> Unless their governments start issuing Android devices to all of their citizens, I don't understand how they can require use of this app for anything official.

Not sure who you mean by "they" but you already cannot use a lot of governmental services unless you have an Android or iOS device (at least in Austria). At least in practice that is almost impossible.

They will support iOS and Android which covers 99.9% of the population.

They don't require the app for anything official. Uploading (partially redacted) scans of your ID like you would be obligated to today, or physically verifying your age for things like alcohol delivery, should also suffice.

At the time this comment was posted there was only one other comment in this entire thread.

You say “so many people are advocating for this in HN” but this thread was empty except for one other comment (which was also critical of this) at the time you posted your comment.

I don't think you are fully wrong, but the issue is your rhetoric is very much used by conservatives or "both sides are bad" which are just mask-on conservatives who end up voting the same way. And the problem with conservatives is not really the ideals and ideas, but the fact that they vote Republican (or whatever the equivalent party is in other countries), that all pretty much are the exact opposite of those ideals.

Age verification is already a thing IRL, there is no reason to not extend it online considering so much of our lives is digital. Overall I think anonymity should be reduced on the internet in general - a big reason of the world issues, especially in USA is that ideas can grow in forums where people under etherial identities can tell lie after lie without any repercussion.

> it's so clearly a draconian slippery slope for invasive surveillance and choice restriction

It's a privacy preserving over 18 check.

Is it a "slope"? Sure, you can imagine an extension to the system that is "worse".

Is it "slippery"? This thing isn't draconian enough to be effective. It will be a minor speedbump that prevents exactly zero determined under-18's from accessing anything that they'd want to. So then the question is, does the government react by trying something more draconian, or does it give up?

It's just information. Data. Bytes. We need a proper George Orwell for the digital age.

The internet used to be a bastion of freedom. That era ended around 2005.

> As a resident of the aforementioned political climate, I find their concerns to be reasonable.

No. The lesson is that stuff like this is concerning what ever the "political climate".

Anyway, you mainly don't want the gov in your vicinity to snoop. Non-local OS:es is probably advantageous in that regard if you choose to run proprietary code...

From the telegraph.co.uk: "Elite police unit to monitor online critics of migrants" and there are people worried about the "political climate" in the US lmao

"Device security checks" is the most horrifying aspect as it basically means "officially sanctioned hardware and software", and leads straight into the dystopia that Stallman warned us about in Right to Read.

There is some amusing irony in the EU relying on the US for furthering its own authoritarianism. It's unfortunate that freedom (in the classic rebellious, American sense) never became that popular in the EU, or for that matter, the UK.

  Stage 1: It's not happening, you're just imagining it

  Stage 2: OK, it's happening but only a little bit no need to exaggerate

  Stage 3: OK it's happening a lot but here's why it's a good thing that it's happening

>Especially in the current political climate I hope I do not have to explain how undesirable and dangerous that is.

this is not the way to make a point that the other party will find persuasive.

You don't even need to consider politics to acknowledge this is dangerous, wildly irresponsible of a government to tie internet access to a foreign corporate entity's control. The privacy concerns of not being able to use a device free from Google services, may only be second to the sovereignty issues it introduces.

Whoops, Google have delisted your government app from the Play Store, how quickly can you de-couple your citizens internet access from the corptocracy?

So remote attestation?

so what option is??? do you rely on third party store to do check??? I bet its more secure than google has verify it for you

So we wouldn't be real EU citizens, unless Google says so? Can we get rid of passports then? /s

Someone opened an issue about changing the wording https://github.com/eu-digital-identity-wallet/eudi-doc-archi...

Guardians of minors are responsible for what they view, as well as what they drink or breathe. So they should make sure their devices are configured properly, same way they make sure there is no alcohol or tobacco intake.

Then we have systems like:

PICS https://en.wikipedia.org/wiki/Platform_for_Internet_Content_...

POWDER https://en.wikipedia.org/wiki/Protocol_for_Web_Description_R...

ASACP/RTA https://en.wikipedia.org/wiki/Association_of_Sites_Advocatin...

Proving we do not need a system prone to PII leaks, just collaboration between content providers and guardians, helped by OS & browser vendors.

But it seems restricting minors is a side effect, at best, of the on going theatre.

Why is it I can use my German national ID online without these Google requirements, but age verification suddenly requires dependency on Google?

> Especially in the current political climate

I am forever thankful that Trump won the last election. If it were a Democrat party at the helm it would be practically impossible to have opposition to this, as most of the left would simply fall in line and cancel anyone daring to oppose the party. Look at how Obama strengthened the Patriot Act and carried out mass deportations with but a tiny grumble from the press.

    Protecting Kids from Social Media Act (Tennessee HB 1891)
    Sponsors Representative William Lamberth (R‑TN) 
    Requires: Social media platforms to verify users’ ages and obtain parental consent for under‑18 users; restricts retention of verification data; allows parental monitoring & time limits. Went into effect January 1, 2025.

    Utah Social Media Regulation Act (SB 152 & HB 311)
    Sponsors: Sen. Michael McKell (R) , Rep. Jordan Teuscher (R-District 44)
    Requires: Mandatory age verification for all users; parental consent and oversight for under‑18s; bans algorithmic targeting to minors; curfews; data‑privacy protections. (As of mid‑2025, enforcement blocked by litigation.) 

