See: >>44704645
CoPilot+ PCs even require the same security chip as XBox and Azure Sphere IoT board (Pluton), in addition to TPM 2.0.
https://learn.microsoft.com/en-us/windows/security/hardware-...
- Recital 71, which vaguely suggests minors' privacy and security should be extra-protected, but says that services shouldn't process extra personal data to identify them.
- Article 28, which says that platforms should provide a high level of "privacy, safety, and security of minors", again without processing extra personal data to identify them. It also says that the Commision may "issue guidelines", but says nothing suggesting age verification should be implemented.
- Article 35, which says that "large online platforms" should maybe implement age verification.
Furthermore, recital 57 says that the regulations for online platforms shouldn't apply to micro/small enterprises (which has a definition somewhere). All together, I don't see anything suggesting that anyone but the largest online services is being forced to implement age verification right now.
Judging by various posts by the Commision I've seen online, they're certainly pushing for the situation to be seen this way, but de iure, that's currently not happening.
EDIT: I found the guidelines mentioned [0], and a nice commentary on the age verification parts [1].
[0]: https://digital-strategy.ec.europa.eu/en/library/commission-... [1]: https://dsa-observatory.eu/2025/07/31/do-the-dsa-guidelines-...
If implemented according to plan, things like ID cards, drivers' licenses, diplomas, train tickets, and even payment control can be handled within such apps entirely digitally. Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
A healthy dose of cynicism would make clear that the moment such optional infrastructure is rolled out, new legislation can be drafted to "save on expenses" by enforcing this digital model and "protect the kids/fight the terrorists" by forcing age verification on more businesses.
Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.
Wait a minute, while writing this comment, I realized that there was a guy who sort of packaged waydroid into flatpak-ish to run android apps in flatpak.
https://flathub.org/en/apps/net.newpipe.NewPipe
(It uses android translation layer??)
I am not an EU citizen but if somebody is & they want this age verification app on desktop, maybe the best way might be to support this android translation layer to convert this EU app into something that can run through flatpak and then use linux I suppose.
I mean, some of y'all are so talented that I feel like surely someone would do it if things do go this way! So not too much to be worried about I suppose :>
Idk I created this just right now lol.
But on a serious note, Maybe check out my comment on something known as the android_translation_layer with flatpak to see if that might help to run that app atleast in linux.
Linking it here : >>45361397
I used to use the messaging app through SMS tho, the people that knew me (that 1 friend gets a shoutout here who used to msg me through SMS in the world of whatsapp and my mom!!)
Most phones are used for two things that my father used to quote: Whatsapp (messaging app) and youtube(social media)
Entertainment could somewhat be offloaded via music player etc. into dumb phones and to be really honest, I think that even things like hackernews could be operated on those dumb phones if given the ability to.
https://www.youtube.com/watch?v=QdYrBpBJRI4 : this is the dumbphone which supports signal btw. Wish there was a way to make app for dumbphones like these just as how we can make apps for androids.
I was shocked by how much feature packed my chinese dumb phone was for 11.27$ lol. It just didn't have internet & yeah games as well.
Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0
Actual Demo: https://app.hornpub.click
How it works:
1) Go to app.horpub.click
2) Create an ephemeral passkey
3) Extract its public-key and id (this binds the credential you're creating to your device)
4) The user copies this data to their bank's Age-Verification-Section
5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key
6) The user copies this back to app.hornpub.click
7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.
8) The user's age has been verified by their bank without the bank knowing who is asking for verification
* This method is more private than anything requiring sharing your photo-id online
* This method doesn't trigger GLBA or GDPR (user copies data themselves)
* This method is free to the merchant (hornpub)
Again - this is only just one of the possible implementations of https://ageverification.dev/Technical%20Specification/archit...
It's possible to have others but as POC they are focusing on covering the biggest chunk of the population…
I believe it's still possible to use the physical card with a reader for many things.
I think some services still don't work with the CMD. Recently, I had to ask for changes to my car's document, and it seems it's only possible with the card itself. (https://www.automovelonline.mj.pt/AutoOnlineProd/)
> combat social exclusion and discrimination
[1] https://european-union.europa.eu/principles-countries-histor...
This is the equivalent of a "Do you guys not have phones??"[1] but on a way larger scale.
At least where i live i am able to use the bare minimum of phones, even working with tech. The friction is increasing though, which worries me a lot, and day after day there is a new attempt to shove it down your throat if you want to be considered a member of society. Seeing that a lot of countries (including mine) are pushing for age verification, and the whole thing about Android blocking 'sideload', by the end of 2026 you won't be considered a human being without a government certified smartphone.
They faced the same question. Here is their answer: https://github.com/orgs/swiyu-admin-ch/discussions/20
The tldr is that they have a legal requirement to bind "verifiable credential shares" with the same human who got the e-ID originally, up to the current best practical technology. On Android, they judge that to be "keep the private key in the HSM and require a local biometric (or PIN) unlock to use it". This is why they argue that proving your age will not be possible without a mobile device.
You can prove your age anonymously, for anonymous account, which can be used on a non-mobile device. It's just that the proving the age part must happen from a mobile device.
À propos of more or less nothing: in the Swiss context, websites requesting the proof will be required to request the least information necessary for their need. They must NOT ask for your name, ID number, or birthdate if the question they are trying to answer is, "is this person old enough for our service?"
This is excellent technology, and the Swiss law on it that we are voting for next weekend is an excellent law, so I urge a OUI/JA/SI vote on it, if you're a Swiss citizen.
There are some choices that are debatable (more on the issuer side iirc), but imho for the goals it has it's a competently made architecture.
TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) require that you accept a confirmation prompt or similar in their app.
This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).
The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.
It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.
