Comment by Aldipower
13 hours ago
"Not great" is quite an understatement from a European perspective.
We're talking about a state-issued digital identity system, the European equivalent of your ID card, that cannot function without accounts at two US corporations. That's not a UX limitation. That's a structural dependency on foreign infrastructure for core state sovereignty.
The concerns aren't abstract. The US has a documented history of mass surveillance programs (PRISM, XKeyscore) that directly targeted European citizens and governments. Both Apple and Google operate under US jurisdiction, which means CLOUD Act requests, national security letters, and executive pressure are all legal avenues for US government access. PlayIntegrity is explicitly described in your own architecture docs as a black box: "we do not know what they are actually doing in their backend." A critical security component of a state identity system, and you don't know what it does. That's not an engineering trade-off, that's an accountability gap.
GrapheneOS being "on the list" is not reassuring. It means the system launches in a state where European citizens who have actively chosen to reduce their dependence on US Big Tech are excluded from their own national digital identity infrastructure.
The EU passed GDPR to establish digital sovereignty. It's building eIDAS to establish identity sovereignty. Baking in a hard dependency on Google and Apple at the attestation layer undermines both, by design, at launch.