So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires google.
Nothing will change until the lawsuits start coming in.
The only hope is the motorola/grapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.
Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.
It's also the fact that it forces each citizen to pay a few hundred Euros to companies which then campaign against their very rights.
Citizens get no support of any kind in case of issues, and has to enter a contractual agreement which is ridiculously asymmetrical, where the company has little to no responsibility of any kind, but has very ample rights to track the other party in extremely creepy ways.
But ... the alternative is that the government actually pays a bit of money to fix the situation! To support their solutions. To actually develop them for enough devices. To secure them ... Plus the services the government made are way more invasive than the Google/Apple ones.
In addition to the money, actually using them would be hundreds of times more complex, and they don't have the provisions Google has, for example accessibility and security services (like actually stopping people stealing accounts on a large scale). All of this can be done, easily even, but it isn't. Politicians don't want to.
Special-casing support for GrapheneOS would be a band-aid, they should find a way to avoid requiring remote attestation in the first place, so anyone can use whatever OS they like on whatever hardware they like.
I think there are two fights that are both worth fighting:
1. Completely outlawing remote attestation.
2. In a world where remote attestation is given, let it be controlled in a fair way and not just by Google and Apple.
The risk is that only fighting for (1) leaves you in a world with remote attestation, where only Google and Apple can decide who gets to pass and who not. In fact, that is pretty much the world we are in already.
I agree that they are both worth fighting for, but I think (2) is much easier to accomplish, simply because Play Integrity is probably a DMA violation. (IANAL blah blah)
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
1. Smart Cards (for example The Current National ID)
The lawsuits, sadly, won't matter. "Security" (or, rather, totalitarian control!) is more important than the 1% of nerds who care enough to tinker with their phone.
People keep framing these sorts of debates in terms of tinkering.
It's about ownership, not tinkering. It's about preventing megacorporations from having the last word about how government services can function and how people can interact with them.
It's not 1% here though... Graphene has 300k users worldwide. There's 8 million absolutely illiterate and 150 million functionally illiterate people in Europe for comparison on scale here.
First, GrapheneOS supports remote attestation. So if they want their security, they can have it. Second, the current focus of the EU on sovereignty is a window of opportunity and there are better opportunities to fight this than two years ago.
Lobbyists do not sleep. It's easy to recall how those two, especially apple, tried to sabotage FIDO2 trying to capture webauthn standards, fortunately failed.
EU also has to learn their inside traitors who sabotage their great efforts in decentralization of identity, and learn to avoid those incredible situations like happens right now with chat control directly lobbied by silicon valley surveillance vendors
GrapheneOS supports attestation too, so even if they succeed it will likely just turn into a gift to Google, Apple and GrapheneOS. It's hardware attestation that needs to be opposed as it's inherently user hostile, allowing a single popular Android distro doesn't do much in the grand scheme of things.
Every Android system support remote attestation. It's part of AOSP. Google just decided not to use it, because Play Integrity allows them to lock in phone manufacturers and force them (per leaked agreements) to preinstall a bunch of Google apps and require to run Play Services and some other components privileged on the system.
The more the better - being forced to maintain an up-to-date list of Google competitors (including some that don't keep attestation keys secure, so the bad guys will pretend to be those and you'll be forced to allow it anyway) may make some reconsider whether the feature actually brings any value.
As a technical point, note that however there is no legal requirement to follow this reference. Wallet providers can choose a different implementation.
There is too much corruption, nothing can be done at this point.
Atleast CIE app works on graphene for now so I can do everything else on the web.
If they block that idk what I would even do.
Also, as the article says, Play Integrity is most likely a violation of the DMA. Send a message to the EU DMA Team if you live in the EU and are affected by this (or affected by this in the future, if you plan to switch to an alternative):
The more examples they get of actual citizens that get hit by this, the better. I have recently sent messages when Google introduced their new device-based recaptcha and when Volkswagen started blocking GrapheneOS. Of course, do not yell, explain patiently and with good argumentation why you are affected by Play Integrity and how you believe Play Integrity is used to enforce the duopoly + goes counter EU sovereignty.
Also, for apps that use Play Integrity, e-mail the company. React to their boilerplate replies with follow-ups (this slowly seems to get some headway with VW). Also leave a one-star review on their app, explaining in the review that they broke support for your system.
I know that this can all seem hopeless. But especially GrapheneOS is getting a lot of momentum now, rapidly gaining more users. It feels like it is a moment in time where we can seriously influence things for the better. There are ~500,000s users now. If everyone actively participates, we can move the needle.
Honestly, as long as the architectures is fatally flawed (Even if convenient) it's just bandaids over a larger issue.
These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Germany was going in the right direction imho, they NFC enabled their ID cards (Sweden has info on them but no enablement procedures) that is then paired with the app, so the card acts as a 2nd factor that makes the app itself less of a security issue since a user will be required to physically enable it (sadly the NFC pairings are kinda fiddly.. but I'd take that as a security option for all non-trivial transfers).
> These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Many countries in the EU already have all of that just done though some national equilevant system (for example here in Finland mainly with bank credentials).
And in fact additonal checks are done when enough money is moving. For example when I signed my bank loan for an apartment I had to sign it again after 24 hours just to be really really sure that I wanted to sign it.
For smaller (but still big enough) stuff a second "second factor" usually kicks in usually in the form of a sms verification after the actual proper login with bank credentials (which has a proper 2 factor auth in itself too)
Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the users entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.
Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.
Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.
It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.
So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).
Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.
Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.
I think the reason these systems require device bound keys is because the government is concerned with easily mass-produced forged age certificates. With software keys you can get an age certificate which can be copied instantly to a large number of devices, with hardware keys the government knows that the certificate is tied to a single physical unit.
I'm sorry but clearly the introduction of these apps with these requirements in the near past and near future represent regression over time rather than improvement.
I think it was last year that there was a good presentation from them about how they were going to use ZKP and it was indeed very trust inspiring. But do you think the latest digital wallet solution from eg Danish government uses ZKP? Of course not!
I have to say that the tune they play at FOSDEM and what we see put into production are just two different things.
