VollaficationistFeb 25

RE: https://mastodon.social/@fsfe/116131145887510612

@volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity. That will be a game-changer. All major European OS producers are joining. We have a golden opportunity now to boot out Google.

Show threadGrapheneOS1d ago

@vollaficationist @volla Unified Attestation is the direct opposite of keeping Android open. It's an anti-competitive centralized system putting Volla and other companies selling devices working with them in control of which devices and operating systems people are allowed to use. It's the direct opposite of open. There's nothing neutral or fair about companies approving using their products while disallowing others. Unified Attestation needs to be stopped.

https://grapheneos.social/@GrapheneOS/116239523775374959

Show threadVollaficationist1d ago
@GrapheneOS Which companies are "disallowed" to partake in #UnifiedAttestation? You have formally and informally been cordially invited. As are any and all other OS manufacturers. Please, let's ease the tone. What about a constructive talk? I believe we should support one another wherever possible and meaningful. Considering the vast market potential, we have all much to gain. Some will choose GOS, some VOS, etc. It's a big cake. Let's ditch Google - unified. Good day!
Show threadGrapheneOS1d ago
@vollaficationist Unified Attestation includes multiple companies hostile towards GrapheneOS. They've spent years misleading people about GrapheneOS and making attacks on our team. Unified Attestation gives them veto power over app compatibility on GrapheneOS. It puts them in a position where they can harm GrapheneOS with unreasonable requirements and disingenuous concerns to reduce app compatibility. It's also clearly an illegal anti-competitive cartel and participating wouldn't be legal.
Show threadGrapheneOS1d ago
@vollaficationist Unified Attestation is nothing more than an anti-competitive power grab via a centralized service sitting on top of Android hardware attestation. There has yet to be any valid explanation for why this has been created. It would be entirely possible to have neutral organizations certifying devices and publishing those certificates as signed data usable with Android hardware attestation. There's no valid reason to have a centralized service under the control of these companies.
Show threadVollaficationist1d ago
@GrapheneOS This is currently being discussed. Nothing is written in stone. One way is to have an independent third-party highly renowned institution do test and certification. Please consider that UA is still very much "under construction." Please also note that we respect GOS' work, which is why we reached out to you half a year ago.
Show threadGrapheneOS1d ago
@vollaficationist GrapheneOS won't participate in any system which requires us to delay our releases while waiting for certification. That's inherently anti-security and is completely unacceptable. We also won't give any companies or organizations veto power over app compatibility on GrapheneOS. It's a horrible idea and we're not going to let it happen. We won't participate and we'll file a lawsuit over the fact GrapheneOS is being banned by companies selling products threatened by GrapheneOS.
Show threadVollaficationist1d ago
@GrapheneOS Will you really? And you didn't Google? Now I'm actually really getting worried about the status of GOS. Well, I wish you the best.
Show threadGrapheneOS1d ago
@vollaficationist Yes, we'll file a lawsuit against each company involved in Unified Attestation for the damages done by their anti-competitive cartel to GrapheneOS. It's likely not only going to be us filing this lawsuit. We can work with many other stakeholders interested in stopping creeping authoritarianism in Europe eroding people's right to use whatever hardware and software they want to use. You're working alongside politicians pushing expanded Chat Control. This is perfect for them.
Show threadGuillaume1d ago
@GrapheneOS @vollaficationist Funny how you don't answer on the Google-part. Why don't you attack them since they control the whole Android ecosystem, making it a mess to anyone to do things different and are pushing to close it even more. Last time you replied you just said Google has more money for lawyers...
Show threadGrapheneOS1d ago
@guilg @vollaficationist We've been actively fighting against the Play Integrity API for years. We were making substantial progress in both Europe and India. We've also been coordinating with multiple other companies towards filing a lawsuit against Google. Unified Attestation is an enormous gift to Google helping to legitimize what they're doing with the Play Integrity API. Volla is playing into the hands of authoritarians who want systems disallowing people using arbitrary hardware/software.
Show threadChuckles1d ago
@GrapheneOS @guilg @vollaficationist it's an ugly deal that the @EUCommission has made with the tech giants in exchange for #ChatControl and #DigitalOmnibus
Show threadVollaficationist1d ago
@celeduc @GrapheneOS @guilg @EUCommission Volla develops not only devices or OS, or AI and more. It's also developing a new ecosystem as well as an infrastructure. Full decoupling. A fully, autonomous communications system. GOS is a hundred thousand miles from this, right. They do googlag-ware and now even Moto, lol.
Show threadDaniël de Kok1d ago

@vollaficationist @celeduc @GrapheneOS @guilg @EUCommission And the Volla Phone Quintus is the Daria Bond 5G from an Emirates company (marked up by 560 Euro). Given that Eurowashing, maybe attacking GrapheneOS for using Pixel hardware is a bit rich? At least Pixel has proper device security.

Back to to the original topic. I only have a stake in this as an EU citizen, but having a small set of companies decide who can run what is bad, it's another attack on the freedom of EU citizens.

