Felicitas Pojtinger 🌅So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
nasd1066If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
I've said it before an I'll say it again: This entire project of identity verification with Apple/Google-account bound mobile devices is going to lead the continent down a dark, dark path into full technological submission to the US
https://mastodon.social/@pojntfx/116345725515845020
A bit of an explanation
Tom@pojntfx that Google dependency is unacceptable. That said, there is no reason (other than "they want to") to require a Google account to use the Play store (to download free apps). From a GDPR perspective, that is already a breach of the law, and already should have been fixed.
@tdelmas The whole remote attestation thing should be dropped from the proposal. The rest of it is unfortunate (no ZKs at all, just signed credentials), but the remote attestation part is truly asinine. I have no idea how and why that decision was made. The people behind this are adding a path dependency on Google/Apple on something as simple as showing your ID to buy alcohol.
Luna Dragofelis ΘΔ🏳️⚧️🐱
Bas Schouten@LunaDragofelis @tdelmas @pojntfx My bank dropped this years ago, I don't know any security researcher that actually believes this either. They probably just haven't had anyone competent look at it yet.
Hopefully this will be fixed, I'm not in Germany, but as someone who doesn't have a Google or Apple account, I'd be pretty annoyed if I couldn't use eIDAS. (Although I'll happily waste public money by doing paper tax filings if it'd get there :P)
Benedikt Wi@LunaDragofelis @tdelmas @pojntfx this issue was addressed eight months ago via their GitLab repo, so hopefully they've thought about it, but still they didn't change anything: https://gitlab.opencode.de/bmi/eudi-wallet/wallet-development-documentation-public/-/issues/2
EloPup
Marcel Geveler
Hanno Rein
theHastyOne@hannorein @unnon89 @EloPup @pojntfx @tdelmas never attribute malice to that which can be adequately explained by stupidity.
Lea
zombiecide 馬雄@ahasty any reasonably advanced stupidity is indistinguishable from malice
@zombiecide the real malice is how society seems to give the most power to the stupidest people
@ahasty I gave you a light-hearted way out of that direction, would've been nice if you took it
Hanlon's razor, while considered philosophical, is basically an emotional coping skill used to counteract certain types of rumination (caused by seeing current negative interaction as threat because of past trauma or learned behaviour)
emotional coping on its own, however, is of little use when dealing with current threats
and Hanlon's razor is not actually a very good emotional coping skill either
@ahasty so while I empathize with the resignation and despair I would feel if I said what you said (and I might've said at one time), I also think society isn't in itself an entity that can think and give power to anybody, it's people who looked at the laws and the media and who decided to play as dirty as they could to gain power, and they're self-serving and some, actively malicious, and I need to do what I can to counteract this - in this case, help ensure access to services without eIDAS
algol
Lillian Violet
higgins@hannorein @unnon89 @EloPup @pojntfx @tdelmas There were several comments from the public to the EU about requiring google "phone home" APIs when the EU Commission published a reference implementation for digital wallets. Met with shoulder shrugs about "it's only a reference implementation, no state is forced to use it". Which is an astoundingly strange comment about a _reference_ implementation. So they knew and were told repeatedly. Either they are criminally incompetent, corrupt, or both.
Mark Koek@higgins @hannorein @unnon89 @EloPup @pojntfx @tdelmas I don’t think it works to cry “corruption” any time there is a proposal you disagree with. In a democracy there are always proposals you disagree with. Argue against them. Forcefully if you have to. You will find that often, your opponents will take the opportunity to improve based on what you are saying. Unless of course you start out by calling them criminals.
Krzysztof Sakrejda
Nicole ParsonsTech companies writing their own rules is a "regulatory hijack"
What happens if their age verification app is hacked?
Or if these corporations are sold, bankrupt, amalgamated, or nationalized by the state?
Privatization or financialization of the means for assuring identification is a very bad idea.