Yes, and there is an open source spec [0] that doesn’t require Google/iOS Attestation but “preferably” providers will make their wallet app available on App Stores [1]:
> To ensure that the User can trust the Wallet Solution, Wallet Providers preferably make their certified Wallet Solutions available for installation via the official app store of the relevant operating system (e.g., Android, iOS). This allows the operating system of the device to perform relevant checks regarding the authenticity of the app.
Of course the chances of any important business implementing a side channel option is effectively zero. Maybe some government agencies will offer the option though.
Not really. EU is actually trying to decouple. But in many cases there are not any homegrown alternatives to support. There is not a single company in EU that could replace, even a considerable part, of software stack provided by Google and Apple.
And, unless the regulatory environment changes., there probably never will be.
Thr answer to US tech giants are not homegrown EU tech giants, but international free software (Free as in Freedom). We already have free operating systems: Linux, BSD. Office software: LibreOffice, etc.
EU regulators have stop listening to tech company lobbyists.
Understandable. However every new solution should be built from the ground up and be fully decoupled even if the migration of old services might take a while.
For this specifically EU could surely (only in theory since statistically the average EU bureaucrat is a pompous idiot to whom the word “accountability” is an entirely inconceivable concept) have something developed for a sane price in a reasonable amount of time.
> But in many cases there are not any homegrown alternatives to support
There shouldn't need to be. Realistically for something like this an EU backed highly-audited non-profit should be in place for permanent highly controlled services like this that do not rely on any non-EU entities for it to function.
The US can call Austria in 5 minutes and with no burden of proof get the airspace permit for a head of sovereign state revoked and the plane swatted instantly upon landing, because someone might have been on board (he wasn’t) whose only real crime was embarrassing the USA by exposing their fundamentally unconstitutional lawbreaking.
Same goes with the prosecutors in Sweden; a phone call and the US got, not charges (as that would actually be official misconduct in Sweden), but enough of an official statement from a prosecutor to get the words “Assange” and “rape” in headlines together around the world by that evening.
European countries are, by and large, lapdogs of the USA. It’s sad. And then the US president turns around and stabs them in the back by threatening invasion and annexation, or complete disregard for the fundamental obligations of NATO members.
I really don’t know what the fuck the Europeans are thinking by playing the US’s stupid games. As we see time and time again, it won’t be repaid in kind.
Unfortunately the big game is opaque it's close to impossible to understand for the common folk. So many questions, so tough to grasp answers. Sickening. The enemy is hiding. One could say that paying the taxes in some form is a path toward a destruction. Phrases like "war economy" are lunatic. It all starts in your mind, and that's why it's the most important to protect your children from the propaganda. Take care!
Obviously, on both side (and beyond) they are nice people trying to plan good things without being too naive. But bragging all day through and destroy all that is in your power is both easier and more attention grabbing than discrete hard work at building better future for everybody.
> I really don’t know what the fuck the Europeans are thinking by playing the US’s stupid games. As we see time and time again, it won’t be repaid in kind.
I feel like the European relationship with the US can really be summed up by the 30 permanent military bases and 84,000 military personnel stationed in their borders and the underlying faith that it's for their own protection, except we better never ask them to leave just in case. Everything else sort of follows from that point.
Europe will never have digital sovereignty from the US.
It will take 100 years and an extremely expensive, government-mandated reimplementation of every critical US tech service and company.
No EU country is putting up budget for this, and no private enterprise is going to do it because building a worse version of AWS just so that it is "European" makes no financial sense and would most likely just fail anyway.
I agree with the premise but have the feeling that it’s less about the money. People here in Germany use WhatsApp and Instagram and Gmail and MS Office and Windows not because there are no alternatives but because they either don’t know or don’t care to switch. People are notoriously difficult to convince to switch platforms even if they‘d get more benefits on the other side. My mom does not want to touch any email client besides outlook and she does nothing but read and very occasionally reply to singular emails and she requires only the barest functionality of an email client. Half of my family gets a panic attack when the windows interface changes again. The idea of switching messengers recently in my rather tech sawy circle of friends has resulted in a multi day discussion with no real outcome mainly because some just don’t want to deal with two messengers while their friends and family remain unconvinced. We already have social media, hosting, email, operating systems, messengers and the likes from European providers. People just don’t want to switch.
Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
> Aren't monopolies is what we end up by default if have no regulation at all?
No. Monopolies are only inevitable if the goods aren't elastic, if there is a large cost of entry into the market, or if its a market you can create a moat that is unsurmountable.
Many markets don't have that even with 0 regulation, but might have second order problems like firms creating unsafe products for example.
But in general regulations almost always even unindentedly raise the cost to enter the market. If you make a new regulation that food needs to be safe, then the company needs to pay a safety inspection that a small home-made recipe might not be able to afford (to give a simple example).
At the same time, we now have uber large corporations due to non elastic parts of supply chain (like land) or moats that are insurmountable (like access to US capital). In which case, the FCC should break up monopolies as the current market is not catering to end users and consumers but to owners, which is why the Stock market has been in a never ending bull run.
Unless regulations explicitely incorporate how to handle incumbents & newcomers. One instance of that is MMTIS (multi modal passenger information), which explicitly states innovation and new players as a goal. There are other similar examples.
My intuition is that this is not necessarily true, but probably often true in practice but perhaps someone more educated on the matter can speak on that. It must also depend on the expensiveness of the regulation in question. Since in tons of areas regulations are absolutely vital so that for example our buildings don’t collapse, our food remains non-toxic and the medicine we buy is not the pharmacological equivalent to russian roulette the goal should then be to optimise the cost performance of regulations.
> Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost
(nit: I assume you meant "marketshare becomes unavailable")
So you mean that regulations that are created based on lobbying by corporations help them become monopolies? Sure, that makes sense. But thats different from a blanket "Regulations create monopolies".
Because the smaller players can't afford to implement the new regulations they lose their marketshare and it now becomes available for the bigger competitors to absorb.
> Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
The only way to guarantee a monopoly is to have a total lack of regulation. It's known that every "free" market will tend towards monopoly due the 1% law. Regulations are the only way to actually guarantee free markets because perfect free markets only exists in abstract, not in reality. Sometimes, a free market is the wrong solution and you need a regulated monopoly instead and with identity that's the best solution. Why? Because identity is unique to the individual. A individual must (in theory) only have one identity and with very extreme and usually well documented exceptions, such identity doesn't change. The state is the one that must provide a good way for identity and if smaller countries doesn't have the resources, then big countries should provide for all. Also, it removes incompatibility inter-countries while keeping private interests out.
