Comment by makerofthings
12 hours ago
Requiring people to use products from one of two private American companies with a bad track record of locking people out of their accounts is more than “not great”. Some things are better not done if they can’t be done well.
So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away.
Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...
I'm not sure I want my government to develop that technology.
Government software is usually low-quality, expensive procurement crap, often riddled with security holes, and an exercise in checkbox checking. UX and user friction can't be expressed as a verifiable clause in a procurement contract, so they're ignored.
Besides, every time EU governments tried to force smartphone manufacturers to pre-install government apps, the population freaked out over (unwarranted) surveillance concerns. This isn't something you can do without pre-installing apps (you don't want these APIs opened up because then attestation loses all meaning).
It's not that difficult, just `git pull lineage`.
In case of Android - AOSP attestation.
Not necessarily the company that locks out entire family because one of the family member jacked off on the chat with Gemini model.
That seems like a weak argument to require attestation? What would attestation prevent that scenario, specifically?
Oh I see your confusion. It is not trying to prove it's not cheating with the UI (or remote control, or ...) to the owner of the phone. It's proving to the owner of the website (or app, or SIM, or ...) that it's really the user agreeing to the contract on the screen. Or, more to the point, it's proving it to courts after the fact so they'll convict the owner of the phone rather than the business or government.
The scenario it would prevent is that a government gets a filled in form with someone requesting unemployment benefits, or reimbursement for a medical procedure on account X ... and then government finds out after payment, later, in court, that the owner of the phone never agreed to it and it needs to pay it out again (because the claim, true or not, that a scammer initiated the payment agreement in some way rather than the owner). Same for business and agreeing to a loan and ...
It is NOT to protect you, the owner of the phone, against scammers (it does not really do that at all), it is to protect companies and especially governments AGAINST the owner of the phone. It is a way to fire most EU government employees by allowing automation that currently can't work because you can't legally trust phone and internet automation to be binding in court.
3 replies →
There are no alternatives.
I mean you could use Huawei and others, but the FUD campaigns against chinese manufacturers was pretty agressive in the EU.
Yes but in the real world all smartphones are either Apple or Android. Europe has zero footprint in either software or hardware. It is not creating a requirement to use specific products, it is using the products people already have.
So one may argue that the implementers are only taking the pragmatic approach regarding something that is out of their hands.
It literały has created the dependency on google when thought Android offers the standard/generic AOSP attestation.
Also you weirdly forget all the Chinese phones. There's also some tiny European brand which will have absolutely no way to limit their users dependency on the famously hostile and unconctactable provider.
Most Chinese smartphones run Android (Huawei uses HarmonyOS).
We're talking about an essential government service, not just another weather app. You have to look at this through the lense of national security, the debate about EU digital sovereignty, and the requirements of the GDPR in light of the US CLOUD Act, as well as prior decisions of EU courts about these issues.
Yes all that you wrote is true. But that does not magically change anything to what I previously stated: in the real world all smartphones are either Apple or Android...
I don't know what the eIDAS 2.0 requires in term of security but it may make the choice the implementers made here unavoidable in practice, as hinted by @webhamster.
If so, it seems that a solution, if technically possible, might be to mandate that OSes provide the required security features without tie-in.
The outrage in the comments feels a bit like people yelling at clouds...
8 replies →
Maybe that will force the companies to not be allowed to just lock you out of the account.
Ya, sorry, no, maybe is not really a durable position here.
You, your siblings, your parents, etc, etc.