Remember who invests in both Google & Apple.
https://www.businessinsider.com/saudi-arabia-crown-prince-visits-apple-google-2018-4
https://www.cnbc.com/2018/04/07/heres-a-look-at-who.html
This is just another effort by fossil fuel funded fascism.
oriYes, but the tech companies have the ability to pay the right experts to walk by them all day and provide explanations about how this is ok, really.
CC: @[email protected] @[email protected]
CC: @[email protected] @[email protected]
ww 🩶@pojntfx @tdelmas as long as age checks are anonymous and allow a generous ratelimit, remote attestation is required to maintain the integrity of the system, that's probably why
like, if i can make a custom android rom and automate issuing age proofs, then transmit them anywhere i want, then i can also create a fake miniwallet that would allow anyone to pass the age verification flow using my proofs. for a low price of 5 euros!
i personally don't think that age verification is a good idea, and even if it has to happen, remote attestation creates more problems than it solves. people will find ways to bypass age checks regardless, so this only closes one of the gaps, while excluding a fair amount of people. but i imagine this was one of the concerns that led to the decision to make it a requirement.
like, if i can make a custom android rom and automate issuing age proofs, then transmit them anywhere i want, then i can also create a fake miniwallet that would allow anyone to pass the age verification flow using my proofs. for a low price of 5 euros!
i personally don't think that age verification is a good idea, and even if it has to happen, remote attestation creates more problems than it solves. people will find ways to bypass age checks regardless, so this only closes one of the gaps, while excluding a fair amount of people. but i imagine this was one of the concerns that led to the decision to make it a requirement.
Li ~ Crystal System
Roxy ⭐ (she/her)
Diogo Constantino
Sjoerd Stendahl@pojntfx Honestly I will remain off the opinion the digital wallets are by itself a good idea, and could potentially be more privacy-friendly than traditional methods (thanks to granular sharing of information) and lessen dependence on big tech (the alternative is namely that the private market will do this).
Having said that, that’s only if implemented right. A dependency on Google Play services is worrying, and shows we still haven’t learned anything from the past years.
@sstendahl Yeah, if they used ZKs I can see a way to make it great. But nobody - not one single country, anywhere on earth - is doing that.
And it's not just Play Services here. Those we can emulate with e.g. the EU-funded microG. It's specifically SafetyNet/remote attestation. That one can't be swapped out in any way we currently know. It's a hard dependency on Google.
David Heijkamp@pojntfx @sstendahl not sure if this is what you meant, but in the Netherlands the municipality of Nijmegen introduced initial support for Yivi, also available on F-Droid. That seems close, or am I missing something? See: https://docs.yivi.app/
Yivi documentation | Yivi docs
Yivi is a privacy-first identity wallet solution designed to empower individuals with secure and seamless access to digital services. With Yivi, you are in full control of your personal information, sharing only what is necessary while safeguarding your privacy at every step.
@david @pojntfx I was mostly thinking of NLWallet, which is actually government backed/owned. As far as I know it’s ZKP, and it’s even open-ish (not GPL, but at least source-available). You can build it from source yourself.
But I’m not as knowledgeable on the matter as @pojntfx, so I could absolutely be missing something here on the implementation of zero knowledge here.
See their GitHub page here: https://github.com/MinBZK/nl-wallet
Patrick Zauner 
Misuse Case@pojntfx @sstendahl Part of the reason it’s being done like this, or at all, is that tech companies are lobbying for it!
Dagnabbit, Pascaline! 💥It's completely crazy to order the world to submit to Apple/Google.
But by now, America has been doing all sorts of things that were unheard of before. They just push to get their way, if necessary start with absurd demands that they will 'tone down' so the others think they reached a compromise but that really gives America what it really wanted.
I think most politicians by now turned into profit and ego-driven maniacs, real Wannahaves who adore the Haves.
Sepia Fan
Democracy Matters :verified: (@[email protected])
Attached: 1 image I just noticed that BOTH Apple and Google have capitulated to the fever dreams of a dictator who shits himself and rapes children.
