So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires google.
Nothing will change until the lawsuits start coming in.
The only hope is the motorola/grapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.
Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.
It's also the fact that it forces each citizen to pay a few hundred Euros to companies which then campaign against their very rights.
Citizens get no support of any kind in case of issues, and has to enter a contractual agreement which is ridiculously asymmetrical, where the company has little to no responsibility of any kind, but has very ample rights to track the other party in extremely creepy ways.
But ... the alternative is that the government actually pays a bit of money to fix the situation! To support their solutions. To actually develop them for enough devices. To secure them ... Plus the services the government made are way more invasive than the Google/Apple ones.
In addition to the money, actually using them would be hundreds of times more complex, and they don't have the provisions Google has, for example accessibility and security services (like actually stopping people stealing accounts on a large scale). All of this can be done, easily even, but it isn't. Politicians don't want to.
I just dont buy the argument that it would be that expensive for the governments to provide certified keychain fobs that provide hardware based identification.
That was an option for the past 15+ tears at least in some EU countries. Its just not very convenient (garbage tier software they bought didnāt help either).
It's pretty expensive to deal with all of the technical support and identity verification work when people lose their devices and need to have credentials reset.
How do the apps bootstrap identity? Do they just use Apple/google (that seems really bad), or do they have you do some verification and input a token into the app somehow?
Special-casing support for GrapheneOS would be a band-aid, they should find a way to avoid requiring remote attestation in the first place, so anyone can use whatever OS they like on whatever hardware they like.
I think there are two fights that are both worth fighting:
1. Completely outlawing remote attestation.
2. In a world where remote attestation is given, let it be controlled in a fair way and not just by Google and Apple.
The risk is that only fighting for (1) leaves you in a world with remote attestation, where only Google and Apple can decide who gets to pass and who not. In fact, that is pretty much the world we are in already.
I agree that they are both worth fighting for, but I think (2) is much easier to accomplish, simply because Play Integrity is probably a DMA violation. (IANAL blah blah)
Why is attestation always bad, all the time? When two people interact thereās a trust/risk calculation on both sides. Isnāt attestation just a means of reducing risk for both parties? (We can debate who should control the attestation process and how it should work but your point 1 suggests that there is never a good form of attestation.) What would we do instead?
I cannot think of any company that has appropriately used attestation as a trust/risk calculation. I work in major game studio; there is never calculation only a binary.
It never ālet`s check if the mobile user has purchased in-game content server side to prevent pirating itā, its āsuspend any account that has signed in with a device that fails safetynet, permanently ban any account that has failed a jailbreak or root checksā
It never ālet`s check and calculate statistically cheating probability and move damage calculation server-side so that player cannot godmode or modify their APKā, its āall non-stock phones are cheaters and fraudsters, ban all of them, use invasive anti-cheat, while continuing to have client sided damage and health and energy because it is easierā
Something else has to change first otherwise the only option for businsinses do will be, after 2 is implemented : āwhile yes it is now possible to allow a neutral third party to control attestation, someone higher-up such as legal has said ONLY google can and we will ban everyone elseā
As long as it is easier to don't give a fuck, that is the option that will be taken. z.B. the only reason our publisher allow the removal of play services was finding out that chinese players on definitely not google certified phone spends the most by orders of magnitude and even then it is only relaxing the check for specific region, forcing all EU players to continue to have this checking.
I would be wholly unsurprised if the result was to continue to require attestation but allow GrapheneOS f.e. only in Motorola factory shiped phones and disallow it if the user was involved in any way in the installation of it.
Definitely not bad all the time. For instance, GrapheneOS provides the Auditor app, with which you can verify from another phone or from a server that the OS is not tampered with. It also uses remote attestation.
I question the usefulness of Auditor. It can flag if a modified version of GrapheneOS has been booted, for example. But flashing a modified version of GrapheneOS requires erasing userdata, which you'd notice the moment all your data isn't there. Unless someone uses an exploit, but Key Attestation cannot detect exploits.
I suppose if you've bought a device with GrapheneOS already installed, you can use it to verify the installation. But that could also be achieved by reflashing a known-good image yourself.
A hypothetical useful use of attestation is that a company promising to process personal data securely could actually prove it to end-users, by open-sourcing their server-side code and using reproducible builds combined with remote attestation, to prove to the client that the server-side is running unmodified within a secure enclave.
I struggle to think of a useful use for it on the end-user client side, though.
Isnāt the client-side case something like āthe banking app youāre entering your account password into is the binary the bank created and not a compromised binary that will drain your bank accountā?
No, this would just require a publicly verifyable signature of the software, and the user would just choose to have their operating system verify it. No remote attestation or other hand-over-your-controls necessary.
Android Key Attestation produces attestations that are signed with a certificate chain rooted in the hardware vendor's CA. If you use Key Attestation on GrapheneOS on a Pixel device for example, it attests that you're using GrapheneOS's AVB keys, but that attestation is still signed by a Google certificate chain.
"Adding support for GrapheneOS" means allowlisting their AVB keys specifically, it does not open a door for 3rd party implementations in general.
If you run GrapheneOS on a different device of your choosing, attestation would fail.
If you run a non-GrapheneOS custom ROM of your choosing, attestation would fail.
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
1. Smart Cards (for example The Current National ID)
The lawsuits, sadly, won't matter. "Security" (or, rather, totalitarian control!) is more important than the 1% of nerds who care enough to tinker with their phone.
People keep framing these sorts of debates in terms of tinkering.
It's about ownership, not tinkering. It's about preventing megacorporations from having the last word about how government services can function and how people can interact with them.
It's not 1% here though... Graphene has 300k users worldwide. There's 8 million absolutely illiterate and 150 million functionally illiterate people in Europe for comparison on scale here.
"functionally illiterate" means that while you can read your native language, you will not correctly understand what you have just read.
Rates seem to vary state by state, from as low as 8% (denmark) to 43% (romania).
It's also not a clearly defined target, since it would be better to have rates based on the reading comprehension of the average school at year X or something similar.
I'm curious about this definition, just because it's not something I've ever considered before and googling seems to muddy the water even more.
Is it "functionally illiterate" if you can read the language aloud and not understand it, if you also wouldn't have understood the same thing spoken to you? That seems like it's about comprehension ability, not literacy.
Although one thing that just occurred to me is that if your reading level is low, you might be using all your cognition on reading so that you don't have spare capacity to understand as well - that's frequently the case for me with e.g. Chinese where I can read an entire passage out and then the teacher asks what the passage was about and I'm just thinking "I dunno, I wasn't thinking about that but I think I understood everything".
And that's definitely a different problem to being able to sound out the words, but just having no idea what those words mean, whether you read them or heard them.
And does it have to be your native language, or in any language? Not trying to nitpick, it just feels like the phrase can be usefully applied to a foreign language too.
posters upthread are talking about comprehension and value systems, not literacy.
"functionally illiterate" is the brush that one paints with when describing people of opposing political viewpoint or lower socioeconomic status, for example.
> Guidance tells us the average reading age in the North East is lower than the national average at between 9 to 11 years. To put that into context The Guardian Newspaper has a reading age of 14 and the Sun Newspaper has a reading age of 8.
Health literacy specifically is a major problem in healthcare
> 1 in 4 (26.7% / 931,000 people) adults in Scotland experience challenges due to their lack of literacy skills.
I find that page somewhat ironic as they claim 18% is one in six, but 17.4% is one in five. Seems numeracy is as big a challenge.
The US is no better according to wikipedia
> In 2023, 28% of adults scored at or below Level 1, 29% at Level 2, and 44% at Level 3 or above
> Adults scoring below Level 1 can comprehend simple sentences and short paragraphs with minimal structure but will struggle with multi-step instructions or complex sentences
> Adults scoring at Level 3 or above are considered "proficient at working with information and ideas in texts
Why are you surprised? Europe has 700 million people. Think of the average construction worker you know, do you think they could read and correctly summarize any moderately complex article? Think an article about inflation or evolution or heat pumps or investment funds, etc.
Fairly sure that in most countries the average person reads less than 1 book per year, so half of the population reads less than that. I know people who haven't read a book since highschool, when they were forced to.
The Average Briton allegedly reads 15 books per year. I assume its self reported and poorly sampled. Otherwise its very hard to believe (and variance between countries seems way too high) but stats like this (especially more subjective ones like functional literacy) are usually not very useful on their own.
First, GrapheneOS supports remote attestation. So if they want their security, they can have it. Second, the current focus of the EU on sovereignty is a window of opportunity and there are better opportunities to fight this than two years ago.
GrapheneOS supports attestation too, so even if they succeed it will likely just turn into a gift to Google, Apple and GrapheneOS. It's hardware attestation that needs to be opposed as it's inherently user hostile, allowing a single popular Android distro doesn't do much in the grand scheme of things.
Every Android system support remote attestation. It's part of AOSP. Google just decided not to use it, because Play Integrity allows them to lock in phone manufacturers and force them (per leaked agreements) to preinstall a bunch of Google apps and require to run Play Services and some other components privileged on the system.
I specifically referred to the remote attestation functionality in Play Integrity and that that can be replaced by AOSPs APIs, since the linked post is about remote attestation.
Play Integrity actually does both and passing remote attestation is necessary to pass Play Integrity at the strong level. Remote attestation is used for this level, since a modified OS could fool DroidGuard.
I'm sorry if my comment was not clear in what I was referring to.
The more the better - being forced to maintain an up-to-date list of Google competitors (including some that don't keep attestation keys secure, so the bad guys will pretend to be those and you'll be forced to allow it anyway) may make some reconsider whether the feature actually brings any value.
As a technical point, note that however there is no legal requirement to follow this reference. Wallet providers can choose a different implementation.
Maybe they should just publish the spec, and then providers can offer ID as a service? I.e as a Proton user, Proton Pass currently supplies my ID everywhere, including for government services.
Android and Apple devices let the remote server verify whether the local application and the system it runs on haven't been modified by the user and refuse providing services if they were. That's what makes them special, it's hard to imagine how a, say, generic installation of Debian could do that without severely restricting the user.
It's an ill-defined "security" measure that should be viciously opposed anywhere it shows up.
Lobbyists do not sleep. It's easy to recall how those two, especially apple, tried to sabotage FIDO2 trying to capture webauthn standards, fortunately failed.
EU also has to learn their inside traitors who sabotage their great efforts in decentralization of identity, and learn to avoid those incredible situations like happens right now with chat control directly lobbied by silicon valley surveillance vendors
There is too much corruption, nothing can be done at this point.
Atleast CIE app works on graphene for now so I can do everything else on the web.
If they block that idk what I would even do.
I do occasionally suspect corruption, but neither Google nor Apple have any incentive to pay off officials to get this passed. They can't beat each other, and the rest of the mobile OS'es is no threat to their revenue.
Google and Apple's odds of being caught are too high to expect they would risk it. They have more to lose if caught than they have to gain.
Obviously some companies do despite the risks, I wouldn't expect this of any individual company, but as a whole some company will once in a while anyway. So stay vigilant.
Also, as the article says, Play Integrity is most likely a violation of the DMA. Send a message to the EU DMA Team if you live in the EU and are affected by this (or affected by this in the future, if you plan to switch to an alternative):
The more examples they get of actual citizens that get hit by this, the better. I have recently sent messages when Google introduced their new device-based recaptcha and when Volkswagen started blocking GrapheneOS. Of course, do not yell, explain patiently and with good argumentation why you are affected by Play Integrity and how you believe Play Integrity is used to enforce the duopoly + goes counter EU sovereignty.
Also, for apps that use Play Integrity, e-mail the company. React to their boilerplate replies with follow-ups (this slowly seems to get some headway with VW). Also leave a one-star review on their app, explaining in the review that they broke support for your system.
I know that this can all seem hopeless. But especially GrapheneOS is getting a lot of momentum now, rapidly gaining more users. It feels like it is a moment in time where we can seriously influence things for the better. There are ~500,000s users now. If everyone actively participates, we can move the needle.
Honestly, as long as the architectures is fatally flawed (Even if convenient) it's just bandaids over a larger issue.
