Actions speak louder than words.

I am unable to install the EU Login app on my phone because I use LineageOS and not the Google Spy Android.

Thus, I cannot use the double factor authentication, mandatory from 25-02-2026 on, unless I tell Google.

A frontal attack on our #privacy.

Stupid, no?

@EUCommission

@jdelacueva @EUCommission So in the hypothetical case I'd like to see the source code of that application to see why and how it uses google services, what would be the appropriate bureaucratic way to request it?

@IvanSanchez
Freedom of Information. Access to documentation of the Commission.

@EUCommission

@IvanSanchez @jdelacueva @EUCommission

Wait, I thought the EU was trying to separate itself from US tech, that is what all their politicians are saying... oh wait, I see my error now.

@greatlaketrout @IvanSanchez @jdelacueva @EUCommission The European Digital Identity Wallet app for Android will require Play Integrity as well.

https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287

@fruitchypear @greatlaketrout @IvanSanchez @jdelacueva @EUCommission requiring drm for a digital identity wallet... yikes

apps attesting the hardware and software they run on is fundamentally drm and is awful. it's also just completely backwards, apps shouldn't even have the capability to do that

the os should be attesting this, not the apps

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout that has nothing to do with "drm"

It is there because the remote service needs assertion: your generated private key is bound to your device and can't be copied to another phone.

And to assert that, a trusted party (Google/Apple) asserts the complete chain from hardware up to the OS it is running on - so no MITM sits within.

Currently there is no other way, other than not using mobile OSes.

@asltf @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout it prevents people from taking control of their own systems and tinkering. it fundamentally restricts user freedom. how is that not drm?

there shouldn't be anyone else telling someone what they can or can't do with their device

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout that's how you frame it.
Now change your POV: be the company that needs technical measures to bind your login to your device without having any means to detect whether it's your device through which a login request comes, or a MITM.
Many companies may take that risk for financial gains - or get sued.
But other companies are legally bound to not take that risk.

@asltf @lumi

why do the needs of a company dictate restrictions on *all* users?

the platform/os is the source of truth, the way we prevent an unauthorized party from cloning or infecting your device is by encrypting and verifying the disk, by not installing malware, by running trusted code only and by sandboxing any untrusted code

if the user willingly wants to clone their data to another device, to build and run their own platform, or simply modify/replace parts of their current platform, their "wallet" app must not have any say in it, that *is* drm and the want of control that corporations have must not impede user freedom

play integrity is google's way of exploiting fear in order to gain control

@navi @lumi you obviously didn't get the point.
this is mandated by national restraints on what "securely" technically means.

It is not about that you want to clone it, it is about national law requiring the company to make sure you are not able to make a copy of a thing that is meant to be a singleton, because the whole verification process is based around this assumption.

Otherwise you would be required to authenticate way more than you are willing to do

@asltf @lumi if something should not be copiable, it should not be in the user's device

private keys are copiable, user data is copiable, if a user copied their auth tokens to another system, that system is their system, any system that breaks because two machines copied the same id, is a broken system and needs to be fixed

there's no national "security" law that mandates this kind of thing, they want to do it because it is labeled as "standard security" by google

@navi @asltf in addition to this, if there were laws like this, they should be repealed

it being my device means i should have full control, no one should be able to restrict that

@navi @lumi stop wasting my time if you don't have any clue what regulations are mandated by "state of the art" security on national bodies (like Germany's BSI TRs and European ETSI requirements)

@asltf @navi if they infringe on user freedom, they must be repealed. simple as that

@lumi @navi it's as infringing as you aren't permitted to extract key material from your national id and banking cards. It never was your freedom from the start.

@asltf @lumi @navi speaking of which, we already have national IDs as singletons in your sense, so the phone does not have to become one. You behave very arrogantly in this thread, although you're not even aware how this problem was solved before smartphones. I still used an old Nokia back in the days when my account was already authorized by a smart card connected to my (Linux) laptop.

@creepy_owlet @lumi @navi If ad hominem is all you have, try arguing that way with national regulation bodies. It surely will help...
Times have changed, requirements have changed. "Back in my days" examples won't hold for today's standards.

@asltf @lumi it is not a regulation because

a) the issue itself mentions it's not required, just recommended,

b) my bank app has worked for years, and continues to, without attestation,

c) if it really is a regulation, link me, i've read through eu legal memos before to know what is and isn't required, and i can do it again,

d) and even if it was, that means it's a bad regulation, just because something is a law, doesn't mean the law is good, but again, link it

also you're the one insisting forced remote attestation is not drm, then yelling "but you don't understand law!", if anything, you're the one wasting people's time while refusing to properly explain or back your claims

@navi @lumi please read my responses or stop wasting my time.

Recommendations almost have to be read as "have to unless impossible (with permitted reason)" for national bodies.

And I've already written some words about companies willing to take the risk *on them* - i.e. they calculate in fraud, which you as a customer pay for - that doesn't work for national ID systems

@asltf @lumi you know what, fuck your high and mighty "my time is so precious" attitude

@navi @lumi And to your last point: I've already answered that.

Runtime assertion is required to attest that the attestation from the hardware key store comes from within their untampered app; otherwise a MITM could relay to any other device.

One could work around this by a paper verification process (i.e. the bank prints your received public key fingerprint and sends it back to you with a verification password you have to type in to complete key binding)

@navi @asltf @lumi

And they are in bed with google and corrupt as hell.

@asltf @navi @lumi nation states should not have that power and they certainly should not be limiting the choices of their constituents or violating their own “supposed” privacy policies. There is simply no excuse for this level of duplicity

@navi @asltf @lumi

Google is a horrible company with zero credibility. They are nothing more than spyware.

