· 282 comments · 325 replies
In the README, the following is listed:
App and device verification based on Google Play Integrity API and Apple App Attestation
I would like to strongly urge to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU's dependency on America and the USA's control over the internet. Especially in the current political climate I hope I do not have to explain how undesirable and dangerous that is.
Furthermore I am surprised this is considered an important next step, given apps like the Dutch identity app Yivi (who has no such dependency) already exist and can be used for age verification by the government just fine (on the few select platforms that work with it). Yivi is even available on Open Source app stores like F-Droid.
I think Yivi's existence should be sufficient proof that Google Play Integrity integration is unnecessary.
Yivi (formerly IRMA) homepage: https://yivi.app/en/
0 replies
0 replies
In addition, tying age verification to specific operating systems and their vendors (large American tech companies) violates two of the three principles listed elsewhere in this org:
0 replies
0 replies
Digital sovereignty is a necessary step to reduce the risks of data processing. There should be no dependencies for external services from third parties at all since each one adds a whole ecosystem of potential security issues.
0 replies
This is insane, what's the threat model? Someone remotely exploiting a device to steal proof of age of majority just to watch p__n (most common use case)? Is it even realistic? Why does this service need an app at all? Just create a modern web app, maybe even leveraging Digital Credentials API. I'm tired of app-for-everything.
0 replies
This happens because those who draft the technical specifications don't know how the technologies they propose work.
As I've explained elsewhere, this is ridiculous. Here's a brief excerpt from one of my posts elsewhere:
It's incredible that the European Commission sanctions Google for abuse of dominant position and asks to open the operating system to other stores to allow "free" competition and you [the writer of technical specifications] impose the use of tools that exclude the free choice of the user and give to Google all the power of choice, that's really INCREDIBLE...
There are dozens of ways to secure these apps' certificates without using proprietary systems.
0 replies
There are dozens of ways to secure these apps' certificates without using proprietary systems.
Does it need to protect those certificates at all? Maybe I'm too naive, but couldn't this simply be implemented by verifying random challenge signed by a national identity provider?
Avoids having to protect the signed challenge at all since it's single use, scheme is similar to authenticating with SSH or WebAuthn. I haven't checked the architecture thorough, perhaps does something similar in the end with more bloat in between.
9 replies
Perhaps the logical conclusion would be that strict age verification just isn't a useful thing to try, and instead parents should be encouraged to actually make use of the client-side filters that pretty much all smartphones have. I've made that argument here.
I agree, however given the people* currently see the internet helped by certain incidences (*cough* Roblox *cough*) I'm not very hopeful that this view will change in the near future. Maybe it could change once the system is implemented and fails horribly but that will take time.
* Note: With "people" I don't just mean politicians. I've heard this from clueless parents as well as people from the "I've nothing to hide"-crowd that truly believe there is no way this could ever go wrong.
Please listen the ongoing issues with the Italian Wallet related to Play Integrity:
mega thread:
Duplicates:
0 replies
0 replies
Getting access to a website as a EU citizen by accepting the TOS of EU-penalized American megacorp is peak 1984.
0 replies
Besides the privacy issues, this feels like South Korea's IE6 problem back in the days, everything was so tied and dependent on it, that they couldn't get rid of it. But I guess we are just humans repeating mistakes, getting influenced by lobbyists, uninformed people, people who can't imagine how things will look like in 10 or more years
0 replies
This would be massive hinderance to all South EU states, where adoption of non google phones is large.
This would be also massive dependency on google.
Furthermore, why on earth are you building digital ids but then not doing IDPs, then forcing users to use some extra app for agecheck... they and their OS maintains...
It is bad UX, it causes issues, not sure if adds any security.
0 replies
I work in cybersecurity and this is a privacy and security nightmare. Just stop.
Using a EU-controlled website with national credentials like it is proposed here #18 is the only reasonable solution.
Or maybe just do not implement this at all. People are going to go to p*** websites a way or another anyway.
1 reply
Let's be honest.... Normal people who root their devices won't try to crack or tamper the app or bypass protections. Also.... If you care about the files of the app in /data/data/com.package.name you could just encrypt the most important ones even with a key generated during the first open of the app which will use entropy. What can do root now? Is the problem stuff like http toolkit? Detect it and in case block it or block adb, but even if someone can know what calls the app does, the app is opensource anyway so there is no point in doing it... You see? What is the point of fighting root? Are you scared that someone could replace the ID or values used during verification process? Don't store them but use identifiers and immediately drop them after verification is successful. This way unless the person provides a valid ID immediately they will fail to verify. Play integrity is unnecessary, are you scared of people tampering the apk itself? Add signature verification to the apk, if that's tampered app will fail to start displaying signature doesn't match. Are you scared someone will anyway beat the app internal signature system? Verify it as well by a server check. Again, play integrity being useless.
