> Desktop support is not currently within the project's scope.
What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service?
One can dream perhaps. Until then adults who are willing to 'do what they're told' will be the ones who are inconvenienced by this constantly.
Edit: Also this will completely disable any new phone OSes being developed. Why would anyone bother when you can't verify your wallet to do anything online.
No. It's still required by law, which means that your desktop application will require some interaction with your smartphone.
One day, there will be a knock on your door.
"Good morning, this is the police. Is there something wrong with your phone? Is your phone broken? Can we provide you with a charge?"
"No, I must have turned it off accidentally."
"Can we assist you with an upgrade? The newer models don't have power buttons."
Tell somebody you use your phone less than 10 minutes a day and look at their face change.
While it's not less than 10 minutes per day for me, I was having this argument on reddit over the iPhone Air - people couldn't fathom that there's someone out there that is not on their phone 24/7, and doesn't use their phone as their main computing device.
I clock in at under an hour screen time most days. It's the least ergonomic device for me to do anything remotely serious. Can't even stand typing on a virtual keyboard. My laptop is, and will remain, my main interface to the net and communication with others.
You'd think I was some kind of weird hermit luddite because of it.
Nobody is coding or writing anything longer than an email or social media post on a virtual keyboard.
The average screen time for younger people borders on 7 hours. It's almost a third of the day or 40% of the waking day for most people. I still can't wrap my head around how that can even be possible, but then I see in public most people you look at in any given moment are reading, watching or sending/sharing something.
If the conspiracy theorists are right, the tech industry created a surveillance system beyond their wildest dreams.
Since children are universally not considered real people with real rights, schools requiring them to have the right apps to perform their schoolwork are to be expected.
Mother Russia: we'll take care about security, comrade, you just shut up and use a phone from this here list of approved models. And GrapheneOS? squinting suspiciously that's what extremists use to watch gay pornography; are you an extremist, then? No? Let's see if officer Rubber Hosesky here believes you...
https://en.wikipedia.org/wiki/The_Age_of_the_Pussyfoot#Joyma...
"The remote-access computer transponder called the "joymaker" is your most valuable single possession in your new life. If you can imagine a combination of telephone, credit card, alarm clock, pocket bar, reference library, and full-time secretary, you will have sketched some of the functions provided by your joymaker."
Just about the only thing today that's meaningfully different from the novel is that our devices are smaller and have screens instead of using voice as the primary input/output method. Well, and they don't have a "medical" module that can dispense drugs (yet?).
Interestingly enough, in the setting of that book, possession of a joymaker is a marker of good standing, and lack of one (e.g. because one cannot afford to pay for service) basically makes one homeless and a target for all kinds of nastiness including from the cops.
If the actual implementations do copy the dependency on Play Integrity and other such APIs, that does become a problem (getting past that is a major annoyance on amd64 computers because there are so few real amd64 Android devices that can be spoofed).
However, the law regarding these apps specifically states that the use of this app must be optional. I'm not sure websites and services will implement other solutions, but in theory you should not need a phone unless you want the convenience and privacy factor of app verification. I expect alternatives (such as 1 cent payments with credit cards in your name) to stick around, at least until we get a better idea about how this thing will work out in practice.
Wait a minute, while writing this comment, I realized that there was a guy who sort of packaged waydroid into flatpak-ish to run android apps in flatpak.
https://flathub.org/en/apps/net.newpipe.NewPipe
(It uses android translation layer??)
I am not an EU citizen but if somebody is & they want this age verification app on desktop, maybe the best way might be to support this android translation layer to convert this EU app into something that can run through flatpak and then use linux I suppose.
I mean, some of y'all are so talented that I feel like surely someone would do it if things do go this way! So not too much to be worried about I suppose :>
That requires an AppleID, i.e. an account with a foreign corporation.
Edit: Sorry that reference was a deep cut, I was quoting the devs of that awful Diablo mobile game way back.
I used to use the messaging app through SMS tho, the people that knew me (that 1 friend gets a shoutout here who used to msg me through SMS in the world of whatsapp and my mom!!)
Most phones are used for two things that my father used to quote: Whatsapp (messaging app) and youtube (social media)
Entertainment could somewhat be offloaded via music player etc. into dumb phones and to be really honest, I think that even things like hackernews could be operated on those dumb phones if given the ability to.
https://www.youtube.com/watch?v=QdYrBpBJRI4 : this is the dumbphone which supports signal btw. Wish there was a way to make app for dumbphones like these just as how we can make apps for androids.
I was shocked by how feature-packed my chinese dumb phone was for $11.27 lol. It just didn't have internet & yeah games as well.
Idk I created this just right now lol.
But on a serious note, maybe check out my comment on something known as the android_translation_layer with flatpak to see if that might help to run that app at least in linux.
Linking it here : https://news.ycombinator.com/item?id=45361397
Don't let perfect be the enemy of good.
Not only that, but having this locked behind something that works for 95% of users means the other 5% will never have enough leverage for any other implementations to be approved. Which is absolutely unacceptable for such an essential feature like age verification.
The target, which is the children who access "forbidden" websites without authorization, is likely to be lower than the amount of people who won't be able to access due to those narrow specs.
This is a general computing crisis.
The EU wallet does use an open standard, and the wallet app itself is developed in public as open source.
I see this as a huge stepback to be fair.
Why wouldn't that be sufficient?
Every new secure government identification/authentication/verification thing will try to 'just' use Android/iOS, because 'everyone' has one of those smartphones.
It sucks, yes, but that's probably how these people think.
the main reason is that this is not a reference implementation or "this is the app everyone must use" case but a "to see what is technically possible/practical" "research/POV" project
this also makes the "EU age verification app" title quite misleading
Which is a joke when you know that most phones in the wild are using an obsolete OS version (most of the time due to lack of software support from the manufacturer, but sometimes because some people just refuse to update because updates are in fact downgrades — looking at you iOS).
There's a much bigger likelihood of me going back to a feature-phone, compared to me starting to use my phone for anything but the absolute basics.
my commute is a really long ride and I just don't like using my phone in it.
My dumb phone had music system and sd card (I finally managed to have that sd card fixed after a year of using that dumbphone without even an sd card for music)
I just used to stare into nothingness / surrounding and think. (Yes I have edited it because I didn't use to think, I used to overthink just as I am doing right now lol)
Not that productive, but my current phone is so slow that I can't even tell you guys or start telling you. It takes me 1/2 a minute just to unlock it and the only thing it's truly good at is having a music player run and some occasional hackernews or pokemon showdown or youtube scrolling.
But tbh, I don't have any banking apps etc. so to me there isn't thaaat much of a difference. I feel like a macbook is genuinely nice as it has that less friction and a pc is great too as compared to a phone for the most part when I am at home.
My screentime is usually just some shorts that I occasionally watch on phone when I am extremelyyy bored.
I am sad that my dumb phone was in my bag one day and then it just stopped (working??), I swear I kinda regret having my dad's old phone. I am not sure how he was even using it.
The only eventuality where this is acceptable is when desktop computers won't even be gated, and then if anyone can circumvent the problem with a computer, why is anyone even bothering with the whole thing...
That doesn't surprise me at all. Principles in a government body don't exist. They are all crooks.
> combat social exclusion and discrimination
[1] https://european-union.europa.eu/principles-countries-histor...
I take your argument at face value (in that I take it that you believe the EU has that goal at some level). I just do not expect it, as an organisation, to consistently promote that goal (for much the same reasons lots of countries fail to serve their citizens).
Profit making businesses have the explicit goal of making shareholders better off. Management usually choose to balance this against other goals (ethics, the good of wider society, their own interests...), just as the EU has the explicit aim you state, but, similarly, has other conflicting aims.
Every time someone says “they’re all crooks” they are the enablers of crooks. The crooks couldn’t do it without people like that.
Again - this is only just one of the possible implementations of https://ageverification.dev/Technical%20Specification/archit...
It's possible to have others but as POC they are focusing on covering the biggest chunk of the population…
The "war on general purpose computing" need only be the waiting-out for those of us who remember actually owning a computer to die.
A desktop computer doesn't necessarily have a microphone or camera, and doesn't necessarily have to be connected to the internet. I'd wager most crime, including that which affects children, is done on "disconnected devices" in this sense.
Even though it sounds like _you_ probably know this, Cory Doctorow has been sounding this alarm for years. As usual, it seems he was right about the possibility of this being a legitimate battlefront in the (actual, non-hyperbolic) war on freedom.
I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
If something doesn't work without your phone, report it being broken. If they tell you to use your phone, tell them you don't have one. If possible, leave their service, if they don't care.
We have to make it their issue as much as possible, when they try to push their shit onto us.
Surprisingly often there is a workable alternative to using one's smartphone. We have to make use of those as much as possible, so that the cost for them to get rid of those options will be high and they think twice before doing that and offending us.
That only works in a world in which the government provides speedometers, which restrict the vehicle automatically, and in this case they refuse to provide them at all for blue cars.
This is already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.
I can log in to my bank account using my desktop PC
> government eID apps
I can sign into government websites using my desktop PC and its smart card reader and my government-issued eID smartcard. No smartphone needed.
ING in Germany forces you to either have a single Google approved smartphone or a single authenticator, not both.
DKB requires a paid Girocard to use the authenticator or a Google approved smartphone.
N26 requires a single phone but they are a bit lenient. However they have way too many incidents reported where they closed people's accounts without a reason.
The traditional banks have high fees. One pays upwards of 10-15 euros a month for Sparkasse or Commerzbank for a simple checking account. Using Sparkasse means you cannot deposit money outside county (yes county and country) borders. Many traditional banks have high fees for withdrawing outside the network.
So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.
[0] https://www.1822direkt.de/service/fragen-und-antworten/detai...
Absurd thing is that 1822 claims to make things much more secure but their 2FA reset with a single phone PIN is a joke.
I do not understand how you are coming to that conclusion regarding modern banks. You can use the authentication device, which is completely independent of Google or Apple.
TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) requires that you accept a confirmation prompt or similar in their app.
Regulations are written (at EU level) to allow X, Y and Z; somehow by the time it's implemented at member state level it miraculously only allows X or Y, and once it gets to actual service providers (who've presumably been advised by their in-house lawyers that 'Y is bad') we end up with a choice of X or nothing.
Then if you ask anyone at EU level what's going on, they point to what the regulation says, and everyone shrugs.
Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.
The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided by Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual reonboarding. It sucks when you're out of the country.
>SafetyNet or Play Integrity
A few days ago I did inspect the NovoBanco (Portuguese) apk, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the android ecosystem I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some of it was definitely related to security.
I might take a look at it again tomorrow.
I was curious if I could sideload the app without logging into a google account, meaning without using google services, but all I did was a tiny bit of static analysis instead of actually trying it.
If you have any write-ups on crazy hacks for foss systems, again it would be awesome if you could share them and greatly appreciated. Cheers
Also, is using HMS a normal thing in android development? Last I checked Huawei was persona non grata in the west, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the apk.
>Last I checked Huawei was persona non grata in the west
Isn't it only in USA?
Most banks? Do you have evidence? AFAIK many (and certainly the most used) German banks (Sparkasse, Commerzbank, Hypovereinsbank) allow chiptan which does not require a smartphone.
Hungary is in EU and the most popular bank sends a one-time code (with expiry) via SMS for logging in, making a transaction, for the mere displaying of "Telecode", and so on.
There is no TOTP, only this one-time code sent via SMS.
I do not use their apps on any platform. I log in via their website when I need to which is rare. When I make a payment via card, I have to provide the provided 3-digit "Telecode" and the one-time code sent via SMS. There is an option "What if I do not have access to that phone number?" or whatever the literal translation is, but I have not checked that out yet.
... which is why I left a comment asking you about the details. You telling me SMS is banned and referring to EU regulations just left me more confused given the above.
https://old.reddit.com/r/portugal/comments/1msc886/obriga%C3...
Effectively, if the client doesn't download the App, they will never be able to log into the homebanking website again. The bank enforced this and now if you login normally it will redirect to a page where you can download the app or use up one of three remaining chances to login. I am down to two. From now on, I'm only able to use ATMs or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, especially for a Portuguese bank.
The app on the google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.
Edit: This is the landing page (one login left, oh dear...) https://files.catbox.moe/x117iy.png
rsync, here you go:
"It has interesting permissions as well ..." ?
I assume a banking app needs (temporary) permission to use the camera for check photos or things of that nature ... and possibly (temporary) use of location data.
I would be alarmed if it requested microphone or access to either contacts or photo storage ...
As for alternatives, yes there are, I'm still figuring which ones do not require an app on the smart-phone, though.
I believe I've found a fair alternative after asking a few friends but, I have to account for other factors as well, like, how secure their infrastructure is.
This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS which I find less secure than keyfobs, but now with the SCA directives from the EU, most banks are jumping on the App 2FA bandwagon. Some do offer a government issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), especially since the Chave Movel Digital app from the government [0].
Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.
Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit janky I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.
They mitigate the obvious security threat with mandatory 2fa (actually mandated by regulation). Some use this as an opportunity to push their apps: no separate 2fa method, but only integrated in their bloated app, that checks for rooted devices and only supports the newest OS.
It’s quite hard to find out in advance what 2fa methods with which fees each bank actually requires. I remember that some of them had funny ideas about what a customer should be billed for 2fa SMS. I think it was 50 cents per SMS.
Well yeah but that's what you get when you make overly broad statements like "not in the EU".
Please stop spreading disinformation. I live in the EU and my EU bank supports desktop browsers + Card reader matching everything the mobile app can do.
That's especially crazy. With Trump's/USA's belligerence, why on earth would EU companies/banks/governments want to require that you have an Apple/Google account, it makes them totally dependent on foreigners!
Fairphone 6 with e/OS begs to differ. Dutch phone with a French OS. No issues.
I doubt it unless something odd happens like triggering some reaction. They’ve looked at the data and see the majority of society using “phones”, which are really just increasingly small computers that happen to have a feature to also make calls; and they’ve decided that this trap they’re leading us all into can and may even need to stay open and inviting for a while anyways until the older people die off and desktop form factors kind of fall by the wayside, before the trap is even ready to be sprung. In the mean time they’ll just gaslight and lie about what they’re doing, to save and protect the children of course, until the day that you turn around from a distraction and the trap door is shut behind you.
It’s the same MO as always, with the gullible and naive enablers being essentially a worse threat than the actual perpetrators.
I think this is more an example of you misunderstanding the desires of the people pushing for this.
They want to actually ban this content, they just know that is a harder sell than restricting to adults. So for them, making it harder or impossible to access the content is a feature, not a bug.
The biggest issue is that the attestation hardware and the application client is the same device with the same manufacturer, who also happens to have a slight conflict of interest between monetizing customers and preserving any sort of privacy.
IMHO the pro-attestation forces are so overwhelming that we should all cherish the moment while we have anything open left.
That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and ran by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".
This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, forces citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbiters of who is a valid person or not.
This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.
Because the EU doesn't actually care about privacy, otherwise they wouldn't be trying to do this and ChatControl. They care about being the main ones to spy on you, and maybe using fines as additional "taxes" on rich foreign companies. That's it.
Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.
Google's ad business model should never be mandated by law, unfortunately lawmakers seem to be unaware that this is what requiring Play Integrity effectively means.
Because this is being pushed by lobbyists to use hardware attestation to make it piratically mandatory for every citizen in the EU to be registered to either Apple or Google with a real id for all non-trivial online interactions at all times. The people behind this push neither have the technical knowledge nor care in the slightest that this is the consequence.
I am stealing this typo.
It's not an insane question, it just doesn't get asked.
Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.
Since Apple and Google are public companies I guess we should all buy stock and reap the financial rewards of destroying computing freedom. >sigh<
CoPilot+ PCs even require the same security chip as XBox and Azure Sphere IoT board (Pluton), in addition to TPM 2.0.
https://learn.microsoft.com/en-us/windows/security/hardware-...
It’s not the sole reason, but it’s a solid one.
For example, it would be completely fine to implement remote attestation where devices issued by companies to employees verify their TPM values with company's servers when connecting via VPN.
All other such activities directly infringe on ownership rights.
Yeah sure it guarantees that the device is more or less similar as from the factory... and then what? What am I supposed to do with that information?
You can get PCR values and decide if the device you are talking to is tampered with. That way, you can set a higher bar for hackers.
This is completely different to what this topic is about, I'm just saying that there is a case where it can be useful.
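The PCR check described in the comment above, as an added illustration that is not part of the thread or of any project's code: it replays a constructed measurement log into PCR values the way a TPM extends them, then compares a device's reported PCRs with a known-good baseline, flagging the case where the bootloader was swapped. The event log, baseline and "quote" values are all made up here.

```python
"""Replay a TPM-style measurement log and compare the resulting PCR values
against a known-good baseline, the way a VPN gateway might vet a company
laptop before letting it on the network.

Constructed example: the event log and baseline below are invented. A real
deployment would take the PCR values from a signed TPM quote (fresh nonce,
device attestation key) rather than trusting a dictionary sent by the client;
only the compare step is shown here."""
import hashlib

HASH = "sha256"
PCR_SIZE = hashlib.new(HASH).digest_size


def measure(data: bytes) -> bytes:
    """Digest of a boot component, as the firmware would record it."""
    return hashlib.new(HASH, data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). Order matters."""
    return hashlib.new(HASH, pcr + digest).digest()


def replay_log(event_log):
    """Recompute PCR values from an ordered list of (pcr_index, label, digest).

    Every PCR starts as all-zero bytes and is extended once per event."""
    pcrs = {}
    for idx, _label, digest in event_log:
        pcrs[idx] = extend(pcrs.get(idx, b"\x00" * PCR_SIZE), digest)
    return pcrs


def verify_device(quoted_pcrs, baseline, required):
    """Return the sorted list of required PCR indices that are missing from
    the quote or differ from the baseline; an empty list means 'clean'."""
    return sorted(idx for idx in required
                  if quoted_pcrs.get(idx) != baseline.get(idx))


# Constructed "golden" boot of a managed laptop (made-up components).
GOLDEN_LOG = [
    (0, "firmware", measure(b"firmware-image-1.2")),
    (0, "firmware-config", measure(b"setup-defaults")),
    (4, "bootloader", measure(b"shim+grub signed")),
    (7, "secure-boot-policy", measure(b"SecureBoot=1 db=corp-ca")),
]
BASELINE = replay_log(GOLDEN_LOG)
REQUIRED_PCRS = (0, 4, 7)


def simulate_tampered_boot():
    """Same device, but the bootloader was replaced: only PCR 4 changes."""
    log = list(GOLDEN_LOG)
    log[2] = (4, "bootloader", measure(b"unsigned custom grub"))
    return replay_log(log)


if __name__ == "__main__":
    print("clean boot mismatches:", verify_device(replay_log(GOLDEN_LOG), BASELINE, REQUIRED_PCRS))  # []
    print("tampered boot mismatches:", verify_device(simulate_tampered_boot(), BASELINE, REQUIRED_PCRS))  # [4]
```

The baseline has to be refreshed whenever firmware or bootloader updates are rolled out, otherwise legitimate updates look identical to tampering.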
If they accept us, of course. Not everyone is Snowden.
Russia is one step ahead here, with mandatory pre-installed apps, full-scale internet censorship (still catching up with China, though), mandatory DPI, etc.
And what gets me is that it's not just 'you need a phone', it's 'you need a Google or Apple account'.
The account would be easy enough with fake data and a 10€ prepaid one-time-use phone number. Finding an exploit in Android such that you can turn off Google's tracking but not trigger their "you modified your device" scans (that are to be tied to your government identity verification continuing to work) is a game I'm not looking forward to playing.
not your linux phone with waydroid or fairphone with lineageos
In any case we all know ways of bypassing this age verification will be found, probably by the kids themselves. But all this will do is enable US big tech, killing the very EU based companies the EU has been crying about for years.
Meta, Twitter, Google and M/S could not have created a better law to protect them than this law.
Hell the crazy things I used to do to connect to the internet after my mother went to sleep. She didn't want me using the internet because of phone charges so I secretly got into the roof to strip the phone wire bare and connect my own hidden cable that I would unroll and route it to my room to connect to my modem at night. YES part of it was to watch porn and download mp3s and roms. No I wasn't of legal age. Did my life get ruined by this? Well I'm an IT engineer now so arrive at your own conclusion.
I think this current hysteric moral panic is definitely being pushed by a lobby of a nascent AI industry that wants to create a problem for their surveillance tech solution.
Seeing you were on dialup, how bored were you on dec 31, 1999?
Me, I was up watching the systems work great, missing all the cool parties guzzling caffeine for 3 days. But it made managers happy for me to be there. If I tried that now, I would end up in the grave.
By the way I got hit by a considerable electric shock from that. By that time I had no idea phones carried enough tension to actually shock me.
Card payments and digital banking have closed most bank offices outside the larger cities. Mail dropoff boxes are slowly dying out. Paper bank invoices now cost extra (an unreasonable amount extra).
Granny may be able to verify her age, but the service desk won't necessarily be local.
The discussion has been shifted from "whether age verification should be a thing" to "how to implement a more convenient age verification system."
Most people don't care about this. They spend hours per day on a surveillance device, willingly contributing their data, personal information and media to monopolistic companies, including putting it into the public online sphere for the world to see. Many people are genuinely convinced this is about the safety of kids, even though the same workarounds slightly competent users know how to implement (VPNs) are the exact same tool the supposed evil-doers know how to use.
This has always been a "best effort" initiative that is unlikely to stop "dedicated" users.
This enforced loss of fidelity is among the primary problems for online communications.
I don't subscribe to the idea that we should ban knives because someone can use them to stab someone.
Maybe the internet was a mistake.
This is because words actually don't carry much meaning, they invoke something that the other side understands already. For example, it's very hard to have a conversation about some aspects of a relation of 40 y/o people if the other party is in their 20s. You need to relate with something of their age and build it up and even then it's likely they will understand it completely the wrong way. Over the years people evolve, they go over stuff and when you meet someone who hasn't been through the process you need to be aware of that otherwise you will mistake them for stupid (because, not everyone who ages ends up going through the transformation the same way. You better know if you are speaking to such a person or a younger person who has the chance).
What I don't understand is, why people assume that everything you know about someone is supposed to be used against them. Why everything needs to be malicious?
I don't remember caring that someone took a picture of me with their Nokia when I know that they'll at worst share it to a handful of people via Bluetooth or try to upload it to a friend's MSN channel via GPRS. It won't be uploaded to Facebook, facial-recognized, and stuffed into a global database. Or visiting websites: I operate a website and I know you can parse which pages I viewed straight from the access logs. I don't mind, you can see what paths I took through the website and you might learn how to make a better flow. But technically, drilling down to such an individual user level is tracking based on personal identifiers and so would require consent under 2018's GDPR. I'm happy that it now does because I don't want Google to track every page I visit, and ~everyone uses Google Analytics because then you get perks like knowing what search queries you are doing well on (how convenient that google removed referrers for privacy)
I don't really have a solid answer -- why do I care about Facebook and Google but not about John "Malicious Sysadmin" Doe? -- but maybe it makes sense on some level. I need to think about it more still
As a result, real people are having real talk in the safety group chats where they know the members to some degree, IIUC.
It's useful to have an outsider to look at this thing from a different perspective but they still need to be at about same level. It's extremely rare to have an unrelated genius, 99.9% of the time the outsiders are people who didn't go through the basics that a homogeneous group went through and they just do a speed run on the basic ideas that everybody first thought but didn't work. Still shouldn't be dismissive, has its place when the established understanding strayed away from reality but it's not possible to base all the discussion on such a composition.
What happens if something goes wrong and you have to rely on contacting a human in Google of all places? Sorry, you have a copyright strike on your YouTube account, now you can't file taxes! Hopefully you have enough followers on Twitter that you can get them to pay attention.
- Recital 71, which vaguely suggests minors' privacy and security should be extra-protected, but says that services shouldn't process extra personal data to identify them.
- Article 28, which says that platforms should provide a high level of "privacy, safety, and security of minors", again without processing extra personal data to identify them. It also says that the Commission may "issue guidelines", but says nothing suggesting age verification should be implemented.
- Article 35, which says that "large online platforms" should maybe implement age verification.
Furthermore, recital 57 says that the regulations for online platforms shouldn't apply to micro/small enterprises (which has a definition somewhere). All together, I don't see anything suggesting that anyone but the largest online services is being forced to implement age verification right now.
Judging by various posts by the Commission I've seen online, they're certainly pushing for the situation to be seen this way, but de iure, that's currently not happening.
EDIT: I found the guidelines mentioned [0], and a nice commentary on the age verification parts [1].
[0]: https://digital-strategy.ec.europa.eu/en/library/commission-...
[1]: https://dsa-observatory.eu/2025/07/31/do-the-dsa-guidelines-...
If implemented according to plan, things like ID cards, drivers' licenses, diplomas, train tickets, and even payment control can be handled within such apps entirely digitally. Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
A healthy dose of cynicism would make clear that the moment such optional infrastructure is rolled out, new legislation can be drafted to "save on expenses" by enforcing this digital model and "protect the kids/fight the terrorists" by forcing age verification on more businesses.
I'm certainly not against vigilance and making sure no new laws mandating the use of either this or the full digital wallet sneak through, but my point is that, despite the Commission's misleading public stance, age verification is (mostly) not mandatory today.
The README for the age verification spec specifically calls out article 28 of the DSA and the Louvain-la-Neuve Declaration. Neither is aiming to be the mandated age verification mechanism for every single website, but rather a specific tool to solve a specific problem: age limits on social media and big tech websites.
If, or, seeing Denmark's recent bullshit: when, we do get mandatory age requirements, it'll be part of new legislation that will likely take years to go into effect, and, seeing how long it took websites to comply with the GDPR, will start affecting most websites even later. This isn't the doomsday law that I would've expected to come from the US if they were to write something like this, and using privacy-first cryptography does give me some faint hope that this isn't just a big performance to hide malicious intent. This could've been as bad as eIDAS 2.0 with the QACs and other unreasonable technical requirements.
_Can_ be handled? So you could still just use traditional physical, paper IDs?
That doesn't make sense because the government knows about every vehicle and its owner and his social security number and there is no point to hide it. I think you misunderstood something or I misunderstood your comment.
The goal of "bringing identity to your phone" is making identification easier so that it can be required in more cases and the government knows better what its citizens do. It's one thing if you are required to fill in a 20-field form to buy a bicycle and another thing if you just need to tap your phone at the cash register.
- this project is just one implementation (POC if you want) - they simply state the current scope of the project
For anyone sane managing projects it makes sense to correctly allocate resources that would cover the most people.
And to all those whining butthurt individuals here: the reality check is that it's way more probable that someone has and uses a smartphone than a computer. Go out of your tiny bubbles...
And plenty of people, including myself, thought "this is so dystopian it couldn't possibly happen".
It did happen, and it's as bad as the doomsayers said it would be.
If you want to watch porn or view anything NSFW with websites that complied, I suppose you just start up NordVPN and select Chicago or something like that. Brits who watch porn are probably just watching more American themed porn now.
Otherwise, (some of) these websites are supposed to show you a digital verification screen with third party gateways. Usually using an ID card. I'd guess most people just installed VPNs.
At this point I don't find it impossible that critics or other "enemies" of US (or Israel) in Europe will get their phones bricked as sanctions, and as a result become second class citizens.
I don't even see the necessity for having hardware attestation. We've had for decades online ID systems that you can run on any device with an internet connection.
But think of the children, right?
I have very little hope that the common user will make use of their own agency avoiding a dystopia, or even think about issues associated with their behavior. We can see this everywhere even today. The majority of people are clueless and just accept whatever bone is thrown their way. Need to buy a new phone every year now? OK. Pressured to accept digital surveillance by not even state agencies but private profit oriented companies, that want to sell your data or use it for nefarious purposes? OK. Giving all your communication data to big tech? OK. ... It is all just a big "auto-accept any digital rape" for most people, as they don't even want to think about the technical implications and implications for society. It's all so far above their technological understanding that they just exit the bus when it comes to discussing these things. That is the problem we face. How to make the normal person aware and interested in their own digital rights.
My optimistic brain is hopeful for federated services to become the norm and stand up to this kind of crap.
Start a revolutionary, reactionary movement. Many people wonder how the current US president was elected. Regardless what your political stance is, it's good evidence that if you can recruit a huge number of followers in your agenda (and in the process, likely make nearly as many opponents), and have them repeat your "propaganda" as much as possible, you can do anything. That's how you can defeat Big Tech.
If you so much as began talking about something like digital sovereignty, they'd bunch you with the fake moon landing and flat Earthers.
I have no hope in them.
This is addressed in the comments:
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
So I think a better title might be "EU age verification example app not planning desktop support"
(don't get me wrong, I'm not a fan of how this is implemented, but it's important to be accurate in our critique)
Are you forced into a wechat situation or something?
A phone should not be a requirement to partake in society, and I'd even argue the same for a bank account. But I see this month another strong push towards a digital Euro. Is that the true purpose behind this push for .eu ID Apps?
I believe it's still possible to use the physical card with a reader for many things.
I think some services still don't work with the CMD. Recently, I had to ask for changes to my car's document, and it seems it's only possible with the card itself. (https://www.automovelonline.mj.pt/AutoOnlineProd/)
Notably not the Netherlands. They've got the ID card chip (as required internationally iirc) but I emailed them once to get the public key so I can verify signatures (this was like 2016, I was still in school) and they said it was for governmental use only. It's not meant to be used by commercial entities.
Why the EU decides to go with the bad example rather than the good example, I have no idea. Both ways achieve the stated goal of age verification and even the possible goal of universal ID tracking, without preventing you from doing whatever you want with your phone's privacy settings.
Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0
Actual Demo: https://app.hornpub.click
How it works:
1) Go to app.hornpub.click
2) Create an ephemeral passkey
3) Extract its public-key and id (this binds the credential you're creating to your device)
4) The user copies this data to their bank's Age-Verification-Section
5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key
6) The user copies this back to app.hornpub.click
7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.
8) The user's age has been verified by their bank without the bank knowing who is asking for verification
* This method is more private than anything requiring sharing your photo-id online
* This method doesn't trigger GLBA or GDPR (user copies data themselves)
* This method is free to the merchant (hornpub)
"Hey third fifth of Oregon! Do you want to triple your customer base in Oregon for the cost of a small dev team and 1 month of work?!"
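The eight-step flow above, as an added example that is neither the poster's code nor the hornpub implementation: an Ed25519 key pair stands in for the WebAuthn passkey, the bank signs a short-lived attestation over that key and an age_over_18 flag, and the site checks the bank's signature, the expiry, and a fresh challenge answered by the attested key. The field names, the 10-minute validity window and the JSON layout are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the object the bank signs (step 5). It binds an age statement
// to the ephemeral passkey's public key and credential id, not to a name.
type Attestation struct {
	CredentialID string `json:"credential_id"`
	PasskeyPub   []byte `json:"passkey_pub"`
	AgeOver18    bool   `json:"age_over_18"`
	IssuedAt     int64  `json:"issued_at"`
	ExpiresAt    int64  `json:"expires_at"`
}

// SignedAttestation is what the user copies back to the site (step 6).
type SignedAttestation struct {
	Attestation
	BankSig []byte `json:"bank_sig"`
}

// newPasskey simulates steps 2 and 3: an ephemeral key pair whose public key and
// id the user hands to the bank. Ed25519 stands in for a WebAuthn credential here.
func newPasskey() (ed25519.PublicKey, ed25519.PrivateKey, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := sha256.Sum256(pub) // credential id derived from the key, for the simulation only
	return pub, priv, hex.EncodeToString(id[:8])
}

// bankIssue is step 5: the bank, which already knows the customer's age (KYC),
// signs the attestation. It is short-lived so that it cannot be reused much later.
func bankIssue(bankPriv ed25519.PrivateKey, credID string, passkeyPub ed25519.PublicKey,
	over18 bool, now time.Time) SignedAttestation {
	a := Attestation{CredentialID: credID, PasskeyPub: passkeyPub, AgeOver18: over18,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(10 * time.Minute).Unix()}
	msg, _ := json.Marshal(a) // struct field order makes the encoding deterministic
	return SignedAttestation{Attestation: a, BankSig: ed25519.Sign(bankPriv, msg)}
}

// siteVerify is step 7: check the bank's signature, freshness, the attribute, and
// that the key the bank attested is the one answering the site's challenge.
func siteVerify(bankPub ed25519.PublicKey, sa SignedAttestation, challenge, passkeySig []byte,
	now time.Time) error {
	msg, _ := json.Marshal(sa.Attestation)
	if !ed25519.Verify(bankPub, msg, sa.BankSig) {
		return errors.New("bank signature invalid")
	}
	if now.Unix() > sa.ExpiresAt || sa.IssuedAt > now.Unix() {
		return errors.New("attestation expired or not yet valid")
	}
	if !sa.AgeOver18 {
		return errors.New("bank did not attest age over 18")
	}
	if len(sa.PasskeyPub) != ed25519.PublicKeySize {
		return errors.New("malformed passkey public key")
	}
	if !ed25519.Verify(ed25519.PublicKey(sa.PasskeyPub), challenge, passkeySig) {
		return errors.New("presenter does not control the attested passkey")
	}
	return nil
}

// runFlow executes steps 2 to 8 once and returns the site's verdict.
func runFlow(bankPub ed25519.PublicKey, bankPriv ed25519.PrivateKey, over18 bool, now time.Time) error {
	passPub, passPriv, credID := newPasskey()
	sa := bankIssue(bankPriv, credID, passPub, over18, now)
	challenge := make([]byte, 32) // fresh per login, so a captured answer cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	return siteVerify(bankPub, sa, challenge, ed25519.Sign(passPriv, challenge), now)
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader) // the bank's long-term key
	fmt.Println("adult:", runFlow(bankPub, bankPriv, true, time.Now()))
	fmt.Println("minor:", runFlow(bankPub, bankPriv, false, time.Now()))
}
```

Note that the bank and the site both see the same public key and credential id, which is the linkable identifier the collusion replies in this thread are about; the site only proves that the attestation and the challenge answer are consistent, not that the person at the keyboard is the bank's customer.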
> f*cking app on my phone
I need another app on my phone like I need another hole in my head...
If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
What would need to happen in the United States to implement a reliable ZKP age verification system - and how long would it take to roll it out?
Asking because it feels like the Titanic has sunk, and we're eschewing a floating door because the coast guard has regulation conformant life rafts that would work better.
Realistically at least 3-4 years, assuming they want to keep the same goals as eIDAS. I think the (software) implementation will be the least costly part, time-wise; but it takes a long time before everyone adopts a new social system. Especially in the US where there has been no precedent for digital identification. Even with full control of your own ID & solid implementation details, there will be push-back just for suggesting that people/companies should adopt it.
The ZKP approach aims to prevent this attack method.
mPulse
Google Marketing Platform Meta
LinkedIn Ads
Trade Desk
Aggregate Knowledge (Trans Union)
Adobe Audience Manager
Can you elaborate on how the risk of ironbank and hornpub colluding by de-anonymizing you via rainbow tables or IP forensics is substantially greater than Chase and PornHub using - Google Marketing?
Anyway I'm not advocating for this solution, just addressing the question directly.
I don't see this as the end all ultimate solution for age verification. I see it more as a tourniquet; imperfect - but better than bleeding to death.
This is called "linkability" and ideally should be avoided so anonymous age verification can be safe.
Further, if you put on an adblocker and I get access to the logs at ironbank and hornpub; I could just query them for your IP address.
Collusion to this degree is possible, but doesn't seem worth worrying about if the aforementioned attack vectors still exist. My $0.02.
The project is just an example.
It does not mean there will not be support for other ways of verification.
I said what I said, do not @ me.
Not even hardware attestation?
This is not an accident. This is intent. Look at the arrests for social media posts in the UK and Germany.
This project is not THE digital wallet, it is an early prototype of the wallet (which can be criticized for what it is, but the issue is somewhat orthogonal).
The actual infrastructure is not based on attestation, if you read the guidelines (or the readme) they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in terms of privacy as some suggested. And allows for cross-platform (and in theory hardware) support.
If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
...what?
There are some choices that are debatable (more on the issuer side iirc), but imho for the goals it has it's a competently made architecture.
This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).
The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.
It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.
The repository we're commenting on has the following in the spec[0]: "A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP)". So given that the current spec is not in use, this seems incorrect.
> It will also be trivial to circumvent
If you have a key with the attribute of course you can 'bypass' it, I don't think that's a bug. The statement required should be scaled to the application it's used for; this "over-asking" is considered in the law[1].
> The project is supposed to prove that age verification is viable, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better.
I agree that in its current state it is effectively unusable due to the ZKPs being omitted.
[0]: https://github.com/eu-digital-identity-wallet/av-doc-technic...
[1]: https://youtu.be/PKtklN8mOo0?si=bbqtzMhIK7cFLh6S&t=375
No, that's not what they mean. They just mean that the spec (and for now only the spec, not the implementation) will be amended with an experimental feature, while the implementation will not (yet).
I understand (?) that you are interpreting this as: "we'll later document something that we've already implemented", but this is not the case. That isn't how this project operates, and I'm intimately familiar with the codebase so I'm completely certain they haven't implemented this at all. There is no beginning or even a stub for this feature to land, which is problematic, as an unlinkable signature scheme isn't just a drop-in replacement, but requires careful design. Hence privacy by design.
> If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug.
Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.
So as we already know that the solution will be trivial to circumvent, it shouldn't be released without at least very clearly and publicly announcing its limitations. Only if such expectations are correctly set do we have a chance not to end up in a cycle where the open source and privacy story will be abandoned in the name of security.
[1] Because of the linkable signature scheme in principle misuse can be detected by issuers, but this would be in direct contradiction with their privacy claims (namely that the issuer pinky promises not to record any issued credentials or signatures).
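An added example, not the project's code, of the linkability described above and of the detection angle in the footnote: a minimal SD-JWT style credential in which the issuer signs salted claim digests, the holder discloses only age_over_18, and the issuer's and verifier's records can be joined on the signature value. Ed25519, the issuer name, the subject and the log shapes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// disclosure is one SD-JWT style salted claim; only its digest is signed, and the
// holder reveals the (salt, name, value) triple itself when it chooses to.
type disclosure struct {
	Salt  string
	Name  string
	Value interface{}
}

// digest is the value placed in _sd: sha256 over the base64url-encoded triple.
func (d disclosure) digest() string {
	b, _ := json.Marshal([]interface{}{d.Salt, d.Name, d.Value})
	h := sha256.Sum256([]byte(base64.RawURLEncoding.EncodeToString(b)))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// credential is the issuer-signed part. Sig is the identifier that both the
// issuer (who produced it) and every verifier (who receives it) get to see.
type credential struct {
	Issuer  string   `json:"iss"`
	Digests []string `json:"_sd"`
	Sig     string   `json:"sig"`
}

// signingInput covers everything except the signature itself.
func (c credential) signingInput() []byte {
	b, _ := json.Marshal(struct {
		Iss string   `json:"iss"`
		SD  []string `json:"_sd"`
	}{c.Issuer, c.Digests})
	return b
}

// issuerLog records who received which signature (constructed for the example).
type issuerLog map[string]string

// issue salts every claim, signs the digests, and hands the holder the disclosures.
func issue(priv ed25519.PrivateKey, subject string, claims []disclosure, log issuerLog) (credential, []disclosure) {
	ds, digs := make([]disclosure, len(claims)), make([]string, len(claims))
	for i, c := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // crypto/rand; error check omitted only for brevity
		ds[i] = disclosure{Salt: base64.RawURLEncoding.EncodeToString(salt), Name: c.Name, Value: c.Value}
		digs[i] = ds[i].digest()
	}
	cred := credential{Issuer: "member-state-issuer-example", Digests: digs}
	cred.Sig = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, cred.signingInput()))
	log[cred.Sig] = subject
	return cred, ds
}

// verify checks the issuer signature and that each shown disclosure hashes into
// _sd. It returns only the disclosed claims: all an honest verifier learns.
func verify(pub ed25519.PublicKey, cred credential, shown []disclosure) (map[string]interface{}, error) {
	sig, err := base64.RawURLEncoding.DecodeString(cred.Sig)
	if err != nil || !ed25519.Verify(pub, cred.signingInput(), sig) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	covered := map[string]bool{}
	for _, d := range cred.Digests {
		covered[d] = true
	}
	out := map[string]interface{}{}
	for _, d := range shown {
		if !covered[d.digest()] {
			return nil, fmt.Errorf("disclosure %q is not covered by the issuer signature", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

// link is the collusion: join the signatures a verifier saw to the issuer's record.
// It recovers the person behind each presentation and, by counting, also shows how
// an issuer could spot one credential being replayed far too often.
func link(il issuerLog, seenSigs []string) map[string]int {
	count := map[string]int{}
	for _, s := range seenSigs {
		if who, ok := il[s]; ok {
			count[who]++
		}
	}
	return count
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	il := issuerLog{}
	cred, ds := issue(priv, "Alice Example (constructed)", []disclosure{{Name: "given_name", Value: "Alice"},
		{Name: "birthdate", Value: "1990-01-01"}, {Name: "age_over_18", Value: true}}, il)
	shown, err := verify(pub, cred, []disclosure{ds[2]}) // holder reveals age_over_18 only
	fmt.Println("verifier learned:", shown, err)
	fmt.Println("after joining logs:", link(il, []string{cred.Sig, cred.Sig}))
}
```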
I can see this argument, but it has a few caveats:
- The 'faucet', providing infinite key material in an open proxy is also very vulnerable
- If the only attribute is age verification then uniqueness is not required; i.e. you can borrow the key of someone you trust and that should be fine.
- The unlinkability is a requirement from the law itself, i.e. the current implementation cannot be executed upon assuming rule of law holds
Even if it is ZKP still… the whole idea is just bad. I mean the whole age-verification done by gov is bad.
And forcing one to use smartphone is even worse.
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
Is anyone building that service?
This is the equivalent of a "Do you guys not have phones??"[1] but on a way larger scale.
At least where I live I am able to use the bare minimum of phones, even working with tech. The friction is increasing though, which worries me a lot, and day after day there is a new attempt to shove it down your throat if you want to be considered a member of society. Seeing that a lot of countries (including mine) are pushing for age verification, and the whole thing about Android blocking 'sideload', by the end of 2026 you won't be considered a human being without a government certified smartphone.
My brother hates tech more than me, and only has an old flip phone. I'm always surprised by the random problems he runs into as a result. Unresponsive desktop sites that beg you to download apps are the worst.
https://www.msn.com/en-ie/travel/news/ryanair-s-new-check-in...
Also, I'm not too worried about the airport usecase as we're already being tracked and surveilled and inspected there as much as possible.
But it's another step to normalize and mandate phone and app use. The puzzle pieces are falling in place. Soon, AI could screen-capture your phone screen to detect suspicious activity, and track every tap you do, also taking pictures with the front-facing camera without you knowing, listening on the mic, etc. etc., connecting it all to your real identity. Because why not? If it's done step by step, nobody will care at all. Maybe that sounds pessimistic, but it looks like the end game and I see no principled political stance against it, nor any insurmountable technical hurdles.
That's an insinuation with some vague truth to it, but not much. Budget airlines are not government departments, and competition between them isn't phony.
"The sky is blue" "I feel that it is increasingly yellow"
The former happening would make so many things easier.
This isn't a serious argument.
Ex - we already have plenty of cases where the government outsources payment processing to 3rd parties. What happens when that private 3rd party declares it's not accepting payments through anything except a mobile app?
Or maybe not. I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?
https://www.youtube.com/watch?v=0QwwPmHyuEA
Again, being argumentative like this never helps, but it will be you either go along with it, get escorted out or not fly in the first place.
I know that his behavior was not a rational pursuit, since in practice humans are too skittish about standing up for themselves and too skittish against anyone whom they see as abnormal/not complying with social norms. But, this does not change the fact that he's completely in the right. I'd love to know a more effective strategy to deal with this shit from companies, if anyone knows one. What should he do instead in this situation where it is simply too unjust to him to be acceptable to give in?
Also, I'm offended at this cop for telling the guy to "be cordial". NO. The airline's behavior is not cordial! They do NOT deserve it back! Freedom of speech means freedom to get mad at someone, possibly REALLY mad, when they try to be unreasonable. Being angry is different from being violent, and the government shouldn't shield people and companies from this consequence (angry people) of their actions.
I see this a lot on reddit and youtube. I tend to think that it's bots paid for by the company.
There's always just too much unanimous agreement in favor of the corporation.
Maybe I just don't want to believe that people are that homogenized.
No TLS certificate (which will expire soon), no boarding. /s
> I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?
Yes, typically there's a fee for getting it printed at the check-in counter.
They still let me fly from UK to USA and back.
This was 1997. Wild times.
Ryanair? I would expect them to offer you their boarding pass printing service for only $99.99 (you missed the $49.99 special that was only available until 4 hours before boarding, silly you).
Your average phone user is already hostage to 7 hours of screentime daily. They don't mind installing more apps. The average person has hundreds of apps on their phone, many of which are never even used.
Nothing much has changed since the times when you had to "fix" your aunt's computer in 2003 because it's "slow" and found a zillion toolbars and cleanup/speedup utilities.
More to the point, the app isn't for my convenience. It doesn't do anything to make my experience better.
There's a line item which basically said "mobile web" and they wanted it gone to save some number of dollars per year.
It's all about better tracking. I'm not quite sure what additional info they get exactly, but tons and tons of mobile websites (that work and don't get deleted) are close to unusable due to a barrage of popups telling you to use the app (e.g. Reddit and other socials).
Also there is no indication they will stop the mobile web version. Already today the mobile web version is there but it explicitly refuses to show the boarding pass QR code: https://i.redd.it/lj3wdnfp9mq91.jpg
But they refuse to do so in order to get all that data which they can sell. In a mobile app it's way harder to run ad blockers and much easier to sneakily collect information on the user. Especially on android which is by far the biggest OS in the countries where Ryanair operates.
I'd think it's only maybe 5-10% of customers at most who both use desktop over mobile to get their boarding pass and use an ad-blocker on desktop. And honestly I don't remember ever seeing an ad (even on Ryanair) when getting my boarding pass on mobile. OTOH I distinctly remember seeing many giant ads on printed boarding passes, most often on printed boarding passes brandished by other customers (usually printed in full color!). I'd think that's hugely more valuable as advertising real estate than the iota of additional data they get to collect on a few adblock users who have been forced to use mobile.
And even without adblockers a mobile app can gather much more data on you than a website can.
probably more guaranteed location tracking - hey this guy is buying tickets from the expensive part of town on the newest model iPhone! Chance we can jack up the price, 99% good!
It definitely reduces costs to swap 3 platform support to 2, but it still came as a kind of surprise to me. They (customer) poured years and seven digit figures into the web-based version which is now effectively going to be trashed. The current prod metrics are not supporting the 90% mobile thesis... I guess they just have high confidence that it will become true soon.
I'm wondering if these are the first signs of an age-based bias I have and the next generation just can't really imagine a majority of users using desktop PCs.
Internal job tracking metrics would have to answer why any time is going to running this thing, and god help us if there's a security breach via this endpoint we were supposed to have eliminated N time ago.
An unsupported internal API is one thing - and they're generally a huge timesink anyway. An unsupported external user interface is a cost center which I can't justify, and impacts numerous other parts of the business.
You can always spot them by the first word being “No” or “False” followed by a confidently asserted yet hilariously incorrect statement.
I suggest reading this [0] and approaching these discussions with more humility in the future. As you yourself stated, you’re an SRE, not a security expert, yet this forum is full of them.
0: https://peabee.substack.com/p/everyone-knows-what-apps-you-u...
Only marketed as such. Selling user data generates revenue. Win-win
Fingers crossed the Russians figure this out and help remind these businesses why lacking paper alternatives is NOT a cost-saving measure. The group that can take down that API endpoint can pretty much name their price to Ryanair and the C-suite will effectively have a fiduciary duty to shareholders to pay it if there's truly zero alternative and that starts disrupting revenue indefinitely.
Ryanair has always been a horrible corporation in the business of shipping drunk and old people for £5 with the help of public subsidies. They also largely abused their staff to enable that business model.
They are like many other corporations creating more and more fragile systems and I bet one of those days something is gonna go wrong and nobody will board their plane for a day or two.
Just stop feeding the beast...
To quote Gilles Deleuze's Postscript on Societies of Control (1992):
>The conception of a control mechanism, giving the position of any element within an open environment at any given instant (whether animal in a reserve or human in a corporation, as with an electronic collar), is not necessarily one of science fiction. Felix Guattari has imagined a city where one would be able to leave one's apartment, one's street, one's neighborhood, thanks to one's...electronic card that raises a given barrier; but the card could just as easily be rejected on a given day or between certain hours; what counts is not the barrier but the computer that tracks each person's position-licit or illicit...
https://faculty.umb.edu/gary_zabel/Courses/Spinoza/Texts/Pos...
Not going to use the app of course. If that restricts me I will seek to route around this censorship and share with others. This crap has to be resisted.
Stupid project, stupid design, stupid continent.
Fast forward a few decades and now the old users are on desktop and we’re worried about services only being available for smartphones.
Remotely related: https://ottawacitizen.com/news/manor-park-ottawa-sidewalk-re... there are dozens of us, dozens.
Mobile phones are the only platform at the moment that can reasonably be used to enforce mandatory software installs and remote attestation. Removing sideloading can, down the road, lead to Google (or Apple for iOS) forcing all app store provided apps/browsers to support government authentication APIs like this.
Having said that I like how in PL we have very nice auth to all government services that finally works well (it's like the 5th implementation of this system). It makes it very easy to use gov services, and before you had to log in with bank accounts or create some crappy accounts. Now it just works with faceID and done.
You can also log in to 3rd parties as well. For example I was able to get my medical health results info from a commercial provider by sharing basic info from this auth app without creating an account or anything (they get access to Gov ID).
I would like to have the ability to choose if I use a new one for this provider or one that can be linked with other services. Kinda like with Apple anonymising emails. Are there any efforts in this direction?
They faced the same question. Here is their answer: https://github.com/orgs/swiyu-admin-ch/discussions/20
The tldr is that they have a legal requirement to bind "verifiable credential shares" with the same human who got the e-ID originally, up to the current best practical technology. On Android, they judge that to be "keep the private key in the HSM and require a local biometric (or PIN) unlock to use it". This is why they argue that proving your age will not be possible without a mobile device.
You can prove your age anonymously, for an anonymous account, which can be used on a non-mobile device. It's just that the proving-the-age part must happen from a mobile device.
À propos of more or less nothing: in the Swiss context, websites requesting the proof will be required to request the least information necessary for their need. They must NOT ask for your name, ID number, or birthdate if the question they are trying to answer is, "is this person old enough for our service?"
This is excellent technology, and the Swiss law on it that we are voting for next weekend is an excellent law, so I urge a OUI/JA/SI vote on it, if you're a Swiss citizen.
Glancing at the thread, I don't see that conclusion. User 'sideeffect42' cites some laws and says
>> As I read this it nowhere says that the e-ID has to be bound to a device. It only speaks about binding it to its owner which (IANAL) could be implemented by password protection (like KeePass) as well, since only the owner knows the password.
Nobody seems to have replied to that
Alternatively, the software could just scan your ID card's chip when you need it, or whatever it is that it does for first-time-use verification anyway. It need not require that your phone is locked down, locking you out of any control over tracking, installed apps, or reading the phone's storage and network traffic to merely see what it tracks about you. The phone can simply act as an NFC reader so that your ID can sign a challenge with an "over 18" flag included within the signed data.
And that's if you want ubiquitous age verification in the first place. I find that u/raincole made a good point here that outlandish implementations have successfully shifted the discussion away from the aspect of whether ID-based checks must be widely performed: https://news.ycombinator.com/item?id=45361883
> so I urge [to vote a certain way], if you're a Swiss citizen
Is this post genuinely trying to add something to the thread, or a way to promote your agenda?
Easy battery and screen replacements, USB C on iPhones, 7 years of US updates, etc, all due to the EU.
In another couple of decades the EU will be an irrelevant market as their population becomes even poorer. Then we can finally be free of their nonsense. The only risk is that the Eastern European countries become more prosperous than the Western European ones and prop up their influence.
Oh, wait, you can already do that :-)
If it were only that. We could sandbox it, deny it permissions it doesn't need, or inspect what it does. All fine and dandy.
No, it's the first time a democratic government requires you to carry a 5G video recorder that you can't turn off short of smashing it to pieces if the manufacturer is ordered to make it so. But then you can't do half the things a normal person can do so you won't smash it to pieces if you don't have evidence it's currently acting as a bug.
The EU software tries to detect when you put it in a sandbox or when you merely try to inspect what it's doing. Attach a debugger and it'll refuse to verify your age to social media so you can't use that anymore. Install an open source OS on your phone and you can't so much as legally obtain your own government's software in the first place.
That's a large factor worse. The digital identity wallet has as one of its spear points privacy, but it forces you to have that big tech privacy slaying account.
It's a privacy tying sale.
Nah seriously this doesn't really apply to Git.
Besides that, as long as people do not realize that desktops are for personal ownership and personal production while mobile devices are only for surveillance and consumption, all digitization efforts will push those who know toward something else: cryptos instead of legal tender money, self-hosted stuff and so on.
As a result, at a given point in time the population will be split into two main cohorts: those who know vs. all the rest.
The system works really well and it’s very convenient.
So smart! (Sarcasm)
[1] https://github.com/eu-digital-identity-wallet/av-doc-technic...
1) So long as these age verification methods are for things at home, I think most people opposed to smartphones ("client devices" we have to pay for) will not be too inconvenienced. A few years ago, my broker quit letting us use plastic code cards for 2FA and required that we use an Android/iOS device, but I'm willing to tolerate having a single-purpose tablet in a drawer, though I'm still annoyed to essentially have a $100 undisclosed fee attached to a service I have to pay every 3-4 years when they drop support for older versions of Android.
2) I've so far only been locked out of minor services like Anthropic by not having a smartphone w/ mobile service, not because they require app use but because they ban VOIP numbers for registration. Many businesses do charge me a little extra for not using a smartphone, but the cost is not too high, about on par with ignoring loyalty cards.
3) this cannot ever be required for something like onsite ID verification (e.g. at an airport) or I would be locked out of essential government processes. I'm willing to keep a device in a drawer, but will never carry a client device around with me.
4) This is not a problem exclusively for an elderly grandma with a satellite brick phone. I'm in my 30s with an IT/developer background.
The current design and usage of cryptographic primitives does not allow for unlinkability (it is actually quite easy for verifiers and relying parties to collude) and it certainly is not state-of-the-art. BBS signatures would achieve actual unlinkability, but those have been outright rejected by the designers.
The current implementation is poised to not comply with the regulation that established the mandate for the wallet, and it violates GDPR. The best one could hope for is for the CJEU to strike down the whole project.
The GitHub organization of the OP's post has various issues that discuss these ills. Here is a position of several cryptographers against the current design: https://github.com/eu-digital-identity-wallet/eudi-doc-archi...
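Two comments in this thread describe the same mechanism from opposite sides: the earlier one proposes that the phone act only as an NFC relay so the ID chip signs a fresh challenge with an "over 18" flag inside the signed data, and the one above points out that such a design, built from ordinary signatures, is linkable because colluding relying parties see the same credential every time. The Go program below is an added illustration of both points, written for this thread; it is not code from the EUDI wallet project and does not follow its real data formats. It assumes (for the demo only) ed25519 keys for the issuing state and for the ID chip, a one-byte over-18 attribute, a 32-byte random nonce as the relying party's challenge, and a fixed domain-separation prefix; all of these are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keys bundles the two key pairs the demo needs: the issuing state's and the ID chip's.
// (Assumption: ed25519 for both; real eID chips and issuers use other schemes.)
type Keys struct {
	IssuerPub  ed25519.PublicKey
	IssuerPriv ed25519.PrivateKey
	CardPub    ed25519.PublicKey
	CardPriv   ed25519.PrivateKey
}

// Credential is what the issuer puts on the chip: the chip's public key plus the
// attribute it vouches for, signed by the issuer. It is static for the card's lifetime.
type Credential struct {
	CardPub   ed25519.PublicKey
	Over18    bool
	IssuerSig []byte
}

// Presentation is what the phone (acting only as an NFC relay) forwards to the
// relying party: the credential plus the chip's signature over the party's challenge.
type Presentation struct {
	Cred    Credential
	Nonce   []byte
	CardSig []byte
}

func GenerateKeys() (Keys, error) {
	ipub, ipriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keys{}, err
	}
	cpub, cpriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keys{}, err
	}
	return Keys{IssuerPub: ipub, IssuerPriv: ipriv, CardPub: cpub, CardPriv: cpriv}, nil
}

// credentialBytes is the canonical encoding the issuer signs: card key || over-18 byte.
func credentialBytes(pub ed25519.PublicKey, over18 bool) []byte {
	b := append([]byte{}, pub...)
	if over18 {
		return append(b, 1)
	}
	return append(b, 0)
}

// Issue is the one-time enrolment step: the state certifies the chip key and the attribute.
func Issue(issuerPriv ed25519.PrivateKey, cardPub ed25519.PublicKey, over18 bool) Credential {
	return Credential{CardPub: cardPub, Over18: over18,
		IssuerSig: ed25519.Sign(issuerPriv, credentialBytes(cardPub, over18))}
}

// NewChallenge is generated by the relying party per session so a presentation cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// challengeMessage binds the nonce to the credential (including the over-18 flag),
// so the chip's signature covers the attribute the relying party will act on.
func challengeMessage(cred Credential, nonce []byte) []byte {
	msg := append([]byte("age-demo-v1:"), nonce...) // constructed domain-separation prefix
	return append(msg, credentialBytes(cred.CardPub, cred.Over18)...)
}

// Present is what the chip does when tapped: sign the challenge, attach the credential.
func Present(cardPriv ed25519.PrivateKey, cred Credential, nonce []byte) Presentation {
	return Presentation{Cred: cred, Nonce: nonce, CardSig: ed25519.Sign(cardPriv, challengeMessage(cred, nonce))}
}

// Verify is the relying party's check: fresh nonce, issuer-signed credential,
// chip-signed challenge, and only then the attribute itself.
func Verify(issuerPub ed25519.PublicKey, expectedNonce []byte, p Presentation) error {
	if !bytes.Equal(expectedNonce, p.Nonce) {
		return errors.New("nonce mismatch: possible replay")
	}
	if !ed25519.Verify(issuerPub, credentialBytes(p.Cred.CardPub, p.Cred.Over18), p.Cred.IssuerSig) {
		return errors.New("credential not signed by the issuer")
	}
	if !ed25519.Verify(p.Cred.CardPub, challengeMessage(p.Cred, p.Nonce), p.CardSig) {
		return errors.New("challenge not signed by the card named in the credential")
	}
	if !p.Cred.Over18 {
		return errors.New("holder is not over 18")
	}
	return nil
}

// Linkable is the weakness the comment above describes: because the credential is the
// same bytes at every tap, two relying parties that compare records can tell that two
// presentations came from the same card. An unlinkable scheme (e.g. BBS-style proofs)
// would give each relying party a presentation that cannot be matched this way.
func Linkable(a, b Presentation) bool {
	return bytes.Equal(a.Cred.IssuerSig, b.Cred.IssuerSig)
}

func main() {
	k, _ := GenerateKeys()
	cred := Issue(k.IssuerPriv, k.CardPub, true)
	n1, _ := NewChallenge()
	p1 := Present(k.CardPriv, cred, n1)
	fmt.Println("relying party 1 verify:", Verify(k.IssuerPub, n1, p1))
	n2, _ := NewChallenge()
	p2 := Present(k.CardPriv, cred, n2)
	fmt.Println("relying party 2 verify:", Verify(k.IssuerPub, n2, p2))
	fmt.Println("colluding parties can link the two sessions:", Linkable(p1, p2))
}
```

Note that the chip's signature alone already gives the relying party what it needs (a fresh, issuer-backed over-18 statement) without any attestation of the phone's OS, which is the earlier comment's point; and that the same static credential is exactly what makes `Linkable` return true, which is the point of the comment above.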
emigre•4mo ago
nicce•4mo ago
throw834920•4mo ago
See: https://news.ycombinator.com/item?id=44704645