Show threadKarsten1d ago
@danieldk
I would agree to the lower paragraph and add the following thought:
Maybe it would be wise to not let the only companies with privacy in the mind get divided. Arguments ad hominem are not very convincing.
@vollaficationist @celeduc @GrapheneOS @guilg @EUCommission @GrapheneOS
Andromxda 🇺🇦🇵🇸🇹🇼1d ago
Show threadDaniël de Kok

@khw @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission Centralized remote attestation is diametrically opposed to privacy, since it makes projects vulnerable to pressure to weaken security & privacy, delay updates, etc.

AFAIK the support for remote attestation that is already provided in AOSP does not suffer from this issue, because there is not a single entity that enforces it (banks can whitelist signing key fingerprints).

So the only reason I can think of is control.

Mar 18 at 7:20pmWeb
Show threadDaniël de Kok1d ago

@khw @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission This is not just a theoretical concern.

Some European countries border on autocracy. Imagine that this initiative is successful. An autocrat could pressure Volla et al. to only attest phones that have a chat backdoor under the thread of banning them from the market.

It is anti-privacy, anti-security, and anti-freedom.

Show threadKarsten1d ago
@danieldk
But that has nothing to do, whatsoever, with the attestation. That said state could pressure volla et al that only phones with backdoor are allowed in the EU.
@vollaficationist @celeduc @GrapheneOS @guilg @EUCommission
Show threadGrapheneOS1d ago
@khw @danieldk @vollaficationist @celeduc @guilg @EUCommission It has everything to do with a centralized attestation system. Once this system starts being adopted, the EU can require it for banking/government apps as they began the process of doing with the Play Integrity API. They can then hijack it and begin enforcing their own requirements such including disallowing encryption without backdoors. There should be no organization in charge of which devices and operating systems are allowed.
Show threadGrapheneOS1d ago
@khw @danieldk @vollaficationist @celeduc @guilg @EUCommission If companies insist on permitting only certain devices and operating to be used then the system should be one that's distributed around the world with multiple neutral organizations not tied to the companies making devices or governments. However, delaying updates for certification is inherently anti-security. It would be impossible to quickly ship security patches without breaking compatibility with many important apps.
Show threadKarsten1d ago
@GrapheneOS
But they, the EU, can do this all along. No matter if there is something like attestation or not.
@danieldk @vollaficationist @celeduc @guilg @EUCommission
Show threadGrapheneOS1d ago
@khw @danieldk @vollaficationist @celeduc @guilg @EUCommission Attestation enables them to enforce it. Otherwise, people can import devices not complying with the rules they place on devices sold within Europe. Banning people from using devices from elsewhere is far more extreme and oppressive so that's a lot less likely. It's also far harder to enforce and if things have gotten that bad then many people are going to be unintentionally breaking oppressive laws regardless.
Show threadGrapheneOS1d ago
@khw @danieldk @vollaficationist @celeduc @guilg @EUCommission Being able to take away compatibility with banking and government apps based on a system imposing arbitrary rules with certification required for each release is authoritarian. Regardless of the motivation for building this kind of system, the end result is a powerful tool for a police state. Root-based attestation is inherently anti-competitive and primarily useful for controlling people rather than protecting people.
Show threadGrapheneOS1d ago
@khw @danieldk @vollaficationist @celeduc @guilg @EUCommission Pinning-based attestation is a useful security feature for protecting users and has little potential for abuse to prevent competition and enforce authoritarian laws. Root-based attestation is what causes those problems. Root-based attestation has poor security since it depends on none of the TEE/SE implementations getting exploited with their keys extracted. Not much of a security feature when any leaked key can be used to bypass it.
Show threadKarsten1d ago
@GrapheneOS
I guess I don't know enough about THW difference. So you have a link to an explanation?
@danieldk @vollaficationist @celeduc @guilg @EUCommission
Show threadKarsten1d ago
@GrapheneOS
That's true but essentially they could forbid it, even with higher impact and less success
@danieldk @vollaficationist @celeduc @guilg @EUCommission
Show threadwod0bow21h ago

@khw @danieldk @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission
There was a time for Europe when every decision for half of current EU countries was dictated from centralized Gov in Moscow.

What is the difference where is placed centralized power? Centralization is a problem here.

Show threadSneezy1d ago

@danieldk @khw @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission

germany is particularly nasty regarding anyone speaking out against genocide and 80 years of war crimes by Israel

staatsrason they call it

Show threadKarsten1d ago
@rapsneezy
Not the topic
@danieldk @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission
Show threadSneezy1d ago

@khw @danieldk @vollaficationist @celeduc @GrapheneOS @guilg @EUCommission

1. yes it is, it was a reply to "Some European countries border on autocracy. "

2. fuck off with your policing

3. you sound like that 12 year old school prefect, fuck off

Show threadKarsten1d ago
@rapsneezy
Germany is indeed very nasty regarding denying the Holocaust or Antisemitism.
And that's Staatsräson.
Show threadVollaficationist1d ago
@rapsneezy @danieldk @khw @celeduc @GrapheneOS @guilg @EUCommission yes