    The Walker Montgomery Protecting Children Online Act (Mississippi HB 1126)
    Sponsors: Walker Montgomery (R‑MS)
    Requires: Digital service platforms to verify age using "commercially reasonable" methods, obtain parental consent for users under 18, limit collection/use of minor’s data, moderate harmful content (self‑harm, grooming, etc.)

    Texas SCOPE Act (HB 18, “Securing Children Online Through Parental Empowerment”)
    Sponsors: Bryan Hughes (R-District 5)
    Requires: Platforms to verify the parent/guardian age if the account is for a minor; parental consent before collecting data for users under 18; content filtering for self‑harm, etc. Enforcement partially blocked by lawsuit. 

    Kids Online Safety & Privacy Act (S. 2073 – pending)
    Sponsors: Sen. Jon Ossoff (D-GA)
    Requires: Commission study into age‑verification technologies; does not mandate verification itself

    Utah Social Media Regulation Act S.B. 152
    Sponsors: Sen. Todd Weiler (R)
    Requires: Mandatory age verification, parental consent, time‑bed restrictions, limits on algorithmic recommendations; currently blocked in court 

    Mississippi Walker Montgomery Protecting Children Online Act (HB 1126)
    Sponsors: Representative Walker Montgomery (R‑MS)
    Requires: Age verification for digital services, parental consent, limits on data collection and harmful content moderation

    Georgia Protecting Georgia’s Children on Social Media Act (SB 351 / Act 463)
    Sponsors: State Senator Brandon Beach (R)
    Requires: Platforms verify age of new users; under‑16 require parental consent; schools to ban social media access 

    Virginia Amendment to VA Consumer Data Protection Act (SB 854)
    Sponsors: Sen. Schuyler VanValkenburg (D) , Sen. Lashrecse Aird (D)
    Requires: Requires age determination, parental consent for under‑16, limits usage to 1 hour/day unless overridden by parent, fines up to $7,500 per violation

    Louisiana HB 142 (and HB 570) Online Age Verification for Adult Content
    Sponsors: Representative Laurie Schlegel (R)
    Requires: Websites where ≥ 33% of content is adult must verify users are 18+ via IDs or transaction data; private causes of action allowed

    Ohio HB 96 (2025 law)
    Sponsors: Bryan Stewart (R-Ashville)
    Requires: Criminal penalties for commercial sites failing to verify adult content users 

    Iowa SF 207 / HF 864
    Sponsors: Kevin Alons (R-Disctrict 7)

    Texas SB 2420 (App-Store Age Verification)
    Sponsors: Angela Paxton (R)

    South Carolina HB 3405
    Sponsors: Representative Brandon Guffey (R‑SC) prefiled Jan 2025
    Proposed: Require app stores to verify age and obtain parental consent for minors; still pending


    Protecting Kids on Social Media Act (S. 1291 federal bill)
    Sponsored by: Senator Brian Schatz (D‑HI), Senators Tom Cotton (R‑AR), Chris Murphy (D‑CT), Katie Britt (R‑AL) 
    Requires: Social media platforms to verify user ages, prohibit access to under‑13s, block algorithmic feeds to users under 18, require parental consent for minors

    App Store Accountability Act (H.R. 10364 / companion Senate bill)
    Sponsored by: Rep. John James (R‑MI‑10); Senate version by Sen. Mike Lee (R‑UT) with Sen. Richard Blumenthal (D‑CT) 
    Requires: App store operators verify ages and obtain parental consent before minors download apps or make in‑app purchases; federal preemption and FTC enforcement

Europeans are completely domesticated and servile to America, this is to be expected. Germans even let them spy on their government!

We don't even need this google layer. There already is a digital EU ID.

https://commission.europa.eu/strategy-and-policy/priorities-...

The technical specification can be found here[1], with further details here[2].

Well, it's more like a framework, so not a ton of details. I've just glossed over it, but from what I can gather they have thought about it:

No personal data, especially no information from personal identification documents such as national ID card, is stored within an [Age Verification App Instance]. Only the Proof of Age attestation, specifically indicating "older than 18", is utilized for age verification purposes

Stored Verification(8b): [Relying Parties] may optionally store information derived from the Proof of Age attestation in the User's account, allowing the User to bypass repeated verification for future visits or purchases, streamlining the User experience. In this case, authentication methods such as WebAuthN should be utilised to ensure secure access while enabling the User to choose a pseudonym, preserving privacy. Risks in case of the device sharing should be considered.

[1]: https://ageverification.dev/Technical%20Specification/archit...

[2]: https://ageverification.dev/Technical%20Specification/annexe...

This is the pr on it [0]. It was linked on hn at the time too [1]

For all the shit Google deservedly gets they seem to be genuinely trying to implement good and privacy preserving solutions to a lot of these problems.

The issue of course is that there's essentially no way to do all this stuff with software and hardware the user actually controls themselves, so you end up with hard requirements that you use big tech as gatekeepers.

This is the slippery slope that IMO eventually ends the open web.

