Taxpayer money project being tied to a dependency on Apple google is 100% counter what that money should be used for.

You are copy pasting a “correct” argument against eu bureaucracy in the absolute wrong space

But things not in the launch can easily be deprioritized as budget issues indefinitely. “Oh why spend the money adding support for just a few people??” will be the line moving forward.

A 10% goal would be a good first step. Now excuse me while I read some tea leaves to find out if my trains will be on time tomorrow ( spoiler: they wont).

It's just a matter of creating a web app.

> Do all German hospitals serve vegan food?

Can't speak for Germany, but they do in the UK. It would be illegal discrimination against a belief for them not to.

While the example your provide is reasonable fair, the comparison is not.

For it to be fair comparison, the carrots would have to be grown by a foreign company, known for using unsafe growing practices, causing contamination. Eg, poison carrots. This same company would have to be under the control of a very hostile, very actively aggressive and threatening nation.

Such as one currently threatening to annex allies, among other things.

With the US literally tapping and spying on heads of foreign states:

https://en.wikipedia.org/wiki/German_Parliamentary_Committee...

and there being lots of ways to spy, such as push notifications:

https://www.reuters.com/technology/cybersecurity/governments...

Only insane people would objectively decide to use Google or Apple anything for any form of ID. Those platforms should literally be outlawed. Any use of push notifications or identity attention should be looked at as utter fantasy.

Here's a secret for you. There really isn't any urgent requirement to have an electronic identification method. It can wait. Supporting legislation can be passed first. There are lots of ways to do so.

For example, the entire EU could pass legislation stating that all cell phones have open source code available, including all binary blobs for drivers. And that all phones are unlockable, and that (for example) the phone has a version of the rom you can download without any Google services.

(If Apple isn't able to compete here, well... too bad)

The phones would not be legal to sell, unless the open source firmware was compiled in front of regulators. The point of this is another pet-peeve of mine, it would allow people to support their own phones, for that source code would be released the day that phone was no longer supported.

And yes, it's trivial to have open source firmware blobs. There just isn't a market for it. Pass a law, and sellers of SoC and other ICs will capitulate, or maybe more punitive laws will be passed against them. As someone once said, yes companies can have a lot of sway.

But governments have police, courts, and armies.

Right now, Android and Apple devices are a literal arm of the US government's spying apparatus, even if those two companies actively work against it.

Do not trust Google Play. Do not trust Firebase. Do not trust Google. At all.

Are Germans just too trusting? I remember 15 years ago, when nuclear power plants were closing, concerns were raised about the reliance on Russian natural gas. These were waved away. Russia? What's wrong with Russia! They're almost allies, they're capitalists now!

Don't do this again.

Do NOT trust Google. Don't. Don't make it a core part of any identity management.

Imagine, needing an active Google account to even bank! Or to file your taxes, or even to prove who you are!? Google cancels accounts with no recourse, no reason why, won't help anyone, and this is to be the core of identity management for Germany?

The average person won't even be able to install any German Government designed apps, unless they are on the Play store! Are you going to teach Grandma how to use ADB to install an app? Without an active Google Account, will you even be able to use push notifications?

Why would a government even allow ID to be blocked by the requirement that a company with terrible, horrible, inane customer service, which just kills accounts without recourse, be a gatekeeper?

No Google account, no ID! Wha!?

It's literally not sane.

Nah, I'm that one idiot who uses alternative open software and just accepts when services aren't offered to me. The older I get, the easier it feels to not give a fuck anymore.

Can't buy any single fare public transport tickets online here in Stuttgart? Sure, I'll use the DeutschlandTicket NFC card. Can't view the EPA? Fine then I don't. Can't pay with Wero? Fine, I don't actually need to use shops that don't offer SEPA Vorkasse or Lastschrift (only without a dodgy "identity verification" fintech startup of course.

Then maybe it shouldn't be done? What??

Yeah, let's burn the witches who care about privacy! Jokes aside, in a democracy, the systems must be designed so that everyone can participate. We manage to do it with voting, with income tax declaration, but for some strange reason, with ID we want to achieve 1984 nirvana, and crush the voices who tell us that the surveilance society we are building is just setting us up for the next Hitler.

> There are still people using old Nokia phones

No one wants support for toasters and washing machines. We're talking general purpose compute hardware. TCP is also supported on all these devices. Quite frankly, it's probably easier to implement, if you are not fighting a locked-down OS like iOS.

Sure, let's just arbitrarily exclude ~1million people because they're not running the government's preferred American spyware.

In fact „all“ citizens who are willing to be surveilled by Google and Apple, unless German government provides each citizen with similar eID hardware there won't be any digital equality any time soon. Maybe they should pay to some subsidiary company of IBM (like RedHat) to do this, they already have such a good track record of storing nationality on their machines /s

https://en.wikipedia.org/wiki/Dehomag#Holocaust

His wife and kids are sanctioned too. Sometimes it isn't even anything you did.