These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Germany was going in the right direction imho, they NFC enabled their ID cards (Sweden has info on them but no enablement procedures) that is then paired with the app, so the card acts as a 2nd factor that makes the app itself less of a security issue since a user will be required to physically enable it (sadly the NFC pairings are kinda fiddly.. but I'd take that as a security option for all non-trivial transfers).
> These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Many countries in the EU already have all of that just done though some national equilevant system (for example here in Finland mainly with bank credentials).
And in fact additonal checks are done when enough money is moving. For example when I signed my bank loan for an apartment I had to sign it again after 24 hours just to be really really sure that I wanted to sign it.
For smaller (but still big enough) stuff a second "second factor" usually kicks in usually in the form of a sms verification after the actual proper login with bank credentials (which has a proper 2 factor auth in itself too)
It's great you do have a bank-bound system in Finland.
I hope their implementation is not as bad as e.g. the Swedish BankID.
BankID is _in theory_ a nice technology. However, it is only handed out to people registered with the Swedish tax authorities holding a Swedish bank account.
All daily activities are nowadays bound to BankID: need a doctor's appointment? -> needs BankID; Want to buy something on Blocket? -> needs BankID.
As an European frequently spending some time in Sweden not in possession of a Swedish tax #, I feel very much excluded from online and partially offline activities in this country.
Well that is the point of this entire digital wallet thingy, there's going to be a transition period since everything here is more or less hardcoded to bankid not to mention tons of code with presumptions about Swedish identity semantics (that do differ from other countries).
But on the plus-side the Swedish state-eID solutions is planned to be delivered by end of year and hopefully most organizations will start migrating or at least dual-supporting them and in doing so also fix their services to support foreign eID's in the process.
This is a problem I'm seeing a lot of countries rushing full steam ahead. The age of a single physical ID that's only rarely needed and ubiquitous cash payments seems to be coming to an end. For anyone who travels a lot, migrants first settling in a place, or citizens abroad, this makes things even harder than they already were.
The ability of the government(s) to exclude you from every day activities required for participation in society (or survival) if you run afoul of their edicts is a feature of digital ID/digital currency, not a bug.
Again, it's all still tied to that one device, the phone, if it's hacked it's really game over and with a big enough hole in the Android or iOS ecosystem that could be wormable a lot of people could be exploited en-masse.
Sure a 24h delay or SMS code are 2 way but they fully fall into the bandaid category.
In the past we used to have disconnected dongles for banking, the bank issued a one-time challange and you entered the response along with your username. Now there are disadvantages with those also but at least it was fully airgapped.
Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the users entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.
Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.
For all practical purposes it's possible to do this. The boot ROM only boots a vendor-signed bootloader, the bootloader verifies the OS kernel, etc., until you have a fully verified boot chain. A secure enclave, which is completely separated from the main CPU and OS performs the attestation using a private key in its tamper-resistant storage and embeds the results of verification by the bootloader. There may be some vulnerabilities, but most of them can be fixed in updates, with exception of the boot ROM.
The reason why the system gets broken in Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone had since 5s + Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which set up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).
Nope. It is still not possible to give someone else (the government, or the bank) control over your phone while at the same time run software that you alone control with higher privileges.
Please don't mix that up with "is practically hard to implement because of sloppy code.
Also your attacker model is still "occasional evil government agency or evil private corporation wants to crack and read your messages", while what is discussed here is more fundamental "evil government or abusive corporation controls your phone in the first place, and can just remote control it you can't use really secure apps"
The software layer in age verification is not necessary to trust though. The worst that could happen is that a compromised software layer steals your age credential, but it is by design anonymous so you don't risk getting your money or account stolen or anything. This makes it a different threat model from the banking case.
You can store key material in hardware-backed enclaves without involving remote attestation. If someone has a modified device/client that stores the keys elsewhere, that's on them - they're only weakening their own security.
Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.
It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.
So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).
Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.
Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.
I think the reason these systems require device bound keys is because the government is concerned with easily mass-produced forged age certificates. With software keys you can get an age certificate which can be copied instantly to a large number of devices, with hardware keys the government knows that the certificate is tied to a single physical unit.
Again, at this point, they're taking things too far,age gates shouldn't need to be an impenetrable fortress (notwithstanding the question of whether they should exist in the first place).
It should simply be the adult account on the device is notified if the device is rooted, effectively no longer in child mode. Go crazy with the warnings on both devices if you want as they've opted in at that point.
You can't really prevent that unless you design a system which is inherently designed to track people, e.g. by phoning home to the issuer on each credential verification. The system being deployed right now is based on the issuer issuing batches of single-use credential tokens to device-bound single-use keys, which on the plus side means that colluding verifiers cannot use age credentials as cookies to track people. It is still vulnerable to colluding verifiers and issuers though, because the issuer can de-anonymize the tokens (it knows them and their linking to the identity of the user). This scheme also means that if the keys that the tokens are issued to are not device bound, then it is trivial to copy the age credentials to someone else.
To my knowledge, even more sophisticated ZKP schemes still rely on device bound keys to protect against duplication.
I'm sorry but clearly the introduction of these apps with these requirements in the near past and near future represent regression over time rather than improvement.
I think it was last year that there was a good presentation from them about how they were going to use ZKP and it was indeed very trust inspiring. But do you think the latest digital wallet solution from eg Danish government uses ZKP? Of course not!
I have to say that the tune they play at FOSDEM and what we see put into production are just two different things.
I see your point about the disconnect between the rhetoric and what we actually see in production. Perhaps "regression" is a strong word, though, IMHO I tend to see it as a very slow and uneven evolution.
Even if the pace is frustrating, there are still pockets of genuine open-source adoption in the European public sector. For example, we're seeing projects like Germany's OpenDesk or various municipalities moving toward Nextcloud and other sovereign cloud solutions.
The EU Open Source Strategy[0] was announced just under a month ago and it specifically mentions the EU Digital Identity ecosystem, including the European Digital Identity Wallet (EUDI Wallet) mentioned in the article. I agree with OOP that the requirement of an Apple or Google phone goes against these ambitions, and I will contact my elected representatives.
Yes, and there is an open source spec [0] that doesnāt require Google/iOS Attestation but āpreferablyā providers will make their wallet app available on App Stores [1]:
> To ensure that the User can trust the Wallet Solution, Wallet Providers preferably make their certified Wallet Solutions available for installation via the official app store of the relevant operating system (e.g., Android, iOS). This allows the operating system of the device to perform relevant checks regarding the authenticity of the app.
Of course the chances of any important business implementing a side channel option is effectively zero. Maybe some government agencies will offer the option though.
Not really. EU is actually trying to decouple. But in many cases there are not any homegrown alternatives to support. There is not a single company in EU that could replace, even a considerable part, of software stack provided by Google and Apple.
And, unless the regulatory environment changes., there probably never will be.
Thr answer to US tech giants are not homegrown EU tech giants, but international free software (Free as in Freedom). We already have free operating systems: Linux, BSD. Office software: LibreOffice, etc.
EU regulators have stop listening to tech company lobbyists.
Clearly it isnāt. This is what techies forget: The mass amount of Europeans donāt give 2 shits about digital sovereignty or open source. Christ, people go to mobile operator shops and give their unlocked phones to consultants to install or remove software for them. You want them to install GrapheneOS or manage a rooted device? That aināt even funny.
The only short-term solution is more regulation and more EU-centralized solutions, but of course this is only ok until the next chat-control drama.
Long term, in practice we need single European stock market and a way to provide funding to European companies from any member state, so to be competitive globally without being constantly restricted by every member stateās bureaucracy.
New York alone has 2 stock exchanges. I donāt think that companies being listed in London, Paris and Frankfurt (they generally are listed on several anyway) is the actual issue.
Especially these days the stock market is the very final stage anyway, most funding for growing tech companies is private funds, vc etc.
Understandable. However every new solution should be built from the ground up and be fully decoupled even if the migration of old services might take a while.
For this specifically EU could surely (only in theory since statistically the average EU bureaucrat is a pompous idiot to whom the word āaccountabilityā is an entirely inconceivable concept) have something developed for a sane price in a reasonable amount of time.
The money can't all come from the state. If the EU wants to compete, it should create a common market worth its name where EU companies can raise billions like American ones. If that doesn't happen but we instead pat ourselves on the back for setting aside a pithy 5 million Euros in some EU budget to support open source, it's never going to happen.
> it should create a common market worth its name where EU
There is no reason to believe that the EU (rather than the market participants in the EU) is in any way capable of that regardless of the amount of political will.
Spending massive amounts of money without knowing what you are trying to do or how will just result in a massive amount of grift and corruption
EU has no issues with wasting and burning large amounts of money for no particular reason. The issue is that the people there are incapable (or donāt want to) make the right decisions for any of this to happen.
> But in many cases there are not any homegrown alternatives to support
There shouldn't need to be. Realistically for something like this an EU backed highly-audited non-profit should be in place for permanent highly controlled services like this that do not rely on any non-EU entities for it to function.
For context, as yearly spending of 285 million ā¬, that compares to building roughly 20 km of motorway, or 0.5% of EU's agriculture subsidies, or half what the German federal government pays Microsoft per year.
I'll believe it when I'll see it, for now I haven't seen any of the Android forks (LineageOS, EOS, GrapheneOS...) or Linux OS (Phosh, Plasma mobile, Ubports, ...) get any funds from the EU.
The US can call Austria in 5 minutes and with no burden of proof get the airspace permit for a head of sovereign state revoked and the plane swatted instantly upon landing, because someone might have been on board (he wasnāt) whose only real crime was embarrassing the USA by exposing their fundamentally unconstitutional lawbreaking.
Same goes with the prosecutors in Sweden; a phone call and the US got, not charges (as that would actually be official misconduct in Sweden), but enough of an official statement from a prosecutor to get the words āAssangeā and ārapeā in headlines together around the world by that evening.
European countries are, by and large, lapdogs of the USA. Itās sad. And then the US president turns around and stabs them in the back by threatening invasion and annexation, or complete disregard for the fundamental obligations of NATO members.
I really donāt know what the fuck the Europeans are thinking by playing the USās stupid games. As we see time and time again, it wonāt be repaid in kind.
Unfortunately the big game is opaque it's close to impossible to understand for the common folk. So many questions, so tough to grasp answers. Sickening. The enemy is hiding. One could say that paying the taxes in some form is a path toward a destruction. Phrases like "war economy" are lunatic. It all starts in your mind, and that's why it's the most important to protect your children from the propaganda. Take care!
Obviously, on both side (and beyond) they are nice people trying to plan good things without being too naive. But bragging all day through and destroy all that is in your power is both easier and more attention grabbing than discrete hard work at building better future for everybody.
> I really donāt know what the fuck the Europeans are thinking by playing the USās stupid games. As we see time and time again, it wonāt be repaid in kind.
I feel like the European relationship with the US can really be summed up by the 30 permanent military bases and 84,000 military personnel stationed in their borders and the underlying faith that it's for their own protection, except we better never ask them to leave just in case. Everything else sort of follows from that point.
84 thousand personnel (of which maybe 20 per cent are actual combat troops, given the standard tooth-to-tail ratios of modern mechanized armies) could perhaps occupy Denmark on a good day. For a continent the size and population of Europe, this is not a dominant force by any means.
Putin has about 700 000 personnel in Ukraine right now and isn't making any progress. Barbarossa took about 3 million personnel to start.
Speaking of, my favourite Denmark story was probably Greenland when the US abandoned their cold-war era bases they just buried all their highly toxic trash in the ice. That ice is now melting and Denmark has to clean it all up. In the agreement with the US they excluded the US from any responsibility so they have to pay for it themselves. They also got really mad when the Greenlanders went behind the back of Denmark to complain at the UN about it.
Then Trump threatened to invade Greenland. And now the US is in negotiation with NATO (yeah lol) to build 3 new bases there that would be designated as US territory (bwahaha). One thing I like about Trump he drags all the Europeans through the mud so publicly it makes the contradictions impossible to miss, that's why they all hate him but still have to kiss his feet it's awesome. Like Obama made their groveling seem less suspect.
