Pinned
· 283 comments · 326 replies
In the README, the following is listed:
App and device verification based on Google Play Integrity API and Apple App Attestation
App and device verification based on Google Play Integrity API and Apple App Attestation
I would like to strongly urge to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU’s dependency on America and the USA’s control over the internet. Especially in the current political climate I hope I do not have to explain how undesirable and dangerous that is.
Furthermore I am surprised this is considered an important next step, given apps like the Dutch identity app Yivi (who has no such dependency) already exist and can be used for age verification by the government just fine (on the few select platforms that work with it). Yivi is even available on Open Source app stores like F-Droid.
I think Yivi’s existence should be sufficient proof that Google Play Integrity integration is unnecessary.
Yivi (formerly IRMA) homepage: https://yivi.app/en/
0 replies
0 replies
In addition, tying age verification to specific operating systems and their vendors (large American tech companies) violates two of the three principles listed elsewhere in this org:
made available to anyone who wants to use it
controlled by users
0 replies
0 replies
Digital sovereignty is a necessary step to reduce the risks of data processing. There should be no dependencies for external services from third parties at all since each one adds a whole ecosystem of potential security issues.
0 replies
This is insane, what’s the threat model? Someone remotely exploiting a device to steal proof of age of majority just to watch p__n (most common use case)? Is it even realistic? Why does this service need an app at all? Just create a modern web app, maybe even leveraging Digital Credentials API. I’m tired of app-for-everything.
0 replies
This happens because those who draft the technical specifications don’t know how the technologies they propose work.
As I’ve explained elsewhere, this is ridiculous. Here’s a brief excerpt from one of my posts elsewhere:
It’s incredible that the European Commission sanctions Google for abuse of dominant position and asks to open the operating system to other stores to allow “free” competition and you [the writer of technical specifications] impose the use of tools that exclude the free choice of the user and give to Google all the power of choice, that’s really INCREDIBLE…
It’s incredible that the European Commission sanctions Google for abuse of dominant position and asks to open the operating system to other stores to allow “free” competition and you [the writer of technical specifications] impose the use of tools that exclude the free choice of the user and give to Google all the power of choice, that’s really INCREDIBLE…
There are dozens of ways to secure these apps’ certificates without using proprietary systems. Not to mention that Play Integrity systems are 100% illegal.
0 replies
There are dozens of ways to secure these apps’ certificates without using proprietary systems.
There are dozens of ways to secure these apps’ certificates without using proprietary systems.
Does it need to protect those certificates at all? Maybe I’m too naive, but couldn’t this simply be implemented by verifying random challenge signed by a national identity provider?
User goes to p__n website
Website detects user is visiting from Europe
Website downloads them a file containing a random string
Website tells them to visit verifyage.gov.example
User logs via identity provider and uploads the file
Challenge is signed and downloaded through the browser
User goes back to the p__n website and uploads the file
Website verifies the challenge is signed by a trusted entity
Avoids having to protect the signed challenge at all since it’s single use, scheme is similar to authenticating with SSH or WebAuthn. I haven’t checked the architecture thorough, perhaps does something similar in the end with more bloat in between.
9 replies
Perhaps the logical conclusion would be that strict age verification just isn’t a useful thing to try, and instead parents should be encouraged to actually make use of the client-side filters that pretty much all smartphones have. I’ve made that argument here.
Perhaps the logical conclusion would be that strict age verification just isn’t a useful thing to try, and instead parents should be encouraged to actually make use of the client-side filters that pretty much all smartphones have. I’ve made that argument here.
I agree, however given the people* currently see the internet helped by certain incidences (*cough* Roblox *cough*) I’m not very hopeful that this view will change in the near future. Maybe it could change once the system is implemented and fails horribly but that will take time.
* Note: With “people” I don’t just mean politicians. I’ve heard this from clueless parents as well as people from the “I’ve nothing to hide”-crowd that truly believe there is no way this could ever go wrong.
What the hell is a p__n website?
Porn, pornography. I see no reason fo the self-censorship here.
I was just following the format of the post I was originally responding to
0 replies
Fuck Google
0 replies
A mandatory Google account is unacceptable in a OSS Project
1 reply
*FOSS
Getting access to a website as a EU citizen by accepting the TOS of EU-penalized American megacorp is peak 1984.
