Actions speak louder than words.

I am unable to install the EU Login app on my phone because I use LineageOS and not the Google Spy Android.

Thus, I cannot use the double factor authentication, mandatory from 25-02-2026 on, unless I tell Google.

A frontal attack on our #privacy.

Stupid, no?

@EUCommission

@jdelacueva @EUCommission So in the hypothetical case I'd like to see the source code of that application to see why and how it uses google services, what would be the appropriate bureaucratic way to request it?

@IvanSanchez @jdelacueva @EUCommission

Wait, I thought the EU was trying to separate itself from US tech, that is what all their politicians are saying... oh wait, I see my error now.

@greatlaketrout @IvanSanchez @jdelacueva @EUCommission The European Digital Identity Wallet app for Android will require Play Integrity as well.

https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287

Please remove the requirement for Google Play Integrity · Issue #287 · eu-digital-identity-wallet/eudi-app-android-wallet-ui

The developers of the digital wallet of some member countries such as Italy and France have created the app by implementing the check of the Play Integrity. Probably following the directive contain...

@fruitchypear @greatlaketrout @IvanSanchez @jdelacueva @EUCommission requiring drm for a digital identity wallet... yikes

apps attesting the hardware and software they run on is fundamentally drm and is awful. it's also just completely backwards, apps shouldn't even have the capability to do that

the os should be attesting this, not the apps

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout that has nothing to do with "drm"

It is there because remote service needs assertion, your generated private key is bound to your device and can't be copied to another phone.

And to assert that, a trusted party (Google/Apple) asserts the complete chain from hardware up to the os it is running on - so no MITM sits within.

Currently there is no other way, other than not using mobile os's
https://berlin.social/@asltf/116104851486148728

@asltf @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout it prevents people from taking control of their own systems and tinkering. it fundamentally restricts user freedom. how is that not drm?

there shouldn't be anyone else telling someone what they can or can't do with their device

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout that's how you frame it.
Now change your pov, be the company that needs technical measurements to bind your login to your device without having any means to detect, if it's your device through which a login request comes - or it is a MITM.
Many companies may take that risk for financial gains - or get sued.
But other companies are legally bound to not take that risk

@asltf @lumi

why do the needs of a company dictate restrictions on *all* users?

the platform/os is the source of truth, the way we prevent an unauthorized party from cloning or infecting your device, is by encrypting and verifying the disk, and by not installing malware, by running trusted code only and sandboxing any untrusted code

if the user willingly wants to clone their data to another device, to build and run their own platform, or simply modify/replace parts of their current platform, their "wallet" app must not have any say in it, that *is* drm and the want of control that corporations have must not impede user freedom

play integrity is google's way of exploiting fear in order to gain control

@navi @lumi you obviously didn't get the point.
this is mandated by national restraints on what "securely" technically means.

It is not about that you want to clone it, it is about national law requiring the company to make sure, you are not able to make a copy of a thing that is meant to be a singleton, because the whole verification process is based around this assumption.

Otherwise you would be required to authenticate way more than you are willing to do

@asltf @lumi if something should not be copiable, it should not be in the user's device

private keys are copiable, user data is copiable, if a user copied their auth tokens to another system, that system is their system, any system that breaks because two machines copied the same id, is a broken system and needs to be fixed

there's no national "security" law that mandates this kind of thing, they want to do it because it is labeled as "standard security" by google

@navi @lumi stop wasting my time, if you don't have any clue what regulations are mandated by "state of the art" security on national bodies (like German BSI TRs and European ETSI requirements)

@asltf @navi if they infringe on user freedom, they must be repealed. simple as that

@lumi @navi it's as infringing as you aren't permitted to extract key material from your national id and banking cards. It never was your freedom from the start.

@asltf @lumi @navi speaking of which, we already have national IDs as singletons in your sense, so the phone does not have to become one. You behave very arrogantly in this thread, although you're not even aware how this problem was solved before smartphones. I still used an old Nokia back in the days when my account was already authorized by a smart card connected to my (Linux) laptop.

@creepy_owlet @lumi @navi If ad hominem is all you have, try arguing that way with national regulation bodies, it surely will help...
Times have changed, requirements have changed. "Back in my days" examples won't hold for today's standards.