If you take that outcome as inevitable, which at this point I basically do given all the forces lined up to restrict access to information, I suppose Google is about the best steward you could hope for.

[0] https://blog.google/products/google-pay/google-wallet-age-id...

[1] https://news.ycombinator.com/item?id=43863672

Even if they can't be traced back to a name/photo identity, it would still be a privacy disaster if you could only make one proof per service.

If a user can only make one then they'll have to use that identity with that service forever. That's a nightmare for privacy. Sometimes people need another account, unknown to their employer/family/friends. People should be able to make multiple accounts without those being tied together through a common "age check" identifier. But, of course, there is no way to prevent those from being distributed.

At some level I believe that's the purpose behind some of this. If someone can only have one proof, then someone can only have one account to speak with. They'll be easier to monitor, easier to identify, easier to silence. That's why I think these types of laws and behaviors should be resisted and protested.

I've mentioned in a previous comment that it's telling that big tech isn't resisting these totally-just-coincidental ID laws coming from western countries. It supercharges their surveillance and tracking abilities, and widens their moats.

Also, porn is a smokescreen. The definition of "adult" content will rapidly expand, and these put the ID issuers in censorious a position of control over people and services. Nothing stops a government attestation server from rejecting a request because someone is blacklisted from "mass communication services" because they're a felon, protestor, LGBT activist, etc... or because a service has fallen out of favor.

The idea is, that you have a 'digital ID' on your phone, tied to your real identity, that will today be used to prove you're 18, but when the infrastructure exists, it will be used for other stuff too... like needing to attach your real name to any social media account (you already have an app that does that on your phone for the 18+ thing, so adding real name is easy to implement), and that will greatly affect freedom of speech.

They use attribute based attestation which should be mostly anonymous. The long term goal was also to implement zero knowledge proofs which would make things like age verification fully anonymous, but because of technical reasons and development constraints that idea seems to have been postponed.

The reason you can't distribute a huge amount of proofs is that the app won't let you. To make sure the app won't let you, the app tries to verify that you're not running a modified app or a modified system environment. That's the remote attestation that "bans any android system not licensed by Google".

These tokens are signed and only usable for a limited amount of time so you can't just generate a million of them and sell them for others to use.

If the app can't rely on the system working as it should, it'll need to contain less privacy-friendly measures for limiting large scale token abuse.

For the proof to be traced back to your identity, you'd need to be tracked consistently across websites, possibly with the aid of the government itself. If ZKPs make it into the app, tracking you is basically impossible.

Of course, if you're authenticating with your full name and birth date, when opening a bank account for instance, you're not going to get the anonimity benefits. Still, you do get to see what party you've authenticated with and get a button in the app to request deletion or report suspicious behaviour if you think it was a scam.

Yeah, EU byrocrats love corporate overlords in real life

I mean there's a perfectly rational possible explanation for this - if the fines are actually just an extra targeted tax on these companies (but it's politically inconvenient to just do it honestly by levying a tax), and they would therefore adjust the laws to make sure they could still fine them if they had already complied...

It may be that the people in charge in the EU don't really care about the market dominance as long as they can collect enough extra money from them...

>but fail to block tech-savvy children.

If I were a kid, I could see myself downloading Opera GX and enabling the free VPN. It's probably not "tech-savvy" because the browser gets a lot of ad views on YouTube; it would be pretty obvious.

I think social media does more damage than porn. We should just instead legislate that all social media has to shutdown and just let everyone watch porn and be done with it. Sure, you wind up with ED if you watch that stuff since you were a kid, but hey, if birth rates around the world are anything to go by, no one seems to really want to bring children into this world anymore anyway, so it's not as if that actually matters anymore.

I think I have become far too cynical.

I keep coming back to the actual solution being to keep kids off the internet period. If you are under 18, and online without some sort of adult supervision, we have failed you. Maybe that ship has sailed with so much coursework requiring online access, but I maintain that perhaps we should declare it lost at sea and try again.

Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is *other people.* Other addictions still exist. Removing one vice without solving the underlying systemic problem merely shifts the goalposts, and everyone is up in arms about what a slippery slope that is for good reason.

EDIT: Clarity here because I phrased that badly in a hurry: I'm in disfavor of internet access being a requirement for schoolwork, but I failed to set that context initially. If parents trust their kids enough with access, once they've reached a certain point of maturity, that's fine. I'm against technological age gates and I'm against removal of bad content from the net at large. Parents should decide when their kids are ready, and guide them appropriately.

I will leave my original remarks unedited so the remaining discussion is sensible. (Sorry!)

It seems reversed, that the default is legal eligibility, and that minors should need to prove their status. They're the ones who need policing, after all, not us.

For instance, it's not illegal for me to be served alcohol. If I'm not carded when being sold a drink, nothing illegal has taken place.

If the lawmakers are being cowards and not saying they want to round up and ID all the children from birth until they are eligible to participate in the adult world, that's their battle to fight and not our burden.

If they could have stopped BitTorrent they would have long ago.

