We don't need the governments to mass surveil us to protect us. We need them to sort the economy and stop invading countries and being deferential to corporate interests instead of the people they represent.
It's such an obvious push that if you don't want to see it, it makes me think you're shielding yourself to avoid contending with the reality: These politicians and govs all around, including the countries you claim "work" are absolutely power hungry and beholden to interests other than yours and will push for as much total surveillance as they can, including as much curtailment of freedoms as they can.
Obviously that won't mean elites will actually face justice or crimes will actually be solved because more surveillance is not accompanied with more government transparency, quite the opposite and bigger and more powerful bureaucracies, with more authoritarianism, allow for easy hidden exceptions that you can't question.
It's nothing new. Corruption is common. It's just mediocre to see "hackers" pushing for it just because the government and corporations tell them to, because foreign country bad, bad social media influences kids, drugs, word-ism, etc.
You say “so many people are advocating for this in HN” but this thread was empty except for one other comment (which was also critical of this) at the time you posted your comment.
HN and even the GitHub comments mostly start with the assumption that of course we should do this. Of course we should restrict social media to under 16/18s and either are in favor of ID to access the Internet or pretend it won't happen by consequence of this.
Now try to address what I said instead of poorly calling me out.
Please tell me exactly what you think and I can nitpick it vaguely instead of putting forth mine. Heh.
In any case, just look at the comments under my comment. You'll see them.
- https://news.ycombinator.com/item?id=44705630 (this is good, we need this).
- https://news.ycombinator.com/item?id=44705597 (are you a conservative?! Anonymity should be reduced.)
Don't be disingenuous with your proof demands and tell us what you think and then we can discuss the merits of your argument.
The case that "so many" people are advocating this on HN. Sounds like a significant percentage!
> What's YOUR case. Assert a position
Their case is that you should give evidence.
> and provide proof in triplicate please. Please tell me exactly what you think and I can nitpick it vaguely instead of putting forth mine. Heh.
"you should give evidence" doesn't need its own proof. And nitpicking such a simple idea would be a waste of everyone's time.
"So many" means "so many". You're creating a straw man in bad faith.
What's your take on digital Age verification. Either provide useful commentary or stop trolling. Address the existence of the other comments I linked.
Or at the very least, many here support the goal of keeping children and/or teenagers off of social media entirely, while disliking the means of ID verification. But it's not like there's any other obvious means.
If you stretch the definition of "recent" to ~ 60d then you can also search for the pornhub/France thing. Quick google nets this thread: https://news.ycombinator.com/item?id=44210557. There are likely others, too... but I'm lazy :).
Age verification is already a thing IRL, there is no reason to not extend it online considering so much of our lives is digital. Overall I think anonymity should be reduced on the internet in general - a big reason of the world issues, especially in USA is that ideas can grow in forums where people under ethereal identities can tell lie after lie without any repercussion.
See, I wouldn't have as much of an issue if you were honest about this real intention, because of how on the nose it is to reasonable people.
The idea that I will have to upload 3D models of my face and ID, or get permission from Google, just to go online because you don't like the idea of someone else's kids using the internet is absurd.
Please stop using appeals to children in your quest to "stop ideas from growing".
Ah yes. Anonymity is the only thing that enables dishonesty and of course it's the government's moral duty to regulate it.
Once anonymity is banned, the world will be honest and good and True and we'll all look back on the Bad times thinking how silly we all were.
The best part of Minority Report was the way everything constantly tracked identity through retinal scans; I can't wait for the future!
It's a privacy preserving over 18 check.
Is it a "slope"? Sure, you can imagine an extension to the system that is "worse".
Is it "slippery"? This thing isn't draconian enough to be effective. It will be a minor speedbump that prevents exactly zero determined under-18's from accessing anything that they'd want to. So then the question is, does the government react by trying something more draconian, or does it give up?
The internet used to be a bastion of freedom. That era ended around 2005.
- The operating system was licensed by Google
- The app was downloaded from the Play Store (thus requiring a Google account)
- Device security checks have passed
While there is value to verify device security, this strongly ties the app to many Google properties and services, because those checks won't pass on an aftermarket Android OS. The issue is being raised here: https://github.com/eu-digital-identity-wallet/av-app-android...
I would like to strongly urge to abandon this plan.
Requiring a dependency on American tech giants for age verification
further deepens the EU's dependency on America and the USA's
control over the internet.
Especially in the current political climate I hope I do not have
to explain how undesirable and dangerous that is.
As a resident of the aforementioned political climate, I find their concerns to be reasonable. There are a number of comments in that same thread that indicate a mandate to utilize Google services may run afoul of EU member nations' integrity and privacy laws.
No. The lesson is that stuff like this is concerning whatever the "political climate".
Anyway, you mainly don't want the gov in your vicinity to snoop. Non-local OSes are probably advantageous in that regard if you choose to run proprietary code...
We say this, but many also want to entrust all our PC games to one closed source launcher. Or have videos/TV all on one subscription service. There's definitely a spectrum of benevolent and greedy dictators people draw lines on.
And obviously it is not just one arena, because it seems to be one glaring issue with human beings: they do not want to see the road ahead. And the ones they do are, at best, ignored.
I think that is far more that people like the other closed source launchers less, and each launcher potentially adds its own stream of notifications and adverts to their system so there is a cost to having multiple active even if the PC resource cost is practically undetectable.
Furthermore if comparing game launches and related issues to political climates, I'd consider all the current closed source ones to be the same in those respects. Also we are not subject to several local political climates at any one time in that way (though we are when looking at a wider scale, of course).
> Or have videos/TV all on one subscription service
While there are other issues (each service tracking you etc.) this is more due to the fact that each service charges what we used to pay (in fact more, as in some cases prices have gone up by more than general inflation) for a single service that provided the same amount of content that they cared about. This doesn't really equate to trust on political climates (except where commercial greed is considered a political matter).
That is because the introductory prices were not 1 to 1 to the business’ existing revenue streams from cable and satellite transmission fees. Especially considering that before, there was a very limited supply of content restricted by time slots, and now you are buying far, far more on demand content without advertising breaks. And without contracts with a cable or satellite company.
People are spoiled, and don’t appreciate how much easier and cheaper it is to watch or listen to most content than it was pre streaming services.
One only needs to look at market cap graphs of the various media companies to see that streaming isn’t the cash cow people think it is.
There is some amusing irony in the EU relying on the US for furthering its own authoritarianism. It's unfortunate that freedom (in the classic rebellious, American sense) never became that popular in the EU, or for that matter, the UK.
IMHO, the push for age verification is just a stepping stone towards requiring a mandatory ID for all social media posts made from EU. Given the current trends against freedom of speech, it's not unreasonable to think that by the end of the decade any site, including HN, might need to link usernames with their respective eIDs in case posts come from EU IP addresses.
> officially sanctioned hardware and software
Right now, if you want to run an alternative OS, it's already an uphill battle to use tons of member state services, as well as to do banking. Even if you have microG available, the situation is terrible. I imagine it's going to become harder. I cannot understand why the European Commission wants to reduce our reliance on FAANG services, and at the same time they make Google Play a de facto standard, reinforcing the mobile duopoly. In this context, free alternative mobile platforms, such as Sailfish, cannot flourish.
this is not the way to make a point that the other party will find persuasive.
Whoops, Google have delisted your government app from the Play Store, how quickly can you de-couple your citizens' internet access from the corptocracy?
If the proof can not be traced back to your identity, then what stops a person from creating large amounts of proofs and distributing them?
If the proof can be traced back to your identity, then... that would suck.
Well, it's more like a framework, so not a ton of details. I've just glossed over it, but from what I can gather they have thought about it:
No personal data, especially no information from personal identification documents such as national ID card, is stored within an [Age Verification App Instance]. Only the Proof of Age attestation, specifically indicating "older than 18", is utilized for age verification purposes
Stored Verification(8b): [Relying Parties] may optionally store information derived from the Proof of Age attestation in the User's account, allowing the User to bypass repeated verification for future visits or purchases, streamlining the User experience. In this case, authentication methods such as WebAuthN should be utilised to ensure secure access while enabling the User to choose a pseudonym, preserving privacy. Risks in case of the device sharing should be considered.
[1]: https://ageverification.dev/Technical%20Specification/archit...
[2]: https://ageverification.dev/Technical%20Specification/annexe...
For all the shit Google deservedly gets they seem to be genuinely trying to implement good and privacy preserving solutions to a lot of these problems.
The issue of course is that there's essentially no way to do all this stuff with software and hardware the user actually controls themselves, so you end up with hard requirements that you use big tech as gatekeepers.
This is the slippery slope that IMO eventually ends the open web.
If you take that outcome as inevitable, which at this point I basically do given all the forces lined up to restrict access to information, I suppose Google is about the best steward you could hope for.
[0] https://blog.google/products/google-pay/google-wallet-age-id...
I don't and I wish Google et al would take a god damned stand against it. All it takes is 2 or 3 big companies to just not play along with the destruction of the open internet (the very same responsible for their genesis and incredible success), and the bureaucrats will eventually relent. Unfortunately they've chosen the path of least resistance, which also is the path of regulatory capture to their sole benefit. Sad to see that win over the ideals of the early net.
I went on youtube in bed last night to watch a 10 minute video (that I knew I had to search for to find - it was a specific one), but the app opens to shorts and they're so damn stimulating that it was 30 minutes before I finally got to the vid I wanted. I started with pure agency and was immediately thrown off course. Say what you will about my discipline or habits, but imagine the effect this has on less... aware individuals such as children.
Walking around the world you see everyone buried in their phones.
There are aspects of this initiative that I totally welcome, if it has the result of some level of de-interneting. The argument is always "they do it to protect children first, then it comes for everyone". I hope they increase resistance for the end user. I agree it's sad, but what we have currently is truly awful, and less of it is a good thing.
I understand that it may not have that effect and end up in the "worst of both worlds" situation. But I don't want Google fighting any battles for me anymore. They might try on occasion to be respectful but their bottom line is to own my attention.
If a user can only make one then they'll have to use that identity with that service forever. That's a nightmare for privacy. Sometimes people need another account, unknown to their employer/family/friends. People should be able to make multiple accounts without those being tied together through a common "age check" identifier. But, of course, there is no way to prevent those from being distributed.
At some level I believe that's the purpose behind some of this. If someone can only have one proof, then someone can only have one account to speak with. They'll be easier to monitor, easier to identify, easier to silence. That's why I think these types of laws and behaviors should be resisted and protested.
I've mentioned in a previous comment that it's telling that big tech isn't resisting these totally-just-coincidental ID laws coming from western countries. It supercharges their surveillance and tracking abilities, and widens their moats.
Also, porn is a smokescreen. The definition of "adult" content will rapidly expand, and these put the ID issuers in a censorious position of control over people and services. Nothing stops a government attestation server from rejecting a request because someone is blacklisted from "mass communication services" because they're a felon, protestor, LGBT activist, etc... or because a service has fallen out of favor.
Seriously you can't make this stuff up.
It may be that the people in charge in the EU don't really care about the market dominance as long as they can collect enough extra money from them...
https://ageverification.dev/Technical%20Specification/media/...
Essentially, the core user journey is a privacy preserving "over 18" check. I suppose this prevents under 18's from accessing porn, in the same way that most blocking technologies impose an expense on everyone but fail to block tech-savvy children.
Doesn't seem like it could ever stop someone with a bittorrent client, unless you have to attest you are over 18 to even use bittorrent.
If I were a kid, I could see myself downloading Opera GX and enabling the free VPN. It's probably not "tech-savvy" because the browser gets a lot of ad views on YouTube; it would be pretty obvious.
Basically anything other than going to a legally compliant website and trying to attach your mom's passport to the age verification app and doing the challenge.
I would want to sit in on this audit.
I think I have become far too cynical.
But this still wouldn't stop determined kids from VPNing to another country to make their account, and wouldn't stop peer pressure on kids from bleeding to parents to help them.
Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is *other people.* Other addictions still exist. Removing one vice without solving the underlying systemic problem merely shifts the goalposts, and everyone is up in arms about what a slippery slope that is for good reason.
EDIT: Clarity here because I phrased that badly in a hurry: I'm in disfavor of internet access being a requirement for schoolwork, but I failed to set that context initially. If parents trust their kids enough with access, once they've reached a certain point of maturity, that's fine. I'm against technological age gates and I'm against removal of bad content from the net at large. Parents should decide when their kids are ready, and guide them appropriately.
I will leave my original remarks unedited so the remaining discussion is sensible. (Sorry!)
As for other people being the danger, there’s some truth to that for women. I have a daughter, so this will be a concern. But you know, she won’t die. Everyone goes through trauma. The key here is to make sure she feels comfortable enough to talk to me and to my wife before doing anything (too) stupid.
I snuck out of my parents’ house to go see a girl when I was 16. Took my dad’s station wagon. On the way, some car tried to pass me and ended up hitting a big truck on the side. Truck was fine, I was fine, that fella was not. He ended up on the side of the road. Me and trucker just kept going. I still think about that guy a lot, because obviously the correct thing to do would have been to call 911, but I was a dumb 16yo who was out past midnight to go see a girl.
Point is, if things went a little differently, I could have been the one who crashed, or even dead. But that doesn’t mean that the girl I was going to go see was somehow a threat to me. It means I was doing something dangerous.
Again, this is easy to say as a man. The threat model for women is different. But prohibiting minors from the internet without supervision is totally absurd, and I feel bad for any parent who helicopters their kids like that.
Ultimately your kid will grow up and have their own life. Do you want to be remembered as the parent who had them under lock and key in the name of safety, or as a parent who monitored from a distance and occasionally let them do stupid things so that they could learn from it? For me, the latter is far more preferable.
I was not clear enough, so I will try again. If parents do not want their kids to access "bad content", whatever that means to them, then they need to supervise the access. If parents are okay with their kids accessing bad content, then that choice is theirs to make. The internet itself should not be the gatekeeper here, neither should the government, but the parents do need to actually parent. I do not believe technology should be doing the parenting. And BECAUSE I believe this is a choice the PARENT should make, I also do not believe unfettered access to the internet should be a requirement for students. As long as that is a requirement, the parents aren't in control, and we get draconian laws trying to "fix the internet."
You have wildly misinterpreted my intent, and admittedly it is because my opening sentence was poorly phrased.
As far as the beheading video, why be offended? Yes, I think teenagers will be naturally curious, and that gore videos will be on their watch list along with porn. It was true for most of my friends, and admitting this truth rather than running from it is how you deal with it. It’s not "defending" when it happens as a matter of course.
Again, you’re basically arguing for draconian powers not for the government but for the parents. To me, this is two sides of the same coin; whether the jailer is the government or the parent, when I was a teen both would have been the enemy. I personally don’t want my child to think of me as the enemy. Other parents can make different choices.
And yes, I think it was fine for me to watch that video when I was 13.
You're trying to logically and emotionally appeal to people whose amygdala have been hijacked by a moral panic.
I agree with you, but good luck.
W T F ? ? ?
> Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is other people.
Bad news, Champ. Other people also exist off of the Internet. They always have. The world is not entirely safe. And that does not mean children shouldn't get to be part of the world.
The main problem here is panicky idiocy.
That idea has never really been realistic short of keeping them isolated from society until 16-18 (which most would consider abuse), but it’s not even slightly possible today with how readily available information has become. It’s an inevitability that they will learn about the topics you’ve been avoiding and take on external influences you may not approve of.
Now to be clear, I’m not advocating for letting kids run wild on the internet with no guardrails, especially earlier on. Guardrails are important, but it’s even more important in my opinion to try to stay ahead of what they may encounter by talking with them about those things so when they eventually run across it, they’re not flying blind and might even seek your guidance about the incident since they know you’re not going to get angry about it. That’s much more likely to bring positive outcomes than if they ran into these things without parental support.
The point I was actually trying to make is just this: if the parent's goal is to block content, then the simplest thing to do is to be there when the child is surfing the net. That shouldn't take crazy technological measures. At some point, most parents realize their kids are mature enough to handle things and back off, but the parent should be making that call for their own kid. I don't think the government should be doing it on their behalf. If the government believes the internet is dangerous for young minds, then it should focus on the thing it can control: educational curriculum, primarily. Trying to "fix the internet" is a fool's errand.
It really seems like tying this to Google violates some key principles of the EU market.
Seriously. You don’t need Google. You just need a plan and a will to execute.
Everyone’s ready. The only reason US is wealthy is those subscription fees and vendor lock in we have.
Struggling to think of corporate produced software that doesn’t suck. iOS Safari is ok, I guess.
In America the least bad stuff eventually rises to the top. In Europe it feels like it's all just one shared pit.
The reason is because Americans buy the other tech firms, so it's not because they don't make non-bad tech, it's because USA just monopolizes it via very aggressive acquisitions.
> and the one that was a bit better than terrible was bought by a US company
But here you say EU can make great software? Just that USA then buys it. So we should just ban USA from buying our great software companies, is that what you are saying?
American companies like Google [0][1], Amazon [2][7], and Microsoft [3][4][5][6] have spent billions in FDI and hiring, thus building strong relationships with EU states like Ireland, Romania, Poland, Finland, Sweden, and others, but French and German competitors haven't (or don't exist depending on the service or SLA).
This means a significant portion of EU member states have an incentive to maintain the relationship, because the alternative means significant capital outflows. A Polish legislator doesn't have to answer to French voters, so they will incentivize the relationship with BigTech. Thus, these nations will lobby tooth and nail against destroying the relationship.
It's the same reason Hungary courts Chinese FDI [8] and enhancing the Sino-Chinese relationship as leverage against the EU pushing too hard [9].
[0] - https://www.gov.pl/web/primeminister/google-invests-billions...
[1] - https://www.gov.ie/ga/an-roinn-fiontar-turas%C3%B3ireachta-a...
[2] - https://www.aboutamazon.eu/news/job-creation-and-investment/...
[3] - https://centraleuropeantimes.com/microsoft-google-invest-big...
[4] - https://www.reuters.com/technology/nordics-efficient-energy-...
[5] - https://www.idaireland.com/latest-news/press-release/an-taoi...
[6] - https://www.government.se/articles/2024/06/prime-minister-to...
[7] - https://aws.amazon.com/blogs/industries/cloud-technology-emp...
[8] - https://hungarytoday.hu/hungary-seeks-to-stay-leading-europe...
[9] - https://theloop.ecpr.eu/hungary-and-the-future-of-europe/
You also can't just say, "Here's a few hundred billion in public support to create alternatives to U.S. tech giants", because the U.S. would argue that it's unfair state aid and retaliate.
There isn't enough private capital in the EU with the risk tolerance required to take on such a challenge independently.
We also lack a reserve currency like the USD, so we can't print $2 trillion a year, much of which ultimately flows into the U.S. stock market and further boosts U.S. tech companies, making competition even harder.
EU markets are already fully penetrated by U.S. behemoths that can either withstand or acquire any privately funded competitor, thanks to their massive cash flows and valuations.
For all these reasons, the outlook isn't very promising.
Google rolls into town and wants to spend half a billion euro on a datacenter? Sure thing. They'll say that it'll boost the local economy while being built - by creating a couple of thousand jobs for the contractors that are going to build and maintain it, and then some onsite jobs for the next decade or two, creating a couple of hundred jobs for techs / engineers.
And as long as they keep playing ball with google, projects like that will pop up once in a while. If you're difficult, there's also a risk of the rich tech companies taking their business some other place.
With that said, I've recently noticed more voices for building our own stuff - as there's a real risk that US tech companies will simply comply if pushed enough, say, by a POTUS that's out for blood and wants to hurt certain foreign users. Ban/lock out certain users from gaining access to software, turn off their infrastructure, etc. who knows.
But, alas, there just isn't the same willingness to pour in capital on the important things. For private investors it doesn't make much sense, unless they have a bulletproof contract with domestic users willing to buy their service - and using state funds isn't too popular, either.
Truth be told, any of the big tech businesses can undercut any competition, and probably build better and faster. If anything, it could be the case for tariffs - outsourcing critical infrastructure will leave you very exposed. If European countries all over the board started to abandon US tech companies, they'd cry to Trump, who in turn would probably start a trade-war.
I use GrapheneOS as a daily driver and I absolutely love it. It should be the default. There's already one app I use that must do something similar and absolutely just won't run on it, so I have an entirely separate phone running stock Android just for that one app. Still worth the hassle.
Glad I don't live in a place where all this madness is taking root, but still, the trend itself sucks.
> Very well sir, which digital payment service would you like to use?
> It doesn't matter they all force me to use my phone.
EU wants to push more control on the internet, today it's "think of the children" but when the infrastructure is rolled out, it'll be "real name verification" on social media, chat control, etc.
Whoever is pushing this in EU has to be removed before things will get better.
None of this prohibits users from modifying their bootloader, kernel, or OS image; but any such modification would invalidate the secureboot signature and thus break attestation until the user registered their own signatures with the EU.
The EU currently only transacts with Google in this regard because, as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining live in production end-user devices in the decades since Secure Boot came onto the scene. All it takes to change that is an entity who has sufficient validity to convince them that outsourcing permitted-signature verification to Google is unethical, which it is.
It’s a safe bet that Steam Linux was already working on this in order to attest that the runtime environment is unmodified for VAC and other multiplayer-cheating prevention systems in games — and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.
The vendor lock-in here is that Apple and Google and, eventually, Valve, are both willing to put the weight of their business behind their claims to the EU that they do their best to protect the security of their environment from cheaters, with respect to the components required by the EU age verification app. The loophole one could drive a truck through that the EU has left open to break that lock-in in the future? Anyone can petition the EU to accept attestations from their own boot-kernel-OS chain signatures so long as they’re willing to accept the legal risks visited upon them if found to have knowingly permitted exploitation for age check bypasses, or neglected to respond in a timely and prudent manner when notified of such exploitability by researchers — and if the EU rejects their petition improperly, they’ll have to answer for that to their citizens.
This is why it's important that initiatives like Web Environment Integrity fail. Once the tools are in place, they will always be leveraged by the State.
> and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.
I hope that Valve pays no mind to this nonsense and continues to allow art to be accessible to anyone.
Governments have real and serious need for verifications that are backed by their force. They’re a government; they are wielding force upon citizens by doing this, knowingly and intentionally. That is a normal and widespread purpose of the State existing at all: to compel people to align with the goals of the State, whether members of the State like it or not, until such time as the State’s goals are changed by whatever means it permits or by its collapse.
If this pans out for them, as cryptographically it will but it remains to be seen how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.
Western sfbay-style tech was founded on the libertarian principle that one should be able to tell the government to fuck off and deny taxation, representation, blah blah etc. in favor of one’s armed enclave that does what it feels like. It’s fine to desire that, but it’s proven too radical to be compatible with the needs of nation-states or the needs they enforce satisfactions for on behalf of their citizens. Attacking attestation won’t solve the problem of the “State”, and has led us to a point where Google can claim truthfully to a “State” that the Android forks ecosystem isn’t competent enough to be trusted, because they can’t be bothered to do attestations.
we've banned all graphic depictions from the internet, required a verified name attached to every blog post, and made sure to confirm everyone's digital passport before letting them resolve a DNS query, but at least now I can vote from me phone instead of having to go outside. The future is bright!
... unless they don't want to turn their device into a boat anchor that nothing else will talk to. It's not going to stop with age verification.
Counterproposal: fuck attestation, and fuck age verification. Individual users, not corporations, associations, or organizations, get to use any goddamned software they want any time they want for any purpose they want, and if you set up some system that can't deal with that, tough beans for you.
Kinda, yes.
(slightly simplifying the mechanism here)
This seems to be based on the EU Wallet project, which is still work in progress. The EU wallet is based on OpenID (oidc4vci, oidc4vp). The wallet allows for selective disclosure of attributes. These attributes are signed by an issuing party (i.e. the government of an EU country). That way an RP (relying party) can verify that the data in the claim (e.g. this user is 18+) is valid.
However, this alone is not enough, because it could be a copy of that data. You can just query a wallet for that attribute, store it and replay it to some other website. This is obviously not wanted.
So the wallet also has a mechanism to bind the credential to a specific device. When issuing a credential the wallet provides a public key plus a proof of possession of the associated private key (e.g. a signature over an issuer-provided nonce) to the issuer. The issuer then includes that public key in the signed part of the credential. When the RP verifies the credential it also asks the wallet to sign part of the response using the private key associated with that public key. This is supposed to prove that the credential was sent by the device it was issued to.
Now this is where the draconian device requirements come in: the wallet is supposed to securely store the private key associated with the credential. For example in a Secure Enclave on the device. The big flaw here is that none of this binding stuff works if you can somehow get access to the private key, e.g. on a rooted phone if the wallet doesn't use a secure enclave or with a modified wallet app that doesn't use a secure enclave to store the private key. You could ask a friend who is 18+ to request the credential, copy it to your phone and use that to log in.
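The binding flow described in the comment above, as an added example that is not part of the original thread or of the EU wallet code: an issuer signs an attribute together with the wallet's public key, and the relying party accepts a presentation only if a fresh nonce is signed by the matching private key. The function names, the JSON layout, the use of a `cnf` field for the bound key and the `rp-a.example` / `rp-b.example` identifiers are assumptions made for this sketch, and the proof of possession at issuance is left out.

```javascript
// Added illustration of holder-key binding; simplified JSON, not the wallet's real wire format.
const crypto = require("crypto");

const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const sign = (key, obj) =>
  crypto.sign("sha256", Buffer.from(JSON.stringify(obj)), key).toString("base64");
const check = (key, obj, sig) =>
  crypto.verify("sha256", Buffer.from(JSON.stringify(obj)), key, Buffer.from(sig, "base64"));

// Issuance: the issuer signs the attribute together with the wallet's public key.
function issue(issuerPrivateKey, devicePublicKey) {
  const claims = { age_over_18: true, cnf: devicePublicKey.export({ format: "jwk" }) };
  return { claims, sig: sign(issuerPrivateKey, claims) };
}

// Presentation: the wallet signs the RP's fresh nonce and the RP's identifier.
function present(credential, devicePrivateKey, nonce, audience) {
  const binding = { nonce, aud: audience };
  return { credential, binding, sig: sign(devicePrivateKey, binding) };
}

// Verification at the RP: returns "ok" or the reason for rejection.
function verify(p, issuerPublicKey, expectedNonce, self) {
  if (!check(issuerPublicKey, p.credential.claims, p.credential.sig)) return "bad issuer signature";
  if (p.binding.nonce !== expectedNonce || p.binding.aud !== self) return "replayed presentation";
  const holderKey = crypto.createPublicKey({ key: p.credential.claims.cnf, format: "jwk" });
  if (!check(holderKey, p.binding, p.sig)) return "holder key mismatch";
  return p.credential.claims.age_over_18 === true ? "ok" : "attribute not satisfied";
}

// Constructed scenario: one issuer, the enrolled device, and a second device with its own key.
function demo() {
  const issuer = newKey(), device = newKey(), other = newKey();
  const cred = issue(issuer.privateKey, device.publicKey);
  const nonceA = crypto.randomBytes(16).toString("hex");
  const nonceB = crypto.randomBytes(16).toString("hex");
  const good = present(cred, device.privateKey, nonceA, "https://rp-a.example");
  const moved = present(cred, other.privateKey, nonceB, "https://rp-b.example");
  return {
    genuine: verify(good, issuer.publicKey, nonceA, "https://rp-a.example"),
    // The stored response shown to a second RP that issued its own nonce.
    replayed: verify(good, issuer.publicKey, nonceB, "https://rp-b.example"),
    // The credential presented from a device that holds a different key.
    copied: verify(moved, issuer.publicKey, nonceB, "https://rp-b.example"),
  };
}

console.log(demo());
```

The check establishes possession of the private key named in the credential and nothing about which hardware holds it, which is why the comment ties the scheme's strength to where that key is stored.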
Is the EU essentially foisting a someone-else-owns-your-keys regime onto their citizens?
The idea is that once you get used to that, you will get censored from all the internet.
> Is the EU essentially foisting a someone-else-owns-your-keys regime onto their citizens?
Not quite, it's the EU essentially foisting a don't-use-free-software regime onto their citizens
Indeed, the bug links to another bug where the author says that it isn't restricted to Play Services remote attestation and recently followed up with a documentation update making that clear. https://github.com/eu-digital-identity-wallet/eudi-app-andro...
Adding to what I said earlier, this isn't even an app that any EU member state will use. It's just a PoC, as it says in the README. https://github.com/eu-digital-identity-wallet/av-app-android...
Unfortunately for the authors, the pitchforks are already out, and the mob is on the march. It's too bad that HN is contributing to it.
Unfortunate that it doesn't matter, because they're not going to accept anything that's not attested by some authority.
Attestation in itself is a bad thing, guaranteed to be horrifically abused in ways far, far worse than any problem it could possibly solve. You do not need to know what software I am running, period.
Your employer needs to know if your devices connected to its network have been rooted without your knowledge.
In any case, this is a completely different discussion from what OP alleged, which I hope we can all agree is completely false.
Who the hell wants this Internet...?
Scared rich people and bureaucrats
If it's not unbelievably obvious, there's an entire class of people flying private jets to "world summits" where the transcripts aren't disclosed. What do you think is going on? Use your brain.
You're 100% right that it's happening today.
which is an unnecessary ideological divide if your concern is free speech and privacy; too bad the old guard of activists chose sides and alienated additional support for their cause.
Do not think for a moment that ID verification primarily protects children and only incidentally enables authoritarian restrictions on speech. Do not think for a second that verification initiatives are designed without anticipating this outcome.
https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_wha...
They flip flop on this stuff at least once a month, and the most annoying part is that they always herald everything they do as some new epoch-defining initiative only to quietly forget about it and do the opposite a few months later.
If nation states are dogs, then EU is the chihuahua: loud, proud and extremely ineffective.
Because in the background it's a French vs German vs Irish vs Czech vs $insert_eu_state business interests competing with each other.
Notice how it's almost always French legislators and businesses that mention "domestic EU tech" and not Polish, Czech, Romanian, Dutch, or even German policymakers or businesses?
That's why.
National interests always end up trumping the EU in its current form. And for a large portion of the EU, American BigTech represents the majority of FDI (tech and overall).
Japanese and Korean automotive players did the same thing with the US in the 1980s-90s in order to ensure their interests remained aligned (though the Plaza Accords did play a role).
The EU is not a hegemonic state, but rather an economic supranational organization. France/Germany tend to be primary proponents of increased EU strategic autonomy, while Poland/Czech/Baltic states are less supportive.
Similar to recent discussions of self-hosting, it's a tradeoff of autonomy/control vs efficiency.
Germany isn't doing this as much anymore, because Germany Inc has become increasingly dependent on their investments within the US [0], especially after the triple whammy of the Biden-era IRA [1], the sanctions on Russia sparking a domestic energy crisis [2], and Chinese players outcompeting German industry in China [3].
This can be seen with Germany purchasing American weapons for Ukraine over French objections [4]
[0] - https://flow.db.com/more/macro-and-markets/us-german-trade-r...
[1] - https://www.bloomberg.com/news/articles/2022-12-14/german-go...
[2] - https://oec.world/en/blog/bavarias-dependency-on-russian-gas...
[3] - https://www.reuters.com/business/majority-german-firms-feel-...
[4] - https://www.politico.eu/article/europe-donald-trump-weapons-...
I mean... great for the politicians, not for an average European.
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
Who voted for this? Who asked for this?
these people are monsters. don't help them, and don't be complicit. working on digital ID tech, and even disclosing vulns in it is like helping Hollerith make faster and more efficient punch cards.
djrj477dhsnv•3h ago
Unless their governments start issuing Android devices to all of their citizens, I don't understand how they can require use of this app for anything official.
the_mitsuhiko•3h ago
Not sure who you mean by "they" but you already cannot use a lot of governmental services unless you have an Android or iOS device (at least in Austria). At least in practice that is almost impossible.
djrj477dhsnv•3h ago
> you already cannot use a lot of governmental services unless you have an Android or iOS device (at least in Austria).
That's terrible. They have official services that require an app and can't be used via a standard browser or even paper forms? What do elderly people without smartphones do?
homebrewer•3h ago
> What do elderly people without smartphones do?
They buy a smartphone and have their relatives set everything up for them. Not doing that isn't really an option because you can't even get your pension or planned (i.e. nonemergency) medical services anymore without going through the government mobile app.
If they don't have any relatives, they walk to the government building that used to solve these things for them using good old paper forms, and have officers there help them out. It's a completely braindead system that was envisioned by someone who has very little idea of how the common person lives.
Not that there are any channels to provide feedback, ironically enough. (Voting is a sham and has always been so here.)
wmf•1h ago
AAAAaccountAAAA•48m ago