But yeah people are fucking clueless about everything. At least our media is free and not state controlled propaganda right?
Europe will never have digital sovereignty from the US.
It will take 100 years and an extremely expensive, government-mandated reimplementation of every critical US tech service and company.
No EU country is putting up budget for this, and no private enterprise is going to do it because building a worse version of AWS just so that it is "European" makes no financial sense and would most likely just fail anyway.
Hopefully not. This hate towards good technology and innovation because you donāt like the current president is ridiculous. Heāll be gone in two years or so and then weāll get back to normal.
> This hate towards good technology and innovation
Mine is to a collective people that vote in these people. I get that people can change, grow, evolve etc but I didnt trust a german for 60 years, I wont trust an american for at least a generation.
It isn't just Trump. The CLOUD Act basically gives Washington the power and ability to turn off any server operated by any US company at will/whim.
The Wikipedia page only talks about stored data on (optionally foreign) servers without any sort of regard for the laws of the country where that server is located. It ignores the part of the statute where the feds can basically "turn off" that server. And that is the part that the EU is panicking over.
And they already did that. The chief prosecutor of the International Criminal Court in The Hague was cut off Office 365 (and e-mail hosted through that), as well as credit cards and bank cards. This did send a shockwave through Europe.
To be fair, the ICC should not have existed in the first place. It was created to persecute the Serbs and then other people that were not liked by Europe mostly.
and Africans predominantly that's why the AES withdrew from it too. But the Europeans were under the impression their vassal status would always be benefitting them against their former colonies in their neocolonial efforts.
Trump made that whole arrangement cracking a little bit, but I still think it's mostly just the optics of it all they are still loyal servants. Nobody in Europe that matters gives a shit about Karim Khan or Francesca Albanese getting debanked and sanctioned, they would and love to do it themselves.
Hetzner seems to be a pretty good example. It wasn't solely because of EU regulation, but once GDPR made it a worthwhile investment to companies to segregate their data, European data centers have been growing steadily.
I agree with the premise but have the feeling that itās less about the money. People here in Germany use WhatsApp and Instagram and Gmail and MS Office and Windows not because there are no alternatives but because they either donāt know or donāt care to switch. People are notoriously difficult to convince to switch platforms even if theyād get more benefits on the other side. My mom does not want to touch any email client besides outlook and she does nothing but read and very occasionally reply to singular emails and she requires only the barest functionality of an email client. Half of my family gets a panic attack when the windows interface changes again. The idea of switching messengers recently in my rather tech sawy circle of friends has resulted in a multi day discussion with no real outcome mainly because some just donāt want to deal with two messengers while their friends and family remain unconvinced. We already have social media, hosting, email, operating systems, messengers and the likes from European providers. People just donāt want to switch.
If there is a higher level mandate or incentive to switch, people absolutely will - for example, if a government decides en masse to switch away from one OS or platform. [0]. This will likely be hugely influential, as then everyone who wants to communicate effectively with that government needs to make sure that they are compatible - which will likely drive adoption of the alternate technologies over time.
However, IMO the big challenge is MS Office - as much as people like to mention the FOSS Office alternatives, there's still a huge gap to cross before mainstream companies will adopt them. (To paraphrase, no-one gets fired for choosing Microsoft Office.)
Beyond this, on the more 'personal' level you discuss, the picture is more varied than you describe. Some people's elderly parents absolutely can and do switch to different email clients or browsers. Some groups of friends can and do switch messenger platforms - my personal comms are now split roughly 80:20 between Whatsapp (the default) and Signal. (It just took a determined minority deciding to switch, and the others followed.)
> We already have social media, hosting, email, operating systems, messengers and the likes from European providers.
Yes, but they aren't really competitive, as they currently aren't the easy/free/well-marketed/popular options that everyone defaults to when they first get a computer, or that their friends are already using. It's just network effect and inertia.
This can and will change if the need for a reduced dependence on the US continues to be front and center of people's minds. (Note this is mostly driven by the Trump administration's behaviour; the next president could probably heal many of these wounds and our European politicians will move one to caring about something else.)
Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
> Aren't monopolies is what we end up by default if have no regulation at all?
No. Monopolies are only inevitable if the goods aren't elastic, if there is a large cost of entry into the market, or if its a market you can create a moat that is unsurmountable.
Many markets don't have that even with 0 regulation, but might have second order problems like firms creating unsafe products for example.
But in general regulations almost always even unindentedly raise the cost to enter the market. If you make a new regulation that food needs to be safe, then the company needs to pay a safety inspection that a small home-made recipe might not be able to afford (to give a simple example).
At the same time, we now have uber large corporations due to non elastic parts of supply chain (like land) or moats that are insurmountable (like access to US capital). In which case, the FCC should break up monopolies as the current market is not catering to end users and consumers but to owners, which is why the Stock market has been in a never ending bull run.
Don't bigger companies also often benefit from scale in multiple ways so it gets harder and harder for newcomers to compete? And if a newcomer does manage to get a foothold, it might get bought.
> Don't bigger companies also often benefit from scale in multiple ways so it gets harder and harder for newcomers to compete?
That is one of the ways a Moat can happen and a monopoly can occur. For example if you were the only person with a loom and everyone else had to make jumpers by hand, you could make them so cheap they would have to close down.
In some markets those ways you can benefit from scale exist, in others there are drawbacks. In many cases those advantages only exist due to either regulation or lac thereof.
For example ways companies might have an advantage is by manufacturing in cheaper countries, but that only works because those workers have less rights and the cost of transporting is not properly taxed. Carbon taxes on shipping would make manufacturing in China pretty comparatively priced to many european countries. But if you let them contaminate the ocean with crude oil boats, then their manufacturing prowess and cheaper labour cost will offset the shipping cost and destroy a newcomer.
These are very basic examples and they all require nuance but hope it helps to explain it a bit more.
Another example is restaurants, you used to have some advantages from being a chain, but you would still constantly see mom and pop joints compete and even win. But as rent prices keep increasing (the non elastic market of the ground under the lease), suddenly the advantages of scale start beating the disadvantages of worse food and service.
MS did a lot of lobbying to prevent European governments from trying to migrate to Linux and/or OpenDocument.
Groklaw was a website that was started by a paralegal to try to understand, explain and report on the SCO lawsuit - who benefited and how they benefited. It ended up expanding into the EU anti-trust action against Microsoft and OpenDocument (and how OpenOffice was created as a trojan horse to defang OpenDocument).
There is always imperfect information, there is no such thing as a perfect market and as a result regulation will always be needed to curb the excesses such as monopoly. Even if we had perfect information, humans remain irrational. This is a simple fact of life and the universe.
The European Steel and Coal Community (precursor of the EU) was also involved in the effort to stop these. In general this has been something the EU has been involved in since its inception and the best action against monopolies is to not let them form in the first place (why there is so few of them in general in most developed countries. Though that is now slowly changing it seems)
The proposed regulations forcing everybody to use google or apple are ridiculous and very much the opposite of the kind of regulations we need though...
Unless regulations explicitely incorporate how to handle incumbents & newcomers. One instance of that is MMTIS (multi modal passenger information), which explicitly states innovation and new players as a goal. There are other similar examples.
My intuition is that this is not necessarily true, but probably often true in practice but perhaps someone more educated on the matter can speak on that. It must also depend on the expensiveness of the regulation in question. Since in tons of areas regulations are absolutely vital so that for example our buildings donāt collapse, our food remains non-toxic and the medicine we buy is not the pharmacological equivalent to russian roulette the goal should then be to optimise the cost performance of regulations.
> Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost
(nit: I assume you meant "marketshare becomes unavailable")
So you mean that regulations that are created based on lobbying by corporations help them become monopolies? Sure, that makes sense. But thats different from a blanket "Regulations create monopolies".
Because the smaller players can't afford to implement the new regulations they lose their marketshare and it now becomes available for the bigger competitors to absorb.
> Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
The only way to guarantee a monopoly is to have a total lack of regulation. It's known that every "free" market will tend towards monopoly due the 1% law. Regulations are the only way to actually guarantee free markets because perfect free markets only exists in abstract, not in reality. Sometimes, a free market is the wrong solution and you need a regulated monopoly instead and with identity that's the best solution. Why? Because identity is unique to the individual. A individual must (in theory) only have one identity and with very extreme and usually well documented exceptions, such identity doesn't change. The state is the one that must provide a good way for identity and if smaller countries doesn't have the resources, then big countries should provide for all. Also, it removes incompatibility inter-countries while keeping private interests out.
The state should have the sole monopoly on attesting to anyone identity. Because they are the only ones that are not affected by market conditions. This is how countries that have advanced in this topic actually work. If individual states can't reach a common solution, then the collective must do so. The collective failed here because it recommended a private solution rather than mandated a european one. Private sector must not dictate what or how identity is attested, because the private sector has it's profit pursuing agenda, state must evaluate solutions but it's up to the states to run them and implement them.
Market solutions are good for several things, this isn't one of them.
DMA seems explicitly written to only target monopolies, though (and seems like a surrender from the EU, since monopolies should be broken up and not get laws codifying their business models IMHO).
Can you imagine the collective screeching, across the White house, HN and Apple reality distortion field, that'd happen if EU attempted to breakup the American monopolies?
Electing to not do something impossible and framing it as a surrender is strange to me.
Working as intended. EU wants you to use a device and OS they can fully control. Don't comply with some new ridiculous regulation? Your app will be banned.
> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements
> Appleās app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.
But if the EU cements their citizens' dependency on Google/Apple even further by effectively mandating the use of these devices, it gives Google/Apple more leverage. Imagine if them pulling out of the EU meant nobody could use their digital wallet? What if the use of digital wallets has become more mandatory by then?
Really? Google to this day refuses to do business in China, and Apple at this very moment excludes the EU from multiple new iOS 27 features that launch in the rest of the world. And with the current direction the EU is taking (e. g. even more regulation, more economic recession, even fewer competitive tech businesses), I wouldnāt bet on US companies getting "more favorable" towards the EU.
So when Google bans someone, that person also loses access to all services that require digital ID, forever?
I remember when a Youtuber asked live viewers to "vote" by typing emojis, and a whole bunch of viewers got their Google accounts banned for spamming[1]. Google is also famously averse to user support (understandable given the scale of their free services), so individual remedy is unlikely.
I can already see the new ransomware: "pay us or we'll send spam from your gmail and you'll lose your digital ID".
Here in Germany we had court rulings saying the german railway (DB) must offer offline tickets that do not require a computer or smartphone to purchase to not discriminate against the elderly. I am pretty sure we will see similar rulings for EUDI wallet requiring Google/Apple.
There are AFAIK no plans to completely remove the offline ID everyone is currently required to carry, so I doubt there will be similar rulings for EUDI as long as it remains an optional alternative for people who want to use online services.
There's a relatively simple and much more open and secure solution to this: Make physical EU ID cards the attestation source, and require users to tap them against their phone for critical operations (high-value signatures, login on a new device or after repeated authentication failures etc).
That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.
As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.
The software running on the smartcard? You write that yourself, and hopefully your security processes are good. The nice thing about smartcards is that the trusted computing base is massively smaller than that of a regular operating system.
If you disallow installing applications post-issuance (which is probably a good idea for ID cards), you don't even have to worry about VM runtime integrity either, as there will be only your application running on the card.
If I am not able to use any digital service or product on a computer that I could have built entirely myself (or had anyone of my choice build for me), running code I could have written entirely myself (or had anyone of my choice write for me), then that is completely unacceptable.
EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.
And complement it with hardware tokens for highly sensitive applications.
Passkeys could have been that, but they were quickly subverted by the industry.
I really don't like how EUDI (OpenID4VP) works in the first place. IMO it should be scrapped and rebuilt from the ground up
It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.
A few years ago as I was working for a local government, a similar discussion started, but quickly finished after the project owner valiantly displayed her dumbphone.
Only months later did I learn that her husband was investigated for misappropriation of funds, so keeping a minimal digital footprint was important for her.
So, if the majority chose to get microchipped, you believe either we should force the minority to get microchipped against their will, or just exclude them from society?