The state should have the sole monopoly on attesting to anyone identity. Because they are the only ones that are not affected by market conditions. This is how countries that have advanced in this topic actually work. If individual states can't reach a common solution, then the collective must do so. The collective failed here because it recommended a private solution rather than mandated a european one. Private sector must not dictate what or how identity is attested, because the private sector has it's profit pursuing agenda, state must evaluate solutions but it's up to the states to run them and implement them.
Market solutions are good for several things, this isn't one of them.
DMA seems explicitly written to only target monopolies, though (and seems like a surrender from the EU, since monopolies should be broken up and not get laws codifying their business models IMHO).
Working as intended. EU wants you to use a device and OS they can fully control. Don't comply with some new ridiculous regulation? Your app will be banned.
> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements
> Apple’s app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.
So when Google bans someone, that person also loses access to all services that require digital ID, forever?
I remember when a Youtuber asked live viewers to "vote" by typing emojis, and a whole bunch of viewers got their Google accounts banned for spamming[1]. Google is also famously averse to user support (understandable given the scale of their free services), so individual remedy is unlikely.
I can already see the new ransomware: "pay us or we'll send spam from your gmail and you'll lose your digital ID".
There's a relatively simple and much more open and secure solution to this: Make physical EU ID cards the attestation source, and require users to tap them against their phone for critical operations (high-value signatures, login on a new device or after repeated authentication failures etc).
That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.
As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.
Here in Germany we had court rulings saying the german railway (DB) must offer offline tickets that do not require a computer or smartphone to purchase to not discriminate against the elderly. I am pretty sure we will see similar rulings for EUDI wallet requiring Google/Apple.
There are AFAIK no plans to completely remove the offline ID everyone is currently required to carry, so I doubt there will be similar rulings for EUDI as long as it remains an optional alternative for people who want to use online services.
If I am not able to use any digital service or product on a computer that I could have built entirely myself (or had anyone of my choice build for me), running code I could have written entirely myself (or had anyone of my choice write for me), then that is completely unacceptable.
EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.
And complement it with hardware tokens for highly sensitive applications.
Passkeys could have been that, but they were quickly subverted by the industry.
I really don't like how EUDI (OpenID4VP) works in the first place. IMO it should be scrapped and rebuilt from the ground up
It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.
A few years ago as I was working for a local government, a similar discussion started, but quickly finished after the project owner valiantly displayed her dumbphone.
Only months later did I learn that her husband was investigated for misappropriation of funds, so keeping a minimal digital footprint was important for her.
So, if the majority chose to get microchipped, you believe either we should force the minority to get microchipped against their will, or just exclude them from society?
So Government can track your accounts via IP,Timestamps, Token (if website saves it).
Just incase you dont bother visiting the github page the simplified flow works like this:
1) You scan QR code 2) Verification 3) Provider/Verifier informs website +18 age
So if i verify my age then watch some material which doesn't agree with with my government values like females with male genitals. I'd be royally screwed if government wishes to pursue.
In the last 5 years so much of the legislative pressure is coming down to remove anonymous Internet access to save the children or protect us from some harm.
In the end it is all being used to track and control us.
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
Never truer words ever spoken. And yet we keep slipping down this slope again and again and again and it seems there is never a way to climb back out.
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
A little off topic, but does anybody else think that all these attacks on personal freedoms across the western world are very coordinated? Suddenly all countries are making social media ban under 16 laws. Same goes for centralized digital currency push.
Europeans do a lot of stupid things, but I believe in light of all the scandals we saw in recent times, you can't explain EU behavior and choices without accounting for corruption. EU division and different level among the different countries of wealth, integrity of political sphere, and different cultural biases make us the perfect target for bribes in order to control votes and choices. Not just promoted by external actors. The Chat Control is a great example: everybody understands how bad this is, the arguments are mostly a shield to avoid revealing the real agenda.
It's honestly quite baffling that the EU would want to put any more power in the hands of any US controlled company at this point. The US is a borderline hostile state, only recently threatening to invade Greenland among numerous other examples. The situation with Anthropic has illustrated that the US government will not hesitate to leverage power over US companies when it feels its interests are advantaged by doing so. If anything, the EU should be banning use of Google or Apple dependent architectures, not pseudo mandating them.
It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.
You get a unique adhar-id (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.
Time to reach out to your MEP's! I would imagine the id could web-based for example which would make it much less dependent on the Google's or Apple's "SAFETY" services.
I like how we quickly moved past the fact that the government wants to know who we are, what we visit, what we say, what we buy, and has explicitly said that they want to control what we buy, where we go, and what we are allowed to say. But we are focused on what specific mega-corporation those systems will use to function.
I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens. The government should know as least as possible about us. We on the other hand should know every single move, decision, and discussion they have while they sit on the chairs we paid for.
> I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens.
The irony in this as a European is that in the US people don’t even need national ID in the sense we got in Europe. They travel using driving license or library card. We got mandatory passports with biometric data - refusal to provide that data is practically impossible.
There seems to be no awareness from EU govenments about how much power we're handing over to two large outside companies. This incompetence in the leadership will cause a lot of harm over the years. This has been going on for a long time.
Sarcastic view: Doesn't matter - the EU wont listen, then pull a surprised pikachu and make laws to force googles play integrity to attest that other devices are genuine, because obviously, the problem is google, not stupid design decisions made while creating the app.
Its all lining corporate pockets but what can we do? Europe needs sovereign smartphone infra but even if that existed people would still prefer Iphones.
The corporations have the tech and network effects on their side.
Is it out of character for the EU to push a half baked solution out that covers most but a tiny fraction of the population only to get sued later on and rule against its own idea?
The problem is not that the ID wallets require Google and Apple. The problem is that we're getting eaten alive by this Big Brother called EU (lead by the UK initiatives) that is starting an unprecedented control over the population.
These ID wallets should be all optional, there should NOT be any age verifications.