0 replies
Besides the privacy issues, this feels like South Korea’s IE6 problem back in the days, everything was so tied and dependent on it, that they couldn’t get rid of it. But I guess we are just humans repeating mistakes, getting influenced by lobbyists, uninformed people, people who can’t imagine how things will look like in 10 or more years
0 replies
This would be massive hinderance to all South EU states, where adoption of non google phones is large.
This would be also massive dependency on google.
Furthermore, why on earth are you building digital ids but then not doing IDPs, then forcing users to use some extra app for agecheck… they and their OS maintains…
It is bad UX, it causes issues, not sure if adds any security.
0 replies
I work in cybersecurity and this is a privacy and security nightmare. Just stop.
Using a EU-controlled website with national credentials like it is proposed here #18 is the only reasonable solution.
Or maybe just do not implement this at all. People are going to go to p*** websites a way or another anyway.
1 reply
This is one sane response.
I will word it differently: if this cannot be implemented without hurting A LOT OF PEOPLE, then maybe it should not be implemented to solve just one problem. Their solution is simply dangerous and will hurt a lot of people, additionally will destroy computing by turning it into a closed cage.
Did my comment about my 1984 comment getting removed really get removed??
Damn.
Tells me all I need to know.
1 reply
see no evil, hear no evil, speak no evil 😂
This is a measure to ban general computers. We will all be made to give up real computers and own a locked phone with telescreen features and censorship.
2 replies
Waiting for the EU to do an “universal bootloader unlock” law….
That’s exactly it. Just in a frog boiling mode.
Do not let boil yourself. Age checks today, locked hardware tomorrow. Australia ALREADY INCREASED FINES for bypassing age checks, next step will be a mandatory “locked hardware” to stop bypassing age checks. The UK ALREADY EXPANDED age checks from porn to “harmful content”.
THEY WILL NOT STOP.
Remember that EU actions, for better or worse, are imitated all over the world.
1 reply
It’s more like all the politicians are corrupts and taking order from oligarchs and private lobbies
If the concern is Russian farms offering automated ID verification for a cost, do note that this “security” can and will be spoofed, with a new method appearing almost a few days after the current one is patched. It will only hurt legitimate users.
24 replies
Remember the goold old days where biometrics and creepy surveillance were seen as dystopian? 😂
Talking about effectiveness: the only way to make sure someone does not kill someone else is to cut his arm and legs, remove his teeth too, so this is probably what nukeop wants too
That’s actually what you want, you keep saying it’s not effective enough.
My opinion is “fuck this shit”
A reason for that is “it will never work”
Another is “they’re not doing it for “the kids”″
No, the idea is that it only hurts legitimate users who simply do not want Android or iOS, and it’s not even effective against the ones it attempts to block (and no sane system can be). So the best way is not to have it.
There will be more sale points of verified accounts than you could ever imagine. With or without any attestation. What is more, EU already CREATED underground money for that. Congrats EU! If you want to build the biggest underground our world has seen, then you are on a right path.
WHy not use something like this? Unified Attestation?? Single backend · Offline verification · No device IDs Attestation that feels boringly reliable.
Unified Attestation is a free, open-source alternative to Google Play Integrity. It delivers short-lived integrity tokens signed by a single backend, verified offline by app servers, and issued via a privileged Android system service. It can live alongside Play Integrity, and it’s simple to integrate for app developers on both the app and server sides.
An initiative by Volla Systeme GmbH. Volla Systeme GmbH is a Gemran based Company so European what means that this would make more sense as using a American controlled services that locks people into the Stock roms that can and will harvest data with no option to disable data harvesting, forced cloud account to install applications over the intended way and other anti features the EU doesn’t stand for based on the Privacy regulation (i am just assuming and hoping here).
12 replies
Unified Attestation has the same problems. It just puts a different group of companies in charge doing the same bullshit that play integrity does.
there should be a fork that removes all Antifeatures like Play integirty and face scanning as that also requires api’s that are only found in google play services or only work on vanilla play services device and don’t or function worse on alternatives like microG.
there should be a fork that removes all Antifeatures like Play integirty and face scanning as that also requires api’s that are only found in google play services or only work on vanilla play services device and don’t or function worse on alternatives like microG.
There cannot be a fork. Paradoxically, the source is libre, but you can’t modify it in practice, because it relies on some attestation to work and this is enforced by all parties.
The truth is that these people don’t give a fuck about you and everything they do is for the single purpose of screwing you, and maybe make some profit along the way