In the last 5 years so much of the legislative pressure is coming down to remove anonymous Internet access to save the children or protect us from some harm.
In the end it is all being used to track and control us.
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
Never truer words ever spoken. And yet we keep slipping down this slope again and again and again and it seems there is never a way to climb back out.
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
A little off topic, but does anybody else think that all these attacks on personal freedoms across the western world are very coordinated? Suddenly all countries are making social media ban under 16 laws. Same goes for centralized digital currency push.
Europeans do a lot of stupid things, but I believe in light of all the scandals we saw in recent times, you can't explain EU behavior and choices without accounting for corruption. EU division and different level among the different countries of wealth, integrity of political sphere, and different cultural biases make us the perfect target for bribes in order to control votes and choices. Not just promoted by external actors. The Chat Control is a great example: everybody understands how bad this is, the arguments are mostly a shield to avoid revealing the real agenda.
So Government can track your accounts via IP,Timestamps, Token (if website saves it).
Just incase you dont bother visiting the github page the simplified flow works like this:
1) You scan QR code 2) Verification 3) Provider/Verifier informs website +18 age
So if i verify my age then watch some material which doesn't agree with with my government values like females with male genitals. I'd be royally screwed if government wishes to pursue.
It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.
You get a unique adhar-id (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.
Time to reach out to your MEP's! I would imagine the id could web-based for example which would make it much less dependent on the Google's or Apple's "SAFETY" services.
It's honestly quite baffling that the EU would want to put any more power in the hands of any US controlled company at this point. The US is a borderline hostile state, only recently threatening to invade Greenland among numerous other examples. The situation with Anthropic has illustrated that the US government will not hesitate to leverage power over US companies when it feels its interests are advantaged by doing so. If anything, the EU should be banning use of Google or Apple dependent architectures, not pseudo mandating them.
There seems to be no awareness from EU govenments about how much power we're handing over to two large outside companies. This incompetence in the leadership will cause a lot of harm over the years. This has been going on for a long time.
I like how we quickly moved past the fact that the government wants to know who we are, what we visit, what we say, what we buy, and has explicitly said that they want to control what we buy, where we go, and what we are allowed to say. But we are focused on what specific mega-corporation those systems will use to function.
I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens. The government should know as least as possible about us. We on the other hand should know every single move, decision, and discussion they have while they sit on the chairs we paid for.
> I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens.
The irony in this as a European is that in the US people donāt even need national ID in the sense we got in Europe. They travel using driving license or library card. We got mandatory passports with biometric data - refusal to provide that data is practically impossible.
Sarcastic view: Doesn't matter - the EU wont listen, then pull a surprised pikachu and make laws to force googles play integrity to attest that other devices are genuine, because obviously, the problem is google, not stupid design decisions made while creating the app.
Its all lining corporate pockets but what can we do? Europe needs sovereign smartphone infra but even if that existed people would still prefer Iphones.
The corporations have the tech and network effects on their side.
Is it out of character for the EU to push a half baked solution out that covers most but a tiny fraction of the population only to get sued later on and rule against its own idea?
The problem is not that the ID wallets require Google and Apple. The problem is that we're getting eaten alive by this Big Brother called EU (lead by the UK initiatives) that is starting an unprecedented control over the population.
These ID wallets should be all optional, there should NOT be any age verifications.
I remember ~10 years ago when Europe was laughing at China's face detection systems to track citizens.
This quite literally validates those "tinhat conspiracy" folks, honestly the EU are not doing us or themselves any favours here. If it is intended to replace cash then it should function like cash. This limitation is draconian.
There is one thing after the next, under Von der Leyen and Metsola, its ridiculous.
> Governments are cementing a monopoly they claim to oppose
Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems needs to be built now anyway.
There are viable third alternatives which do not require building a full smartphone stack. The national eID in Denmark, MitID, is an app "protected by" Play Integrity, but at least there are two non-smartphone alternatives available in the form of either a TOTP code generator or a FIDO2 chip which you can get for free if you can't or won't buy a smartphone.
Age verification solutions could also be built on dedicated hardware tokens, even though the tokens required to build a ZKP or blind signature based solution may not be available off the shelf right now.
Only reasonable explanation I have, other than pure incompetence is that this is in a development for quite a long time and current political situation become obvious problem only in last few years.
Big facepalm... EU had really only one job with the EU wallet... And missed the point completely. GrapheneOS is probably closer to EU data security and privacy standards than Android or iOS.
The problem was always that the government could ban you from society via the banks banning you, and you having no recourse because it was a business exercising its right to not do business with you.
Without the proper laws and proper leaders of law enforcement that protect an individualsā right to transact, oneās rights were always just a technological advance away from being taken away.
Its simply unreal that the EU is pushing that in order to participate in society that I must accept the TOS of Google or Apple.
God help you if you need to try and fix a serious problem. Sorry, you loaded a video of the first dance of your wedding to YouTube and now have a copyright strike, now you can't file taxes.
Hopefully you are famous enough on Twitter to get someone in Google to fix this.
5 years ago, some smarty pants would've worked out how to implement digital ID wallets on the block-chain, and there would've been some uptake for it in the European environment .. these days however, it appears everyone has given up on that idea and defaulted back to the fascist approach (corporations doing government work).
Because Apple has always been a closed platform whereas Android started out being relatively open. For Android there is an alternative to Play Integrity which would enable governments to get remote attestation assurance on non-Google Android based operating systems like GrapheneOS, but that alternative does not even exist in the Apple ecosystem.
The EU reference for wallets strictly required google play services https://github.com/eu-digital-identity-wallet/eudi-app-andro...
So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires google.
Nothing will change until the lawsuits start coming in.
The only hope is the motorola/grapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.
Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.
The issue isn't just the technical dependency.
It's also the fact that it forces each citizen to pay a few hundred Euros to companies which then campaign against their very rights.
Citizens get no support of any kind in case of issues, and has to enter a contractual agreement which is ridiculously asymmetrical, where the company has little to no responsibility of any kind, but has very ample rights to track the other party in extremely creepy ways.
It doesn't force them to, strictly speaking - they also have the choice to sue the government
But ... the alternative is that the government actually pays a bit of money to fix the situation! To support their solutions. To actually develop them for enough devices. To secure them ... Plus the services the government made are way more invasive than the Google/Apple ones.
In addition to the money, actually using them would be hundreds of times more complex, and they don't have the provisions Google has, for example accessibility and security services (like actually stopping people stealing accounts on a large scale). All of this can be done, easily even, but it isn't. Politicians don't want to.
https://www.itsme-id.com/business/platform/identification
https://france-identite.gouv.fr/
https://english.rekenkamer.nl/latest/news/2023/03/29/digital...
I just dont buy the argument that it would be that expensive for the governments to provide certified keychain fobs that provide hardware based identification.
That was an option for the past 15+ tears at least in some EU countries. Its just not very convenient (garbage tier software they bought didnāt help either).
It's pretty expensive to deal with all of the technical support and identity verification work when people lose their devices and need to have credentials reset.
How do the apps bootstrap identity? Do they just use Apple/google (that seems really bad), or do they have you do some verification and input a token into the app somehow?
or, not force people into mandatory digital ID wallets at all.
Special-casing support for GrapheneOS would be a band-aid, they should find a way to avoid requiring remote attestation in the first place, so anyone can use whatever OS they like on whatever hardware they like.
I think there are two fights that are both worth fighting:
1. Completely outlawing remote attestation.
2. In a world where remote attestation is given, let it be controlled in a fair way and not just by Google and Apple.
The risk is that only fighting for (1) leaves you in a world with remote attestation, where only Google and Apple can decide who gets to pass and who not. In fact, that is pretty much the world we are in already.
I agree that they are both worth fighting for, but I think (2) is much easier to accomplish, simply because Play Integrity is probably a DMA violation. (IANAL blah blah)
Allowlisting GrapheneOS's AVB keys does not meaningfully achieve 2, see https://news.ycombinator.com/item?id=48732675
It would be a win for GrapeheneOS users though, so I hope they do get support.
Why is attestation always bad, all the time? When two people interact thereās a trust/risk calculation on both sides. Isnāt attestation just a means of reducing risk for both parties? (We can debate who should control the attestation process and how it should work but your point 1 suggests that there is never a good form of attestation.) What would we do instead?
I cannot think of any company that has appropriately used attestation as a trust/risk calculation. I work in major game studio; there is never calculation only a binary.
It never ālet`s check if the mobile user has purchased in-game content server side to prevent pirating itā, its āsuspend any account that has signed in with a device that fails safetynet, permanently ban any account that has failed a jailbreak or root checksā
It never ālet`s check and calculate statistically cheating probability and move damage calculation server-side so that player cannot godmode or modify their APKā, its āall non-stock phones are cheaters and fraudsters, ban all of them, use invasive anti-cheat, while continuing to have client sided damage and health and energy because it is easierā
Something else has to change first otherwise the only option for businsinses do will be, after 2 is implemented : āwhile yes it is now possible to allow a neutral third party to control attestation, someone higher-up such as legal has said ONLY google can and we will ban everyone elseā
As long as it is easier to don't give a fuck, that is the option that will be taken. z.B. the only reason our publisher allow the removal of play services was finding out that chinese players on definitely not google certified phone spends the most by orders of magnitude and even then it is only relaxing the check for specific region, forcing all EU players to continue to have this checking.
I would be wholly unsurprised if the result was to continue to require attestation but allow GrapheneOS f.e. only in Motorola factory shiped phones and disallow it if the user was involved in any way in the installation of it.
> permanently ban any account that has failed a jailbreak or root checks
Nice
Suspending accounts of people who used Grapheme and not refunding them would lose you a lawsuit if you're in Europe
Definitely not bad all the time. For instance, GrapheneOS provides the Auditor app, with which you can verify from another phone or from a server that the OS is not tampered with. It also uses remote attestation.
So, there are certainly useful applications.
I question the usefulness of Auditor. It can flag if a modified version of GrapheneOS has been booted, for example. But flashing a modified version of GrapheneOS requires erasing userdata, which you'd notice the moment all your data isn't there. Unless someone uses an exploit, but Key Attestation cannot detect exploits.
I suppose if you've bought a device with GrapheneOS already installed, you can use it to verify the installation. But that could also be achieved by reflashing a known-good image yourself.
A hypothetical useful use of attestation is that a company promising to process personal data securely could actually prove it to end-users, by open-sourcing their server-side code and using reproducible builds combined with remote attestation, to prove to the client that the server-side is running unmodified within a secure enclave.
I struggle to think of a useful use for it on the end-user client side, though.
Isnāt the client-side case something like āthe banking app youāre entering your account password into is the binary the bank created and not a compromised binary that will drain your bank accountā?
No, this would just require a publicly verifyable signature of the software, and the user would just choose to have their operating system verify it. No remote attestation or other hand-over-your-controls necessary.
As outlined here: https://grapheneos.org/articles/attestation-compatibility-gu..., GrapheneOS isn't implementing something unique, it's implementing Android Hardware Attestation: https://developer.android.com/privacy-and-security/security-...
Android Key Attestation produces attestations that are signed with a certificate chain rooted in the hardware vendor's CA. If you use Key Attestation on GrapheneOS on a Pixel device for example, it attests that you're using GrapheneOS's AVB keys, but that attestation is still signed by a Google certificate chain.
"Adding support for GrapheneOS" means allowlisting their AVB keys specifically, it does not open a door for 3rd party implementations in general.
If you run GrapheneOS on a different device of your choosing, attestation would fail.
If you run a non-GrapheneOS custom ROM of your choosing, attestation would fail.
Not to mention self-signed custom builds of GrapheneOS.
Agreed, it should be open standards only.
No! An open standard for remote attestation would still be remote attestation.
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
1. Smart Cards (for example The Current National ID)
2. Standalone Hardware Tokens & USB Keys
The lawsuits, sadly, won't matter. "Security" (or, rather, totalitarian control!) is more important than the 1% of nerds who care enough to tinker with their phone.
People keep framing these sorts of debates in terms of tinkering.
