EU digital IDs are NOT private or anonymous; they are NOT a solution.
Posted by Gugalcrom123@reddit | linux | 148 comments
While cryptographically sound, they have the major issue that they require attested Android or iOS, so anyone wanting to use legal Internet services would have to get their phones.
Introducing a third phone platform is not a solution; it will also be proprietary, because that's the real goal: banning libre software. It will also not solve the fact that all oligopolies are bad.
ExternalUserError@reddit
They are not a solution because there never was a problem. There’s no need for a digital ID. It shouldn’t exist. It’s EU bureaucrat busybodies who are too inept to solve actual problems and focusing instead on imaginary ones.
No one needs a “digital ID.” It’s a stupid solution for a problem that doesn’t exist.
CreatorSiSo@reddit
So online services that replace paperwork should not exist?
ExternalUserError@reddit
None of those things require a "digital ID."
Afghanistan issues digital IDs. Canada does not. Which do you think has a better system for getting appointments?
There are ~200 countries in the world and 10 with digital IDs. Do you seriously think those 10 are the only ones that have stuff online?
Toby_Forrester@reddit
I would assume Canada uses some alternative ID verification, like using ebank codes or such online. This kind of ID verification is dependent on private companies.
Digital ID creates a unified option to verify your ID without relying on private companies.
ExternalUserError@reddit
No, you just enter your username/password to login to a bank, then usually with a two-factor code. In America too. And Portugal (though I wouldn't turn to Portugal for efficiency).
The world doesn't need digital IDs. Really.
Not every website needs a vector to identify you. It's probably better if no such vector exists.
Toby_Forrester@reddit
So currently, verification of your ID online is dependent on private companies. Like if you want to file your taxes online, you have to log in using credentials from a private bank.
Digital ID means you are not dependent on private companies.
ExternalUserError@reddit
Why not go with neither? No one is going to file your taxes for you.
Toby_Forrester@reddit
So you don't care about privacy? Anyone should be able to see everyone's full tax records, full medical history and such online?
ExternalUserError@reddit
I do care about privacy. That’s why I don’t want to give companies and governments the ability to impose frictionless identification requirements online.
No one is seeing your medical history or tax records online either way.
Toby_Forrester@reddit
Then what would be a secure and private method of accessing that information? Just a password?
ExternalUserError@reddit
Usually two factor is industry best practice.
Toby_Forrester@reddit
And if one factor is a password, what is the other one which is independent of government or any company?
And how do you first create the password? What gives you access to the online service to create an account and password?
ExternalUserError@reddit
Depends on the country and government agencies. The US and Canada use passkeys (probably best), TOTP generators, security keys, etc.
Is it really so strange to you that people in other countries access government websites without this thing only 10 countries in the world have?
Toby_Forrester@reddit
The point made is that countries like Finland, which do not have eID, utilize private banks or such for ID verification. In these countries, ID verification depends on private companies, which is not ideal.
Here in Finland it used to be an issue that if banks refuse to open a bank account to some people, these people could not verify their ID online.
And aren't passkeys dependent on your fingerprint, or your phone, which is dependent on your service provider?
And you didn't explain how people get to create these accounts and passkeys to begin with.
ExternalUserError@reddit
How people create the logins depends on the service. In Canada I think you hold up your id card to a camera once. I think the US uses a series of questions that only you would know.
Passkeys are an open standard and can be implemented by anyone, not just Apple or Google. Keepass or 1Password can store them. A hardware dongle can too. They needn’t be tied to your phone.
Neither uses banks for identity. It wouldn't work in the US or Canada either; they have 10,000 or so banks and credit unions, so thousands of federated identity providers wouldn't work. In Portugal (where I live now) there's no centralized identity verification system online. Nor is there in the US or Canada.
To me the choice isn’t between banks and government. The obvious solution is to not have a standardized or frictionless id system at all. We don’t need to create an internet of websites soliciting your real identity in a verifiable way.
Toby_Forrester@reddit
So you reveal your ID to them. eID does the same.
Also, a fake ID can be shown to a camera, and questions can be answered by family members.
How do you get the hardware dongle without revealing your ID?
ExternalUserError@reddit
If a sibling looked a bit like you, they could also use your physical ID. Someone who knows a lot about you could also impersonate you to get that physical ID in the first place.
In reality, these are seldom real concerns. They happen but they’re rare. That’s why I said it’s a solution to a fake problem. And they don’t even solve the problem because someone could also impersonate you to get the digital ID to begin with.
It’s just a second factor. You’d set it up when you create your password. It’s webauthn—like passkeys but not on your phone.
The general theory of two factor authentication is that you want any two of these: something you know (like a password), something you have (like a phone or dongle), or something you are (like a fingerprint).
Kartonrealista@reddit
They're tremendously useful for doing various government related things online. Instead of going to an office you just go to a website and do your thing. You're ignorant and should never speak on this until you properly learn about the topic.
ExternalUserError@reddit
Did you know that websites exist in countries without digital IDs?
Kartonrealista@reddit
But how do those websites know it's you for government purposes? I don't want Joe Shmoe filing documents under my name
ExternalUserError@reddit
They generally don't need to for most things. No one is going to register a pet license under your name.
For things that are sensitive, you have a two-step login process just like anything else.
But the difference is, with an authenticated government website, your ID is just for that website and other government matters. It couldn't be used, for instance, to surveil who is using what eSIM where.
Kartonrealista@reddit
This is not how digital IDs in EU work
ExternalUserError@reddit
Yes it is. Or rather it can be. It’s called eKYC in the industry and the idea is that cell providers must verify the identity of each user.
Now you could have KYC with or without digital IDs and you can have digital IDs with or without KYC. But having a frictionless and high certainty way of identifying someone on the internet makes KYC a lot easier and probable. At some point it becomes rote—you do anything and since a digital ID exists, the business might as well collect it.
The world does not need more touch points for frictionless identification and surveillance. Right now it’s hard for any website to really verify anyone’s identity. It should stay that way.
Kartonrealista@reddit
Ok bro
ExternalUserError@reddit
When you called a government office on the phone, and they answered, how did they know who you were to schedule an appointment? When you wrote a letter to a government office by post, how did they know who you were?
You don't need definitive identification for these things.
Before there were websites, a lot was done by post. You didn't mail in your passport to pay your taxes in the 90s, you know.
Kartonrealista@reddit
I never once in my life "scheduled an appointment" for any government office. I just walked in, maybe waited in a queue. Nor did I write any letters, and if I would have, they would probably be signed with my signature. The idea of writing a letter to an office in my town is also insane when I could just walk there.
And for a number of documents for work, etc. I did need to provide a scan of my ID, student card, etc. Maybe your country just doesn't take security seriously.
ExternalUserError@reddit
Yes. That’s it. The rest of the world doesn’t “take security seriously.”
Toby_Forrester@reddit
Here in Finland we don't have a digital ID so ebank codes are used to verify identity. So if I have to check my medical data online, I have to use bank codes of a private multinational bank.
Sarv_@reddit
Digital ID already exists in plenty of EU countries. I want this to replace the model used in Sweden which is controlled by the banks. (Actually there's 3, but the bank one is the big one.) That is a real problem that this would solve.
tchernobog84@reddit
Can't you use something like the AusweisApp in Germany, which is open source and works via a card reader too?
I am just asking.
If the AusweisApp is open source, isn't it possible to implement also an app for a phone modeled after it?
Craftkorb@reddit
It is, but spreading fud is more fun
Gugalcrom123@reddit (OP)
It works only for e-signatures. Show me ONE proof that the EU-wide age verification will work with the AusweisApp, for example.
Craftkorb@reddit
No, you show me the proof. You made the accusation, it's on you to prove it.
Gugalcrom123@reddit (OP)
https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/discussions/19
flooberoo@reddit
I guess the README has changed in the meantime, because it does not e.g. mention the Play store at all anymore. So outdated issue?
Gugalcrom123@reddit (OP)
No, because most national implementations (like Italy, mentioned in the thread) do still require it. There is no obligation to require it, but also no prohibition, and the developers of the national implementation will default to requiring it without justification.
flooberoo@reddit
How can you possibly know what every single future implementation will default to? Seems like FUD.
Gugalcrom123@reddit (OP)
It's not every single. If Romania's does, and knowing the tech illiteracy, it will do, I am screwed.
flooberoo@reddit
Ok, but the title is still misleading in that case, right? That's a Romania problem, not an EU problem. Romania is also in charge of physical IDs for Romanians, but you wouldn't try to prevent all physical IDs in the EU just because of that.
Is everyone else just supposed to suffer because some countries might screw it up for some people? If you are in Romania, just don't use the Romanian e-id, and don't spoil it for others.
Gugalcrom123@reddit (OP)
If I don't use the e-ID, I will not be able to verify myself, thus not be able to use any online services.
Vordreller@reddit
Not knowing yet is precisely the reason to be proactive. These are not actors you can put your trust in.
flooberoo@reddit
Sure. So stay factual so a proper discussion can be had. Hysteria and FUD just makes it easier to discredit any opposing arguments.
Major-Dyel6090@reddit
Just calling everything FUD is stupidity. You should, by default not trust the government.
flooberoo@reddit
Agreed. But in this case it is FUD. It spreads misinformation based on pure speculation. It's easy enough to check the spec, no need to trust any government.
Arco123@reddit
The fact that anyone is asking for proof that digital age control is a bad idea is insane to me.
Is the basic premise that I don’t want to trust an operating system and/or app developer with my digital identity?
We can’t even properly secure bank apps to prevent people from getting scammed out of their life savings and we think this is a good idea?
Can someone please remind me what problem that we’re trying to solve here? I can’t and I don’t like where society is going.
aeternus_hypertrophy@reddit
What banking apps are insecure? I ask because I haven't heard of this before in the UK.
Unless you are talking about phishing scams which are not really a technical issue?
Just curious as someone would need my unlocked phone, password/biometrics to open the app, and a pass code to send anything
Arco123@reddit
It’s about phishing.
Banking apps aren’t inherently secure, but fraudsters are essentially bypassing biometrics and multiple factors of authentication/authorization with relative ease.
I DO NOT want this to be possible with certificates which certify who and/or what I am.
aeternus_hypertrophy@reddit
If it's about phishing then it's nothing to do with banking app security. They all already have anti-phishing measures and warnings. It's all redundant if you hand over your info willingly.
I can't claim my home alarm system is faulty if I hand over the code and keys to someone trying to rob me.
You're saying banking apps are insecure because some people give away their login info. It's very misleading
Arco123@reddit
You’re misunderstanding the point: it opens a door for abuse.
Again: I can’t believe people are willing to compromise on this. Sheer stupidity.
aeternus_hypertrophy@reddit
That door for abuse is always there if you give out your information in a phishing scam
It's still a human error and not a technical one. It's social engineering.
I'm confused that this is somehow confusing you, but maybe you're in that minority that even banking apps can't protect from themselves 🤷♂️
Arco123@reddit
I find this hilarious. There’s entire businesses being made around scamming people and the user is the problem.
Awful take, you should be ashamed. You clearly have no understanding of the impact of identity theft and prefer to blame the victim rather than looking at the root cause of problems.
This WILL go wrong, no matter what. People WILL get social engineered and we will have a new generation of easy identity theft.
You still haven’t responded what these digital identities are resolving.
aeternus_hypertrophy@reddit
So you agree it is social engineering. Not a technical app problem 👍 ticket closed
Arco123@reddit
If we’re going to twist about technicalities, then it IS a technical problem because it’s a problem. An added problem in society clearly is that people cannot think about root causes anymore, which includes you in that problem.
You’re not answering my question, you’re only echoing your own stupidity.
aeternus_hypertrophy@reddit
A technical problem is a vulnerability in the app's security. Technical.
Phishing is social engineering. A human problem.
No technicalities or changing it to being about shady businesses or societal problems. None of that. Stop.
You somehow conflated phishing and app security but we resolved it x
Arco123@reddit
You continue to miss the point and are seriously making me doubt your intellect.
Are you going to answer the actual question or will you continue spewing BS? Your responses are embarrassing.
Isofruit@reddit
The german ausweisapp also works to identify you for an entire flock of bureaucratic tasks - source, I literally used it two days ago to do various amounts of paperwork with it.
Gugalcrom123@reddit (OP)
Yes, but doesn't the app require attestation?
Isofruit@reddit
The Android part of the app was literally just the NFC reader bit; had I bought an actual NFC reader it would've been irrelevant, I merely mentioned it for completeness' sake. So whether the Android part requires attestation or not does not matter; the relevant bit is that it has a Linux flatpak available and that I really need an NFC reader.
Gugalcrom123@reddit (OP)
OK, that sounds much better. However, it is not guaranteed that the pan-EU age verification will support it, or just the mobile version.
botle@reddit
Every privacy preserving solution relies on being bug free to be privacy preserving.
It won't be bug free for ever.
Far_Calligrapher1334@reddit
Yeah you can, at least in all the countries I know of
Gugalcrom123@reddit (OP)
I know that there are alternatives, but these alternatives are only for e-signatures. For the age verification, many countries have already implemented it without regard for non-Android/iOS users.
dethb0y@reddit
I would argue the goal is not the death of libre software, but the death of anonymity.
Alaknar@reddit
If it only sends a "true" or "false" token on a "is this person 18+?", anonymity will be preserved.
Kirides@reddit
Just ask it each year/day; at some point a false will turn true and now we know your birth year/date.
Flags are only appropriate if they can't be abused.
Alaknar@reddit
That's not how these things work - a user attempts logging in, the website requests age confirmation, shows a QR code. The user scans the code with their eID app, authenticates with password/PIN/biometrics, approves the type of data to be sent (which is listed), the website receives the "18+" token. Or not.
The website itself cannot receive any user data without the user's express approval.
Kirides@reddit
How does that go against what I said?
Just make the website require age verification each year?
Who says that you can't? You don't even need to be that precise.
Every 4 years is still enough to put a person in a "age bucket" and assume their age precise enough to show them Ads for s** toys or the next card deck.
Alaknar@reddit
If you have a website that so many people will stick around on and use a specially prepared version for non-adults while waiting for the "full" version to unlock for them, then you have a billion other ways of inferring a non-precise DoB.
Martin8412@reddit
That’s a lot of effort to learn someone’s age. You’d have to prompt the user once a year since you can’t reuse a proof that would tell you that as of 2026-04-11T00:00:00 the user is below 18.
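The inference Kirides and Martin8412 are arguing about can be written down. The following is an added example, not code from the thread or from any EU wallet: a relying party that only ever receives a yes/no "18+ as of today" answer, but re-prompts on a schedule and keeps the dates. Each answer halves nothing, but it does move one end of a date-of-birth interval, so yearly prompts pin the birth year and daily prompts pin the day. The holder's date of birth and the prompt schedules are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

const adultAge = 18

// Constructed holder date of birth. A real wallet never discloses it; the
// relying party only ever sees a yes/no answer as of the day it asked.
var holderDOB = time.Date(2008, time.June, 15, 0, 0, 0, 0, time.UTC)

// AgeTokenAt plays the wallet: "is the holder 18+ as of day d?" and nothing else.
func AgeTokenAt(dob, d time.Time) bool {
	return !dob.AddDate(adultAge, 0, 0).After(d)
}

// Observation is the only thing a relying party can log per prompt.
type Observation struct {
	Asked  time.Time
	Over18 bool
}

// Probe re-prompts the wallet n times, advancing the calendar with step
// (daily, yearly, ...), and keeps the answers together with the dates.
func Probe(dob, start time.Time, step func(time.Time) time.Time, n int) []Observation {
	obs := make([]Observation, 0, n)
	for d, i := start, 0; i < n; d, i = step(d), i+1 {
		obs = append(obs, Observation{Asked: d, Over18: AgeTokenAt(dob, d)})
	}
	return obs
}

// InferDOBRange turns the boolean answers into a half-open date-of-birth
// interval [lo, hi). A "true" on day d means dob <= d-18y; a "false" means
// dob > d-18y. Each answer can only shrink the interval, never widen it.
func InferDOBRange(obs []Observation) (lo, hi time.Time) {
	lo = time.Date(1900, time.January, 1, 0, 0, 0, 0, time.UTC)
	hi = time.Date(2100, time.January, 1, 0, 0, 0, 0, time.UTC)
	for _, o := range obs {
		// Latest date of birth that would already be 18+ on o.Asked.
		cutoff := o.Asked.AddDate(-adultAge, 0, 0)
		bound := cutoff.AddDate(0, 0, 1)
		if o.Over18 && bound.Before(hi) {
			hi = bound // dob <= cutoff, i.e. dob < cutoff+1
		} else if !o.Over18 && bound.After(lo) {
			lo = bound // dob > cutoff, i.e. dob >= cutoff+1
		}
	}
	return lo, hi
}

// WidthDays is the remaining uncertainty about the date of birth.
func WidthDays(lo, hi time.Time) int {
	return int(hi.Sub(lo).Hours() / 24)
}

func main() {
	yearly := func(d time.Time) time.Time { return d.AddDate(1, 0, 0) }
	daily := func(d time.Time) time.Time { return d.AddDate(0, 0, 1) }
	const day = "2006-01-02"

	// Four yearly prompts starting 2024-01-01: the answer flips once, which
	// brackets the birthday inside one calendar year.
	lo, hi := InferDOBRange(Probe(holderDOB, time.Date(2024, time.January, 1, 0, 0, 0, 0, time.UTC), yearly, 4))
	fmt.Printf("yearly prompts: dob in [%s, %s), %d days wide\n", lo.Format(day), hi.Format(day), WidthDays(lo, hi))

	// Thirty daily prompts around the 18th birthday: the flip lands on the exact day.
	lo, hi = InferDOBRange(Probe(holderDOB, time.Date(2026, time.June, 1, 0, 0, 0, 0, time.UTC), daily, 30))
	fmt.Printf("daily prompts:  dob in [%s, %s), %d days wide\n", lo.Format(day), hi.Format(day), WidthDays(lo, hi))
}
```

The defence is not in the flag itself but in how often a site may re-prompt and whether the proof carries an "as of" date at all; a proof that is re-usable for a long validity window leaks less per prompt but is then re-usable across sites, which is its own linkability problem.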
Gugalcrom123@reddit (OP)
Both.
Bubbly_Extreme4986@reddit
The best way to do this is by providing every citizen a private key that is their private property then generating a trusted first public key thus linking this private key to this person. The government keeps the signed public key for reference. If it is leaked or stolen the private key is not lost and the victims identity or data cannot be feasibly stolen. The citizen then goes on to use his “registered” private key to sign any agreements that require an ID, at each point anyone can verify that he is who he says he is because his signature matches the filed government one. However none of these interactions let the users identity be at risk. Only a signed public key is created.
PiercingSight@reddit
The privacy violation is the government knowing.
morphick@reddit
How's the government supposed to vouch you are who you say you are without knowing who you are?
If you think the govt shouldn't know who anyone is, how do you make sure I am who I say I am when you have to deal with me?
PiercingSight@reddit
NOT by telling the government I interacted with you.
In fact, in the overwhelming majority of cases, I never need to know who you are and should be incapable of knowing.
morphick@reddit
Then how do you know you're doing business with the right person and not an impostor? How do you know I'm not just impersonating the person you're supposed to make that payment to?
There needs to exist a trust root for identities. People got together and agreed the entity entrusted for this should be the government.
Just because over time citizens lapsed their duties and allowed govts to become corrupt and overreaching does not mean either the principles or governments in themselves are bad. Ironically, it only means citizens are bad for losing the grip on the power entrusted to them through demo-kracy.
Anarchy is definitely NOT the answer!
PiercingSight@reddit
The only entity that needs to be known, in the overwhelming majority of cases, is the business itself. The customer does not need to be known.
Certainly there are rare cases where some limited verification needs to be done, but that verification should not report to government, nor should it reveal more than is absolutely necessary to the business.
ALL governments inevitably become corrupt, and as such, should never be trusted with any power that could allow them to violate liberty uncontested. This especially includes knowledge of one's financial purchases and history.
Privacy does not create nor require anarchy. Privacy is a fundamental right of liberty.
morphick@reddit
Which means the govt has the need to know identity. Which was exactly my point all along.
Without a commonly agreed-upon entity designated to certify identity, the whole concept of identity itself is void of any meaning because I can say I'm someone else every other day and there's nothing anyone could do about it. Agreed, trivial daily tasks like buying food or going to work might not need IDing, but at some point you'll buy a house or move state or collect insurance, so you'll have to have your identity certified by someone. That someone is the govt. It's how it has been convened long ago.
If you thought of a system that is able to function without the concept of individual identity, please present it.
PiercingSight@reddit
That is not my argument.
I am not saying we should do away with identity altogether. I am saying that whatever method of identification we use, it should not inform the government of any interaction that required identification.
Being identifiable and verifiable does NOT require notifying the government every time you need to be identified.
For example, physical photo ID cards, issued by the government, can be shown to the business wanting to know. The business does not need to ask the government to verify the individual (thus notifying them of the interaction) because the card already does that. The business also doesn't need to record anything about the card, just inspect it to verify it is legitimate.
There are also several cryptographic protocols for doing effectively the same thing, but digitally. However, none have been implemented, and no government will ever properly do so in a way that respects privacy.
And again, in the overwhelming majority of cases, especially when it comes to the internet, identification is basically never necessary, and barriers requiring identification should never be erected around general usage. Not to mention the risks are much higher because businesses can record details about every interaction, so identification online should be reserved for only the most exigent of circumstances.
TheOfficialMayor@reddit
It's the government needing to know to deal with others that's the issue.
morphick@reddit
It's not that the government needs to know who you are, it's that you need the government to know who I am every time you have to interact with me!
TheOfficialMayor@reddit
Just remember what happened in Amsterdam.
Bubbly_Extreme4986@reddit
If they are going to do it anyway this is the best way to do it, at least the persons identity isn’t at risk of being stolen and the software used to implement this is all libre
1116574@reddit
The goal of the system is to provide age verification that's anonymous.
The website would need to consult the gov server to see if the public key is in the 18+ category or not, so everyone would need to have a copy of all public keys to preserve anything, right?
PiercingSight@reddit
There is NO safe way to do digital ID. All of them are unsafe fundamentally.
There is no "if they're doing it anyway" because doing it at all already violates all of the most important privacy principles.
sircrunchofbackwater@reddit
That won't work in reality, absolutely unfeasible.
Bubbly_Extreme4986@reddit
Why?
These-Apple8817@reddit
Because it's not simple enough for all the old farts on this planet. Even the whole eID in general will be too difficult for most of them.
Alaknar@reddit
The entirety of Sweden and Denmark already run on this, including "old farts".
These-Apple8817@reddit
Well, what you said is fairly easy to debunk.
https://www.oru.se/english/news/news-archive/news-archive-2023/digitalisation-excludes-older-adults/
https://www.tietoevry.com/en/blog/2020/05/one-million-swedes-affected-by-the-digital-divide/
https://www.riksbank.se/en-gb/payments--cash/payments-in-sweden/payments-report--2024/safety-efficiency-and-accessibility/are-payments-in-sweden-accessible/many-do-not-have-access-to-e-identification-e-id/
Just because Sweden has widely adopted something, does not mean it's actually accessible to those who can barely understand technology.
Alaknar@reddit
Not having access to BankID (their eID) is not that big of a deal; banks can issue physical QR code readers that will work in place of a phone.
sircrunchofbackwater@reddit
People cannot securely keep their private keys. They'll be lost, deleted, and exfiltrated all the time. It would be a nightmare to support all those. Also you would need a robust revocation system, which is another difficult thing to maintain.
Gugalcrom123@reddit (OP)
So give both options.
National_Way_3344@reddit
The best way to do this is by a citizen having their private key and issuing the government a message signed with that key to link it to your digital ID.
Hence all the social media site gets is a "true" message and a digest or receipt of the transaction.
TheOfficialMayor@reddit
The best way is to do nothing.
TheVenetianMask@reddit
We have digital IDs in the publicly issued ID cards, we don't use crappy phone company ideas for it.
Gugalcrom123@reddit (OP)
We also have them in Romania and you can e-sign with it, but there is no evidence that the EU-wide age verification will use the card directly; rather, it will use stupid scans and "AI face verification" to load the data onto the "phone" and that only works if it is "trusted".
theschrodingerdog@reddit
Spain already has a digital ID card with an option for age verification (basically it just provides +18 or -18) and it does not use any kind of AI face stuff. It uses your own physical ID card to set up. I don't see why the EU-wide app will be different.
Gugalcrom123@reddit (OP)
It uses your own ID card, but you need to register it in an Android or iOS "app", no? Is there a desktop option?
Hamilton950B@reddit
There is a desktop option, and it even works in linux. There are only deb and rpm packages but someone made an Arch pkg and it seems to work. It installs a lot of java crap, insists on a particular jre, leaves turds in your home directory, and seems a bit intrusive for something I need to install on my personal computer.
I'm in the process of getting the cert now. I installed the software then went to the local social security office to verify my identity. I went through security, surrendered all my metal objects, took a ticket and waited 20 minutes. Then they made an appointment for me to come back in three weeks.
Getting the cert requires that you do everything on one computer, but I think once you have the cert you can use it anywhere. I'll find out soon. The whole process seems unnecessarily complicated to me.
Martin8412@reddit
It’s not great software from a UI point of view, but it works on Linux. I was impressed how easy it was to make it work on Arch Linux, and I didn’t even know that someone made a package for Arch. I just extracted the deb file and copied files to the expected locations and it worked with the JRE I had installed.
But yes, once you have the certificate you can use it everywhere. I keep mine on a Yubikey. I got my certificate in a single day through my local ayuntamiento office.
Hamilton950B@reddit
They don't really make it clear on the web site where you should go to verify ID. There is a list of places but it doesn't say which ones require an appointment. I thought I could go to TGSS and do it the same day, but no. I should have gone to the ayuntamiento.
Gugalcrom123@reddit (OP)
But we don't know whether it will be connected to the EU "age verification".
theschrodingerdog@reddit
We have a website called 'Carpeta Ciudadana' ('Citizen Folder') and among many stuff you can also show and certify your DoB. However I am not sure if this will get connected to the planned EU-wide age system.
orak7ee@reddit
No, that’s not.
Gugalcrom123@reddit (OP)
Explain, then, how I can verify myself under this scheme without using a phone with nonfree OS.
orak7ee@reddit
You are the one stating that there is conspiracy for banning libre software. The burden of proof is up to you.
All i know is that the goal of this project is to provide a "digital identity" solution for the EU citizen.
The fact that currently only Android and Apple devices comply with the specification (btw, i've not verified that it is actually true…) does not mean that there is a secret goal of "banning libre software" behind it.
Gugalcrom123@reddit (OP)
It could be easy to skip the "secure enclave" BS and let me plug in my ID card into the computer, reading it with (ideally free) GNU/Linux software. But they don't want that, even though it's secure.
1116574@reddit
I don't think chips on physical IDs support the roundabout way of verifying age without revealing identity, which is the main feature of the system. One would need to update a very obscure chip system that's based on numerous outdated specs, replace all 300 million IDs if not more, and most importantly replace all current public infra for reading them.
Gugalcrom123@reddit (OP)
Member states are already replacing the ID cards, also no identity revealing would be done if there was a web portal where I could log in with my card and sign the challenge from the website I want to access.
1116574@reddit
No info to pornhub correct, but your gov would know that you, named XY, accessed pornhub at time Z. For non hardened browsers they would also know your browser fingerprint.
Gugalcrom123@reddit (OP)
No, the government wouldn't know what I accessed because the restricted site could just not include info about who generated the token.
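Bubbly_Extreme4986's proposal (a citizen key whose public half the government signs once, after which the citizen signs agreements and anyone can check the chain), National_Way_3344's variant, and the OP's "sign the challenge from the website with my card" all describe the same offline-verifiable flow. The following is an added example, not code from the thread or from any national wallet, written with Go's standard-library Ed25519: the issuer signs (holder public key, attribute, expiry) once; the site hands out a fresh random challenge; the holder signs it with the key the issuer vouched for; the site verifies both signatures with nothing but the issuer's public key, so the issuer is never contacted and never learns which site asked. The domain-separation tags, attribute names and expiry values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical domain separators so a credential signature can never be
// replayed as a presentation signature or the other way round.
const (
	credTag    = "eid-cred-v0"
	presentTag = "eid-present-v0"
)

// Credential: the holder's public key bound to one attribute and an expiry,
// signed once by the issuer, who keeps nothing and is never asked again.
type Credential struct {
	HolderPub ed25519.PublicKey
	Attribute string
	Expiry    uint64 // Unix seconds
	IssuerSig []byte
}

// signingBytes is the canonical, length-prefixed encoding the issuer signs.
func (c Credential) signingBytes() []byte {
	var b bytes.Buffer
	var n [8]byte
	b.WriteString(credTag)
	b.Write(c.HolderPub)
	binary.BigEndian.PutUint16(n[:2], uint16(len(c.Attribute)))
	b.Write(n[:2])
	b.WriteString(c.Attribute)
	binary.BigEndian.PutUint64(n[:], c.Expiry)
	b.Write(n[:])
	return b.Bytes()
}

// Issue is the one-time enrolment step: the "filed" government signature.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, attr string, expiry uint64) Credential {
	c := Credential{HolderPub: holderPub, Attribute: attr, Expiry: expiry}
	c.IssuerSig = ed25519.Sign(issuerPriv, c.signingBytes())
	return c
}

// presentBytes binds a presentation to this exact credential and this site's
// fresh challenge, so a captured presentation replays nowhere else.
func presentBytes(c Credential, challenge []byte) []byte {
	var b bytes.Buffer
	b.WriteString(presentTag)
	b.Write(c.IssuerSig)
	b.Write(challenge)
	return b.Bytes()
}

// Present: the holder signs the site's challenge with the vouched-for key.
func Present(holderPriv ed25519.PrivateKey, c Credential, challenge []byte) []byte {
	return ed25519.Sign(holderPriv, presentBytes(c, challenge))
}

var (
	ErrAttribute = errors.New("credential does not carry the requested attribute")
	ErrExpired   = errors.New("credential expired")
	ErrIssuerSig = errors.New("issuer signature invalid")
	ErrHolderSig = errors.New("holder signature invalid")
)

// Verify is everything the relying party does, offline, with only the
// issuer's public key: no lookup, no callback, no record at the issuer.
func Verify(issuerPub ed25519.PublicKey, c Credential, wantAttr string, challenge, holderSig []byte, now uint64) error {
	if c.Attribute != wantAttr {
		return ErrAttribute
	}
	if now >= c.Expiry {
		return ErrExpired
	}
	// ed25519.Verify panics on a malformed key; reject it instead.
	if len(c.HolderPub) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, c.signingBytes(), c.IssuerSig) {
		return ErrIssuerSig
	}
	if !ed25519.Verify(c.HolderPub, presentBytes(c, challenge), holderSig) {
		return ErrHolderSig
	}
	return nil
}

// NewChallenge is the site's per-login nonce.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(issuerPriv, holderPub, "over18", 2_000_000_000)

	ch := NewChallenge()
	fmt.Println("genuine presentation:", Verify(issuerPub, cred, "over18", ch, Present(holderPriv, cred, ch), 1_900_000_000))

	// A minor's credential with the attribute rewritten: the issuer's
	// signature no longer covers the bytes, so it fails without any lookup.
	forged := Issue(issuerPriv, holderPub, "under18", 2_000_000_000)
	forged.Attribute = "over18"
	fmt.Println("rewritten attribute:", Verify(issuerPub, forged, "over18", ch, Present(holderPriv, forged, ch), 1_900_000_000))
}
```

What this does and does not give: the issuer learns nothing about where the credential is used, which answers the "government sees you on pornhub" objection, but HolderPub is a stable value that every site receives, so two sites (or a site and the issuer, should it ever see a presentation) can link visits by that key. Unlinkable age proofs need either per-site or single-use credentials or a zero-knowledge construction on top of this, which is the "roundabout way" 1116574 refers to and is what makes such schemes harder to push onto an existing smartcard chip.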
1116574@reddit
This seems similar to what's eu already planning, and the problem for you is just the attestation (?) and fear that it will be widely implemented. It doesn't seem however that it's required in any way.
https://digital-strategy.ec.europa.eu/en/factpages/blueprint-age-verification-solution-help-protect-minors-online
https://www.eff.org/deeplinks/2025/04/age-verification-european-union-mini-id-wallet
Gugalcrom123@reddit (OP)
It is required by most implementing member states.
orak7ee@reddit
I agree, my point is just that you do not have to put a conspiracy against FLOSS behind it. IMO, it only undermines your point.
However, I can understand the point of having device attestation and a "secure enclave". It allows securely linking an ID card to a device, and not having to carry the actual ID card with the device everywhere. This way you can leave the ID at home, not worrying about theft or losing it. But sure, it restricts it to only some proprietary vendors... (maybe it could work with Nitrokey & alternatives in the future?)
Gugalcrom123@reddit (OP)
Whatever, but the problem is that I am not allowed to use my physical ID card as an alternative.
Gugalcrom123@reddit (OP)
Also, why have all this paranoid security when kids will just use a VPN?
1116574@reddit
Why do we forbid children from buying cigarettes or alcohol if they can get it from shady shops anyways? Why do we go to the trouble of prosecuting those sellers if a new one will just replace it sooner or later?
This is what it boils down to me; when I hear arguments that parents should be responsible for their children's online activities, I compare it to this. We don't expect parents to follow their children 24/7, there is a social contract that we won't let them do bad(tm) stuff. What this bad stuff is depends on your society and one might disagree, but still. I expect my 12 year old kid to not be able to buy cigs or porn in local kiosk, but still go on his way to school on his own by bus and get bus tickets from that same kiosk. I can understand why parents want to expect the kid to be able to play games online and get some entertainment (even education!) on the Internet while not getting access to harmful side of it.
One of arguments was that every device should include parental controls, which is good I guess, but then you still include extensive device side tracking, just handing the keys to the parent. And if there is a key to the kingdom, sooner or later there will be push/leak/attack to get it. But it's a different discussion and interesting one, probably a good approach nonetheless but requires more work from parents.
Gugalcrom123@reddit (OP)
At least with normal parental controls, the parent is the actual parent! With this, the parent is Google or Apple. See what Apple has done, restricting iPhone DNS in the UK unless you give your ID to Apple! Also, communication platforms (which all these laws mean by social media) can have advantages, unlike cigarettes.
1116574@reddit
Was it apple decision or UK decision that forced apple to do that? I agree in principle that big tech has too much power, though.
I guess, but that's the matter of what you are putting behind age gate, not of the validity of having an age gate in the first place. There is also gore, porn, and other content or groups considered harmful that we wouldn't want.
theschrodingerdog@reddit
Using a VPN will do nothing to avoid the new planned system. Kids will still be asked to verify their age.
switched_reluctance@reddit
Remote attestation is anti-libre, google play integrity is anti-libre. If the EU wants digital ID while preserving software freedom, they shouldn't need an "attested" android or apple and should work with degoogled phones.
neoneat@reddit
So what? Why don't you send physical mail to the Council of the EU? May they hear you someday.
AutoModerator@reddit
This submission has been removed due to receiving too many reports from users. The mods have been notified and will re-approve if this removal was inappropriate, or leave it removed.
This is most likely because:
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
Craftkorb@reddit
The app is open source. You can compile it yourself, or technically, reimplement it natively. But that would require an NFC reader - and most people only have one in their pocket.
Gugalcrom123@reddit (OP)
If there were an option to use a card reader, that would be good. There are desktop card readers. The problem is that it doesn't work like this — it requires a signed app binary running in a signed OS on a "trusted" "device" with attestation. It does not let me read the ID with that reader, because it wants to store the data on the "phone", but it also wants it not to be accessible to me, so it wants "attestation" to make sure that the OS does not allow me to access data stored on my own "device".
Fupcker_1315@reddit
You can still compare the hash of the signed app vs. your unsigned version you compiled yourself, so it is possible to verify that you're getting the same app.
Martin8412@reddit
That only works for certain compilers, I’m not sure it will work for Android applications. It’s an active area of research to have reproducible builds.
Interesting_Key3421@reddit
They require Play Integrity backdoor to work
Fupcker_1315@reddit
I really wish there was something like Play Integrity but vendor-independent on all operating systems.
Interesting_Key3421@reddit
You are asking for a backdoor for "good" people..
Fupcker_1315@reddit
Do you understand what Play Integrity is?
1116574@reddit
I thought it was about rooted devices?
From where I am sitting it looks functionally like kernel level anti cheat: requires a closed group of friends (Microsoft signing infra, secure elements etc) to work properly. So you are proposing that this group of trusted partners should be more open (?)
Fupcker_1315@reddit
Play Integrity only cryptographically attests that the state of the device is "trusted", so there cannot be any "backdoor" by definition. Yes, it is tied to Google, which is why I mentioned a vendor-neutral alternative.
1116574@reddit
To attest that, they need a piece of hardware that you effectively don't have any control over (secure enclave etc.), in order for the attestation to be meaningfully useful. To attest that a device is running trusted code, it needs to access big swathes of components to check them. So in a roundabout way it could be described as a backdoor, no?
Borealid@reddit
No individual components need to be checked directly.
TPM registers alone are enough.
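As an added illustration (not from the thread) of why a verifier can judge a boot chain from register values alone: each boot stage hashes the next component and extends a PCR, so the final value commits to every component and its order. The boot components below are constructed stand-ins; a real TPM quote additionally signs the PCR values and a verifier nonce with the TPM's attestation key, which is omitted here.

```python
"""Simulated TPM measured boot: PCR extend chain and verifier-side check.

Extend rule (same as a real SHA-256 PCR bank):
    PCR_new = SHA256(PCR_old || SHA256(component))
The register is append-only, so the verifier only needs the expected
final value for a known-good chain; it never inspects the components.
"""
import hashlib
import hmac

PCR_INIT = bytes(32)  # PCR banks start at all zeros after reset


def measure(component: bytes) -> bytes:
    """Hash one boot component (what the previous stage would measure)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """Fold a measurement into the register; cannot be undone or reset."""
    return hashlib.sha256(pcr + digest).digest()


def boot_chain_pcr(components: list) -> bytes:
    """Run the whole chain through one PCR and return its final value."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, measure(component))
    return pcr


# Constructed sample chain: stand-ins for firmware, bootloader, kernel.
GOLDEN_CHAIN = [b"firmware v1", b"bootloader v2", b"kernel 6.1 signed"]
GOLDEN_PCR = boot_chain_pcr(GOLDEN_CHAIN)


def verify_quote(reported_pcr: bytes, golden: bytes = GOLDEN_PCR) -> bool:
    """Verifier: accept only if the attested register equals the golden value."""
    return hmac.compare_digest(reported_pcr, golden)


if __name__ == "__main__":
    print("good chain:", verify_quote(boot_chain_pcr(GOLDEN_CHAIN)))
    tampered = [b"firmware v1", b"bootloader v2", b"kernel 6.1 patched"]
    print("tampered kernel:", verify_quote(boot_chain_pcr(tampered)))
```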
FranticBronchitis@reddit
Attested Android or iOS? So Google ID/Apple ID?
LowOwl4312@reddit
yes, it won't work on a degoogled Android or a PC with any OS
Gugalcrom123@reddit (OP)
Precisely.
nicman24@reddit
actually europe is building its own attestation framework
Gugalcrom123@reddit (OP)
No, Volla is building one, and the fact that it's libre is irrelevant because it's still centralised. Plus, they have not actually made any authorities use it.
nicman24@reddit
baby steps
switched_reluctance@reddit
How about completely remove remote attestation. No one asked for that, it's completely against FOSS.
https://www.gnu.org/philosophy/can-you-trust.en.html
nicman24@reddit
it does not have to be remote. also it probably can be self hosted if it is opensource. attestation is like secure boot, it is just a security system. Open source just needs to first catch up and then to be regulated as the only option
Gunzmo1337@reddit
Sweden has BankID as a digital ID and we've had it for ages. Works on rooted untrusted phones without Google Play services.
redballooon@reddit
I understand your woes
But this
Is conspiracy theory level bullshit.
They have to work with what is there. They can't reinvent the wheel.
Clogboy82@reddit
I believe that one of the least bad options is ID verification with a 3rd party, which can be used as an authentication service that gives off a flag for a certain age. It's either true or false, and should come with a session ID that a site or service can use to verify authenticity.
This is private, and it can exist in the open source domain as long as the site or service can verify a session ID with a legitimate issuer.
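A minimal version of the exchange described above, added here as an example and not code from any real issuer: the issuer returns only a boolean flag bound to a site-chosen session ID, and the site checks authenticity, binding, expiry and replay. A shared HMAC key is an assumption so the block runs offline; a real issuer would sign with a public key instead.

```python
"""Over-age flag + session ID token: issuer side and site side."""
import hashlib
import hmac
import json
import secrets

# Constructed shared key (assumption for the example; real issuers sign).
ISSUER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds a flag stays valid

# Sessions the site has already consumed, to stop token replay.
_seen_sessions = set()


def _tag(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue_age_flag(session_id: str, over_age: bool, now: int) -> dict:
    """Issuer: emit only {session, flag, validity}; no identity data."""
    payload = {"sid": session_id, "over18": bool(over_age),
               "iat": now, "exp": now + TOKEN_TTL}
    return {"payload": payload, "tag": _tag(payload)}


def verify_age_flag(token: dict, expected_sid: str, now: int) -> bool:
    """Site: accept the flag only if it is authentic, bound to this session,
    unexpired and not seen before. Returns the flag value, else False."""
    if not hmac.compare_digest(_tag(token["payload"]), token["tag"]):
        return False                      # forged or tampered token
    p = token["payload"]
    if p["sid"] != expected_sid:
        return False                      # token meant for another session
    if now > p["exp"] or p["sid"] in _seen_sessions:
        return False                      # stale or replayed
    _seen_sessions.add(p["sid"])
    return p["over18"]


if __name__ == "__main__":
    sid = secrets.token_hex(16)           # site generates the session ID
    tok = issue_age_flag(sid, True, now=1_700_000_000)
    print("first use:", verify_age_flag(tok, sid, now=1_700_000_010))
    print("replay:", verify_age_flag(tok, sid, now=1_700_000_020))
```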
Gugalcrom123@reddit (OP)
Probably, in case they need it, they could use some kind of partnership with telecom providers, where the restricted site gives you a token and you go to the telecom to sign it; still, it is not as good as simply not having it, plus it would not work for users who rely on others' telecom contracts.
Clogboy82@reddit
No. A major Dutch provider, Odido, had a major data leak, and the problem wasn't digital security but social engineering. This should be at most a handful of parties with a single task.