1. disrup+(OP)[view] [source] 2025-09-24 13:45:45
The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?

That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and run by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".

This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, forces citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbiter of who is a valid person or not.

This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.

replies(7): >>ronsor+41 >>jeroen+F4 >>IlikeK+g7 >>Freak_+nb >>fithis+Ii >>Confik+wQ >>sudden+6V2
2. ronsor+41[view] [source] 2025-09-24 13:50:18
>>disrup+(OP)
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?

Because the EU doesn't actually care about privacy, otherwise they wouldn't be trying to do this and ChatControl. They care about being the main ones to spy on you, and maybe using fines as additional "taxes" on rich foreign companies. That's it.

replies(1): >>dzikim+hK2
3. jeroen+F4[view] [source] 2025-09-24 14:03:55
>>disrup+(OP)
The app this discussion is about is a reference implementation that is part of a long-term process for building a digital identity app. Specifically, this discussion is about the age verification part of the app, which is the first part expected to be finished but is also only a small part of a much wider ideal.

Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.

https://github.com/eu-digital-identity-wallet

replies(2): >>zb3+xu >>codedo+fy
4. IlikeK+g7[view] [source] 2025-09-24 14:16:05
>>disrup+(OP)
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?

Because this is being pushed by lobbyists to use hardware attestation to make it piratically mandatory for every citizen in the EU to be registered to either Apple or Google with a real id for all non-trivial online interactions at all times. The people behind this push neither have the technical knowledge nor care in the slightest that this is the consequence.

replies(1): >>ykonst+P9
◧◩
5. ykonst+P9[view] [source] [discussion] 2025-09-24 14:26:15
>>IlikeK+g7
>piratically mandatory

I am stealing this typo.

6. Freak_+nb[view] [source] 2025-09-24 14:33:18
>>disrup+(OP)
Take any group of a hundred tech people (devs, analysts, architects, etc.), and 95 of them will do everything with their stock Android or iOS smartphone. Maybe 3 will consciously limit their use of that device, and the remaining 2 reluctantly use something sane like GrapheneOS. Those two might pipe up and take a stand for people without smartphones (which includes a very varied swath of people, from Luddites to people with disabilities), but they'll get drowned out by sighs, sheepish looks, and the chorus of 'let's just start with those two smartphone OSes, and if after a year or two people still really need something else, a new project can be started to address that'.

It's not an insane question, it just doesn't get asked.

7. fithis+Ii[view] [source] 2025-09-24 15:08:04
>>disrup+(OP)
Do you believe they care for the EU? The driving forces are other.
◧◩
8. zb3+xu[view] [source] [discussion] 2025-09-24 15:59:51
>>jeroen+F4
But you could do attestation on GrapheneOS, no need to require the users to have Google spyware preinstalled. Google is abusing its position here, attestation should be to verify the security model, not Google's business model.
replies(1): >>codedo+yy
◧◩
9. codedo+fy[view] [source] [discussion] 2025-09-24 16:13:41
>>jeroen+F4
This "identity wallet" is such a hostile idea, require identification for everything instead of thinking about how to remove identification (for example, allow anonymous banking, traveling).
replies(1): >>pelora+wt1
◧◩◪
10. codedo+yy[view] [source] [discussion] 2025-09-24 16:14:20
>>zb3+xu
Attestation is fundamentally incompatible with software freedom.
replies(1): >>ulrikr+4E
◧◩◪◨
11. ulrikr+4E[view] [source] [discussion] 2025-09-24 16:37:59
>>codedo+yy
When scoped to attest the full software stack down to the kernel, yes, because it takes control away from the general purpose computing device that the user supposedly owns. I don't, however, have a problem with attestation scoped to dedicated hardware security devices such as YubiKeys.
replies(1): >>zb3+2H
◧◩◪◨⬒
12. zb3+2H[view] [source] [discussion] 2025-09-24 16:51:56
>>ulrikr+4E
And if such dedicated hardware is ever required by the law, the manufacturer should be prohibited from bundling any business-related functionality there (such as displaying ads) that can't be turned off without breaking the certification.

Google's ad business model should never be mandated by law, unfortunately lawmakers seem to be unaware that this is what requiring Play Integrity effectively means.

replies(1): >>ulrikr+d51
13. Confik+wQ[view] [source] 2025-09-24 17:39:34
>>disrup+(OP)
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?

Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.

[1] https://github.com/paolo-de-rosa

replies(1): >>argomo+Sh2
◧◩◪◨⬒⬓
14. ulrikr+d51[view] [source] [discussion] 2025-09-24 18:49:19
>>zb3+2H
Yes, and remote attestation should be illegal on any general purpose computing device, for some reasonable definition of what that is. General purpose computing should be a human right, in particular the right to change the software running on devices that you own.
◧◩◪
15. pelora+wt1[view] [source] [discussion] 2025-09-24 21:07:07
>>codedo+fy
Wait until you find out that in some places in the EU it's a crime to not carry a physical ID on your person when you leave the house.
replies(1): >>argomo+3i2
◧◩
16. argomo+Sh2[view] [source] [discussion] 2025-09-25 03:50:11
>>Confik+wQ
That's so dumb... Europe did it with Airbus and they did it with GNSS. Come on Europe, make a smartphone! The hardware's only getting cheaper.
◧◩◪◨
17. argomo+3i2[view] [source] [discussion] 2025-09-25 03:52:13
>>pelora+wt1
Is it just me, or are nation-states getting way too uppity?
replies(1): >>baq+wm2
◧◩◪◨⬒
18. baq+wm2[view] [source] [discussion] 2025-09-25 04:52:17
>>argomo+3i2
In post-Soviet countries it’s a relic of the past, obviously still useful if you’re looking for a reason to arrest someone.
◧◩
19. dzikim+hK2[view] [source] [discussion] 2025-09-25 09:31:07
>>ronsor+41
Chat control is being pushed by an anti-EU Danish representative. The EU cannot help against extremists if people vote them into power in EU structures.
20. sudden+6V2[view] [source] 2025-09-25 11:14:44
>>disrup+(OP)
Because the EU is essentially designed to keep European countries weak and subservient to the United States.