So no, this is totally ineffective. And it's not like there's actually a problem. There's no crisis of messed up kids or young adults. We all had access to porn in some form and we all turned out fine. I used to watch the late night pay tv which was just 'scrambled' by removing the sync signal. It was easy to put that back with some electronics chops. I saw my share of gangbangs and cumshots and I did not get messed up or get weird ideas. In fact I often get compliments I'm a sensitive and caring lover. I never do or push for the dirty porn tropes (unless she asks for them :)

So did most of my school friends. Also video tapes got passed on at school and later CDroms (when the writable DVD came I was already an adult). We all had plenty.

This is all to mitigate a "crisis" which doesn't actually exist.

So they are doing this to block the children that are able to “hack” their phones, from watching porn.

Don’t know how to describe how insane this is

> Essentially, the core user journey is a privacy preserving "over 18" check.

You can not check the age without breaking the privacy, technically it is Not possible; this is like a religious faith exercise, not science.

What one read in the specification is, firstly you install an official software in your device, the device becomes identified "as you" the first time you verify your ID and receive your unique internet ID hash, linked to your personal data at the identifier platform.

In addition, your unique internet ID hash will become you, and each time a Non-porn-related platform ask for it, you will leave track of who are you -as internet ID- to the platform (finger printing), and also what you visit to the identifier platform.

Yeah, I said Non-porn-related platform, literally, because what we are reading here is about an Internet digital ID hash for each EU citizen,

Lets be clear, if it were to protect the children from porn, it would say "verify with the personal internet ID only for porn sites", in company with all the adjectives derived from porn, exclusively, with specificity, nothing more.

But what we are seeing here about this matter is deliberately open to interpretation, they say "platform that can be considered to be accessible to minors"... boom, What does this mean, News for adults? Criticise a corrupt government for adults? In my village this is called a back door trojan, because when they want they redact the directives, laws, with precision.

Anyway, I invite the reader to take a look to the Digital ID directive on its own,

https://eur-lex.europa.eu/eli/reg/2024/1183/ (2024)

https://eur-lex.europa.eu/eli/reg/2022/2065/ (2022)

After this, they only have to define progressively, frog cooking time, and increase the affected Internet platforms with obligatory identification, and then we will think that the Great Chinese Firewall was a children game compared with this.

The "it's to protect the children" political tactic to break privacy is quite old. In addition we should remember the other EU law about breaking the encryptions.

My humble opinion.

PS: Ironically no more of two months ago I was saying that as I was European I have freedom and I didn't need a tooling for circumvent something like the Russian and Chinese censure. Oh my... If I were know this, I was absolutely blind about what someones try to cook.

What if the data stays on the phone?

The GDPR data locality requirement is that personal data must remain in the European Economic Area (unless an exception applies.) It has no requirement that data remains local to each state.

That's easy for a company like Google to comply with. In fact the company I work for uses Google European data centers to comply with GDPR.

It's more likely to be laziness by the developers.

You need a pile of money first. And that works differently in the EU.

It is amazing. All the US companies have to do is dangle a “free” solution and the EU will go for it, and then be all surprised pikachu at the terms they agreed to.

Where do you get from that we are capable of doing it ourselves? All EU-made software I've used was terrible, and the one that was a bit better than terrible was bought by a US company.

Because national interests always end up trumping the EU in it's current form.

American companies like Google [0][1], Amazon [2][7], and Microsoft [3][4][5][6] have spent billions in FDI and hiring, thus building strong relationships with EU states like Ireland, Romania, Poland, Finland, Sweden, and others, but French and German competitors haven't (or don't exist depending on the service or SLA).

This means a significant portion of EU member states have an incentive to maintain the relationship, because the alternative means significant capital outflows. A Polish legislator doesn't have to answer to French voters, so they will incentivize the relationship with BigTech. Thus, these nations will lobby tooth and nail against destroying the relationship.

It's the same reason Hungary courts Chinese FDI [8] and enhancing the Sino-Chinese relationship as leverage against the EU pushing too hard [9].

[0] - https://www.gov.pl/web/primeminister/google-invests-billions...

[1] - https://www.gov.ie/ga/an-roinn-fiontar-turas%C3%B3ireachta-a...

[2] - https://www.aboutamazon.eu/news/job-creation-and-investment/...

[3] - https://centraleuropeantimes.com/microsoft-google-invest-big...

[4] - https://www.reuters.com/technology/nordics-efficient-energy-...

[5] - https://www.idaireland.com/latest-news/press-release/an-taoi...

[6] - https://www.government.se/articles/2024/06/prime-minister-to...

[7] - https://aws.amazon.com/blogs/industries/cloud-technology-emp...

[8] - https://hungarytoday.hu/hungary-seeks-to-stay-leading-europe...

[9] - https://theloop.ecpr.eu/hungary-and-the-future-of-europe/

It's largely a political issue. At this stage you can't create alternatives to Google and other U.S. tech giants without removing them from the market (so essentially the Chinese approach, which has allowed them to build their own massive tech giants). But that path is nearly impossible for the EU due to the risk of U.S. retaliation. The EU can't even implement a digital tax.

You also can't just say, "Here's a few hundred billion in public support to create alternatives to U.S. tech giants", because the U.S. would argue that it's unfair state aid and retaliate.

There isn't enough private capital in the EU with the risk tolerance required to take on such a challenge independently.

