having to through the effort to twist the arm of US entities every time they want to do that?
Right now, it's more like US corpos are try to twist the arm of EU governments [1][2], pushing heavy propaganda to manipulate our elections [3], allying with the US government to do so. And the US government has been threatening EU govts with invasion [4], leveraging US corpos to harm lawful individuals doing their jobs in the EU [5], and sanctioning elected officials for performing their duties [6], or threatened to [7].
Sure, there's an hypothetical risk of the EU turning sour. On the other hand, when it comes to US corpos, the risk has materialized.
[1]: https://www.bbc.com/news/articles/cly930y90lro [2]: https://www.bbc.com/news/articles/c0589g0dqq7o [3]: https://www.politico.eu/article/twitter-faces-renewed-scruti... [4]: https://en.wikipedia.org/wiki/Greenland_crisis [5]: https://www.lemonde.fr/en/international/article/2025/11/19/n... [6]: https://www.brusselstimes.com/1931733/eu-parliament-blasts-u... [7]: https://www.politico.eu/article/us-accused-threats-eu-diplom...
25 replies →
The odds are very low. It all depents on the people. So far, the European citizens are very privacy senstive. The European institutions are characterized by a huge devision of power. There is no chance that European instutitions can impose their will against a considerable majority of people. If people turn away from liberal democracy, that's another matter. But then everything is lost anyway.
35 years ago, a good chunk of the current EU was under a Soviet-imposed totalitarian rule. Spain was a dictatorship until 1975. And it's been just 80 years since WWII.
It always boggles my mind that most Europeans are absolutely convinced that nothing like that could ever happen again. Meanwhile, many people in the US are convinced that the government will be coming for them any minute now.
26 replies →
> There is no chance that European instutitions can impose their will against a considerable majority of people
The EU commission just passed chat control to have government mandated software in every phone
4 replies →
> citizens are very privacy senstive
Their reaction and opposition to ChatControl (or near complete lack of both) would indicate otherwise? They could hardly care less about privacy.
National governments which have openly declared that believe they have the right to unlimited access to any private communication hardly lost any popularity or faced real consequences.
Very privacy sensitive? In Germany, maybe. Elsewhere in Europe, not so much. See the regular attempts to push through something like chat control.
In Italy were already trying to break that division of power, we’ve a referendum that does just that
> So far, the European citizens are very privacy senstive.
In some areas, sure - like GDPR.
In other areas, absolutely not - like chat control.
As another commenter pointed out, it seems as if government mandated privacy intrusion is OK, while violations by corporations are quickly shutdown. It’s like the opposite of how it works here in the US.
16 replies →
[flagged]
5 replies →
> What about being required to carry a your-own-government-controlled tracking device?
What part of the cellphone manufacturer being based overseas makes you think the government can't track you via it?
Even leaving asides 5-eyes style data-sharing agreements, your US/Chinese smartphone still connects through a domestic cellphone carrier, using a domestic number. That's enough to have at a minimum fine-grained location tracking, call logs, and data usage.
In fact 5g and all previous standards have a provision for lawful intercept. So your domestic intelligence service and police can always turn it into a listening device.
Tracking device might be the wrong thing to focus on. The US has other ways of messing with foreigners who depend on services provided by US companies, like suddenly cutting off those services in the case of ICC judges.
IIRC, ICC judges lost access to their O365 work email accounts. Worst the US can do to me is turn off my Steam, and Gmail but I can easily live without those.
Now imagine being debanked by your own government because they don't like what you're saying and becoming unemployed, homeless and dead. I don't think they're remotely comparable.
For example, a few years ago, a power tripping gov bureaucrat turned off my unemployment payments over a technicality. Luckily, I had enough money to pay a lawyer to sue them and won, but it was tight. What if I hadn't had the money to hire a lawyer? Since I was in a foreign country, with no family or close friends to fall back on. I was exclusively relying on the welfare state I paid into for years, that then turn its back on me for shits and giggles.
So I don't think you understand just how bad it can be for you if your government decides to turn on you and fuck with you, if you're comparing this to losing access to your work email account.
See the famous case of UK postal workers that got fucked by their government trying to hide their mistakes.
22 replies →
> Because the US or Chine government can't harm me in Europe via the data they collect from me
That's an amusingly naïve perspective. The US government absolutely can harm you, via a multitude of ways.
