Comment by ulrikrasmussen
20 hours ago
And meanwhile the exact same agency spits out government Android apps that use Play Integrity so citizens cannot ditch Google for GrapheneOS. This is symbolism, the minister does not actually care about digital sovereignty for the citizens.
> This is symbolism
I don't think so. It's more complicated than that. The state is not a monolith. Different heads are doing different things and it's a enormous bureaucracy. The divisions pumping out Android will eventually catch up to what's going on and the vulnerability they're exposing themselves to. These things take time. It doesn't all happen at once. People (who are not very technical, barely knowing what a computer is) need to understand what's going on and that can take a while. Let's just hope they figure it out before it matters.
denmark spearheads the EU push for chat control , this is a bit of an impediment to the good will argument
There is no "good will" argument being made here. The state doesn't care about good, it cares about it's own survival. Being independent from foreign interference in the software they use and having deep insight into what residents within the territory of that state are talking about are critical to that mission. It has nothing to do with morals. It is a machine.
4 replies →
> This is symbolism
It is probably unintentional. I work and worked in such projects (in The Netherlands), and the process is -rightfully- chaotic.
Governments typically don't have a central single team that builds all their android apps. They usually write a tender with loads of requirements and app-agencies will then build it. Or freelancers. Or volunteer teams. Or all of that. So there's no central team governed by one minister who can dictate what should happen today. There's hundreds of companies, teams, freelancers, interims, running around trying to make deadlines
Between writing a spec and the delivered app, there's chasms: could be a year between the specs are written and the first app pushed onto a phone. In a (trump)year a lot can change. But also between how specs are requirements or wishes in real life. "No user data may ever reach a google server" (actual specs are far vaguer and broader) may sound good, but will conflict directly with "user must receive push notifications of Foo and Bar". Or "passport NFC data must be attested for login", requiring a non-rooted, android, signed-by-google hardware attestation thingymajick.
So no, this is not malice. Nor incompetence. This is a sad reality, where we've allowed the monopoly to dictate what we, and users, expect, and to have that monopoly be the only option to provide those expectations.
As someone in the Netherlands, and also with a company in this space, could you point me to some relevant resources (like ongoing projects)? I'd love to help our country get more sovereign (in small steps).
Btw, NRC has a nice podcast series on the topic. One thing hampering the sovereignty effort is the enormous amounts of Azure/AWS/GCP certified people. Their career is build on these platforms.
I'm not familiar with all current ongoing projects. Because of the situation mentioned above.
Currently I'm involved in projects surrounding https://developer.overheid.nl/kennisbank/security/standaarde... . Have a look there. It's not FLOSS in the way that you can just provide PRs of things you'd like different, but FLOSS in the way that you can get in touch and with enough expertise, have people listen to you.
Upvote for wanting to help with digital soverign effort (UK national here).
I think it has more to do with ignorance. Device attestation is not trivial to adopt while both Apple and Google promise you a very simple abstraction. So it takes being informed and having leverage in the process to be able to make a difference.
For me the blame is squarely on the technical “experts” who are behind the architecture and implementation of such apps.
Device attestation is precisely the thing I do not want my government to ever adopt. I have a Danish CPR number. They've given me a FIDO secure token generator as my phone is degoogled for MitID. Most Danes don't know what those words mean, and if they did, wouldn't understand why I distrust (all) governments (and indeed things! Three default scientific position is scepticism, albeit with varying degrees of priors)
The thing is, device attestation is fundamentally incompatible with digital freedom so governments should never adopt it to begin with. We lived without digital solutions that depended on device attestation and we will continue to do so.
Because if they were serious about it, they'd have replatformed completely in 5 minutes.