I remember ~10 years ago when Europe was laughing at China's face detection systems to track citizens.
Only reasonable explanation I have, other than pure incompetence is that this is in a development for quite a long time and current political situation become obvious problem only in last few years.
This quite literally validates those "tinhat conspiracy" folks, honestly the EU are not doing us or themselves any favours here. If it is intended to replace cash then it should function like cash. This limitation is draconian.
There is one thing after the next, under Von der Leyen and Metsola, its ridiculous.
> Governments are cementing a monopoly they claim to oppose
Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems needs to be built now anyway.
There are viable third alternatives which do not require building a full smartphone stack. The national eID in Denmark, MitID, is an app "protected by" Play Integrity, but at least there are two non-smartphone alternatives available in the form of either a TOTP code generator or a FIDO2 chip which you can get for free if you can't or won't buy a smartphone.
Age verification solutions could also be built on dedicated hardware tokens, even though the tokens required to build a ZKP or blind signature based solution may not be available off the shelf right now.
Big facepalm... EU had really only one job with the EU wallet... And missed the point completely. GrapheneOS is probably closer to EU data security and privacy standards than Android or iOS.
Its simply unreal that the EU is pushing that in order to participate in society that I must accept the TOS of Google or Apple.
God help you if you need to try and fix a serious problem. Sorry, you loaded a video of the first dance of your wedding to YouTube and now have a copyright strike, now you can't file taxes.
Hopefully you are famous enough on Twitter to get someone in Google to fix this.
The problem was always that the government could ban you from society via the banks banning you, and you having no recourse because it was a business exercising its right to not do business with you.
Without the proper laws and proper leaders of law enforcement that protect an individuals’ right to transact, one’s rights were always just a technological advance away from being taken away.
5 years ago, some smarty pants would've worked out how to implement digital ID wallets on the block-chain, and there would've been some uptake for it in the European environment .. these days however, it appears everyone has given up on that idea and defaulted back to the fascist approach (corporations doing government work).
Because Apple has always been a closed platform whereas Android started out being relatively open. For Android there is an alternative to Play Integrity which would enable governments to get remote attestation assurance on non-Google Android based operating systems like GrapheneOS, but that alternative does not even exist in the Apple ecosystem.
The EU reference for wallets strictly required google play services https://github.com/eu-digital-identity-wallet/eudi-app-andro...
So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires google.
Nothing will change until the lawsuits start coming in.
The only hope is the motorola/grapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.
Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.
The issue isn't just the technical dependency.
It's also the fact that it forces each citizen to pay a few hundred Euros to companies which then campaign against their very rights.
Citizens get no support of any kind in case of issues, and has to enter a contractual agreement which is ridiculously asymmetrical, where the company has little to no responsibility of any kind, but has very ample rights to track the other party in extremely creepy ways.
It doesn't force them to, strictly speaking - they also have the choice to sue the government
But ... the alternative is that the government actually pays a bit of money to fix the situation! To support their solutions. To actually develop them for enough devices. To secure them ... Plus the services the government made are way more invasive than the Google/Apple ones.
In addition to the money, actually using them would be hundreds of times more complex, and they don't have the provisions Google has, for example accessibility and security services (like actually stopping people stealing accounts on a large scale). All of this can be done, easily even, but it isn't. Politicians don't want to.
https://www.itsme-id.com/business/platform/identification
https://france-identite.gouv.fr/
https://english.rekenkamer.nl/latest/news/2023/03/29/digital...
5 replies →
Special-casing support for GrapheneOS would be a band-aid, they should find a way to avoid requiring remote attestation in the first place, so anyone can use whatever OS they like on whatever hardware they like.
I think there are two fights that are both worth fighting:
1. Completely outlawing remote attestation.
2. In a world where remote attestation is given, let it be controlled in a fair way and not just by Google and Apple.
The risk is that only fighting for (1) leaves you in a world with remote attestation, where only Google and Apple can decide who gets to pass and who not. In fact, that is pretty much the world we are in already.
I agree that they are both worth fighting for, but I think (2) is much easier to accomplish, simply because Play Integrity is probably a DMA violation. (IANAL blah blah)
6 replies →
As outlined here: https://grapheneos.org/articles/attestation-compatibility-gu..., GrapheneOS isn't implementing something unique, it's implementing Android Hardware Attestation: https://developer.android.com/privacy-and-security/security-...
2 replies →
Agreed, it should be open standards only.
1 reply →
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
1. Smart Cards (for example The Current National ID)
2. Standalone Hardware Tokens & USB Keys
The lawsuits, sadly, won't matter. "Security" (or, rather, totalitarian control!) is more important than the 1% of nerds who care enough to tinker with their phone.
People keep framing these sorts of debates in terms of tinkering.
It's about ownership, not tinkering. It's about preventing megacorporations from having the last word about how government services can function and how people can interact with them.
It's not 1% here though... Graphene has 300k users worldwide. There's 8 million absolutely illiterate and 150 million functionally illiterate people in Europe for comparison on scale here.
14 replies →
First, GrapheneOS supports remote attestation. So if they want their security, they can have it. Second, the current focus of the EU on sovereignty is a window of opportunity and there are better opportunities to fight this than two years ago.
I think it does if enough people try this. I will.
Lobbyists do not sleep. It's easy to recall how those two, especially apple, tried to sabotage FIDO2 trying to capture webauthn standards, fortunately failed. EU also has to learn their inside traitors who sabotage their great efforts in decentralization of identity, and learn to avoid those incredible situations like happens right now with chat control directly lobbied by silicon valley surveillance vendors
GrapheneOS supports attestation too, so even if they succeed it will likely just turn into a gift to Google, Apple and GrapheneOS. It's hardware attestation that needs to be opposed as it's inherently user hostile, allowing a single popular Android distro doesn't do much in the grand scheme of things.
Every Android system support remote attestation. It's part of AOSP. Google just decided not to use it, because Play Integrity allows them to lock in phone manufacturers and force them (per leaked agreements) to preinstall a bunch of Google apps and require to run Play Services and some other components privileged on the system.
