Comment by spwa4

10 hours ago

So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away.

Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...

I'm not sure I want my government to develop that technology.

Government software is usually low-quality, expensive procurement crap, often riddled with security holes, and an exercise in checkbox checking. UX and user friction can't be expressed as a verifiable clause in a procurement contract, so they're ignored.

Besides, every time EU governments tried to force smartphone manufacturers to pre-install government apps, the population freaked out over (unwarranted) surveillance concerns. This isn't something you can do without pre-installing apps (you don't want these APIs opened up because then attestation loses all meaning).

In case of Android - AOSP attestation.

Not necessarily the company that locks out an entire family because one of the family members jacked off on the chat with Gemini model.

That seems like a weak argument to require attestation? What would attestation prevent that scenario, specifically?

  • Oh I see your confusion. It is not trying to prove it's not cheating with the UI (or remote control, or ...) to the owner of the phone. It's proving to the owner of the website (or app, or SIM, or ...) that it's really the user agreeing to the contract on the screen. Or, more to the point, it's proving it to courts after the fact so they'll convict the owner of the phone rather than the business or government.

    The scenario it would prevent is that a government gets a filled-in form with someone requesting unemployment benefits, or reimbursement for a medical procedure on account X ... and then government finds out after payment, later, in court, that the owner of the phone never agreed to it and it needs to pay it out again (because of the claim, true or not, that a scammer initiated the payment agreement in some way rather than the owner). Same for business and agreeing to a loan and ...

    It is NOT to protect you, the owner of the phone, against scammers (it does not really do that at all), it is to protect companies and especially governments AGAINST the owner of the phone. It is a way to fire most EU government employees by allowing automation that currently can't work because you can't legally trust phone and internet automation to be binding in court.

    • The argument here is kind of hard to follow. Who is the "owner" of the phone? "The user" is also mentioned, and it is not clear if these two are the same. Is the owner of the phone in the controlling-software sense, Google, or is it the end user? Both fit, and both are commonly used.

      Because if it is the end user, the strong version of the argument would be as follows: The end user signs a document, baked in is an attestation that Google guarantees that this device is an approved Android device with a clean boot chain and a Chrome web browser. Then the end user contests the signature in court, either because they didn't understand what they signed, or they did not sign it at all, or did it under threat. How could the attestation help here?

      I do not have experience with all EU countries, of course, but more than one, and nowhere is this an issue today. Countries use a wide variety of electronic identification, from soft certificates and mobile phones to smart cards. But as far as I know, all countries accept signatures made even with normal Windows PCs. You can contest a signed document in court for a multitude of reasons, but that's not specific to electronic signatures.

    • Do you imply that Google can prove such a thing, or is it just security theater for compliance? AFAIK attestation attests hardware, not software, but hardware attestation is self-contained and doesn't require any remote cartel permission, cf. YubiKey attestation.