That was an option for the past 15+ tears at least in some EU countries. Its just not very convenient (garbage tier software they bought didn’t help either).

It's pretty expensive to deal with all of the technical support and identity verification work when people lose their devices and need to have credentials reset.

> When two people interact there’s a trust/risk calculation on both sides.

You should never base your trust on the other party having a piece of hardware that has restrictions that you approve of. That is fragile, especially in a world where some people are better at making or modifying hardware than others. It is also a fundamental violation of basic freedoms to prevent people from modifying hardware that they own, and not something you can reliably police, and thus is a terrible way to establish trust from a technical perspective.

It's much better to base trust on established cryptographic methods on a protocol level. You treat them as a black box, and the trust is established by the inputs and outputs, not what's inside the box. An example of this would be handing them an image of a digital ID paired with a cryptographic signature that only the government holds the private keys to. They have no computationally viable way to edit the image and still have it match the paired signature. It's easily verified based on the government's public key, and they cannot re-sign it without the government's private key. It doesn't depend on hardware restrictions.

The fact that there is so much focus on hardware means there are likely deeper motives here, e.g. surveillence being dressed up as convenience.

Only acceptable use of attestation is when done on behalf of device owner. So if they let me submit list of keys allowed for my account, fine, but any other use is just evil restriction of what software I can run on my own devices.

It's an anti-competitive concern all the time.

If we gatekeep service access to specific implementation attestations, it becomes much harder for new implementations to emerge. It doesn't really matter who controls the process.

In that sense, it's always bad. In this specific scenario for example it directly blocks emergence of alternative Android ROMs and Android-mostly-compatible devices like the various Linux phones.

There may be times where that downside is worthwhile, but it's always a downside, and we should very strongly discourage attestation wherever possible on that basis for the health of both the tech ecosystem and the business market around it.

I cannot think of any company that has appropriately used attestation as a trust/risk calculation. I work in major game studio; there is never calculation only a binary.

It never „let`s check if the mobile user has purchased in-game content server side to prevent pirating it“, its „suspend any account that has signed in with a device that fails safetynet, permanently ban any account that has failed a jailbreak or root checks“

It never „let`s check and calculate statistically cheating probability and move damage calculation server-side so that player cannot godmode or modify their APK“, its „all non-stock phones are cheaters and fraudsters, ban all of them, use invasive anti-cheat, while continuing to have client sided damage and health and energy because it is easier“

Something else has to change first otherwise the only option for businsinses do will be, after 2 is implemented : „while yes it is now possible to allow a neutral third party to control attestation, someone higher-up such as legal has said ONLY google can and we will ban everyone else“

As long as it is easier to don't give a fuck, that is the option that will be taken. z.B. the only reason our publisher allow the removal of play services was finding out that chinese players on definitely not google certified phone spends the most by orders of magnitude and even then it is only relaxing the check for specific region, forcing all EU players to continue to have this checking.

I would be wholly unsurprised if the result was to continue to require attestation but allow GrapheneOS f.e. only in Motorola factory shiped phones and disallow it if the user was involved in any way in the installation of it.

Definitely not bad all the time. For instance, GrapheneOS provides the Auditor app, with which you can verify from another phone or from a server that the OS is not tampered with. It also uses remote attestation.

So, there are certainly useful applications.

A hypothetical useful use of attestation is that a company promising to process personal data securely could actually prove it to end-users, by open-sourcing their server-side code and using reproducible builds combined with remote attestation, to prove to the client that the server-side is running unmodified within a secure enclave.

I struggle to think of a useful use for it on the end-user client side, though.

Not to mention self-signed custom builds of GrapheneOS.

Functionally illiterate means that they can read in their own language, but they cannot understand the meaning, a part from very simple things.

"functionally illiterate" means that while you can read your native language, you will not correctly understand what you have just read.

Rates seem to vary state by state, from as low as 8% (denmark) to 43% (romania).

It's also not a clearly defined target, since it would be better to have rates based on the reading comprehension of the average school at year X or something similar.

50% of the population are below average intelligence.

Dunno what the OP meant, but in the UK

https://www.southtyneside.gov.uk/article/16247/Public-Health...

> Guidance tells us the average reading age in the North East is lower than the national average at between 9 to 11 years. To put that into context The Guardian Newspaper has a reading age of 14 and the Sun Newspaper has a reading age of 8.

Health literacy specifically is a major problem in healthcare

https://literacytrust.org.uk/parents-and-families/adult-lite...

> 1 in 4 (26.7% / 931,000 people) adults in Scotland experience challenges due to their lack of literacy skills.

I find that page somewhat ironic as they claim 18% is one in six, but 17.4% is one in five. Seems numeracy is as big a challenge.

The US is no better according to wikipedia

> In 2023, 28% of adults scored at or below Level 1, 29% at Level 2, and 44% at Level 3 or above

> Adults scoring below Level 1 can comprehend simple sentences and short paragraphs with minimal structure but will struggle with multi-step instructions or complex sentences

> Adults scoring at Level 3 or above are considered "proficient at working with information and ideas in texts

https://en.wikipedia.org/wiki/Literacy_in_the_United_States

Why are you surprised? Europe has 700 million people. Think of the average construction worker you know, do you think they could read and correctly summarize any moderately complex article? Think an article about inflation or evolution or heat pumps or investment funds, etc.

Fairly sure that in most countries the average person reads less than 1 book per year, so half of the population reads less than that. I know people who haven't read a book since highschool, when they were forced to.

Especially as it's claimed to be only 50 Million in the US hahahahahaha

Whoever believes those statistics I have a strait to sell to

I specifically referred to the remote attestation functionality in Play Integrity and that that can be replaced by AOSPs APIs, since the linked post is about remote attestation.

Play Integrity actually does both and passing remote attestation is necessary to pass Play Integrity at the strong level. Remote attestation is used for this level, since a modified OS could fool DroidGuard.

I'm sorry if my comment was not clear in what I was referring to.

Sounds like an outreach opportunity!

...and Debian, PureOS, Fedora, Arch, NixOS...

Google and Apple's odds of being caught are too high to expect they would risk it. They have more to lose if caught than they have to gain.

Obviously some companies do despite the risks, I wouldn't expect this of any individual company, but as a whole some company will once in a while anyway. So stay vigilant.

Well that is the point of this entire digital wallet thingy, there's going to be a transition period since everything here is more or less hardcoded to bankid not to mention tons of code with presumptions about Swedish identity semantics (that do differ from other countries).

But on the plus-side the Swedish state-eID solutions is planned to be delivered by end of year and hopefully most organizations will start migrating or at least dual-supporting them and in doing so also fix their services to support foreign eID's in the process.

This is a problem I'm seeing a lot of countries rushing full steam ahead. The age of a single physical ID that's only rarely needed and ubiquitous cash payments seems to be coming to an end. For anyone who travels a lot, migrants first settling in a place, or citizens abroad, this makes things even harder than they already were.

The ability of the government(s) to exclude you from every day activities required for participation in society (or survival) if you run afoul of their edicts is a feature of digital ID/digital currency, not a bug.