2 replies →
The more the better - being forced to maintain an up-to-date list of Google competitors (including some that don't keep attestation keys secure, so the bad guys will pretend to be those and you'll be forced to allow it anyway) may make some reconsider whether the feature actually brings any value.
As a technical point, note that however there is no legal requirement to follow this reference. Wallet providers can choose a different implementation.
Motorola/GrapheneOS, and FairPhone/e/OS.
Fairphone/e/OS is Dutch and French respectively. It'd be funny if the EU forgot to permit the use of a pure european system.
2 replies →
Yes
4 replies →
There is too much corruption, nothing can be done at this point. Atleast CIE app works on graphene for now so I can do everything else on the web. If they block that idk what I would even do.
Don't assume corruption for something that can be attributed to not giving a fuck.
5 replies →
Also, as the article says, Play Integrity is most likely a violation of the DMA. Send a message to the EU DMA Team if you live in the EU and are affected by this (or affected by this in the future, if you plan to switch to an alternative):
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
The more examples they get of actual citizens that get hit by this, the better. I have recently sent messages when Google introduced their new device-based recaptcha and when Volkswagen started blocking GrapheneOS. Of course, do not yell, explain patiently and with good argumentation why you are affected by Play Integrity and how you believe Play Integrity is used to enforce the duopoly + goes counter EU sovereignty.
Also, for apps that use Play Integrity, e-mail the company. React to their boilerplate replies with follow-ups (this slowly seems to get some headway with VW). Also leave a one-star review on their app, explaining in the review that they broke support for your system.
I know that this can all seem hopeless. But especially GrapheneOS is getting a lot of momentum now, rapidly gaining more users. It feels like it is a moment in time where we can seriously influence things for the better. There are ~500,000s users now. If everyone actively participates, we can move the needle.
Honestly, as long as the architectures is fatally flawed (Even if convenient) it's just bandaids over a larger issue.
These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Germany was going in the right direction imho, they NFC enabled their ID cards (Sweden has info on them but no enablement procedures) that is then paired with the app, so the card acts as a 2nd factor that makes the app itself less of a security issue since a user will be required to physically enable it (sadly the NFC pairings are kinda fiddly.. but I'd take that as a security option for all non-trivial transfers).
> These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Many countries in the EU already have all of that just done though some national equilevant system (for example here in Finland mainly with bank credentials).
And in fact additonal checks are done when enough money is moving. For example when I signed my bank loan for an apartment I had to sign it again after 24 hours just to be really really sure that I wanted to sign it.
For smaller (but still big enough) stuff a second "second factor" usually kicks in usually in the form of a sms verification after the actual proper login with bank credentials (which has a proper 2 factor auth in itself too)
4 replies →
Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the users entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.
Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.
I'm ok with enforcing hardware security. Both for banks and governments.
But it must not limit the ability of running custom software on a phone. And especially not enforcing every person to get a Google/Apple signed phone.
Like if I get GrapheneOS on my phone. Banking/gov apps should work. But I believe this could be possible with enforcing hardware security as well.
The chain of trust always has a software layer. I don’t believe what you want is possible.
I find the bank talking point strange, why are they special, are they even targeted more. It just feels like a boogeyman “think of your money!”
3 replies →
You can't have both. "Hardware security" means the manufacturer decides which OS can run and you can't override it.
> it just requires a few cryptographic primitives and a set of device-bound keys
Question: how do you make sure the keys are device-bound if you have no attestation about the hardware or operating environment?
Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.
It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.
So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).
Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.
Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.
I think the reason these systems require device bound keys is because the government is concerned with easily mass-produced forged age certificates. With software keys you can get an age certificate which can be copied instantly to a large number of devices, with hardware keys the government knows that the certificate is tied to a single physical unit.
2 replies →
A European digital ID system that is entirely dependent on 2 US companies.
Wasn't there some talk about the pressing need for European digital sovereignty recently? Or was that just performative nonsense?
> Wasn't there some talk about the pressing need for European digital sovereignty recently?
At FOSDEM, we discuss this at great length. There has been some movement, and I am optimistic that it is improving year on year.
I'm sorry but clearly the introduction of these apps with these requirements in the near past and near future represent regression over time rather than improvement.
I think it was last year that there was a good presentation from them about how they were going to use ZKP and it was indeed very trust inspiring. But do you think the latest digital wallet solution from eg Danish government uses ZKP? Of course not!
I have to say that the tune they play at FOSDEM and what we see put into production are just two different things.
1 reply →
Yes, and there is an open source spec [0] that doesn’t require Google/iOS Attestation but “preferably” providers will make their wallet app available on App Stores [1]:
> To ensure that the User can trust the Wallet Solution, Wallet Providers preferably make their certified Wallet Solutions available for installation via the official app store of the relevant operating system (e.g., Android, iOS). This allows the operating system of the device to perform relevant checks regarding the authenticity of the app.
Of course the chances of any important business implementing a side channel option is effectively zero. Maybe some government agencies will offer the option though.
[0] https://github.com/eu-digital-identity-wallet
[1] https://eudi.dev/latest/architecture-and-reference-framework...
Not really. EU is actually trying to decouple. But in many cases there are not any homegrown alternatives to support. There is not a single company in EU that could replace, even a considerable part, of software stack provided by Google and Apple.
And, unless the regulatory environment changes., there probably never will be.
Thr answer to US tech giants are not homegrown EU tech giants, but international free software (Free as in Freedom). We already have free operating systems: Linux, BSD. Office software: LibreOffice, etc.
EU regulators have stop listening to tech company lobbyists.
3 replies →
Understandable. However every new solution should be built from the ground up and be fully decoupled even if the migration of old services might take a while.
For this specifically EU could surely (only in theory since statistically the average EU bureaucrat is a pompous idiot to whom the word “accountability” is an entirely inconceivable concept) have something developed for a sane price in a reasonable amount of time.
This is simply untrue. The tech is there, the will (money) isn't.
4 replies →
> But in many cases there are not any homegrown alternatives to support
There shouldn't need to be. Realistically for something like this an EU backed highly-audited non-profit should be in place for permanent highly controlled services like this that do not rely on any non-EU entities for it to function.
How much money did the EU finance towards alternatives last year then?
I hear them complaining but for now, the alternatives are mostly run by hobbyists.
