Alexander Fadeev
Felicitas Pojtinger 🌅So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
I've said it before an I'll say it again: This entire project of identity verification with Apple/Google-account bound mobile devices is going to lead the continent down a dark, dark path into full technological submission to the US
https://mastodon.social/@pojntfx/116345725515845020
A bit of an explanation
Tom@pojntfx that Google dependency is unacceptable. That said, there is no reason (other than "they want to") to require a Google account to use the Play store (to download free apps). From a GDPR perspective, that is already a breach of the law, and already should have been fixed.
@tdelmas The whole remote attestation thing should be dropped from the proposal. The rest of it is unfortunate (no ZKs at all, just signed credentials), but the remote attestation part is truly asinine. I have no idea how and why that decision was made. The people behind this are adding a path dependency on Google/Apple on something as simple as showing your ID to buy alcohol.
Luna Dragofelis ΘΔ🏳️⚧️🐱
Bas Schouten@LunaDragofelis @tdelmas @pojntfx My bank dropped this years ago, I don't know any security researcher that actually believes this either. They probably just haven't had anyone competent look at it yet.
Hopefully this will be fixed, I'm not in Germany, but as someone who doesn't have a Google or Apple account, I'd be pretty annoyed if I couldn't use eIDAS. (Although I'll happily waste public money by doing paper tax filings if it'd get there :P)
Benedikt Wi@LunaDragofelis @tdelmas @pojntfx this issue was addressed eight months ago via their GitLab repo, so hopefully they've thought about it, but still they didn't change anything: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-development-documentation-public/-/issues/2
EloPup
Marcel Geveler
Hanno Rein
theHastyOne@hannorein @unnon89 @EloPup @pojntfx @tdelmas never attribute malice to that which can be adequately explained by stupidity.
Lea
zombiecide 馬雄@ahasty any reasonably advanced stupidity is indistinguishable from malice
@zombiecide the real malice is how society seems to give the most power to the stupidest people
@ahasty I gave you a light-hearted way out of that direction, would've been nice if you took it
Hanlon's razor, while considered philosophical, is basically an emotional coping skill used to counteract certain types of rumination (caused by seeing current negative interaction as threat because of past trauma or learned behaviour)
emotional coping on its own, however, is of little use when dealing with current threats
and Hanlon's razor is not actually a very good emotional coping skill either
@ahasty so while I empathize with the resignation and despair I would feel if I said what you said (and I might've said at one time), I also think society isn't in itself an entity that can think and give power to anybody, it's people who looked at the laws and the media and who decided to play as dirty as they could to gain power, and they're self-serving and some, actively malicious, and I need to do what I can to counteract this - in this case, help ensure access to services without eIDAS
algol
Lillian Violet@GLaDTheresCake @hannorein @unnon89 @EloPup @pojntfx @tdelmas
By stating that the requirement to have a google/icloud address is not malice, I am not condoning the actions. Stupid decisions by those in power are harmful. Those in power making stupid decisions are at best negligent. But i also believe that many in power simply do not grasp the technology they regulate.
To be clear, I am an American, currently living through a fascist take over powered by techno-oligarchy, due to the fact that my countries elected officials failed to create laws that govern technology appropriately
higgins@hannorein @unnon89 @EloPup @pojntfx @tdelmas There were several comments from the public to the EU about requiring google "phone home" APIs when the EU Commission published a reference implementation for digital wallets. Met with shoulder shrugs about "it's only a reference implementation, no state is forced to use it". Which is an astoundingly strange comment about a _reference_ implementation. So they knew and were told repeatedly. Either they are criminally incompetent, corrupt, or both.
Mark Koek@higgins @hannorein @unnon89 @EloPup @pojntfx @tdelmas I don’t think it works to cry “corruption” any time there is a proposal you disagree with. In a democracy there are always proposals you disagree with. Argue against them. Forcefully if you have to. You will find that often, your opponents will take the opportunity to improve based on what you are saying. Unless of course you start out by calling them criminals.
Hannah@higgins @hannorein @unnon89 @EloPup @pojntfx @tdelmas @mkoek people might be mixing up lobbyism and outright corruption. But your generalisation is still flawed. If there is a huge power imbalance between the access different sides of a position (like let's say big tech and privacy activists) have to politicians and people complain about that, that's not just "crying out corruption on every proposal you disagree with". Such power imbalances destroy the intended democratic process.
