Please don’t link to Reddit. Context below:
The EU is currently developing a whitelabel app to perform privacy-preserving (at least in theory) age verification to be adopted and personalized in the coming months by member states. The app is open source and available here: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui.
Problem is, the app is planning to include remote attestation feature to verify the integrity of the app: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui?tab=readme-ov-file#disclaimer. This is supposed to provide assurance to the age verification service that the app being used is authentic and running on a genuine operating system. Genuine in the case of Android means:
-
The operating system was licensed by Google
-
The app was downloaded from the Play Store (thus requiring a Google account)
-
Device security checks have passed
While there is value to verify device security, this strongly ties the app to many Google properties and services, because those checks won’t pass on an aftermarket Android OS, even those which increase security significantly like GrapheneOS, because the app plans to use Google “Play Integrity”, which only allows Google licensed systems instead of the standard Android attestation feature to verify systems.
This also means that even though you can compile the app, you won’t be able to use it, because it won’t come from the Play Store and thus the age verification service will reject it.
The issue has been raised here https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/10 but no response from team members as of now.
So is there a way to apply pressure on the EU to think this through first? Surely they could have different ways that doesn’t lock them in to google services.
According to the users in that issue, the mere application of the API is illegal, as is the dependency. Sooo I dunno what kind of PACs there are in the EU but I would be leaning on and contributing to those.
To avoid people from simply copying the “age proof” and having others reuse it, a nonce/private key combo is needed. To protect that key a DRM style locked down device is necessary. Conveniently removing your ability to know what your device is doing, just a “trust us”.
Seeing the EU doesn’t make any popular hardware, their plan will always rely on either Asian or US manufacturers implementing the black-box “safety” chip.
The key doesn’t have to be on your phone. You can just send it to some service to sign it, identifying yourself to that service in whatever way.
It’s that “whatever way” that is difficult. This proposal merely shifts the problem: now the login to that 3rd party can be shared, and age verification subverted.
A phone can also be shared. If it happens at scale, it will be flagged pretty quickly. It’s not a real problem.
The only real problem is the very intention of such laws.
If it happens at scale, it will be flagged pretty quickly.
How? In a correct implementation, the 3rd parties only receive proof-of-age, no identity. How will re-use and sharing be detected?
There are 3 parties:
- the user
- the age-gated site
- the age verification service
The site (2) sends the request to the user (1), who passes it on to the service (3) where it is signed and returned the same way. The request comes with a nonce and a time stamp, making reuse difficult. An unusual volume of requests from a single user will be detected by the service.
-
What’s going on with Europe lately? You all really want GOOGLE of all mega corps in control of your identity?
You’re going the opposite way, it should be your right to install an alternate OS on your phone. If anything they should be banning Google licensed Android.
Its not the populace, our politicians just like in the US have gone rogue. People are voting for the nutters due to anti immigration propaganda and so increasingly getting far right. Its happening across the entire western world and its bad news for everyone.
Except this isn’t even the right wing nutters doing it. These are mainstream politicians executing their power grabbing neolib agenda, with very little democratic oversight or public debate.
At least in the UK it has been the Labor party doing it, they all want control.
I just wanted the EU to fork lineageOS and provide it as an alternative in major chains.
I miss LineageOS so much, my last couple of phones haven’t had a build of it and my asshole banking apps wont work on it now.
For my next phone i’m just not going to buy one unless it’s already supported and if I have to skip online banking I’ll do it.
I use the banks webpage. Still works on LineageOS even when the app doesn’t
one advantage of cards over banking apps
I use cards, I don’t even have NFC on my phone, but it is nice to be able to check my bank account, lock/unlock the card, deposit checks, etc.
I may be able to do most of that on the website, idk. Guess I’m probably going to find out :)
I can just text bal to my bank to get my balance
Use the old phone w generic android for banking apps. Most banking websites will still have app functionality too
Fwiw there’s fairphone with eOS
They get their tech advice for laws from big tech.
to hear it from any non-Americans on lemmy they’re better than America.
looks like they’re just as susceptible to this fascist bullshit to me though…
We invented this bullshit, of course we’re susceptible.
Still better than America, though ;P XD
We’re sneaky. I call it effective authoritarianism, it’s a sugar coated baton
Hey Google, where was the origin of fascism?
Fuck the play integrity API, Play Store and Google play services
And the EU for their stupid fucking censorship
Sure, but it has some good sides as well
It’s just a shame that they aren’t just made of the good sides
Excuse me, censorship is not good in any way. The people should have the power to decide what they want to see, and what they want to say. Not government officials nor private platform owners.