It's about ownership, not tinkering. It's about preventing megacorporations from having the last word about how government services can function and how people can interact with them.
It's not 1% here though... Graphene has 300k users worldwide. There's 8 million absolutely illiterate and 150 million functionally illiterate people in Europe for comparison on scale here.
>150 million functionally illiterate people in Europe
1/3 of the population functionally illiterate in Europe seems beyond wild to me.
Are you talking about technical illiteracy? security illiteracy?
Or do you mean they can't read english, which is a very different thing.
Functionally illiterate means that they can read in their own language, but they cannot understand the meaning, a part from very simple things.
And we're heading to giving better quality feedback loops to AI models than people. Put this together with ignorance being the mother of evil and...
How good this can become?
50% of the population are below average intelligence.
"functionally illiterate" means that while you can read your native language, you will not correctly understand what you have just read.
Rates seem to vary state by state, from as low as 8% (denmark) to 43% (romania).
It's also not a clearly defined target, since it would be better to have rates based on the reading comprehension of the average school at year X or something similar.
I'm curious about this definition, just because it's not something I've ever considered before and googling seems to muddy the water even more.
Is it "functionally illiterate" if you can read the language aloud and not understand it, if you also wouldn't have understood the same thing spoken to you? That seems like it's about comprehension ability, not literacy.
Although one thing that just occurred to me is that if your reading level is low, you might be using all your cognition on reading so that you don't have spare capacity to understand as well - that's frequently the case for me with e.g. Chinese where I can read an entire passage out and then the teacher asks what the passage was about and I'm just thinking "I dunno, I wasn't thinking about that but I think I understood everything".
And that's definitely a different problem to being able to sound out the words, but just having no idea what those words mean, whether you read them or heard them.
And does it have to be your native language, or in any language? Not trying to nitpick, it just feels like the phrase can be usefully applied to a foreign language too.
posters upthread are talking about comprehension and value systems, not literacy.
"functionally illiterate" is the brush that one paints with when describing people of opposing political viewpoint or lower socioeconomic status, for example.
I must be illiterate because this doesnāt make any sense to me
Being kinda dumb and graduating school without reading a book is not a socioeconomic status
The point: you call them "functionally illiterate" when you don't like them. Otherwise, you call them something else.
Dunno what the OP meant, but in the UK
https://www.southtyneside.gov.uk/article/16247/Public-Health...
> Guidance tells us the average reading age in the North East is lower than the national average at between 9 to 11 years. To put that into context The Guardian Newspaper has a reading age of 14 and the Sun Newspaper has a reading age of 8.
Health literacy specifically is a major problem in healthcare
https://literacytrust.org.uk/parents-and-families/adult-lite...
> 1 in 4 (26.7% / 931,000 people) adults in Scotland experience challenges due to their lack of literacy skills.
I find that page somewhat ironic as they claim 18% is one in six, but 17.4% is one in five. Seems numeracy is as big a challenge.
The US is no better according to wikipedia
> In 2023, 28% of adults scored at or below Level 1, 29% at Level 2, and 44% at Level 3 or above
> Adults scoring below Level 1 can comprehend simple sentences and short paragraphs with minimal structure but will struggle with multi-step instructions or complex sentences
> Adults scoring at Level 3 or above are considered "proficient at working with information and ideas in texts
https://en.wikipedia.org/wiki/Literacy_in_the_United_States
150 million functionally illiterate people in Europe? Just how is that defined?
Why are you surprised? Europe has 700 million people. Think of the average construction worker you know, do you think they could read and correctly summarize any moderately complex article? Think an article about inflation or evolution or heat pumps or investment funds, etc.
Fairly sure that in most countries the average person reads less than 1 book per year, so half of the population reads less than that. I know people who haven't read a book since highschool, when they were forced to.
https://worldpopulationreview.com/country-rankings/average-b...
The Average Briton allegedly reads 15 books per year. I assume its self reported and poorly sampled. Otherwise its very hard to believe (and variance between countries seems way too high) but stats like this (especially more subjective ones like functional literacy) are usually not very useful on their own.
Especially as it's claimed to be only 50 Million in the US hahahahahaha
Whoever believes those statistics I have a strait to sell to
First, GrapheneOS supports remote attestation. So if they want their security, they can have it. Second, the current focus of the EU on sovereignty is a window of opportunity and there are better opportunities to fight this than two years ago.
I think it does if enough people try this. I will.
GrapheneOS supports attestation too, so even if they succeed it will likely just turn into a gift to Google, Apple and GrapheneOS. It's hardware attestation that needs to be opposed as it's inherently user hostile, allowing a single popular Android distro doesn't do much in the grand scheme of things.
Every Android system support remote attestation. It's part of AOSP. Google just decided not to use it, because Play Integrity allows them to lock in phone manufacturers and force them (per leaked agreements) to preinstall a bunch of Google apps and require to run Play Services and some other components privileged on the system.
Play Integrity checks if app was tampered with. Hardware attestations can only guarantee key's source and cannot be used to check app integrity.
I specifically referred to the remote attestation functionality in Play Integrity and that that can be replaced by AOSPs APIs, since the linked post is about remote attestation.
Play Integrity actually does both and passing remote attestation is necessary to pass Play Integrity at the strong level. Remote attestation is used for this level, since a modified OS could fool DroidGuard.
I'm sorry if my comment was not clear in what I was referring to.
Something being in AOSP doesn't mean your distro has to retain it. Besides, the world doesn't end on Android systems.
The more the better - being forced to maintain an up-to-date list of Google competitors (including some that don't keep attestation keys secure, so the bad guys will pretend to be those and you'll be forced to allow it anyway) may make some reconsider whether the feature actually brings any value.
As a technical point, note that however there is no legal requirement to follow this reference. Wallet providers can choose a different implementation.
Motorola/GrapheneOS, and FairPhone/e/OS.
Fairphone/e/OS is Dutch and French respectively. It'd be funny if the EU forgot to permit the use of a pure european system.
Prepare to laugh then. Most EU politicians don't have a clue that these systems exist.
Sounds like an outreach opportunity!
Yes
Oh and Sailfish OS [0], Postmarket OS [1], and whatever Purism runs [2].
[0] https://sailfishos.org/
[1] https://postmarketos.org/
[2] https://puri.sm/products/librem-5/
...and Debian, PureOS, Fedora, Arch, NixOS...
Maybe they should just publish the spec, and then providers can offer ID as a service? I.e as a Proton user, Proton Pass currently supplies my ID everywhere, including for government services.
What makes Android and Apple devices special?
Android and Apple devices let the remote server verify whether the local application and the system it runs on haven't been modified by the user and refuse providing services if they were. That's what makes them special, it's hard to imagine how a, say, generic installation of Debian could do that without severely restricting the user.
It's an ill-defined "security" measure that should be viciously opposed anywhere it shows up.
Lobbyists do not sleep. It's easy to recall how those two, especially apple, tried to sabotage FIDO2 trying to capture webauthn standards, fortunately failed. EU also has to learn their inside traitors who sabotage their great efforts in decentralization of identity, and learn to avoid those incredible situations like happens right now with chat control directly lobbied by silicon valley surveillance vendors
There is too much corruption, nothing can be done at this point. Atleast CIE app works on graphene for now so I can do everything else on the web. If they block that idk what I would even do.
Don't assume corruption for something that can be attributed to not giving a fuck.
I do occasionally suspect corruption, but neither Google nor Apple have any incentive to pay off officials to get this passed. They can't beat each other, and the rest of the mobile OS'es is no threat to their revenue.
Google and Apple's odds of being caught are too high to expect they would risk it. They have more to lose if caught than they have to gain.
Obviously some companies do despite the risks, I wouldn't expect this of any individual company, but as a whole some company will once in a while anyway. So stay vigilant.
I do assume corruption, All this random "compliance laws" are not made to help the people but to preserve corporate interest.
One set of people might not give a fuck.
Other interested parties can still be trying to steer the ship.
Corruption to push it through, not giving a fuck to keep it that way.
Also, as the article says, Play Integrity is most likely a violation of the DMA. Send a message to the EU DMA Team if you live in the EU and are affected by this (or affected by this in the future, if you plan to switch to an alternative):
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
The more examples they get of actual citizens that get hit by this, the better. I have recently sent messages when Google introduced their new device-based recaptcha and when Volkswagen started blocking GrapheneOS. Of course, do not yell, explain patiently and with good argumentation why you are affected by Play Integrity and how you believe Play Integrity is used to enforce the duopoly + goes counter EU sovereignty.
Also, for apps that use Play Integrity, e-mail the company. React to their boilerplate replies with follow-ups (this slowly seems to get some headway with VW). Also leave a one-star review on their app, explaining in the review that they broke support for your system.
I know that this can all seem hopeless. But especially GrapheneOS is getting a lot of momentum now, rapidly gaining more users. It feels like it is a moment in time where we can seriously influence things for the better. There are ~500,000s users now. If everyone actively participates, we can move the needle.
Honestly, as long as the architectures is fatally flawed (Even if convenient) it's just bandaids over a larger issue.
These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Germany was going in the right direction imho, they NFC enabled their ID cards (Sweden has info on them but no enablement procedures) that is then paired with the app, so the card acts as a 2nd factor that makes the app itself less of a security issue since a user will be required to physically enable it (sadly the NFC pairings are kinda fiddly.. but I'd take that as a security option for all non-trivial transfers).
> These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.
Many countries in the EU already have all of that just done though some national equilevant system (for example here in Finland mainly with bank credentials).
And in fact additonal checks are done when enough money is moving. For example when I signed my bank loan for an apartment I had to sign it again after 24 hours just to be really really sure that I wanted to sign it.
For smaller (but still big enough) stuff a second "second factor" usually kicks in usually in the form of a sms verification after the actual proper login with bank credentials (which has a proper 2 factor auth in itself too)
It's great you do have a bank-bound system in Finland. I hope their implementation is not as bad as e.g. the Swedish BankID.
BankID is _in theory_ a nice technology. However, it is only handed out to people registered with the Swedish tax authorities holding a Swedish bank account.
All daily activities are nowadays bound to BankID: need a doctor's appointment? -> needs BankID; Want to buy something on Blocket? -> needs BankID.
As an European frequently spending some time in Sweden not in possession of a Swedish tax #, I feel very much excluded from online and partially offline activities in this country.
Well that is the point of this entire digital wallet thingy, there's going to be a transition period since everything here is more or less hardcoded to bankid not to mention tons of code with presumptions about Swedish identity semantics (that do differ from other countries).
But on the plus-side the Swedish state-eID solutions is planned to be delivered by end of year and hopefully most organizations will start migrating or at least dual-supporting them and in doing so also fix their services to support foreign eID's in the process.
This is a problem I'm seeing a lot of countries rushing full steam ahead. The age of a single physical ID that's only rarely needed and ubiquitous cash payments seems to be coming to an end. For anyone who travels a lot, migrants first settling in a place, or citizens abroad, this makes things even harder than they already were.
The ability of the government(s) to exclude you from every day activities required for participation in society (or survival) if you run afoul of their edicts is a feature of digital ID/digital currency, not a bug.
Again, it's all still tied to that one device, the phone, if it's hacked it's really game over and with a big enough hole in the Android or iOS ecosystem that could be wormable a lot of people could be exploited en-masse.
Sure a 24h delay or SMS code are 2 way but they fully fall into the bandaid category.
In the past we used to have disconnected dongles for banking, the bank issued a one-time challange and you entered the response along with your username. Now there are disadvantages with those also but at least it was fully airgapped.
Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the users entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.
Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.
I'm ok with enforcing hardware security. Both for banks and governments.
But it must not limit the ability of running custom software on a phone. And especially not enforcing every person to get a Google/Apple signed phone.
Like if I get GrapheneOS on my phone. Banking/gov apps should work. But I believe this could be possible with enforcing hardware security as well.
The chain of trust always has a software layer. I donāt believe what you want is possible.