@higgins @hannorein @unnon89 @EloPup @pojntfx @tdelmas @mkoek Also I think most of those lobbyists walk a fine line where we would morally call it corruption but maybe not legally. There are many ways to corrupt people. (Use their ego against them, install ideas by repeated misinformation while inviting them to settings where they feel good and safe, etc.)
Krzysztof Sakrejda
Nicole ParsonsTech companies writing their own rules is a "regulatory hijack"
What happens if their age verification app is hacked?
Or if these corporations are sold, bankrupt, amalgamated, or nationalized by the state?
Privatization or financialization of the means for assuring identification is a very bad idea.
Remember who invests in both Google & Apple.
https://www.businessinsider.com/saudi-arabia-crown-prince-visits-apple-google-2018-4
https://www.cnbc.com/2018/04/07/heres-a-look-at-who.html
This is just another effort by fossil fuel funded fascism.
oriYes, but the tech companies have the ability to pay the right experts to walk by them all day and provide explanations about how this is ok, really.
CC: @[email protected] @[email protected]
CC: @[email protected] @[email protected]
ww 🩶@pojntfx @tdelmas as long as age checks are anonymous and allow a generous ratelimit, remote attestation is required to maintain the integrity of the system, that's probably why
like, if i can make a custom android rom and automate issuing age proofs, then transmit them anywhere i want, then i can also create a fake miniwallet that would allow anyone to pass the age verification flow using my proofs. for a low price of 5 euros!
i personally don't think that age verification is a good idea, and even if it has to happen, remote attestation creates more problems than it solves. people will find ways to bypass age checks regardless, so this only closes one of the gaps, while excluding a fair amount of people. but i imagine this was one of the concerns that led to the decision to make it a requirement.
like, if i can make a custom android rom and automate issuing age proofs, then transmit them anywhere i want, then i can also create a fake miniwallet that would allow anyone to pass the age verification flow using my proofs. for a low price of 5 euros!
i personally don't think that age verification is a good idea, and even if it has to happen, remote attestation creates more problems than it solves. people will find ways to bypass age checks regardless, so this only closes one of the gaps, while excluding a fair amount of people. but i imagine this was one of the concerns that led to the decision to make it a requirement.
Li ~ Crystal System
Roxy ⭐ (she/her)
Diogo Constantino
AnnaAntifa@AnnaAntifa @pojntfx that's a hack. It only works as long as Google doesn't block it. Even the "anonymous" mode uses a Google account (from a shared pool of dummy account) to connect to the Google servers.
It shouldn't be needed.
And how does it works for lambda users? How will it work after Google restrict side loading of apps? Only teck savvy users are and will be able to do it. Privacy and freedom should be the default, accessible to all, and not an option, reserved to some elites.
It shouldn't be needed.
And how does it works for lambda users? How will it work after Google restrict side loading of apps? Only teck savvy users are and will be able to do it. Privacy and freedom should be the default, accessible to all, and not an option, reserved to some elites.
@AnnaAntifa @pojntfx well, if they can't respect the EU law, they shouldn't be allowed in Europe.
Sjoerd Stendahl@pojntfx Honestly I will remain off the opinion the digital wallets are by itself a good idea, and could potentially be more privacy-friendly than traditional methods (thanks to granular sharing of information) and lessen dependence on big tech (the alternative is namely that the private market will do this).
Having said that, that’s only if implemented right. A dependency on Google Play services is worrying, and shows we still haven’t learned anything from the past years.
@sstendahl Yeah, if they used ZKs I can see a way to make it great. But nobody - not one single country, anywhere on earth - is doing that.
And it's not just Play Services here. Those we can emulate with e.g. the EU-funded microG. It's specifically SafetyNet/remote attestation. That one can't be swapped out in any way we currently know. It's a hard dependency on Google.
David Heijkamp@pojntfx @sstendahl not sure if this is what you meant, but in the Netherlands the municipality of Nijmegen introduced initial support for Yivi, also available on F-Droid. That seems close, or am I missing something? See: https://docs.yivi.app/
Yivi documentation | Yivi docs
Yivi is a privacy-first identity wallet solution designed to empower individuals with secure and seamless access to digital services. With Yivi, you are in full control of your personal information, sharing only what is necessary while safeguarding your privacy at every step.