7 replies
If the key is on your smartphone, some people are going to manage to extract theirs at some point no matter what security through obscurity attestation stuff is in the way...
You see? What is the point of fighting root? Are you scared that someone could replace the ID or values used during verification process?
They don’t want people to pull the private key and host a fake age verification service where you can download or buy age attestation from a server.
As I said, if this key would be server side there would be no way of replacing it
At this point just make it server-side, instead of turning citizens' "phones" into your servers and sheep.
11 replies
I mean, the whole thing is public knowledge
"Star of That ‘70s Show and a host of Hollywood hits, 45-year-old Kutcher resigned as chairman of the Thorn board in mid-September amid uproar over a letter he wrote to a judge in support of convicted rapist and fellow That ‘70s Show actor Danny Masterson, prior to his sentencing."
2 replies
That's exactly it. Just in a frog boiling mode.
Do not let boil yourself. Age checks today, locked hardware tomorrow. Australia ALREADY INCREASED FINES for bypassing age checks, next step will be a mandatory "locked hardware" to stop bypassing age checks. The UK ALREADY EXPANDED age checks from porn to "harmful content".
THEY WILL NOT STOP.
If the concern is Russian farms offering automated ID verification for a cost, do note that this "security" can and will be spoofed, with a new method appearing almost a few days after the current one is patched. It will only hurt legitimate users.
24 replies
Remember the goold old days where biometrics and creepy surveillance were seen as dystopian? 😂
Talking about effectiveness: the only way to make sure someone does not kill someone else is to cut his arm and legs, remove his teeth too, so this is probably what nukeop wants too
My opinion is "fuck this shit"
A reason for that is "it will never work"
Another is "they're not doing it for "the kids""
No, the idea is that it only hurts legitimate users who simply do not want Android or iOS, and it's not even effective against the ones it attempts to block (and no sane system can be). So the best way is not to have it.
WHy not use something like this?
Unified Attestation is a free, open-source alternative to Google Play Integrity. It delivers short-lived integrity tokens signed by a single backend, verified offline by app servers, and issued via a privileged Android system service. It can live alongside Play Integrity, and it’s simple to integrate for app developers on both the app and server sides.
An initiative by Volla Systeme GmbH.
12 replies
Unified Attestation has the same problems. It just puts a different group of companies in charge doing the same bullshit that play integrity does.
there should be a fork that removes all Antifeatures like Play integirty and face scanning as that also requires api's that are only found in google play services or only work on vanilla play services device and don't or function worse on alternatives like microG.
There cannot be a fork. Paradoxically, the source is libre, but you can't modify it in practice, because it relies on some attestation to work and this is enforced by all parties.
The truth is that these people don't give a fuck about you and everything they do is for the single purpose of screwing you, and maybe make some profit along the way
Very true. Who gives a damn about user privacy, when they can make trillions and beyond fucking out of the data. Also, none of this is about helping a child stay away from p**n, rather, gaining full control over everything citizen does. Safety my foot.
Whatever the "security measures", if a child wishes to access a restricted website, they can just... bribe someone into scanning the QR code on their behalf. It is not more secure with the "attestation". It only hurts legitimate users who want freedom.
0 replies
Will it work on a Nokia 3310, or on my laptop? I don't own a smartphone.
0 replies
A big problem I see here is that the EU commission requires people
Trump merely amplifies and extends this problem here, but the
Also, this attempts to require of everyone to have a smartphone
6 replies
Also, this attempts to require of everyone to have a smartphone in the first place.
I'm not sure how this will work either. Perhaps a solution has been proposed and I just haven't seen anyone mention it? It also means they need a Google account (which I do not have...) and that the phone must be charged. Phone stipend I guess? Plus a yearly cheque from Google for all the data they harvest from me.
Actually those are public corporations, not private
In continental Europe, "public" means government-managed; "private" means non-government-managed. The English world considers everything from the monetary point of view. The rest of the world doesn't.
In the README, the following is listed:
App and device verification based on Google Play Integrity API and Apple App Attestation
No, there's not.
0 replies
Stop hardware attestation at all cost. This is the final warning, if you keep ignoring it, age verification will be a small inconvenience compared to the nightmare which any "attestation" brings.
WAKE UP PEOPLE BEFORE IT'S TOO LATE
You will literally destroy computing if you agree to any "attestation".
DO NOT AGREE TO THEIR DEMANDS, DO NOT NEGOTIATE WITH TERRORISTS. DO NOT USE HARDWARE ATTESTATION AND AGE CHECKS.
0 replies
I dont believe in age verification at all. Its some more east german stasi bs. Where is freedom? Every youngster will probably go to tor or whatever to access a social network is that what we want? While they are at it they might get up to slightly more nefarious dark web things like ordering a hit on their teach.
1 reply