We're starting from so low that even a few dozen millions would help a lot.
5 replies →
Jolla?
[dead]
> Or was that just performative nonsense?
Yes? Wake up, it is 2026.
The US can call Austria in 5 minutes and with no burden of proof get the airspace permit for a head of sovereign state revoked and the plane swatted instantly upon landing, because someone might have been on board (he wasn’t) whose only real crime was embarrassing the USA by exposing their fundamentally unconstitutional lawbreaking.
Same goes with the prosecutors in Sweden; a phone call and the US got, not charges (as that would actually be official misconduct in Sweden), but enough of an official statement from a prosecutor to get the words “Assange” and “rape” in headlines together around the world by that evening.
European countries are, by and large, lapdogs of the USA. It’s sad. And then the US president turns around and stabs them in the back by threatening invasion and annexation, or complete disregard for the fundamental obligations of NATO members.
I really don’t know what the fuck the Europeans are thinking by playing the US’s stupid games. As we see time and time again, it won’t be repaid in kind.
Unfortunately the big game is opaque it's close to impossible to understand for the common folk. So many questions, so tough to grasp answers. Sickening. The enemy is hiding. One could say that paying the taxes in some form is a path toward a destruction. Phrases like "war economy" are lunatic. It all starts in your mind, and that's why it's the most important to protect your children from the propaganda. Take care!
Neither US or EU are monoblocks though.
Obviously, on both side (and beyond) they are nice people trying to plan good things without being too naive. But bragging all day through and destroy all that is in your power is both easier and more attention grabbing than discrete hard work at building better future for everybody.
What they're thinking is that they really don't want to be playing Russia's stupid games.
> I really don’t know what the fuck the Europeans are thinking by playing the US’s stupid games. As we see time and time again, it won’t be repaid in kind.
I feel like the European relationship with the US can really be summed up by the 30 permanent military bases and 84,000 military personnel stationed in their borders and the underlying faith that it's for their own protection, except we better never ask them to leave just in case. Everything else sort of follows from that point.
2 replies →
Europe will never have digital sovereignty from the US.
It will take 100 years and an extremely expensive, government-mandated reimplementation of every critical US tech service and company.
No EU country is putting up budget for this, and no private enterprise is going to do it because building a worse version of AWS just so that it is "European" makes no financial sense and would most likely just fail anyway.
> building a worse version of AWS just so that it is "European" makes no financial sense
Unless it becomes necessary because of EU regulation?
16 replies →
I agree with the premise but have the feeling that it’s less about the money. People here in Germany use WhatsApp and Instagram and Gmail and MS Office and Windows not because there are no alternatives but because they either don’t know or don’t care to switch. People are notoriously difficult to convince to switch platforms even if they‘d get more benefits on the other side. My mom does not want to touch any email client besides outlook and she does nothing but read and very occasionally reply to singular emails and she requires only the barest functionality of an email client. Half of my family gets a panic attack when the windows interface changes again. The idea of switching messengers recently in my rather tech sawy circle of friends has resulted in a multi day discussion with no real outcome mainly because some just don’t want to deal with two messengers while their friends and family remain unconvinced. We already have social media, hosting, email, operating systems, messengers and the likes from European providers. People just don’t want to switch.
1 reply →
Mostly true, until reality forces otherwise, e.g. Huawei.
Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
Aren't monopolies is what we end up by default if have no regulation at all?
And yes, not every regulation destroys monopoly, but regulation is the only thing that could break one.
> Aren't monopolies is what we end up by default if have no regulation at all?
No. Monopolies are only inevitable if the goods aren't elastic, if there is a large cost of entry into the market, or if its a market you can create a moat that is unsurmountable.
Many markets don't have that even with 0 regulation, but might have second order problems like firms creating unsafe products for example.
But in general regulations almost always even unindentedly raise the cost to enter the market. If you make a new regulation that food needs to be safe, then the company needs to pay a safety inspection that a small home-made recipe might not be able to afford (to give a simple example).
At the same time, we now have uber large corporations due to non elastic parts of supply chain (like land) or moats that are insurmountable (like access to US capital). In which case, the FCC should break up monopolies as the current market is not catering to end users and consumers but to owners, which is why the Stock market has been in a never ending bull run.
15 replies →
Are there any examples of monopolies being (successfully) broken up in Europe? Or do you posit that regulation stop them from forming?
2 replies →
> Aren't monopolies is what we end up by default if have no regulation at all?
No.
2 replies →
Unless regulations explicitely incorporate how to handle incumbents & newcomers. One instance of that is MMTIS (multi modal passenger information), which explicitly states innovation and new players as a goal. There are other similar examples.
My intuition is that this is not necessarily true, but probably often true in practice but perhaps someone more educated on the matter can speak on that. It must also depend on the expensiveness of the regulation in question. Since in tons of areas regulations are absolutely vital so that for example our buildings don’t collapse, our food remains non-toxic and the medicine we buy is not the pharmacological equivalent to russian roulette the goal should then be to optimise the cost performance of regulations.
> Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost
(nit: I assume you meant "marketshare becomes unavailable")
So you mean that regulations that are created based on lobbying by corporations help them become monopolies? Sure, that makes sense. But thats different from a blanket "Regulations create monopolies".
Because the smaller players can't afford to implement the new regulations they lose their marketshare and it now becomes available for the bigger competitors to absorb.
> Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
The only way to guarantee a monopoly is to have a total lack of regulation. It's known that every "free" market will tend towards monopoly due the 1% law. Regulations are the only way to actually guarantee free markets because perfect free markets only exists in abstract, not in reality. Sometimes, a free market is the wrong solution and you need a regulated monopoly instead and with identity that's the best solution. Why? Because identity is unique to the individual. A individual must (in theory) only have one identity and with very extreme and usually well documented exceptions, such identity doesn't change. The state is the one that must provide a good way for identity and if smaller countries doesn't have the resources, then big countries should provide for all. Also, it removes incompatibility inter-countries while keeping private interests out.
