Luker88

The EU reference for wallets strictly required Google Play services https://github.com/eu-digital-identity-wallet/eudi-app-andro...

So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires Google.

Nothing will change until the lawsuits start coming in.

The only hope is the Motorola/GrapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.

Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.

ulrikrasmussen

Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the user's entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.

Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offers them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.

petcat

A European digital ID system that is entirely dependent on 2 US companies.

Wasn't there some talk about the pressing need for European digital sovereignty recently? Or was that just performative nonsense?

phyzix5761

Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where market share becomes available due to the higher implementation cost.

nickslaughter02

Working as intended. EU wants you to use a device and OS they can fully control. Don't comply with some new ridiculous regulation? Your app will be banned.

> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements

> Apple’s app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.

https://www.techrepublic.com/article/eu-app-store-apple-digi...

You think apps which wouldn't want to implement Chat Control will remain on the app store?

EU to legislate about Chat Control behind closed doors (https://news.ycombinator.com/item?id=48707719)

BoppreH

So when Google bans someone, that person also loses access to all services that require digital ID, forever?

I remember when a Youtuber asked live viewers to "vote" by typing emojis, and a whole bunch of viewers got their Google accounts banned for spamming[1]. Google is also famously averse to user support (understandable given the scale of their free services), so individual remedy is unlikely.

I can already see the new ransomware: "pay us or we'll send spam from your gmail and you'll lose your digital ID".

[1] https://www.engadget.com/2019-11-10-youtube-reinstates-banne...

littlecranky67

Here in Germany we had court rulings saying the German railway (DB) must offer offline tickets that do not require a computer or smartphone to purchase to not discriminate against the elderly. I am pretty sure we will see similar rulings for EUDI wallet requiring Google/Apple.

lxgr

There's a relatively simple and much more open and secure solution to this: Make physical EU ID cards the attestation source, and require users to tap them against their phone for critical operations (high-value signatures, login on a new device or after repeated authentication failures etc).

That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.

As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.

robalni

Just a general rule of thumb:

If I am not able to use any digital service or product on a computer that I could have built entirely myself (or had anyone of my choice build for me), running code I could have written entirely myself (or had anyone of my choice write for me), then that is completely unacceptable.

sam_lowry_

EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.

And complement it with hardware tokens for highly sensitive applications.

Passkeys could have been that, but they were quickly subverted by the industry.

uyzstvqs

I really don't like how EUDI (OpenID4VP) works in the first place. IMO it should be scrapped and rebuilt from the ground up.

It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.

peterspath

They should not make it mandatory for or expect people to have a smartphone.

RobKohr

In the last 5 years so much of the legislative pressure is coming down to remove anonymous Internet access to save the children or protect us from some harm.

In the end it is all being used to track and control us.

"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin

Never truer words ever spoken. And yet we keep slipping down this slope again and again and again and it seems there is never a way to climb back out.

u1hcw9nx

This only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example:

1. Smart Cards (The Current National ID)

2. Standalone Hardware Tokens & USB Keys

earth_tattoo

A little off topic, but does anybody else think that all these attacks on personal freedoms across the western world are very coordinated? Suddenly all countries are making social media ban under 16 laws. Same goes for centralized digital currency push.

antirez

Europeans do a lot of stupid things, but I believe in light of all the scandals we saw in recent times, you can't explain EU behavior and choices without accounting for corruption. EU division and different level among the different countries of wealth, integrity of political sphere, and different cultural biases make us the perfect target for bribes in order to control votes and choices. Not just promoted by external actors. The Chat Control is a great example: everybody understands how bad this is, the arguments are mostly a shield to avoid revealing the real agenda.

MyMemoryfails

Every time EUID is mentioned, people forget that EUID is not anonymous!

EUID has "provider/verifier" endpoint which communicates with your website to inform you are indeed 18+ age.

Link: https://github.com/eu-digital-identity-wallet/eudi-srv-verif...

The GitHub page has a graph of how it works.

So Government can track your accounts via IP, timestamps, token (if website saves it).

Just in case you don't bother visiting the GitHub page, the simplified flow works like this:

1) You scan QR code 2) Verification 3) Provider/Verifier informs website +18 age

So if I verify my age then watch some material which doesn't agree with my government values like females with male genitals. I'd be royally screwed if government wishes to pursue.

naveensky

Why can't EU have something like Aadhaar (ID-verification for Indians) https://uidai.gov.in/en/

It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.

You get a unique Aadhaar ID (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.

edukite

So as an EU citizen and owner of Fairphone 6 with e/OS I'm banned from using apps I should be allowed to use?

welhoilija

Time to reach out to your MEPs! I would imagine the ID could be web-based, for example, which would make it much less dependent on Google's or Apple's "SAFETY" services.

