makerofthings 8 hours ago
Requiring people to use products from one of two private American companies with a bad track record of locking people out of their accounts is more than “not great”. Some things are better not done if they can’t be done well.

spwa4 6 hours ago
So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away. Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...

miki123211 5 hours ago
I'm not sure I want my government to develop that technology. Government software is usually low-quality, expensive procurement crap, often riddled with security holes, and an exercise in checkbox checking. UX and user friction can't be expressed as a verifiable clause in a procurement contract, so they're ignored. Besides, every time EU governments tried to force smartphone manufacturers to pre-install government apps, the population freaked out over (unwarranted) surveillance concerns. This isn't something you can do without pre-installing apps (you don't want these APIs opened up because then attestation loses all meaning).

subscribed 4 hours ago
In case of Android - AOSP attestation. Not necessarily the company that locks out an entire family because one of the family members jacked off on the chat with a Gemini model.

xorcist 5 hours ago
That seems like a weak argument to require attestation? What would attestation prevent in that scenario, specifically?

spwa4 3 hours ago
Oh I see your confusion. It is not trying to prove it's not cheating with the UI (or remote control, or ...) to the owner of the phone. It's proving to the owner of the website (or app, or SIM, or ...) that it's really the user agreeing to the contract on the screen. Or, more to the point, it's proving it to courts after the fact so they'll convict the owner of the phone rather than the business or government. The scenario it would prevent is that a government gets a filled-in form with someone requesting unemployment benefits, or reimbursement for a medical procedure on account X ... and then the government finds out after payment, later, in court, that the owner of the phone never agreed to it and it needs to pay it out again (because of the claim, true or not, that a scammer initiated the payment agreement in some way rather than the owner). Same for a business and agreeing to a loan and ... It is NOT to protect you, the owner of the phone, against scammers (it does not really do that at all), it is to protect companies and especially governments AGAINST the owner of the phone. It is a way to fire most EU government employees by allowing automation that currently can't work because you can't legally trust phone and internet automation to be binding in court.

GoblinSlayer 2 hours ago
Do you imply that Google can prove such a thing or is it just security theater for (((compliance)))? AFAIK attestation attests hardware, not software, but hardware attestation is self-contained and doesn't require any remote cartel permission, cf. YubiKey attestation.

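The two preceding comments describe what attestation actually proves: the relying party (not the phone's owner) learns that a manufacturer-certified device signed the exact transaction text its trusted UI displayed, and it can check this offline with nothing but the manufacturer's root public key. The Go program below is an added toy model of that flow, written for this thread; it is not Apple's, Google's, AOSP's or YubiKey's real protocol. The certificate format, the `example-phone-v1` model string, the challenge value and the transaction strings are all constructed for the example. It runs three cases: a genuine device, a key with no manufacturer certificate (an emulator or self-signed key), and a genuine device whose user approved different text than the relying party expected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeviceCert is a minimal stand-in for a manufacturer-issued attestation
// certificate: the root signs the device model and the device public key.
type DeviceCert struct {
	Model     string
	DevicePub ed25519.PublicKey
	RootSig   []byte // root signature over certTBS(Model, DevicePub)
}

// Attestation is what the device returns to the relying party.
type Attestation struct {
	Cert      DeviceCert
	Challenge []byte
	Text      string // transaction text as rendered by the attested UI
	Sig       []byte // device signature over attestTBS(Challenge, Text)
}

// certTBS is the to-be-signed encoding of a device certificate
// (length-prefixed model, then raw public key).
func certTBS(model string, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint16(len(model)))
	b.WriteString(model)
	b.Write(pub)
	return b.Bytes()
}

// attestTBS binds the relying party's challenge to the displayed text so a
// signature cannot be replayed for a different session or a different text.
func attestTBS(challenge []byte, text string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint16(len(challenge)))
	b.Write(challenge)
	b.WriteString(text)
	return b.Bytes()
}

// IssueDeviceCert models the one-time factory step: the manufacturer root
// certifies a per-device key.
func IssueDeviceCert(rootPriv ed25519.PrivateKey, model string, devPub ed25519.PublicKey) DeviceCert {
	return DeviceCert{Model: model, DevicePub: devPub, RootSig: ed25519.Sign(rootPriv, certTBS(model, devPub))}
}

// DeviceAttest models the device signing what its trusted UI actually showed.
func DeviceAttest(devPriv ed25519.PrivateKey, cert DeviceCert, challenge []byte, shownText string) Attestation {
	return Attestation{Cert: cert, Challenge: challenge, Text: shownText, Sig: ed25519.Sign(devPriv, attestTBS(challenge, shownText))}
}

// Verify is the relying party's offline check: only the manufacturer root
// public key is needed, no online call to anyone.
func Verify(rootPub ed25519.PublicKey, a Attestation, expectedChallenge []byte, expectedText string) error {
	if !ed25519.Verify(rootPub, certTBS(a.Cert.Model, a.Cert.DevicePub), a.Cert.RootSig) {
		return errors.New("device key not certified by trusted root")
	}
	if !bytes.Equal(a.Challenge, expectedChallenge) {
		return errors.New("challenge mismatch (possible replay)")
	}
	if !ed25519.Verify(a.Cert.DevicePub, attestTBS(a.Challenge, a.Text), a.Sig) {
		return errors.New("device signature invalid")
	}
	if a.Text != expectedText {
		return fmt.Errorf("user approved %q, relying party expected %q", a.Text, expectedText)
	}
	return nil
}

// Scenario returns the verification result for a genuine device, a forged
// (uncertified) key, and a genuine device that signed different text.
func Scenario() (genuine, forged, mismatch error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueDeviceCert(rootPriv, "example-phone-v1", devPub) // constructed model name

	challenge := []byte("constructed-nonce-0001") // constructed relying-party nonce
	const coffee = "Pay 10 EUR to Coffee Place"      // constructed transaction text

	genuine = Verify(rootPub, DeviceAttest(devPriv, cert, challenge, coffee), challenge, coffee)

	// A key with no manufacturer certificate (e.g. an emulator) can only self-sign.
	fakePub, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	fakeCert := IssueDeviceCert(fakePriv, "example-phone-v1", fakePub)
	forged = Verify(rootPub, DeviceAttest(fakePriv, fakeCert, challenge, coffee), challenge, coffee)

	// The trusted UI displayed, and the device signed, a different transaction.
	other := DeviceAttest(devPriv, cert, challenge, "Pay 10000 EUR to Other Party")
	mismatch = Verify(rootPub, other, challenge, coffee)
	return
}

func main() {
	g, f, m := Scenario()
	fmt.Println("genuine device:", g)
	fmt.Println("uncertified key:", f)
	fmt.Println("text mismatch:", m)
}
```

Note what the model does and does not show: the forged and mismatched cases fail for the relying party, which is the protection the thread describes; a user tricked by an overlay into approving "10000 EUR to Other Party" still produces a perfectly valid attestation for that text, so the check protects the party that receives the signature, not the person holding the phone.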
spwa4 11 minutes ago
The EU is trying to make a standard that courts will enforce because EU politicians (the commission, not parliament) really want that. But all EU countries are trying to save cash without touching what's causing the money problem (that would be pensions, there is no way in hell EU governments can spend what's required to keep pensions going as is even in 2026. In the past they spent all the pension money instead of investing and now they have to start paying it back, except they can't. And if they touch pensions ... well there's a French joke. It goes something like this: "One of the greatest accomplishments of the 20th century is that you can see Paris from space. Look, there it is, that flame right there ...") So they're just going to use the Apple/Google standards and declare the job done. So it's theater from all sides. Politicians will pretend this is a good solution because they don't want to spend real money, and they really want to tempt EU kids to get loans on their smartphones because, you know, in the EU you're protected from companies exploiting you. Of course, that just means governments will have to do it instead.

ExoticPearTree 5 hours ago
There are no alternatives. I mean you could use Huawei and others, but the FUD campaigns against Chinese manufacturers were pretty aggressive in the EU.

mytailorisrich 7 hours ago
Yes but in the real world all smartphones are either Apple or Android. Europe has zero footprint in either software or hardware. It is not creating a requirement to use specific products, it is using the products people already have. So one may argue that the implementers are only taking the pragmatic approach regarding something that is out of their hands.

subscribed 4 hours ago
It literally has created the dependency on Google even though Android offers the standard/generic AOSP attestation. Also you weirdly forget all the Chinese phones. There's also some tiny European brand which will have absolutely no way to limit their users' dependency on the famously hostile and uncontactable provider.

FabHK 3 hours ago
Most Chinese smartphones run Android (Huawei uses HarmonyOS).

jonathanstrange 7 hours ago
We're talking about an essential government service, not just another weather app. You have to look at this through the lens of national security, the debate about EU digital sovereignty, and the requirements of the GDPR in light of the US CLOUD Act, as well as prior decisions of EU courts about these issues.

mytailorisrich 7 hours ago
Yes, all that you wrote is true. But that does not magically change anything about what I previously stated: in the real world all smartphones are either Apple or Android... I don't know what eIDAS 2.0 requires in terms of security but it may make the choice the implementers made here unavoidable in practice, as hinted by @webhamster. If so, it seems that a solution, if technically possible, might be to mandate that OSes provide the required security features without tie-in. The outrage in the comments feels a bit like people yelling at clouds...

Hackbraten 3 hours ago
> in the real world all smartphones are either Apple or Android...

So you're claiming that Mobian doesn't exist? PureOS doesn't exist? PostmarketOS doesn't exist? Ubuntu Touch doesn't exist? SailfishOS doesn't exist?

taotau 6 hours ago
Correction: in the real world all smartphones are either Apple, Android or none/other. In terms of legals, you really do have to cater to all three, which is why we don't have one world government.

mytailorisrich 3 hours ago
This is about a digital wallet, so people who don't have a smartphone are out of scope. Now, "other" than Apple/Android is so small as to be negligible and governments also have a duty not to waste taxpayers' money, which means not spending hundreds of thousands to cater for an ultra small number of people who have easy access to an alternative. To have government apps work only on iOS and Android is perfectly reasonable in the current state of the world where this covers 99% of smartphones.

znort_ 2 hours ago
> To have government apps work only on iOS and Android is perfectly reasonable in the current state of the world where this covers 99% of smartphones.

The fundamental flaw with that approach is that it is totally unreasonable to have government apps in anything other than open source and fully public systems. Nothing else can really be trusted, and any private/closed source option should be disqualified from the get go. The reason is simple: you can't trust private entities or opaque systems, and you can't trust government either, thus the solution has to be fully transparent or you're doing nothing. The problem with that is that it is hard, expensive and/or inconvenient.

limagnolia an hour ago
Why should I have to have a smartphone to have a digital wallet? Smart watches, tablets, laptops, portable game consoles, etc., are all perfectly cromulent hardware for running a digital wallet.

jonathanstrange 3 hours ago
Essential EU government services cannot be devised on the hope that US companies will invent something that - contrary to current US legislation - will somehow provide the attestation services needed in a GDPR-compliant way without forcing EU citizens to provide personal data to US companies. If it's not possible to create such a system for mobile phones because of legal issues (as you seem to acknowledge and judges have found in the past), then the focus would have to be on creating hardware devices in the EU, ideally with open source hardware and software. These can be made reasonably secure, have been used by banks for a long time, and would enhance digital sovereignty. What I find unacceptable is the attitude "well, it will violate the law but as a matter of practicality it's the only choice we have right now so we'll just do it."

qwertox 7 hours ago
Maybe that will force the companies to not be allowed to just lock you out of the account.