Actions speak louder than words.

I am unable to install the EU Login app on my phone because I use LineageOS and not the Google Spy Android.

Thus, I cannot use the double factor authentication, mandatory from the 25-02-2026 on unless I tell Google.

A frontal attack on our #privacy.

Stupid, no?

@EUCommission

@jdelacueva @EUCommission So in the hypothetical case I'd like to see the source code of that application to see why and how it uses google services, what would be the appropriate bureaucratic way to request it?

@IvanSanchez @jdelacueva @EUCommission

Wait, I thought the EU was trying to separate itself from US tech, that is what all their politicians are saying... oh wait, I see my error now.

@greatlaketrout @IvanSanchez @jdelacueva @EUCommission The European Digital Identity Wallet app for Android will require Play Integrity as well.

https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287

Please remove the requirement for Google Play Integrity · Issue #287 · eu-digital-identity-wallet/eudi-app-android-wallet-ui

The developers of the digital wallet of some member countries such as Italy and France have created the app by implementing the check of the Play Integrity. Probably following the directive contain...

@fruitchypear @greatlaketrout @IvanSanchez @jdelacueva @EUCommission requiring drm for a digital identity wallet... yikes

apps attesting the hardware and software they run on is fundamentally drm and is awful. it's also just completely backwards, apps shouldn't even have the capability to do that

the os should be attesting this, not the apps

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout that has nothing to do with "drm"

It is there because remote service needs assertion, your generated private key is bound to your device and can't be copied to another phone.

And to assert that, a trusted party (google/Apple) asserts the complete chain from hardware up to the os it is running on - so no MITM sits within.

Currently there is no other way, other than not using mobile os's
https://berlin.social/@asltf/116104851486148728

@asltf @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout it prevents people from taking control of their own systems and tinkering. it fundamentally restricts user freedom. how is that not drm?

there shouldn't be anyone else telling someone what they can or can't do with their device

@lumi @jdelacueva @IvanSanchez @EUCommission @fruitchypear @greatlaketrout that's how you frame it.
Now change your pov, be the company that needs technical measurements to bind your login to your device without having any means to detect, if it's your device through which a login request comes - or it is a MITM.
Many companies may take that risk for financial gains - or get sued.
But other companies are legally bound to not take that risk.

@asltf @lumi

why does the needs of a company dictate restrictions on *all* users?

the platform/os is the source of truth, the way we prevent an unauthorized party from cloning or infecting your device, is by encrypting and verifying the disk, and by not installing malware, by running trusted code only and sandboxing any untrusted code

if the user willingly wants to clone their data to another device, to build and run their own platform, or simply modify/replace parts of their current platform, their "wallet" app must not have any say in it, that *is* drm and the want of control that corporations have must not impede user freedom

play integrity is google's way of exploiting fear in order to gain control

@navi @lumi you obviously didn't get the point.
this is mandated by national restraints on what "securely" technically means.

It is not about that you want to clone it, it is about national law requiring the company to make sure you are not able to make a copy of a thing that is meant to be a singleton, because the whole verification process is based around this assumption.

Otherwise you would be required to authenticate way more than you are willing to do

@asltf @lumi if something should not be copiable, it should not be in the user's device

private keys are copiable, user data is copiable, if a user copied their auth tokens to another system, that system is their system, any system that breaks because two machines copied the same id, is a broken system and needs to be fixed

there's no national "security" law that mandates this kind of thing, they want to do it because it is labeled as "standard security" by google

@navi @lumi stop wasting my time, if you don't have any clue what regulations are mandated by "state of the art" security on national bodies (like Germany's BSI TRs and European ETSI requirements)

@asltf @lumi it is not a regulation because

a) the issue itself mentions it's not required, just recommended,

b) my bank app has worked for years, and continues to, without attestation,

c) if it really is a regulation, link me, i've read through eu legal memos before to know what is and isn't required, and i can do it again,

d) and even if it was, that means it's a bad regulation, just because something is a law, doesn't mean the law is good, but again, link it

also you're the one insisting forced remote attestation is not drm, then yelling "but you don't understand law!", if anything, you're the one wasting people's time while refusing to properly explain or back your claims

@navi @lumi please read my responses or stop wasting my time.

Recommendations almost have to be read as "have to unless impossible (with permitted reason)" for national bodies.

And I've already written some words about companies willing to take the risk *on them* - i.e. they calculate in fraud, which you as customer pay - that doesn't work for national ID systems

@navi @lumi And to your last point: I've already answered that.

Runtime assertion is required to attest, the attestation from hardware key store is from within their untampered app, otherwise MITM could relay to any other device.

One could work around this by paper verification process (i.e. the bank prints our received public key fingerprint and sends it back to you with a verification password, you have to type in to complete key binding).
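
The paper verification process described in the last post, sketched as an added example that is not part of the thread and not code from any bank or EU project. The class and function names, the attempt limit and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: enrollment is voided after three wrong codes
DEVICE_KEY = b"constructed-device-public-key"  # constructed sample input
RELAY_KEY = b"constructed-relay-public-key"    # constructed sample input

def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the encoded public key, grouped in fours for reading off paper."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

class KeyBinding:
    """Hypothetical server side of the paper verification process."""

    def __init__(self):
        self.pending = {}  # user -> [fingerprint, salt, code hash, attempts left]
        self.bound = {}    # user -> fingerprint of the key accepted for login

    def receive_key(self, user: str, public_key: bytes) -> dict:
        """Register an unverified key and return the contents of the letter."""
        code = secrets.token_hex(4)  # one-time verification password
        salt = secrets.token_bytes(16)
        code_hash = hashlib.sha256(salt + code.encode()).digest()
        fp = fingerprint(public_key)
        self.pending[user] = [fp, salt, code_hash, MAX_ATTEMPTS]
        return {"fingerprint": fp, "code": code}

    def confirm(self, user: str, typed_code: str) -> bool:
        """Bind the pending key only if the mailed code is typed back correctly."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        fp, salt, code_hash, _ = entry
        typed_hash = hashlib.sha256(salt + typed_code.encode()).digest()
        if hmac.compare_digest(typed_hash, code_hash):
            self.bound[user] = fp
            del self.pending[user]
            return True
        entry[3] -= 1
        if entry[3] == 0:
            del self.pending[user]  # too many failures: enrollment restarts
        return False

def user_accepts(letter: dict, key_on_device: bytes) -> bool:
    """User-side check: the printed fingerprint must match the device's own key."""
    return hmac.compare_digest(letter["fingerprint"], fingerprint(key_on_device))
```

If a relay substitutes its own key during enrollment, the letter carries that key's fingerprint, `user_accepts` returns false on the real device, and the code is never typed in, so the substituted key is never bound.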