The state should have the sole monopoly on attesting to anyone identity. Because they are the only ones that are not affected by market conditions. This is how countries that have advanced in this topic actually work. If individual states can't reach a common solution, then the collective must do so. The collective failed here because it recommended a private solution rather than mandated a european one. Private sector must not dictate what or how identity is attested, because the private sector has it's profit pursuing agenda, state must evaluate solutions but it's up to the states to run them and implement them.
Market solutions are good for several things, this isn't one of them.
Regulations __can__ create monopolies. DMA is a regulation, but it does not have the shortcomings you mentioned.
DMA seems explicitly written to only target monopolies, though (and seems like a surrender from the EU, since monopolies should be broken up and not get laws codifying their business models IMHO).
2 replies →
Working as intended. EU wants you to use a device and OS they can fully control. Don't comply with some new ridiculous regulation? Your app will be banned.
> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements
> Apple’s app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.
https://news.ycombinator.com/item?id=48707719)
The only problem is, EU does not control these devices, Google and Apple and by extension the US government does.
Oh they sure do, because Google/Apple have to bend over backwards for the EU as they are not stupid enough to suddenly lose 500 million users.
2 replies →
So when Google bans someone, that person also loses access to all services that require digital ID, forever?
I remember when a Youtuber asked live viewers to "vote" by typing emojis, and a whole bunch of viewers got their Google accounts banned for spamming[1]. Google is also famously averse to user support (understandable given the scale of their free services), so individual remedy is unlikely.
I can already see the new ransomware: "pay us or we'll send spam from your gmail and you'll lose your digital ID".
[1] https://www.engadget.com/2019-11-10-youtube-reinstates-banne...
There's a relatively simple and much more open and secure solution to this: Make physical EU ID cards the attestation source, and require users to tap them against their phone for critical operations (high-value signatures, login on a new device or after repeated authentication failures etc).
That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.
As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.
My French ID card has the features, but also the French digital ID app also requires Play Integrity...
How can you have a secure enclave without hardware attestation? Processor root-key is the source for all.
Smartcards have attestation too.
1 reply →
Here in Germany we had court rulings saying the german railway (DB) must offer offline tickets that do not require a computer or smartphone to purchase to not discriminate against the elderly. I am pretty sure we will see similar rulings for EUDI wallet requiring Google/Apple.
There are AFAIK no plans to completely remove the offline ID everyone is currently required to carry, so I doubt there will be similar rulings for EUDI as long as it remains an optional alternative for people who want to use online services.
Just a general rule of thumb:
If I am not able to use any digital service or product on a computer that I could have built entirely myself (or had anyone of my choice build for me), running code I could have written entirely myself (or had anyone of my choice write for me), then that is completely unacceptable.
EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.
And complement it with hardware tokens for highly sensitive applications.
Passkeys could have been that, but they were quickly subverted by the industry.
But this does not allow tracking nor marketing, so why would they do that?
Because of Digital Sovereignty concerns?
5 replies →
I really don't like how EUDI (OpenID4VP) works in the first place. IMO it should be scrapped and rebuilt from the ground up
It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.
help us help EU residents:
https://openwallet.foundation/
https://github.com/openwallet-foundation
https://github.com/openwallet-foundation-labs
Can you elaborate?
On the tech side, we are working closely with (for instance) Google: https://github.com/openwallet-foundation/multipaz-wallet
SPRIND: https://github.com/openwallet-foundation/eudiplo
Animo: https://github.com/openwallet-foundation-labs/mdoc-ts
and we do engage with NGOs and governments across the EU.
They should not make it mandatory for or expect people to have a smartphone.
A few years ago as I was working for a local government, a similar discussion started, but quickly finished after the project owner valiantly displayed her dumbphone.
Only months later did I learn that her husband was investigated for misappropriation of funds, so keeping a minimal digital footprint was important for her.
Moral of the story: everyone has a smartphone.
So, if the majority chose to get microchipped, you believe either we should force the minority to get microchipped against their will, or just exclude them from society?
"Your papers, please"
Everytime EUID mentioned, people forget that EUID is not anonymous!
EUID has "provider/verifier" endpoint which communicates with your website to inform you are indeed 18+ age.
Link: https://github.com/eu-digital-identity-wallet/eudi-srv-verif...
The github page has graph how it works.
So Government can track your accounts via IP,Timestamps, Token (if website saves it).
Just incase you dont bother visiting the github page the simplified flow works like this:
1) You scan QR code 2) Verification 3) Provider/Verifier informs website +18 age
So if i verify my age then watch some material which doesn't agree with with my government values like females with male genitals. I'd be royally screwed if government wishes to pursue.
In the last 5 years so much of the legislative pressure is coming down to remove anonymous Internet access to save the children or protect us from some harm.
In the end it is all being used to track and control us.
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
Never truer words ever spoken. And yet we keep slipping down this slope again and again and again and it seems there is never a way to climb back out.
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
1. Smart Cards (The Current National ID)
2. Standalone Hardware Tokens & USB Keys
A little off topic, but does anybody else think that all these attacks on personal freedoms across the western world are very coordinated? Suddenly all countries are making social media ban under 16 laws. Same goes for centralized digital currency push.
Europeans do a lot of stupid things, but I believe in light of all the scandals we saw in recent times, you can't explain EU behavior and choices without accounting for corruption. EU division and different level among the different countries of wealth, integrity of political sphere, and different cultural biases make us the perfect target for bribes in order to control votes and choices. Not just promoted by external actors. The Chat Control is a great example: everybody understands how bad this is, the arguments are mostly a shield to avoid revealing the real agenda.
It's honestly quite baffling that the EU would want to put any more power in the hands of any US controlled company at this point. The US is a borderline hostile state, only recently threatening to invade Greenland among numerous other examples. The situation with Anthropic has illustrated that the US government will not hesitate to leverage power over US companies when it feels its interests are advantaged by doing so. If anything, the EU should be banning use of Google or Apple dependent architectures, not pseudo mandating them.
Why cant EU have something like Adhar (ID-verification for Indians) https://uidai.gov.in/en/
It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.
You get a unique adhar-id (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.
To paraphrase Napoleon - because India has the will to do it, and the EU does not.
So as an EU citizen and owner of Fairphone 6 with e/OS I'm banned from using apps I should be allowed to use?
More about Waag: worth a read https://waag.org/en/about-waag/ - Marleen Stikker is a national treasure.