[1] >>44458323
https://old.reddit.com/r/portugal/comments/1msc886/obriga%C3...
Effectively, if the client doesn't download the App, they will never be able to log into the homebanking website again. The bank enforced this and now if you login normally it will redirect to a page where you can download the app or use up one of three remaining chances to login. I am down to two. From now on, I'm only able to use ATM's or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, specially for a Portuguese bank.
The app on the google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.
Edit: This is the landing page (one login left, oh dear...) https://files.catbox.moe/x117iy.png
rsync, here you go:
The repository we're commenting on has the following in the spec[0]: "A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP)". So given that the current spec is not in use, this seems incorrect.
> It will also be trivial to circumvent
If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug. The statement required should be scaled to the application it's used for; this is "over-asking" is considered in the law[1].
> The project is supposed to prove that age verification is viable, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better.
I agree that in it's current state it is effectively unusable due to the ZKPs being omitted.
[0]: https://github.com/eu-digital-identity-wallet/av-doc-technic... [1]: https://youtu.be/PKtklN8mOo0?si=bbqtzMhIK7cFLh6S&t=375
Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.
[0] https://www.1822direkt.de/service/fragen-und-antworten/detai...
https://www.msn.com/en-ie/travel/news/ryanair-s-new-check-in...
As for alternatives, yes there are, I'm still figuring which ones do not require an app on the smart-phone, though.
I believe I've found a fair alternative after asking a few friends but, I have to account for other factors as well, like, how secure their infrastructure is.
This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS which I find less secure that keyfobs, but now with the SCA directives from the EU, most banks are jumping on the App 2FA bandwagon. Some do offer a government issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), specially since the Chave Movel Digital app from the government [0].
Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.
Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit jankie I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.
https://www.youtube.com/watch?v=0QwwPmHyuEA
Again, being argumentative like this never helps, but it will be you either go along with it, get escorted out or not fly in the first place.
It's all about better tracking. I'm not quite sure what additional info they get exactly, but tons and tons of mobile websites (that work and don't get deleted) are close to unusable due to a barrage of popups telling you to use the app (e.g. Reddit and other socials).
Also there is no indication they will stop the mobile web version. Already today the mobile web version is there but it explicitly refuses to show the boarding pass QR code: https://i.redd.it/lj3wdnfp9mq91.jpg
Glancing at the thread, I don't see that conclusion. User 'sideeffect42' cites some laws and says
>> As I read this it nowhere says that the e-ID has to be bound to a device. It only speaks about binding it to its owner which (IANAL) could be implemented by password protection (like KeePass) as well, since only the owner knows the password.
Nobody seems to have replied to that
Alternatively, the software could just scan your ID card's chip when you need it, or whatever it is that it does for first-time-use verification anyway. It needs not require your phone is locked down, locking you out of any control over tracking, installed apps, or reading the phone's storage and network traffic to merely see what it tracks about you. The phone can simply act as an NFC reader so that your ID can sign a challenge with an "over 18" flag included within the signed data
And that's if you want ubiquitous age verification in the first place. I find that u/raincole made a good point here that outlandish implementations have successfully shifted the discussion away from the aspect of whether ID-based checks must be widely performed: >>45361883
> so I urge [to vote a certain way], if you're a Swiss citizen
Is this post genuinely trying to add something to the thread, or a way to promote your agenda?
to quote Gilles Deleuze's Postscript on Societies of Control(1992):
>The conception of a control mechanism, giving the position of any element within an open environment at any given instant (whether animal in a reserve or human in a corporation, as with an electronic collar), is not necessarily one of science fiction. Felix Guattari has imagined a city where one would be able to leave one's apartment, one's street, one's neighborhood, thanks to one's...electronic card that raises a given barrier; but the card could just as easily be rejected on a given day or between certain hours; what counts is not the barrier but the computer that tracks each person's position-licit or illicit...
https://faculty.umb.edu/gary_zabel/Courses/Spinoza/Texts/Pos...
You can always spot them by the first word being “No” or “False” followed by a confidently asserted yet hilariously incorrect statement.
I suggest reading this [0] and approaching these discussions with more humility in the future. As you yourself stated, you’re an SRE, not a security expert, yet this forum is full of them.
0: https://peabee.substack.com/p/everyone-knows-what-apps-you-u...
[1] https://github.com/eu-digital-identity-wallet/av-doc-technic...
Remotely related: https://ottawacitizen.com/news/manor-park-ottawa-sidewalk-re... there are dozens of us, dozens.
The current design and usage of cryptographic primitives does not allow for unlikability (it is actually quite easy to for verifiers and relying parties to collude) and it certainly is not state-of-the-art. BBS signatures would achieve actual unlinkability, but those have been outright rejected by the designers.
Current implementation is poised to not comply with the regulation that established the mandate for the wallet and it violates GDPR. The best one could hope for is for CJEU to strike down the whole project.
The GitHub organization of the OP's post has various issues that discuss these ills. Here is a position of several cryptographers against the current design: https://github.com/eu-digital-identity-wallet/eudi-doc-archi...
https://en.wikipedia.org/wiki/The_Age_of_the_Pussyfoot#Joyma...
"The remote-access computer transponder called the "joymaker" is your most valuable single possession in your new life. If you can imagine a combination of telephone, credit card, alarm clock, pocket bar, reference library, and full-time secretary, you will have sketched some of the functions provided by your joymaker."
Just about the only thing today that's meaningfully different from the novel is that our devices are smaller and have screens instead of using voice as the primary input/output method. Well, and they don't have a "medical" module that can dispense drugs (yet?).
Interestingly enough, in the setting of that book, possession of a joymaker is a marker of good standing, and lack of one (e.g. because one cannot afford to pay for service) basically makes one homeless and a target for all kinds of nastiness including from the cops.
