zlacker

[return to "EU age verification app not planning desktop support"]
1. baq+ac 2025-09-24 13:11:33
>>sschue+(OP)
This is hardware attestation in a nutshell: a double-edged sword, and a sharp one at that.

The biggest issue is that the attestation hardware and the application client are the same device with the same manufacturer, who also happens to have a slight conflict of interest between monetizing customers and preserving any sort of privacy.

IMHO the pro-attestation forces are so overwhelming that we should all cherish the moment while we have anything open left.

◧◩
2. disrup+Jj 2025-09-24 13:45:45
>>baq+ac
The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?

That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and run by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".

This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, forces citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbiter of who is a valid person or not.

This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.

◧◩◪
3. jeroen+oo 2025-09-24 14:03:55
>>disrup+Jj
The app this discussion is about is a reference implementation that is part of a long-term process for building a digital identity app. Specifically, this discussion is about the age verification part of the app, which is the first part expected to be finished but is also only a small part of a much wider ideal.

Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.

https://github.com/eu-digital-identity-wallet

◧◩◪◨
4. zb3+gO 2025-09-24 15:59:51
>>jeroen+oo
But you could do attestation on GrapheneOS, no need to require the users to have Google spyware preinstalled. Google is abusing its position here; attestation should be to verify the security model, not Google's business model.
◧◩◪◨⬒
5. codedo+hS 2025-09-24 16:14:20
>>zb3+gO
Attestation is fundamentally incompatible with software freedom.
◧◩◪◨⬒⬓
6. ulrikr+NX 2025-09-24 16:37:59
>>codedo+hS
When scoped to attest the full software stack down to the kernel, yes, because it takes control away from the general purpose computing device that the user supposedly owns. I don't, however, have a problem with attestation scoped to dedicated hardware security devices such as YubiKeys.
◧◩◪◨⬒⬓⬔
7. zb3+L01 2025-09-24 16:51:56
>>ulrikr+NX
And if such dedicated hardware is ever required by the law, the manufacturer should be prohibited from bundling any business-related functionality there (such as displaying ads) that can't be turned off without breaking the certification.

Google's ad business model should never be mandated by law; unfortunately, lawmakers seem to be unaware that this is what requiring Play Integrity effectively means.