Not to speak of russia who have been sending assassins to kill people in the EU for a long time, and the EU has not been very good at stopping those.
Also, Chinese-owned firms are known to be transferring EU citizens' data to China in violation of GDPR: https://noyb.eu/en/tiktok-aliexpress-shein-co-surrender-euro...
China's government has strategic goals to destabilise and weaken the EU, and data-farming will be part of their strategy.
Every government is an attacker.
Yeah it seems that some politicians have noticed that they can enact a lot of self serving authoritarian legislation that wouldn't fly otherwise if they push it as populist independence-from-US thing. Can't let a good crisis go to waste, of course.
One only needs a few looks at what the EU Commission has been doing lately to see that if left unchecked their plan is a UK-like total surveillance state.
I don't disagree but that wasn't the point here. The point is they are handing even more control to a different US entity. Putting my tinfoil hat on, I assume the authoritarians are intending to simply buy the data from the American companies to circumvent legal restrictions, as in the Five Eyes arrangement.
The real human-rights issue, in my view, is optionality. If interacting with government or the financial system requires a specific proprietary device tied to a specific ecosystem, that's a problem
Carrying this device is the key here. Eventually we all need to carry it around, track us everywhere.
Most people have mobile phones that need to roughly know your position as a technical necessity, why are you speaking like its 1990's?
Not just the phone needing to know your location, your rough location has to be reported to a central server, because that's how incoming calls/texts are routed to the phone.
I can leave my phone at home and route SMS and voice via http to my real phone.
You are shifting the goal posts here - if we work by this argument, we will never achieve anything.
There's a certain amount of conspiracy theory going on in this thread, but it it right to ask: who will be banned from this payment system, and under what rules? Can we make it a legal requirement to at least provide a justification which can be challenged?
The usual first victims are sex workers, not political minorities.
> It's funny that the EU uses all this mobile attestation BS more than the US does
Attestation in on itself isn't unwarranted which (to me) is an important security measure. Attestation as commonly implemented on Android via Play Integrity (the way banking apps are known to do) is restrictive, sure: https://grapheneos.org/articles/attestation-compatibility-gu... / https://archive.is/snGEu
> important security measure
It's a security measure against the owner of the device, in other words, an attack. Would you be okay with me using a remote control to forcibly slow down your car so I can merge? Using attestation this way is fundamentally incompatible with ownership. If the bank wants some assurance about a device, they need to sell or issue one to me, like credit cards or point of sale machines, which are explicitly not your property.
The fact that the assurance is provided by a third party you have little recourse against just adds insult to injury.
>against the owner of the device
Would you consider MFA to be a measure against you, the owner of the device, because it makes it harder for you to login?
>If the bank wants some assurance about a device, they need to sell or issue one to me
They are offering you free software and are operating under a security model tied to these specific devices. You're still free to walk into their branches, or use their physical cards, if you prefer not use their limited selection of devices.
>Would you be okay with me using a remote control to forcibly slow down your car
Car manufacturers do this as well though. Some of this is for the benefit of their customers (preventing theft from easily cloned keys). Some of this is not for customer benefit, like locking down infotainment systems.
Banks however are only interested in preventing fraud.
2 replies →
> If the bank wants some assurance about a device, they need to sell or issue one to me, like credit cards or point of sale machines, which are explicitly not your property.
In this example, a banking app is not making the entire Android device non functional when it refuses to work when remote attestation like Play Integrity fails.
2 replies →
An important security measure for who, though? The servers at the bank should "never trust the client" in case the attestation is bypassed or compromised, which is always a risk at scale.
If it's an important safety measure _for me_, shouldn't I get to decide whether I need it based on context?
I think it's fair for banks to apply different risk scores based on the signals they have available (including attestation state), but I also don't want the financial system, government & big tech platforms to have a hard veto on what devices I compute with.
It's an anti-brute-force mechanism. It's not for you, it's for all the other accounts that an unattested phone (or a bot posing as an unattested phone that just stole somebody's credentials via some 0-day data exfiltration exploit) may be trying to access.
Sure, banks could probably build a mechanism that lets some users opt out of this, just as they could add a Klingon localization to their apps. There just isn't enough demand.
9 replies →