Mastodawn

RE: https://mastodon.social/@fsfe/116131145887510612

@volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity. That will be a game-changer. All major European OS producers are joining. We have a golden opportunity now to boot out Google.

Show thread

GrapheneOS Mar 18

@vollaficationist @volla Unified Attestation is the direct opposite of keeping Android open. It's an anti-competitive centralized system putting Volla and other companies selling devices working with them in control of which devices and operating systems people are allowed to use. It's the direct opposite of open. There's nothing neutral or fair about companies approving using their products while disallowing others. Unified Attestation needs to be stopped.

https://grapheneos.social/@GrapheneOS/116239523775374959

Show thread

Vollaficationist Mar 18

@GrapheneOS Which companies are "disallowed" to partake in #UnifiedAttestation? You have formally and informally been cordially invited. As are any and all other OS manufacturers. Please, let's ease the tone. What about a constructive talk? I believe we should support one another wherever possible and meaningful. Considering the vast market potential, we have all much to gain. Some will choose GOS, some VOS, etc. It's a big cake. Let's ditch Google - unified. Good day!

Show thread

GrapheneOS Mar 18

@vollaficationist Unified Attestation includes multiple companies hostile towards GrapheneOS. They've spent years misleading people about GrapheneOS and making attacks on our team. Unified Attestation gives them veto power over app compatibility on GrapheneOS. It puts them in a position where they can harm GrapheneOS with unreasonable requirements and disingenuous concerns to reduce app compatibility. It's also clearly an illegal anti-competitive cartel and participating wouldn't be legal.

Show thread

GrapheneOS Mar 18

@vollaficationist Unified Attestation is nothing more than an anti-competitive power grab via a centralized service sitting on top of Android hardware attestation. There has yet to be any valid explanation for why this has been created. It would be entirely possible to have neutral organizations certifying devices and publishing those certificates as signed data usable with Android hardware attestation. There's no valid reason to have a centralized service under the control of these companies.

Show thread

Vollaficationist Mar 18

@GrapheneOS This is currently being discussed. Nothing is written in stone. One way is to have an independent third-party highly renowned institution do test and certification. Please consider that UA is still very much "under construction." Please also note that we respect GOS' work, which is why we reached out to you half a year ago.

Show thread

GrapheneOS Mar 18

@vollaficationist GrapheneOS won't participate in any system which requires us to delay our releases while waiting for certification. That's inherently anti-security and is completely unacceptable. We also won't give any companies or organizations veto power over app compatibility on GrapheneOS. It's a horrible idea and we're not going to let it happen. We won't participate and we'll file a lawsuit over the fact GrapheneOS is being banned by companies selling products threatened by GrapheneOS.

Show thread

GrapheneOS Mar 18

@vollaficationist The EU has been passing laws working towards banning end-to-end encryption and secure devices. It's completely unacceptable to have an EU-based system controlling which hardware and software is allowed to be used. GrapheneOS is not going to participate in bringing about our own downfall through helping to build or legitimize a system which could be used by EU governments to ban GrapheneOS. Play Integrity API should be banned rather than giving it legitimacy making another one.

Show thread

GrapheneOS Mar 18

@vollaficationist Android hardware attestation can already be used to permit arbitrary roots of trust and arbitrary operating systems. There's no need for a centralized system based in Europe built on top of it.

It would be better if root-based attestation didn't exist because it's fundamentally insecure for anything serious and primarily useful for anti-competitive and authoritarian purposes. Pinning-based attestation is what's useful for protecting users rather than controlling people.

Show thread

GrapheneOS Mar 18

@vollaficationist We've been actively fighting against the Play Integrity API for years and now. Unified Attestation is another anti-competitive system very similar to it. We're absolutely going to fight against it as much as we have been against the Play Integrity API. Android hardware attestation is an issue itself due to being primarily designed around root-based attestation. We convinced them to add proper pinning-based verification support to make it a real security feature for our usage.

Show thread

GrapheneOS Mar 18

@vollaficationist In Operation Trojan Shield, a bunch of European states worked with the FBI to sell backdoored devices to organized crime. They marketed these devices as being based on GrapheneOS or as running GrapheneOS. They harmed the reputation of GrapheneOS by marketing it to criminals and put us at high risk of physical harm by violent criminals. More recently, multiple European states are attacking actual GrapheneOS falsely claiming it's mainly used by criminals.

https://darknetdiaries.com/episode/146/

ANOM – Darknet Diaries

In this episode, Joseph Cox tells us the story of ANOM. A secure phone made by criminals, for criminals.

Show thread

anon_4601

@GrapheneOS @vollaficationist

True.
I’ve read articles in Italian & Dutch outlets talking about the ‘danger’ of GrapheneOS, falsely claiming it's a phone for criminals. Some articles mentioned the new European Digital Wallet for storing IDs and payment cards; countries like Italy announced it wouldn't work on non-standard operating systems, only stock Android, iOS and GarminOS (all American companies). Some banks have lobbied against GrapheneOS and rushed to publish articles taking a similarly accusatory tone.

In fact, these are campaigns led by the far right. They are the same people pushing for age checks on all OSs in the U.S., the same Nazis who pushed in the EU for ‘Chat Control’—who, in the name of combating pedophilia, were prepared to launch a ‘Stasi 2.0’ rather than look at those Epstein files...

This just goes to show that I made the right choice in opting for GrapheneOS... the day I’m forced to use something else will be the last day I’ll ever own a phone.