I find the bank talking point strange, why are they special, are they even targeted more. It just feels like a boogeyman āthink of your money!ā
For all practical purposes it's possible to do this. The boot ROM only boots a vendor-signed bootloader, the bootloader verifies the OS kernel, etc., until you have a fully verified boot chain. A secure enclave, which is completely separated from the main CPU and OS performs the attestation using a private key in its tamper-resistant storage and embeds the results of verification by the bootloader. There may be some vulnerabilities, but most of them can be fixed in updates, with exception of the boot ROM.
The reason why the system gets broken in Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone had since 5s + Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which set up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).
[1] https://www.malwarebytes.com/blog/news/2026/03/this-android-...
Nope. It is still not possible to give someone else (the government, or the bank) control over your phone while at the same time run software that you alone control with higher privileges. Please don't mix that up with "is practically hard to implement because of sloppy code. Also your attacker model is still "occasional evil government agency or evil private corporation wants to crack and read your messages", while what is discussed here is more fundamental "evil government or abusive corporation controls your phone in the first place, and can just remote control it you can't use really secure apps"
The software layer in age verification is not necessary to trust though. The worst that could happen is that a compromised software layer steals your age credential, but it is by design anonymous so you don't risk getting your money or account stolen or anything. This makes it a different threat model from the banking case.
You can store key material in hardware-backed enclaves without involving remote attestation. If someone has a modified device/client that stores the keys elsewhere, that's on them - they're only weakening their own security.
You can't have both. "Hardware security" means the manufacturer decides which OS can run and you can't override it.
Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.
It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.
So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).
Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.
Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.
I think the reason these systems require device bound keys is because the government is concerned with easily mass-produced forged age certificates. With software keys you can get an age certificate which can be copied instantly to a large number of devices, with hardware keys the government knows that the certificate is tied to a single physical unit.
Again, at this point, they're taking things too far,age gates shouldn't need to be an impenetrable fortress (notwithstanding the question of whether they should exist in the first place).
It should simply be the adult account on the device is notified if the device is rooted, effectively no longer in child mode. Go crazy with the warnings on both devices if you want as they've opted in at that point.
Is this EU protocol so weak that it cannot withstand this attack, i.e. is duplicate age certificate use not detected or prevented?
You can't really prevent that unless you design a system which is inherently designed to track people, e.g. by phoning home to the issuer on each credential verification. The system being deployed right now is based on the issuer issuing batches of single-use credential tokens to device-bound single-use keys, which on the plus side means that colluding verifiers cannot use age credentials as cookies to track people. It is still vulnerable to colluding verifiers and issuers though, because the issuer can de-anonymize the tokens (it knows them and their linking to the identity of the user). This scheme also means that if the keys that the tokens are issued to are not device bound, then it is trivial to copy the age credentials to someone else.
To my knowledge, even more sophisticated ZKP schemes still rely on device bound keys to protect against duplication.
> it just requires a few cryptographic primitives and a set of device-bound keys
Question: how do you make sure the keys are device-bound if you have no attestation about the hardware or operating environment?
A European digital ID system that is entirely dependent on 2 US companies.
Wasn't there some talk about the pressing need for European digital sovereignty recently? Or was that just performative nonsense?
> Wasn't there some talk about the pressing need for European digital sovereignty recently?
At FOSDEM, we discuss this at great length. There has been some movement, and I am optimistic that it is improving year on year.
I'm sorry but clearly the introduction of these apps with these requirements in the near past and near future represent regression over time rather than improvement.
I think it was last year that there was a good presentation from them about how they were going to use ZKP and it was indeed very trust inspiring. But do you think the latest digital wallet solution from eg Danish government uses ZKP? Of course not!
I have to say that the tune they play at FOSDEM and what we see put into production are just two different things.
I see your point about the disconnect between the rhetoric and what we actually see in production. Perhaps "regression" is a strong word, though, IMHO I tend to see it as a very slow and uneven evolution.
Even if the pace is frustrating, there are still pockets of genuine open-source adoption in the European public sector. For example, we're seeing projects like Germany's OpenDesk or various municipalities moving toward Nextcloud and other sovereign cloud solutions.
The EU Open Source Strategy[0] was announced just under a month ago and it specifically mentions the EU Digital Identity ecosystem, including the European Digital Identity Wallet (EUDI Wallet) mentioned in the article. I agree with OOP that the requirement of an Apple or Google phone goes against these ambitions, and I will contact my elected representatives.
[0]: https://digital-strategy.ec.europa.eu/en/policies/open-sourc...
Yes, and there is an open source spec [0] that doesnāt require Google/iOS Attestation but āpreferablyā providers will make their wallet app available on App Stores [1]:
> To ensure that the User can trust the Wallet Solution, Wallet Providers preferably make their certified Wallet Solutions available for installation via the official app store of the relevant operating system (e.g., Android, iOS). This allows the operating system of the device to perform relevant checks regarding the authenticity of the app.
Of course the chances of any important business implementing a side channel option is effectively zero. Maybe some government agencies will offer the option though.
[0] https://github.com/eu-digital-identity-wallet
[1] https://eudi.dev/latest/architecture-and-reference-framework...
Not really. EU is actually trying to decouple. But in many cases there are not any homegrown alternatives to support. There is not a single company in EU that could replace, even a considerable part, of software stack provided by Google and Apple.
And, unless the regulatory environment changes., there probably never will be.
Thr answer to US tech giants are not homegrown EU tech giants, but international free software (Free as in Freedom). We already have free operating systems: Linux, BSD. Office software: LibreOffice, etc.
EU regulators have stop listening to tech company lobbyists.
Is any of that capable of replacing google and apple on mobile?
Clearly it isnāt. This is what techies forget: The mass amount of Europeans donāt give 2 shits about digital sovereignty or open source. Christ, people go to mobile operator shops and give their unlocked phones to consultants to install or remove software for them. You want them to install GrapheneOS or manage a rooted device? That aināt even funny.
The only short-term solution is more regulation and more EU-centralized solutions, but of course this is only ok until the next chat-control drama.
Long term, in practice we need single European stock market and a way to provide funding to European companies from any member state, so to be competitive globally without being constantly restricted by every member stateās bureaucracy.
> we need single European stock market
New York alone has 2 stock exchanges. I donāt think that companies being listed in London, Paris and Frankfurt (they generally are listed on several anyway) is the actual issue.
Especially these days the stock market is the very final stage anyway, most funding for growing tech companies is private funds, vc etc.
Understandable. However every new solution should be built from the ground up and be fully decoupled even if the migration of old services might take a while.
For this specifically EU could surely (only in theory since statistically the average EU bureaucrat is a pompous idiot to whom the word āaccountabilityā is an entirely inconceivable concept) have something developed for a sane price in a reasonable amount of time.
This is simply untrue. The tech is there, the will (money) isn't.
The money can't all come from the state. If the EU wants to compete, it should create a common market worth its name where EU companies can raise billions like American ones. If that doesn't happen but we instead pat ourselves on the back for setting aside a pithy 5 million Euros in some EU budget to support open source, it's never going to happen.
Already in flight with EU-INC
https://www.youtube.com/shorts/DgUXH14By0w
> it should create a common market worth its name where EU
There is no reason to believe that the EU (rather than the market participants in the EU) is in any way capable of that regardless of the amount of political will.
Spending massive amounts of money without knowing what you are trying to do or how will just result in a massive amount of grift and corruption
EU has no issues with wasting and burning large amounts of money for no particular reason. The issue is that the people there are incapable (or donāt want to) make the right decisions for any of this to happen.
> But in many cases there are not any homegrown alternatives to support
There shouldn't need to be. Realistically for something like this an EU backed highly-audited non-profit should be in place for permanent highly controlled services like this that do not rely on any non-EU entities for it to function.
How much money did the EU finance towards alternatives last year then?
I hear them complaining but for now, the alternatives are mostly run by hobbyists.
We're starting from so low that even a few dozen millions would help a lot.
> ā¬2 billion over seven years to fund alternatives to proprietary software
For context, as yearly spending of 285 million ā¬, that compares to building roughly 20 km of motorway, or 0.5% of EU's agriculture subsidies, or half what the German federal government pays Microsoft per year.
Edit: 2000m/7 is 285m, not 466m.
> if they just spent a little, maybe as much as a couple of million it would make a huge difference, but they refuse to ...
they do.
> 250 million isn't much ...
sigh.
I'll believe it when I'll see it, for now I haven't seen any of the Android forks (LineageOS, EOS, GrapheneOS...) or Linux OS (Phosh, Plasma mobile, Ubports, ...) get any funds from the EU.
You will see it when you look.
Jolla?
> Or was that just performative nonsense?
Yes? Wake up, it is 2026.
The US can call Austria in 5 minutes and with no burden of proof get the airspace permit for a head of sovereign state revoked and the plane swatted instantly upon landing, because someone might have been on board (he wasnāt) whose only real crime was embarrassing the USA by exposing their fundamentally unconstitutional lawbreaking.
Same goes with the prosecutors in Sweden; a phone call and the US got, not charges (as that would actually be official misconduct in Sweden), but enough of an official statement from a prosecutor to get the words āAssangeā and ārapeā in headlines together around the world by that evening.
European countries are, by and large, lapdogs of the USA. Itās sad. And then the US president turns around and stabs them in the back by threatening invasion and annexation, or complete disregard for the fundamental obligations of NATO members.
I really donāt know what the fuck the Europeans are thinking by playing the USās stupid games. As we see time and time again, it wonāt be repaid in kind.
Unfortunately the big game is opaque it's close to impossible to understand for the common folk. So many questions, so tough to grasp answers. Sickening. The enemy is hiding. One could say that paying the taxes in some form is a path toward a destruction. Phrases like "war economy" are lunatic. It all starts in your mind, and that's why it's the most important to protect your children from the propaganda. Take care!
Neither US or EU are monoblocks though.
Obviously, on both side (and beyond) they are nice people trying to plan good things without being too naive. But bragging all day through and destroy all that is in your power is both easier and more attention grabbing than discrete hard work at building better future for everybody.
What they're thinking is that they really don't want to be playing Russia's stupid games.
> I really donāt know what the fuck the Europeans are thinking by playing the USās stupid games. As we see time and time again, it wonāt be repaid in kind.
I feel like the European relationship with the US can really be summed up by the 30 permanent military bases and 84,000 military personnel stationed in their borders and the underlying faith that it's for their own protection, except we better never ask them to leave just in case. Everything else sort of follows from that point.
84 thousand personnel (of which maybe 20 per cent are actual combat troops, given the standard tooth-to-tail ratios of modern mechanized armies) could perhaps occupy Denmark on a good day. For a continent the size and population of Europe, this is not a dominant force by any means.
Putin has about 700 000 personnel in Ukraine right now and isn't making any progress. Barbarossa took about 3 million personnel to start.
Speaking of, my favourite Denmark story was probably Greenland when the US abandoned their cold-war era bases they just buried all their highly toxic trash in the ice. That ice is now melting and Denmark has to clean it all up. In the agreement with the US they excluded the US from any responsibility so they have to pay for it themselves. They also got really mad when the Greenlanders went behind the back of Denmark to complain at the UN about it.
Then Trump threatened to invade Greenland. And now the US is in negotiation with NATO (yeah lol) to build 3 new bases there that would be designated as US territory (bwahaha). One thing I like about Trump he drags all the Europeans through the mud so publicly it makes the contradictions impossible to miss, that's why they all hate him but still have to kiss his feet it's awesome. Like Obama made their groveling seem less suspect.
But yeah people are fucking clueless about everything. At least our media is free and not state controlled propaganda right?
Europe will never have digital sovereignty from the US.
It will take 100 years and an extremely expensive, government-mandated reimplementation of every critical US tech service and company.
No EU country is putting up budget for this, and no private enterprise is going to do it because building a worse version of AWS just so that it is "European" makes no financial sense and would most likely just fail anyway.
> building a worse version of AWS just so that it is "European" makes no financial sense
Unless it becomes necessary because of EU regulation?
Hopefully not. This hate towards good technology and innovation because you donāt like the current president is ridiculous. Heāll be gone in two years or so and then weāll get back to normal.
Wishful thinking at the early days of any autocratic government, until reality kicks in elections are only a ritual to pretend otherwise.