@david @pojntfx I was mostly thinking of NLWallet, which is actually government backed/owned. As far as I know it’s ZKP, and it’s even open-ish (not GPL, but at least source-available). You can build it from source yourself.
But I’m not as knowledgeable on the matter as @pojntfx, so I could absolutely be missing something here on the implementation of zero knowledge here.
See their GitHub page here: https://github.com/MinBZK/nl-wallet
Patrick Zauner 
Misuse Case@pojntfx @sstendahl Part of the reason it’s being done like this, or at all, is that tech companies are lobbying for it!
Dragon
Dagnabbit, Pascaline! 💥It's completely crazy to order the world to submit to Apple/Google.
But by now, America has been doing all sorts of things that were unheard of before. They just push to get their way, if necessary start with absurd demands that they will 'tone down' so the others think they reached a compromise but that really gives America what it really wanted.
I think most politicians by now turned into profit and ego-driven maniacs, real Wannahaves who adore the Haves.
Sepia Fan
Democracy Matters :verified: (@[email protected])
Attached: 1 image I just noticed that BOTH Apple and Google have capitulated to the fever dreams of a dictator who shits himself and rapes children.
Martin
maya_b 🇨🇦
Gerard Cunningham ✒️@pojntfx All data eventually ends up with the palantir stasi
Pino Carafa@pojntfx It's a logical extension of phones running Apple or Google Operating Systems.
To remove that dependency we need to foster the development of an independent EU focused OS that can be installed on existing hardware or even subsidise EU based hardware. Not sure whether that could be, say, Nokia or a new player.
@pojntfx PS - sorry I thought you were based in the EU; not sure how I got that impression.
craignicol@pojntfx you'd think they'd look at how Apple, Google, Meta have responded to EU demands in the past, restricting functionality, removing features. Why would anyone choose to hand them a killswitch for fundamental access to society?
mjarteaga@pojntfx This scenario raises two main conflicts:
Availability and Access: The GDPR and EU principles require that access to fundamental rights not depend on third countries. Forcing a citizen to accept the terms and conditions of a private U.S. company in order to use their state-issued identity is viewed by many regulators as coercion that invalidates the “free consent” required by the GDPR. 1/2
Availability and Access: The GDPR and EU principles require that access to fundamental rights not depend on third countries. Forcing a citizen to accept the terms and conditions of a private U.S. company in order to use their state-issued identity is viewed by many regulators as coercion that invalidates the “free consent” required by the GDPR. 1/2
refraction 
@mjarteaga @pojntfx and who's gonna enforce the law of the state decides they won't? GDPR enforcement is already bad.
The Vampire Fish Queen@pojntfx Mitigation Measures in Germany and the EU 1/3
To prevent this technological “lock-in,” several measures are being implemented:
Alternatives Outside Official Stores: The EU is exerting pressure through the Digital Markets Act (DMA) to compel Apple and Google to allow the installation of apps from alternative sources (“sideloading”) and open access to their security chips without going through their accounts.
@pojntfx Mitigation Measures in Germany and the EU 2/3
Interoperability between Member States: According to the regulation, if the German wallet fails due to a lockout, citizens should be able to legally use any other certified wallet from another EU country to identify themselves for German services.
@pojntfx Mitigation Measures in Germany and the EU 3/3
Physical media as a backup: Germany maintains the physical ID card with a chip (nPA) as the primary “source of truth.” The wallet is only a digital representation; if the phone fails or is locked, the citizen can always use their physical card and a standard NFC reader to identify themselves. https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3433
https://www.vzbv.de/en/digital-markets-act-apple-and-google-fail-comply-certain-regulations
https://www.reddit.com/r/europrivacy/s/mgTR3gEoAr
@pojntfx Extraterritorial Surveillance:
There is a theoretical risk that, because it is integrated into the OS ecosystem, the manufacturer (under laws such as the U.S. Cloud Act) could be compelled to provide metadata on when and where the wallet is used, which conflicts with the GDPR’s prohibition on tracking. 2/2