Martin
maya_b 🇨🇦
Gerard Cunningham ✒️@pojntfx All data eventually ends up with the palantir stasi
mjarteaga@pojntfx This scenario raises two main conflicts:
Availability and Access: The GDPR and EU principles require that access to fundamental rights not depend on third countries. Forcing a citizen to accept the terms and conditions of a private U.S. company in order to use their state-issued identity is viewed by many regulators as coercion that invalidates the “free consent” required by the GDPR. 1/2
Availability and Access: The GDPR and EU principles require that access to fundamental rights not depend on third countries. Forcing a citizen to accept the terms and conditions of a private U.S. company in order to use their state-issued identity is viewed by many regulators as coercion that invalidates the “free consent” required by the GDPR. 1/2
refraction 
@mjarteaga @pojntfx and who's gonna enforce the law of the state decides they won't? GDPR enforcement is already bad.
The Vampire Fish Queen@pojntfx Mitigation Measures in Germany and the EU 1/3
To prevent this technological “lock-in,” several measures are being implemented:
Alternatives Outside Official Stores: The EU is exerting pressure through the Digital Markets Act (DMA) to compel Apple and Google to allow the installation of apps from alternative sources (“sideloading”) and open access to their security chips without going through their accounts.
@pojntfx Mitigation Measures in Germany and the EU 2/3
Interoperability between Member States: According to the regulation, if the German wallet fails due to a lockout, citizens should be able to legally use any other certified wallet from another EU country to identify themselves for German services.
@pojntfx Mitigation Measures in Germany and the EU 3/3
Physical media as a backup: Germany maintains the physical ID card with a chip (nPA) as the primary “source of truth.” The wallet is only a digital representation; if the phone fails or is locked, the citizen can always use their physical card and a standard NFC reader to identify themselves. https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3433
https://www.vzbv.de/en/digital-markets-act-apple-and-google-fail-comply-certain-regulations
https://www.reddit.com/r/europrivacy/s/mgTR3gEoAr
@pojntfx Extraterritorial Surveillance:
There is a theoretical risk that, because it is integrated into the OS ecosystem, the manufacturer (under laws such as the U.S. Cloud Act) could be compelled to provide metadata on when and where the wallet is used, which conflicts with the GDPR’s prohibition on tracking. 2/2
Dźwiedziu@pojntfx
You don't need to wait, nor for the US to be involved.
Sassinake! ᑐ ∪ ∩ ⊂
Bebef 🦦🇪🇺🏴☠️🏳️🌈🏳️⚧️🚙🐼🥦🚩🏴@pojntfx As much as I am with you on the whole "account needed" thing, I think not being able to show a digital license on my phone will imepede my ability of being a functional member of society.
Or, to put it another way, you basically wrote "Everyone without a digital license no longer is a functioning member of society", which is just plain wrong.
@pojntfx Thing is: we must NEVER accept any digital-only solution for things like this (IDs, license etc.). Analouge/offline life must ALWAYS be possible!
...regardless of where it's hosted.
contranym@Bebef @pojntfx yeah, i know you can take a picture of your license here in the us and give your phone to a cop in some places, but i would never. rather just hand over my physical license card i paid way too much money for and always carry with me outside the house. just like my phone, but im not handing that to anyone, nor my physical wallet.
@makeitmythic @pojntfx "Too much money" is a funny thing to say for a US driving license. German prices are in the $4k ball park.
Not trying to diminish anything, just giving a point of reference.
Mr. Lance E Sloan (IRL) 👤@pojntfx
It seems like *compatibility* with Apple or Google services for the German electronic ID wallet would be fine, but *dependence* on them is a *huge* mistake.
It seems like *compatibility* with Apple or Google services for the German electronic ID wallet would be fine, but *dependence* on them is a *huge* mistake.
Flauschfläche 
@pojntfx the idea to show your unlocked phone for identification is flawed anyway. Anyone that ever had bad experience with cops would never do that.
Trolli Schmittlauch 🦥@pojntfx
Regarding the "not participating in society":
The eIDAS directive includes a guarantee that identification still needs to be possibly by analog means. So it's at least a loss of comfort, but alternatives must exist.
Still a bad move.