We also lack a reserve currency like the USD, so we can't print $2 trillion a year, much of which ultimately flows into the U.S. stock market and further boosts U.S. tech companies, making competition even harder.

EU markets are already fully penetrated by U.S. behemoths that can either withstand or acquire any privately funded competitor, thanks to their massive cash flows and valuations.

For all these reasons, the outlook isn't very promising.

Because politicians are corrupt

Lack of capital. Fear of consequences.

Google rolls into town and wants to spend half a billion euro on a datacenter? Sure thing. They'll say that it'll boost the local economy while being built - by creating a couple of thousand jobs for the contractors that are going to build and maintain it, and then some onsite jobs for the next decade or two, creating a couple of hundred jobs for techs / engineers.

And as long as they keep playing ball with google, projects like that will pop up once in a while. If you're difficult, there's also a risk of the rich tech companies taking their business some other place.

With that said, I've recently noticed more voices for building our own stuff - as there's a real risk that US tech companies will simply comply if pushed enough, say, by a POTUS that's out for blood and wants to hurt certain foreign users. Ban/lock out certain users from gaining access to software, turn off their infrastructure, etc. who knows.

But, alas, there just isn't the same willingness to pour in capital on the important things. For private investors it doesn't make much sense, unless they have a bulletproof contract with domestic users willing buy their service - and using state funds isn't too popular, either.

Truth be told, any of the big tech businesses can undercut any competition, and probably build better and faster. If anything, it could be the case for tariffs - outsourcing critical infrastructure will leave you very exposed. If European countries all over the board started to abandon US tech companies, they'd cry to Trump, who in turn would probably start a trade-war.

The only will you get from EU is to protect incumbents and the only plan is to make another centrally planned fund that distributes money to chosen entities. EU is very good at removing the carrot while wielding a big stick for would be entrepreneurs.

EU isn't at all capable of doing that because it's not a hegemonic state, it's just bunch of a countries coming together to coordinate on doing stuff.

My guess on what happened this time is, people were tasked to implement a way to verify age anonymously and this was the only feasible way to do it because of their constraints that don't allow them to do bigger stuff that China or USA will able to do through having the budget and enforcement power.

Regulation and lack of capital. Just read the report from Mario Draghi if you don't believe me.

We have EU regulations, those are much tighter than in US, on practically every front. Labor, finance, environment, data, AI, you name it, we have it regulated. And then you have the country level regulations on top. That's right, EU sets the floor, not the ceiling.

Suppose you have a start up in Poland, you have managed to get funding and you are offering services in your country. You want to do that in Germany? Get ready for complying with new set of regulations. And you better hope that individual German states don't have something extra on top of those.

All of those regulations have purpose, it is possible that they were designed by well meaning people and bring some benefit. But their compound effect is catastrophic. It is not that you can't push trough, you can, just look at Kiwi or Mikrotik. But it's an uphill battle and your competition from overseas has it so much easier, that they can end up outgrowing you, and eventually buying you out.

Because most politicians in most countries (even most dictatorships) feel that interfering with the free market is too radical. They feel it's fickle and too risky to upset.

Anyway, if a government tried to make a European smartphone design, it would be treated as any other government supply contract, resulting in a terrible design-by-committee. So in the end, all politicians are willing to do is wait around and say "someone should do something".

It's actually a little better than that. One thing they can do, and have done, is make funds available for individuals and small groups who want to have a go themselves. Notably NLnet funds a lot of projects. They're all small projects though so they're not really capable of displacing megacorps in the free market. Stuff like MNT hardware remains niche hacker stuff.

No it doesn't work that way. That's a lot of political will for little monetary gain. Don't forget that countries in EU are still quite capitalist and many of the bigger companies have huge investments in the US. EU itself is a quite neoliberal org too. It has all sorts of forced privatization laws.

The post WWII doctrine of US that's applied in Europe is strengthening the bigger businesses. Those businesses use US tech since investing in an actual European tech sector is expensive. Especially after all the first players took critical positions.

The time to invest in that sector was in the 80s and 90s. Europe had a different relationship with the US and it was trying to encite small ex-Soviet states to join, so they can exploit the cheap labor. So nobody actually invested in local tech sector.

It is now an uphill battle that'll cost more than the original investment. Only countries with strong independence urge like France is willing to fight it. Most of the EU countries are not.

Don't kid yourself, the US is going to war against anyone that tries to regulate big tech as we are seeing with the US government going against Brazil and the Pix payment system

The only winning move is not to play the game. One has to have a phone these days but you don't have to do your computing on it (during personal time). Use a real computer instead.

It's not a tech issue, it's a regulation issue.

EU wants to push more control on the internet, today it's "think of the children" but when the infrastructure is rolled out, it'll be "real name verifiction" on social media, chat control, etc.

Whoever is pushing this in EU has to be removed before things will get better.

By design, this app isn't mandatory. There should be an alternative way to do age verification. If you can't access a service because you can't run the app, the service fucked up.

Furthermore, there's nothing stopping the governments implementing these standards from permitting GrapheneOS' signature. It's one of the ROMs that actually has a reliable signature so unlike random images from XDA there's a case for it to be permitted. Google's integrity check isn't just a binary check, it's a combination of a hash and a pre-defined list of suggested acceptable hashes.