Sanctions are a bonus point argument, but shouldn't be a factor either. No citizen should be subjected to this, whether the company running it is American or German. Can you imagine if the Nazis had this level of control in the 1930s? Imagine having your ID digitally revoked, effectively cutting you out of society completely, without so much as an attic to hide in before it can happen. This is a completely dystopian legislation from start to finish. There is no possible way this can ever provide a benefit to the German people, it exists only to control them.

That's crazy.

Imagine cheering for the company that will block the criminal prosecutors investigating war crimes and genocide from having the ID at all(1) once the supporter of the investigated sanctions the law-abiding persons: https://www.whitehouse.gov/presidential-actions/2025/02/impo...

But anyway - why the requirement in the first place?

(1) because sanctioned person must not be allowed to create another account.

Agree on Smart-ID but the answer is to fix those flaws, not to replace the entire approach with one that depends on Google Play Integrity verdicts that even the German architects admit they can’t fully trust.

SIM-based solutions on their way out is a non-issue. For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.

There is mothing to be gained politically by doing this. You think you look good if you say “hey, the Poles had this really good idea, how about we do the same”?

Plus, the process is something like:

- we want to do $something

- hire consultants to help us define $something and produce a document

- hire other consultants to write the specs for the project

- launch an RFP

- select a winner

- wait for the implementation to finish

All the proposed solutions will be something paid, ideally made by a really large company to lend it credibility, and with maintenance costs that justify hiring dedicated people for it.

In the end no one gets what they want.

You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?

It is, mandated by the EU commission.

Instead they could have mandated the use of eIDAS 1 to all countries + extend it with attribute/credential support, and let countries choose their implementation (cards, SIM, server-side).

Instead we’re back to the drawing board with the big shortcomings highlighted in this thread.

Mobile Google account based is even weaker than hardware tokens used by banks. Make of that what you will.

Please give some evidence that this is due to hardware tokens failing where a smartphone based solution would have prevented it

If they use SSN as a password, it doesn't mean you can't have something slightly more reasonable without going full cyberpunk dystopia.

Okay, but Google certifies phones which are not updates for the last several years.

They can be trivially rooted, then they spoof the signature and get a pass in Integrity while being wide open for malware (or cooying the ID, ID presume).

> The less stupid variant is, of course, to get mobile operators to issue SIM cards with e-sign capabilities. Estonia has that, for example: https://www.id.ee/en/mobile-id/

It works great. Just keep in mind that newer phones are starting to deprecate physical SIM slots. At the same time certifying eSIM implementations to the same EAL level is an absolutely crazy task.

> You could run a modified client that lets you assume any identity you choose

Provided you know the secret key to a government-issued certificate. Making it impossible to copy said certificate is not really a requirement for identity verification.

But you can run modified client already.

Rooted, wildly insecure devices can pass the attestation easily: https://magisk.dev/modules/play-integrity-fix-inject/

Safe, updated devices cannot unless they permit Google to run their surveillance services in the privileged, unconstrained mode.

Who wrote that law and why, this is the question.

I think we need some fingerpointing that EU officials strive to avoid.

It will likely display something like a QR Code with signature anyways, otherwise it's just a glorified passport picture?

Authorities/anyone could verify that it's not counterfeit. And photo should be checked anyways to match the person.

So I also don't see the need for attestation. For ID check it should be ok without. For signing stuff ofc it is not resistant to copying. But EID smartcard function already exists.

What do you mean "shifting to smartphone"? It's not a natural process - it's a technical decision to shift them to the smartphone, and a really bad one. We already have smart cards, they work and do not depend on any corporations, even less foreign corporations.

OK, but Google will happily confirm android device running Oreo is safe.

While it's dramatically worse than devices Google refuses to certify (ie these not running their spyware as privileged services).

Oof, that's disappointing to hear. Thanks though, that's actually quite interesting.

I'm also thinking of keeping an android phone purely for auth purposes, separate from my main one. The world's most overengineered (and probably also less safe) Yubikey.

> If you read French

Let's see how far my five years of French at school will get me. I'm not getting my hopes up ;)

The nfc chips in identity documents

Germany is just part of EU - as many other people pointed out, there is no requirement from the EU to implement it this way. Same as California or New York making extremely Draconian laws around 3D printing doesn't represent all of US.

You are not required to accept anything other than digital ids. So from experience, whatever demands euid has will be what is required to identify you.

If they have to support something that most everybody has they will soon stop supporting alternatives that are not required by law. What then?

If it can go online, I'd prefer to use an android work (or user) profile with only auth apps in it, and nothing else.

As a separate device, it should be offline always IMO, and perhaps the size of a passkey. Or one of those banking devices with a display that show an authenticated text saying what you are confirming.

What if it was the size of a credit card and it had stuff like your name, date of birth and even a picture of your face. I want to name this invention an ID card…

Essential services (banks, government services, public transport) generally still support SMS as an alternative to their mobile apps when there's no completely offline process.

If you can't exist in society without a smart phone already, how is it going to get worse?

...without a smartphone that is surveilling you 24/7.

Private smartphones are excluded already.