@asltf @lumi @jdelacueva @IvanSanchez @EUCommission @greatlaketrout At the very least the app could support GrapheneOS via the hardware-attestation API included in AOSP.

This could be used for other non-certified Android OSs as well.

https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287#issuecomment-3015811262
https://grapheneos.org/articles/attestation-compatibility-guide

@fruitchypear @asltf @jdelacueva @IvanSanchez @EUCommission @greatlaketrout that still restricts what i can do with my device, that's still drm. things like this should just not exist

@asltf @lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout companies that can't conduct their business without selling their users to American tech giants must cease to exist.

@asltf @lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout
Exactly. Only after such a step is done and acted on by European certifiers should such an app ever exist.

@polx @asltf @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout i would argue that we should push back against such a thing ever existing, as it is backwards to how security is done

apps should just do their thing, they should not be checking what they're running on and artificially restricting the user. this is drm

it is the operating system's job to verify the security meets the standards of the user (of course this must be completely under the user's control!)

there is no security without freedom, after all

@lumi @jdelacueva @IvanSanchez @asltf @EUCommission @fruitchypear @greatlaketrout

I think the problem is that there is this belief that big big players will be the best to notice security breaches and thus protect us, the poor users. Once the OS is delivered, it should do its job and anyone should be allowed to decide in good faith what verification should be done, with or without big players.

Crypto-chains are simple math steps. No big platform needed!

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout If it were the apps it would be okay, but it is literally the hardware & OS in cooperation with a 3rd party that is doing the attestation, on behalf of the app.

And you cannot even argue that PCs are “less safe”; Microsoft & Apple have quietly added game console-level security to their ecosystems in the past decade.

@fruitchypear @greatlaketrout @IvanSanchez @jdelacueva @EUCommission this is such a perfect example of the "job not done" syndrome because, at the start, this appeared to be the right way.
Now that we know that sovereignty is crucial, I do not think that there is any excuse to leave this open.

@greatlaketrout The EU is in bed with big tech despite them claiming otherwise (You probably know, but this is for the people that don't)

@greatlaketrout @IvanSanchez @jdelacueva @EUCommission
Come on, they only decided that last year! You can't expect them to have actually done anything about it yet.

@duckwhistle @IvanSanchez @jdelacueva @EUCommission

I never expect a politician to do anything about anything.

@jdelacueva @EUCommission is Google Play really the only way to use two-factor authentication there? not even a FIDO token or some other alternative?

@mira @EUCommission @jdelacueva i can even use 2FA in Microsoft Teams without Google or MS apps.

It's just laziness i guess

@mira @EUCommission @jdelacueva Yeah, it doesn't make sense considering how many EU citizens don't have or can't use a smartphone. There must be a physical artifact.

@jdelacueva @EUCommission Similarly, that banks can deny you service because you're using a non-Google-approved system (instead of a wildly more insecure chinesium Android that was abandoned 5 years ago, which is magically still okay to use somehow), is an absolute disgrace and just really shouldn't be a thing.

@phl @jdelacueva @EUCommission *nods in GrapheneOS*

@DJDarren @phl @jdelacueva @EUCommission
*nods in /e/OS*

These days staying away from Google also means a decrease in ads, and that is actually a mental health issue.

@jdelacueva Besides the privacy risks, it seems reckless that a US Big Tech company should be gatekeeper on a European government website.

I did manage to register my Yubikey but still...

@EUCommission

@strangequark

Additionally, when they become gatekeepers, they also have access to the saved data on servers, independently of where the servers are hosted.

@jdelacueva @EUCommission

@jdelacueva @EUCommission There should be other ways to log in. I initially set up e-ID but my national agency did not let me use it, or said it shouldn't be used even though it was theoretically possible on the EU website. But i understand the trouble, when I have issues with some EU systems they tell me to use Google Chrome because that's what they optimise for, and I find that so frustrating.

@bluishgreen @jdelacueva @EUCommission What happens if you don't use any EU online portals at all? Can you still use an ATM with a bank-issued card, and deal with bureaucratic things in person at a physical office?

@LukefromDC @jdelacueva @EUCommission It does not relate to that, using EU portals is mostly for applying for grants/research funding or some business services. I only really use it to apply for funding. I don't have experience with other services but it is not related to banking or accessing basic services.

@jdelacueva @EUCommission
https://keepandroidopen.org/

developer verification gives more central control to alphabet inc.

third party app installs are still possible in modified android systems.

relying on closed platforms is a bad idea.


@jdelacueva @EUCommission my knowledge is at least 10/15 years old, but this might not be your bank's stupid requirement, it's one of Visa's or Mastercard's. I had to be certified by Visa/Mastercard/Amex to do EFT interfaces, not by banks. And when specific transactions were declined I had to contact specific departments and read pages of docs till I found the clause that said exactly the opposite of what they had been telling me for several days…

@jdelacueva @EUCommission using this on other platforms such as Linux phones (PostmarketOS, UBTouch, SailfishOS...) is science fiction.

@jdelacueva @EUCommission

Is this "EU Login app" the following:

> The EU Login app is developed by the European Commission to facilitate your day-to-day Multi-factor authentication for many EU applications and services.

from: https://trusted-digital-identity.europa.eu/creating-managing-and-using-your-eu-login-account/eu-login-mobile-application_en

?


@jdelacueva @EUCommission

Would it be possible to install Aurora Store on your LineageOS phone instead of Google Play Store?