> This hate towards good technology and innovation
Mine is to a collective people that vote in these people. I get that people can change, grow, evolve etc but I didnt trust a german for 60 years, I wont trust an american for at least a generation.
I heard this one a lot 6+ years ago
It isn't just Trump. The CLOUD Act basically gives Washington the power and ability to turn off any server operated by any US company at will/whim.
The Wikipedia page only talks about stored data on (optionally foreign) servers without any sort of regard for the laws of the country where that server is located. It ignores the part of the statute where the feds can basically "turn off" that server. And that is the part that the EU is panicking over.
https://en.wikipedia.org/wiki/CLOUD_Act
The same thing that any EU based company can be forced to by the country under which jurisdiction it operates.
I donāt see what the problem is. That they actually used it first?
And they already did that. The chief prosecutor of the International Criminal Court in The Hague was cut off Office 365 (and e-mail hosted through that), as well as credit cards and bank cards. This did send a shockwave through Europe.
To be fair, the ICC should not have existed in the first place. It was created to persecute the Serbs and then other people that were not liked by Europe mostly.
and Africans predominantly that's why the AES withdrew from it too. But the Europeans were under the impression their vassal status would always be benefitting them against their former colonies in their neocolonial efforts.
Trump made that whole arrangement cracking a little bit, but I still think it's mostly just the optics of it all they are still loyal servants. Nobody in Europe that matters gives a shit about Karim Khan or Francesca Albanese getting debanked and sanctioned, they would and love to do it themselves.
Has nothing to do with Trump. Trump just made the need more obvious but these talks are not new.
I don't thing things are going back to the previous state of affairs after this.
As things are moving, there's currently no garantee that Trump won't hold his promise US citizen will never have to vote again.
And even if the bipartisan system make a small turn over, the issue is systemic.
Can you mention a single decent product that came out "because of EU regulation"?
I didn't say it would be decent, just that it might make financial sense.
iPhone with USB-C
Hetzner seems to be a pretty good example. It wasn't solely because of EU regulation, but once GDPR made it a worthwhile investment to companies to segregate their data, European data centers have been growing steadily.
I agree with the premise but have the feeling that itās less about the money. People here in Germany use WhatsApp and Instagram and Gmail and MS Office and Windows not because there are no alternatives but because they either donāt know or donāt care to switch. People are notoriously difficult to convince to switch platforms even if theyād get more benefits on the other side. My mom does not want to touch any email client besides outlook and she does nothing but read and very occasionally reply to singular emails and she requires only the barest functionality of an email client. Half of my family gets a panic attack when the windows interface changes again. The idea of switching messengers recently in my rather tech sawy circle of friends has resulted in a multi day discussion with no real outcome mainly because some just donāt want to deal with two messengers while their friends and family remain unconvinced. We already have social media, hosting, email, operating systems, messengers and the likes from European providers. People just donāt want to switch.
Eh, it's less fixed than you describe.
If there is a higher level mandate or incentive to switch, people absolutely will - for example, if a government decides en masse to switch away from one OS or platform. [0]. This will likely be hugely influential, as then everyone who wants to communicate effectively with that government needs to make sure that they are compatible - which will likely drive adoption of the alternate technologies over time.
However, IMO the big challenge is MS Office - as much as people like to mention the FOSS Office alternatives, there's still a huge gap to cross before mainstream companies will adopt them. (To paraphrase, no-one gets fired for choosing Microsoft Office.)
Beyond this, on the more 'personal' level you discuss, the picture is more varied than you describe. Some people's elderly parents absolutely can and do switch to different email clients or browsers. Some groups of friends can and do switch messenger platforms - my personal comms are now split roughly 80:20 between Whatsapp (the default) and Signal. (It just took a determined minority deciding to switch, and the others followed.)
> We already have social media, hosting, email, operating systems, messengers and the likes from European providers.
Yes, but they aren't really competitive, as they currently aren't the easy/free/well-marketed/popular options that everyone defaults to when they first get a computer, or that their friends are already using. It's just network effect and inertia.
This can and will change if the need for a reduced dependence on the US continues to be front and center of people's minds. (Note this is mostly driven by the Trump administration's behaviour; the next president could probably heal many of these wounds and our European politicians will move one to caring about something else.)
[0] https://www.rfi.fr/en/france/20260417-france-to-remove-windo...
Mostly true, until reality forces otherwise, e.g. Huawei.
Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
Aren't monopolies is what we end up by default if have no regulation at all?
And yes, not every regulation destroys monopoly, but regulation is the only thing that could break one.
> Aren't monopolies is what we end up by default if have no regulation at all?
No. Monopolies are only inevitable if the goods aren't elastic, if there is a large cost of entry into the market, or if its a market you can create a moat that is unsurmountable.
Many markets don't have that even with 0 regulation, but might have second order problems like firms creating unsafe products for example.
But in general regulations almost always even unindentedly raise the cost to enter the market. If you make a new regulation that food needs to be safe, then the company needs to pay a safety inspection that a small home-made recipe might not be able to afford (to give a simple example).
At the same time, we now have uber large corporations due to non elastic parts of supply chain (like land) or moats that are insurmountable (like access to US capital). In which case, the FCC should break up monopolies as the current market is not catering to end users and consumers but to owners, which is why the Stock market has been in a never ending bull run.
Don't bigger companies also often benefit from scale in multiple ways so it gets harder and harder for newcomers to compete? And if a newcomer does manage to get a foothold, it might get bought.
> Don't bigger companies also often benefit from scale in multiple ways so it gets harder and harder for newcomers to compete?
That is one of the ways a Moat can happen and a monopoly can occur. For example if you were the only person with a loom and everyone else had to make jumpers by hand, you could make them so cheap they would have to close down.
In some markets those ways you can benefit from scale exist, in others there are drawbacks. In many cases those advantages only exist due to either regulation or lac thereof.
For example ways companies might have an advantage is by manufacturing in cheaper countries, but that only works because those workers have less rights and the cost of transporting is not properly taxed. Carbon taxes on shipping would make manufacturing in China pretty comparatively priced to many european countries. But if you let them contaminate the ocean with crude oil boats, then their manufacturing prowess and cheaper labour cost will offset the shipping cost and destroy a newcomer.
These are very basic examples and they all require nuance but hope it helps to explain it a bit more.
Another example is restaurants, you used to have some advantages from being a chain, but you would still constantly see mom and pop joints compete and even win. But as rent prices keep increasing (the non elastic market of the ground under the lease), suddenly the advantages of scale start beating the disadvantages of worse food and service.
MS did a lot of lobbying to prevent European governments from trying to migrate to Linux and/or OpenDocument.
Groklaw was a website that was started by a paralegal to try to understand, explain and report on the SCO lawsuit - who benefited and how they benefited. It ended up expanding into the EU anti-trust action against Microsoft and OpenDocument (and how OpenOffice was created as a trojan horse to defang OpenDocument).
https://en.wikipedia.org/wiki/Groklaw
There is always imperfect information, there is no such thing as a perfect market and as a result regulation will always be needed to curb the excesses such as monopoly. Even if we had perfect information, humans remain irrational. This is a simple fact of life and the universe.
No, in fact most monopolies occur in heavily regulated markets, where unregulated markets are virtually always free.
Keep in mind that just having a big market share isnāt a monopoly, being able to charge monopoly prices is.
Are there any examples of monopolies being (successfully) broken up in Europe? Or do you posit that regulation stop them from forming?
Pre WW2 Europe was full of (state backed) cartels and monopolies. These were dismantled for the most part.
A lot of these were international. Just read up on "Cartel capitalism".
https://www.cambridge.org/core/journals/enterprise-and-socie...
The European Steel and Coal Community (precursor of the EU) was also involved in the effort to stop these. In general this has been something the EU has been involved in since its inception and the best action against monopolies is to not let them form in the first place (why there is so few of them in general in most developed countries. Though that is now slowly changing it seems)
Look into the mechanisms being worked on to create competition in rail operators (which has been opening the markets to competitor rail operators)
> Aren't monopolies is what we end up by default if have no regulation at all?
No.
19th century begs to differ.
A better answer would be 'not always'.
The proposed regulations forcing everybody to use google or apple are ridiculous and very much the opposite of the kind of regulations we need though...
or āsometimes not, until more data arrivesā.
Unless regulations explicitely incorporate how to handle incumbents & newcomers. One instance of that is MMTIS (multi modal passenger information), which explicitly states innovation and new players as a goal. There are other similar examples.
My intuition is that this is not necessarily true, but probably often true in practice but perhaps someone more educated on the matter can speak on that. It must also depend on the expensiveness of the regulation in question. Since in tons of areas regulations are absolutely vital so that for example our buildings donāt collapse, our food remains non-toxic and the medicine we buy is not the pharmacological equivalent to russian roulette the goal should then be to optimise the cost performance of regulations.
> Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost
(nit: I assume you meant "marketshare becomes unavailable")
So you mean that regulations that are created based on lobbying by corporations help them become monopolies? Sure, that makes sense. But thats different from a blanket "Regulations create monopolies".
Because the smaller players can't afford to implement the new regulations they lose their marketshare and it now becomes available for the bigger competitors to absorb.
> Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.
The only way to guarantee a monopoly is to have a total lack of regulation. It's known that every "free" market will tend towards monopoly due the 1% law. Regulations are the only way to actually guarantee free markets because perfect free markets only exists in abstract, not in reality. Sometimes, a free market is the wrong solution and you need a regulated monopoly instead and with identity that's the best solution. Why? Because identity is unique to the individual. A individual must (in theory) only have one identity and with very extreme and usually well documented exceptions, such identity doesn't change. The state is the one that must provide a good way for identity and if smaller countries doesn't have the resources, then big countries should provide for all. Also, it removes incompatibility inter-countries while keeping private interests out.
The state should have the sole monopoly on attesting to anyone identity. Because they are the only ones that are not affected by market conditions. This is how countries that have advanced in this topic actually work. If individual states can't reach a common solution, then the collective must do so. The collective failed here because it recommended a private solution rather than mandated a european one. Private sector must not dictate what or how identity is attested, because the private sector has it's profit pursuing agenda, state must evaluate solutions but it's up to the states to run them and implement them.
Market solutions are good for several things, this isn't one of them.
Regulations __can__ create monopolies. DMA is a regulation, but it does not have the shortcomings you mentioned.
DMA seems explicitly written to only target monopolies, though (and seems like a surrender from the EU, since monopolies should be broken up and not get laws codifying their business models IMHO).
Can you imagine the collective screeching, across the White house, HN and Apple reality distortion field, that'd happen if EU attempted to breakup the American monopolies?
Electing to not do something impossible and framing it as a surrender is strange to me.
The countries that let Donald Trump's screeching dictate their policies don't fare any better than those who ignore it.
Working as intended. EU wants you to use a device and OS they can fully control. Don't comply with some new ridiculous regulation? Your app will be banned.
> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements
> Appleās app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.
https://www.techrepublic.com/article/eu-app-store-apple-digi...
You think apps which wouldn't want to implement Chat Control will remain on the app store?
EU to legislate about Chat Control behind closed doors (https://news.ycombinator.com/item?id=48707719)
The only problem is, EU does not control these devices, Google and Apple and by extension the US government does.
Oh they sure do, because Google/Apple have to bend over backwards for the EU as they are not stupid enough to suddenly lose 500 million users.
But if the EU cements their citizens' dependency on Google/Apple even further by effectively mandating the use of these devices, it gives Google/Apple more leverage. Imagine if them pulling out of the EU meant nobody could use their digital wallet? What if the use of digital wallets has become more mandatory by then?
Really? Google to this day refuses to do business in China, and Apple at this very moment excludes the EU from multiple new iOS 27 features that launch in the rest of the world. And with the current direction the EU is taking (e. g. even more regulation, more economic recession, even fewer competitive tech businesses), I wouldnāt bet on US companies getting "more favorable" towards the EU.
So when Google bans someone, that person also loses access to all services that require digital ID, forever?