There are lots of them, you might want to complain to your competition authority.

https://grapheneos.org/articles/attestation-compatibility-gu...

I'm pretty sure all you need is the ability to login to a website and for that site to vouch for your age based on having examined your identification documents (or something like a network of PGP web-of-trust type notaries). I have a hunch that using a hardware token and biometrics is required to prevent fraud (FIDO and passkeys etc should work). The trick is preventing simulated tokens from existing/working which is where secure boot etc enter the picture.

You would need to release a kernel and OS that requires users who modify the attestation and hardware token components of it to provide their own signing key rather than your production EU-registered one, chained back to the HSM signature emitted by the phone’s HSM signed bootloader; and then you would simply let the app check that its secure boot attestations chain to a secure bootloader/image/OS triplet that’s on file with the EU. Mix in some tech spice for the EU to prohibit OS releases that are validly signed but whose specific instance of a signature is found to be exploitable to bypass age checks and you’re set. None of this would prevent users from modding their devices, any more than macOS prevents modifications today if you turn off the security protections; but once you turn off the security protections, it can no longer attest with Apple’s signature because your modifications don’t match the signature any longer, and so Apple Wallet is inaccessible.

None of this prohibits users from modifying their bootloader, kernel, or OS image; but any such modification would invalidate the secureboot signature and thus break attestation until the user registered their own signatures with the EU.

The EU currently only transacts with Google in this regard because, as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining live in production end-user devices in the decades since Secure Boot came onto the scene. All it takes to change that is an entity who has sufficient validity to convince them that outsourcing permitted-signature verification to Google is unethical, which it is.

It’s a safe bet that Steam Linux was already working on this in order to attest that the runtime environment is unmodified for VAC and other multiplayer-cheating prevention systems in games — and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

The vendor lock-in here is that Apple and Google and, eventually, Valve, are both willing to put the weight of their business behind their claims to the EU that they do their best to protect the security of their environment from cheaters, with respect to the components required by the EU age verification app. The loophole one could drive a truck through that the EU has left open to break that lock-in in the future? Anyone can petition the EU to accept attestations from their own boot-kernel-OS chain signatures so long as they’re willing to accept the legal risks visited upon them if found to have knowingly permitted exploitation for age check bypasses, or neglected to respond in a timely and prudent manner when notified of such exploitability by researchers — and if the EU rejects their petition improperly, they’ll have to answer for that to their citizens.

> if this verification wasn’t in place, could I just alter the source code or binary to always return “yes I’m 18” (or whatever) and completely subvert the intent of this tool?

Kinda, yes.

(slightly simplifying the mechanism here)

This seems to be based on the EU Wallet project, which is still work in progress. The EU wallet is based on OpenID (oidc4vci, oidc4vp). The wallet allows for selective disclosure of attributes. These attributes are signed by a issuing party (i.e. the government of a EU country). That way a RP (relying party) can verify that the data in the claim (e.g. this user is 18+) is valid.

However, this alone is not enough, because it could be a copy of that data. You can just query a wallet for that attribute, store it and replay it to some other website. This is obviously not wanted.

So the wallet also has a mechanism to bind the credential to a specific device. When issuing a credential the wallet provides a public key plus a proof of possession of the associated private key (e.g. a signature over an issuer-provided nonce) to the issuer. The issuer then includes that public key in the signed part of the credential. When the RP verifies the credential it also asks the wallet to sign part of the response using the private key associated with that public key. This is supposed to prove that the credential was sent by the device it was issued to.

Now this is where the draconian device requirements come in: the wallet is supposed to securely store the private key associated with the credential. For example in a Secure Enclave on the device. The big flaw here is that none of this binding stuff works if you can somehow get access to the private key, e.g. on a rooted phone if the wallet doesn't use a secure enclave or with a modified wallet app that doesn't use a secure enclave to store the private key. You could ask a friend who is 18+ to request the credential, copy it to your phone and use that to log in.

The tool could have a mode where it just reads the cryptographic chip in your ID card via NFC and passes on the information to the verifying party. This information is signed by your government and they could verify it with the public key

Instead, they're trying to shoehorn your device into providing the same safety level and, in doing so, making it by design impossible for you to control your own device. Obviously if the sites trust a device that you control, you can make it tell them anything. The ideological part is that it's not your device anymore then and imo we should oppose that. The technical solution is to use the hardware security chip you already have with a reading mechanism that (nearly?) every smartphone already has and even works on any OS that can run a USB NFC reader. It could be an entirely open standard

Yeah it’s sort of like all the apps that would refuse to run on a jailbroken iPhone.

Basically on such a system you can potentially manipulate the process. Here that would probably be to install the credentials of someone else on the device.

So they want a locked down OS environment where user does not have root privileges and software has to be verified (in this case by Google) to be installed.

No evidence is given they will.

> No evidence is given that they won't implement non-Google remote attestation solutions like https://attestation.app/about

Unfortunate that it doesn't matter, because they're not going to accept anything that's not attested by some authority.

Attestation in itself is a bad thing, guaranteed to be horrifically abused in ways far, far worse than any problem it could possibly solve. You do not need to know what software I am running, period.