I was saying the EU has done some great things, not that censorship has good sides
Ah, my apologies. It was unclear
My bad
My instance could also hint at it ;)
Yeah no. Requiring anything Google for something as basic as this violates the GDPR. If they go through with this, it’s one legal case until they have to revise it.
Edit: German eID works on any Android btw., flawless actually. I sure hope I can use that for verification
Edit: German eID works on any Android btw., flawless actually. I sure hope I can use that for verification
Same in Italy… I mean, I can pay taxes with that application but I cannot be verified for my age ? Seriously EU ?
deleted by creator
EID and equivalents are great for a lot of things, but do you want your porn site to know who you are? The new app is supposed to verify your age but not give out your PII. Not sure eID can do that?
EID can be used for anonymous age verification. It doesn’t even need to give out your birthday and can attest to any “over the age of X” requirement.
Ah, better than what we have in Estonia then
violates the GDPR.
I wouldn’t be too sure. Data protection mainly binds private actors. Any data processing demanded by law is legal. You’d really have to know the finer points of the law to judge if this is ok.
The GDPR also applies to public institutions as far as I’m aware - but most importantly the concern here is Google and data collected by Google. This data collection is in no way necessary to provide the age verification service. Most of it is not even related to it. The state legally cannot force you to agree to some corporations (i.e. Google’s) terms, even if we completely ignore the GDPR.
Data processing mandated by law is legal. Governments can pass laws, unlike private actors. Public institutions are bound by GDPR, but can also rely on provisions that give them greater leeway.
I don’t see how that this is in any way necessary, either. But a judge may be convinced by the claim that this is industry standard best practice to keep the app safe. In any case, there may be some finer points to the law.
The state legally cannot force you to agree to some corporations (i.e. Google’s) terms,
I’m not too sure about that, either. For example, when you are out of work, the state will cause you trouble if you do not find offered jobs acceptable.
It’s another question, if not having access to age-gated content is so bad as to force you to do anything. Minors nominally have the same rights as full citizens, and they are to be denied access, too.
European Digital identity
looks inside:
Hosted on GitHub in the US 👏
That’s ironic
Why is the EU licking america’s asshole?
'Cos it’s been turning (far-)right as well in the last few years.
Which is why Europeans shouldn’t be too eager to laugh about the US being a fascist hellhole. It could happen there again if they’re not vigilant.
Dude, I keep telling my possibly AfD voting cousin we’re just a few years behind the US if things continue as they do. Our politicians aren’t better people, they’re just sneakier for now.
The way that the EU has been bending over for Trump is worrying.
No one is laughing… We’re horrified how the people who have been screaming “freedom” and being obnoxious about how much more free they are than anyone else in the entire universe, seem to love getting enslaved while being obnoxious about how cool it is to be enslaved.
Europe has its problems. We’ve had them for generations, and right now they’re getting worse. But at least we have a culture of fighting back, something americans don’t.
But at least we have a culture of fighting back, something americans don’t.
Talk is cheap. Prove it in the coming years. I really hope you’re right, because I want SOMEWHERE to not be either a coporate fascist hellholle or a collapsed country in the future…
In Hungary, we still have people who think fascism is when “evil people do evil things for the sake of evil”, so when fascists want to hurt Roma, LGBTQIA+, etc. people, no one dares to call them fascists as long as said people have “receipts” in the form of cobbled together statistics, and have a not too cruel solution.
So, darkweb sites it is.
And then EU politicians will be surprised Pikachu, when CSAM (actual CSAM) will be popular…
The US might have shot itself in the foot by electing Trump, but the EU is really going to shoot itself in the head if that continue in the same trajectory.
deleted by creator
Sorry to horrify you but we are definitely worse.
You should read more international news if you think either the EU or US is “the worst place”. Somalia for example has been in civil war since the 1980s.
So VPN on the router permanently set to Singapore it is.
so if I use graphene os then I can’t look at porn in the eu
Just use a VPN then.
Wait till they put up a EU Great Firewall and ban VPNs
While this will happen eventually, and circumvention takes skills, it is fundamentally possible, for motivated individuals.
Wut?!?!
They killed the old net and are in the middle of murdering the new one too.
It hurt itself in its confusion!
Google Pain Services
Well, I hope they’ll pay for my “EU age verification” phone, since my own won’t work. I’ll gladly buy one and not use it either.
How long before that extends to PCs and non-Windows OSes are blocked? Also, add non-Chrome browsers to that as well (that includes Edge, Chromium, Brave, etc. as well as Firefox and its forks).