I remember when a Youtuber asked live viewers to "vote" by typing emojis, and a whole bunch of viewers got their Google accounts banned for spamming[1]. Google is also famously averse to user support (understandable given the scale of their free services), so individual remedy is unlikely.
I can already see the new ransomware: "pay us or we'll send spam from your gmail and you'll lose your digital ID".
[1] https://www.engadget.com/2019-11-10-youtube-reinstates-banne...
Here in Germany we had court rulings saying the german railway (DB) must offer offline tickets that do not require a computer or smartphone to purchase to not discriminate against the elderly. I am pretty sure we will see similar rulings for EUDI wallet requiring Google/Apple.
Ideally they should have also told all German banks distribute or offer non-App based accounts or 2FA? But they did not.
Also people are dependent on Play or App store. DB does not offer the app for direct download.
There are AFAIK no plans to completely remove the offline ID everyone is currently required to carry, so I doubt there will be similar rulings for EUDI as long as it remains an optional alternative for people who want to use online services.
There's a relatively simple and much more open and secure solution to this: Make physical EU ID cards the attestation source, and require users to tap them against their phone for critical operations (high-value signatures, login on a new device or after repeated authentication failures etc).
That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.
As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.
My French ID card has the features, but also the French digital ID app also requires Play Integrity...
How can you have a secure enclave without hardware attestation? Processor root-key is the source for all.
Smartcards have attestation too.
But how can you verify that the processor's own software, which ultimately runs the application, has not been compromised?
The software running on the smartcard? You write that yourself, and hopefully your security processes are good. The nice thing about smartcards is that the trusted computing base is massively smaller than that of a regular operating system.
If you disallow installing applications post-issuance (which is probably a good idea for ID cards), you don't even have to worry about VM runtime integrity either, as there will be only your application running on the card.
Just a general rule of thumb:
If I am not able to use any digital service or product on a computer that I could have built entirely myself (or had anyone of my choice build for me), running code I could have written entirely myself (or had anyone of my choice write for me), then that is completely unacceptable.
EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.
And complement it with hardware tokens for highly sensitive applications.
Passkeys could have been that, but they were quickly subverted by the industry.
But this does not allow tracking nor marketing, so why would they do that?
Because of Digital Sovereignty concerns?
...how does that align with what the EU government is doing? The whole point is for you NOT to be sovereign!!!
You don't think anyone in EU bureaucracy has any concerns regarding Digital Sovereignty, do you?
If this can win elections, then why not?
I doubt this can win elections.
They will frame it as "child porn trafficking patriot saving act" and majority will vote in favour without reading fineprint.
Ever heard of Nerd vote?
I really don't like how EUDI (OpenID4VP) works in the first place. IMO it should be scrapped and rebuilt from the ground up
It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.
How exactly is OpenID4VP in your understanding different from what you describe?
They should not make it mandatory for or expect people to have a smartphone.
A few years ago as I was working for a local government, a similar discussion started, but quickly finished after the project owner valiantly displayed her dumbphone.
Only months later did I learn that her husband was investigated for misappropriation of funds, so keeping a minimal digital footprint was important for her.
Moral of the story: everyone has a smartphone.
So, if the majority chose to get microchipped, you believe either we should force the minority to get microchipped against their will, or just exclude them from society?
"Your papers, please"
help us help EU residents:
https://openwallet.foundation/
https://github.com/openwallet-foundation
https://github.com/openwallet-foundation-labs
Can you elaborate?
On the tech side, we are working closely with (for instance) Google: https://github.com/openwallet-foundation/multipaz-wallet
SPRIND: https://github.com/openwallet-foundation/eudiplo
Animo: https://github.com/openwallet-foundation-labs/mdoc-ts
and we do engage with NGOs and governments across the EU.
In the last 5 years so much of the legislative pressure is coming down to remove anonymous Internet access to save the children or protect us from some harm.
In the end it is all being used to track and control us.
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
Never truer words ever spoken. And yet we keep slipping down this slope again and again and again and it seems there is never a way to climb back out.
This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;
1. Smart Cards (The Current National ID)
2. Standalone Hardware Tokens & USB Keys
A little off topic, but does anybody else think that all these attacks on personal freedoms across the western world are very coordinated? Suddenly all countries are making social media ban under 16 laws. Same goes for centralized digital currency push.
Europeans do a lot of stupid things, but I believe in light of all the scandals we saw in recent times, you can't explain EU behavior and choices without accounting for corruption. EU division and different level among the different countries of wealth, integrity of political sphere, and different cultural biases make us the perfect target for bribes in order to control votes and choices. Not just promoted by external actors. The Chat Control is a great example: everybody understands how bad this is, the arguments are mostly a shield to avoid revealing the real agenda.
Everytime EUID mentioned, people forget that EUID is not anonymous!
EUID has "provider/verifier" endpoint which communicates with your website to inform you are indeed 18+ age.
Link: https://github.com/eu-digital-identity-wallet/eudi-srv-verif...
The github page has graph how it works.
So Government can track your accounts via IP,Timestamps, Token (if website saves it).
Just incase you dont bother visiting the github page the simplified flow works like this:
1) You scan QR code 2) Verification 3) Provider/Verifier informs website +18 age
So if i verify my age then watch some material which doesn't agree with with my government values like females with male genitals. I'd be royally screwed if government wishes to pursue.
Why cant EU have something like Adhar (ID-verification for Indians) https://uidai.gov.in/en/
It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.
You get a unique adhar-id (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.
To paraphrase Napoleon - because India has the will to do it, and the EU does not.
So as an EU citizen and owner of Fairphone 6 with e/OS I'm banned from using apps I should be allowed to use?
Time to reach out to your MEP's! I would imagine the id could web-based for example which would make it much less dependent on the Google's or Apple's "SAFETY" services.
You can just continue using native apps, just dont include / depend on proprietary attestation APIs such as safetynet
More about Waag: worth a read https://waag.org/en/about-waag/ - Marleen Stikker is a national treasure.
They to frame this so politicians care is: we are giving monetary policies power to a foreign corporation.
It's honestly quite baffling that the EU would want to put any more power in the hands of any US controlled company at this point. The US is a borderline hostile state, only recently threatening to invade Greenland among numerous other examples. The situation with Anthropic has illustrated that the US government will not hesitate to leverage power over US companies when it feels its interests are advantaged by doing so. If anything, the EU should be banning use of Google or Apple dependent architectures, not pseudo mandating them.
There seems to be no awareness from EU govenments about how much power we're handing over to two large outside companies. This incompetence in the leadership will cause a lot of harm over the years. This has been going on for a long time.
I like how we quickly moved past the fact that the government wants to know who we are, what we visit, what we say, what we buy, and has explicitly said that they want to control what we buy, where we go, and what we are allowed to say. But we are focused on what specific mega-corporation those systems will use to function.
I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens. The government should know as least as possible about us. We on the other hand should know every single move, decision, and discussion they have while they sit on the chairs we paid for.
> I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens.
The irony in this as a European is that in the US people donāt even need national ID in the sense we got in Europe. They travel using driving license or library card. We got mandatory passports with biometric data - refusal to provide that data is practically impossible.
Sarcastic view: Doesn't matter - the EU wont listen, then pull a surprised pikachu and make laws to force googles play integrity to attest that other devices are genuine, because obviously, the problem is google, not stupid design decisions made while creating the app.
I think EU is warming up to the possibility that relying on US tech is has strategic consequences.
Its all lining corporate pockets but what can we do? Europe needs sovereign smartphone infra but even if that existed people would still prefer Iphones.
The corporations have the tech and network effects on their side.
Digital single market, digital sovereignty and all those nice words...
Previous discussion, related to grapheneos: https://grapheneos.org/articles/attestation-compatibility-gu...
Is it out of character for the EU to push a half baked solution out that covers most but a tiny fraction of the population only to get sued later on and rule against its own idea?
I think we're missing the important point here.
The problem is not that the ID wallets require Google and Apple. The problem is that we're getting eaten alive by this Big Brother called EU (lead by the UK initiatives) that is starting an unprecedented control over the population.
These ID wallets should be all optional, there should NOT be any age verifications.
I remember ~10 years ago when Europe was laughing at China's face detection systems to track citizens.
We're becoming much worse than that now.
Absolutely baffling why the EU would be doing this.
The entire software even free one is. We need to exclude them all.
This quite literally validates those "tinhat conspiracy" folks, honestly the EU are not doing us or themselves any favours here. If it is intended to replace cash then it should function like cash. This limitation is draconian.
There is one thing after the next, under Von der Leyen and Metsola, its ridiculous.
> Governments are cementing a monopoly they claim to oppose
Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems needs to be built now anyway.
There are viable third alternatives which do not require building a full smartphone stack. The national eID in Denmark, MitID, is an app "protected by" Play Integrity, but at least there are two non-smartphone alternatives available in the form of either a TOTP code generator or a FIDO2 chip which you can get for free if you can't or won't buy a smartphone.
Age verification solutions could also be built on dedicated hardware tokens, even though the tokens required to build a ZKP or blind signature based solution may not be available off the shelf right now.
> but the systems needs to be built now anyway.
I question that premise.
They can't tackle issue oft establishing a 3rd popular mobile operating system, true. But they could support Desktop Linux or AOSP.
Last I checked Android was OSS and there's plenty of clones without any Google BS. Heck I'm using one now
Yeah but if the wallet requires Google Pay Services attestation the AOSP based clones won't be able to run it unless they can spoof it somehow.
Windows Phone wouldn't be much help here, still an US company.
We just can't help it. Can we.
Only reasonable explanation I have, other than pure incompetence is that this is in a development for quite a long time and current political situation become obvious problem only in last few years.
Seif-Sovereign Identity wallets that are cross-device are the way around this, but relies on institutions following this path.
Vendor lock-in is real
And when the safety services of Google and Apple fail, the citizens will be the only ones to pay a price. This is madness.
So, we have safety services owned by a country with nuclear weapons, while Europe is regressing in all domains.
This is not safe.
I don't know who thought that national ids should be vetted by two private companies, not even European!
No thanks, I don't want any of that for obvious security reasons
OH FFS. "safety services". NO. It's monopolistic services.
Big facepalm... EU had really only one job with the EU wallet... And missed the point completely. GrapheneOS is probably closer to EU data security and privacy standards than Android or iOS.
I use coinpayās DID it is simple anonymous and works itās open source too
Yes, but you can't sign the device, that is what Google and Apple do.
From fingerprint/face id to digital id..
Like banking apps are now using play protect/depending on Google.
(Just a matter of time Google/Apple will be a banks themselves, as is the danger with governments)
Ofcourse the world could be a more open place, but constraint, rules and control are too pleasing to not implement, sadly.
The problem was always that the government could ban you from society via the banks banning you, and you having no recourse because it was a business exercising its right to not do business with you.
Without the proper laws and proper leaders of law enforcement that protect an individualsā right to transact, oneās rights were always just a technological advance away from being taken away.
Its simply unreal that the EU is pushing that in order to participate in society that I must accept the TOS of Google or Apple.
God help you if you need to try and fix a serious problem. Sorry, you loaded a video of the first dance of your wedding to YouTube and now have a copyright strike, now you can't file taxes.
Hopefully you are famous enough on Twitter to get someone in Google to fix this.
In general government policy for technology and communications, is a regulatory capture gift to big corporations.
The government gets data to āmanageā the citizens and the companies get data to āmanageā consumer and the power structure is protected.
5 years ago, some smarty pants would've worked out how to implement digital ID wallets on the block-chain, and there would've been some uptake for it in the European environment .. these days however, it appears everyone has given up on that idea and defaulted back to the fascist approach (corporations doing government work).
LMAO of course
Huh. This article lumps Apple in with Google when its only qualms seem to be with Google's terrible behavior. The entire article is about Google Play.
Because Apple has always been a closed platform whereas Android started out being relatively open. For Android there is an alternative to Play Integrity which would enable governments to get remote attestation assurance on non-Google Android based operating systems like GrapheneOS, but that alternative does not even exist in the Apple ecosystem.
Yeah, what alternative is there for iOS except the framework that Apple supplies?