> Who the hell wants this Internet...?

Scared rich people and bureaucrats

> Who the hell wants this Internet...?

The under educated, unthinking unwashed masses. Just look at the tea leak. The amount of people that do not care about freedom or privacy on the internet vastly outnumber those that do. And because they do democracy unmasks itself in the digital realm as the tyranny of the unthinking majority.

Weep for the future.

The lazy middle class who don't like to take the responsibility of actually contributing to their community and running their family.

ps: Had to add this post after the others identified the low class and the upper class as responsible for this ;). But depending on where you are, the low class might not be "the masses".

Well meaning nordic liberals? They have been pushing chat control, I assume this is their idea as well.

Politicians and their buddies scared of having lost control of mass media.

I don't know why people on here love the Government. They are probably advocating for a Government, but not this. A government that does its basic functions, without too much overreach, something like minarchism.

They always start with "think of the children", but that's just the opening salvo. The wild west days of the internet are definitely behind us. We'll be lucky if we still have private personal computing in the future, or any semblance of free speech.

I heard from a friend last night that they were unable to see posts on X about current protests in their country because those were considered "adult" content which can now only be viewed after submitting to an ID check. Not porn, video of a protest.

You're 100% right that it's happening today.

It's not accelerating, it's over. We lost.

There wont be any consequences if you expect them to legislate against themselves, or handcuff themselves and throw themselves into a cage.

Let's stop beating around the bush. We all know this doesn't make any sense.

We are approaching a time when most of that free flowing information is LLM generated propaganda and advertising. The average person can no longer go on the internet and trust any of the things they see or read, so what's the value of such information? I would prefer the free internet of the 90s and 00s, but we're losing it even without these laws.

I'm not sure this old horror story still works. The things to be afraid of have changed too much and at a far larger scale than people then could comprehend.

The "temporary anomaly" is one of perception. It was individuals talking to individuals. In terms of volume the world has never had this much free flow of information, and its never been easier to transmit encrypted data within a group.

At the same time the problem with letting the internet be without government means it pushes digital crack to all children, and an oligarchy of (natural) monopolies tightly control certain powers through systems like "sign in with Google".

The options for companies to instead use a government backed digital identity seems like an obvious step forward if designed carefully enough.

That requires the right mindfullness of people's rights, eg the right story. I just don't think the war on the free-internet narrative from 30 years ago is up for it.

It's in the UK, EU and soon to the US.

The west is going to be less and less free.

I'm sorry I feel the chill writing this, but I hope the hackers keep the flame alive.

Hackers: keep giving the finger to regulators when they overreach. They don't get to make the future.

It's not a war.

The population (especially the youth) is anesthetized by social media, shorts, fear-inducing news, economic hopelessness, climate extremes..

In the meantime, everything is getting integrated - banks, tax systems, tech platforms. Now this age verification.. And of course, AI is being implemented everywhere so that no one can evade the big brother.

As it stands now, this Internet is no longer salvageable imo.

> Without real push-back to these dystopian laws and consequences for the people proposing and lobbying for them

If anything, I’m seeing more calls for internet regulation on HN and other tech places than in the past.

Every time something is shared about topics like kids spending too much time on phones or LLMs producing incorrect output, the comments attract a lot of demands for government regulation as the solution. Regulation is viewed as the way to push back on technological and social problems.

The closer regulations come to reality, the less popular they are. Regulation seems most attractive in the abstract, before people have to consider the unintended consequences.

The most common example I can think of is age verification: Every thread about smartphone addiction come with calls for strict age-based regulation all over the place.

Yet the calls for strict age-based internet regulation generally fail to realize that you can’t only do age verifications on kids and you can’t do it anonymously. The only way to do age verification is to verify everyone, and the only way to verify that the age verification matches the user is to remove the possibility of anonymity.

The calls for regulation always imagine it happening to other people and other companies. Few people demanding internet age verification for things like social media seem to realize that it would also apply to sites like HN. Nobody likes the idea of having to prove your identity for an age check to sign up for HN, they just want to imagine Facebook users going through that trouble because they don’t use Facebook and therefore it’s not a problem.

> They flip flop on this stuff at least once a month

Because in the background it's a French vs German vs Irish vs Czech vs $insert_eu_state business interests competing with each other.

Notice how it's almost always French legislators and businesses that mention "domestic EU tech" and not Polish, Czech, Romanian, Dutch, or even German policymakers or businesses?

That's why.

National interests always end up trumping the EU in it's current form. And for a large portion of the EU, American BigTech represents the majority of FDI (tech and overall).

Japanese and Korean automotive players did the same thing with the US in the 1980s-90s in order to ensure their interests remained aligned (though the Plaza Accords did play a role)

Because of goomba fallacy.

The EU is not a hegemonic state, but rather an economic supranational organization. France/Germany tend to be primary proponents of increased EU strategic autonomy, while Poland/Czech/Baltic states are less supportive.

Similar to recent discussions of self-hosting, it's a tradeoff of autonomy/control vs efficiency.

95% of Europeans are running American OSes today. Should age verification just wait 20 years for EurOS to be deployed?