28304283409234

More about Waag: worth a read https://waag.org/en/about-waag/ - Marleen Stikker is a national treasure.

MaoSYJ

The way to frame this so politicians care is: we are giving monetary policies power to a foreign corporation.

zmmmmm

It's honestly quite baffling that the EU would want to put any more power in the hands of any US controlled company at this point. The US is a borderline hostile state, only recently threatening to invade Greenland among numerous other examples. The situation with Anthropic has illustrated that the US government will not hesitate to leverage power over US companies when it feels its interests are advantaged by doing so. If anything, the EU should be banning use of Google or Apple dependent architectures, not pseudo mandating them.

edg5000

There seems to be no awareness from EU governments about how much power we're handing over to two large outside companies. This incompetence in the leadership will cause a lot of harm over the years. This has been going on for a long time.

greenleafone7

I like how we quickly moved past the fact that the government wants to know who we are, what we visit, what we say, what we buy, and has explicitly said that they want to control what we buy, where we go, and what we are allowed to say. But we are focused on what specific mega-corporation those systems will use to function.

I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens. The government should know as little as possible about us. We on the other hand should know every single move, decision, and discussion they have while they sit on the chairs we paid for.

J-Kuhn

Sarcastic view: Doesn't matter - the EU won't listen, then pull a surprised Pikachu and make laws to force Google's Play Integrity to attest that other devices are genuine, because obviously, the problem is Google, not stupid design decisions made while creating the app.

hoppp

It's all lining corporate pockets but what can we do? Europe needs sovereign smartphone infra but even if that existed people would still prefer iPhones.

The corporations have the tech and network effects on their side.

dariosalvi78

Digital single market, digital sovereignty and all those nice words...

MeteorMarc

Previous discussion, related to GrapheneOS: https://grapheneos.org/articles/attestation-compatibility-gu...

6thbit

Is it out of character for the EU to push a half baked solution out that covers most but a tiny fraction of the population only to get sued later on and rule against its own idea?

santiagobasulto

I think we're missing the important point here.

The problem is not that the ID wallets require Google and Apple. The problem is that we're getting eaten alive by this Big Brother called EU (led by the UK initiatives) that is starting an unprecedented control over the population.

These ID wallets should be all optional, there should NOT be any age verifications.

I remember ~10 years ago when Europe was laughing at China's face detection systems to track citizens.

We're becoming much worse than that now.

everdrive

Absolutely baffling why the EU would be doing this.

romx

The entire software even free one is. We need to exclude them all.

KoolKat23

This quite literally validates those "tinhat conspiracy" folks, honestly the EU are not doing us or themselves any favours here. If it is intended to replace cash then it should function like cash. This limitation is draconian.

There is one thing after the next, under Von der Leyen and Metsola, it's ridiculous.

boxed

> Governments are cementing a monopoly they claim to oppose

Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems need to be built now anyway.

hsuduebc2

We just can't help it. Can we.

Only reasonable explanation I have, other than pure incompetence, is that this has been in development for quite a long time and the current political situation became an obvious problem only in the last few years.

amlord

Self-Sovereign Identity wallets that are cross-device are the way around this, but relies on institutions following this path.

Vendor lock-in is real

stronglikedan

And when the safety services of Google and Apple fail, the citizens will be the only ones to pay a price. This is madness.

fithisux

So, we have safety services owned by a country with nuclear weapons, while Europe is regressing in all domains.

This is not safe.

realusername

I don't know who thought that national ids should be vetted by two private companies, not even European!

No thanks, I don't want any of that for obvious security reasons

exabrial

OH FFS. "safety services". NO. It's monopolistic services.

steviee

Big facepalm... EU had really only one job with the EU wallet... And missed the point completely. GrapheneOS is probably closer to EU data security and privacy standards than Android or iOS.

buffer_overlord

I use coinpay’s DID; it is simple, anonymous and works. It’s open source too.

Devasta

It's simply unreal that the EU is pushing that in order to participate in society that I must accept the TOS of Google or Apple.

God help you if you need to try and fix a serious problem. Sorry, you loaded a video of the first dance of your wedding to YouTube and now have a copyright strike, now you can't file taxes.

Hopefully you are famous enough on Twitter to get someone in Google to fix this.

newsclues

In general government policy for technology and communications is a regulatory capture gift to big corporations.

The government gets data to “manage” the citizens and the companies get data to “manage” consumers and the power structure is protected.

aa-jv

5 years ago, some smarty pants would've worked out how to implement digital ID wallets on the blockchain, and there would've been some uptake for it in the European environment .. these days however, it appears everyone has given up on that idea and defaulted back to the fascist approach (corporations doing government work).

poulpy123

LMAO of course

LoganDark

Huh. This article lumps Apple in with Google when its only qualms seem to be with Google's terrible behavior. The entire article is about Google Play.
