VollaficationistFeb 25

RE: https://mastodon.social/@fsfe/116131145887510612

@volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity. That will be a game-changer. All major European OS producers are joining. We have a golden opportunity now to boot out Google.

Show threadGrapheneOSMar 18

@vollaficationist @volla Unified Attestation is the direct opposite of keeping Android open. It's an anti-competitive centralized system putting Volla and other companies selling devices working with them in control of which devices and operating systems people are allowed to use. It's the direct opposite of open. There's nothing neutral or fair about companies approving using their products while disallowing others. Unified Attestation needs to be stopped.

https://grapheneos.social/@GrapheneOS/116239523775374959

Show threadVollaficationistMar 18
@GrapheneOS Which companies are "disallowed" to partake in #UnifiedAttestation? You have formally and informally been cordially invited. As are any and all other OS manufacturers. Please, let's ease the tone. What about a constructive talk? I believe we should support one another wherever possible and meaningful. Considering the vast market potential, we have all much to gain. Some will choose GOS, some VOS, etc. It's a big cake. Let's ditch Google - unified. Good day!
Show threadGrapheneOSMar 18
@vollaficationist Unified Attestation includes multiple companies hostile towards GrapheneOS. They've spent years misleading people about GrapheneOS and making attacks on our team. Unified Attestation gives them veto power over app compatibility on GrapheneOS. It puts them in a position where they can harm GrapheneOS with unreasonable requirements and disingenuous concerns to reduce app compatibility. It's also clearly an illegal anti-competitive cartel and participating wouldn't be legal.
Show threadGrapheneOSMar 18
@vollaficationist Unified Attestation is nothing more than an anti-competitive power grab via a centralized service sitting on top of Android hardware attestation. There has yet to be any valid explanation for why this has been created. It would be entirely possible to have neutral organizations certifying devices and publishing those certificates as signed data usable with Android hardware attestation. There's no valid reason to have a centralized service under the control of these companies.
Show threadVollaficationistMar 18
@GrapheneOS This is currently being discussed. Nothing is written in stone. One way is to have an independent third-party highly renowned institution do test and certification. Please consider that UA is still very much "under construction." Please also note that we respect GOS' work, which is why we reached out to you half a year ago.
Show threadGrapheneOSMar 18
@vollaficationist GrapheneOS won't participate in any system which requires us to delay our releases while waiting for certification. That's inherently anti-security and is completely unacceptable. We also won't give any companies or organizations veto power over app compatibility on GrapheneOS. It's a horrible idea and we're not going to let it happen. We won't participate and we'll file a lawsuit over the fact GrapheneOS is being banned by companies selling products threatened by GrapheneOS.
Show threadGrapheneOSMar 18
@vollaficationist The EU has been passing laws working towards banning end-to-end encryption and secure devices. It's completely unacceptable to have an EU-based system controlling which hardware and software is allowed to be used. GrapheneOS is not going to participate in bringing about our own downfall through helping to build or legitimize a system which could be used by EU governments to ban GrapheneOS. Play Integrity API should be banned rather than giving it legitimacy making another one.
Show threadGrapheneOSMar 18

@vollaficationist Android hardware attestation can already be used to permit arbitrary roots of trust and arbitrary operating systems. There's no need for a centralized system based in Europe built on top of it.

It would be better if root-based attestation didn't exist because it's fundamentally insecure for anything serious and primarily useful for anti-competitive and authoritarian purposes. Pinning-based attestation is what's useful for protecting users rather than controlling people.

Show threadGrapheneOSMar 18
@vollaficationist We've been actively fighting against the Play Integrity API for years and now. Unified Attestation is another anti-competitive system very similar to it. We're absolutely going to fight against it as much as we have been against the Play Integrity API. Android hardware attestation is an issue itself due to being primarily designed around root-based attestation. We convinced them to add proper pinning-based verification support to make it a real security feature for our usage.
Show threadGrapheneOSMar 18

@vollaficationist In Operation Trojan Shield, a bunch of European states worked with the FBI to sell backdoored devices to organized crime. They marketed these devices as being based on GrapheneOS or as running GrapheneOS. They harmed the reputation of GrapheneOS by marketing it to criminals and put us at high risk of physical harm by violent criminals. More recently, multiple European states are attacking actual GrapheneOS falsely claiming it's mainly used by criminals.

https://darknetdiaries.com/episode/146/

ANOM – Darknet Diaries

In this episode, Joseph Cox tells us the story of ANOM. A secure phone made by criminals, for criminals.

Show threadGrapheneOSMar 18
@vollaficationist Europe passed Chat Control and it's clear many of the countries involved are going to be pushing additional laws to further crack down on end-to-end encryption and secure devices. France has come out as by far the strongest opponent of privacy technology among European countries and is where both iodé and Murena are based. Why would we want to participate in a system where the EU can ban GrapheneOS if we don't comply with authoritarian laws cracking down on secure devices?
Show threadTuxOnBikeMar 18

@GrapheneOS

On a positive note, the EU ends “Voluntary Chat Control” in April (at least for now) and many Europeans are working on “Chat Control” to never get passed. And for “Voluntary Chat Control” to not come back.
The EU stands for freedom, democracy, and peace and, while it’s not perfect, we EU-citizens fight for it to get better.

@vollaficationist

Show threadGrapheneOS
@TuxOnBike @vollaficationist Volla is working on building a future where people can only use devices and software approved by governments. Building a European system for controlling which hardware and operating systems are allowed to be used which they're going to heavily push apps to adopt isn't a good thing. Play Integrity API being controlled by a single US company makes it much easier to fight against in Europe right now. Building a European system for doing the same thing isn't positive.
Mar 18 at 4:46pmWeb