EU is a great chihuahua, authoritarian laws get passed, national politicians say that there's nothing they can do, but they benefit greatly from all the new posibilities of control over the internet.

I mean.. great for the politicians, not for an average european.

Ineffective? Extremely so? From open borders to open roaming to the various legislation that my tiny country would never be able to force corporations into if we didn't have it at the EU level. Heck, the currency. There's so many aspects I take for granted in life and don't even think about anymore. I can just pay anywhere without thinking or conversion fees. Must have been amazing for trade though it's nearly as old as I am so I don't know how things were before. How in the world you come to a worldview of the EU being extremely ineffective, I cannot imagine. Are you from the EU?

You need to put yourself in the EU governing people shoes for a minute. Their predecessors, who were from the WW2 and Silent generations, did not care about the free Internet because they relied on the large mainstream media consuming baby boomers. They had a direct line to them. But the boomers are between 60 and 80 and vanishing. The following generations are in panic mode.

So until recently the "free" Internet did not matter politically in the EU. Tech was used to trigger color revolutions abroad where the demographics were younger.

But now the unelected EU commission inherited that Internet things and are on the wrong side of it. Worst almost everybody in the EU speaks English and listen to Joe Rogan & co. And while the US Gov might be able to control the Joe Rogan type the EU does not.

So their only move is to crack down on the Internet and limit it with a Chinese firewall type system. But they obviously do not have the ability to do so without the capabilities of an US tech giant (remember their own systems are on Office 365, every phone is Android or Apple). And this would also be in the interest of the US because it would give them a solid control over the EU.

Remember the first goal of a system is to survive and I do not see another realistic path.

On one hand, there is a will from some people to be less dependent.

On the other hand, the EU bodies as well as national reps are besieged by lobbyists and diplomats, and without much backlash from constituents, it's very hard not to find someone that will do what you want. Just look at this former EC commissioner [1] working for Uber.

Flip-floping happens occasionally when the public catches up.

[1]: https://www.ombudsman.europa.eu/en/opening-summary/en/181717

If nation states are dogs, then the EU is the parrot: loud, proud, and not a dog.

Trouble with your key strength being regulating is you need someone else to make stuff.

For Authy I don’t even feel sorry. Proprietary TOTP. sorry for off-topic

The Austrian ID App was also blocking GrapheneOS due to SafetyNet verification...

After a lot of angry emails towards the helpdesk, they at least changed it, so a failed check only shows a warning that you can accept.

The whole Chat Control crap is bullshit no one asked for, and unfortunately many countries in the EU are in favor of it. There is a map somewhere that shows the countries that are against it, I cannot find it right now.

Unfortunately many more people than you might think are in full support of this type of thing. The UK in particular is a very nanny state and this is sold as protecting children. You're not against protecting children, are you?

EU citizens voted for this. Unfortunately, EU citizens are too lazy to vote a lot of the times, and the ones that do vote are turning more and more right-wing authoritarian.

As much as the EU pretends there's some kind of united Europe, it covers different countries, with laws ranging from "sex work is just taxed work" to "all prostitution and porn is illegal". Even basic rights like gay marriage aren't consistent between member states.

Europeans were free to provide feedback to their representatives of course: https://ec.europa.eu/digital-building-blocks/sites/display/E...

However, everyone I've talked to about it said they don't care about it so they don't want to bother, which is probably what the people behind these laws are banking on.

It's called representative democracy and it's been in crisis for some years now.

> They can compell the providers of said services to give them access to how each, now identified, user is using the service.

The whole point of this is that they can't, which is unlike the systems they had used before. The only information that the service provider receives is that an age check has passed.

Neither cares about privacy, to be honest.

It's not. You can look at the Git history, it was added two months ago: https://github.com/eu-digital-identity-wallet/av-app-android...

iOS also be supported and will use Apple's remote attestation capabilities. But, as there are no real alternative ROMs for iOS devices, only Android users are really affected by this.

From a legal point of view, the app should be a reliable convenience feature and not replace traditional (physical) identity verification. How much your dad will be affected will depend on how shitty and lazy the services he uses are. If he doesn't use a phone or a computer, he probably won't notice the difference.

You can also buy an Apple device but that was never your device to begin with so nothing is lost when the EU requires Apple to be the only party with the capability to modify what your device can run

They're pushing for anything that makes their services essential and indispensable for every citizen, and thereby locks all future competition out.

Governments are reflection of their people, like it or not.

Politicians are all that stands between corporations and absolute corruption. It's why they're both their primary target and the ambition of greedy people.

> I'm getting pretty tired of the EU trying to shove internet-crippling regulations down my throat

And I'm getting tired of people pulling out pitchforks without reading anything. This is how democracies end up electing people like Trump. There are no regulations to require age verification here. The EU is simply giving guidelines for implementing harmonized age verification across the EU if any member states or companies that do business in the EU want to use it instead of making people scan ID cards like they currently do and making the receiver of said scans have to understand updates to the designs of the various ID cards used throughout the EU.

That is a different repo

That "someone" doesn't understand how hardware backed platform attestation works.

The wikipedia page does a pretty good job at explaining it: https://en.wikipedia.org/wiki/Trusted_Computing

It is to create an infrastructure for global surveillance and control of all citizens.