Time to reach out to your MEP's! I would imagine the id could web-based for example which would make it much less dependent on the Google's or Apple's "SAFETY" services.
You can just continue using native apps, just dont include / depend on proprietary attestation APIs such as safetynet
They to frame this so politicians care is: we are giving monetary policies power to a foreign corporation.
I like how we quickly moved past the fact that the government wants to know who we are, what we visit, what we say, what we buy, and has explicitly said that they want to control what we buy, where we go, and what we are allowed to say. But we are focused on what specific mega-corporation those systems will use to function.
I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens. The government should know as least as possible about us. We on the other hand should know every single move, decision, and discussion they have while they sit on the chairs we paid for.
> I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens.
The irony in this as a European is that in the US people don’t even need national ID in the sense we got in Europe. They travel using driving license or library card. We got mandatory passports with biometric data - refusal to provide that data is practically impossible.
There seems to be no awareness from EU govenments about how much power we're handing over to two large outside companies. This incompetence in the leadership will cause a lot of harm over the years. This has been going on for a long time.
Sarcastic view: Doesn't matter - the EU wont listen, then pull a surprised pikachu and make laws to force googles play integrity to attest that other devices are genuine, because obviously, the problem is google, not stupid design decisions made while creating the app.
I think EU is warming up to the possibility that relying on US tech is has strategic consequences.
Its all lining corporate pockets but what can we do? Europe needs sovereign smartphone infra but even if that existed people would still prefer Iphones.
The corporations have the tech and network effects on their side.
Digital single market, digital sovereignty and all those nice words...
Is it out of character for the EU to push a half baked solution out that covers most but a tiny fraction of the population only to get sued later on and rule against its own idea?
Previous discussion, related to grapheneos: https://grapheneos.org/articles/attestation-compatibility-gu...
I think we're missing the important point here.
The problem is not that the ID wallets require Google and Apple. The problem is that we're getting eaten alive by this Big Brother called EU (lead by the UK initiatives) that is starting an unprecedented control over the population.
These ID wallets should be all optional, there should NOT be any age verifications.
I remember ~10 years ago when Europe was laughing at China's face detection systems to track citizens.
We're becoming much worse than that now.
Absolutely baffling why the EU would be doing this.
We just can't help it. Can we.
Only reasonable explanation I have, other than pure incompetence is that this is in a development for quite a long time and current political situation become obvious problem only in last few years.
The entire software even free one is. We need to exclude them all.
This quite literally validates those "tinhat conspiracy" folks, honestly the EU are not doing us or themselves any favours here. If it is intended to replace cash then it should function like cash. This limitation is draconian.
There is one thing after the next, under Von der Leyen and Metsola, its ridiculous.
> Governments are cementing a monopoly they claim to oppose
Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems needs to be built now anyway.
There are viable third alternatives which do not require building a full smartphone stack. The national eID in Denmark, MitID, is an app "protected by" Play Integrity, but at least there are two non-smartphone alternatives available in the form of either a TOTP code generator or a FIDO2 chip which you can get for free if you can't or won't buy a smartphone.
Age verification solutions could also be built on dedicated hardware tokens, even though the tokens required to build a ZKP or blind signature based solution may not be available off the shelf right now.
> but the systems needs to be built now anyway.
I question that premise.
They can't tackle issue oft establishing a 3rd popular mobile operating system, true. But they could support Desktop Linux or AOSP.
Last I checked Android was OSS and there's plenty of clones without any Google BS. Heck I'm using one now
1 reply →
Windows Phone wouldn't be much help here, still an US company.
And when the safety services of Google and Apple fail, the citizens will be the only ones to pay a price. This is madness.
Seif-Sovereign Identity wallets that are cross-device are the way around this, but relies on institutions following this path.
Vendor lock-in is real
So, we have safety services owned by a country with nuclear weapons, while Europe is regressing in all domains.
This is not safe.
OH FFS. "safety services". NO. It's monopolistic services.
I don't know who thought that national ids should be vetted by two private companies, not even European!
No thanks, I don't want any of that for obvious security reasons
Big facepalm... EU had really only one job with the EU wallet... And missed the point completely. GrapheneOS is probably closer to EU data security and privacy standards than Android or iOS.
Its simply unreal that the EU is pushing that in order to participate in society that I must accept the TOS of Google or Apple.
God help you if you need to try and fix a serious problem. Sorry, you loaded a video of the first dance of your wedding to YouTube and now have a copyright strike, now you can't file taxes.
Hopefully you are famous enough on Twitter to get someone in Google to fix this.
I use coinpay’s DID it is simple anonymous and works it’s open source too
Yes, but you can't sign the device, that is what Google and Apple do.
From fingerprint/face id to digital id..
Like banking apps are now using play protect/depending on Google.
(Just a matter of time Google/Apple will be a banks themselves, as is the danger with governments)
Ofcourse the world could be a more open place, but constraint, rules and control are too pleasing to not implement, sadly.
The problem was always that the government could ban you from society via the banks banning you, and you having no recourse because it was a business exercising its right to not do business with you.
Without the proper laws and proper leaders of law enforcement that protect an individuals’ right to transact, one’s rights were always just a technological advance away from being taken away.
In general government policy for technology and communications, is a regulatory capture gift to big corporations.
The government gets data to “manage” the citizens and the companies get data to “manage” consumer and the power structure is protected.
5 years ago, some smarty pants would've worked out how to implement digital ID wallets on the block-chain, and there would've been some uptake for it in the European environment .. these days however, it appears everyone has given up on that idea and defaulted back to the fascist approach (corporations doing government work).
LMAO of course
[flagged]
[dead]
[dead]
[flagged]
[dead]
[dead]
[dead]
Huh. This article lumps Apple in with Google when its only qualms seem to be with Google's terrible behavior. The entire article is about Google Play.
Because Apple has always been a closed platform whereas Android started out being relatively open. For Android there is an alternative to Play Integrity which would enable governments to get remote attestation assurance on non-Google Android based operating systems like GrapheneOS, but that alternative does not even exist in the Apple ecosystem.
Yeah, what alternative is there for iOS except the framework that Apple supplies?